Initial commit
This commit is contained in:
commit
40a4cf285e
18 changed files with 1933 additions and 0 deletions
93
checker/auth.go
Normal file
93
checker/auth.go
Normal file
|
|
@ -0,0 +1,93 @@
|
|||
package checker
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/jcmturner/gokrb5/v8/client"
|
||||
"github.com/jcmturner/gokrb5/v8/config"
|
||||
)
|
||||
|
||||
// runAuthProbe performs a Login (AS-REQ + preauth) and, if a targetService
|
||||
// is supplied, a TGS-REQ. kdcHosts maps reachable KDC hostnames to their
|
||||
// TCP port so we can populate the krb5 config without doing DNS again.
|
||||
func runAuthProbe(ctx context.Context, realm, principal, password, targetService string,
|
||||
kdcHosts map[string]uint16, timeout time.Duration) *AuthProbeResult {
|
||||
res := &AuthProbeResult{Attempted: true, Principal: principal, TargetService: targetService}
|
||||
|
||||
username := principal
|
||||
if i := strings.LastIndex(principal, "@"); i >= 0 {
|
||||
username = principal[:i]
|
||||
}
|
||||
|
||||
cfg := config.New()
|
||||
cfg.LibDefaults.DefaultRealm = realm
|
||||
cfg.LibDefaults.NoAddresses = true
|
||||
cfg.LibDefaults.TicketLifetime = 10 * time.Minute
|
||||
cfg.LibDefaults.Clockskew = 5 * time.Minute
|
||||
cfg.LibDefaults.UDPPreferenceLimit = 1 // force TCP
|
||||
cfg.LibDefaults.DefaultTktEnctypeIDs = preferredEnctypes
|
||||
cfg.LibDefaults.DefaultTGSEnctypeIDs = preferredEnctypes
|
||||
cfg.LibDefaults.PermittedEnctypeIDs = preferredEnctypes
|
||||
|
||||
realmCfg := config.Realm{Realm: realm}
|
||||
for host, port := range kdcHosts {
|
||||
realmCfg.KDC = append(realmCfg.KDC, host+":"+strconv.Itoa(int(port)))
|
||||
}
|
||||
cfg.Realms = []config.Realm{realmCfg}
|
||||
cfg.DomainRealm = config.DomainRealm{strings.ToLower(realm): realm}
|
||||
|
||||
start := time.Now()
|
||||
cl := client.NewWithPassword(username, realm, password, cfg,
|
||||
client.DisablePAFXFAST(true))
|
||||
|
||||
loginErr := cl.Login()
|
||||
res.Latency = time.Since(start)
|
||||
if loginErr != nil {
|
||||
res.Error = loginErr.Error()
|
||||
if code, ok := extractKRBErrorCode(loginErr); ok {
|
||||
res.ErrorCode = code
|
||||
res.ErrorName = errorcodeName(code)
|
||||
}
|
||||
return res
|
||||
}
|
||||
res.TGTAcquired = true
|
||||
|
||||
spn := targetService
|
||||
if spn == "" {
|
||||
// Self-test: request a fresh TGT (krbtgt/REALM@REALM).
|
||||
spn = fmt.Sprintf("krbtgt/%s", realm)
|
||||
}
|
||||
if _, _, err := cl.GetServiceTicket(spn); err != nil {
|
||||
res.Error = fmt.Sprintf("TGS failed for %s: %v", spn, err)
|
||||
if code, ok := extractKRBErrorCode(err); ok {
|
||||
res.ErrorCode = code
|
||||
res.ErrorName = errorcodeName(code)
|
||||
}
|
||||
return res
|
||||
}
|
||||
res.TGSAcquired = true
|
||||
return res
|
||||
}
|
||||
|
||||
// extractKRBErrorCode tries to pull a Kerberos error code out of the
|
||||
// wrapped errors returned by gokrb5. It's best-effort: if the code
|
||||
// can't be determined, ok is false.
|
||||
func extractKRBErrorCode(err error) (int32, bool) {
|
||||
if err == nil {
|
||||
return 0, false
|
||||
}
|
||||
// gokrb5 wraps KRBError values: their Error() string begins with "KRB Error: (N)".
|
||||
msg := err.Error()
|
||||
if _, after, ok := strings.Cut(msg, "KRB Error: ("); ok {
|
||||
if code, _, ok := strings.Cut(after, ")"); ok {
|
||||
if n, err := strconv.Atoi(code); err == nil {
|
||||
return int32(n), true
|
||||
}
|
||||
}
|
||||
}
|
||||
return 0, false
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue