Support krb5 authentication
This commit is contained in:
parent
7a72afc81d
commit
54555dcca4
4 changed files with 129 additions and 4 deletions
|
|
@ -5,14 +5,19 @@ import (
|
|||
"encoding/json"
|
||||
"errors"
|
||||
"net/http"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/jcmturner/gokrb5/v8/client"
|
||||
"github.com/jcmturner/gokrb5/v8/config"
|
||||
"github.com/jcmturner/gokrb5/v8/iana/etypeID"
|
||||
"github.com/jcmturner/gokrb5/v8/krberror"
|
||||
"github.com/julienschmidt/httprouter"
|
||||
|
||||
"git.nemunai.re/lectures/adlin/libadlin"
|
||||
)
|
||||
|
||||
var AuthFunc = checkAuth
|
||||
var AuthFunc = checkAuthKrb5
|
||||
|
||||
func init() {
|
||||
router.GET("/api/auth", apiAuthHandler(validateAuthToken))
|
||||
|
|
@ -87,7 +92,7 @@ func dummyAuth(w http.ResponseWriter, _ httprouter.Params, body []byte) (interfa
|
|||
return map[string]string{"status": "OK"}, completeAuth(w, lf.Username, nil)
|
||||
}
|
||||
|
||||
func checkAuth(w http.ResponseWriter, _ httprouter.Params, body []byte) (interface{}, error) {
|
||||
func checkAuthHttp(w http.ResponseWriter, _ httprouter.Params, body []byte) (interface{}, error) {
|
||||
var lf loginForm
|
||||
if err := json.Unmarshal(body, &lf); err != nil {
|
||||
return nil, err
|
||||
|
|
@ -111,3 +116,54 @@ func checkAuth(w http.ResponseWriter, _ httprouter.Params, body []byte) (interfa
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
func parseETypes(s []string, w bool) []int32 {
|
||||
var eti []int32
|
||||
for _, et := range s {
|
||||
if !w {
|
||||
var weak bool
|
||||
for _, wet := range strings.Fields(config.WeakETypeList) {
|
||||
if et == wet {
|
||||
weak = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if weak {
|
||||
continue
|
||||
}
|
||||
}
|
||||
i := etypeID.EtypeSupported(et)
|
||||
if i != 0 {
|
||||
eti = append(eti, i)
|
||||
}
|
||||
}
|
||||
return eti
|
||||
}
|
||||
|
||||
func checkAuthKrb5(w http.ResponseWriter, _ httprouter.Params, body []byte) (interface{}, error) {
|
||||
var lf loginForm
|
||||
if err := json.Unmarshal(body, &lf); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
cnf := config.New()
|
||||
cnf.LibDefaults.DNSLookupKDC = true
|
||||
cnf.LibDefaults.DNSLookupRealm = true
|
||||
cnf.LibDefaults.DefaultTGSEnctypeIDs = parseETypes(cnf.LibDefaults.DefaultTGSEnctypes, cnf.LibDefaults.AllowWeakCrypto)
|
||||
cnf.LibDefaults.DefaultTktEnctypeIDs = parseETypes(cnf.LibDefaults.DefaultTktEnctypes, cnf.LibDefaults.AllowWeakCrypto)
|
||||
cnf.LibDefaults.PermittedEnctypeIDs = parseETypes(cnf.LibDefaults.PermittedEnctypes, cnf.LibDefaults.AllowWeakCrypto)
|
||||
|
||||
c := client.NewWithPassword(lf.Username, "CRI.EPITA.FR", lf.Password, cnf)
|
||||
if err := c.Login(); err != nil {
|
||||
if errk, ok := err.(krberror.Krberror); ok {
|
||||
if errk.RootCause == krberror.NetworkingError {
|
||||
return nil, errors.New(`{"status": "Authentication system unavailable, please retry."}`)
|
||||
} else if errk.RootCause == krberror.KDCError {
|
||||
return nil, errors.New(`{"status": "Invalid username or password"}`)
|
||||
}
|
||||
}
|
||||
return nil, err
|
||||
} else {
|
||||
return dummyAuth(w, nil, body)
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Reference in a new issue