package main
import (
"log"
"net/http"
"strings"
"github.com/gin-gonic/gin"
"github.com/jcmturner/gokrb5/v8/client"
"github.com/jcmturner/gokrb5/v8/config"
"github.com/jcmturner/gokrb5/v8/iana/etypeID"
"github.com/jcmturner/gokrb5/v8/krberror"
)
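// parseETypes maps the encryption-type names in s to the numeric IDs that
// gokrb5 supports, preserving their order. Names gokrb5 does not recognise
// (EtypeSupported returns 0) are dropped. When w is false, names that appear
// in config.WeakETypeList are dropped as well, so the resulting client
// configuration never offers a deprecated cipher unless weak crypto was
// explicitly allowed. The result is nil when nothing survives the filter.
func parseETypes(s []string, w bool) []int32 {
	// The weak list is a constant space-separated string: split it once
	// into a set rather than re-splitting it for every candidate etype.
	weak := map[string]struct{}{}
	if !w {
		for _, name := range strings.Fields(config.WeakETypeList) {
			weak[name] = struct{}{}
		}
	}

	var eti []int32
	for _, et := range s {
		if _, isWeak := weak[et]; isWeak {
			continue
		}
		// 0 is gokrb5's "unknown etype" marker, never a valid ID.
		if id := etypeID.EtypeSupported(et); id != 0 {
			eti = append(eti, id)
		}
	}
	return eti
}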
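// checkAuthKrb5 is the gin handler for password logins backed by the
// CRI.EPITA.FR Kerberos realm. It binds a loginForm from the JSON body,
// normalises the login, applies the local-auth allow-list, verifies the
// password against the KDC and, on success, completes the session through
// completeAuth and answers with an authToken.
//
// Responses: 400 on a malformed body, 403 when password login is not
// permitted for this account, 401 when the KDC rejects the credentials or
// completeAuth fails, 500 when the KDC cannot be reached, 200 on success.
func checkAuthKrb5(c *gin.Context) {
	var lf loginForm
	if err := c.ShouldBindJSON(&lf); err != nil {
		c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"errmsg": err.Error()})
		return
	}

	// Accept the e-mail form of the identifier and reduce it to the bare login.
	lf.Login = strings.TrimSuffix(lf.Login, "@epita.fr")

	if !allowLocalAuth {
		// Password login is restricted: the account must already be known
		// (userExists) or be explicitly listed in localAuthUsers.
		// NOTE(review): this check runs before the password is verified, so
		// the 403/401 split tells an unauthenticated caller whether a login
		// is known; keep this in mind if account enumeration matters here.
		found := false
		for _, u := range localAuthUsers {
			if lf.Login == u {
				found = true
				break
			}
		}
		if !userExists(lf.Login) && !found {
			c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"errmsg": "You are not allowed to log you in this way. Please use OpenID Connect."})
			return
		}
	}

	// Build a krb5 client configuration that discovers the realm and KDC
	// through DNS instead of a krb5.conf file. The enctype lists are resolved
	// to IDs by hand (presumably config.New() leaves the *EnctypeIDs fields
	// unset — verify against gokrb5); weak ciphers are filtered out unless
	// AllowWeakCrypto is set.
	cnf := config.New()
	cnf.LibDefaults.DNSLookupKDC = true
	cnf.LibDefaults.DNSLookupRealm = true
	allowWeak := cnf.LibDefaults.AllowWeakCrypto
	cnf.LibDefaults.DefaultTGSEnctypeIDs = parseETypes(cnf.LibDefaults.DefaultTGSEnctypes, allowWeak)
	cnf.LibDefaults.DefaultTktEnctypeIDs = parseETypes(cnf.LibDefaults.DefaultTktEnctypes, allowWeak)
	cnf.LibDefaults.PermittedEnctypeIDs = parseETypes(cnf.LibDefaults.PermittedEnctypes, allowWeak)

	cl := client.NewWithPassword(lf.Login, "CRI.EPITA.FR", lf.Password, cnf)
	if err := cl.Login(); err != nil {
		if errk, ok := err.(krberror.Krberror); ok {
			switch errk.RootCause {
			case krberror.NetworkingError:
				// The KDC could not be reached: not the user's fault, so
				// report a server-side failure and let them retry.
				c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "Authentication system unavailable, please retry."})
				return
			case krberror.KDCError:
				// Deliberately generic: do not relay why the KDC refused.
				c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"errmsg": "Invalid username or password"})
				return
			}
		}
		// Any other failure is logged for the operator; the client only
		// sees a generic rejection.
		log.Println("Unable to login through Kerberos: unknown error:", err)
		c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"errmsg": "Invalid credentials (unknown error)."})
		return
	}

	// Credentials are valid: hand over to the common session/user creation
	// path. The e-mail is rebuilt from the bare login so both forms agree.
	usr, err := completeAuth(c, lf.Login, lf.Login+"@epita.fr", "", "", 0, "", nil)
	if err != nil {
		c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"errmsg": err.Error()})
		return
	}
	c.JSON(http.StatusOK, authToken{User: usr, CurrentPromo: currentPromo})
}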