open-vault/command/agent/auth/kerberos/kerberos.go
Jeff Mitchell f7147025dd
Migrate to sdk/internalshared libs in go-secure-stdlib (#12090)
* Swap sdk/helper libs to go-secure-stdlib

* Migrate to go-secure-stdlib reloadutil

* Migrate to go-secure-stdlib kv-builder

* Migrate to go-secure-stdlib gatedwriter
2021-07-15 20:17:31 -04:00

104 lines
2.7 KiB
Go

package kerberos
import (
"context"
"errors"
"fmt"
"net/http"
"github.com/hashicorp/go-hclog"
"github.com/hashicorp/go-secure-stdlib/parseutil"
kerberos "github.com/hashicorp/vault-plugin-auth-kerberos"
"github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/command/agent/auth"
"github.com/jcmturner/gokrb5/v8/spnego"
)
type kerberosMethod struct {
logger hclog.Logger
mountPath string
loginCfg *kerberos.LoginCfg
}
func NewKerberosAuthMethod(conf *auth.AuthConfig) (auth.AuthMethod, error) {
if conf == nil {
return nil, errors.New("empty config")
}
if conf.Config == nil {
return nil, errors.New("empty config data")
}
username, err := read("username", conf.Config)
if err != nil {
return nil, err
}
service, err := read("service", conf.Config)
if err != nil {
return nil, err
}
realm, err := read("realm", conf.Config)
if err != nil {
return nil, err
}
keytabPath, err := read("keytab_path", conf.Config)
if err != nil {
return nil, err
}
krb5ConfPath, err := read("krb5conf_path", conf.Config)
if err != nil {
return nil, err
}
disableFast := false
disableFastRaw, ok := conf.Config["disable_fast_negotiation"]
if ok {
disableFast, err = parseutil.ParseBool(disableFastRaw)
if err != nil {
return nil, fmt.Errorf("error parsing 'disable_fast_negotiation': %s", err)
}
}
return &kerberosMethod{
logger: conf.Logger,
mountPath: conf.MountPath,
loginCfg: &kerberos.LoginCfg{
Username: username,
Service: service,
Realm: realm,
KeytabPath: keytabPath,
Krb5ConfPath: krb5ConfPath,
DisableFASTNegotiation: disableFast,
},
}, nil
}
func (k *kerberosMethod) Authenticate(context.Context, *api.Client) (string, http.Header, map[string]interface{}, error) {
k.logger.Trace("beginning authentication")
authHeaderVal, err := kerberos.GetAuthHeaderVal(k.loginCfg)
if err != nil {
return "", nil, nil, err
}
var header http.Header
header = make(map[string][]string)
header.Set(spnego.HTTPHeaderAuthRequest, authHeaderVal)
return k.mountPath + "/login", header, make(map[string]interface{}), nil
}
// These functions are implemented to meet the AuthHandler interface,
// but we don't need to take advantage of them.
func (k *kerberosMethod) NewCreds() chan struct{} { return nil }
func (k *kerberosMethod) CredSuccess() {}
func (k *kerberosMethod) Shutdown() {}
// read reads a key from a map and convert its value to a string.
func read(key string, m map[string]interface{}) (string, error) {
raw, ok := m[key]
if !ok {
return "", fmt.Errorf("%q is required", key)
}
v, ok := raw.(string)
if !ok {
return "", fmt.Errorf("%q must be a string", key)
}
return v, nil
}