package kerberos
import (
"context"
"errors"
"fmt"
"net/http"
"github.com/hashicorp/go-hclog"
"github.com/hashicorp/go-secure-stdlib/parseutil"
kerberos "github.com/hashicorp/vault-plugin-auth-kerberos"
"github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/command/agent/auth"
"github.com/jcmturner/gokrb5/v8/spnego"
)
// kerberosMethod is the Vault Agent auto-auth method backed by the Kerberos
// auth plugin. Instances are built by NewKerberosAuthMethod and returned as
// auth.AuthMethod.
type kerberosMethod struct {
	// logger receives the trace line emitted at the start of Authenticate.
	logger hclog.Logger
	// mountPath is the auth mount; Authenticate appends "/login" to it to
	// form the login path it returns.
	mountPath string
	// loginCfg carries the principal, realm, service and the keytab/krb5.conf
	// paths; it is handed to kerberos.GetAuthHeaderVal on every Authenticate.
	loginCfg *kerberos.LoginCfg
}
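// NewKerberosAuthMethod builds the auto-auth method for the Kerberos auth
// backend from conf.Config.
//
// Required string keys: "username", "service", "realm", "keytab_path" and
// "krb5conf_path". The optional "disable_fast_negotiation" key is parsed with
// parseutil.ParseBool and defaults to false. The keytab and krb5.conf paths
// are stored as given — they are not opened or checked here — and conf.Logger
// is stored as-is; Authenticate calls it unconditionally, so callers must
// supply one.
//
// It returns an error when conf or conf.Config is nil, when a required key is
// missing or not a string, or when "disable_fast_negotiation" is not a
// parseable boolean.
func NewKerberosAuthMethod(conf *auth.AuthConfig) (auth.AuthMethod, error) {
	if conf == nil {
		return nil, errors.New("empty config")
	}
	if conf.Config == nil {
		return nil, errors.New("empty config data")
	}

	// The required values are read in a fixed order so that the first
	// missing or mistyped key is the one reported to the operator.
	loginCfg := &kerberos.LoginCfg{}
	required := []struct {
		key string
		dst *string
	}{
		{"username", &loginCfg.Username},
		{"service", &loginCfg.Service},
		{"realm", &loginCfg.Realm},
		{"keytab_path", &loginCfg.KeytabPath},
		{"krb5conf_path", &loginCfg.Krb5ConfPath},
	}
	for _, r := range required {
		v, err := read(r.key, conf.Config)
		if err != nil {
			return nil, err
		}
		*r.dst = v
	}

	// FAST (RFC 6113) armors the Kerberos pre-authentication exchange; it
	// stays enabled unless the operator explicitly turns it off.
	if raw, ok := conf.Config["disable_fast_negotiation"]; ok {
		disableFast, err := parseutil.ParseBool(raw)
		if err != nil {
			// %w (rather than %s) keeps the parse error reachable through
			// errors.Is/errors.As; the message text is unchanged.
			return nil, fmt.Errorf("error parsing 'disable_fast_negotiation': %w", err)
		}
		loginCfg.DisableFASTNegotiation = disableFast
	}

	return &kerberosMethod{
		logger:    conf.Logger,
		mountPath: conf.MountPath,
		loginCfg:  loginCfg,
	}, nil
}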
// Authenticate produces the Kerberos login request for the agent: it returns
// the login path under the configured mount, a header carrying the value
// obtained from kerberos.GetAuthHeaderVal, an empty request body and any
// error from that call.
//
// Both parameters are unused — the header value is derived locally from
// loginCfg, so no client round trip happens here.
func (k *kerberosMethod) Authenticate(context.Context, *api.Client) (string, http.Header, map[string]interface{}, error) {
	k.logger.Trace("beginning authentication")

	// The value placed under spnego.HTTPHeaderAuthRequest is a login
	// credential; it is returned to the caller and kept out of the log line.
	token, err := kerberos.GetAuthHeaderVal(k.loginCfg)
	if err != nil {
		return "", nil, nil, err
	}

	hdr := http.Header{}
	hdr.Set(spnego.HTTPHeaderAuthRequest, token)
	return k.mountPath + "/login", hdr, map[string]interface{}{}, nil
}
// NewCreds is required by the auth.AuthMethod interface that
// NewKerberosAuthMethod returns. The Kerberos method builds its login header
// on demand inside Authenticate and never pushes new credentials, so it has
// no channel to hand out and returns nil.
func (k *kerberosMethod) NewCreds() chan struct{} {
	return nil
}
// CredSuccess is required by the auth.AuthMethod interface. The method holds
// only its static login configuration, so a successful login leaves nothing
// to update.
func (k *kerberosMethod) CredSuccess() {
	// Intentionally a no-op.
}
// Shutdown is required by the auth.AuthMethod interface. No goroutines,
// connections or files are kept open by this method, so there is nothing to
// release.
func (k *kerberosMethod) Shutdown() {
	// Intentionally a no-op.
}
// read returns m[key] as a string. It fails when key is absent from m or when
// the stored value is not a string (a present-but-nil value counts as "not a
// string"); the error names the key so the caller can report a usable
// configuration message.
func read(key string, m map[string]interface{}) (string, error) {
	raw, present := m[key]
	if !present {
		return "", fmt.Errorf("%q is required", key)
	}
	if s, isString := raw.(string); isString {
		return s, nil
	}
	return "", fmt.Errorf("%q must be a string", key)
}