forked from NeilGerring/gokrb5
-
Notifications
You must be signed in to change notification settings - Fork 0
/
APExchange.go
62 lines (54 loc) · 2.36 KB
/
APExchange.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
package service
import (
"time"
"gopkg.in/jcmturner/gokrb5.v7/credentials"
"gopkg.in/jcmturner/gokrb5.v7/iana/errorcode"
"gopkg.in/jcmturner/gokrb5.v7/messages"
)
// VerifyAPREQ verifies an AP_REQ sent to the service. Returns a boolean for if the AP_REQ is valid and the client's principal name and realm.
func VerifyAPREQ(APReq messages.APReq, s *Settings) (bool, *credentials.Credentials, error) {
var creds *credentials.Credentials
ok, err := APReq.Verify(s.Keytab, s.MaxClockSkew(), s.ClientAddress())
if err != nil || !ok {
return false, creds, err
}
if s.RequireHostAddr() && len(APReq.Ticket.DecryptedEncPart.CAddr) < 1 {
return false, creds,
messages.NewKRBError(APReq.Ticket.SName, APReq.Ticket.Realm, errorcode.KRB_AP_ERR_BADADDR, "ticket does not contain HostAddress values required")
}
// Check for replay
rc := GetReplayCache(s.MaxClockSkew())
if rc.IsReplay(APReq.Ticket.SName, APReq.Authenticator) {
return false, creds,
messages.NewKRBError(APReq.Ticket.SName, APReq.Ticket.Realm, errorcode.KRB_AP_ERR_REPEAT, "replay detected")
}
c := credentials.NewFromPrincipalName(APReq.Authenticator.CName, APReq.Authenticator.CRealm)
creds = c
creds.SetAuthTime(time.Now().UTC())
creds.SetAuthenticated(true)
creds.SetValidUntil(APReq.Ticket.DecryptedEncPart.EndTime)
//PAC decoding
if !s.disablePACDecoding {
isPAC, pac, err := APReq.Ticket.GetPACType(s.Keytab, s.KeytabPrincipal(), s.Logger())
if isPAC && err != nil {
return false, creds, err
}
if isPAC {
// There is a valid PAC. Adding attributes to creds
creds.SetADCredentials(credentials.ADCredentials{
GroupMembershipSIDs: pac.KerbValidationInfo.GetGroupMembershipSIDs(),
LogOnTime: pac.KerbValidationInfo.LogOnTime.Time(),
LogOffTime: pac.KerbValidationInfo.LogOffTime.Time(),
PasswordLastSet: pac.KerbValidationInfo.PasswordLastSet.Time(),
EffectiveName: pac.KerbValidationInfo.EffectiveName.Value,
FullName: pac.KerbValidationInfo.FullName.Value,
UserID: int(pac.KerbValidationInfo.UserID),
PrimaryGroupID: int(pac.KerbValidationInfo.PrimaryGroupID),
LogonServer: pac.KerbValidationInfo.LogonServer.Value,
LogonDomainName: pac.KerbValidationInfo.LogonDomainName.Value,
LogonDomainID: pac.KerbValidationInfo.LogonDomainID.String(),
})
}
}
return true, creds, nil
}