package kerberos
import (
"context"
"errors"
"fmt"
"net/http"
"github.com/hashicorp/go-hclog"
kerberos "github.com/hashicorp/vault-plugin-auth-kerberos"
"github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/command/agent/auth"
"github.com/jcmturner/gokrb5/v8/spnego"
)
// kerberosMethod is the Vault Agent auth method for the Kerberos auth backend.
// It is constructed by NewKerberosAuthMethod and drives a login through
// Authenticate.
type kerberosMethod struct {
	// logger comes from the AuthConfig; Authenticate calls Trace on it.
	logger hclog.Logger
	// mountPath is the auth mount; Authenticate appends "/login" to it to form
	// the login path.
	mountPath string
	// loginCfg carries the username, service, realm, keytab path and krb5.conf
	// path read from the config and is handed to kerberos.GetAuthHeaderVal.
	// The keytab it points at is a long-term credential, so its file
	// permissions should allow only the agent to read it.
	loginCfg *kerberos.LoginCfg
}
// NewKerberosAuthMethod builds the Kerberos auth method for Vault Agent from
// conf. The keys "username", "service", "realm", "keytab_path" and
// "krb5conf_path" are read from conf.Config in that order; each is required
// and must be a string, and the first one missing or mistyped aborts
// construction with an error naming that key. conf.Logger and conf.MountPath
// are carried over unchanged. A nil conf or nil conf.Config is an error.
func NewKerberosAuthMethod(conf *auth.AuthConfig) (auth.AuthMethod, error) {
	switch {
	case conf == nil:
		return nil, errors.New("empty config")
	case conf.Config == nil:
		return nil, errors.New("empty config data")
	}

	// Read the required settings in a fixed order so that a broken config
	// reports the first offending key, exactly as sequential reads would.
	keys := [...]string{"username", "service", "realm", "keytab_path", "krb5conf_path"}
	var vals [len(keys)]string
	for i, key := range keys {
		v, err := read(key, conf.Config)
		if err != nil {
			return nil, err
		}
		vals[i] = v
	}

	cfg := &kerberos.LoginCfg{
		Username: vals[0],
		Service:  vals[1],
		Realm:    vals[2],
		// The keytab is a long-term credential; restrict who can read the file.
		KeytabPath:   vals[3],
		Krb5ConfPath: vals[4],
	}

	return &kerberosMethod{
		logger:    conf.Logger,
		mountPath: conf.MountPath,
		loginCfg:  cfg,
	}, nil
}
// Authenticate prepares the login request Vault Agent sends to the Kerberos
// auth backend: the login path under the configured mount, an HTTP header
// carrying the value obtained from kerberos.GetAuthHeaderVal under
// spnego.HTTPHeaderAuthRequest, and an empty request body. The context and
// client arguments are unused. An error from building the header value is
// returned as-is, with the other results left empty.
func (k *kerberosMethod) Authenticate(context.Context, *api.Client) (string, http.Header, map[string]interface{}, error) {
	k.logger.Trace("beginning authentication")

	// The header value is the credential for this login; it is deliberately
	// never written to the log.
	token, err := kerberos.GetAuthHeaderVal(k.loginCfg)
	if err != nil {
		return "", nil, nil, err
	}

	header := http.Header{}
	header.Set(spnego.HTTPHeaderAuthRequest, token)

	body := map[string]interface{}{}
	return k.mountPath + "/login", header, body, nil
}
// These functions are implemented to meet the AuthHandler interface,
// but we don't need to take advantage of them.
// NewCreds exists to satisfy the auth.AuthMethod interface that
// NewKerberosAuthMethod returns. This method never signals new credentials,
// so it returns a nil channel (a receive on it never fires).
func (k *kerberosMethod) NewCreds() chan struct{} {
	return nil
}
// CredSuccess exists to satisfy the auth.AuthMethod interface that
// NewKerberosAuthMethod returns; this method has nothing to do after a
// successful login, so it is a no-op.
func (k *kerberosMethod) CredSuccess() {
	// intentionally empty
}
// Shutdown exists to satisfy the auth.AuthMethod interface that
// NewKerberosAuthMethod returns; this method holds no resources that need
// releasing, so it is a no-op.
func (k *kerberosMethod) Shutdown() {
	// intentionally empty
}
// read looks up key in m and returns its value as a string. A missing key
// yields the error `"<key>" is required`; a present value of any type other
// than string (including nil) yields `"<key>" must be a string`. An empty
// string is accepted and returned unchanged. A nil m behaves like an empty
// map.
func read(key string, m map[string]interface{}) (string, error) {
	raw, present := m[key]
	if !present {
		return "", fmt.Errorf("%q is required", key)
	}
	switch v := raw.(type) {
	case string:
		return v, nil
	default:
		return "", fmt.Errorf("%q must be a string", key)
	}
}