

handle raw KRB5 token (#366)
* handle raw krb5 tokens in negotiation header

Co-authored-by: jgiannuzzi <[email protected]>

Co-authored-by: Jonathan Giannuzzi <[email protected]>
jcmturner and jgiannuzzi authored Feb 8, 2020
1 parent 56d95dc commit 00ec292
Showing 2 changed files with 45 additions and 3 deletions.
17 changes: 14 additions & 3 deletions v8/spnego/http.go
Expand Up @@ -13,6 +13,7 @@ import (
"net/url"
"strings"

"github.com/jcmturner/gofork/encoding/asn1"
"github.com/jcmturner/goidentity/v6"
"github.com/jcmturner/gokrb5/v8/client"
"github.com/jcmturner/gokrb5/v8/credentials"
Expand Down Expand Up @@ -291,9 +292,19 @@ func getAuthorizationNegotiationHeaderAsSPNEGOToken(spnego *SPNEGO, r *http.Requ
var st SPNEGOToken
err = st.Unmarshal(b)
if err != nil {
err = fmt.Errorf("error in unmarshaling SPNEGO token: %v", err)
spnegoNegotiateKRB5MechType(spnego, w, "%s - SPNEGO %v", r.RemoteAddr, err)
return nil, err
// Check if this is a raw KRB5 context token - issue #347.
var k5t KRB5Token
if k5t.Unmarshal(b) != nil {
err = fmt.Errorf("error in unmarshaling SPNEGO token: %v", err)
spnegoNegotiateKRB5MechType(spnego, w, "%s - SPNEGO %v", r.RemoteAddr, err)
return nil, err
}
// Wrap it into an SPNEGO context token
st.Init = true
st.NegTokenInit = NegTokenInit{
MechTypes: []asn1.ObjectIdentifier{k5t.OID},
MechTokenBytes: b,
}
}
return &st, nil
}
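Review bot: The fallback on the `if k5t.Unmarshal(b) != nil` line discards the KRB5 unmarshal error, so a Negotiate header that is neither a valid SPNEGO token nor a raw KRB5 token is logged and returned only as an SPNEGO unmarshaling failure, which makes a malformed or hostile header harder to diagnose from the server log. Keep both causes: `if k5err := k5t.Unmarshal(b); k5err != nil {` and `err = fmt.Errorf("error in unmarshaling SPNEGO token: %v; not a raw KRB5 token either: %v", err, k5err)`. The wrapped NegTokenInit takes its MechTypes from k5t.OID, so the mechanism the server goes on to negotiate is only as trustworthy as the OID check inside KRB5Token.Unmarshal; if that method does not itself reject non-Kerberos OIDs, this path should verify k5t.OID before accepting the token. getAuthorizationNegotiationHeaderAsSPNEGOToken starts outside the hunk.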
31 changes: 31 additions & 0 deletions v8/spnego/http_test.go
Expand Up @@ -3,6 +3,7 @@ package spnego
import (
"bytes"
"crypto/rand"
"encoding/base64"
"encoding/hex"
"errors"
"fmt"
Expand Down Expand Up @@ -155,6 +156,36 @@ func TestService_SPNEGOKRB_ValidUser(t *testing.T) {
assert.Equal(t, http.StatusOK, httpResp.StatusCode, "Status code in response to client SPNEGO request not as expected")
}

func TestService_SPNEGOKRB_ValidUser_RawKRB5Token(t *testing.T) {
test.Integration(t)

s := httpServer()
defer s.Close()
r, _ := http.NewRequest("GET", s.URL, nil)

cl := getClient()
sc := SPNEGOClient(cl, "HTTP/host.test.gokrb5")
err := sc.AcquireCred()
if err != nil {
t.Fatalf("could not acquire client credential: %v", err)
}
st, err := sc.InitSecContext()
if err != nil {
t.Fatalf("could not initialize context: %v", err)
}

// Use the raw KRB5 context token
nb := st.(*SPNEGOToken).NegTokenInit.MechTokenBytes
hs := "Negotiate " + base64.StdEncoding.EncodeToString(nb)
r.Header.Set(HTTPHeaderAuthRequest, hs)

httpResp, err := http.DefaultClient.Do(r)
if err != nil {
t.Fatalf("Request error: %v\n", err)
}
assert.Equal(t, http.StatusOK, httpResp.StatusCode, "Status code in response to client SPNEGO request not as expected")
}

func TestService_SPNEGOKRB_Replay(t *testing.T) {
test.Integration(t)

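Review bot: The response body from `httpResp, err := http.DefaultClient.Do(r)` is never closed, so the connection is not returned to the transport; add `defer httpResp.Body.Close()` directly after the error check (the neighbouring tests appear to follow the same pattern, so this may be inherited style). The new test exercises only the accepting path of the raw-KRB5 fallback; a companion case that sends a Negotiate header which is neither SPNEGO nor KRB5 and asserts the rejection response would pin the error branch added in http.go. The test function lies entirely within the hunk.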
