
     1  package service
     2  
     3  import (
     4  	"time"
     5  
     6  	"github.com/jcmturner/gokrb5/v8/credentials"
     7  	"github.com/jcmturner/gokrb5/v8/iana/errorcode"
     8  	"github.com/jcmturner/gokrb5/v8/messages"
     9  )
    10  
// VerifyAPREQ validates an AP_REQ received by this service and, on success,
// builds the client's credentials from it.
//
// The checks run in order and the first failure returns early:
//  1. APReq.Verify decrypts the ticket with the service keytab and validates the
//     authenticator; the permitted clock skew, the optional client address and
//     the expected service principal all come from s.
//  2. If s.RequireHostAddr() is set, a ticket carrying no caddr values is
//     rejected with KRB_AP_ERR_BADADDR.
//  3. The authenticator is checked against the replay cache (window bounded by
//     s.MaxClockSkew()) and rejected with KRB_AP_ERR_REPEAT if already seen.
//  4. Unless PAC decoding is disabled in s, a Windows PAC found in the ticket's
//     authorization data is decoded and its KerbValidationInfo copied onto the
//     credentials as ADCredentials.
//
// Returns (true, creds, nil) when every check passes. On failure the bool is
// false; err may be nil when APReq.Verify itself reports ok=false without an
// error, so callers must gate on the bool and not only on err. When PAC
// processing fails the returned creds are already populated and marked
// authenticated — they are returned for diagnostics only and must not be
// used to authorise the client unless the bool is true.
//
// NOTE(review): the client identity placed on creds is taken from the
// authenticator (CName/CRealm), not from the decrypted ticket. The binding of
// the two is expected to be enforced inside APReq.Verify (RFC 4120 §3.2.3,
// KRB_AP_ERR_BADMATCH) — confirm that check exists before trusting this name.
func VerifyAPREQ(APReq *messages.APReq, s *Settings) (bool, *credentials.Credentials, error) {
	skew := s.MaxClockSkew()

	// Cryptographic verification of ticket and authenticator. Nothing the
	// caller can use is returned until this passes.
	verified, err := APReq.Verify(s.Keytab, skew, s.ClientAddress(), s.KeytabPrincipal())
	if !verified || err != nil {
		return false, nil, err
	}

	// Optional policy: the ticket must be bound to at least one client address.
	// The address match itself is left to APReq.Verify (it receives
	// s.ClientAddress()); this only rejects tickets with an empty caddr list.
	if s.RequireHostAddr() {
		if len(APReq.Ticket.DecryptedEncPart.CAddr) == 0 {
			e := messages.NewKRBError(APReq.Ticket.SName, APReq.Ticket.Realm,
				errorcode.KRB_AP_ERR_BADADDR, "ticket does not contain HostAddress values required")
			return false, nil, e
		}
	}

	// Replay protection: an authenticator presented twice for the same service
	// name within the skew window is refused.
	cache := GetReplayCache(skew)
	if cache.IsReplay(APReq.Ticket.SName, APReq.Authenticator) {
		e := messages.NewKRBError(APReq.Ticket.SName, APReq.Ticket.Realm,
			errorcode.KRB_AP_ERR_REPEAT, "replay detected")
		return false, nil, e
	}

	// The request is authentic; build the principal's credentials. Validity is
	// capped at the ticket's end time; auth time is the moment of this check.
	creds := credentials.NewFromPrincipalName(APReq.Authenticator.CName, APReq.Authenticator.CRealm)
	creds.SetAuthTime(time.Now().UTC())
	creds.SetAuthenticated(true)
	creds.SetValidUntil(APReq.Ticket.DecryptedEncPart.EndTime)

	if s.disablePACDecoding {
		return true, creds, nil
	}

	// PAC processing. The PAC is only decoded/validated to the extent
	// GetPACType does so (with the service keytab); a service can verify the
	// server checksum but never the KDC checksum, so PAC attributes are only as
	// trustworthy as the ticket they arrived in.
	hasPAC, pacData, pacErr := APReq.Ticket.GetPACType(s.Keytab, s.KeytabPrincipal(), s.Logger())
	if hasPAC {
		if pacErr != nil {
			// Fail closed: a PAC that is present but cannot be decoded or
			// processed must not yield any authorisation attributes.
			return false, creds, pacErr
		}
		// NOTE(review): KerbValidationInfo is dereferenced unconditionally, as in
		// the original; whether GetPACType guarantees it is set for every
		// hasPAC==true result is not visible from this file — confirm.
		info := pacData.KerbValidationInfo
		ad := credentials.ADCredentials{
			GroupMembershipSIDs: info.GetGroupMembershipSIDs(),
			LogOnTime:           info.LogOnTime.Time(),
			LogOffTime:          info.LogOffTime.Time(),
			PasswordLastSet:     info.PasswordLastSet.Time(),
			EffectiveName:       info.EffectiveName.Value,
			FullName:            info.FullName.Value,
			UserID:              int(info.UserID),
			PrimaryGroupID:      int(info.PrimaryGroupID),
			LogonServer:         info.LogonServer.Value,
			LogonDomainName:     info.LogonDomainName.Value,
			LogonDomainID:       info.LogonDomainID.String(),
		}
		creds.SetADCredentials(ad)
	}
	// NOTE(review): an error returned alongside hasPAC == false is deliberately
	// ignored (original behaviour preserved). Whether GetPACType can produce that
	// combination is not visible here; if it can, consider failing closed.

	return true, creds, nil
}