github.com/jcmturner/gokrb5/v8@v8.4.4/service/settings.go (about)

     1  package service
     2  
     3  import (
     4  	"log"
     5  	"net/http"
     6  	"time"
     7  
     8  	"github.com/jcmturner/gokrb5/v8/keytab"
     9  	"github.com/jcmturner/gokrb5/v8/types"
    10  )
    11  
// Settings defines service side configuration settings.
//
// A Settings is built with NewSettings plus the functional options defined in
// this file, and its unexported fields are read back through the accessor
// methods of the same names. Every option simply writes one field; no option
// validates its argument, so whatever a caller passes is what the accessors
// later return.
type Settings struct {
	// Keytab is the keytab the service key is looked up in (see KeytabPrincipal).
	// It is the only field set directly by NewSettings and may be nil; that is not checked here.
	Keytab             *keytab.Keytab
	// ktprinc, when non-nil, overrides the principal name used to find the key in Keytab.
	ktprinc            *types.PrincipalName
	// sname is the explicitly configured service name; empty if SName was not applied.
	sname              string
	// requireHostAddr records that tickets must carry host addresses (see RequireHostAddr).
	requireHostAddr    bool
	// disablePACDecoding is stored inverted so that the zero value means "decode the PAC".
	disablePACDecoding bool
	// cAddr is the client host address supplied for validation (see ClientAddress).
	// A single address is held per Settings.
	cAddr              types.HostAddress
	// maxClockSkew is the configured skew tolerance; zero is treated as "not set"
	// by the MaxClockSkew accessor, which then substitutes its 5 minute default.
	maxClockSkew       time.Duration
	// logger is optional and nil unless the Logger option was applied.
	logger             *log.Logger
	// sessionMgr is optional and nil unless the SessionManager option was applied.
	sessionMgr         SessionMgr
}
    24  
// NewSettings creates a new service Settings.
//
// kt is stored as the keytab the service key will be looked up in; it is not
// validated here (a nil keytab is accepted). The functional options in
// settings are applied in the order given, so when two options write the same
// field the later one wins — relevant when a caller layers its own options on
// top of defaults supplied by a wrapper.
func NewSettings(kt *keytab.Keytab, settings ...func(*Settings)) *Settings {
	cfg := &Settings{Keytab: kt}
	for _, apply := range settings {
		apply(cfg)
	}
	return cfg
}
    34  
// RequireHostAddr configures the service side to require that host addresses
// be present in the Kerberos tickets it accepts.
//
// s := NewSettings(kt, RequireHostAddr(true))
//
// The address the service is expected to compare against is the one supplied
// via ClientAddress; the comparison itself is performed by the ticket
// validation code, not in this file. The default (option not applied) is to
// not require addresses.
func RequireHostAddr(b bool) func(*Settings) {
	set := func(s *Settings) {
		s.requireHostAddr = b
	}
	return set
}
    43  
// RequireHostAddr reports whether the service requires the host address to be
// included in the ticket. It is false unless RequireHostAddr(true) was applied.
func (s *Settings) RequireHostAddr() bool {
	required := s.requireHostAddr
	return required
}
    48  
// DecodePAC enables or disables decoding of the PAC when one is present in the
// ticket. Decoding is enabled unless DecodePAC(false) is applied.
//
// s := NewSettings(kt, DecodePAC(false))
//
// The flag is stored inverted ("disabled") so that an unconfigured Settings
// decodes the PAC by default. Applications that rely on PAC-derived
// authorization data should leave decoding enabled.
func DecodePAC(b bool) func(*Settings) {
	disable := !b
	return func(s *Settings) {
		s.disablePACDecoding = disable
	}
}
    58  
// DecodePAC reports whether the service should decode any PAC information
// present in the ticket. It returns true unless decoding was switched off with
// DecodePAC(false).
func (s *Settings) DecodePAC() bool {
	if s.disablePACDecoding {
		return false
	}
	return true
}
    63  
// ClientAddress supplies the client's host address for the service to use
// during validation.
//
// s := NewSettings(kt, ClientAddress(h))
//
// A Settings holds exactly one address, so a Settings shared across requests
// from different clients would present the same address for all of them;
// per-request validation needs this option applied per request. If h is
// derived from the transport peer address behind a proxy or load balancer it
// will be the proxy's address rather than the end client's — NOTE(review):
// this is decided by the caller, not here.
func ClientAddress(h types.HostAddress) func(*Settings) {
	addr := h
	return func(s *Settings) {
		s.cAddr = addr
	}
}
    72  
// ClientAddress returns the client host address that was provided to the
// service via the ClientAddress option (the zero HostAddress if none was).
func (s *Settings) ClientAddress() types.HostAddress {
	addr := s.cAddr
	return addr
}
    77  
// Logger configures the service side with a logger.
//
// s := NewSettings(kt, Logger(l))
//
// Passing nil is equivalent to not applying the option.
func Logger(l *log.Logger) func(*Settings) {
	set := func(s *Settings) {
		s.logger = l
	}
	return set
}
    86  
// Logger returns the logger instance configured for the service. If none is
// configured, nil is returned, so callers must nil-check before logging.
func (s *Settings) Logger() *log.Logger {
	l := s.logger
	return l
}
    91  
// KeytabPrincipal overrides the principal name used to find the key in the keytab.
//
// s := NewSettings(kt, KeytabPrincipal("someaccount"))
//
// The string is parsed with types.ParseSPNString and only the principal name
// is kept; the second return value is discarded. NOTE(review): in this package
// that second value appears to be the realm of a "name@REALM" string rather
// than an error, in which case a realm given in p has no effect on key
// selection — confirm against types.ParseSPNString. The string is parsed each
// time the option is applied, not when it is constructed.
func KeytabPrincipal(p string) func(*Settings) {
	return func(s *Settings) {
		parsed, _ := types.ParseSPNString(p)
		principal := parsed
		s.ktprinc = &principal
	}
}
   101  
// KeytabPrincipal returns the principal name used to find the key in the
// keytab if it has been overridden, or nil when no override was configured.
func (s *Settings) KeytabPrincipal() *types.PrincipalName {
	pn := s.ktprinc
	return pn
}
   106  
// MaxClockSkew configures the service side with the maximum acceptable clock
// skew between the service and the issue time of Kerberos tickets.
//
// s := NewSettings(kt, MaxClockSkew(d))
//
// The value is stored as given, without validation. A zero duration is
// indistinguishable from "not configured" and is replaced by the 5 minute
// default in the MaxClockSkew accessor, so a zero-tolerance skew cannot be
// expressed through this option; a negative duration is stored and returned
// unchanged. Larger values widen the window of ticket timestamps the service
// will accept, so keep this close to the conventional 5 minute default.
func MaxClockSkew(d time.Duration) func(*Settings) {
	skew := d
	return func(s *Settings) {
		s.maxClockSkew = skew
	}
}
   116  
// MaxClockSkew returns the maximum acceptable clock skew between the service
// and the issue time of Kerberos tickets. If none is defined a duration of
// 5 minutes is returned.
//
// Only an exactly-zero stored value triggers the default; any other value,
// including a negative one, is returned as configured.
func (s *Settings) MaxClockSkew() time.Duration {
	const fallback = 5 * time.Minute
	if s.maxClockSkew == 0 {
		return fallback
	}
	return s.maxClockSkew
}
   125  
// SName provides a specific service name to the service settings.
//
// s := NewSettings(kt, SName("HTTP/some.service.com"))
//
// The string is stored verbatim; it is neither parsed nor validated here.
func SName(sname string) func(*Settings) {
	name := sname
	return func(s *Settings) {
		s.sname = name
	}
}
   134  
// SName returns the specific service name configured for the service, or the
// empty string if SName was not applied.
func (s *Settings) SName() string {
	name := s.sname
	return name
}
   139  
// SessionManager configures a session manager used to establish sessions with
// clients so that they are not challenged for authentication on every request.
//
// s := NewSettings(kt, SessionManager(sm))
//
// Because a session replaces a fresh Kerberos authentication on later
// requests, the supplied SessionMgr is security critical; see the SessionMgr
// interface for what an implementation must guarantee.
func SessionManager(sm SessionMgr) func(*Settings) {
	set := func(s *Settings) {
		s.sessionMgr = sm
	}
	return set
}
   148  
// SessionManager returns the configured session manager, or nil if the
// SessionManager option was not applied.
func (s *Settings) SessionManager() SessionMgr {
	mgr := s.sessionMgr
	return mgr
}
   153  
// SessionMgr must provide ways to:
//
// - Create new sessions and in the process add a value to the session under the key provided.
//
// - Get an existing session returning the value in the session under the key provided.
// Return nil bytes and/or error if there is no session.
//
// A session stands in for a fresh Kerberos authentication on subsequent
// requests (see SessionManager), so an implementation is security critical:
// the session identifier it hands to the client via w must be unguessable and
// unforgeable, and Get must only return a value for the client that created
// the session. Nothing in this interface enforces either property.
// NOTE(review): how the value stored under k is used after Get is decided by
// the caller and is not visible in this file.
type SessionMgr interface {
	// New creates a session for the request r, records v under key k in it,
	// and writes whatever the client needs to present it again to w.
	New(w http.ResponseWriter, r *http.Request, k string, v []byte) error
	// Get returns the value stored under key k in the session presented by r.
	Get(r *http.Request, k string) ([]byte, error)
}