forked from jackc/pgconn
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This commit adds the GSSAPI authentication to pgx. This roughly follows the lib/pq implementation: * We require registering a provider to avoid mass dependency inclusions that may not be desired (lib/pq#971). * Requires the pgproto3 package be updated. I've included my custom fork for now.
- Loading branch information
Showing
10 changed files
with
385 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
module github.com/jackc/pgconn/auth/krb | ||
|
||
go 1.18 | ||
|
||
require ( | ||
github.com/alexbrainman/sspi v0.0.0-20180613141037-e580b900e9f5 | ||
github.com/jcmturner/gokrb5/v8 v8.2.0 | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
github.com/alexbrainman/sspi v0.0.0-20180613141037-e580b900e9f5 h1:P5U+E4x5OkVEKQDklVPmzs71WM56RTTRqV4OrDC//Y4= | ||
github.com/alexbrainman/sspi v0.0.0-20180613141037-e580b900e9f5/go.mod h1:976q2ETgjT2snVCf2ZaBnyBbVoPERGjUz+0sofzEfro= | ||
github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8= | ||
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= | ||
github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ= | ||
github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= | ||
github.com/gorilla/sessions v1.2.0 h1:S7P+1Hm5V/AT9cjEcUD5uDaQSX0OE577aCXgoaKpYbQ= | ||
github.com/gorilla/sessions v1.2.0/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM= | ||
github.com/hashicorp/go-uuid v1.0.2 h1:cfejS+Tpcp13yd5nYHWDI6qVCny6wyX2Mt5SGur2IGE= | ||
github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= | ||
github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8= | ||
github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs= | ||
github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo= | ||
github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM= | ||
github.com/jcmturner/gofork v1.0.0 h1:J7uCkflzTEhUZ64xqKnkDxq3kzc96ajM1Gli5ktUem8= | ||
github.com/jcmturner/gofork v1.0.0/go.mod h1:MK8+TM0La+2rjBD4jE12Kj1pCCxK7d2LK/UM3ncEo0o= | ||
github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o= | ||
github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg= | ||
github.com/jcmturner/gokrb5/v8 v8.2.0 h1:lzPl/30ZLkTveYsYZPKMcgXc8MbnE6RsTd4F9KgiLtk= | ||
github.com/jcmturner/gokrb5/v8 v8.2.0/go.mod h1:T1hnNppQsBtxW0tCHMHTkAt8n/sABdzZgZdoFrZaZNM= | ||
github.com/jcmturner/rpc/v2 v2.0.2 h1:gMB4IwRXYsWw4Bc6o/az2HJgFUA1ffSh90i26ZJ6Xl0= | ||
github.com/jcmturner/rpc/v2 v2.0.2/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= | ||
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= | ||
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= | ||
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= | ||
github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk= | ||
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= | ||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= | ||
golang.org/x/crypto v0.0.0-20200117160349-530e935923ad h1:Jh8cai0fqIK+f6nG0UgPW5wFk8wmiMhM3AyciDBdtQg= | ||
golang.org/x/crypto v0.0.0-20200117160349-530e935923ad/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= | ||
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= | ||
golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa h1:F+8P+gmewFQYRk6JoLQLwjBCTu3mcIURZfNkVweuRKA= | ||
golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= | ||
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= | ||
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= | ||
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= | ||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= | ||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= | ||
gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw= | ||
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
package krb | ||
|
||
import ( | ||
"net" | ||
"strings" | ||
) | ||
|
||
/* | ||
* Find the A record associated with a hostname | ||
* In general, hostnames supplied to the driver should be | ||
* canonicalized because the KDC usually only has one | ||
* principal and not one per potential alias of a host. | ||
*/ | ||
func canonicalizeHostname(host string) (string, error) { | ||
canon := host | ||
|
||
name, err := net.LookupCNAME(host) | ||
if err != nil { | ||
return "", err | ||
} | ||
|
||
name = strings.TrimSuffix(name, ".") | ||
|
||
if name != "" { | ||
canon = name | ||
} | ||
|
||
return canon, nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,128 @@ | ||
//go:build !windows | ||
// +build !windows | ||
|
||
package krb | ||
|
||
import ( | ||
"fmt" | ||
"os" | ||
"os/user" | ||
"strings" | ||
|
||
"github.com/jcmturner/gokrb5/v8/client" | ||
"github.com/jcmturner/gokrb5/v8/config" | ||
"github.com/jcmturner/gokrb5/v8/credentials" | ||
"github.com/jcmturner/gokrb5/v8/spnego" | ||
) | ||
|
||
/* | ||
* UNIX Kerberos support, using jcmturner's pure-go | ||
* implementation | ||
*/ | ||
|
||
// GSS implements the pq.GSS interface. | ||
type GSS struct { | ||
cli *client.Client | ||
} | ||
|
||
// NewGSS creates a new GSS provider. | ||
func NewGSS() (*GSS, error) { | ||
g := &GSS{} | ||
err := g.init() | ||
|
||
if err != nil { | ||
return nil, err | ||
} | ||
|
||
return g, nil | ||
} | ||
|
||
func (g *GSS) init() error { | ||
cfgPath, ok := os.LookupEnv("KRB5_CONFIG") | ||
if !ok { | ||
cfgPath = "/etc/krb5.conf" | ||
} | ||
|
||
cfg, err := config.Load(cfgPath) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
u, err := user.Current() | ||
if err != nil { | ||
return err | ||
} | ||
|
||
ccpath := "/tmp/krb5cc_" + u.Uid | ||
|
||
ccname := os.Getenv("KRB5CCNAME") | ||
if strings.HasPrefix(ccname, "FILE:") { | ||
ccpath = strings.SplitN(ccname, ":", 2)[1] | ||
} | ||
|
||
ccache, err := credentials.LoadCCache(ccpath) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
cl, err := client.NewFromCCache(ccache, cfg, client.DisablePAFXFAST(true)) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
cl.Login() | ||
|
||
g.cli = cl | ||
|
||
return nil | ||
} | ||
|
||
// GetInitToken implements the GSS interface. | ||
func (g *GSS) GetInitToken(host string, service string) ([]byte, error) { | ||
|
||
// Resolve the hostname down to an 'A' record, if required (usually, it is) | ||
if g.cli.Config.LibDefaults.DNSCanonicalizeHostname { | ||
var err error | ||
host, err = canonicalizeHostname(host) | ||
if err != nil { | ||
return nil, err | ||
} | ||
} | ||
|
||
spn := service + "/" + host | ||
|
||
return g.GetInitTokenFromSPN(spn) | ||
} | ||
|
||
// GetInitTokenFromSpn implements the GSS interface. | ||
func (g *GSS) GetInitTokenFromSPN(spn string) ([]byte, error) { | ||
s := spnego.SPNEGOClient(g.cli, spn) | ||
|
||
st, err := s.InitSecContext() | ||
if err != nil { | ||
return nil, fmt.Errorf("kerberos error (InitSecContext): %s", err.Error()) | ||
} | ||
|
||
b, err := st.Marshal() | ||
if err != nil { | ||
return nil, fmt.Errorf("kerberos error (Marshaling token): %s", err.Error()) | ||
} | ||
|
||
return b, nil | ||
} | ||
|
||
// Continue implements the GSS interface. | ||
func (g *GSS) Continue(inToken []byte) (done bool, outToken []byte, err error) { | ||
t := &spnego.SPNEGOToken{} | ||
err = t.Unmarshal(inToken) | ||
if err != nil { | ||
return true, nil, fmt.Errorf("kerberos error (Unmarshaling token): %s", err.Error()) | ||
} | ||
|
||
state := t.NegTokenResp.State() | ||
if state != spnego.NegStateAcceptCompleted { | ||
return true, nil, fmt.Errorf("kerberos: expected state 'Completed' - got %d", state) | ||
} | ||
|
||
return true, nil, nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,67 @@ | ||
//go:build windows | ||
// +build windows | ||
|
||
package krb | ||
|
||
import ( | ||
"github.com/alexbrainman/sspi" | ||
"github.com/alexbrainman/sspi/negotiate" | ||
) | ||
|
||
// GSS implements the pq.GSS interface. | ||
type GSS struct { | ||
creds *sspi.Credentials | ||
ctx *negotiate.ClientContext | ||
} | ||
|
||
// NewGSS creates a new GSS provider. | ||
func NewGSS() (*GSS, error) { | ||
g := &GSS{} | ||
err := g.init() | ||
|
||
if err != nil { | ||
return nil, err | ||
} | ||
|
||
return g, nil | ||
} | ||
|
||
func (g *GSS) init() error { | ||
creds, err := negotiate.AcquireCurrentUserCredentials() | ||
if err != nil { | ||
return err | ||
} | ||
|
||
g.creds = creds | ||
return nil | ||
} | ||
|
||
// GetInitToken implements the GSS interface. | ||
func (g *GSS) GetInitToken(host string, service string) ([]byte, error) { | ||
|
||
host, err := canonicalizeHostname(host) | ||
if err != nil { | ||
return nil, err | ||
} | ||
|
||
spn := service + "/" + host | ||
|
||
return g.GetInitTokenFromSpn(spn) | ||
} | ||
|
||
// GetInitTokenFromSpn implements the GSS interface. | ||
func (g *GSS) GetInitTokenFromSpn(spn string) ([]byte, error) { | ||
ctx, token, err := negotiate.NewClientContext(g.creds, spn) | ||
if err != nil { | ||
return nil, err | ||
} | ||
|
||
g.ctx = ctx | ||
|
||
return token, nil | ||
} | ||
|
||
// Continue implements the GSS interface. | ||
func (g *GSS) Continue(inToken []byte) (done bool, outToken []byte, err error) { | ||
return g.ctx.Update(inToken) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.