Blame - vendor/github.com/Shopify/sarama/gssapi_kerberos.go - voltha-go

blob: ab8b70196f8239cb42ec9b8b114ba20b7863d977 [file] [log] [blame]

Scott Baker	8461e15	2019-10-01 14:44:30 -0700	[diff] [blame]	1	package sarama
				2
				3	import (
				4	"encoding/binary"
khenaidoo	d948f77	2021-08-11 17:49:24 -0400	[diff] [blame^]	5	"errors"
Scott Baker	8461e15	2019-10-01 14:44:30 -0700	[diff] [blame]	6	"fmt"
Scott Baker	8461e15	2019-10-01 14:44:30 -0700	[diff] [blame]	7	"io"
khenaidoo	d948f77	2021-08-11 17:49:24 -0400	[diff] [blame^]	8	"math"
Scott Baker	8461e15	2019-10-01 14:44:30 -0700	[diff] [blame]	9	"strings"
				10	"time"
khenaidoo	d948f77	2021-08-11 17:49:24 -0400	[diff] [blame^]	11
				12	"github.com/jcmturner/gofork/encoding/asn1"
				13	"github.com/jcmturner/gokrb5/v8/asn1tools"
				14	"github.com/jcmturner/gokrb5/v8/gssapi"
				15	"github.com/jcmturner/gokrb5/v8/iana/chksumtype"
				16	"github.com/jcmturner/gokrb5/v8/iana/keyusage"
				17	"github.com/jcmturner/gokrb5/v8/messages"
				18	"github.com/jcmturner/gokrb5/v8/types"
Scott Baker	8461e15	2019-10-01 14:44:30 -0700	[diff] [blame]	19	)
				20
				21	const (
				22	TOK_ID_KRB_AP_REQ = 256
				23	GSS_API_GENERIC_TAG = 0x60
				24	KRB5_USER_AUTH = 1
				25	KRB5_KEYTAB_AUTH = 2
				26	GSS_API_INITIAL = 1
				27	GSS_API_VERIFY = 2
				28	GSS_API_FINISH = 3
				29	)
				30
				31	type GSSAPIConfig struct {
				32	AuthType int
				33	KeyTabPath string
				34	KerberosConfigPath string
				35	ServiceName string
				36	Username string
				37	Password string
				38	Realm string
khenaidoo	d948f77	2021-08-11 17:49:24 -0400	[diff] [blame^]	39	DisablePAFXFAST bool
Scott Baker	8461e15	2019-10-01 14:44:30 -0700	[diff] [blame]	40	}
				41
				42	type GSSAPIKerberosAuth struct {
				43	Config *GSSAPIConfig
				44	ticket messages.Ticket
				45	encKey types.EncryptionKey
				46	NewKerberosClientFunc func(config *GSSAPIConfig) (KerberosClient, error)
				47	step int
				48	}
				49
				50	type KerberosClient interface {
				51	Login() error
				52	GetServiceTicket(spn string) (messages.Ticket, types.EncryptionKey, error)
				53	Domain() string
				54	CName() types.PrincipalName
				55	Destroy()
				56	}
				57
khenaidoo	d948f77	2021-08-11 17:49:24 -0400	[diff] [blame^]	58	// writePackage appends length in big endian before the payload, and sends it to kafka
Scott Baker	8461e15	2019-10-01 14:44:30 -0700	[diff] [blame]	59	func (krbAuth GSSAPIKerberosAuth) writePackage(broker Broker, payload []byte) (int, error) {
khenaidoo	d948f77	2021-08-11 17:49:24 -0400	[diff] [blame^]	60	length := uint64(len(payload))
				61	size := length + 4 // 4 byte length header + payload
				62	if size > math.MaxInt32 {
				63	return 0, errors.New("payload too large, will overflow int32")
				64	}
				65	finalPackage := make([]byte, size)
Scott Baker	8461e15	2019-10-01 14:44:30 -0700	[diff] [blame]	66	copy(finalPackage[4:], payload)
				67	binary.BigEndian.PutUint32(finalPackage, uint32(length))
				68	bytes, err := broker.conn.Write(finalPackage)
				69	if err != nil {
				70	return bytes, err
				71	}
				72	return bytes, nil
				73	}
				74
khenaidoo	d948f77	2021-08-11 17:49:24 -0400	[diff] [blame^]	75	// readPackage reads payload length (4 bytes) and then reads the payload into []byte
Scott Baker	8461e15	2019-10-01 14:44:30 -0700	[diff] [blame]	76	func (krbAuth GSSAPIKerberosAuth) readPackage(broker Broker) ([]byte, int, error) {
				77	bytesRead := 0
				78	lengthInBytes := make([]byte, 4)
				79	bytes, err := io.ReadFull(broker.conn, lengthInBytes)
				80	if err != nil {
				81	return nil, bytesRead, err
				82	}
				83	bytesRead += bytes
				84	payloadLength := binary.BigEndian.Uint32(lengthInBytes)
				85	payloadBytes := make([]byte, payloadLength) // buffer for read..
				86	bytes, err = io.ReadFull(broker.conn, payloadBytes) // read bytes
				87	if err != nil {
				88	return payloadBytes, bytesRead, err
				89	}
				90	bytesRead += bytes
				91	return payloadBytes, bytesRead, nil
				92	}
				93
				94	func (krbAuth *GSSAPIKerberosAuth) newAuthenticatorChecksum() []byte {
				95	a := make([]byte, 24)
				96	flags := []int{gssapi.ContextFlagInteg, gssapi.ContextFlagConf}
				97	binary.LittleEndian.PutUint32(a[:4], 16)
				98	for _, i := range flags {
				99	f := binary.LittleEndian.Uint32(a[20:24])
				100	f \|= uint32(i)
				101	binary.LittleEndian.PutUint32(a[20:24], f)
				102	}
				103	return a
				104	}
				105
				106	/*
				107	*
				108	* Construct Kerberos AP_REQ package, conforming to RFC-4120
				109	* https://tools.ietf.org/html/rfc4120#page-84
				110	*
				111	*/
				112	func (krbAuth *GSSAPIKerberosAuth) createKrb5Token(
				113	domain string, cname types.PrincipalName,
				114	ticket messages.Ticket,
				115	sessionKey types.EncryptionKey) ([]byte, error) {
				116	auth, err := types.NewAuthenticator(domain, cname)
				117	if err != nil {
				118	return nil, err
				119	}
				120	auth.Cksum = types.Checksum{
				121	CksumType: chksumtype.GSSAPI,
				122	Checksum: krbAuth.newAuthenticatorChecksum(),
				123	}
				124	APReq, err := messages.NewAPReq(
				125	ticket,
				126	sessionKey,
				127	auth,
				128	)
				129	if err != nil {
				130	return nil, err
				131	}
				132	aprBytes := make([]byte, 2)
				133	binary.BigEndian.PutUint16(aprBytes, TOK_ID_KRB_AP_REQ)
				134	tb, err := APReq.Marshal()
				135	if err != nil {
				136	return nil, err
				137	}
				138	aprBytes = append(aprBytes, tb...)
				139	return aprBytes, nil
				140	}
				141
				142	/*
				143	*
				144	* Append the GSS-API header to the payload, conforming to RFC-2743
				145	* Section 3.1, Mechanism-Independent Token Format
				146	*
				147	* https://tools.ietf.org/html/rfc2743#page-81
				148	*
				149	* GSSAPIHeader + <specific mechanism payload>
				150	*
				151	*/
				152	func (krbAuth *GSSAPIKerberosAuth) appendGSSAPIHeader(payload []byte) ([]byte, error) {
khenaidoo	d948f77	2021-08-11 17:49:24 -0400	[diff] [blame^]	153	oidBytes, err := asn1.Marshal(gssapi.OIDKRB5.OID())
Scott Baker	8461e15	2019-10-01 14:44:30 -0700	[diff] [blame]	154	if err != nil {
				155	return nil, err
				156	}
				157	tkoLengthBytes := asn1tools.MarshalLengthBytes(len(oidBytes) + len(payload))
				158	GSSHeader := append([]byte{GSS_API_GENERIC_TAG}, tkoLengthBytes...)
				159	GSSHeader = append(GSSHeader, oidBytes...)
				160	GSSPackage := append(GSSHeader, payload...)
				161	return GSSPackage, nil
				162	}
				163
				164	func (krbAuth *GSSAPIKerberosAuth) initSecContext(bytes []byte, kerberosClient KerberosClient) ([]byte, error) {
				165	switch krbAuth.step {
				166	case GSS_API_INITIAL:
				167	aprBytes, err := krbAuth.createKrb5Token(
				168	kerberosClient.Domain(),
				169	kerberosClient.CName(),
				170	krbAuth.ticket,
				171	krbAuth.encKey)
				172	if err != nil {
				173	return nil, err
				174	}
				175	krbAuth.step = GSS_API_VERIFY
				176	return krbAuth.appendGSSAPIHeader(aprBytes)
				177	case GSS_API_VERIFY:
				178	wrapTokenReq := gssapi.WrapToken{}
				179	if err := wrapTokenReq.Unmarshal(bytes, true); err != nil {
				180	return nil, err
				181	}
				182	// Validate response.
				183	isValid, err := wrapTokenReq.Verify(krbAuth.encKey, keyusage.GSSAPI_ACCEPTOR_SEAL)
				184	if !isValid {
				185	return nil, err
				186	}
				187
				188	wrapTokenResponse, err := gssapi.NewInitiatorWrapToken(wrapTokenReq.Payload, krbAuth.encKey)
				189	if err != nil {
				190	return nil, err
				191	}
				192	krbAuth.step = GSS_API_FINISH
				193	return wrapTokenResponse.Marshal()
				194	}
				195	return nil, nil
				196	}
				197
				198	/* This does the handshake for authorization */
				199	func (krbAuth GSSAPIKerberosAuth) Authorize(broker Broker) error {
Scott Baker	8461e15	2019-10-01 14:44:30 -0700	[diff] [blame]	200	kerberosClient, err := krbAuth.NewKerberosClientFunc(krbAuth.Config)
				201	if err != nil {
				202	Logger.Printf("Kerberos client error: %s", err)
				203	return err
				204	}
				205
				206	err = kerberosClient.Login()
				207	if err != nil {
				208	Logger.Printf("Kerberos client error: %s", err)
				209	return err
				210	}
				211	// Construct SPN using serviceName and host
				212	// SPN format: <SERVICE>/<FQDN>
				213
				214	host := strings.SplitN(broker.addr, ":", 2)[0] // Strip port part
				215	spn := fmt.Sprintf("%s/%s", broker.conf.Net.SASL.GSSAPI.ServiceName, host)
				216
				217	ticket, encKey, err := kerberosClient.GetServiceTicket(spn)
Scott Baker	8461e15	2019-10-01 14:44:30 -0700	[diff] [blame]	218	if err != nil {
				219	Logger.Printf("Error getting Kerberos service ticket : %s", err)
				220	return err
				221	}
				222	krbAuth.ticket = ticket
				223	krbAuth.encKey = encKey
				224	krbAuth.step = GSS_API_INITIAL
				225	var receivedBytes []byte = nil
				226	defer kerberosClient.Destroy()
				227	for {
				228	packBytes, err := krbAuth.initSecContext(receivedBytes, kerberosClient)
				229	if err != nil {
				230	Logger.Printf("Error while performing GSSAPI Kerberos Authentication: %s\n", err)
				231	return err
				232	}
				233	requestTime := time.Now()
				234	bytesWritten, err := krbAuth.writePackage(broker, packBytes)
				235	if err != nil {
				236	Logger.Printf("Error while performing GSSAPI Kerberos Authentication: %s\n", err)
				237	return err
				238	}
				239	broker.updateOutgoingCommunicationMetrics(bytesWritten)
				240	if krbAuth.step == GSS_API_VERIFY {
khenaidoo	d948f77	2021-08-11 17:49:24 -0400	[diff] [blame^]	241	bytesRead := 0
Scott Baker	8461e15	2019-10-01 14:44:30 -0700	[diff] [blame]	242	receivedBytes, bytesRead, err = krbAuth.readPackage(broker)
				243	requestLatency := time.Since(requestTime)
				244	broker.updateIncomingCommunicationMetrics(bytesRead, requestLatency)
				245	if err != nil {
				246	Logger.Printf("Error while performing GSSAPI Kerberos Authentication: %s\n", err)
				247	return err
				248	}
				249	} else if krbAuth.step == GSS_API_FINISH {
				250	return nil
				251	}
				252	}
				253	}