├── .github └── workflows │ └── go.yml ├── LICENSE ├── README.md ├── examples └── main.go ├── go.mod ├── go.sum ├── spnego.go ├── spnego_gokrb5.go ├── spnego_windows.go └── transport.go /.github/workflows/go.yml: -------------------------------------------------------------------------------- 1 | name: Go 2 | 3 | on: 4 | push: 5 | branches: [ master ] 6 | pull_request: 7 | branches: [ master ] 8 | 9 | jobs: 10 | 11 | build: 12 | runs-on: ubuntu-latest 13 | strategy: 14 | matrix: 15 | go: ["1.15", "1.16"] 16 | steps: 17 | - uses: actions/checkout@v2 18 | 19 | - name: Set up Go 20 | uses: actions/setup-go@v2 21 | with: 22 | go-version: ${{ matrix.go }} 23 | 24 | - name: Build 25 | run: go build -v ./... 26 | 27 | - name: Test 28 | run: go test -v ./... 29 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 Daniel Potapov 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # go-spnego 2 | 3 | The package extends Go's HTTP Transport allowing Kerberos authentication through Negotiate mechanism (see [RFC4559](https://tools.ietf.org/html/rfc4559)). 4 | 5 | Internally it is implemented by wrapping 2 libraries: [gokrb5](https://github.com/jcmturner/gokrb5) on Linux and [sspi](https://github.com/alexbrainman/sspi) on Windows. 6 | 7 | There is no pre-authenticaion yet, so the library assumes you have Kerberos ticket obtained. 8 | 9 | Linux implementation requires MIT or Heimdal Kerberos to be present. Windows implementation utilizes credentials of currently logged in user. 10 | 11 | Currently it allows only to make HTTP calls, no server side support yet. 12 | 13 | ### Installation 14 | 15 | ``` 16 | go get github.com/dpotapov/go-spnego 17 | ``` 18 | 19 | ### Usage example 20 | 21 | ``` 22 | import "github.com/dpotapov/go-spnego" 23 | ... 24 | c := &http.Client{ 25 | Transport: &spnego.Transport{}, 26 | } 27 | 28 | resp, err := c.Get("http://kerberized.service.com/") 29 | ``` 30 | 31 | ### Configuration 32 | 33 | Windows: no configuration options. 34 | 35 | Linux: 36 | * `KRB5_CONFIG` - path to configuration file in MIT Kerberos format. Default is `/etc/krb5.conf`. 37 | * `KRB5CCNAME` - path to credential cache in the form _type:residual_. Only `FILE:` type is supported. Default is `FILE:/tmp/krb5cc_$(id -u)` -------------------------------------------------------------------------------- /examples/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "net/http" 6 | "os" 7 | 8 | "github.com/dpotapov/go-spnego" 9 | ) 10 | 11 | func main() { 12 | c := &http.Client{ 13 | Transport: &spnego.Transport{}, 14 | } 15 | 16 | if len(os.Args) < 2 { 17 | fmt.Printf("Usage:\n\t%s \n", os.Args[0]) 18 | return 19 | } 20 | 21 | resp, err := c.Get(os.Args[1]) 22 | if err != nil { 23 | panic(err) 24 | } 25 | 26 | fmt.Print(resp.Status) 27 | } 28 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/dpotapov/go-spnego 2 | 3 | go 1.12 4 | 5 | require ( 6 | github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 7 | github.com/jcmturner/gokrb5/v8 v8.4.2 8 | golang.org/x/net v0.0.0-20201021035429-f5854403a974 // indirect 9 | ) 10 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA= 2 | github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= 3 | github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8= 4 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 5 | github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ= 6 | github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= 7 | github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7FsgI= 8 | github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM= 9 | github.com/hashicorp/go-uuid v1.0.2 h1:cfejS+Tpcp13yd5nYHWDI6qVCny6wyX2Mt5SGur2IGE= 10 | github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= 11 | github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8= 12 | github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs= 13 | github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo= 14 | github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM= 15 | github.com/jcmturner/gofork v1.0.0 h1:J7uCkflzTEhUZ64xqKnkDxq3kzc96ajM1Gli5ktUem8= 16 | github.com/jcmturner/gofork v1.0.0/go.mod h1:MK8+TM0La+2rjBD4jE12Kj1pCCxK7d2LK/UM3ncEo0o= 17 | github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o= 18 | github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg= 19 | github.com/jcmturner/gokrb5/v8 v8.4.2 h1:6ZIM6b/JJN0X8UM43ZOM6Z4SJzla+a/u7scXFJzodkA= 20 | github.com/jcmturner/gokrb5/v8 v8.4.2/go.mod h1:sb+Xq/fTY5yktf/VxLsE3wlfPqQjp0aWNYyvBVK62bc= 21 | github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY= 22 | github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= 23 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 24 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 25 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 26 | github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 27 | github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0= 28 | github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 29 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 30 | golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 31 | golang.org/x/crypto v0.0.0-20201112155050-0c6587e931a9 h1:umElSU9WZirRdgu2yFHY0ayQkEnKiOC1TtM3fWXFnoU= 32 | golang.org/x/crypto v0.0.0-20201112155050-0c6587e931a9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 33 | golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 34 | golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 35 | golang.org/x/net v0.0.0-20201021035429-f5854403a974 h1:IX6qOQeG5uLjB/hjjwjedwfjND0hgjPMMyO1RoIXQNI= 36 | golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= 37 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 38 | golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 39 | golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 40 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 41 | golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 42 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 43 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= 44 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 45 | gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 46 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= 47 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 48 | -------------------------------------------------------------------------------- /spnego.go: -------------------------------------------------------------------------------- 1 | package spnego 2 | 3 | import ( 4 | "net" 5 | "net/http" 6 | "strings" 7 | ) 8 | 9 | // Provider is the interface that wraps OS agnostic functions for handling SPNEGO communication 10 | type Provider interface { 11 | SetSPNEGOHeader(*http.Request, bool) error 12 | } 13 | 14 | func canonicalizeHostname(hostname string) (string, error) { 15 | addrs, err := net.LookupHost(hostname) 16 | if err != nil { 17 | return "", err 18 | } 19 | if len(addrs) < 1 { 20 | return hostname, nil 21 | } 22 | 23 | names, err := net.LookupAddr(addrs[0]) 24 | if err != nil { 25 | return "", err 26 | } 27 | if len(names) < 1 { 28 | return hostname, nil 29 | } 30 | 31 | return strings.TrimRight(names[0], "."), nil 32 | } 33 | -------------------------------------------------------------------------------- /spnego_gokrb5.go: -------------------------------------------------------------------------------- 1 | // +build !windows 2 | 3 | package spnego 4 | 5 | import ( 6 | "net/http" 7 | "os" 8 | "os/user" 9 | "strings" 10 | 11 | "github.com/jcmturner/gokrb5/v8/client" 12 | "github.com/jcmturner/gokrb5/v8/config" 13 | "github.com/jcmturner/gokrb5/v8/credentials" 14 | "github.com/jcmturner/gokrb5/v8/spnego" 15 | ) 16 | 17 | type krb5 struct { 18 | cfg *config.Config 19 | cl *client.Client 20 | } 21 | 22 | // New constructs OS specific implementation of spnego.Provider interface 23 | func New() Provider { 24 | return &krb5{} 25 | } 26 | 27 | func (k *krb5) makeCfg() error { 28 | if k.cfg != nil { 29 | return nil 30 | } 31 | 32 | cfgPath := os.Getenv("KRB5_CONFIG") 33 | if _, err := os.Stat(cfgPath); os.IsNotExist(err) { 34 | cfgPath = "/etc/krb5.conf" // ToDo: Macs and Windows have different path, also some Unix may have /etc/krb5/krb5.conf 35 | } 36 | 37 | cfg, err := config.Load(cfgPath) 38 | if err != nil { 39 | return err 40 | } 41 | 42 | k.cfg = cfg 43 | return nil 44 | } 45 | 46 | func (k *krb5) makeClient() error { 47 | u, err := user.Current() 48 | if err != nil { 49 | return err 50 | } 51 | 52 | ccpath := "/tmp/krb5cc_" + u.Uid 53 | 54 | ccname := os.Getenv("KRB5CCNAME") 55 | if strings.HasPrefix(ccname, "FILE:") { 56 | ccpath = strings.SplitN(ccname, ":", 2)[1] 57 | } 58 | 59 | ccache, err := credentials.LoadCCache(ccpath) 60 | if err != nil { 61 | return err 62 | } 63 | 64 | k.cl, err = client.NewFromCCache(ccache, k.cfg, client.DisablePAFXFAST(true)) 65 | return err 66 | } 67 | 68 | func (k *krb5) SetSPNEGOHeader(req *http.Request, canonicalize bool) error { 69 | h := req.URL.Hostname() 70 | if canonicalize { 71 | var err error 72 | if h, err = canonicalizeHostname(h); err != nil { 73 | return err 74 | } 75 | } 76 | 77 | if err := k.makeCfg(); err != nil { 78 | return err 79 | } 80 | 81 | if err := k.makeClient(); err != nil { 82 | return err 83 | } 84 | 85 | return spnego.SetSPNEGOHeader(k.cl, req, "HTTP/"+h) 86 | } 87 | -------------------------------------------------------------------------------- /spnego_windows.go: -------------------------------------------------------------------------------- 1 | package spnego 2 | 3 | import ( 4 | "encoding/base64" 5 | "net/http" 6 | 7 | "github.com/alexbrainman/sspi/negotiate" 8 | ) 9 | 10 | // SSPI implements spnego.Provider interface on Windows OS 11 | type sspi struct{} 12 | 13 | // New constructs OS specific implementation of spnego.Provider interface 14 | func New() Provider { 15 | return &sspi{} 16 | } 17 | 18 | // SetSPNEGOHeader puts the SPNEGO authorization header on HTTP request object 19 | func (s *sspi) SetSPNEGOHeader(req *http.Request, canonicalize bool) error { 20 | h := req.URL.Hostname() 21 | if canonicalize { 22 | var err error 23 | if h, err = canonicalizeHostname(h); err != nil { 24 | return err 25 | } 26 | } 27 | spn := "HTTP/" + h 28 | 29 | cred, err := negotiate.AcquireCurrentUserCredentials() 30 | if err != nil { 31 | return err 32 | } 33 | defer cred.Release() 34 | 35 | secctx, token, err := negotiate.NewClientContext(cred, spn) 36 | if err != nil { 37 | return err 38 | } 39 | defer secctx.Release() 40 | 41 | req.Header.Set("Authorization", "Negotiate "+base64.StdEncoding.EncodeToString(token)) 42 | return nil 43 | } 44 | -------------------------------------------------------------------------------- /transport.go: -------------------------------------------------------------------------------- 1 | package spnego 2 | 3 | import "net/http" 4 | 5 | // Transport extends the native http.Transport to provide SPNEGO communication 6 | type Transport struct { 7 | http.Transport 8 | spnego Provider 9 | NoCanonicalize bool 10 | } 11 | 12 | // Error is used to distinguish errors from underlying libraries (gokrb5 or sspi). 13 | type Error struct { 14 | Err error 15 | } 16 | 17 | // Error implements the error interface 18 | func (e *Error) Error() string { 19 | return e.Err.Error() 20 | } 21 | 22 | // RoundTrip implements the RoundTripper interface. 23 | func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) { 24 | if t.spnego == nil { 25 | t.spnego = New() 26 | } 27 | 28 | if err := t.spnego.SetSPNEGOHeader(req, !t.NoCanonicalize); err != nil { 29 | return nil, &Error{Err: err} 30 | } 31 | 32 | return t.Transport.RoundTrip(req) 33 | // ToDo: process negotiate token from response 34 | } 35 | --------------------------------------------------------------------------------