Add single sign-on support via SSPI on Windows (#8463)
* Add single sign-on support via SSPI on Windows * Ensure plugins implement interface * Ensure plugins implement interface * Move functions used only by the SSPI auth method to sspi_windows.go * Field SSPISeparatorReplacement of AuthenticationForm should not be required via binding, as binding will insist the field is non-empty even if another login type is selected * Fix breaking of oauth authentication on download links. Do not create new session with SSPI authentication on download links. * Update documentation for the new 'SPNEGO with SSPI' login source * Mention in documentation that ROOT_URL should contain the FQDN of the server * Make sure that Contexter is not checking for active login sources when the ORM engine is not initialized (eg. when installing) * Always initialize and free SSO methods, even if they are not enabled, as a method can be activated while the app is running (from Authentication sources) * Add option in SSPIConfig for removing of domains from logon names * Update helper text for StripDomainNames option * Make sure handleSignIn() is called after a new user object is created by SSPI auth method * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Only make a query to the DB to check if SSPI is enabled on handlers that need that information for templates * Remove code duplication * Log errors in ActiveLoginSources Co-Authored-By: Lauris BH <lauris@nix.lv> * Revert suffix of randomly generated E-mails for Reverse proxy authentication Co-Authored-By: Lauris BH <lauris@nix.lv> * Revert unneeded white-space change in template Co-Authored-By: Lauris BH <lauris@nix.lv> * Add copyright comments at the top of new files * Use loopback name for randomly generated emails * Add locale tag for the SSPISeparatorReplacement field with proper casing * Revert casing of SSPISeparatorReplacement field in locale file, moving it up, next to other form fields * Update docs/content/doc/features/authentication.en-us.md Co-Authored-By: guillep2k <18600385+guillep2k@users.noreply.github.com> * Remove Priority() method and define the order in which SSO auth methods should be executed in one place * Log authenticated username only if it's not empty * Rephrase helper text for automatic creation of users * Return error if more than one active SSPI auth source is found * Change newUser() function to return error, letting caller log/handle the error * Move isPublicResource, isPublicPage and handleSignIn functions outside SSPI auth method to allow other SSO methods to reuse them if needed * Refactor initialization of the list containing SSO auth methods * Validate SSPI settings on POST * Change SSPI to only perform authentication on its own login page, API paths and download links. Leave Toggle middleware to redirect non authenticated users to login page * Make 'Default language' in SSPI config empty, unless changed by admin * Show error if admin tries to add a second authentication source of type SSPI * Simplify declaration of global variable * Rebuild gitgraph.js on Linux * Make sure config values containing only whitespace are not acceptedtokarchuk/v1.17
parent
eb1b225d9a
commit
7b4d2f7a2a
@ -0,0 +1,125 @@ |
||||
// Copyright 2014 The Gogs Authors. All rights reserved.
|
||||
// Copyright 2019 The Gitea Authors. All rights reserved.
|
||||
// Use of this source code is governed by a MIT-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package sso |
||||
|
||||
import ( |
||||
"strings" |
||||
|
||||
"code.gitea.io/gitea/models" |
||||
"code.gitea.io/gitea/modules/base" |
||||
"code.gitea.io/gitea/modules/log" |
||||
"code.gitea.io/gitea/modules/setting" |
||||
"code.gitea.io/gitea/modules/timeutil" |
||||
|
||||
"gitea.com/macaron/macaron" |
||||
"gitea.com/macaron/session" |
||||
) |
||||
|
||||
// Ensure the struct implements the interface.
|
||||
var ( |
||||
_ SingleSignOn = &Basic{} |
||||
) |
||||
|
||||
// Basic implements the SingleSignOn interface and authenticates requests (API requests
|
||||
// only) by looking for Basic authentication data or "x-oauth-basic" token in the "Authorization"
|
||||
// header.
|
||||
type Basic struct { |
||||
} |
||||
|
||||
// Init does nothing as the Basic implementation does not need to allocate any resources
|
||||
func (b *Basic) Init() error { |
||||
return nil |
||||
} |
||||
|
||||
// Free does nothing as the Basic implementation does not have to release any resources
|
||||
func (b *Basic) Free() error { |
||||
return nil |
||||
} |
||||
|
||||
// IsEnabled returns true as this plugin is enabled by default and its not possible to disable
|
||||
// it from settings.
|
||||
func (b *Basic) IsEnabled() bool { |
||||
return setting.Service.EnableBasicAuth |
||||
} |
||||
|
||||
// VerifyAuthData extracts and validates Basic data (username and password/token) from the
|
||||
// "Authorization" header of the request and returns the corresponding user object for that
|
||||
// name/token on successful validation.
|
||||
// Returns nil if header is empty or validation fails.
|
||||
func (b *Basic) VerifyAuthData(ctx *macaron.Context, sess session.Store) *models.User { |
||||
baHead := ctx.Req.Header.Get("Authorization") |
||||
if len(baHead) == 0 { |
||||
return nil |
||||
} |
||||
|
||||
auths := strings.Fields(baHead) |
||||
if len(auths) != 2 || auths[0] != "Basic" { |
||||
return nil |
||||
} |
||||
|
||||
var u *models.User |
||||
uname, passwd, _ := base.BasicAuthDecode(auths[1]) |
||||
|
||||
// Check if username or password is a token
|
||||
isUsernameToken := len(passwd) == 0 || passwd == "x-oauth-basic" |
||||
// Assume username is token
|
||||
authToken := uname |
||||
if !isUsernameToken { |
||||
// Assume password is token
|
||||
authToken = passwd |
||||
} |
||||
|
||||
uid := CheckOAuthAccessToken(authToken) |
||||
if uid != 0 { |
||||
var err error |
||||
ctx.Data["IsApiToken"] = true |
||||
|
||||
u, err = models.GetUserByID(uid) |
||||
if err != nil { |
||||
log.Error("GetUserByID: %v", err) |
||||
return nil |
||||
} |
||||
} |
||||
token, err := models.GetAccessTokenBySHA(authToken) |
||||
if err == nil { |
||||
if isUsernameToken { |
||||
u, err = models.GetUserByID(token.UID) |
||||
if err != nil { |
||||
log.Error("GetUserByID: %v", err) |
||||
return nil |
||||
} |
||||
} else { |
||||
u, err = models.GetUserByName(uname) |
||||
if err != nil { |
||||
log.Error("GetUserByID: %v", err) |
||||
return nil |
||||
} |
||||
if u.ID != token.UID { |
||||
return nil |
||||
} |
||||
} |
||||
token.UpdatedUnix = timeutil.TimeStampNow() |
||||
if err = models.UpdateAccessToken(token); err != nil { |
||||
log.Error("UpdateAccessToken: %v", err) |
||||
} |
||||
} else if !models.IsErrAccessTokenNotExist(err) && !models.IsErrAccessTokenEmpty(err) { |
||||
log.Error("GetAccessTokenBySha: %v", err) |
||||
} |
||||
|
||||
if u == nil { |
||||
u, err = models.UserSignIn(uname, passwd) |
||||
if err != nil { |
||||
if !models.IsErrUserNotExist(err) { |
||||
log.Error("UserSignIn: %v", err) |
||||
} |
||||
return nil |
||||
} |
||||
} else { |
||||
ctx.Data["IsApiToken"] = true |
||||
} |
||||
|
||||
return u |
||||
} |
@ -0,0 +1,33 @@ |
||||
// Copyright 2019 The Gitea Authors. All rights reserved.
|
||||
// Use of this source code is governed by a MIT-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package sso |
||||
|
||||
import ( |
||||
"code.gitea.io/gitea/models" |
||||
|
||||
"gitea.com/macaron/macaron" |
||||
"gitea.com/macaron/session" |
||||
) |
||||
|
||||
// SingleSignOn represents a SSO authentication method (plugin) for HTTP requests.
|
||||
type SingleSignOn interface { |
||||
// Init should be called exactly once before using any of the other methods,
|
||||
// in order to allow the plugin to allocate necessary resources
|
||||
Init() error |
||||
|
||||
// Free should be called exactly once before application closes, in order to
|
||||
// give chance to the plugin to free any allocated resources
|
||||
Free() error |
||||
|
||||
// IsEnabled checks if the current SSO method has been enabled in settings.
|
||||
IsEnabled() bool |
||||
|
||||
// VerifyAuthData tries to verify the SSO authentication data contained in the request.
|
||||
// If verification is successful returns either an existing user object (with id > 0)
|
||||
// or a new user object (with id = 0) populated with the information that was found
|
||||
// in the authentication data (username or email).
|
||||
// Returns nil if verification fails.
|
||||
VerifyAuthData(ctx *macaron.Context, sess session.Store) *models.User |
||||
} |
@ -0,0 +1,142 @@ |
||||
// Copyright 2014 The Gogs Authors. All rights reserved.
|
||||
// Copyright 2019 The Gitea Authors. All rights reserved.
|
||||
// Use of this source code is governed by a MIT-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package sso |
||||
|
||||
import ( |
||||
"strings" |
||||
"time" |
||||
|
||||
"code.gitea.io/gitea/models" |
||||
"code.gitea.io/gitea/modules/log" |
||||
"code.gitea.io/gitea/modules/timeutil" |
||||
|
||||
"gitea.com/macaron/macaron" |
||||
"gitea.com/macaron/session" |
||||
) |
||||
|
||||
// Ensure the struct implements the interface.
|
||||
var ( |
||||
_ SingleSignOn = &OAuth2{} |
||||
) |
||||
|
||||
// CheckOAuthAccessToken returns uid of user from oauth token
|
||||
func CheckOAuthAccessToken(accessToken string) int64 { |
||||
// JWT tokens require a "."
|
||||
if !strings.Contains(accessToken, ".") { |
||||
return 0 |
||||
} |
||||
token, err := models.ParseOAuth2Token(accessToken) |
||||
if err != nil { |
||||
log.Trace("ParseOAuth2Token: %v", err) |
||||
return 0 |
||||
} |
||||
var grant *models.OAuth2Grant |
||||
if grant, err = models.GetOAuth2GrantByID(token.GrantID); err != nil || grant == nil { |
||||
return 0 |
||||
} |
||||
if token.Type != models.TypeAccessToken { |
||||
return 0 |
||||
} |
||||
if token.ExpiresAt < time.Now().Unix() || token.IssuedAt > time.Now().Unix() { |
||||
return 0 |
||||
} |
||||
return grant.UserID |
||||
} |
||||
|
||||
// OAuth2 implements the SingleSignOn interface and authenticates requests
|
||||
// (API requests only) by looking for an OAuth token in query parameters or the
|
||||
// "Authorization" header.
|
||||
type OAuth2 struct { |
||||
} |
||||
|
||||
// Init does nothing as the OAuth2 implementation does not need to allocate any resources
|
||||
func (o *OAuth2) Init() error { |
||||
return nil |
||||
} |
||||
|
||||
// Free does nothing as the OAuth2 implementation does not have to release any resources
|
||||
func (o *OAuth2) Free() error { |
||||
return nil |
||||
} |
||||
|
||||
// userIDFromToken returns the user id corresponding to the OAuth token.
|
||||
func (o *OAuth2) userIDFromToken(ctx *macaron.Context) int64 { |
||||
// Check access token.
|
||||
tokenSHA := ctx.Query("token") |
||||
if len(tokenSHA) == 0 { |
||||
tokenSHA = ctx.Query("access_token") |
||||
} |
||||
if len(tokenSHA) == 0 { |
||||
// Well, check with header again.
|
||||
auHead := ctx.Req.Header.Get("Authorization") |
||||
if len(auHead) > 0 { |
||||
auths := strings.Fields(auHead) |
||||
if len(auths) == 2 && (auths[0] == "token" || strings.ToLower(auths[0]) == "bearer") { |
||||
tokenSHA = auths[1] |
||||
} |
||||
} |
||||
} |
||||
if len(tokenSHA) == 0 { |
||||
return 0 |
||||
} |
||||
|
||||
// Let's see if token is valid.
|
||||
if strings.Contains(tokenSHA, ".") { |
||||
uid := CheckOAuthAccessToken(tokenSHA) |
||||
if uid != 0 { |
||||
ctx.Data["IsApiToken"] = true |
||||
} |
||||
return uid |
||||
} |
||||
t, err := models.GetAccessTokenBySHA(tokenSHA) |
||||
if err != nil { |
||||
if models.IsErrAccessTokenNotExist(err) || models.IsErrAccessTokenEmpty(err) { |
||||
log.Error("GetAccessTokenBySHA: %v", err) |
||||
} |
||||
return 0 |
||||
} |
||||
t.UpdatedUnix = timeutil.TimeStampNow() |
||||
if err = models.UpdateAccessToken(t); err != nil { |
||||
log.Error("UpdateAccessToken: %v", err) |
||||
} |
||||
ctx.Data["IsApiToken"] = true |
||||
return t.UID |
||||
} |
||||
|
||||
// IsEnabled returns true as this plugin is enabled by default and its not possible
|
||||
// to disable it from settings.
|
||||
func (o *OAuth2) IsEnabled() bool { |
||||
return true |
||||
} |
||||
|
||||
// VerifyAuthData extracts the user ID from the OAuth token in the query parameters
|
||||
// or the "Authorization" header and returns the corresponding user object for that ID.
|
||||
// If verification is successful returns an existing user object.
|
||||
// Returns nil if verification fails.
|
||||
func (o *OAuth2) VerifyAuthData(ctx *macaron.Context, sess session.Store) *models.User { |
||||
if !models.HasEngine { |
||||
return nil |
||||
} |
||||
|
||||
if !isAPIPath(ctx) && !isAttachmentDownload(ctx) { |
||||
return nil |
||||
} |
||||
|
||||
id := o.userIDFromToken(ctx) |
||||
if id <= 0 { |
||||
return nil |
||||
} |
||||
|
||||
user, err := models.GetUserByID(id) |
||||
if err != nil { |
||||
if !models.IsErrUserNotExist(err) { |
||||
log.Error("GetUserByName: %v", err) |
||||
} |
||||
return nil |
||||
} |
||||
|
||||
return user |
||||
} |
@ -0,0 +1,115 @@ |
||||
// Copyright 2014 The Gogs Authors. All rights reserved.
|
||||
// Copyright 2019 The Gitea Authors. All rights reserved.
|
||||
// Use of this source code is governed by a MIT-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package sso |
||||
|
||||
import ( |
||||
"strings" |
||||
|
||||
"code.gitea.io/gitea/models" |
||||
"code.gitea.io/gitea/modules/log" |
||||
"code.gitea.io/gitea/modules/setting" |
||||
|
||||
"gitea.com/macaron/macaron" |
||||
"gitea.com/macaron/session" |
||||
gouuid "github.com/satori/go.uuid" |
||||
) |
||||
|
||||
// Ensure the struct implements the interface.
|
||||
var ( |
||||
_ SingleSignOn = &ReverseProxy{} |
||||
) |
||||
|
||||
// ReverseProxy implements the SingleSignOn interface, but actually relies on
|
||||
// a reverse proxy for authentication of users.
|
||||
// On successful authentication the proxy is expected to populate the username in the
|
||||
// "setting.ReverseProxyAuthUser" header. Optionally it can also populate the email of the
|
||||
// user in the "setting.ReverseProxyAuthEmail" header.
|
||||
type ReverseProxy struct { |
||||
} |
||||
|
||||
// getUserName extracts the username from the "setting.ReverseProxyAuthUser" header
|
||||
func (r *ReverseProxy) getUserName(ctx *macaron.Context) string { |
||||
webAuthUser := strings.TrimSpace(ctx.Req.Header.Get(setting.ReverseProxyAuthUser)) |
||||
if len(webAuthUser) == 0 { |
||||
return "" |
||||
} |
||||
return webAuthUser |
||||
} |
||||
|
||||
// Init does nothing as the ReverseProxy implementation does not need initialization
|
||||
func (r *ReverseProxy) Init() error { |
||||
return nil |
||||
} |
||||
|
||||
// Free does nothing as the ReverseProxy implementation does not have to release resources
|
||||
func (r *ReverseProxy) Free() error { |
||||
return nil |
||||
} |
||||
|
||||
// IsEnabled checks if EnableReverseProxyAuth setting is true
|
||||
func (r *ReverseProxy) IsEnabled() bool { |
||||
return setting.Service.EnableReverseProxyAuth |
||||
} |
||||
|
||||
// VerifyAuthData extracts the username from the "setting.ReverseProxyAuthUser" header
|
||||
// of the request and returns the corresponding user object for that name.
|
||||
// Verification of header data is not performed as it should have already been done by
|
||||
// the revese proxy.
|
||||
// If a username is available in the "setting.ReverseProxyAuthUser" header an existing
|
||||
// user object is returned (populated with username or email found in header).
|
||||
// Returns nil if header is empty.
|
||||
func (r *ReverseProxy) VerifyAuthData(ctx *macaron.Context, sess session.Store) *models.User { |
||||
username := r.getUserName(ctx) |
||||
if len(username) == 0 { |
||||
return nil |
||||
} |
||||
|
||||
user, err := models.GetUserByName(username) |
||||
if err != nil { |
||||
if models.IsErrUserNotExist(err) && r.isAutoRegisterAllowed() { |
||||
return r.newUser(ctx) |
||||
} |
||||
log.Error("GetUserByName: %v", err) |
||||
return nil |
||||
} |
||||
|
||||
return user |
||||
} |
||||
|
||||
// isAutoRegisterAllowed checks if EnableReverseProxyAutoRegister setting is true
|
||||
func (r *ReverseProxy) isAutoRegisterAllowed() bool { |
||||
return setting.Service.EnableReverseProxyAutoRegister |
||||
} |
||||
|
||||
// newUser creates a new user object for the purpose of automatic registration
|
||||
// and populates its name and email with the information present in request headers.
|
||||
func (r *ReverseProxy) newUser(ctx *macaron.Context) *models.User { |
||||
username := r.getUserName(ctx) |
||||
if len(username) == 0 { |
||||
return nil |
||||
} |
||||
|
||||
email := gouuid.NewV4().String() + "@localhost" |
||||
if setting.Service.EnableReverseProxyEmail { |
||||
webAuthEmail := ctx.Req.Header.Get(setting.ReverseProxyAuthEmail) |
||||
if len(webAuthEmail) > 0 { |
||||
email = webAuthEmail |
||||
} |
||||
} |
||||
|
||||
user := &models.User{ |
||||
Name: username, |
||||
Email: email, |
||||
Passwd: username, |
||||
IsActive: true, |
||||
} |
||||
if err := models.CreateUser(user); err != nil { |
||||
// FIXME: should I create a system notice?
|
||||
log.Error("CreateUser: %v", err) |
||||
return nil |
||||
} |
||||
return user |
||||
} |
@ -0,0 +1,49 @@ |
||||
// Copyright 2019 The Gitea Authors. All rights reserved.
|
||||
// Use of this source code is governed by a MIT-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package sso |
||||
|
||||
import ( |
||||
"code.gitea.io/gitea/models" |
||||
|
||||
"gitea.com/macaron/macaron" |
||||
"gitea.com/macaron/session" |
||||
) |
||||
|
||||
// Ensure the struct implements the interface.
|
||||
var ( |
||||
_ SingleSignOn = &Session{} |
||||
) |
||||
|
||||
// Session checks if there is a user uid stored in the session and returns the user
|
||||
// object for that uid.
|
||||
type Session struct { |
||||
} |
||||
|
||||
// Init does nothing as the Session implementation does not need to allocate any resources
|
||||
func (s *Session) Init() error { |
||||
return nil |
||||
} |
||||
|
||||
// Free does nothing as the Session implementation does not have to release any resources
|
||||
func (s *Session) Free() error { |
||||
return nil |
||||
} |
||||
|
||||
// IsEnabled returns true as this plugin is enabled by default and its not possible to disable
|
||||
// it from settings.
|
||||
func (s *Session) IsEnabled() bool { |
||||
return true |
||||
} |
||||
|
||||
// VerifyAuthData checks if there is a user uid stored in the session and returns the user
|
||||
// object for that uid.
|
||||
// Returns nil if there is no user uid stored in the session.
|
||||
func (s *Session) VerifyAuthData(ctx *macaron.Context, sess session.Store) *models.User { |
||||
user := SessionUser(sess) |
||||
if user != nil { |
||||
return user |
||||
} |
||||
return nil |
||||
} |
@ -0,0 +1,141 @@ |
||||
// Copyright 2014 The Gogs Authors. All rights reserved.
|
||||
// Copyright 2019 The Gitea Authors. All rights reserved.
|
||||
// Use of this source code is governed by a MIT-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package sso |
||||
|
||||
import ( |
||||
"fmt" |
||||
"reflect" |
||||
"strings" |
||||
|
||||
"code.gitea.io/gitea/models" |
||||
"code.gitea.io/gitea/modules/log" |
||||
"code.gitea.io/gitea/modules/setting" |
||||
|
||||
"gitea.com/macaron/macaron" |
||||
"gitea.com/macaron/session" |
||||
) |
||||
|
||||
// ssoMethods contains the list of SSO authentication plugins in the order they are expected to be
|
||||
// executed.
|
||||
//
|
||||
// The OAuth2 plugin is expected to be executed first, as it must ignore the user id stored
|
||||
// in the session (if there is a user id stored in session other plugins might return the user
|
||||
// object for that id).
|
||||
//
|
||||
// The Session plugin is expected to be executed second, in order to skip authentication
|
||||
// for users that have already signed in.
|
||||
var ssoMethods = []SingleSignOn{ |
||||
&OAuth2{}, |
||||
&Session{}, |
||||
&ReverseProxy{}, |
||||
&Basic{}, |
||||
} |
||||
|
||||
// The purpose of the following three function variables is to let the linter know that
|
||||
// those functions are not dead code and are actually being used
|
||||
var ( |
||||
_ = handleSignIn |
||||
) |
||||
|
||||
// Methods returns the instances of all registered SSO methods
|
||||
func Methods() []SingleSignOn { |
||||
return ssoMethods |
||||
} |
||||
|
||||
// Register adds the specified instance to the list of available SSO methods
|
||||
func Register(method SingleSignOn) { |
||||
ssoMethods = append(ssoMethods, method) |
||||
} |
||||
|
||||
// Init should be called exactly once when the application starts to allow SSO plugins
|
||||
// to allocate necessary resources
|
||||
func Init() { |
||||
for _, method := range Methods() { |
||||
err := method.Init() |
||||
if err != nil { |
||||
log.Error("Could not initialize '%s' SSO method, error: %s", reflect.TypeOf(method).String(), err) |
||||
} |
||||
} |
||||
} |
||||
|
||||
// Free should be called exactly once when the application is terminating to allow SSO plugins
|
||||
// to release necessary resources
|
||||
func Free() { |
||||
for _, method := range Methods() { |
||||
err := method.Free() |
||||
if err != nil { |
||||
log.Error("Could not free '%s' SSO method, error: %s", reflect.TypeOf(method).String(), err) |
||||
} |
||||
} |
||||
} |
||||
|
||||
// SessionUser returns the user object corresponding to the "uid" session variable.
|
||||
func SessionUser(sess session.Store) *models.User { |
||||
// Get user ID
|
||||
uid := sess.Get("uid") |
||||
if uid == nil { |
||||
return nil |
||||
} |
||||
id, ok := uid.(int64) |
||||
if !ok { |
||||
return nil |
||||
} |
||||
|
||||
// Get user object
|
||||
user, err := models.GetUserByID(id) |
||||
if err != nil { |
||||
if !models.IsErrUserNotExist(err) { |
||||
log.Error("GetUserById: %v", err) |
||||
} |
||||
return nil |
||||
} |
||||
return user |
||||
} |
||||
|
||||
// isAPIPath returns true if the specified URL is an API path
|
||||
func isAPIPath(ctx *macaron.Context) bool { |
||||
return strings.HasPrefix(ctx.Req.URL.Path, "/api/") |
||||
} |
||||
|
||||
// isAttachmentDownload check if request is a file download (GET) with URL to an attachment
|
||||
func isAttachmentDownload(ctx *macaron.Context) bool { |
||||
return strings.HasPrefix(ctx.Req.URL.Path, "/attachments/") && ctx.Req.Method == "GET" |
||||
} |
||||
|
||||
// handleSignIn clears existing session variables and stores new ones for the specified user object
|
||||
func handleSignIn(ctx *macaron.Context, sess session.Store, user *models.User) { |
||||
_ = sess.Delete("openid_verified_uri") |
||||
_ = sess.Delete("openid_signin_remember") |
||||
_ = sess.Delete("openid_determined_email") |
||||
_ = sess.Delete("openid_determined_username") |
||||
_ = sess.Delete("twofaUid") |
||||
_ = sess.Delete("twofaRemember") |
||||
_ = sess.Delete("u2fChallenge") |
||||
_ = sess.Delete("linkAccount") |
||||
err := sess.Set("uid", user.ID) |
||||
if err != nil { |
||||
log.Error(fmt.Sprintf("Error setting session: %v", err)) |
||||
} |
||||
err = sess.Set("uname", user.Name) |
||||
if err != nil { |
||||
log.Error(fmt.Sprintf("Error setting session: %v", err)) |
||||
} |
||||
|
||||
// Language setting of the user overwrites the one previously set
|
||||
// If the user does not have a locale set, we save the current one.
|
||||
if len(user.Language) == 0 { |
||||
user.Language = ctx.Locale.Language() |
||||
if err := models.UpdateUserCols(user, "language"); err != nil { |
||||
log.Error(fmt.Sprintf("Error updating user language [user: %d, locale: %s]", user.ID, user.Language)) |
||||
return |
||||
} |
||||
} |
||||
|
||||
ctx.SetCookie("lang", user.Language, nil, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true) |
||||
|
||||
// Clear whatever CSRF has right now, force to generate a new one
|
||||
ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true) |
||||
} |
@ -0,0 +1,237 @@ |
||||
// Copyright 2019 The Gitea Authors. All rights reserved.
|
||||
// Use of this source code is governed by a MIT-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package sso |
||||
|
||||
import ( |
||||
"errors" |
||||
"reflect" |
||||
"strings" |
||||
|
||||
"code.gitea.io/gitea/models" |
||||
"code.gitea.io/gitea/modules/base" |
||||
"code.gitea.io/gitea/modules/log" |
||||
"code.gitea.io/gitea/modules/setting" |
||||
|
||||
"gitea.com/macaron/macaron" |
||||
"gitea.com/macaron/session" |
||||
|
||||
"github.com/quasoft/websspi" |
||||
gouuid "github.com/satori/go.uuid" |
||||
) |
||||
|
||||
const ( |
||||
tplSignIn base.TplName = "user/auth/signin" |
||||
) |
||||
|
||||
var ( |
||||
// sspiAuth is a global instance of the websspi authentication package,
|
||||
// which is used to avoid acquiring the server credential handle on
|
||||
// every request
|
||||
sspiAuth *websspi.Authenticator |
||||
|
||||
// Ensure the struct implements the interface.
|
||||
_ SingleSignOn = &SSPI{} |
||||
) |
||||
|
||||
// SSPI implements the SingleSignOn interface and authenticates requests
|
||||
// via the built-in SSPI module in Windows for SPNEGO authentication.
|
||||
// On successful authentication returns a valid user object.
|
||||
// Returns nil if authentication fails.
|
||||
type SSPI struct { |
||||
} |
||||
|
||||
// Init creates a new global websspi.Authenticator object
|
||||
func (s *SSPI) Init() error { |
||||
config := websspi.NewConfig() |
||||
var err error |
||||
sspiAuth, err = websspi.New(config) |
||||
return err |
||||
} |
||||
|
||||
// Free releases resources used by the global websspi.Authenticator object
|
||||
func (s *SSPI) Free() error { |
||||
return sspiAuth.Free() |
||||
} |
||||
|
||||
// IsEnabled checks if there is an active SSPI authentication source
|
||||
func (s *SSPI) IsEnabled() bool { |
||||
return models.IsSSPIEnabled() |
||||
} |
||||
|
||||
// VerifyAuthData uses SSPI (Windows implementation of SPNEGO) to authenticate the request.
|
||||
// If authentication is successful, returs the corresponding user object.
|
||||
// If negotiation should continue or authentication fails, immediately returns a 401 HTTP
|
||||
// response code, as required by the SPNEGO protocol.
|
||||
func (s *SSPI) VerifyAuthData(ctx *macaron.Context, sess session.Store) *models.User { |
||||
if !s.shouldAuthenticate(ctx) { |
||||
return nil |
||||
} |
||||
|
||||
cfg, err := s.getConfig() |
||||
if err != nil { |
||||
log.Error("could not get SSPI config: %v", err) |
||||
return nil |
||||
} |
||||
|
||||
userInfo, outToken, err := sspiAuth.Authenticate(ctx.Req.Request, ctx.Resp) |
||||
if err != nil { |
||||
log.Warn("Authentication failed with error: %v\n", err) |
||||
sspiAuth.AppendAuthenticateHeader(ctx.Resp, outToken) |
||||
|
||||
// Include the user login page in the 401 response to allow the user
|
||||
// to login with another authentication method if SSPI authentication
|
||||
// fails
|
||||
addFlashErr(ctx, ctx.Tr("auth.sspi_auth_failed")) |
||||
ctx.Data["EnableOpenIDSignIn"] = setting.Service.EnableOpenIDSignIn |
||||
ctx.Data["EnableSSPI"] = true |
||||
ctx.HTML(401, string(tplSignIn)) |
||||
return nil |
||||
} |
||||
if outToken != "" { |
||||
sspiAuth.AppendAuthenticateHeader(ctx.Resp, outToken) |
||||
} |
||||
|
||||
username := sanitizeUsername(userInfo.Username, cfg) |
||||
if len(username) == 0 { |
||||
return nil |
||||
} |
||||
log.Info("Authenticated as %s\n", username) |
||||
|
||||
user, err := models.GetUserByName(username) |
||||
if err != nil { |
||||
if !models.IsErrUserNotExist(err) { |
||||
log.Error("GetUserByName: %v", err) |
||||
return nil |
||||
} |
||||
if !cfg.AutoCreateUsers { |
||||
log.Error("User '%s' not found", username) |
||||
return nil |
||||
} |
||||
user, err = s.newUser(ctx, username, cfg) |
||||
if err != nil { |
||||
log.Error("CreateUser: %v", err) |
||||
return nil |
||||
} |
||||
} |
||||
|
||||
// Make sure requests to API paths and PWA resources do not create a new session
|
||||
if !isAPIPath(ctx) && !isAttachmentDownload(ctx) { |
||||
handleSignIn(ctx, sess, user) |
||||
} |
||||
|
||||
return user |
||||
} |
||||
|
||||
// getConfig retrieves the SSPI configuration from login sources
|
||||
func (s *SSPI) getConfig() (*models.SSPIConfig, error) { |
||||
sources, err := models.ActiveLoginSources(models.LoginSSPI) |
||||
if err != nil { |
||||
return nil, err |
||||
} |
||||
if len(sources) == 0 { |
||||
return nil, errors.New("no active login sources of type SSPI found") |
||||
} |
||||
if len(sources) > 1 { |
||||
return nil, errors.New("more than one active login source of type SSPI found") |
||||
} |
||||
return sources[0].SSPI(), nil |
||||
} |
||||
|
||||
func (s *SSPI) shouldAuthenticate(ctx *macaron.Context) (shouldAuth bool) { |
||||
shouldAuth = false |
||||
path := strings.TrimSuffix(ctx.Req.URL.Path, "/") |
||||
if path == "/user/login" { |
||||
if ctx.Req.FormValue("user_name") != "" && ctx.Req.FormValue("password") != "" { |
||||
shouldAuth = false |
||||
} else if ctx.Req.FormValue("auth_with_sspi") == "1" { |
||||
shouldAuth = true |
||||
} |
||||
} else if isAPIPath(ctx) || isAttachmentDownload(ctx) { |
||||
shouldAuth = true |
||||
} |
||||
return |
||||
} |
||||
|
||||
// newUser creates a new user object for the purpose of automatic registration
|
||||
// and populates its name and email with the information present in request headers.
|
||||
func (s *SSPI) newUser(ctx *macaron.Context, username string, cfg *models.SSPIConfig) (*models.User, error) { |
||||
email := gouuid.NewV4().String() + "@localhost.localdomain" |
||||
user := &models.User{ |
||||
Name: username, |
||||
Email: email, |
||||
KeepEmailPrivate: true, |
||||
Passwd: gouuid.NewV4().String(), |
||||
IsActive: cfg.AutoActivateUsers, |
||||
Language: cfg.DefaultLanguage, |
||||
UseCustomAvatar: true, |
||||
Avatar: base.DefaultAvatarLink(), |
||||
EmailNotificationsPreference: models.EmailNotificationsDisabled, |
||||
} |
||||
if err := models.CreateUser(user); err != nil { |
||||
return nil, err |
||||
} |
||||
return user, nil |
||||
} |
||||
|
||||
// stripDomainNames removes NETBIOS domain name and separator from down-level logon names
|
||||
// (eg. "DOMAIN\user" becomes "user"), and removes the UPN suffix (domain name) and separator
|
||||
// from UPNs (eg. "user@domain.local" becomes "user")
|
||||
func stripDomainNames(username string) string { |
||||
if strings.Contains(username, "\\") { |
||||
parts := strings.SplitN(username, "\\", 2) |
||||
if len(parts) > 1 { |
||||
username = parts[1] |
||||
} |
||||
} else if strings.Contains(username, "@") { |
||||
parts := strings.Split(username, "@") |
||||
if len(parts) > 1 { |
||||
username = parts[0] |
||||
} |
||||
} |
||||
return username |
||||
} |
||||
|
||||
func replaceSeparators(username string, cfg *models.SSPIConfig) string { |
||||
newSep := cfg.SeparatorReplacement |
||||
username = strings.ReplaceAll(username, "\\", newSep) |
||||
username = strings.ReplaceAll(username, "/", newSep) |
||||
username = strings.ReplaceAll(username, "@", newSep) |
||||
return username |
||||
} |
||||
|
||||
func sanitizeUsername(username string, cfg *models.SSPIConfig) string { |
||||
if len(username) == 0 { |
||||
return "" |
||||
} |
||||
if cfg.StripDomainNames { |
||||
username = stripDomainNames(username) |
||||
} |
||||
// Replace separators even if we have already stripped the domain name part,
|
||||
// as the username can contain several separators: eg. "MICROSOFT\useremail@live.com"
|
||||
username = replaceSeparators(username, cfg) |
||||
return username |
||||
} |
||||
|
||||
// addFlashErr adds an error message to the Flash object mapped to a macaron.Context
|
||||
func addFlashErr(ctx *macaron.Context, err string) { |
||||
fv := ctx.GetVal(reflect.TypeOf(&session.Flash{})) |
||||
if !fv.IsValid() { |
||||
return |
||||
} |
||||
flash, ok := fv.Interface().(*session.Flash) |
||||
if !ok { |
||||
return |
||||
} |
||||
flash.Error(err) |
||||
ctx.Data["Flash"] = flash |
||||
} |
||||
|
||||
// init registers the SSPI auth method as the last method in the list.
|
||||
// The SSPI plugin is expected to be executed last, as it returns 401 status code if negotiation
|
||||
// fails (or if negotiation should continue), which would prevent other authentication methods
|
||||
// to execute at all.
|
||||
func init() { |
||||
Register(&SSPI{}) |
||||
} |
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
@ -0,0 +1,43 @@ |
||||
<div class="sspi field {{if not (eq .type 7)}}hide{{end}}"> |
||||
<div class="field"> |
||||
<div class="ui checkbox"> |
||||
<label for="sspi_auto_create_users"><strong>{{.i18n.Tr "admin.auths.sspi_auto_create_users"}}</strong></label> |
||||
<input id="sspi_auto_create_users" name="sspi_auto_create_users" class="sspi-auto-create-users" type="checkbox" {{if .SSPIAutoCreateUsers}}checked{{end}}> |
||||
<p class="help">{{.i18n.Tr "admin.auths.sspi_auto_create_users_helper"}}</p> |
||||
</div> |
||||
</div> |
||||
<div class="field"> |
||||
<div class="ui checkbox"> |
||||
<label for="sspi_auto_activate_users"><strong>{{.i18n.Tr "admin.auths.sspi_auto_activate_users"}}</strong></label> |
||||
<input id="sspi_auto_activate_users" name="sspi_auto_activate_users" class="sspi-auto-activate-users" type="checkbox" {{if .SSPIAutoActivateUsers}}checked{{end}}> |
||||
<p class="help">{{.i18n.Tr "admin.auths.sspi_auto_activate_users_helper"}}</p> |
||||
</div> |
||||
</div> |
||||
<div class="field"> |
||||
<div class="ui checkbox"> |
||||
<label for="sspi_strip_domain_names"><strong>{{.i18n.Tr "admin.auths.sspi_strip_domain_names"}}</strong></label> |
||||
<input id="sspi_strip_domain_names" name="sspi_strip_domain_names" class="sspi-strip-domain-names" type="checkbox" {{if .SSPIStripDomainNames}}checked{{end}}> |
||||
<p class="help">{{.i18n.Tr "admin.auths.sspi_strip_domain_names_helper"}}</p> |
||||
</div> |
||||
</div> |
||||
<div class="required field"> |
||||
<label for="sspi_separator_replacement">{{.i18n.Tr "admin.auths.sspi_separator_replacement"}}</label> |
||||
<input id="sspi_separator_replacement" name="sspi_separator_replacement" value="{{.SSPISeparatorReplacement}}"> |
||||
<p class="help">{{.i18n.Tr "admin.auths.sspi_separator_replacement_helper"}}</p> |
||||
</div> |
||||
<div class="field"> |
||||
<label for="sspi_default_language">{{.i18n.Tr "admin.auths.sspi_default_language"}}</label> |
||||
<div class="ui language selection dropdown" id="sspi_default_language"> |
||||
<input name="sspi_default_language" type="hidden" value="{{.SSPIDefaultLanguage}}"> |
||||
<i class="dropdown icon"></i> |
||||
<div class="text">{{range .AllLangs}}{{if eq $.SSPIDefaultLanguage .Lang}}{{.Name}}{{end}}{{end}}</div> |
||||
<div class="menu"> |
||||
<div class="item{{if not $.SSPIDefaultLanguage}} active selected{{end}}" data-value="">-</div> |
||||
{{range .AllLangs}} |
||||
<div class="item{{if eq $.SSPIDefaultLanguage .Lang}} active selected{{end}}" data-value="{{.Lang}}">{{.Name}}</div> |
||||
{{end}} |
||||
</div> |
||||
</div> |
||||
<p class="help">{{.i18n.Tr "admin.auths.sspi_default_language_helper"}}</p> |
||||
</div> |
||||
</div> |
@ -1,11 +1,19 @@ |
||||
{{if .EnableOpenIDSignIn}} |
||||
{{if or .EnableOpenIDSignIn .EnableSSPI}} |
||||
<div class="ui secondary pointing tabular top attached borderless menu new-menu navbar"> |
||||
<a class="{{if .PageIsLogin}}active{{end}} item" rel="nofollow" href="{{AppSubUrl}}/user/login"> |
||||
{{.i18n.Tr "auth.login_userpass"}} |
||||
</a> |
||||
{{if .EnableOpenIDSignIn}} |
||||
<a class="{{if .PageIsLoginOpenID}}active{{end}} item" rel="nofollow" href="{{AppSubUrl}}/user/login/openid"> |
||||
<i class="fa fa-openid"></i> |
||||
OpenID |
||||
</a> |
||||
{{end}} |
||||
{{if .EnableSSPI}} |
||||
<a class="item" rel="nofollow" href="{{AppSubUrl}}/user/login?auth_with_sspi=1"> |
||||
<i class="fa fa-windows"></i> |
||||
SSPI |
||||
</a> |
||||
{{end}} |
||||
</div> |
||||
{{end}} |
||||
|
@ -0,0 +1,12 @@ |
||||
# Binaries for programs and plugins |
||||
*.exe |
||||
*.exe~ |
||||
*.dll |
||||
*.so |
||||
*.dylib |
||||
|
||||
# Test binary, build with `go test -c` |
||||
*.test |
||||
|
||||
# Output of the go coverage tool, specifically when used with LiteIDE |
||||
*.out |
@ -0,0 +1,13 @@ |
||||
jobs: |
||||
include: |
||||
- os: windows |
||||
script: $GOPATH/bin/goveralls -service=travis-ci |
||||
language: go |
||||
sudo: false |
||||
go: 1.13.x |
||||
before_install: go get github.com/mattn/goveralls |
||||
- os: linux |
||||
script: go build |
||||
language: go |
||||
sudo: false |
||||
go: 1.13.x |
@ -0,0 +1,21 @@ |
||||
MIT License |
||||
|
||||
Copyright (c) 2019 QuaSoft |
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy |
||||
of this software and associated documentation files (the "Software"), to deal |
||||
in the Software without restriction, including without limitation the rights |
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |
||||
copies of the Software, and to permit persons to whom the Software is |
||||
furnished to do so, subject to the following conditions: |
||||
|
||||
The above copyright notice and this permission notice shall be included in all |
||||
copies or substantial portions of the Software. |
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |
||||
SOFTWARE. |
@ -0,0 +1,41 @@ |
||||
# websspi |
||||
|
||||
[![GoDoc](https://godoc.org/github.com/quasoft/websspi?status.svg)](https://godoc.org/github.com/quasoft/websspi) [![Build Status](https://travis-ci.org/quasoft/websspi.png?branch=master)](https://travis-ci.org/quasoft/websspi) [![Coverage Status](https://coveralls.io/repos/github/quasoft/websspi/badge.svg?branch=master)](https://coveralls.io/github/quasoft/websspi?branch=master) [![Go Report Card](https://goreportcard.com/badge/github.com/quasoft/websspi)](https://goreportcard.com/report/github.com/quasoft/websspi) |
||||
|
||||
`websspi` will be an HTTP middleware for Golang that uses Kerberos for single sign-on (SSO) authentication of browser based clients in a Windows environment. |
||||
|
||||
The main goal is to create a middleware that performs authentication of HTTP requests without the need to create or use keytab files. |
||||
|
||||
The middleware will implement the scheme defined by RFC4559 (SPNEGO-based HTTP Authentication in Microsoft Windows) to exchange security tokens via HTTP headers and will use SSPI (Security Support Provider Interface) to authenticate HTTP requests. |
||||
|
||||
## How to use |
||||
|
||||
The examples directory contains a simple web server that demonstrates how to use the package. |
||||
Before trying it, you need to prepare your environment: |
||||
|
||||
1. Create a separate user account in active directory, under which the web server process will be running (eg. `user` under the `domain.local` domain) |
||||
|
||||
2. Create a service principal name for the host with class HTTP: |
||||
- Start Command prompt or PowerShell as domain administrator |
||||
- Run the command below, replacing `host.domain.local` with the fully qualified domain name of the server where the web application will be running, and `domain\user` with the name of the account created in step 1.: |
||||
|
||||
setspn -A HTTP/host.domain.local domain\user |
||||
|
||||
3. Start the web server app under the account created in step 1. |
||||
|
||||
4. If you are using Chrome, Edge or Internet Explorer, add the URL of the web app to the Local intranet sites (`Internet Options -> Security -> Local intranet -> Sites`) |
||||
|
||||
5. Start Chrome, Edge or Internet Explorer and navigate to the URL of the web app (eg. `http://host.domain.local:9000`) |
||||
|
||||
6. The web app should greet you with the name of your AD account without asking you to login. In case it doesn't, make sure that: |
||||
|
||||
- You are not running the web browser on the same server where the web app is running. You should be running the web browser on a domain joined computer (client) that is different from the server |
||||
- There is only one HTTP/... SPN for the host |
||||
- The SPN contains only the hostname, without the port |
||||
- You have added the URL of the web app to the `Local intranet` zone |
||||
- The clocks of the server and client should not differ with more than 5 minutes |
||||
- `Integrated Windows Authentication` should be enabled in Internet Explorer (under `Advanced settings`) |
||||
|
||||
## Security requirements |
||||
|
||||
- SPNEGO HTTP provides no facilities for protecting the HTTP headers or data including the Authorization and WWW-Authenticate headers, which means that the HTTP server **MUST** enforce use of SSL to provide confidentiality to data in these headers! |
@ -0,0 +1,9 @@ |
||||
module github.com/quasoft/websspi |
||||
|
||||
go 1.13 |
||||
|
||||
require ( |
||||
github.com/gorilla/securecookie v1.1.1 |
||||
github.com/gorilla/sessions v1.2.0 |
||||
golang.org/x/sys v0.0.0-20191010194322-b09406accb47 |
||||
) |
@ -0,0 +1,6 @@ |
||||
github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ= |
||||
github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= |
||||
github.com/gorilla/sessions v1.2.0 h1:S7P+1Hm5V/AT9cjEcUD5uDaQSX0OE577aCXgoaKpYbQ= |
||||
github.com/gorilla/sessions v1.2.0/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM= |
||||
golang.org/x/sys v0.0.0-20191010194322-b09406accb47 h1:/XfQ9z7ib8eEJX2hdgFTZJ/ntt0swNk5oYBziWeTCvY= |
||||
golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= |
@ -0,0 +1,36 @@ |
||||
package secctx |
||||
|
||||
import ( |
||||
"net/http" |
||||
|
||||
"github.com/gorilla/securecookie" |
||||
"github.com/gorilla/sessions" |
||||
) |
||||
|
||||
// CookieStore can store and retrieve SSPI context handles to/from an encrypted Cookie.
|
||||
type CookieStore struct { |
||||
store *sessions.CookieStore |
||||
} |
||||
|
||||
// NewCookieStore creates a new CookieStore for storing and retrieving of SSPI context handles
|
||||
// to/from encrypted Cookies
|
||||
func NewCookieStore() *CookieStore { |
||||
s := &CookieStore{} |
||||
s.store = sessions.NewCookieStore([]byte(securecookie.GenerateRandomKey(32))) |
||||
return s |
||||
} |
||||
|
||||
// GetHandle retrieves a *websspi.CtxtHandle value from the store
|
||||
func (s *CookieStore) GetHandle(r *http.Request) (interface{}, error) { |
||||
session, _ := s.store.Get(r, "websspi") |
||||
contextHandle := session.Values["contextHandle"] |
||||
return contextHandle, nil |
||||
} |
||||
|
||||
// SetHandle saves a *websspi.CtxtHandle value to the store
|
||||
func (s *CookieStore) SetHandle(r *http.Request, w http.ResponseWriter, contextHandle interface{}) error { |
||||
session, _ := s.store.Get(r, "websspi") |
||||
session.Values["contextHandle"] = contextHandle |
||||
err := session.Save(r, w) |
||||
return err |
||||
} |
@ -0,0 +1,13 @@ |
||||
package secctx |
||||
|
||||
import "net/http" |
||||
|
||||
// Store is an interface for storage of SSPI context handles.
|
||||
// SSPI context handles are Windows API handles and have nothing to do
|
||||
// with the "context" package in Go.
|
||||
type Store interface { |
||||
// GetHandle retrieves a *websspi.CtxtHandle value from the store
|
||||
GetHandle(r *http.Request) (interface{}, error) |
||||
// SetHandle saves a *websspi.CtxtHandle value to the store
|
||||
SetHandle(r *http.Request, w http.ResponseWriter, contextHandle interface{}) error |
||||
} |
@ -0,0 +1,7 @@ |
||||
package websspi |
||||
|
||||
// UserInfo represents an authenticated user.
|
||||
type UserInfo struct { |
||||
Username string // Name of user, usually in the form DOMAIN\User
|
||||
Groups []string // The global groups the user is a member of
|
||||
} |
@ -0,0 +1,22 @@ |
||||
package websspi |
||||
|
||||
import ( |
||||
"unicode/utf16" |
||||
"unsafe" |
||||
) |
||||
|
||||
// UTF16PtrToString converts a pointer to a UTF16 string to a string
|
||||
func UTF16PtrToString(ptr *uint16, maxLen int) (s string) { |
||||
if ptr == nil { |
||||
return "" |
||||
} |
||||
buf := make([]uint16, 0, maxLen) |
||||
for i, p := 0, uintptr(unsafe.Pointer(ptr)); i < maxLen; i, p = i+1, p+2 { |
||||
char := *(*uint16)(unsafe.Pointer(p)) |
||||
if char == 0 { |
||||
return string(utf16.Decode(buf)) |
||||
} |
||||
buf = append(buf, char) |
||||
} |
||||
return "" |
||||
} |
@ -0,0 +1,615 @@ |
||||
package websspi |
||||
|
||||
import ( |
||||
"context" |
||||
"encoding/base64" |
||||
"encoding/gob" |
||||
"errors" |
||||
"fmt" |
||||
"log" |
||||
"net/http" |
||||
"strings" |
||||
"sync" |
||||
"syscall" |
||||
"time" |
||||
"unsafe" |
||||
|
||||
"github.com/quasoft/websspi/secctx" |
||||
) |
||||
|
||||
// The Config object determines the behaviour of the Authenticator.
|
||||
type Config struct { |
||||
contextStore secctx.Store |
||||
authAPI API |
||||
KrbPrincipal string // Name of Kerberos principle used by the service (optional).
|
||||
AuthUserKey string // Key of header to fill with authenticated username, eg. "X-Authenticated-User" or "REMOTE_USER" (optional).
|
||||
EnumerateGroups bool // If true, groups the user is a member of are enumerated and stored in request context (default false)
|
||||
ServerName string // Specifies the DNS or NetBIOS name of the remote server which to query about user groups. Ignored if EnumerateGroups is false.
|
||||
} |
||||
|
||||
// NewConfig creates a configuration object with default values.
|
||||
func NewConfig() *Config { |
||||
return &Config{ |
||||
contextStore: secctx.NewCookieStore(), |
||||
authAPI: &Win32{}, |
||||
} |
||||
} |
||||
|
||||
// Validate makes basic validation of configuration to make sure that important and required fields
|
||||
// have been set with values in expected format.
|
||||
func (c *Config) Validate() error { |
||||
if c.contextStore == nil { |
||||
return errors.New("Store for context handles not specified in Config") |
||||
} |
||||
if c.authAPI == nil { |
||||
return errors.New("Authentication API not specified in Config") |
||||
} |
||||
return nil |
||||
} |
||||
|
||||
// contextKey represents a custom key for values stored in context.Context
|
||||
type contextKey string |
||||
|
||||
func (c contextKey) String() string { |
||||
return "websspi-key-" + string(c) |
||||
} |
||||
|
||||
var ( |
||||
UserInfoKey = contextKey("UserInfo") |
||||
) |
||||
|
||||
// The Authenticator type provides middleware methods for authentication of http requests.
|
||||
// A single authenticator object can be shared by concurrent goroutines.
|
||||
type Authenticator struct { |
||||
Config Config |
||||
serverCred *CredHandle |
||||
credExpiry *time.Time |
||||
ctxList []CtxtHandle |
||||
ctxListMux *sync.Mutex |
||||
} |
||||
|
||||
// New creates a new Authenticator object with the given configuration options.
|
||||
func New(config *Config) (*Authenticator, error) { |
||||
err := config.Validate() |
||||
if err != nil { |
||||
return nil, fmt.Errorf("invalid config: %v", err) |
||||
} |
||||
|
||||
var auth = &Authenticator{ |
||||
Config: *config, |
||||
ctxListMux: &sync.Mutex{}, |
||||
} |
||||
|
||||
err = auth.PrepareCredentials(config.KrbPrincipal) |
||||
if err != nil { |
||||
return nil, fmt.Errorf("could not acquire credentials handle for the service: %v", err) |
||||
} |
||||
log.Printf("Credential handle expiry: %v\n", *auth.credExpiry) |
||||
|
||||
return auth, nil |
||||
} |
||||
|
||||
// PrepareCredentials method acquires a credentials handle for the specified principal
|
||||
// for use during the live of the application.
|
||||
// On success stores the handle in the serverCred field and its expiry time in the
|
||||
// credExpiry field.
|
||||
// This method must be called once - when the application is starting or when the first
|
||||
// request from a client is received.
|
||||
func (a *Authenticator) PrepareCredentials(principal string) error { |
||||
var principalPtr *uint16 |
||||
if principal != "" { |
||||
var err error |
||||
principalPtr, err = syscall.UTF16PtrFromString(principal) |
||||
if err != nil { |
||||
return err |
||||
} |
||||
} |
||||
credentialUsePtr, err := syscall.UTF16PtrFromString(NEGOSSP_NAME) |
||||
if err != nil { |
||||
return err |
||||
} |
||||
var handle CredHandle |
||||
var expiry syscall.Filetime |
||||
status := a.Config.authAPI.AcquireCredentialsHandle( |
||||
principalPtr, |
||||
credentialUsePtr, |
||||
SECPKG_CRED_INBOUND, |
||||
nil, // logonId
|
||||
nil, // authData
|
||||
0, // getKeyFn
|
||||
0, // getKeyArgument
|
||||
&handle, |
||||
&expiry, |
||||
) |
||||
if status != SEC_E_OK { |
||||
return fmt.Errorf("call to AcquireCredentialsHandle failed with code 0x%x", status) |
||||
} |
||||
expiryTime := time.Unix(0, expiry.Nanoseconds()) |
||||
a.credExpiry = &expiryTime |
||||
a.serverCred = &handle |
||||
return nil |
||||
} |
||||
|
||||
// Free method should be called before shutting down the server to let
|
||||
// it release allocated Win32 resources
|
||||
func (a *Authenticator) Free() error { |
||||
var status SECURITY_STATUS |
||||
a.ctxListMux.Lock() |
||||
for _, ctx := range a.ctxList { |
||||
// TODO: Also check for stale security contexts and delete them periodically
|
||||
status = a.Config.authAPI.DeleteSecurityContext(&ctx) |
||||
if status != SEC_E_OK { |
||||
return fmt.Errorf("call to DeleteSecurityContext failed with code 0x%x", status) |
||||
} |
||||
} |
||||
a.ctxList = nil |
||||
a.ctxListMux.Unlock() |
||||
if a.serverCred != nil { |
||||
status = a.Config.authAPI.FreeCredentialsHandle(a.serverCred) |
||||
if status != SEC_E_OK { |
||||
return fmt.Errorf("call to FreeCredentialsHandle failed with code 0x%x", status) |
||||
} |
||||
a.serverCred = nil |
||||
} |
||||
return nil |
||||
} |
||||
|
||||
// StoreCtxHandle stores the specified context to the internal list (ctxList)
|
||||
func (a *Authenticator) StoreCtxHandle(handle *CtxtHandle) { |
||||
if handle == nil || *handle == (CtxtHandle{}) { |
||||
// Should not add nil or empty handle
|
||||
return |
||||
} |
||||
a.ctxListMux.Lock() |
||||
defer a.ctxListMux.Unlock() |
||||
a.ctxList = append(a.ctxList, *handle) |
||||
} |
||||
|
||||
// ReleaseCtxHandle deletes a context handle and removes it from the internal list (ctxList)
|
||||
func (a *Authenticator) ReleaseCtxHandle(handle *CtxtHandle) error { |
||||
if handle == nil || *handle == (CtxtHandle{}) { |
||||
// Removing a nil or empty handle is not an error condition
|
||||
return nil |
||||
} |
||||
a.ctxListMux.Lock() |
||||
defer a.ctxListMux.Unlock() |
||||
|
||||
// First, try to delete the handle
|
||||
status := a.Config.authAPI.DeleteSecurityContext(handle) |
||||
if status != SEC_E_OK { |
||||
return fmt.Errorf("call to DeleteSecurityContext failed with code 0x%x", status) |
||||
} |
||||
|
||||
// Then remove it from the internal list
|
||||
foundAt := -1 |
||||
for i, ctx := range a.ctxList { |
||||
if ctx == *handle { |
||||
foundAt = i |
||||
break |
||||
} |
||||
} |
||||
if foundAt > -1 { |
||||
a.ctxList[foundAt] = a.ctxList[len(a.ctxList)-1] |
||||
a.ctxList = a.ctxList[:len(a.ctxList)-1] |
||||
} |
||||
return nil |
||||
} |
||||
|
||||
// AcceptOrContinue tries to validate the auth-data token by calling the AcceptSecurityContext
|
||||
// function and returns and error if validation failed or continuation of the negotiation is needed.
|
||||
// No error is returned if the token was validated (user was authenticated).
|
||||
func (a *Authenticator) AcceptOrContinue(context *CtxtHandle, authData []byte) (newCtx *CtxtHandle, out []byte, exp *time.Time, err error) { |
||||
if authData == nil { |
||||
err = errors.New("input token cannot be nil") |
||||
return |
||||
} |
||||
|
||||
var inputDesc SecBufferDesc |
||||
var inputBuf SecBuffer |
||||
inputDesc.BuffersCount = 1 |
||||
inputDesc.Version = SECBUFFER_VERSION |
||||
inputDesc.Buffers = &inputBuf |
||||
inputBuf.BufferSize = uint32(len(authData)) |
||||
inputBuf.BufferType = SECBUFFER_TOKEN |
||||
inputBuf.Buffer = &authData[0] |
||||
|
||||
var outputDesc SecBufferDesc |
||||
var outputBuf SecBuffer |
||||
outputDesc.BuffersCount = 1 |
||||
outputDesc.Version = SECBUFFER_VERSION |
||||
outputDesc.Buffers = &outputBuf |
||||
outputBuf.BufferSize = 0 |
||||
outputBuf.BufferType = SECBUFFER_TOKEN |
||||
outputBuf.Buffer = nil |
||||
|
||||
var expiry syscall.Filetime |
||||
var contextAttr uint32 |
||||
var newContextHandle CtxtHandle |
||||
|
||||
var status = a.Config.authAPI.AcceptSecurityContext( |
||||
a.serverCred, |
||||
context, |
||||
&inputDesc, |
||||
ASC_REQ_ALLOCATE_MEMORY|ASC_REQ_MUTUAL_AUTH|ASC_REQ_CONFIDENTIALITY| |
||||
ASC_REQ_INTEGRITY|ASC_REQ_REPLAY_DETECT|ASC_REQ_SEQUENCE_DETECT, // contextReq uint32,
|
||||
SECURITY_NATIVE_DREP, // targDataRep uint32,
|
||||
&newContextHandle, |
||||
&outputDesc, // *SecBufferDesc
|
||||
&contextAttr, // contextAttr *uint32,
|
||||
&expiry, // *syscall.Filetime
|
||||
) |
||||
if newContextHandle.Lower != 0 || newContextHandle.Upper != 0 { |
||||
newCtx = &newContextHandle |
||||
} |
||||
tm := time.Unix(0, expiry.Nanoseconds()) |
||||
exp = &tm |
||||
if status == SEC_E_OK || status == SEC_I_CONTINUE_NEEDED { |
||||
// Copy outputBuf.Buffer to out and free the outputBuf.Buffer
|
||||
out = make([]byte, outputBuf.BufferSize) |
||||
var bufPtr = uintptr(unsafe.Pointer(outputBuf.Buffer)) |
||||
for i := 0; i < len(out); i++ { |
||||
out[i] = *(*byte)(unsafe.Pointer(bufPtr)) |
||||
bufPtr++ |
||||
} |
||||
} |
||||
if outputBuf.Buffer != nil { |
||||
freeStatus := a.Config.authAPI.FreeContextBuffer(outputBuf.Buffer) |
||||
if freeStatus != SEC_E_OK { |
||||
status = freeStatus |
||||
err = fmt.Errorf("could not free output buffer; FreeContextBuffer() failed with code: 0x%x", freeStatus) |
||||
return |
||||
} |
||||
} |
||||
if status == SEC_I_CONTINUE_NEEDED { |
||||
err = errors.New("Negotiation should continue") |
||||
return |
||||
} else if status != SEC_E_OK { |
||||
err = fmt.Errorf("call to AcceptSecurityContext failed with code 0x%x", status) |
||||
return |
||||
} |
||||
// TODO: Check contextAttr?
|
||||
return |
||||
} |
||||
|
||||
// GetCtxHandle retrieves the context handle for this client from request's cookies
|
||||
func (a *Authenticator) GetCtxHandle(r *http.Request) (*CtxtHandle, error) { |
||||
sessionHandle, err := a.Config.contextStore.GetHandle(r) |
||||
if err != nil { |
||||
return nil, fmt.Errorf("could not get context handle from session: %s", err) |
||||
} |
||||
if contextHandle, ok := sessionHandle.(*CtxtHandle); ok { |
||||
log.Printf("CtxHandle: 0x%x\n", *contextHandle) |
||||
if contextHandle.Lower == 0 && contextHandle.Upper == 0 { |
||||
return nil, nil |
||||
} |
||||
return contextHandle, nil |
||||
} |
||||
log.Printf("CtxHandle: nil\n") |
||||
return nil, nil |
||||
} |
||||
|
||||
// SetCtxHandle stores the context handle for this client to cookie of response
|
||||
func (a *Authenticator) SetCtxHandle(r *http.Request, w http.ResponseWriter, newContext *CtxtHandle) error { |
||||
// Store can't store nil value, so if newContext is nil, store an empty CtxHandle
|
||||
ctx := &CtxtHandle{} |
||||
if newContext != nil { |
||||
ctx = newContext |
||||
} |
||||
err := a.Config.contextStore.SetHandle(r, w, ctx) |
||||
if err != nil { |
||||
return fmt.Errorf("could not save context to cookie: %s", err) |
||||
} |
||||
log.Printf("New context: 0x%x\n", *ctx) |
||||
return nil |
||||
} |
||||
|
||||
// GetFlags returns the negotiated context flags
|
||||
func (a *Authenticator) GetFlags(context *CtxtHandle) (uint32, error) { |
||||
var flags SecPkgContext_Flags |
||||
status := a.Config.authAPI.QueryContextAttributes(context, SECPKG_ATTR_FLAGS, (*byte)(unsafe.Pointer(&flags))) |
||||
if status != SEC_E_OK { |
||||
return 0, fmt.Errorf("QueryContextAttributes failed with status 0x%x", status) |
||||
} |
||||
return flags.Flags, nil |
||||
} |
||||
|
||||
// GetUsername returns the name of the user associated with the specified security context
|
||||
func (a *Authenticator) GetUsername(context *CtxtHandle) (username string, err error) { |
||||
var names SecPkgContext_Names |
||||
status := a.Config.authAPI.QueryContextAttributes(context, SECPKG_ATTR_NAMES, (*byte)(unsafe.Pointer(&names))) |
||||
if status != SEC_E_OK { |
||||
err = fmt.Errorf("QueryContextAttributes failed with status 0x%x", status) |
||||
return |
||||
} |
||||
if names.UserName != nil { |
||||
username = UTF16PtrToString(names.UserName, 2048) |
||||
status = a.Config.authAPI.FreeContextBuffer((*byte)(unsafe.Pointer(names.UserName))) |
||||
if status != SEC_E_OK { |
||||
err = fmt.Errorf("FreeContextBuffer failed with status 0x%x", status) |
||||
} |
||||
return |
||||
} |
||||
err = errors.New("QueryContextAttributes returned empty name") |
||||
return |
||||
} |
||||
|
||||
// GetUserGroups returns the groups the user is a member of
|
||||
func (a *Authenticator) GetUserGroups(userName string) (groups []string, err error) { |
||||
var serverNamePtr *uint16 |
||||
if a.Config.ServerName != "" { |
||||
serverNamePtr, err = syscall.UTF16PtrFromString(a.Config.ServerName) |
||||
if err != nil { |
||||
return |
||||
} |
||||
} |
||||
|
||||
userNamePtr, err := syscall.UTF16PtrFromString(userName) |
||||
if err != nil { |
||||
return |
||||
} |
||||
var buf *byte |
||||
var entriesRead uint32 |
||||
var totalEntries uint32 |
||||
err = a.Config.authAPI.NetUserGetGroups( |
||||
serverNamePtr, |
||||
userNamePtr, |
||||
0, |
||||
&buf, |
||||
MAX_PREFERRED_LENGTH, |
||||
&entriesRead, |
||||
&totalEntries, |
||||
) |
||||
if buf == nil { |
||||
err = fmt.Errorf("NetUserGetGroups(): returned nil buffer, error: %s", err) |
||||
return |
||||
} |
||||
defer func() { |
||||
freeErr := a.Config.authAPI.NetApiBufferFree(buf) |
||||
if freeErr != nil { |
||||
err = freeErr |
||||
} |
||||
}() |
||||
if err != nil { |
||||
return |
||||
} |
||||
if entriesRead < totalEntries { |
||||
err = fmt.Errorf("NetUserGetGroups(): could not read all entries, read only %d entries of %d", entriesRead, totalEntries) |
||||
return |
||||
} |
||||
|
||||
ptr := uintptr(unsafe.Pointer(buf)) |
||||
for i := uint32(0); i < entriesRead; i++ { |
||||
groupInfo := (*GroupUsersInfo0)(unsafe.Pointer(ptr)) |
||||
groupName := UTF16PtrToString(groupInfo.Grui0_name, MAX_GROUP_NAME_LENGTH) |
||||
if groupName != "" { |
||||
groups = append(groups, groupName) |
||||
} |
||||
ptr += unsafe.Sizeof(GroupUsersInfo0{}) |
||||
} |
||||
return |
||||
} |
||||
|
||||
// GetUserInfo returns a structure containing the name of the user associated with the
|
||||
// specified security context and the groups to which they are a member of (if Config.EnumerateGroups)
|
||||
// is enabled
|
||||
func (a *Authenticator) GetUserInfo(context *CtxtHandle) (*UserInfo, error) { |
||||
// Get username
|
||||
username, err := a.GetUsername(context) |
||||
if err != nil { |
||||
return nil, err |
||||
} |
||||
info := UserInfo{ |
||||
Username: username, |
||||
} |
||||
|
||||
// Get groups
|
||||
if a.Config.EnumerateGroups { |
||||
info.Groups, err = a.GetUserGroups(username) |
||||
if err != nil { |
||||
return nil, err |
||||
} |
||||
} |
||||
|
||||
return &info, nil |
||||
} |
||||
|
||||
// GetAuthData parses the "Authorization" header received from the client,
|
||||
// extracts the auth-data token (input token) and decodes it to []byte
|
||||
func (a *Authenticator) GetAuthData(r *http.Request, w http.ResponseWriter) (authData []byte, err error) { |
||||
// 1. Check if Authorization header is present
|
||||
headers := r.Header["Authorization"] |
||||
if len(headers) == 0 { |
||||
err = errors.New("the Authorization header is not provided") |
||||
return |
||||
} |
||||
if len(headers) > 1 { |
||||
err = errors.New("received multiple Authorization headers, but expected only one") |
||||
return |
||||
} |
||||
|
||||
authzHeader := strings.TrimSpace(headers[0]) |
||||
if authzHeader == "" { |
||||
err = errors.New("the Authorization header is empty") |
||||
return |
||||
} |
||||
// 1.1. Make sure header starts with "Negotiate"
|
||||
if !strings.HasPrefix(strings.ToLower(authzHeader), "negotiate") { |
||||
err = errors.New("the Authorization header does not start with 'Negotiate'") |
||||
return |
||||
} |
||||
|
||||
// 2. Extract token from Authorization header
|
||||
authzParts := strings.Split(authzHeader, " ") |
||||
if len(authzParts) < 2 { |
||||
err = errors.New("the Authorization header does not contain token (gssapi-data)") |
||||
return |
||||
} |
||||
token := authzParts[len(authzParts)-1] |
||||
if token == "" { |
||||
err = errors.New("the token (gssapi-data) in the Authorization header is empty") |
||||
return |
||||
} |
||||
|
||||
// 3. Decode token
|
||||
authData, err = base64.StdEncoding.DecodeString(token) |
||||
if err != nil { |
||||
err = errors.New("could not decode token as base64 string") |
||||
return |
||||
} |
||||
|
||||
return |
||||
} |
||||
|
||||
// Authenticate tries to authenticate the HTTP request and returns nil
|
||||
// if authentication was successful.
|
||||
// Returns error and data for continuation if authentication was not successful.
|
||||
func (a *Authenticator) Authenticate(r *http.Request, w http.ResponseWriter) (userInfo *UserInfo, outToken string, err error) { |
||||
// 1. Extract auth-data from Authorization header
|
||||
authData, err := a.GetAuthData(r, w) |
||||
if err != nil { |
||||
err = fmt.Errorf("could not get auth data: %s", err) |
||||
return |
||||
} |
||||
|
||||
// 2. Authenticate user with provided token
|
||||
contextHandle, err := a.GetCtxHandle(r) |
||||
if err != nil { |
||||
return |
||||
} |
||||
newCtx, output, _, err := a.AcceptOrContinue(contextHandle, authData) |
||||
|
||||
// If a new context was created, make sure to delete it or store it
|
||||
// both in internal list and response Cookie
|
||||
defer func() { |
||||
// Negotiation is ending if we don't expect further responses from the client
|
||||
// (authentication was successful or no output token is going to be sent back),
|
||||
// clear client cookie
|
||||
endOfNegotiation := err == nil || len(output) == 0 |
||||
|
||||
// Current context (contextHandle) is not needed anymore and should be deleted if:
|
||||
// - we don't expect further responses from the client
|
||||
// - a new context has been returned by AcceptSecurityContext
|
||||
currCtxNotNeeded := endOfNegotiation || newCtx != nil |
||||
if !currCtxNotNeeded { |
||||
// Release current context only if its different than the new context
|
||||
if contextHandle != nil && *contextHandle != *newCtx { |
||||
remErr := a.ReleaseCtxHandle(contextHandle) |
||||
if remErr != nil { |
||||
err = remErr |
||||
return |
||||
} |
||||
} |
||||
} |
||||
|
||||
if endOfNegotiation { |
||||
// Clear client cookie
|
||||
setErr := a.SetCtxHandle(r, w, nil) |
||||
if setErr != nil { |
||||
err = fmt.Errorf("could not clear context, error: %s", setErr) |
||||
return |
||||
} |
||||
|
||||
// Delete any new context handle
|
||||
remErr := a.ReleaseCtxHandle(newCtx) |
||||
if remErr != nil { |
||||
err = remErr |
||||
return |
||||
} |
||||
|
||||
// Exit defer func
|
||||
return |
||||
} |
||||
|
||||
if newCtx != nil { |
||||
// Store new context handle to internal list and response Cookie
|
||||
a.StoreCtxHandle(newCtx) |
||||
setErr := a.SetCtxHandle(r, w, newCtx) |
||||
if setErr != nil { |
||||
err = setErr |
||||
return |
||||
} |
||||
} |
||||
}() |
||||
|
||||
outToken = base64.StdEncoding.EncodeToString(output) |
||||
if err != nil { |
||||
err = fmt.Errorf("AcceptOrContinue failed: %s", err) |
||||
return |
||||
} |
||||
|
||||
// 3. Get username and user groups
|
||||
currentCtx := newCtx |
||||
if currentCtx == nil { |
||||
currentCtx = contextHandle |
||||
} |
||||
userInfo, err = a.GetUserInfo(currentCtx) |
||||
if err != nil { |
||||
err = fmt.Errorf("could not get username, error: %s", err) |
||||
return |
||||
} |
||||
|
||||
return |
||||
} |
||||
|
||||
// AppendAuthenticateHeader populates WWW-Authenticate header,
|
||||
// indicating to client that authentication is required and returns a 401 (Unauthorized)
|
||||
// response code.
|
||||
// The data parameter can be empty for the first 401 response from the server.
|
||||
// For subsequent 401 responses the data parameter should contain the gssapi-data,
|
||||
// which is required for continuation of the negotiation.
|
||||
func (a *Authenticator) AppendAuthenticateHeader(w http.ResponseWriter, data string) { |
||||
value := "Negotiate" |
||||
if data != "" { |
||||
value += " " + data |
||||
} |
||||
w.Header().Set("WWW-Authenticate", value) |
||||
} |
||||
|
||||
// Return401 populates WWW-Authenticate header, indicating to client that authentication
|
||||
// is required and returns a 401 (Unauthorized) response code.
|
||||
// The data parameter can be empty for the first 401 response from the server.
|
||||
// For subsequent 401 responses the data parameter should contain the gssapi-data,
|
||||
// which is required for continuation of the negotiation.
|
||||
func (a *Authenticator) Return401(w http.ResponseWriter, data string) { |
||||
a.AppendAuthenticateHeader(w, data) |
||||
http.Error(w, "Error!", http.StatusUnauthorized) |
||||
} |
||||
|
||||
// WithAuth authenticates the request. On successful authentication the request
|
||||
// is passed down to the next http handler. The next handler can access information
|
||||
// about the authenticated user via the GetUserName method.
|
||||
// If authentication was not successful, the server returns 401 response code with
|
||||
// a WWW-Authenticate, indicating that authentication is required.
|
||||
func (a *Authenticator) WithAuth(next http.Handler) http.Handler { |
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { |
||||
log.Printf("Authenticating request to %s\n", r.RequestURI) |
||||
|
||||
user, data, err := a.Authenticate(r, w) |
||||
if err != nil { |
||||
log.Printf("Authentication failed with error: %v\n", err) |
||||
a.Return401(w, data) |
||||
return |
||||
} |
||||
|
||||
log.Print("Authenticated\n") |
||||
// Add the UserInfo value to the reqest's context
|
||||
r = r.WithContext(context.WithValue(r.Context(), UserInfoKey, user)) |
||||
// and to the request header with key Config.AuthUserKey
|
||||
if a.Config.AuthUserKey != "" { |
||||
r.Header.Set(a.Config.AuthUserKey, user.Username) |
||||
} |
||||
|
||||
// The WWW-Authenticate header might need to be sent back even
|
||||
// on successful authentication (eg. in order to let the client complete
|
||||
// mutual authentication).
|
||||
if data != "" { |
||||
a.AppendAuthenticateHeader(w, data) |
||||
} |
||||
next.ServeHTTP(w, r) |
||||
}) |
||||
} |
||||
|
||||
func init() { |
||||
gob.Register(&CtxtHandle{}) |
||||
gob.Register(&UserInfo{}) |
||||
} |
@ -0,0 +1,312 @@ |
||||
package websspi |
||||
|
||||
import ( |
||||
"syscall" |
||||
"unsafe" |
||||
|
||||
"golang.org/x/sys/windows" |
||||
) |
||||
|
||||
// secur32.dll
|
||||
|
||||
type SECURITY_STATUS syscall.Errno |
||||
|
||||
const ( |
||||
SEC_E_OK = SECURITY_STATUS(0) |
||||
|
||||
SEC_E_INCOMPLETE_MESSAGE = SECURITY_STATUS(0x80090318) |
||||
SEC_E_INSUFFICIENT_MEMORY = SECURITY_STATUS(0x80090300) |
||||
SEC_E_INTERNAL_ERROR = SECURITY_STATUS(0x80090304) |
||||
SEC_E_INVALID_HANDLE = SECURITY_STATUS(0x80090301) |
||||
SEC_E_INVALID_TOKEN = SECURITY_STATUS(0x80090308) |
||||
SEC_E_LOGON_DENIED = SECURITY_STATUS(0x8009030C) |
||||
SEC_E_NO_AUTHENTICATING_AUTHORITY = SECURITY_STATUS(0x80090311) |
||||
SEC_E_NO_CREDENTIALS = SECURITY_STATUS(0x8009030E) |
||||
SEC_E_UNSUPPORTED_FUNCTION = SECURITY_STATUS(0x80090302) |
||||
SEC_I_COMPLETE_AND_CONTINUE = SECURITY_STATUS(0x00090314) |
||||
SEC_I_COMPLETE_NEEDED = SECURITY_STATUS(0x00090313) |
||||
SEC_I_CONTINUE_NEEDED = SECURITY_STATUS(0x00090312) |
||||
SEC_E_NOT_OWNER = SECURITY_STATUS(0x80090306) |
||||
SEC_E_SECPKG_NOT_FOUND = SECURITY_STATUS(0x80090305) |
||||
SEC_E_UNKNOWN_CREDENTIALS = SECURITY_STATUS(0x8009030D) |
||||
|
||||
NEGOSSP_NAME = "Negotiate" |
||||
SECPKG_CRED_INBOUND = 1 |
||||
SECURITY_NATIVE_DREP = 16 |
||||
|
||||
ASC_REQ_DELEGATE = 1 |
||||
ASC_REQ_MUTUAL_AUTH = 2 |
||||
ASC_REQ_REPLAY_DETECT = 4 |
||||
ASC_REQ_SEQUENCE_DETECT = 8 |
||||
ASC_REQ_CONFIDENTIALITY = 16 |
||||
ASC_REQ_USE_SESSION_KEY = 32 |
||||
ASC_REQ_ALLOCATE_MEMORY = 256 |
||||
ASC_REQ_USE_DCE_STYLE = 512 |
||||
ASC_REQ_DATAGRAM = 1024 |
||||
ASC_REQ_CONNECTION = 2048 |
||||
ASC_REQ_EXTENDED_ERROR = 32768 |
||||
ASC_REQ_STREAM = 65536 |
||||
ASC_REQ_INTEGRITY = 131072 |
||||
|
||||
SECPKG_ATTR_SIZES = 0 |
||||
SECPKG_ATTR_NAMES = 1 |
||||
SECPKG_ATTR_LIFESPAN = 2 |
||||
SECPKG_ATTR_DCE_INFO = 3 |
||||
SECPKG_ATTR_STREAM_SIZES = 4 |
||||
SECPKG_ATTR_KEY_INFO = 5 |
||||
SECPKG_ATTR_AUTHORITY = 6 |
||||
SECPKG_ATTR_PROTO_INFO = 7 |
||||
SECPKG_ATTR_PASSWORD_EXPIRY = 8 |
||||
SECPKG_ATTR_SESSION_KEY = 9 |
||||
SECPKG_ATTR_PACKAGE_INFO = 10 |
||||
SECPKG_ATTR_USER_FLAGS = 11 |
||||
SECPKG_ATTR_NEGOTIATION_INFO = 12 |
||||
SECPKG_ATTR_NATIVE_NAMES = 13 |
||||
SECPKG_ATTR_FLAGS = 14 |
||||
|
||||
SECBUFFER_VERSION = 0 |
||||
SECBUFFER_TOKEN = 2 |
||||
) |
||||
|
||||
type CredHandle struct { |
||||
Lower uintptr |
||||
Upper uintptr |
||||
} |
||||
|
||||
type CtxtHandle struct { |
||||
Lower uintptr |
||||
Upper uintptr |
||||
} |
||||
|
||||
type SecBuffer struct { |
||||
BufferSize uint32 |
||||
BufferType uint32 |
||||
Buffer *byte |
||||
} |
||||
|
||||
type SecBufferDesc struct { |
||||
Version uint32 |
||||
BuffersCount uint32 |
||||
Buffers *SecBuffer |
||||
} |
||||
|
||||
type LUID struct { |
||||
LowPart uint32 |
||||
HighPart int32 |
||||
} |
||||
|
||||
type SecPkgContext_Names struct { |
||||
UserName *uint16 |
||||
} |
||||
|
||||
type SecPkgContext_Flags struct { |
||||
Flags uint32 |
||||
} |
||||
|
||||
// netapi32.dll
|
||||
|
||||
const ( |
||||
NERR_Success = 0x0 |
||||
NERR_InternalError = 0x85C |
||||
NERR_UserNotFound = 0x8AD |
||||
|
||||
ERROR_ACCESS_DENIED = 0x5 |
||||
ERROR_BAD_NETPATH = 0x35 |
||||
ERROR_INVALID_LEVEL = 0x7C |
||||
ERROR_INVALID_NAME = 0x7B |
||||
ERROR_MORE_DATA = 0xEA |
||||
ERROR_NOT_ENOUGH_MEMORY = 0x8 |
||||
|
||||
MAX_PREFERRED_LENGTH = 0xFFFFFFFF |
||||
MAX_GROUP_NAME_LENGTH = 256 |
||||
|
||||
SE_GROUP_MANDATORY = 0x1 |
||||
SE_GROUP_ENABLED_BY_DEFAULT = 0x2 |
||||
SE_GROUP_ENABLED = 0x4 |
||||
SE_GROUP_OWNER = 0x8 |
||||
SE_GROUP_USE_FOR_DENY_ONLY = 0x10 |
||||
SE_GROUP_INTEGRITY = 0x20 |
||||
SE_GROUP_INTEGRITY_ENABLED = 0x40 |
||||
SE_GROUP_LOGON_ID = 0xC0000000 |
||||
SE_GROUP_RESOURCE = 0x20000000 |
||||
) |
||||
|
||||
type GroupUsersInfo0 struct { |
||||
Grui0_name *uint16 |
||||
} |
||||
|
||||
type GroupUsersInfo1 struct { |
||||
Grui1_name *uint16 |
||||
Grui1_attributes uint32 |
||||
} |
||||
|
||||
// The API interface describes the Win32 functions used in this package and
|
||||
// its primary purpose is to allow replacing them with stub functions in unit tests.
|
||||
type API interface { |
||||
AcquireCredentialsHandle( |
||||
principal *uint16, |
||||
_package *uint16, |
||||
credentialUse uint32, |
||||
logonID *LUID, |
||||
authData *byte, |
||||
getKeyFn uintptr, |
||||
getKeyArgument uintptr, |
||||
credHandle *CredHandle, |
||||
expiry *syscall.Filetime, |
||||
) SECURITY_STATUS |
||||
AcceptSecurityContext( |
||||
credential *CredHandle, |
||||
context *CtxtHandle, |
||||
input *SecBufferDesc, |
||||
contextReq uint32, |
||||
targDataRep uint32, |
||||
newContext *CtxtHandle, |
||||
output *SecBufferDesc, |
||||
contextAttr *uint32, |
||||
expiry *syscall.Filetime, |
||||
) SECURITY_STATUS |
||||
QueryContextAttributes(context *CtxtHandle, attribute uint32, buffer *byte) SECURITY_STATUS |
||||
DeleteSecurityContext(context *CtxtHandle) SECURITY_STATUS |
||||
FreeContextBuffer(buffer *byte) SECURITY_STATUS |
||||
FreeCredentialsHandle(handle *CredHandle) SECURITY_STATUS |
||||
NetUserGetGroups( |
||||
serverName *uint16, |
||||
userName *uint16, |
||||
level uint32, |
||||
buf **byte, |
||||
prefmaxlen uint32, |
||||
entriesread *uint32, |
||||
totalentries *uint32, |
||||
) (neterr error) |
||||
NetApiBufferFree(buf *byte) (neterr error) |
||||
} |
||||
|
||||
// Win32 implements the API interface by calling the relevant system functions
|
||||
// from secur32.dll and netapi32.dll
|
||||
type Win32 struct{} |
||||
|
||||
var ( |
||||
secur32dll = windows.NewLazySystemDLL("secur32.dll") |
||||
netapi32dll = windows.NewLazySystemDLL("netapi32.dll") |
||||
|
||||
procAcquireCredentialsHandleW = secur32dll.NewProc("AcquireCredentialsHandleW") |
||||
procAcceptSecurityContext = secur32dll.NewProc("AcceptSecurityContext") |
||||
procQueryContextAttributesW = secur32dll.NewProc("QueryContextAttributesW") |
||||
procDeleteSecurityContext = secur32dll.NewProc("DeleteSecurityContext") |
||||
procFreeContextBuffer = secur32dll.NewProc("FreeContextBuffer") |
||||
procFreeCredentialsHandle = secur32dll.NewProc("FreeCredentialsHandle") |
||||
procNetUserGetGroups = netapi32dll.NewProc("NetUserGetGroups") |
||||
) |
||||
|
||||
func (w *Win32) AcquireCredentialsHandle( |
||||
principal *uint16, |
||||
_package *uint16, |
||||
credentialUse uint32, |
||||
logonId *LUID, |
||||
authData *byte, |
||||
getKeyFn uintptr, |
||||
getKeyArgument uintptr, |
||||
credHandle *CredHandle, |
||||
expiry *syscall.Filetime, |
||||
) SECURITY_STATUS { |
||||
r1, _, _ := syscall.Syscall9( |
||||
procAcquireCredentialsHandleW.Addr(), 9, |
||||
uintptr(unsafe.Pointer(principal)), |
||||
uintptr(unsafe.Pointer(_package)), |
||||
uintptr(credentialUse), |
||||
uintptr(unsafe.Pointer(logonId)), |
||||
uintptr(unsafe.Pointer(authData)), |
||||
uintptr(getKeyFn), |
||||
uintptr(getKeyArgument), |
||||
uintptr(unsafe.Pointer(credHandle)), |
||||
uintptr(unsafe.Pointer(expiry)), |
||||
) |
||||
return SECURITY_STATUS(r1) |
||||
} |
||||
|
||||
func (w *Win32) AcceptSecurityContext( |
||||
credential *CredHandle, |
||||
context *CtxtHandle, |
||||
input *SecBufferDesc, |
||||
contextReq uint32, |
||||
targDataRep uint32, |
||||
newContext *CtxtHandle, |
||||
output *SecBufferDesc, |
||||
contextAttr *uint32, |
||||
expiry *syscall.Filetime, |
||||
) SECURITY_STATUS { |
||||
r1, _, _ := syscall.Syscall9( |
||||
procAcceptSecurityContext.Addr(), 9, |
||||
uintptr(unsafe.Pointer(credential)), |
||||
uintptr(unsafe.Pointer(context)), |
||||
uintptr(unsafe.Pointer(input)), |
||||
uintptr(contextReq), |
||||
uintptr(targDataRep), |
||||
uintptr(unsafe.Pointer(newContext)), |
||||
uintptr(unsafe.Pointer(output)), |
||||
uintptr(unsafe.Pointer(contextAttr)), |
||||
uintptr(unsafe.Pointer(expiry)), |
||||
) |
||||
return SECURITY_STATUS(r1) |
||||
} |
||||
|
||||
func (w *Win32) QueryContextAttributes( |
||||
context *CtxtHandle, |
||||
attribute uint32, |
||||
buffer *byte, |
||||
) SECURITY_STATUS { |
||||
r1, _, _ := syscall.Syscall( |
||||
procQueryContextAttributesW.Addr(), 3, |
||||
uintptr(unsafe.Pointer(context)), |
||||
uintptr(attribute), |
||||
uintptr(unsafe.Pointer(buffer)), |
||||
) |
||||
return SECURITY_STATUS(r1) |
||||
} |
||||
|
||||
func (w *Win32) DeleteSecurityContext(context *CtxtHandle) SECURITY_STATUS { |
||||
r1, _, _ := syscall.Syscall( |
||||
procDeleteSecurityContext.Addr(), 1, |
||||
uintptr(unsafe.Pointer(context)), |
||||
0, 0, |
||||
) |
||||
return SECURITY_STATUS(r1) |
||||
} |
||||
|
||||
func (w *Win32) FreeContextBuffer(buffer *byte) SECURITY_STATUS { |
||||
r1, _, _ := syscall.Syscall( |
||||
procFreeContextBuffer.Addr(), 1, |
||||
uintptr(unsafe.Pointer(buffer)), |
||||
0, 0, |
||||
) |
||||
return SECURITY_STATUS(r1) |
||||
} |
||||
|
||||
func (w *Win32) FreeCredentialsHandle(handle *CredHandle) SECURITY_STATUS { |
||||
r1, _, _ := syscall.Syscall( |
||||
procFreeCredentialsHandle.Addr(), 1, |
||||
uintptr(unsafe.Pointer(handle)), |
||||
0, 0, |
||||
) |
||||
return SECURITY_STATUS(r1) |
||||
} |
||||
|
||||
func (w *Win32) NetUserGetGroups( |
||||
serverName *uint16, |
||||
userName *uint16, |
||||
level uint32, |
||||
buf **byte, |
||||
prefmaxlen uint32, |
||||
entriesread *uint32, |
||||
totalentries *uint32, |
||||
) (neterr error) { |
||||
r0, _, _ := syscall.Syscall9(procNetUserGetGroups.Addr(), 7, uintptr(unsafe.Pointer(serverName)), uintptr(unsafe.Pointer(userName)), uintptr(level), uintptr(unsafe.Pointer(buf)), uintptr(prefmaxlen), uintptr(unsafe.Pointer(entriesread)), uintptr(unsafe.Pointer(totalentries)), 0, 0) |
||||
if r0 != 0 { |
||||
neterr = syscall.Errno(r0) |
||||
} |
||||
return |
||||
} |
||||
|
||||
func (w *Win32) NetApiBufferFree(buf *byte) (neterr error) { |
||||
return syscall.NetApiBufferFree(buf) |
||||
} |
@ -0,0 +1,39 @@ |
||||
// Copyright 2019 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package cpu |
||||
|
||||
func doinit() { |
||||
ARM.HasSWP = isSet(hwCap, hwcap_SWP) |
||||
ARM.HasHALF = isSet(hwCap, hwcap_HALF) |
||||
ARM.HasTHUMB = isSet(hwCap, hwcap_THUMB) |
||||
ARM.Has26BIT = isSet(hwCap, hwcap_26BIT) |
||||
ARM.HasFASTMUL = isSet(hwCap, hwcap_FAST_MULT) |
||||
ARM.HasFPA = isSet(hwCap, hwcap_FPA) |
||||
ARM.HasVFP = isSet(hwCap, hwcap_VFP) |
||||
ARM.HasEDSP = isSet(hwCap, hwcap_EDSP) |
||||
ARM.HasJAVA = isSet(hwCap, hwcap_JAVA) |
||||
ARM.HasIWMMXT = isSet(hwCap, hwcap_IWMMXT) |
||||
ARM.HasCRUNCH = isSet(hwCap, hwcap_CRUNCH) |
||||
ARM.HasTHUMBEE = isSet(hwCap, hwcap_THUMBEE) |
||||
ARM.HasNEON = isSet(hwCap, hwcap_NEON) |
||||
ARM.HasVFPv3 = isSet(hwCap, hwcap_VFPv3) |
||||
ARM.HasVFPv3D16 = isSet(hwCap, hwcap_VFPv3D16) |
||||
ARM.HasTLS = isSet(hwCap, hwcap_TLS) |
||||
ARM.HasVFPv4 = isSet(hwCap, hwcap_VFPv4) |
||||
ARM.HasIDIVA = isSet(hwCap, hwcap_IDIVA) |
||||
ARM.HasIDIVT = isSet(hwCap, hwcap_IDIVT) |
||||
ARM.HasVFPD32 = isSet(hwCap, hwcap_VFPD32) |
||||
ARM.HasLPAE = isSet(hwCap, hwcap_LPAE) |
||||
ARM.HasEVTSTRM = isSet(hwCap, hwcap_EVTSTRM) |
||||
ARM.HasAES = isSet(hwCap2, hwcap2_AES) |
||||
ARM.HasPMULL = isSet(hwCap2, hwcap2_PMULL) |
||||
ARM.HasSHA1 = isSet(hwCap2, hwcap2_SHA1) |
||||
ARM.HasSHA2 = isSet(hwCap2, hwcap2_SHA2) |
||||
ARM.HasCRC32 = isSet(hwCap2, hwcap2_CRC32) |
||||
} |
||||
|
||||
func isSet(hwc uint, value uint) bool { |
||||
return hwc&value != 0 |
||||
} |
@ -0,0 +1,29 @@ |
||||
// Copyright 2019 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
// +build darwin,go1.12,!go1.13
|
||||
|
||||
package unix |
||||
|
||||
import ( |
||||
"unsafe" |
||||
) |
||||
|
||||
func Getdirentries(fd int, buf []byte, basep *uintptr) (n int, err error) { |
||||
// To implement this using libSystem we'd need syscall_syscallPtr for
|
||||
// fdopendir. However, syscallPtr was only added in Go 1.13, so we fall
|
||||
// back to raw syscalls for this func on Go 1.12.
|
||||
var p unsafe.Pointer |
||||
if len(buf) > 0 { |
||||
p = unsafe.Pointer(&buf[0]) |
||||
} else { |
||||
p = unsafe.Pointer(&_zero) |
||||
} |
||||
r0, _, e1 := Syscall6(SYS_GETDIRENTRIES64, uintptr(fd), uintptr(p), uintptr(len(buf)), uintptr(unsafe.Pointer(basep)), 0, 0) |
||||
n = int(r0) |
||||
if e1 != 0 { |
||||
return n, errnoErr(e1) |
||||
} |
||||
return n, nil |
||||
} |
@ -0,0 +1,103 @@ |
||||
// Copyright 2019 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
// +build darwin,go1.13
|
||||
|
||||
package unix |
||||
|
||||
import "unsafe" |
||||
|
||||
//sys closedir(dir uintptr) (err error)
|
||||
//sys readdir_r(dir uintptr, entry *Dirent, result **Dirent) (res Errno)
|
||||
|
||||
func fdopendir(fd int) (dir uintptr, err error) { |
||||
r0, _, e1 := syscall_syscallPtr(funcPC(libc_fdopendir_trampoline), uintptr(fd), 0, 0) |
||||
dir = uintptr(r0) |
||||
if e1 != 0 { |
||||
err = errnoErr(e1) |
||||
} |
||||
return |
||||
} |
||||
|
||||
func libc_fdopendir_trampoline() |
||||
|
||||
//go:linkname libc_fdopendir libc_fdopendir
|
||||
//go:cgo_import_dynamic libc_fdopendir fdopendir "/usr/lib/libSystem.B.dylib"
|
||||
|
||||
func Getdirentries(fd int, buf []byte, basep *uintptr) (n int, err error) { |
||||
// Simulate Getdirentries using fdopendir/readdir_r/closedir.
|
||||
const ptrSize = unsafe.Sizeof(uintptr(0)) |
||||
|
||||
// We store the number of entries to skip in the seek
|
||||
// offset of fd. See issue #31368.
|
||||
// It's not the full required semantics, but should handle the case
|
||||
// of calling Getdirentries or ReadDirent repeatedly.
|
||||
// It won't handle assigning the results of lseek to *basep, or handle
|
||||
// the directory being edited underfoot.
|
||||
skip, err := Seek(fd, 0, 1 /* SEEK_CUR */) |
||||
if err != nil { |
||||
return 0, err |
||||
} |
||||
|
||||
// We need to duplicate the incoming file descriptor
|
||||
// because the caller expects to retain control of it, but
|
||||
// fdopendir expects to take control of its argument.
|
||||
// Just Dup'ing the file descriptor is not enough, as the
|
||||
// result shares underlying state. Use Openat to make a really
|
||||
// new file descriptor referring to the same directory.
|
||||
fd2, err := Openat(fd, ".", O_RDONLY, 0) |
||||
if err != nil { |
||||
return 0, err |
||||
} |
||||
d, err := fdopendir(fd2) |
||||
if err != nil { |
||||
Close(fd2) |
||||
return 0, err |
||||
} |
||||
defer closedir(d) |
||||
|
||||
var cnt int64 |
||||
for { |
||||
var entry Dirent |
||||
var entryp *Dirent |
||||
e := readdir_r(d, &entry, &entryp) |
||||
if e != 0 { |
||||
return n, errnoErr(e) |
||||
} |
||||
if entryp == nil { |
||||
break |
||||
} |
||||
if skip > 0 { |
||||
skip-- |
||||
cnt++ |
||||
continue |
||||
} |
||||
reclen := int(entry.Reclen) |
||||
if reclen > len(buf) { |
||||
// Not enough room. Return for now.
|
||||
// The counter will let us know where we should start up again.
|
||||
// Note: this strategy for suspending in the middle and
|
||||
// restarting is O(n^2) in the length of the directory. Oh well.
|
||||
break |
||||
} |
||||
// Copy entry into return buffer.
|
||||
s := struct { |
||||
ptr unsafe.Pointer |
||||
siz int |
||||
cap int |
||||
}{ptr: unsafe.Pointer(&entry), siz: reclen, cap: reclen} |
||||
copy(buf, *(*[]byte)(unsafe.Pointer(&s))) |
||||
buf = buf[reclen:] |
||||
n += reclen |
||||
cnt++ |
||||
} |
||||
// Set the seek offset of the input fd to record
|
||||
// how many files we've already returned.
|
||||
_, err = Seek(fd, cnt, 0 /* SEEK_SET */) |
||||
if err != nil { |
||||
return n, err |
||||
} |
||||
|
||||
return n, nil |
||||
} |
@ -0,0 +1,9 @@ |
||||
// Copyright 2019 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
// +build darwin,386,!go1.12
|
||||
|
||||
package unix |
||||
|
||||
//sys Getdirentries(fd int, buf []byte, basep *uintptr) (n int, err error) = SYS_GETDIRENTRIES64
|
@ -0,0 +1,9 @@ |
||||
// Copyright 2019 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
// +build darwin,amd64,!go1.12
|
||||
|
||||
package unix |
||||
|
||||
//sys Getdirentries(fd int, buf []byte, basep *uintptr) (n int, err error) = SYS_GETDIRENTRIES64
|
@ -0,0 +1,11 @@ |
||||
// Copyright 2019 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
// +build darwin,386,!go1.12
|
||||
|
||||
package unix |
||||
|
||||
func Getdirentries(fd int, buf []byte, basep *uintptr) (n int, err error) { |
||||
return 0, ENOSYS |
||||
} |
@ -0,0 +1,11 @@ |
||||
// Copyright 2019 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
// +build darwin,arm64,!go1.12
|
||||
|
||||
package unix |
||||
|
||||
func Getdirentries(fd int, buf []byte, basep *uintptr) (n int, err error) { |
||||
return 0, ENOSYS |
||||
} |
@ -0,0 +1,41 @@ |
||||
// go run mksyscall.go -l32 -tags darwin,386,go1.13 syscall_darwin.1_13.go
|
||||
// Code generated by the command above; see README.md. DO NOT EDIT.
|
||||
|
||||
// +build darwin,386,go1.13
|
||||
|
||||
package unix |
||||
|
||||
import ( |
||||
"syscall" |
||||
"unsafe" |
||||
) |
||||
|
||||
var _ syscall.Errno |
||||
|
||||
// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
|
||||
|
||||
func closedir(dir uintptr) (err error) { |
||||
_, _, e1 := syscall_syscall(funcPC(libc_closedir_trampoline), uintptr(dir), 0, 0) |
||||
if e1 != 0 { |
||||
err = errnoErr(e1) |
||||
} |
||||
return |
||||
} |
||||
|
||||
func libc_closedir_trampoline() |
||||
|
||||
//go:linkname libc_closedir libc_closedir
|
||||
//go:cgo_import_dynamic libc_closedir closedir "/usr/lib/libSystem.B.dylib"
|
||||
|
||||
// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
|
||||
|
||||
func readdir_r(dir uintptr, entry *Dirent, result **Dirent) (res Errno) { |
||||
r0, _, _ := syscall_syscall(funcPC(libc_readdir_r_trampoline), uintptr(dir), uintptr(unsafe.Pointer(entry)), uintptr(unsafe.Pointer(result))) |
||||
res = Errno(r0) |
||||
return |
||||
} |
||||
|
||||
func libc_readdir_r_trampoline() |
||||
|
||||
//go:linkname libc_readdir_r libc_readdir_r
|
||||
//go:cgo_import_dynamic libc_readdir_r readdir_r "/usr/lib/libSystem.B.dylib"
|
@ -0,0 +1,12 @@ |
||||
// go run mkasm_darwin.go 386 |
||||
// Code generated by the command above; DO NOT EDIT.
|
||||
|
||||
// +build go1.13 |
||||
|
||||
#include "textflag.h" |
||||
TEXT ·libc_fdopendir_trampoline(SB),NOSPLIT,$0-0 |
||||
JMP libc_fdopendir(SB) |
||||
TEXT ·libc_closedir_trampoline(SB),NOSPLIT,$0-0 |
||||
JMP libc_closedir(SB) |
||||
TEXT ·libc_readdir_r_trampoline(SB),NOSPLIT,$0-0 |
||||
JMP libc_readdir_r(SB) |
@ -0,0 +1,41 @@ |
||||
// go run mksyscall.go -tags darwin,amd64,go1.13 syscall_darwin.1_13.go
|
||||
// Code generated by the command above; see README.md. DO NOT EDIT.
|
||||
|
||||
// +build darwin,amd64,go1.13
|
||||
|
||||
package unix |
||||
|
||||
import ( |
||||
"syscall" |
||||
"unsafe" |
||||
) |
||||
|
||||
var _ syscall.Errno |
||||
|
||||
// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
|
||||
|
||||
func closedir(dir uintptr) (err error) { |
||||
_, _, e1 := syscall_syscall(funcPC(libc_closedir_trampoline), uintptr(dir), 0, 0) |
||||
if e1 != 0 { |
||||
err = errnoErr(e1) |
||||
} |
||||
return |
||||
} |
||||
|
||||
func libc_closedir_trampoline() |
||||
|
||||
//go:linkname libc_closedir libc_closedir
|
||||
//go:cgo_import_dynamic libc_closedir closedir "/usr/lib/libSystem.B.dylib"
|
||||
|
||||
// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
|
||||
|
||||
func readdir_r(dir uintptr, entry *Dirent, result **Dirent) (res Errno) { |
||||
r0, _, _ := syscall_syscall(funcPC(libc_readdir_r_trampoline), uintptr(dir), uintptr(unsafe.Pointer(entry)), uintptr(unsafe.Pointer(result))) |
||||
res = Errno(r0) |
||||
return |
||||
} |
||||
|
||||
func libc_readdir_r_trampoline() |
||||
|
||||
//go:linkname libc_readdir_r libc_readdir_r
|
||||
//go:cgo_import_dynamic libc_readdir_r readdir_r "/usr/lib/libSystem.B.dylib"
|
@ -0,0 +1,12 @@ |
||||
// go run mkasm_darwin.go amd64 |
||||
// Code generated by the command above; DO NOT EDIT.
|
||||
|
||||
// +build go1.13 |
||||
|
||||
#include "textflag.h" |
||||
TEXT ·libc_fdopendir_trampoline(SB),NOSPLIT,$0-0 |
||||
JMP libc_fdopendir(SB) |
||||
TEXT ·libc_closedir_trampoline(SB),NOSPLIT,$0-0 |
||||
JMP libc_closedir(SB) |
||||
TEXT ·libc_readdir_r_trampoline(SB),NOSPLIT,$0-0 |
||||
JMP libc_readdir_r(SB) |
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in new issue