
Commit a02e778

committed
Implement SSPI Support on Windows (oc Kerberos)
This change is highly experimental and includes no tests (because you need an automated extended test with a fully configured Windows Active Directory server to actually test this). Signed-off-by: Monis Khan <[email protected]>
1 parent 1496791 commit a02e778

7 files changed

+373
-30
lines changed

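--- a/pkg/oc/cli/cmd/version.go
+++ b/pkg/oc/cli/cmd/version.go
@@ -113,8 +113,13 @@ func (o VersionOptions) RunVersion() error {
 }
 if tokencmd.GSSAPIEnabled() {
 features = append(features, "GSSAPI")
-features = append(features, "Kerberos") // GSSAPI or SSPI
-features = append(features, "SPNEGO") // GSSAPI or SSPI
+}
+if tokencmd.SSPIEnabled() {
+features = append(features, "SSPI")
+}
+if tokencmd.GSSAPIEnabled() || tokencmd.SSPIEnabled() {
+features = append(features, "Kerberos")
+features = append(features, "SPNEGO")
 }
 fmt.Printf("features: %s\n", strings.Join(features, " "))
 }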
Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,39 @@
1+
package tokencmd
2+
3+
import (
4+
"errors"
5+
"net/url"
6+
)
7+
8+
func getServiceName(sep rune, requestURL string) (string, error) {
9+
u, err := url.Parse(requestURL)
10+
if err != nil {
11+
return "", err
12+
}
13+
14+
return "HTTP" + string(sep) + u.Hostname(), nil
15+
}
16+
17+
type negotiateUnsupported struct {
18+
error
19+
}
20+
21+
func newUnsupportedNegotiator(name string) Negotiator {
22+
return &negotiateUnsupported{error: errors.New(name + " support is not enabled")}
23+
}
24+
25+
func (n *negotiateUnsupported) Load() error {
26+
return n
27+
}
28+
29+
func (n *negotiateUnsupported) InitSecContext(requestURL string, challengeToken []byte) ([]byte, error) {
30+
return nil, n
31+
}
32+
33+
func (*negotiateUnsupported) IsComplete() bool {
34+
return false
35+
}
36+
37+
func (n *negotiateUnsupported) Release() error {
38+
return n
39+
}
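Review bot: getServiceName returns a principal with an empty host (`HTTP@` for the GSSAPI caller) whenever the parsed URL has no host — for example a schemeless `host:port` string, which url.Parse reads as a scheme plus an opaque part — and nothing in this file rejects that before it is handed to the security library as the target SPN. Guard it right after the parse, since `errors` is already imported here: `if u.Hostname() == "" { return "", errors.New("cannot derive service name: no host in " + requestURL) }`. A doc comment would also help, because the separator argument is only explained by its callers: `// getServiceName builds the HTTP service principal name for requestURL, joining "HTTP" and the URL host with sep ('@' for the GSSAPI negotiator; presumably the SSPI side passes its own separator).` The rendered page does not show this new file's path.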

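--- a/pkg/oc/util/tokencmd/negotiator_gssapi.go
+++ b/pkg/oc/util/tokencmd/negotiator_gssapi.go
@@ -4,8 +4,6 @@ package tokencmd
 
 import (
 "errors"
-"net"
-"net/url"
 "runtime"
 "sync"
 "time"
@@ -90,17 +88,11 @@ func (g *gssapiNegotiator) InitSecContext(requestURL string, challengeToken []by
 g.cred = lib.GSS_C_NO_CREDENTIAL
 }
 
-u, err := url.Parse(requestURL)
+serviceName, err := getServiceName('@', requestURL)
 if err != nil {
 return nil, err
 }
 
-hostname := u.Host
-if h, _, err := net.SplitHostPort(u.Host); err == nil {
-hostname = h
-}
-
-serviceName := "HTTP@" + hostname
 glog.V(5).Infof("importing service name %s", serviceName)
 nameBuf, err := lib.MakeBufferString(serviceName)
 if err != nil {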
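Review bot: The SPN for a bracketed IPv6 host given without a port changes with this hunk, and the commit message does not mention it: the removed code kept `[::1]` (net.SplitHostPort fails when no port is present, so `u.Host` was used as-is), while getServiceName uses `u.Hostname()`, which strips the brackets to `::1` whether or not a port follows. That is the more consistent result and is probably intended, but it is worth a one-line comment at the call, e.g. `// getServiceName uses u.Hostname(), so IPv6 literals lose their brackets even when no port is given.` Also note that an empty host still reaches `lib.MakeBufferString` as `HTTP@`, where the library will report the failure rather than this code. InitSecContext starts and ends outside the hunk.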

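--- a/pkg/oc/util/tokencmd/negotiator_gssapi_unsupported.go
+++ b/pkg/oc/util/tokencmd/negotiator_gssapi_unsupported.go
@@ -2,27 +2,10 @@
 
 package tokencmd
 
-import "errors"
-
 func GSSAPIEnabled() bool {
 return false
 }
 
-type gssapiUnsupported struct{}
-
-func NewGSSAPINegotiator(principalName string) Negotiater {
-return &gssapiUnsupported{}
-}
-
-func (g *gssapiUnsupported) Load() error {
-return errors.New("GSSAPI support is not enabled")
-}
-func (g *gssapiUnsupported) InitSecContext(requestURL string, challengeToken []byte) (tokenToSend []byte, err error) {
-return nil, errors.New("GSSAPI support is not enabled")
-}
-func (g *gssapiUnsupported) IsComplete() bool {
-return false
-}
-func (g *gssapiUnsupported) Release() error {
-return errors.New("GSSAPI support is not enabled")
+func NewGSSAPINegotiator(string) Negotiator {
+return newUnsupportedNegotiator("GSSAPI")
 }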
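Review bot: GSSAPIEnabled and NewGSSAPINegotiator are exported but carry no doc comments, and in this file — which looks like the build-constrained fallback, its first line being outside the hunk — a reader has nowhere to learn that the returned Negotiator can never succeed. The new shared helper makes that precise, so document it here: `// NewGSSAPINegotiator returns a Negotiator whose Load, InitSecContext and Release all fail with "GSSAPI support is not enabled"; GSSAPI is compiled out of this binary and the principal name is ignored.` and `// GSSAPIEnabled reports whether this binary was built with GSSAPI support; in this build it is always false.` Dropping the parameter name in `NewGSSAPINegotiator(string)` is fine for the compiler but loses the only hint of what the argument is, which the comment above restores.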
