Jonathan Turner 9 years ago
parent
commit
93b5dbf25d
3 changed files with 55 additions and 1 deletions
  1. 5 1
      messages/Ticket.go
  2. 35 0
      pac/kerb_validation_info.go
  3. 15 0
      service/APExchange.go

+ 5 - 1
messages/Ticket.go

@@ -185,7 +185,7 @@ func (t *Ticket) DecryptEncPart(keytab keytab.Keytab) error {
 	return nil
 }
 
-func (t *Ticket) GetPACType(key types.EncryptionKey) (pac.PACType, error) {
+func (t *Ticket) GetPACType(keytab keytab.Keytab) (pac.PACType, error) {
 	for _, ad := range t.DecryptedEncPart.AuthorizationData {
 		if ad.ADType == adtype.AD_IF_RELEVANT {
 			var ad2 types.AuthorizationData
@@ -200,6 +200,10 @@ func (t *Ticket) GetPACType(key types.EncryptionKey) (pac.PACType, error) {
 				if err != nil {
 					return pac, fmt.Errorf("Error unmarshaling PAC: %v", err)
 				}
+				key, err := keytab.GetEncryptionKey(t.SName.NameString, t.Realm, t.EncPart.KVNO, t.EncPart.EType)
+				if err != nil {
+					return pac, NewKRBError(t.SName, t.Realm, errorcode.KRB_AP_ERR_NOKEY, fmt.Sprintf("Could not get key from keytab: %v", err))
+				}
 				err = pac.ProcessPACInfoBuffers(key)
 				return pac, err
 			}
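Review bot: GetPACType is exported but has no doc comment, and the new signature changes what the caller must supply, so the contract should be written down next to it. Suggest `// GetPACType extracts the PAC from the ticket's decrypted authorization data and processes its info buffers with the service key the keytab holds for the ticket's KVNO and encryption type; a missing key is reported as KRB_AP_ERR_NOKEY.` The key lookup on the added line runs inside the AuthorizationData loop only after a PAC has been unmarshaled, so a ticket without a PAC never touches the keytab; that is reasonable but worth stating, since callers may expect a keytab problem to surface regardless. Naming the parameter `keytab` shadows the keytab package inside the body, so `keytab.GetEncryptionKey` reads like a package-level call rather than a method on the argument; DecryptEncPart does the same, so a rename would be a file-wide change. The function continues past the hunk, so what it returns when no PAC is present is not visible here.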

+ 35 - 0
pac/kerb_validation_info.go

@@ -217,3 +217,38 @@ func (k *KerbValidationInfo) Unmarshal(b []byte) (err error) {
 
 	return nil
 }
+
+func (k *KerbValidationInfo) GetGroupMembershipSIDs() []string {
+	gSize := len(k.GroupIDs) + len(k.ExtraSIDs)
+	g := make([]string, gSize, gSize)
+	lSID := k.LogonDomainID.ToString()
+	for i := range k.GroupIDs {
+		g[i] = fmt.Sprintf("%s-%d", lSID, k.GroupIDs[i].RelativeID)
+	}
+	for _, s := range k.ExtraSIDs {
+		var exists = false
+		for _, es := range g {
+			if es == s.SID.ToString() {
+				exists = true
+				break
+			}
+		}
+		if !exists {
+			g = append(g, s.SID.ToString())
+		}
+	}
+	for _, r := range k.ResourceGroupIDs {
+		var exists = false
+		s := fmt.Sprintf("%s-%d", lSID, r)
+		for _, es := range g {
+			if es == s {
+				exists = true
+				break
+			}
+		}
+		if !exists {
+			g = append(g, s)
+		}
+	}
+	return g
+}
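Review bot: `g := make([]string, gSize, gSize)` at the top of GetGroupMembershipSIDs sets the length to the combined count, but only the first len(k.GroupIDs) slots are ever assigned; the later appends go beyond gSize, so the returned slice carries len(k.ExtraSIDs) empty strings in the middle — empty entries in a list that callers will use for authorization decisions. The fix is `g := make([]string, len(k.GroupIDs), gSize)` so the capacity is reserved but the length grows only with real entries. Hoisting `s.SID.ToString()` out of the inner loop would avoid re-encoding the SID on every comparison; the quadratic dedup itself is fine for typical group counts. Separately, the resource-group loop formats `r` directly with %d and prefixes it with the logon domain SID: MS-PAC defines these RIDs relative to ResourceGroupDomainSid, so if the struct carries that field (not visible here) it should be the prefix, and if the elements are GroupMembership structs like GroupIDs the RelativeID field needs selecting before formatting.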

+ 15 - 0
service/APExchange.go

@@ -81,5 +81,20 @@ func ValidateAPREQ(APReq messages.APReq, kt keytab.Keytab, cAddr string) (bool,
 		return false, creds, err
 	}
 	creds = credentials.NewCredentialsFromPrincipal(a.CName, a.CRealm)
+	pac, err := APReq.Ticket.GetPACType(kt)
+	if err == nil {
+		// There is a PAC. Adding attributes to creds
+		creds.Attributes["groupMembershipSIDs"] = pac.KerbValidationInfo.GetGroupMembershipSIDs()
+		creds.Attributes["logOnTime"] = pac.KerbValidationInfo.LogOnTime.Time()
+		creds.Attributes["logOffTime"] = pac.KerbValidationInfo.LogOffTime.Time()
+		creds.Attributes["passwordLastSet"] = pac.KerbValidationInfo.PasswordLastSet.Time()
+		creds.Attributes["effectiveName"] = pac.KerbValidationInfo.EffectiveName.Value
+		creds.Attributes["fullName"] = pac.KerbValidationInfo.FullName.Value
+		creds.Attributes["userID"] = int(pac.KerbValidationInfo.UserID)
+		creds.Attributes["primaryGroupID"] = int(pac.KerbValidationInfo.PrimaryGroupID)
+		creds.Attributes["logonServer"] = pac.KerbValidationInfo.LogonServer.Value
+		creds.Attributes["logonDomainName"] = pac.KerbValidationInfo.LogonDomainName.Value
+		creds.Attributes["logonDomainID"] = pac.KerbValidationInfo.LogonDomainID.ToString()
+	}
 	return true, creds, nil
 }
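Review bot: `if err == nil` at the GetPACType call treats every failure — no key in the keytab, a PAC that does not unmarshal, or a PAC whose checksum does not verify (if ProcessPACInfoBuffers checks it; not visible here) — exactly like a ticket that carries no PAC: ValidateAPREQ still returns true and creds simply lacks the attributes. A tampered or unverifiable PAC should surface as a validation failure rather than a silent absence of group data, so the error should be returned (`if err != nil { return false, creds, err }`) once GetPACType distinguishes "no PAC present" from a processing error, for example with a sentinel error value the caller can compare against. Until that distinction exists, at least log the error so a failed PAC verification is visible in the service's records instead of vanishing. The added lines also write to `creds.Attributes` without a nil check, which is safe only if NewCredentialsFromPrincipal initializes the map; this hunk cannot confirm that. ValidateAPREQ starts outside the hunk.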