vikunja-api/vendor/github.com/jcmturner/gokrb5/v8/service/APExchange.go

package service

import (
	"time"

	"github.com/jcmturner/gokrb5/v8/credentials"
	"github.com/jcmturner/gokrb5/v8/iana/errorcode"
	"github.com/jcmturner/gokrb5/v8/messages"
)

// VerifyAPREQ verifies an AP_REQ sent to the service. Returns a boolean for if the AP_REQ is valid and the client's principal name and realm.
func VerifyAPREQ(APReq *messages.APReq, s *Settings) (bool, *credentials.Credentials, error) {
	var creds *credentials.Credentials
	ok, err := APReq.Verify(s.Keytab, s.MaxClockSkew(), s.ClientAddress(), s.KeytabPrincipal())
	if err != nil || !ok {
		return false, creds, err
	}

	if s.RequireHostAddr() && len(APReq.Ticket.DecryptedEncPart.CAddr) < 1 {
		return false, creds,
			messages.NewKRBError(APReq.Ticket.SName, APReq.Ticket.Realm, errorcode.KRB_AP_ERR_BADADDR, "ticket does not contain HostAddress values required")
	}

	// Check for replay
	rc := GetReplayCache(s.MaxClockSkew())
	if rc.IsReplay(APReq.Ticket.SName, APReq.Authenticator) {
		return false, creds,
			messages.NewKRBError(APReq.Ticket.SName, APReq.Ticket.Realm, errorcode.KRB_AP_ERR_REPEAT, "replay detected")
	}

	c := credentials.NewFromPrincipalName(APReq.Authenticator.CName, APReq.Authenticator.CRealm)
	creds = c
	creds.SetAuthTime(time.Now().UTC())
	creds.SetAuthenticated(true)
	creds.SetValidUntil(APReq.Ticket.DecryptedEncPart.EndTime)

	//PAC decoding
	if !s.disablePACDecoding {
		isPAC, pac, err := APReq.Ticket.GetPACType(s.Keytab, s.KeytabPrincipal(), s.Logger())
		if isPAC && err != nil {
			return false, creds, err
		}
		if isPAC {
			// There is a valid PAC. Adding attributes to creds
			creds.SetADCredentials(credentials.ADCredentials{
				GroupMembershipSIDs: pac.KerbValidationInfo.GetGroupMembershipSIDs(),
				LogOnTime:           pac.KerbValidationInfo.LogOnTime.Time(),
				LogOffTime:          pac.KerbValidationInfo.LogOffTime.Time(),
				PasswordLastSet:     pac.KerbValidationInfo.PasswordLastSet.Time(),
				EffectiveName:       pac.KerbValidationInfo.EffectiveName.Value,
				FullName:            pac.KerbValidationInfo.FullName.Value,
				UserID:              int(pac.KerbValidationInfo.UserID),
				PrimaryGroupID:      int(pac.KerbValidationInfo.PrimaryGroupID),
				LogonServer:         pac.KerbValidationInfo.LogonServer.Value,
				LogonDomainName:     pac.KerbValidationInfo.LogonDomainName.Value,
				LogonDomainID:       pac.KerbValidationInfo.LogonDomainID.String(),
			})
		}
	}
	return true, creds, nil
}
Update module lib/pq to v1.6.0 (#572) Update module lib/pq to v1.6.0 Reviewed-on: https://kolaente.dev/vikunja/api/pulls/572 2020-05-29 19:47:28 +02:00			`package service`

			`import (`
			`"time"`

			`"github.com/jcmturner/gokrb5/v8/credentials"`
			`"github.com/jcmturner/gokrb5/v8/iana/errorcode"`
			`"github.com/jcmturner/gokrb5/v8/messages"`
			`)`

			`// VerifyAPREQ verifies an AP_REQ sent to the service. Returns a boolean for if the AP_REQ is valid and the client's principal name and realm.`
			`func VerifyAPREQ(APReq messages.APReq, s Settings) (bool, *credentials.Credentials, error) {`
			`var creds *credentials.Credentials`
			`ok, err := APReq.Verify(s.Keytab, s.MaxClockSkew(), s.ClientAddress(), s.KeytabPrincipal())`
			`if err != nil \|\| !ok {`
			`return false, creds, err`
			`}`

			`if s.RequireHostAddr() && len(APReq.Ticket.DecryptedEncPart.CAddr) < 1 {`
			`return false, creds,`
			`messages.NewKRBError(APReq.Ticket.SName, APReq.Ticket.Realm, errorcode.KRB_AP_ERR_BADADDR, "ticket does not contain HostAddress values required")`
			`}`

			`// Check for replay`
			`rc := GetReplayCache(s.MaxClockSkew())`
			`if rc.IsReplay(APReq.Ticket.SName, APReq.Authenticator) {`
			`return false, creds,`
			`messages.NewKRBError(APReq.Ticket.SName, APReq.Ticket.Realm, errorcode.KRB_AP_ERR_REPEAT, "replay detected")`
			`}`

			`c := credentials.NewFromPrincipalName(APReq.Authenticator.CName, APReq.Authenticator.CRealm)`
			`creds = c`
			`creds.SetAuthTime(time.Now().UTC())`
			`creds.SetAuthenticated(true)`
			`creds.SetValidUntil(APReq.Ticket.DecryptedEncPart.EndTime)`

			`//PAC decoding`
			`if !s.disablePACDecoding {`
			`isPAC, pac, err := APReq.Ticket.GetPACType(s.Keytab, s.KeytabPrincipal(), s.Logger())`
			`if isPAC && err != nil {`
			`return false, creds, err`
			`}`
			`if isPAC {`
			`// There is a valid PAC. Adding attributes to creds`
			`creds.SetADCredentials(credentials.ADCredentials{`
			`GroupMembershipSIDs: pac.KerbValidationInfo.GetGroupMembershipSIDs(),`
			`LogOnTime: pac.KerbValidationInfo.LogOnTime.Time(),`
			`LogOffTime: pac.KerbValidationInfo.LogOffTime.Time(),`
			`PasswordLastSet: pac.KerbValidationInfo.PasswordLastSet.Time(),`
			`EffectiveName: pac.KerbValidationInfo.EffectiveName.Value,`
			`FullName: pac.KerbValidationInfo.FullName.Value,`
			`UserID: int(pac.KerbValidationInfo.UserID),`
			`PrimaryGroupID: int(pac.KerbValidationInfo.PrimaryGroupID),`
			`LogonServer: pac.KerbValidationInfo.LogonServer.Value,`
			`LogonDomainName: pac.KerbValidationInfo.LogonDomainName.Value,`
			`LogonDomainID: pac.KerbValidationInfo.LogonDomainID.String(),`
			`})`
			`}`
			`}`
			`return true, creds, nil`
			`}`