package service import ( "time" "github.com/jcmturner/gokrb5/v8/credentials" "github.com/jcmturner/gokrb5/v8/iana/errorcode" "github.com/jcmturner/gokrb5/v8/messages" ) // VerifyAPREQ verifies an AP_REQ sent to the service. Returns a boolean for if the AP_REQ is valid and the client's principal name and realm. func VerifyAPREQ(APReq *messages.APReq, s *Settings) (bool, *credentials.Credentials, error) { var creds *credentials.Credentials ok, err := APReq.Verify(s.Keytab, s.MaxClockSkew(), s.ClientAddress(), s.KeytabPrincipal()) if err != nil || !ok { return false, creds, err } if s.RequireHostAddr() && len(APReq.Ticket.DecryptedEncPart.CAddr) < 1 { return false, creds, messages.NewKRBError(APReq.Ticket.SName, APReq.Ticket.Realm, errorcode.KRB_AP_ERR_BADADDR, "ticket does not contain HostAddress values required") } // Check for replay rc := GetReplayCache(s.MaxClockSkew()) if rc.IsReplay(APReq.Ticket.SName, APReq.Authenticator) { return false, creds, messages.NewKRBError(APReq.Ticket.SName, APReq.Ticket.Realm, errorcode.KRB_AP_ERR_REPEAT, "replay detected") } c := credentials.NewFromPrincipalName(APReq.Authenticator.CName, APReq.Authenticator.CRealm) creds = c creds.SetAuthTime(time.Now().UTC()) creds.SetAuthenticated(true) creds.SetValidUntil(APReq.Ticket.DecryptedEncPart.EndTime) //PAC decoding if !s.disablePACDecoding { isPAC, pac, err := APReq.Ticket.GetPACType(s.Keytab, s.KeytabPrincipal(), s.Logger()) if isPAC && err != nil { return false, creds, err } if isPAC { // There is a valid PAC. Adding attributes to creds creds.SetADCredentials(credentials.ADCredentials{ GroupMembershipSIDs: pac.KerbValidationInfo.GetGroupMembershipSIDs(), LogOnTime: pac.KerbValidationInfo.LogOnTime.Time(), LogOffTime: pac.KerbValidationInfo.LogOffTime.Time(), PasswordLastSet: pac.KerbValidationInfo.PasswordLastSet.Time(), EffectiveName: pac.KerbValidationInfo.EffectiveName.Value, FullName: pac.KerbValidationInfo.FullName.Value, UserID: int(pac.KerbValidationInfo.UserID), PrimaryGroupID: int(pac.KerbValidationInfo.PrimaryGroupID), LogonServer: pac.KerbValidationInfo.LogonServer.Value, LogonDomainName: pac.KerbValidationInfo.LogonDomainName.Value, LogonDomainID: pac.KerbValidationInfo.LogonDomainID.String(), }) } } return true, creds, nil }