Implement SSPI Support on Windows (oc Kerberos)

This change is highly experimental and includes no tests (because you need an automated extended test with a fully configured Windows Active Directory server to actually test this). Signed-off-by: Monis Khan <mkhan@redhat.com>
openshift · Jul 13, 2018 · 919477b · 919477b
1 parent 93c00d2
commit 919477b
Show file tree

Hide file tree

Showing 7 changed files with 373 additions and 30 deletions.
diff --git a/pkg/oc/cli/cmd/version.go b/pkg/oc/cli/cmd/version.go
@@ -113,8 +113,13 @@ func (o VersionOptions) RunVersion() error {
 		}
 		if tokencmd.GSSAPIEnabled() {
 			features = append(features, "GSSAPI")
-			features = append(features, "Kerberos") // GSSAPI or SSPI
-			features = append(features, "SPNEGO")   // GSSAPI or SSPI
+		}
+		if tokencmd.SSPIEnabled() {
+			features = append(features, "SSPI")
+		}
+		if tokencmd.GSSAPIEnabled() || tokencmd.SSPIEnabled() {
+			features = append(features, "Kerberos")
+			features = append(features, "SPNEGO")
 		}
 		fmt.Printf("features: %s\n", strings.Join(features, " "))
 	}

diff --git a/pkg/oc/util/tokencmd/negotiate_helpers.go b/pkg/oc/util/tokencmd/negotiate_helpers.go
@@ -0,0 +1,39 @@
+package tokencmd
+
+import (
+	"errors"
+	"net/url"
+)
+
+func getServiceName(sep rune, requestURL string) (string, error) {
+	u, err := url.Parse(requestURL)
+	if err != nil {
+		return "", err
+	}
+
+	return "HTTP" + string(sep) + u.Hostname(), nil
+}
+
+type negotiateUnsupported struct {
+	error
+}
+
+func newUnsupportedNegotiator(name string) Negotiator {
+	return &negotiateUnsupported{error: errors.New(name + " support is not enabled")}
+}
+
+func (n *negotiateUnsupported) Load() error {
+	return n
+}
+
+func (n *negotiateUnsupported) InitSecContext(requestURL string, challengeToken []byte) ([]byte, error) {
+	return nil, n
+}
+
+func (*negotiateUnsupported) IsComplete() bool {
+	return false
+}
+
+func (n *negotiateUnsupported) Release() error {
+	return n
+}
diff --git a/pkg/oc/util/tokencmd/negotiator_gssapi.go b/pkg/oc/util/tokencmd/negotiator_gssapi.go
@@ -4,8 +4,6 @@ package tokencmd
 
 import (
 	"errors"
-	"net"
-	"net/url"
 	"runtime"
 	"sync"
 	"time"
@@ -90,17 +88,11 @@ func (g *gssapiNegotiator) InitSecContext(requestURL string, challengeToken []by
 			g.cred = lib.GSS_C_NO_CREDENTIAL
 		}
 
-		u, err := url.Parse(requestURL)
+		serviceName, err := getServiceName('@', requestURL)
 		if err != nil {
 			return nil, err
 		}
 
-		hostname := u.Host
-		if h, _, err := net.SplitHostPort(u.Host); err == nil {
-			hostname = h
-		}
-
-		serviceName := "HTTP@" + hostname
 		glog.V(5).Infof("importing service name %s", serviceName)
 		nameBuf, err := lib.MakeBufferString(serviceName)
 		if err != nil {

diff --git a/pkg/oc/util/tokencmd/negotiator_gssapi_unsupported.go b/pkg/oc/util/tokencmd/negotiator_gssapi_unsupported.go
@@ -2,27 +2,10 @@
 
 package tokencmd
 
-import "errors"
-
 func GSSAPIEnabled() bool {
 	return false
 }
 
-type gssapiUnsupported struct{}
-
-func NewGSSAPINegotiator(principalName string) Negotiater {
-	return &gssapiUnsupported{}
-}
-
-func (g *gssapiUnsupported) Load() error {
-	return errors.New("GSSAPI support is not enabled")
-}
-func (g *gssapiUnsupported) InitSecContext(requestURL string, challengeToken []byte) (tokenToSend []byte, err error) {
-	return nil, errors.New("GSSAPI support is not enabled")
-}
-func (g *gssapiUnsupported) IsComplete() bool {
-	return false
-}
-func (g *gssapiUnsupported) Release() error {
-	return errors.New("GSSAPI support is not enabled")
+func NewGSSAPINegotiator(string) Negotiator {
+	return newUnsupportedNegotiator("GSSAPI")
 }