Use GSSAPI for IntegratedSecurity on Unix

Cargo.toml

@@ -48,6 +48,9 @@ async-trait = "0.1"
 [target.'cfg(windows)'.dependencies]
 winauth = "0.0.4"
 
+[target.'cfg(unix)'.dependencies]
+libgssapi = "0.4"
+
 [dependencies.tokio]
 version = "0.2"
 optional = true

src/client/auth.rs

@@ -58,6 +58,9 @@ pub enum AuthMethod {
     /// Authenticate as the currently logged in user. Only available on Windows
     /// platforms.
     WindowsIntegrated,
+    #[cfg(any(unix, doc))]
+    /// Authenticate as the currently logged in (Kerberos) user. Only available on Unix platforms.
+    Integrated,
     #[doc(hidden)]
     None,
 }

src/client/builder.rs

@@ -132,7 +132,7 @@ impl Config {
     /// |Parameter|Allowed values|Description|
     /// |--------|--------|--------|
     /// |`server`|`<string>`|The name or network address of the instance of SQL Server to which to connect. The port number can be specified after the server name. The correct form of this parameter is either `tcp:host,port` or `tcp:host\\instance`|
-    /// |`IntegratedSecurity`|`true`,`false`,`yes`,`no`|Toggle between Windows authentication and SQL authentication.|
+    /// |`IntegratedSecurity`|`true`,`false`,`yes`,`no`|Toggle between Windows/Kerberos authentication and SQL authentication.|
     /// |`uid`,`username`,`user`,`user id`|`<string>`|The SQL Server login account.|
     /// |`password`,`pwd`|`<string>`|The password for the SQL Server account logging on.|
     /// |`database`|`<string>`|The name of the database.|
@@ -281,6 +281,8 @@ impl AdoNetString {
                 (None, None) => Ok(AuthMethod::WindowsIntegrated),
                 _ => Ok(AuthMethod::windows(user.unwrap_or(""), pw.unwrap_or(""))),
             },
+            #[cfg(unix)]
+            Some(val) if val.to_lowercase() == "sspi" || Self::parse_bool(val)? => Ok(AuthMethod::Integrated),
             _ => Ok(AuthMethod::sql_server(user.unwrap_or(""), pw.unwrap_or(""))),
         }
     }

src/client/connection.rs

@@ -13,7 +13,6 @@ use crate::{
     EncryptionLevel, SqlReadBytes,
 };
 use bytes::BytesMut;
-#[cfg(windows)]
 use codec::TokenSSPI;
 use futures::{ready, AsyncRead, AsyncWrite, SinkExt, Stream, TryStream, TryStreamExt};
 use futures_codec::Framed;
@@ -23,6 +22,14 @@ use task::Poll;
 use tracing::{event, Level};
 #[cfg(windows)]
 use winauth::{windows::NtlmSspiBuilder, NextBytes};
+#[cfg(unix)]
+use libgssapi::{
+    name::Name,
+    credential::{Cred, CredUsage},
+    context::{CtxFlags, ClientCtx},
+    oid::{OidSet, GSS_NT_KRB5_PRINCIPAL, GSS_MECH_KRB5}
+};
+use std::ops::Deref;
 
 /// A `Connection` is an abstraction between the [`Client`] and the server. It
 /// can be used as a `Stream` to fetch [`Packet`]s from and to `send` packets
@@ -55,16 +62,12 @@ impl<S: AsyncRead + AsyncWrite + Unpin + Send> Connection<S> {
     /// Creates a new connection
     pub(crate) async fn connect(config: Config, tcp_stream: S) -> crate::Result<Connection<S>>
 where {
-        #[cfg(windows)]
         let context = {
             let mut context = Context::new();
             context.set_spn(config.get_host(), config.get_port());
             context
         };
 
-        #[cfg(not(windows))]
-        let context = { Context::new() };
-
         let transport = Framed::new(MaybeTlsStream::Raw(tcp_stream), PacketCodec);
 
         let mut connection = Self {
@@ -95,7 +98,6 @@ where {
         TokenStream::new(self).flush_done().await
     }
 
-    #[cfg(windows)]
     /// Flush the incoming token stream until receiving `SSPI` token.
     async fn flush_sspi(&mut self) -> crate::Result<TokenSSPI> {
         TokenStream::new(self).flush_sspi().await
@@ -262,6 +264,48 @@ where {
                     None => unreachable!(),
                 }
             }
+            #[cfg(unix)]
+            AuthMethod::Integrated => {
+                let mut s = OidSet::new()?;
+                s.add(&GSS_MECH_KRB5)?;
+
+                let client_cred = Cred::acquire(
+                    None, None, CredUsage::Initiate, Some(&s)
+                )?;
+
+                let ctx = ClientCtx::new(
+                    client_cred,
+                    Name::new(self.context.spn().as_bytes(), Some(&GSS_NT_KRB5_PRINCIPAL))?,
+                    CtxFlags::GSS_C_MUTUAL_FLAG | CtxFlags::GSS_C_SEQUENCE_FLAG,
+                    None,
+                );
+
+                let init_token = ctx.step(None)?;
+
+                msg.integrated_security = Some(Vec::from(init_token.unwrap().deref()));
+
+                let id = self.context.next_packet_id();
+                self.send(PacketHeader::login(id), msg).await?;
+
+                self = self.post_login_encryption(encryption);
+
+                let auth_bytes = self.flush_sspi().await?;
+
+                let next_token = match ctx.step(Some(auth_bytes.as_ref()))? {
+                    Some(response) => {
+                        TokenSSPI::new(Vec::from(response.deref()))
+                    },
+                    None => {
+                        TokenSSPI::new(Vec::new())
+                    }
+                };
+
+                let id = self.context.next_packet_id();
+                let header = PacketHeader::login(id);
+
+                self.send(header, next_token).await?;
+
+            },
             #[cfg(windows)]
             AuthMethod::Windows(auth) => {
                 let spn = self.context.spn().to_string();

src/error.rs

@@ -40,6 +40,10 @@ pub enum Error {
     #[error("Error forming TLS connection: {}", _0)]
     /// An error in the TLS handshake.
     Tls(String),
+    #[cfg(any(unix, doc))]
+    /// An error from the GSSAPI library.
+    #[error("GSSAPI Error: {}", _0)]
+    Gssapi(String)
 }
 
 impl From<uuid::Error> for Error {
@@ -93,3 +97,10 @@ impl From<std::string::FromUtf16Error> for Error {
         Error::Utf16
     }
 }
+
+#[cfg(unix)]
+impl From<libgssapi::error::Error> for Error {
+    fn from(err: libgssapi::error::Error) -> Error {
+        Error::Gssapi(format!("{}", err))
+    }
+}

src/lib.rs

@@ -92,10 +92,9 @@
 //! Tiberius supports different [ways of authentication] to the SQL Server:
 //!
 //! - SQL Server authentication uses the facilities of the database to
-//! authenticate the user. This is also the only cross-platform method that
-//! works outside of Windows platforms.
+//! authenticate the user.
 //! - Authentication with Windows credentials
-//! - Authentication with currently logged in Windows user
+//! - Authentication with currently logged in Windows user / Kerberos credentials
 //!
 //! # TLS
 //!

src/tds/codec/token.rs

@@ -7,7 +7,6 @@ mod token_login_ack;
 mod token_order;
 mod token_return_value;
 mod token_row;
-#[cfg(windows)]
 mod token_sspi;
 mod token_type;
 
@@ -20,6 +19,5 @@ pub use token_login_ack::*;
 pub use token_order::*;
 pub use token_return_value::*;
 pub use token_row::*;
-#[cfg(windows)]
 pub use token_sspi::*;
 pub use token_type::*;

src/tds/context.rs

@@ -9,7 +9,6 @@ pub(crate) struct Context {
     packet_id: u8,
     transaction_id: u64,
     last_meta: Option<Arc<TokenColMetaData>>,
-    #[cfg(windows)]
     spn: Option<String>,
 }
 
@@ -21,7 +20,6 @@ impl Context {
             packet_id: 0,
             transaction_id: 0,
             last_meta: None,
-            #[cfg(windows)]
             spn: None,
         }
     }
@@ -60,12 +58,10 @@ impl Context {
         self.version
     }
 
-    #[cfg(windows)]
     pub fn set_spn(&mut self, host: impl AsRef<str>, port: u16) {
         self.spn = Some(format!("MSSQLSvc/{}:{}", host.as_ref(), port));
     }
 
-    #[cfg(windows)]
     pub fn spn(&self) -> &str {
         self.spn.as_ref().map(|s| s.as_str()).unwrap_or("")
     }

src/tds/stream/token.rs

@@ -1,4 +1,3 @@
-#[cfg(windows)]
 use crate::tds::codec::TokenSSPI;
 use crate::{
     client::Connection,
@@ -25,7 +24,6 @@ pub enum ReceivedToken {
     EnvChange(TokenEnvChange),
     Info(TokenInfo),
     LoginAck(TokenLoginAck),
-    #[cfg(windows)]
     SSPI(TokenSSPI),
 }
 
@@ -53,7 +51,6 @@ where
         }
     }
 
-    #[cfg(windows)]
     pub(crate) async fn flush_sspi(self) -> crate::Result<TokenSSPI> {
         let mut stream = self.try_unfold();
 
@@ -163,7 +160,6 @@ where
         Ok(ReceivedToken::LoginAck(ack))
     }
 
-    #[cfg(windows)]
     async fn get_sspi(&mut self) -> crate::Result<ReceivedToken> {
         let sspi = TokenSSPI::decode_async(self.conn).await?;
         event!(Level::TRACE, "SSPI response");
@@ -195,7 +191,6 @@ where
                 TokenType::EnvChange => this.get_env_change().await?,
                 TokenType::Info => this.get_info().await?,
                 TokenType::LoginAck => this.get_login_ack().await?,
-                #[cfg(windows)]
                 TokenType::SSPI => this.get_sspi().await?,
                 _ => panic!("Token {:?} unimplemented!", ty),
             };