upload/koji: add support for GSSAPI/Kerberos auth

Prior this commit we only had support for username/password authentication in the koji integration. This wasn't particularly useful because this auth type isn't used in any production instance. This commit adds the support for GSSAPI/Kerberos authentication. The implementation uses kerby library which is very lightweight wrapper around C gssapi library. Also, the koji unit test and the run-koji-container script were modified so the GSSAPI auth is fully tested.
2020-08-19 15:14:20 +02:00 · 2020-08-19 15:14:20 +02:00 · 05fd221bd4
commit 05fd221bd4
parent ecc7340570
21 changed files with 1637 additions and 31 deletions
--- a/vendor/github.com/ubccr/kerby/khttp/handler.go
+++ b/vendor/github.com/ubccr/kerby/khttp/handler.go
@ -0,0 +1,39 @@
+package khttp
+
+import (
+	"fmt"
+	"github.com/ubccr/kerby"
+	"log"
+	"net/http"
+	"strings"
+)
+
+func Handler(h http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		authReq := strings.Split(r.Header.Get(authorizationHeader), " ")
+		if len(authReq) != 2 || authReq[0] != negotiateHeader {
+			w.Header().Set(wwwAuthenticateHeader, negotiateHeader)
+			http.Error(w, "Invalid authorization header", http.StatusUnauthorized)
+			return
+		}
+
+		ks := new(kerby.KerbServer)
+		err := ks.Init("")
+		if err != nil {
+			log.Printf("KerbServer Init Error: %s", err.Error())
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+		defer ks.Clean()
+
+		err = ks.Step(authReq[1])
+		if err != nil {
+			log.Printf("KerbServer Step Error: %s", err.Error())
+			http.Error(w, err.Error(), http.StatusUnauthorized)
+			return
+		}
+
+		w.Header().Set(wwwAuthenticateHeader, fmt.Sprintf("%s %s", negotiateHeader, ks.Response()))
+		h.ServeHTTP(w, r)
+	})
+}