Add ability to provide user specific krb5

macsux · macsux · commit 679406ea82e7 · 2022-02-14T18:25:05.000-05:00
diff --git a/sample/KerberosDemo/manifest.yml b/sample/KerberosDemo/manifest.yml
@@ -5,7 +5,7 @@ applications:
   memory: 512M
   health-check-type: none
   buildpacks: 
-    - https://github.com/macsux/kerberos-buildpack/releases/download/v1.0.9/KerberosBuildpack-linux-x64-v1.0.9.zip
+    - https://github.com/macsux/kerberos-buildpack/releases/download/v1.0.10/KerberosBuildpack-linux-x64-v1.0.10.zip
     - dotnet_core_buildpack
   env:
     KRB5_KDC: dc1.macsux.com
diff --git a/src/KerberosBuildpack/KerberosBuildpack.cs b/src/KerberosBuildpack/KerberosBuildpack.cs
@@ -1,19 +1,4 @@
-﻿using System;
-using System.Collections.Generic;
-using System.IO;
-using System.Linq;
-using System.Net;
-using System.Reflection;
-using System.Text.Json;
-using System.Text.Json.Nodes;
-using System.Threading.Tasks;
-using Kerberos.NET;
-using Kerberos.NET.Client;
-using Kerberos.NET.Configuration;
-using Kerberos.NET.Credentials;
-using Kerberos.NET.Crypto;
-using Kerberos.NET.Entities;
-using Kerberos.NET.Transport;
+﻿using System.Reflection;
 using NMica.Utils.IO;
 
 namespace KerberosBuildpack
@@ -30,6 +15,7 @@ protected override void Apply(AbsolutePath buildPath, AbsolutePath cachePath, Ab
             EnvironmentalVariables["KRB5_CONFIG"] = "/home/vcap/app/.krb5/krb5.conf";
             EnvironmentalVariables["KRB5CCNAME"] = "/home/vcap/app/.krb5/krb5cc";
             EnvironmentalVariables["KRB5_KTNAME"] = "/home/vcap/app/.krb5/service.keytab";
+            EnvironmentalVariables["KRB5_CLIENT_KTNAME"] = "/home/vcap/app/.krb5/service.keytab";
             
             Directory.CreateDirectory(krb5Dir);
 
diff --git a/src/KerberosBuildpack/KerberosBuildpack.csproj b/src/KerberosBuildpack/KerberosBuildpack.csproj
@@ -10,13 +10,13 @@
 
   <ItemGroup>
     <PackageReference Include="CommandDotNet" Version="3.0.2" />
-    <PackageReference Include="Kerberos.NET" Version="4.5.124" />
+<!--    <PackageReference Include="Kerberos.NET" Version="4.5.124" />-->
     <PackageReference Include="NMica.Utils" Version="1.0.1" />
   </ItemGroup>
 
-  <ItemGroup>
-    <ProjectReference Include="..\KerberosSidecar\KerberosSidecar.csproj" />
-  </ItemGroup>
+<!--  <ItemGroup>-->
+<!--    <ProjectReference Include="..\KerberosSidecar\KerberosSidecar.csproj" />-->
+<!--  </ItemGroup>-->
 
   <ItemGroup>
     <EmbeddedResource Include="launch.yaml" />
diff --git a/src/KerberosSidecar/KerberosOptions.cs b/src/KerberosSidecar/KerberosOptions.cs
@@ -37,6 +37,7 @@ public class KerberosOptions
     public KerberosClient KerberosClient { get; set; } = null!;
 
     public bool RunOnce { get; set; }
+    public bool GenerateKrb5 { get; set; }
 
     public class Validator : IValidateOptions<KerberosOptions>
     {
diff --git a/src/KerberosSidecar/KerberosSidecar.csproj b/src/KerberosSidecar/KerberosSidecar.csproj
@@ -11,7 +11,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Kerberos.NET" Version="4.5.124" />
+    <PackageReference Include="Kerberos.NET" Version="4.5.155" />
     <PackageReference Include="MediatR.Extensions.Microsoft.DependencyInjection" Version="9.0.0" />
     <PackageReference Include="NetEscapades.Configuration.Yaml" Version="2.1.0" />
   </ItemGroup>
diff --git a/src/KerberosSidecar/KerberosWorker.cs b/src/KerberosSidecar/KerberosWorker.cs
@@ -79,7 +79,10 @@ private async Task CreateMitKerberosKeytab()
 
     private async Task CreateMitKerberosKrb5Config()
     {
-        await File.WriteAllTextAsync(_options.CurrentValue.Kerb5ConfigFile,  _options.CurrentValue.KerberosClient.Configuration.Serialize(), _cancellationToken);
+        if (_options.CurrentValue.GenerateKrb5)
+        {
+            await File.WriteAllTextAsync(_options.CurrentValue.Kerb5ConfigFile, _options.CurrentValue.KerberosClient.Configuration.Serialize(), _cancellationToken);
+        }
     }
 
     /// <summary>
@@ -118,6 +121,11 @@ private  async Task<KeyTable> GenerateKeytab()
                 kerberosKeys.Add(key);
             }
         }
+        foreach (var (encryptionType, salt) in credentials.Salts)
+        {
+            var key = new KerberosKey(_options.CurrentValue.Password, new PrincipalName(PrincipalNameType.NT_PRINCIPAL, realm, new[] { $"{credentials.UserName}@{credentials.Domain.ToUpper()}" }), salt: salt, etype: encryptionType);
+            kerberosKeys.Add(key);
+        }
         var keyTable = new KeyTable(kerberosKeys.ToArray());
         return keyTable;
     }
diff --git a/src/KerberosSidecar/Program.cs b/src/KerberosSidecar/Program.cs
@@ -43,26 +43,45 @@
         options.Kerb5ConfigFile ??= Path.Combine(userKerbDir, "krb5.conf");
         options.KeytabFile ??= Path.Combine(userKerbDir, "krb5.keytab");
         options.CacheFile ??= Path.Combine(userKerbDir, "krb5cc");
+        options.GenerateKrb5 = options.Kerb5ConfigFile != null! ? !File.Exists(options.Kerb5ConfigFile) : true;
+        
         Directory.CreateDirectory(Path.GetDirectoryName(options.Kerb5ConfigFile)!);
         Directory.CreateDirectory(Path.GetDirectoryName(options.KeytabFile)!);
         Directory.CreateDirectory(Path.GetDirectoryName(options.CacheFile)!);
 
         // var config = File.Exists(options.Kerb5ConfigFile) ? Krb5Config.Parse(File.ReadAllText(options.Kerb5ConfigFile)) : Krb5Config.Default();
-        var config = Krb5Config.Default();
-        config.Defaults.DefaultCCacheName = options.CacheFile;
-        string realm;
-        try
+        Krb5Config config;
+        if (options.GenerateKrb5)
         {
-            realm = new KerberosPasswordCredential(options.ServiceAccount, options.Password).Domain;
-        }
-        catch (Exception)
-        {
-            return; // we're gonna handle this case during validation
+            log.LogInformation("No krb5.conf exists - generating");
+            config = Krb5Config.Default();
+            string realm;
+            try
+            {
+                realm = new KerberosPasswordCredential(options.ServiceAccount, options.Password).Domain;
+            }
+            catch (Exception)
+            {
+                return; // we're gonna handle this case during validation
+            }
+
+            options.Kdc ??= realm;
+            if (realm != null)
+            {
+                config.Defaults.DefaultRealm = realm;
+                config.Realms[realm].Kdc.Add(options.Kdc);
+                config.Realms[realm].DefaultDomain = realm.ToLower();
+                config.DomainRealm.Add(realm.ToLower(), realm.ToUpper());
+                config.DomainRealm.Add($".{realm.ToLower()}", realm.ToUpper());
+            }
+            config.Defaults.DefaultCCacheName = options.CacheFile;
+            config.Defaults.DefaultKeytabName = options.KeytabFile;
+            config.Defaults.DefaultClientKeytabName = options.KeytabFile;
         }
-        options.Kdc ??= realm;
-        if (realm != null)
+        else
         {
-            config.Realms[realm].Kdc.Add(options.Kdc);
+            log.LogInformation("Existing krb5.conf was detected");
+            config = Krb5Config.Parse(File.ReadAllText(options.Kerb5ConfigFile!));
         }
 
         var client = new KerberosClient(config, loggerFactory);
diff --git a/src/KerberosSidecar/appsettings.Development.yaml b/src/KerberosSidecar/appsettings.Development.yaml
@@ -5,6 +5,6 @@ Logging:
     Microsoft.Hosting.Lifetime: Information
 KRB_SERVICE_ACCOUNT: iwaclient@macsux.com
 KRB_PASSWORD: P@ssw0rd
-KRB_KDC: dc1.macsux.com1
+KRB_KDC: dc1.macsux.com
 Routes:
   - "http://iwaclient"

Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,7 @@ public class KerberosOptions`
`37`	`37`	`public KerberosClient KerberosClient { get; set; } = null!;`
`38`	`38`
`39`	`39`	`public bool RunOnce { get; set; }`
	`40`	`+ public bool GenerateKrb5 { get; set; }`
`40`	`41`
`41`	`42`	`public class Validator : IValidateOptions<KerberosOptions>`
`42`	`43`	`{`
Original file line number	Diff line number	Diff line change
`@@ -79,7 +79,10 @@ private async Task CreateMitKerberosKeytab()`
`79`	`79`
`80`	`80`	`private async Task CreateMitKerberosKrb5Config()`
`81`	`81`	`{`
`82`		`- await File.WriteAllTextAsync(_options.CurrentValue.Kerb5ConfigFile, _options.CurrentValue.KerberosClient.Configuration.Serialize(), _cancellationToken);`
	`82`	`+ if (_options.CurrentValue.GenerateKrb5)`
	`83`	`+ {`
	`84`	`+ await File.WriteAllTextAsync(_options.CurrentValue.Kerb5ConfigFile, _options.CurrentValue.KerberosClient.Configuration.Serialize(), _cancellationToken);`
	`85`	`+ }`
`83`	`86`	`}`
`84`	`87`
`85`	`88`	`/// <summary>`
`@@ -118,6 +121,11 @@ private async Task<KeyTable> GenerateKeytab()`
`118`	`121`	`kerberosKeys.Add(key);`
`119`	`122`	`}`
`120`	`123`	`}`
	`124`	`+ foreach (var (encryptionType, salt) in credentials.Salts)`
	`125`	`+ {`
	`126`	`+ var key = new KerberosKey(_options.CurrentValue.Password, new PrincipalName(PrincipalNameType.NT_PRINCIPAL, realm, new[] { $"{credentials.UserName}@{credentials.Domain.ToUpper()}" }), salt: salt, etype: encryptionType);`
	`127`	`+ kerberosKeys.Add(key);`
	`128`	`+ }`
`121`	`129`	`var keyTable = new KeyTable(kerberosKeys.ToArray());`
`122`	`130`	`return keyTable;`
`123`	`131`	`}`