package client
import (
"context"
"fmt"
"io"
"os/exec"
"strings"
)
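// princExists asks kadmin whether the principal called name exists.
//
// It runs `getprinc "<name>"` and classifies kadmin's combined output:
// "Principal does not exist" means no, "Expiration date: " (a line of the
// normal getprinc dump) means yes. Anything else is reported as an error
// rather than guessed at, because a silently wrong "false" would lead a
// caller to try to create a principal that may already exist.
//
// name is interpolated into a double-quoted kadmin query, so a name holding
// a double quote or a line break could change the meaning of that query;
// such names are rejected before kadmin is run.
func (c client) princExists(ctx context.Context, name string) (exists bool, err error) {
	if strings.ContainsAny(name, "\"\n\r\x00") {
		return false, fmt.Errorf("invalid principal name %q: must not contain quotes or control characters", name)
	}
	noInput := func(io.WriteCloser) error { return nil }
	out, err := c.execKrbAdmin(ctx, fmt.Sprintf("getprinc \"%s\"", name), noInput)
	if err != nil {
		return false, fmt.Errorf("getprinc %q: %w (output: %s)", name, err, out)
	}
	switch {
	case strings.Contains(out, "Principal does not exist"):
		return false, nil
	case strings.Contains(out, "Expiration date: "):
		return true, nil
	default:
		return false, fmt.Errorf("unrecognised output format: %s", out)
	}
}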
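// doCreatePrinc creates principal name with the given password by running
// `addprinc "<name>"`. The password never appears on the command line: it is
// fed to kadmin's stdin twice (kadmin's password and re-entry prompts) after
// the admin password that execKrbAdmin writes first.
//
// name must not contain a double quote or line break, since it is
// interpolated into a quoted kadmin query. password must not contain a line
// break: kadmin reads its input line by line, so an embedded newline would
// be consumed as the re-entry and the remainder fed as further input.
// Success is recognised by "created" in kadmin's output; any other output
// is an error. kadmin's output is included in errors for diagnosis
// (NOTE(review): assumes kadmin does not echo the passwords it reads from
// stdin — confirm before surfacing these errors to end users).
func (c client) doCreatePrinc(ctx context.Context, name string, password string) (err error) {
	if strings.ContainsAny(name, "\"\n\r\x00") {
		return fmt.Errorf("invalid principal name %q: must not contain quotes or control characters", name)
	}
	if strings.ContainsAny(password, "\n\r\x00") {
		return fmt.Errorf("invalid password for principal %q: must not contain line breaks", name)
	}
	feedPassword := func(w io.WriteCloser) error {
		line := append([]byte(password), '\n')
		for i := 0; i < 2; i++ {
			if _, err := w.Write(line); err != nil {
				return fmt.Errorf("writing password to kadmin stdin: %w", err)
			}
		}
		return nil
	}
	out, err := c.execKrbAdmin(ctx, fmt.Sprintf("addprinc \"%s\"", name), feedPassword)
	if err != nil {
		return fmt.Errorf("addprinc %q: %w (output: %s)", name, err, out)
	}
	if !strings.Contains(out, "created") {
		return fmt.Errorf("unrecognised output format: %s", out)
	}
	return nil
}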
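// doChangePassword sets a new password for principal name by running
// `cpw "<name>"`. The new password never appears on the command line: it is
// fed to kadmin's stdin twice (kadmin's password and re-entry prompts) after
// the admin password that execKrbAdmin writes first.
//
// name must not contain a double quote or line break, since it is
// interpolated into a quoted kadmin query. password must not contain a line
// break: kadmin reads its input line by line, so an embedded newline would
// be consumed as the re-entry and the remainder fed as further input.
// Success is recognised by "changed" in kadmin's output; any other output
// is an error. kadmin's output is included in errors for diagnosis
// (NOTE(review): assumes kadmin does not echo the passwords it reads from
// stdin — confirm before surfacing these errors to end users).
func (c client) doChangePassword(ctx context.Context, name string, password string) (err error) {
	if strings.ContainsAny(name, "\"\n\r\x00") {
		return fmt.Errorf("invalid principal name %q: must not contain quotes or control characters", name)
	}
	if strings.ContainsAny(password, "\n\r\x00") {
		return fmt.Errorf("invalid password for principal %q: must not contain line breaks", name)
	}
	feedPassword := func(w io.WriteCloser) error {
		line := append([]byte(password), '\n')
		for i := 0; i < 2; i++ {
			if _, err := w.Write(line); err != nil {
				return fmt.Errorf("writing password to kadmin stdin: %w", err)
			}
		}
		return nil
	}
	out, err := c.execKrbAdmin(ctx, fmt.Sprintf("cpw \"%s\"", name), feedPassword)
	if err != nil {
		return fmt.Errorf("cpw %q: %w (output: %s)", name, err, out)
	}
	if !strings.Contains(out, "changed") {
		return fmt.Errorf("unrecognised output format: %s", out)
	}
	return nil
}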
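// execKrbAdmin runs a single kadmin query as the configured admin principal
// and returns kadmin's combined stdout+stderr.
//
// The invocation is `kadmin -p <Username> -r <Realm> -s <KAdminServer> -q <query>`,
// built as an argv (no shell), so a shell cannot split or expand the query.
// kadmin still parses the query with its own quoting rules, so callers must
// make sure anything they interpolate into it is safe under those rules.
// The admin password is never placed on the command line (where it would be
// visible in the process table): it is written to kadmin's stdin first,
// followed by whatever writeFunc writes (e.g. a new principal password),
// after which stdin is closed.
//
// If kadmin fails to start or exits non-zero, the error is wrapped and the
// combined output captured so far is returned alongside it so callers can
// include it in their own diagnostics. A failure while feeding stdin is
// reported only if kadmin itself succeeded.
func (c client) execKrbAdmin(ctx context.Context, query string, writeFunc func(writer io.WriteCloser) error) (string, error) {
	kadm, err := exec.LookPath("kadmin")
	if err != nil {
		return "", fmt.Errorf("finding kadmin executable: %w", err)
	}
	cmd := exec.CommandContext(ctx, kadm,
		"-p", c.config.Username,
		"-r", c.config.Realm,
		"-s", c.config.KAdminServer,
		"-q", query,
	)
	stdin, err := cmd.StdinPipe()
	if err != nil {
		return "", fmt.Errorf("getting stdin pipe: %w", err)
	}
	// The feeder reports exactly once on a buffered channel, so its send can
	// never block and the receive below cannot deadlock. (An unbuffered
	// channel with a non-blocking receive would either drop the error or leak
	// the goroutine whenever kadmin exits before reading its input, e.g. on
	// an authentication failure.)
	feedErr := make(chan error, 1)
	go func() {
		defer stdin.Close()
		feedErr <- func() error {
			line := append([]byte(c.config.Password), '\n')
			if _, err := stdin.Write(line); err != nil {
				return fmt.Errorf("writing admin password to kadmin stdin: %w", err)
			}
			return writeFunc(stdin)
		}()
	}()
	// CombinedOutput waits for kadmin to exit; after that the exec package
	// closes the stdin pipe, so any pending write in the feeder fails rather
	// than blocking, and the goroutine is guaranteed to finish.
	rawOut, err := cmd.CombinedOutput()
	out := string(rawOut)
	if err != nil {
		return out, fmt.Errorf("running kadmin: %w", err)
	}
	if err := <-feedErr; err != nil {
		return out, err
	}
	return out, nil
}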