win32-sspi 0.0.1.rc1-x86-mingw32

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 94ed63fe1f2bf199120cb6e027ad643db0512179
+  data.tar.gz: 64236f4dd2ae87f6fb9f56510cf9eef7a09281a7
+SHA512:
+  metadata.gz: f47abf6eeec115b0e30fc2881b1493d106ed406b5795f49971531f1566c20e543317d2698c572d38ad51ef772437958ef596bda8341ceab2e3ba31139485d4c5
+  data.tar.gz: f1c4cbbcc6bf624cec854aeecf8294f1baa3b5e82ae66969cf103bfd92404ee0cec86c5c0c26a313cc8a744b069a0cb9e3dd1ff68172e4f3909f05ad2a8fc68a

data/License.txt

@@ -0,0 +1,8 @@
+MIT License
+Copyright (c) 2015 Gary Sick
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,31 @@
+This project is a fork of djbergers win32-sspi project which
+provided the beginnings of a an FFI implementation of SSPI
+on Windows. This project adds support for Kerberos through the
+SPNEGO/Negotiate protocol.
+
+The examples directory has working examples to illustrate
+usage. The sspi_negotiate_*.rb files are client/server
+examples of using Kerberos through SPNEGO/Negotiate protocol.
+In order to be used successfully across multiple systems
+in your domain you must define a Service Principal Name (SPN)
+associated with the user account under which the server is
+running unless the server is running as a Windows Service
+under the LocalSystem account. To establish a SPN use the
+setspn command as follows from a elevated privilege command
+window:
+
+```
+  setspn -S HTTP/fqdn-of-your-host USERDOMAIN\USERNAME
+```
+The SPN you establish must be passed to the Client constructor
+with the spn option in order to succesfully connect and
+authenticate with the server.
+
+The negotiate client/server implementations are also capable
+of supporting the NTLM protocol. To do so specify the auth_type
+option as 'NTLM' on the construction of the client. The user name
+and user domain will be taken from the environment and will use
+the current logged in users security context to authenticate with
+the server. Otherwise passing the options username, domain, password
+to the client constructor will establish a different security
+context for the given username to authenticate against.

data/Rakefile

@@ -0,0 +1,49 @@
+require 'rake'
+require 'rake/clean'
+require 'rake/testtask'
+require 'rubygems'
+require 'rubygems/package'
+
+CLEAN.include('**/*.gem')
+
+namespace :gem do
+  desc "Create the win32-sspi gem"
+  task :create => [:clean] do
+    spec = eval(IO.read('win32-sspi.gemspec'))
+    Gem::Package.build(spec)
+  end
+
+  desc "Install the win32-sspi gem"
+  task :install => [:create] do
+    file = Dir["*.gem"].first
+    sh "gem install #{file} -l --no-document"
+  end
+end
+
+namespace :test do
+  Rake::TestTask.new(:struct) do |t|
+    t.test_files = FileList['test/test_win32_sspi_structure_creates.rb']
+    t.warning = true
+    t.verbose = true
+  end
+
+  Rake::TestTask.new(:client) do |t|
+    t.test_files = FileList['test/test_win32_sspi_negotiate_client.rb']
+    t.warning = true
+    t.verbose = true
+  end
+
+  Rake::TestTask.new(:server) do |t|
+    t.test_files = FileList['test/test_win32_sspi_negotiate_server.rb']
+    t.warning = true
+    t.verbose = true
+  end
+
+  Rake::TestTask.new(:all) do |t|
+    t.test_files = FileList['test/test_win32*']
+    t.warning = true
+    t.verbose = true
+  end
+end
+
+task :default => 'test:all'

data/examples/sspi_negotiate_client.rb

@@ -0,0 +1,42 @@
+require 'pp'
+require 'net/http'
+unless ENV['WIN32_SSPI_TEST']
+  require 'win32-sspi'
+  require 'negotiate/client'
+else
+  require 'win32/sspi/negotiate/client'
+  puts "!!!! running with test environment !!!"
+end
+
+class RubySSPIClient
+  def self.run(url,auth_type)
+    uri = URI.parse(url)
+    client = (Win32::SSPI::API::Common::AUTH_TYPE_NEGOTIATE == auth_type) ? 
+      Win32::SSPI::Negotiate::Client.new(spn:"HTTP/#{uri.host}") : 
+      Win32::SSPI::Negotiate::Client.new(auth_type:auth_type)
+    
+    Net::HTTP.start(uri.host, uri.port) do |http|
+      resp = nil
+      client.http_authenticate do |header|
+        req = Net::HTTP::Get.new(uri.path)
+        req['Authorization'] = header
+        resp = http.request(req)
+        resp['www-authenticate']
+      end
+      
+      puts resp.body if resp.body
+    end
+  end
+end
+
+if __FILE__ == $0
+  if ARGV.length < 1
+    puts "usage: ruby sspi_negotiate_client.rb url [auth_type (Negotiate|NTLM default=Negotiate)]"
+    puts "where: url = http://hostname:port/path"
+    exit(0)
+  end
+
+  url = ARGV[0]
+  auth_type = (2 == ARGV.length) ? ARGV[1] : Win32::SSPI::API::Common::AUTH_TYPE_NEGOTIATE
+  RubySSPIClient.run(url,auth_type)
+end

data/examples/sspi_negotiate_server.rb

@@ -0,0 +1,99 @@
+# Attempting to setup an example authenticating server
+require 'webrick'
+unless ENV['WIN32_SSPI_TEST']
+  require 'win32-sspi'
+  require 'negotiate/server'
+else
+  require 'win32/sspi/negotiate/server'
+  puts "!!!! running with test environment !!!"
+end
+
+# A way to store state across multiple requests
+class StateStore
+  def self.state
+    @state ||= Hash.new
+  end
+  
+  def self.store_state(key,value)
+    state[key] = value
+  end
+  
+  def self.retrieve_state(key)
+    state[key]
+  end
+  
+  def self.clear_state
+    state.clear
+  end
+  
+  def self.retrieve_server(auth_type=Win32::SSPI::API::Common::AUTH_TYPE_NEGOTIATE)
+    state[:server] ||= Win32::SSPI::Negotiate::Server.new(auth_type: auth_type)
+    state[:server]
+  end
+end
+
+
+class RubySSPIServlet < WEBrick::HTTPServlet::AbstractServlet
+  def initialize(server,auth_type)
+    super server
+    @auth_type = auth_type
+  end
+  
+  def do_GET(req,resp)
+    if req['Authorization'].nil? || req['Authorization'].empty?
+      resp['www-authenticate'] = @auth_type
+      resp.status = 401
+      return
+    end
+
+    authenticated = false
+
+    begin
+      sspi_server = StateStore.retrieve_server(@auth_type)
+      authenticated = sspi_server.http_authenticate(req['Authorization']) do |header,complete|
+        resp['www-authenticate'] = header if header
+        if complete
+          resp.status = 200
+          resp['Remote-User'] = sspi_server.username
+          resp['Remote-User-Domain'] = sspi_server.domain
+          resp['Content-Type'] = "text/plain"
+          resp.body = "#{Time.now}: Hello #{sspi_server.username} at #{sspi_server.domain}"
+        else
+          resp.status = 401
+        end
+      end
+    rescue SecurityStatusError => e
+      sspi_server.free_handles
+      StateStore.clear_state
+      
+      resp.status = 401
+      resp['www-authenticate'] = @auth_type
+      resp['Content-Type'] = "text/plain"
+      resp.body = e.message
+      puts "*** server encountered the following error ***\n #{e.message}"
+      return
+    end
+    
+    StateStore.clear_state if authenticated
+  end
+
+  def self.run(url,auth_type)
+    uri = URI.parse(url)
+    s = WEBrick::HTTPServer.new( :Binding=>uri.host, :Port=>uri.port)
+    s.mount(uri.path, RubySSPIServlet, auth_type)
+    trap("INT") { s.shutdown }
+    s.start
+  end
+end
+
+if $0 == __FILE__
+  if ARGV.length < 1
+    puts "usage: ruby sspi_negotiate_server.rb url [auth_type (Negotiate|NTLM default=Negotiate)]"
+    puts "where: url = http://hostname:port/path"
+    exit(0)
+  end
+
+  url = ARGV[0]
+  auth_type = (2 == ARGV.length) ? ARGV[1] : Win32::SSPI::API::Common::AUTH_TYPE_NEGOTIATE
+  RubySSPIServlet.run(url,auth_type)
+end

data/lib/win32-sspi.rb

@@ -0,0 +1,2 @@
+module Win32
+end

data/lib/win32/sspi/api/client.rb

@@ -0,0 +1,17 @@
+require_relative 'common'
+
+module Win32
+  module SSPI
+    module API
+      module Client
+        include Common
+
+        def initialize_security_context(ph_credential,ph_context,psz_targetname,f_contextreq,reserved1,targetdatarep,p_input,reserved2,ph_newcontext,p_output,pf_contextattr,pts_expiry)
+          status = InitializeSecurityContext(ph_credential,ph_context,psz_targetname,f_contextreq,reserved1,targetdatarep,p_input,reserved2,ph_newcontext,p_output,pf_contextattr,pts_expiry)
+          return status
+        end
+
+      end
+    end
+  end
+end

data/lib/win32/sspi/api/common.rb

@@ -0,0 +1,133 @@
+require 'base64'
+require_relative '../windows/constants'
+require_relative '../windows/structs'
+require_relative '../windows/functions'
+
+module Win32
+  module SSPI
+    module API
+      module Common
+        include Windows::Constants
+        include Windows::Structs
+        include Windows::Functions
+        
+        AUTH_TYPE_NEGOTIATE = 'Negotiate'
+        AUTH_TYPE_NTLM = 'NTLM'
+        
+        def create_sec_winnt_auth_identity(username,domain,password)
+          auth_struct = SEC_WINNT_AUTH_IDENTITY.new
+          auth_struct[:Flags] = SEC_WINNT_AUTH_IDENTITY_ANSI
+
+          if username
+            auth_struct[:User] = FFI::MemoryPointer.from_string(username.dup)
+            auth_struct[:UserLength] = username.size
+          end
+
+          if domain
+            auth_struct[:Domain] = FFI::MemoryPointer.from_string(domain.dup)
+            auth_struct[:DomainLength] = domain.size
+          end
+
+          if password
+            auth_struct[:Password] = FFI::MemoryPointer.from_string(password.dup)
+            auth_struct[:PasswordLength] = password.size
+          end
+          
+          auth_struct
+        end
+
+        def create_credhandle(lower=nil,upper=nil)
+          result = CredHandle.new
+          
+          if lower && upper
+            result.marshal_load([lower,upper])
+          end
+          
+          result
+        end
+        
+        def create_ctxhandle(lower=nil,upper=nil)
+          result = CtxtHandle.new
+          
+          if lower && upper
+            result.marshal_load([lower,upper])
+          end
+          
+          result
+        end
+        
+        def create_timestamp(low=nil,high=nil)
+          ts = TimeStamp.new
+          if low && high
+            ts[:dwLowDateTime] = low
+            ts[:dwHighDateTime] = high
+          end
+          ts
+        end
+        
+        def create_secbuffer(content=nil)
+          SecBuffer.new.init(content)
+        end
+        
+        def create_secbufferdesc(sec_buffer=nil)
+          SecBufferDesc.new.init(sec_buffer)
+        end
+        
+        def create_secpkg_context_names(name=nil)
+          result = SecPkgContext_Names.new
+          if name
+            result[:sUserName] = FFI::MemoryPointer.from_string(name.dup)
+          end
+          result
+        end
+        
+        def construct_http_header(auth_type, token)
+          b64_token = token.nil? ? nil : Base64.strict_encode64(token)
+          b64_token.nil? ? "#{auth_type}" : "#{auth_type} #{b64_token}"
+        end
+        
+        def de_construct_http_header(header)
+          auth_type, b64_token = header.split(' ')
+          token = b64_token.nil? ? nil : Base64.strict_decode64(b64_token)
+          [auth_type, token]
+        end
+        
+        def acquire_credentials_handle(psz_principal,psz_package,f_credentialuse,pv_logonid,p_authdata,p_getkeyfn,pv_getkeyarg,ph_credential,pts_expiry)
+          status = AcquireCredentialsHandle(psz_principal,psz_package,f_credentialuse,pv_logonid,p_authdata,p_getkeyfn,pv_getkeyarg,ph_credential,pts_expiry)
+          return status
+        end
+        
+        def query_context_attributes(ph_context,ul_attribute,p_buffer)
+          status = QueryContextAttributes(ph_context, ul_attribute, p_buffer)
+          return status
+        end
+        
+        def delete_security_context(ph_context)
+          status = DeleteSecurityContext(ph_context)
+          return status
+        end
+        
+        def free_credentials_handle(ph_credential)
+          status = FreeCredentialsHandle(ph_credential)
+          return status
+        end
+        
+        def free_context_and_credentials(context,credentials)
+          result = {name:'', status:SEC_E_OK, dsc_status:SEC_E_OK, fch_status:SEC_E_OK}
+          status = delete_security_context(context)
+          if SEC_E_OK != status
+            result[:name], result[:status], result[:dsc_status] = ["DeleteSecurityContext", status, status]
+          end
+          
+          status = free_credentials_handle(credentials)
+          if SEC_E_OK != status
+            result[:name], result[:status], result[:fch_status] = ["FreeCredentialsHandle", status, status]
+          end
+
+          return result
+        end
+        
+      end
+    end
+  end
+end

data/lib/win32/sspi/api/server.rb

@@ -0,0 +1,32 @@
+require_relative 'common'
+
+module Win32
+  module SSPI
+    module API
+      module Server
+        include Common
+        
+        def accept_security_context(ph_credential,ph_context,p_input,f_contextreq,targetdatarep,ph_newcontext,p_output,pf_contextattr,pts_timestamp)
+          status = AcceptSecurityContext(ph_credential,ph_context,p_input,f_contextreq,targetdatarep,ph_newcontext,p_output,pf_contextattr,pts_timestamp)
+          return status
+        end
+        
+        def complete_auth_token(ph_context,p_token)
+          status = CompleteAuthToken(ph_context,p_token)
+          return status
+        end
+        
+        def enumerate_security_packages(pc_packages,pp_packageinfo)
+          status = EnumerateSecurityPackages(pc_packages,pp_packageinfo)
+          return status
+        end
+        
+        def free_context_buffer(pv_contextbuffer)
+          status = FreeContextBuffer(pv_contextbuffer)
+          return status
+        end
+      end
+    end
+  end
+end
+

data/lib/win32/sspi/negotiate/client.rb

@@ -0,0 +1,159 @@
+require_relative '../windows/constants'
+require_relative '../windows/misc'
+require_relative '../api/client'
+
+module Win32
+  module SSPI
+    module Negotiate
+      class Client
+        include Windows::Constants
+        include API::Client
+      
+        attr_reader :spn
+        attr_reader :auth_type
+        attr_reader :token
+      
+        def initialize(options={})
+          @spn = options[:spn]
+          @auth_type = options[:auth_type] || AUTH_TYPE_NEGOTIATE
+          @token = nil
+          @credentials_handle = nil
+          @context_handle = nil
+          @username = options[:username]
+          @domain = options[:domain]
+          @password = options[:password]
+        end
+        
+        def http_authenticate(&block)
+          perform_authenticate(block)
+        end
+        
+        def authenticate(&block)
+          perform_authenticate(block,false)
+        end
+        
+        def perform_authenticate(block,with_http_header=true)
+          status = acquire_handle
+          if SEC_E_OK == status
+            begin
+              status = initialize_context(self.token)
+              if SEC_I_CONTINUE_NEEDED == status
+                token_from_block_result(block.call(block_arg_from_token(with_http_header)),with_http_header)
+              end
+            end while( SEC_I_CONTINUE_NEEDED == status )
+            
+            # if using NTLM protocol we need to complete the final leg of the authentication
+            if AUTH_TYPE_NTLM == self.auth_type && SEC_E_OK == status
+              block.call(block_arg_from_token(with_http_header))
+            end
+            
+            if SEC_E_OK == status
+              free_handles
+            end
+          end
+        end
+        
+        def block_arg_from_token(with_http_header)
+          with_http_header ? construct_http_header(self.auth_type,self.token) : self.token
+        end
+        
+        def token_from_block_result(block_result,with_http_header)
+          if block_result
+            if with_http_header
+              @auth_type, @token = de_construct_http_header(block_result)
+            else
+              @token = block_result
+            end
+          end
+        end
+        
+        def acquire_handle
+          return SEC_E_OK if @credentials_handle
+          
+          auth_data = nil
+          if AUTH_TYPE_NTLM == @auth_type
+            @username ||= ENV['USERNAME']
+            @domain ||= ENV['USERDOMAIN']
+            auth_data = create_sec_winnt_auth_identity(@username,@domain,@password)
+          end
+          
+          @credentials_handle = create_credhandle
+          expiry = create_timestamp
+        
+          status = acquire_credentials_handle(
+            @spn,
+            @auth_type,
+            SECPKG_CRED_OUTBOUND,
+            nil,
+            auth_data,
+            nil,
+            nil,
+            @credentials_handle,
+            expiry
+          )
+
+          if SEC_E_OK != status
+            @credentials_handle = nil
+            raise SecurityStatusError.new('AcquireCredentialsHandle', status, FFI.errno)
+          end
+          
+          status
+        end
+      
+        def initialize_context(token=nil)
+          return SEC_E_OK if token.nil? && @context_handle
+          
+          ctx = @context_handle
+          @context_handle ||= create_ctxhandle
+          context_attributes = FFI::MemoryPointer.new(:ulong)
+
+          rflags = ISC_REQ_CONFIDENTIALITY | ISC_REQ_REPLAY_DETECT | ISC_REQ_CONNECTION
+          expiry = create_timestamp
+
+          if token
+            input_buffer   = create_secbuffer(token)
+            input_buffer_desc  = create_secbufferdesc(input_buffer)
+          end
+
+          output_buffer = create_secbuffer
+          output_buffer_desc  = create_secbufferdesc(output_buffer)
+        
+          status = initialize_security_context(
+            @credentials_handle,
+            ctx,
+            @spn,
+            rflags,
+            0,
+            SECURITY_NETWORK_DREP,
+            (token ? input_buffer_desc : nil),
+            0,
+            @context_handle,
+            output_buffer_desc,
+            context_attributes,
+            expiry
+          )
+
+          a_success = [SEC_E_OK, SEC_I_CONTINUE_NEEDED]
+          if a_success.include?(status)
+            @token = output_buffer.to_ruby_s
+          else
+            raise SecurityStatusError.new('InitializeSecurityContext', status, FFI.errno)
+          end
+
+          status
+        end
+        
+        def free_handles
+          result = free_context_and_credentials(@context_handle, @credentials_handle)
+          @context_handle, @credentials_handle = [nil,nil]
+          
+          if SEC_E_OK != result[:status]
+            raise SecurityStatusError.new(result[:name], result[:status], FFI.errno)
+          end
+          
+          result[:status]
+        end
+      end
+    end
+  end
+end