-
Notifications
You must be signed in to change notification settings - Fork 500
/
fedauth.go
81 lines (65 loc) · 3.19 KB
/
fedauth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
package mssql
import (
"context"
"errors"
"github.com/denisenkom/go-mssqldb/msdsn"
)
// Federated authentication library affects the login data structure and message sequence.
const (
// FedAuthLibraryLiveIDCompactToken specifies the Microsoft Live ID Compact Token authentication scheme
FedAuthLibraryLiveIDCompactToken = 0x00
// FedAuthLibrarySecurityToken specifies a token-based authentication where the token is available
// without additional information provided during the login sequence.
FedAuthLibrarySecurityToken = 0x01
// FedAuthLibraryADAL specifies a token-based authentication where a token is obtained during the
// login sequence using the server SPN and STS URL provided by the server during login.
FedAuthLibraryADAL = 0x02
// FedAuthLibraryReserved is used to indicate that no federated authentication scheme applies.
FedAuthLibraryReserved = 0x7F
)
// Federated authentication ADAL workflow affects the mechanism used to authenticate.
const (
// FedAuthADALWorkflowPassword uses a username/password to obtain a token from Active Directory
FedAuthADALWorkflowPassword = 0x01
// fedAuthADALWorkflowPassword uses the Windows identity to obtain a token from Active Directory
FedAuthADALWorkflowIntegrated = 0x02
// FedAuthADALWorkflowMSI uses the managed identity service to obtain a token
FedAuthADALWorkflowMSI = 0x03
// FedAuthADALWorkflowNone does not need to obtain token
FedAuthADALWorkflowNone = 0x04
)
// newSecurityTokenConnector creates a new connector from a Config and a token provider.
// When invoked, token provider implementations should contact the security token
// service specified and obtain the appropriate token, or return an error
// to indicate why a token is not available.
// The returned connector may be used with sql.OpenDB.
func NewSecurityTokenConnector(config msdsn.Config, tokenProvider func(ctx context.Context) (string, error)) (*Connector, error) {
if tokenProvider == nil {
return nil, errors.New("mssql: tokenProvider cannot be nil")
}
conn := NewConnectorConfig(config)
conn.fedAuthRequired = true
conn.fedAuthLibrary = FedAuthLibrarySecurityToken
conn.securityTokenProvider = tokenProvider
return conn, nil
}
// NewActiveDirectoryTokenConnector creates a new connector from a Config and an Active Directory token provider.
// Token provider implementations are called during federated
// authentication login sequences where the server provides a service
// principal name and security token service endpoint that should be used
// to obtain the token. Implementations should contact the security token
// service specified and obtain the appropriate token, or return an error
// to indicate why a token is not available.
//
// The returned connector may be used with sql.OpenDB.
func NewActiveDirectoryTokenConnector(config msdsn.Config, adalWorkflow byte, tokenProvider func(ctx context.Context, serverSPN, stsURL string) (string, error)) (*Connector, error) {
if tokenProvider == nil {
return nil, errors.New("mssql: tokenProvider cannot be nil")
}
conn := NewConnectorConfig(config)
conn.fedAuthRequired = true
conn.fedAuthLibrary = FedAuthLibraryADAL
conn.fedAuthADALWorkflow = adalWorkflow
conn.adalTokenProvider = tokenProvider
return conn, nil
}