pulled-latest-mit-kerb-plus-main

cx-hitesh-madgulkar · cx-hitesh-madgulkar · commit eca87d5d11ce · 2025-10-03T18:25:58.000+05:30
diff --git a/internal/params/flags.go b/internal/params/flags.go
@@ -67,7 +67,7 @@ const (
 	IgnoreProxyFlag                = "ignore-proxy"
 	IgnoreProxyFlagUsage           = "Ignore proxy configuration"
 	ProxyTypeFlag                  = "proxy-auth-type"
-	ProxyTypeFlagUsage             = "Proxy authentication type, (basic, ntlm, kerberos, or kerberos-native)"
+	ProxyTypeFlagUsage             = "Proxy authentication type (supported types: basic, ntlm, kerberos or kerberos-native)"
 	TimeoutFlag                    = "timeout"
 	TimeoutFlagUsage               = "Timeout for network activity, (default 5 seconds)"
 	NtlmProxyDomainFlag            = "proxy-ntlm-domain"
@@ -80,8 +80,8 @@ const (
 	SastRecommendedExclusionsFlags = "sast-recommended-exclusions"
 	NtlmProxyDomainFlagUsage       = "Window domain when using NTLM proxy"
 	KerberosProxySPNFlagUsage      = "Service Principal Name (SPN) for Kerberos proxy authentication"
-	KerberosKrb5ConfFlagUsage      = "Path to krb5.conf file for Kerberos (default: /etc/krb5.conf)"
-	KerberosCcacheFlagUsage        = "Path to Kerberos credential cache (optional, uses KRB5CCNAME env or default)"
+	KerberosKrb5ConfFlagUsage      = "Path to Kerberos configuration file(default: /etc/krb5.conf on linux and C:\\Windows\\krb5.ini on windows)"
+	KerberosCcacheFlagUsage        = "Path to Kerberos credential cache (optional, default uses KRB5CCNAME env or OS default)"
 	BaseURIFlagUsage               = "The base system URI"
 	BaseAuthURIFlag                = "base-auth-uri"
 	BaseAuthURIFlagUsage           = "The base system IAM URI"
diff --git a/internal/wrappers/client.go b/internal/wrappers/client.go
@@ -12,7 +12,6 @@ import (
 	"net/http/httptrace"
 	"net/url"
 	"os"
-	"os/exec"
 	"runtime"
 	"strings"
 	"sync"
@@ -48,6 +47,7 @@ const (
 	contentTypeHeader       = "Content-Type"
 	formURLContentType      = "application/x-www-form-urlencoded"
 	jsonContentType         = "application/json"
+	defaultDialerDuration   = 30 * time.Second
 )
 
 var (
@@ -191,8 +191,8 @@ func basicProxyClient(timeout uint, proxyStr string) *http.Client {
 
 func ntmlProxyClient(timeout uint, proxyStr string) *http.Client {
 	dialer := &net.Dialer{
-		Timeout:   30 * time.Second,
-		KeepAlive: 30 * time.Second,
+		Timeout:   defaultDialerDuration,
+		KeepAlive: defaultDialerDuration,
 	}
 	u, _ := url.Parse(proxyStr)
 	domainStr := viper.GetString(commonParams.ProxyDomainKey)
@@ -211,8 +211,8 @@ func ntmlProxyClient(timeout uint, proxyStr string) *http.Client {
 
 func kerberosProxyClient(timeout uint, proxyStr string) *http.Client {
 	dialer := &net.Dialer{
-		Timeout:   30 * time.Second,
-		KeepAlive: 30 * time.Second,
+		Timeout:   defaultDialerDuration,
+		KeepAlive: defaultDialerDuration,
 	}
 	u, _ := url.Parse(proxyStr)
 
@@ -221,65 +221,45 @@ func kerberosProxyClient(timeout uint, proxyStr string) *http.Client {
 
 	// Validate required SPN parameter
 	if proxySPN == "" {
-		logger.PrintIfVerbose("ERROR: Kerberos SPN is required for Kerberos proxy authentication.")
-		fmt.Printf("Error: Kerberos SPN is required for --proxy-auth-type kerberos\n")
-		fmt.Printf("Please provide: --proxy-kerberos-spn 'HTTP/proxy.example.com'\n")
-		fmt.Printf("Or set environment variable: CX_PROXY_KERBEROS_SPN=HTTP/proxy.example.com\n")
-		os.Exit(1)
+		logger.PrintIfVerbose("Error: Kerberos SPN is required for Kerberos proxy authentication.")
+		logger.Print("Error: Kerberos SPN is required for Kerberos proxy authentication.")
+		logger.PrintIfVerbose("Please provide SPN using: --proxy-kerberos-spn 'HTTP/proxy.example.com' or set CX_PROXY_KERBEROS_SPN environment variable")
+
+		os.Exit(0)
 	}
 
 	// Use gokrb5 for all platforms (standard Kerberos)
 	return kerberosGokrb5ProxyClient(timeout, proxyStr, u, dialer, proxySPN)
 }
 
-// isWindowsKerberosAvailable checks if Windows has Kerberos available (simple check)
-func isWindowsKerberosAvailable() bool {
-	if runtime.GOOS != "windows" {
-		return false
-	}
-
-	// Simple check: can we run klist?
-	cmd := exec.Command("klist")
-	err := cmd.Run()
-	return err == nil
-}
-
 // kerberosNativeProxyClient creates an HTTP client using Windows native Kerberos (SSPI)
 func kerberosNativeProxyClient(timeout uint, proxyStr string) *http.Client {
-	// IMMEDIATE platform validation - fail fast with clear message
 	if runtime.GOOS != "windows" {
-		logger.PrintIfVerbose("ERROR: --proxy-auth-type kerberos-native is only supported on Windows")
-		fmt.Printf("Error: --proxy-auth-type kerberos-native is only supported on Windows.\n")
-		fmt.Printf("Current platform: %s\n", runtime.GOOS)
-		fmt.Printf("Use --proxy-auth-type kerberos for cross-platform MIT Kerberos support.\n")
-		os.Exit(1)
+		logger.PrintIfVerbose("Error: --proxy-auth-type kerberos-native is only supported on Windows")
+		logger.Print("Error: --proxy-auth-type kerberos-native is only supported on Windows")
+
+		os.Exit(0)
 	}
 
 	dialer := &net.Dialer{
-		Timeout:   30 * time.Second,
-		KeepAlive: 30 * time.Second,
+		Timeout:   defaultDialerDuration,
+		KeepAlive: defaultDialerDuration,
 	}
 	u, _ := url.Parse(proxyStr)
 
 	// Get Kerberos configuration
 	proxySPN := viper.GetString(commonParams.ProxyKerberosSPNKey)
 	if proxySPN == "" {
-		logger.PrintIfVerbose("ERROR: Kerberos SPN is required for Windows native authentication")
-		fmt.Println("Error: Kerberos SPN is required. Use --proxy-kerberos-spn flag")
-		fmt.Println("Example: --proxy-kerberos-spn 'HTTP/proxy.example.com'")
-		os.Exit(1)
+		logger.PrintIfVerbose("ERROR: Kerberos SPN is required for windows native kerberos authentication")
+		logger.Print("Error: Kerberos SPN is required for windows native kerberos authentication")
+		os.Exit(0)
 	}
 
 	// Validate SSPI setup
 	if err := kerberos.ValidateSSPISetup(proxySPN); err != nil {
-		logger.PrintIfVerbose("ERROR: Windows SSPI validation failed: " + err.Error())
-		fmt.Printf("Error: Windows native Kerberos setup failed: %v\n", err)
-		fmt.Printf("\nTroubleshooting:\n")
-		fmt.Printf("1. Ensure you are logged into a Windows domain\n")
-		fmt.Printf("2. Check if Kerberos tickets exist: run 'klist'\n")
-		fmt.Printf("3. Verify the SPN is correct: --proxy-kerberos-spn 'HTTP/proxy.example.com'\n")
-		fmt.Printf("4. Alternative: Use --proxy-auth-type kerberos for MIT Kerberos\n")
-		os.Exit(1)
+		logger.PrintIfVerbose("Error: Failed to generate a token for the specified SPN." + err.Error())
+		logger.Print("Error: Failed to generate a token for the specified SPN.")
+		os.Exit(0)
 	}
 
 	logger.PrintIfVerbose("Creating HTTP client using Windows native Kerberos (SSPI)")
@@ -303,18 +283,19 @@ func kerberosGokrb5ProxyClient(timeout uint, proxyStr string, u *url.URL, dialer
 	if krb5ConfPath == "" {
 		krb5ConfPath = kerberos.GetDefaultKrb5ConfPath()
 	}
+
 	ccachePath := viper.GetString(commonParams.ProxyKerberosCcacheKey)
 
 	// Early validation: Check gokrb5 Kerberos setup before creating client
 	if err := kerberos.ValidateKerberosSetup(krb5ConfPath, ccachePath, proxySPN); err != nil {
-		logger.PrintIfVerbose("Error: gokrb5 Kerberos proxy authentication setup failed: " + err.Error())
-		fmt.Println(fmt.Sprintf("Error: gokrb5 Kerberos proxy authentication setup failed: %v", err.Error()))
+		logger.PrintIfVerbose("Error: Kerberos proxy authentication setup failed: " + err.Error())
+		logger.Printf("Error: %v", err.Error())
 		os.Exit(0)
 	}
 
-	logger.PrintIfVerbose("Creating HTTP client using gokrb5 Kerberos Proxy using: " + proxyStr)
-	logger.PrintIfVerbose("gokrb5 Kerberos SPN: " + proxySPN)
-	logger.PrintIfVerbose("gokrb5 Kerberos krb5.conf: " + krb5ConfPath)
+	logger.PrintIfVerbose("Creating HTTP client using Kerberos Proxy using: " + proxyStr)
+	logger.PrintIfVerbose("Kerberos SPN: " + proxySPN)
+	logger.PrintIfVerbose("Kerberos krb5 configuration file: " + krb5ConfPath)
 
 	kerberosConfig := kerberos.KerberosConfig{
 		ProxySPN:     proxySPN,
@@ -797,6 +778,11 @@ func request(client *http.Client, req *http.Request, responseBody bool) (*http.R
 		Domains = AppendIfNotExists(Domains, req.URL.Host)
 		if err != nil {
 			logger.PrintIfVerbose(err.Error())
+			// Check if this is a non-retryable error (e.g., wrong Kerberos SPN)
+			if kerberos.IsNonRetryable(err) {
+				logger.PrintIfVerbose("Non-retryable error detected, skipping retries")
+				return nil, err
+			}
 		}
 		if resp != nil && err == nil {
 			if hasRedirectStatusCode(resp) {
diff --git a/internal/wrappers/kerberos/proxy-kerberos.go b/internal/wrappers/kerberos/proxy-kerberos.go
@@ -20,6 +20,26 @@ import (
 	"github.com/pkg/errors"
 )
 
+const (
+	osWindows   = "windows"
+	httpsScheme = "https"
+)
+
+// NonRetryableError represents an error that should not trigger HTTP request retries
+type NonRetryableError struct {
+	Message string
+}
+
+func (e *NonRetryableError) Error() string {
+	return e.Message
+}
+
+// IsNonRetryable returns true if the error should not trigger retries
+func IsNonRetryable(err error) bool {
+	_, ok := err.(*NonRetryableError)
+	return ok
+}
+
 // Gokrb5DialContext is the DialContext function that should be wrapped with a
 // Kerberos Authentication using gokrb5.
 type Gokrb5DialContext func(ctx context.Context, network, addr string) (net.Conn, error)
@@ -41,7 +61,7 @@ func NewKerberosProxyDialContext(dialer *net.Dialer, proxyURL *url.URL,
 	}
 	return func(ctx context.Context, network, addr string) (net.Conn, error) {
 		dialProxy := func() (net.Conn, error) {
-			if proxyURL.Scheme == "https" {
+			if proxyURL.Scheme == httpsScheme {
 				return tls.DialWithDialer(dialer, "tcp", proxyURL.Host, tlsConfig)
 			}
 			return dialer.DialContext(ctx, network, proxyURL.Host)
@@ -51,12 +71,6 @@ func NewKerberosProxyDialContext(dialer *net.Dialer, proxyURL *url.URL,
 }
 
 func dialAndNegotiate(addr string, kerberosConfig KerberosConfig, baseDial func() (net.Conn, error)) (net.Conn, error) {
-	// Validate required SPN parameter early
-	if kerberosConfig.ProxySPN == "" {
-		log.Printf("Kerberos SPN is required but not provided")
-		return nil, errors.New("Kerberos SPN is required. Use --proxy-kerberos-spn flag or CX_PROXY_KERBEROS_SPN env var")
-	}
-
 	conn, err := baseDial()
 	if err != nil {
 		log.Printf("Could not call dial context with proxy: %s", err)
@@ -65,36 +79,16 @@ func dialAndNegotiate(addr string, kerberosConfig KerberosConfig, baseDial func(
 
 	// Use default krb5.conf path if not specified
 	krb5ConfPath := kerberosConfig.Krb5ConfPath
-	if krb5ConfPath == "" {
-		krb5ConfPath = GetDefaultKrb5ConfPath()
-	}
-
-	// Check if krb5.conf exists before trying to load it
-	if _, err := os.Stat(krb5ConfPath); os.IsNotExist(err) {
-		log.Printf("Kerberos configuration file not found at %s", krb5ConfPath)
-		return conn, errors.New("Kerberos configuration file not found. Please ensure krb5.conf is properly configured")
-	}
 
 	// Load krb5.conf
 	krb5cfg, err := config.Load(krb5ConfPath)
 	if err != nil {
-		log.Printf("Failed to load krb5.conf from %s: %s", krb5ConfPath, err)
-		return conn, errors.New("failed to load Kerberos configuration. Please check the krb5.conf file")
+		log.Printf("Failed to load krb5 configuration file from %s: %s", krb5ConfPath, err)
+		return conn, errors.New("failed to load Kerberos configuration. Please check the krb5 configuration file")
 	}
 
 	// Load credential cache
 	ccPath := kerberosConfig.CcachePath
-	if ccPath == "" {
-		ccPath = getDefaultCCachePath()
-	}
-
-	// Check if credential cache exists before trying to load it
-	if ccPath != "" {
-		if _, err := os.Stat(ccPath); os.IsNotExist(err) {
-			log.Printf("Kerberos credential cache not found at %s", ccPath)
-			return conn, errors.New("Kerberos credential cache not found. Please run 'kinit' to obtain Kerberos tickets first")
-		}
-	}
 
 	cc, err := credentials.LoadCCache(ccPath)
 	if err != nil {
@@ -122,7 +116,7 @@ func dialAndNegotiate(addr string, kerberosConfig KerberosConfig, baseDial func(
 	// Build SPNEGO token for the proxy SPN
 	if err := spnego.SetSPNEGOHeader(krbClient, connect, kerberosConfig.ProxySPN); err != nil {
 		log.Printf("Failed to generate SPNEGO token for SPN '%s': %s", kerberosConfig.ProxySPN, err)
-		return conn, errors.New("failed to generate SPNEGO token. Please check if the SPN is correct")
+		return conn, &NonRetryableError{Message: "failed to generate SPNEGO token. Please check if the SPN is correct"}
 	}
 
 	// spnego.SetSPNEGOHeader sets Authorization: Negotiate <token>
@@ -160,7 +154,7 @@ func dialAndNegotiate(addr string, kerberosConfig KerberosConfig, baseDial func(
 				log.Printf("Proxy-Authenticate: %s", v)
 			}
 			_ = resp.Body.Close()
-			return conn, errors.New("proxy authentication failed. Check SPN and proxy keytab/KDC configuration")
+			return conn, &NonRetryableError{Message: "proxy authentication failed. Check SPN and proxy keytab/KDC configuration"}
 		}
 		_ = resp.Body.Close()
 		return conn, errors.New(http.StatusText(resp.StatusCode))
@@ -176,25 +170,19 @@ func dialAndNegotiate(addr string, kerberosConfig KerberosConfig, baseDial func(
 // This function performs all the same checks as dialAndNegotiate but without actually
 // making network connections, allowing early detection of configuration problems
 func ValidateKerberosSetup(krb5ConfPath, ccachePath, proxySPN string) error {
-	// Validate SPN
-	if proxySPN == "" {
-		return errors.New("Kerberos SPN is required. Use --proxy-kerberos-spn flag or CX_PROXY_KERBEROS_SPN env var")
-	}
-
-	// Use default krb5.conf path if not specified
 	if krb5ConfPath == "" {
-		krb5ConfPath = GetDefaultKrb5ConfPath()
+		krb5ConfPath = GetDefaultKrb5ConfPath() // Use default krb5.conf path if not specified
 	}
 
 	// Check if krb5.conf exists
 	if _, err := os.Stat(krb5ConfPath); os.IsNotExist(err) {
-		return errors.New("Kerberos configuration file not found. Please ensure krb5.conf is properly configured")
+		return errors.New("Kerberos proxy authentication setup failed because no valid Kerberos config file was found. Please ensure that a properly configured krb5.conf/krb5.ini file is available at the specified location.")
 	}
 
 	// Load krb5.conf to validate it's readable
-	_, err := config.Load(krb5ConfPath)
+	krb5cfg, err := config.Load(krb5ConfPath)
 	if err != nil {
-		return errors.New("failed to load Kerberos configuration. Please check the krb5.conf file")
+		return errors.New("Kerberos proxy authentication setup failed because no valid Kerberos config file was found. Please ensure that a properly configured krb5.conf/krb5.ini file is available at the specified location.")
 	}
 
 	// Get default credential cache path if not specified
@@ -205,25 +193,19 @@ func ValidateKerberosSetup(krb5ConfPath, ccachePath, proxySPN string) error {
 	// Check if credential cache exists
 	if ccachePath != "" {
 		if _, err := os.Stat(ccachePath); os.IsNotExist(err) {
-			return errors.New("Kerberos credential cache not found. Please run 'kinit' to obtain Kerberos tickets first")
+			return errors.New("Kerberos proxy authentication setup failed because no Kerberos credential cache was found. Make sure to run 'kinit' to populate the cache before running this command.")
 		}
 	}
 
 	// Try to load credential cache to validate it's usable
 	cc, err := credentials.LoadCCache(ccachePath)
 	if err != nil {
-		return errors.New("failed to load Kerberos credential cache. Please run 'kinit' to obtain valid Kerberos tickets")
-	}
-
-	// Try to create Kerberos client to validate tickets are valid
-	krb5cfg, err := config.Load(krb5ConfPath)
-	if err != nil {
-		return errors.New("failed to reload Kerberos configuration")
+		return errors.New("Kerberos proxy authentication setup failed because no Kerberos credential cache was found. Make sure to run 'kinit' to populate the cache before running this command.")
 	}
 
 	_, err = client.NewFromCCache(cc, krb5cfg)
 	if err != nil {
-		return errors.New("failed to create Kerberos client. Please check your Kerberos tickets with 'klist'")
+		return errors.New("Failed to create Kerberos client. Please check your Kerberos tickets with 'klist'")
 	}
 
 	return nil
@@ -232,7 +214,7 @@ func ValidateKerberosSetup(krb5ConfPath, ccachePath, proxySPN string) error {
 // GetDefaultKrb5ConfPath returns the default krb5.conf path for the current platform
 func GetDefaultKrb5ConfPath() string {
 	switch runtime.GOOS {
-	case "windows":
+	case osWindows:
 		// Windows typically uses krb5.ini
 		if windir := os.Getenv("WINDIR"); windir != "" {
 			return filepath.Join(windir, "krb5.ini")
@@ -262,9 +244,7 @@ func getDefaultCCachePath() string {
 	}
 
 	switch runtime.GOOS {
-	case "windows":
-		// On Windows, use the default credential cache managed by the system
-		// The gokrb5 library should handle this automatically with empty string
+	case osWindows:
 		return ""
 	default:
 		// Linux, macOS, and other Unix-like systems
diff --git a/internal/wrappers/kerberos/windows_sspi.go b/internal/wrappers/kerberos/windows_sspi.go
