
100 using spnego similarly like in enceladus to negotiate the auth #103

Conversation

TheLydonKing (Collaborator)

Added Kerberos Auth that can be used:
curl -i --negotiate -u : "http://localhost:9090/token/generate"

The current implementation is kind of working, but testing has been difficult to implement. Currently I'm getting a Bad Credentials exception. Not sure if it's the LDAP search, the keytab or the Kerberos ticket that is currently causing the issue.

closes #100

@TheLydonKing TheLydonKing self-assigned this Jun 10, 2024
@TheLydonKing TheLydonKing linked an issue Jun 10, 2024 that may be closed by this pull request
@TheLydonKing TheLydonKing force-pushed the feature/100-using-spnego-similarly-like-in-enceladus-to-negotiate-the-auth branch from 0574d72 to 0f11ae1 on June 11, 2024 15:40
TheLydonKing (Collaborator, Author) commented Jun 12, 2024

Excuse the messy code if anyone tries to read this, just trying to find a configuration that works. A lot of code is duplicated or in the wrong folders, this will be cleaned up once we get a working solution.

So far I have tried multiple implementations, such as those found in Enceladus as well as the official SPNEGO documentation and examples.

The current implementation is being called correctly in the security filter chain if curl -i --negotiate -u : "http://localhost:9090/token/generate" is called. The security filter chain is also successfully skipping this auth process if Basic Auth is stipulated in the HTTP message, and then BasicAuth is used.

The current issue is that I'm getting a BadCredentials exception when trying to test it using MIT Kerberos on Windows. The specific error:

2024-06-12 12:52:52.666  WARN 17980 --- [nio-9090-exec-1] w.a.SpnegoAuthenticationProcessingFilter : Negotiate Header was invalid: Negotiate XXXX

org.springframework.security.authentication.BadCredentialsException: GSSContext name of the context initiator is null

Current Hypothesis on the issue:

  • Something missing from the code. I've been using the above examples to write this code, but it's possible that I've misinterpreted something or missed something. Another set of eyes may be able to point this out; currently I'm experimenting but not getting any changes.
  • Error with the keytab. The keytab was created by the Active Directory team, but it's possible that a mistake was made or the encryption type is incorrect, etc.
  • KRB5 is incorrect. So far I've tried 2 different KRB5 files and both have given the same output, so I'm not sure if I have the correct data here.
  • Testing on Windows: Kerberos and keytabs are mostly used on Linux distributions. I'm attempting to use curl and MIT Kerberos to test this, but it's possible that something on Windows is causing issues, as Kerberos is quite rigid.
  • Perhaps an SSL error with verifying against the Absa KDC specified in the KRB5 files?
  • Possibly a cross-domain issue, as the test machine is D_ABSA but the Kerberos keytab and KDCs are in the CORP domain? Possible that this may be causing issues?

Is anyone able to see a different error that I perhaps missed?
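The log line above redacts the token ("Negotiate XXXX"), and the comment lists several server-side hypotheses (keytab, krb5, cross-domain). Before chasing any of those, it helps to look at what the client actually put after "Negotiate ": a SPNEGO NegTokenInit (and which mechanisms it offers), a bare Kerberos token, or a raw NTLMSSP message, which a Kerberos-only GSS acceptor cannot process at all and which Windows clients send when they could not obtain a ticket. The following decoder is an added example written for this discussion; it is not code from the pull request or from Enceladus. It uses only the Python standard library, and the three sample header values at the bottom are constructed here, not captured from any system. The curl command in the PR description sends exactly such a header, so the value can be taken from a debug-level request log or from curl's own output.

```python
"""Classify the token in an HTTP "Authorization: Negotiate <base64>" header.

Added example, not project code. Reports whether the client sent a SPNEGO
NegTokenInit (plus its mechTypes list), a bare Kerberos V5 token, or a raw
NTLMSSP message. Sample tokens below are constructed, not real captures.
"""
import base64

# DER-encoded OID contents for mechanisms seen under "Negotiate"
# (RFC 4178 SPNEGO, RFC 4121 Kerberos V5, MS-SPNG for the Microsoft OIDs).
SPNEGO_OID = bytes.fromhex("2b0601050502")
KRB5_OID = bytes.fromhex("2a864886f712010202")
MECH_OIDS = {
    SPNEGO_OID: "SPNEGO (1.3.6.1.5.5.2)",
    KRB5_OID: "Kerberos V5 (1.2.840.113554.1.2.2)",
    bytes.fromhex("2a864882f712010202"): "MS Kerberos V5 (1.2.840.48018.1.2.2)",
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP (1.3.6.1.4.1.311.2.2.10)",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos (single-byte tags); return (tag, value, end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds token")
    return tag, buf[pos:end], end


def _spnego_mech_types(neg_token):
    """Return the mechTypes of a NegTokenInit: [0] SEQUENCE { [0] SEQUENCE OF OID ... }."""
    tag, init, _ = _read_tlv(neg_token, 0)
    if tag != 0xA0:  # [1] would be a NegTokenResp, which carries no mechTypes
        return []
    tag, seq, _ = _read_tlv(init, 0)
    if tag != 0x30:
        return []
    tag, mech_list, _ = _read_tlv(seq, 0)
    if tag != 0xA0:  # mechTypes is optional, but when present it is the first element
        return []
    tag, oids, _ = _read_tlv(mech_list, 0)
    if tag != 0x30:
        return []
    names, pos = [], 0
    while pos < len(oids):
        tag, oid, pos = _read_tlv(oids, pos)
        if tag == 0x06:
            names.append(MECH_OIDS.get(oid, "unknown OID " + oid.hex()))
    return names


def classify_negotiate_header(header_value):
    """Decode an Authorization header value and report what the client actually sent."""
    scheme, _, token_b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "scheme": scheme}
    try:
        raw = base64.b64decode(token_b64 + "=" * (-len(token_b64) % 4))
    except ValueError:
        return {"kind": "malformed", "reason": "not base64"}
    if raw.startswith(b"NTLMSSP\x00"):
        # Raw NTLM: the client had no usable Kerberos ticket for this service.
        return {"kind": "ntlm-raw"}
    try:
        tag, body, _ = _read_tlv(raw, 0)
        if tag != 0x60:  # GSS-API InitialContextToken wrapper (RFC 2743 section 3.1)
            return {"kind": "unknown", "first_byte": raw[:1].hex()}
        oid_tag, oid, pos = _read_tlv(body, 0)
        if oid_tag != 0x06:
            return {"kind": "malformed", "reason": "no mechanism OID"}
        result = {"kind": "gss", "mech": MECH_OIDS.get(oid, "unknown OID " + oid.hex())}
        if oid == SPNEGO_OID:
            result["mech_types"] = _spnego_mech_types(body[pos:])
        return result
    except ValueError as exc:
        return {"kind": "malformed", "reason": str(exc)}


# ---- constructed sample tokens (assumption: minimal, not from a real client) ----
def _der(tag, content):
    """Encode one DER element with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_spnego(mechs):
    """Build a minimal NegTokenInit advertising only the given mechanism OIDs."""
    mech_seq = _der(0x30, b"".join(_der(0x06, m) for m in mechs))
    return _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xA0, _der(0x30, _der(0xA0, mech_seq))))


def _header(token):
    return "Negotiate " + base64.b64encode(token).decode()


SAMPLE_SPNEGO_HEADER = _header(build_sample_spnego(
    [bytes.fromhex("2a864882f712010202"), KRB5_OID, bytes.fromhex("2b06010401823702020a")]))
SAMPLE_KRB_HEADER = _header(_der(0x60, _der(0x06, KRB5_OID)))
SAMPLE_NTLM_HEADER = _header(b"NTLMSSP\x00\x01\x00\x00\x00")

if __name__ == "__main__":
    for h in (SAMPLE_SPNEGO_HEADER, SAMPLE_KRB_HEADER, SAMPLE_NTLM_HEADER):
        print(classify_negotiate_header(h))
```

If the result is "ntlm-raw", or a SPNEGO token whose mechTypes list does not contain a Kerberos OID, the failure is on the client side (no ticket for the service principal, wrong realm for the machine, or an SPN the KDC does not know) and no keytab change on the server will fix it; a token that does carry Kerberos is the point at which the keytab, encryption types and realm configuration become the suspects.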

Comment on lines 61 to 74
if (KerberosConfig != null) {
  if (KerberosConfig.enableKerberos.isDefined) {
    val kerberos = new KerberosSPNEGOAuthenticationProvider(KerberosConfig)
    val provider = new RestApiKerberosAuthenticationProvider(KerberosConfig.url, KerberosConfig.searchFilter, KerberosConfig.domain)
    http.addFilterBefore(
      RestApiKerberosAuthentication.spnegoAuthenticationProcessingFilter(
        new ProviderManager(provider, kerberos.kerberosServiceAuthenticationProvider())),
      classOf[BasicAuthenticationFilter])
  }
}

http.build()
Collaborator
I am surprised that it is necessary to force the Kerberos...AuthProvider this way. Isn't this just another AuthenticationProvider, just like ConfigUsersAuthenticationProvider and ActiveDirectoryLDAPAuthenticationProvider?

Perhaps it could be provided the same way as those are in AuthManagerConfig.authManager:47?

Collaborator Author

So I'm forcing the AuthManager here so that I can try to debug any issues with the Kerberos auth specifically. Just trying to make it easier to find the above issue that is being run into.

TheLydonKing (Collaborator, Author)

Has anyone been able to test this code or find any glaring issues while I was away? I had a think about this during some time off, and I don't understand what else is required for it to work or how to debug what the issue is; as I stated above, there are a lot of different issues that could be present.

github-actions bot commented Aug 15, 2024

JaCoCo code coverage report - scala:2.12.17

File                                        Coverage [52.46%]
KerberosConfig.scala                        100%     🍏
ActiveDirectoryLDAPConfig.scala             90%      🍏
SecurityConfig.scala                        87.38%   🍏
TokenController.scala                       84.12%   🍏
KerberosUserDetails.scala                   74.36%
ServiceAccountConfig.scala                  37.27%
KerberosSPNEGOAuthenticationProvider.scala  0%
KerberosUserDetailsService.scala            0%
Total Project Coverage                      62.76%   🍏

@TheLydonKing TheLydonKing marked this pull request as ready for review August 15, 2024 13:20
dk1844 (Collaborator) left a comment

LGTM, nicely done!

@@ -48,6 +48,7 @@ class ConfigProviderTest extends AnyFlatSpec with Matchers {
activeDirectoryLDAPConfig.order shouldBe 2
activeDirectoryLDAPConfig.serviceAccount.username shouldBe "CN=svc-ldap,OU=Users,OU=CORP Accounts,DC=corp,DC=dsarena,DC=com"
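Review bot: The expected value on the second context line pins what looks like a real directory layout (`OU=CORP Accounts,DC=corp,DC=dsarena,DC=com`) into a unit test; a test fixture should not document the production AD tree, and the assertion only needs a distinguished name in the right shape. Suggest a neutral fixture such as `"CN=svc-ldap,OU=Users,DC=example,DC=com"` here, with the matching value changed in the test configuration the test reads, so the assertion still exercises the parsing path.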
Collaborator

Let's just maybe strip the dsarena.com domain from the tests?

Collaborator Author

Amended

@TheLydonKing TheLydonKing merged commit 47c779b into master Aug 20, 2024
2 of 3 checks passed
Development

Successfully merging this pull request may close these issues.

Using SPNEGO similarly like in Enceladus to negotiate the auth
2 participants