initial version

LICENSE

@@ -0,0 +1,27 @@
+Copyright (c) 2012 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

README.md

@@ -0,0 +1 @@
+This repository holds Go packages for accessing Security Support Provider Interface on Windows. 

ntlm/http_test.go

@@ -0,0 +1,183 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build windows
+
+package ntlm_test
+
+import (
+	"encoding/base64"
+	"flag"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"sspi/ntlm"
+)
+
+var (
+	testURL = flag.String("url", "", "server URL for TestNTLMHTTPClient")
+)
+
+// TODO: implement Negotiate authentication. Probably in a different package.
+// see http://blogs.technet.com/b/tristank/archive/2006/08/02/negotiate-this.aspx
+// for how to disinguish between NTLM and Kerberos during Negotiate
+
+func newRequest() (*http.Request, error) {
+	req, err := http.NewRequest("GET", *testURL, nil)
+	if err != nil {
+		return nil, err
+	}
+	return req, nil
+}
+
+func get(req *http.Request) (*http.Response, string, error) {
+	res, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return nil, "", err
+	}
+	defer res.Body.Close()
+
+	body, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return nil, "", err
+	}
+	return res, string(body), nil
+}
+
+func canDoNTLM() error {
+	req, err := newRequest()
+	if err != nil {
+		return err
+	}
+	res, _, err := get(req)
+	if err != nil {
+		return err
+	}
+	if res.StatusCode != http.StatusUnauthorized {
+		return fmt.Errorf("Unauthorized expected, but got %v", res.StatusCode)
+	}
+	authHeaders, found := res.Header["Www-Authenticate"]
+	if !found {
+		return fmt.Errorf("Www-Authenticate not found")
+	}
+	for _, h := range authHeaders {
+		if h == "NTLM" {
+			return nil
+		}
+	}
+	return fmt.Errorf("Www-Authenticate header does not contain NTLM, but has %v", authHeaders)
+}
+
+func doNTLMNegotiate(negotiate []byte) ([]byte, error) {
+	req, err := newRequest()
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Authorization", "NTLM "+base64.StdEncoding.EncodeToString(negotiate))
+	res, _, err := get(req)
+	if err != nil {
+		return nil, err
+	}
+	if res.StatusCode != http.StatusUnauthorized {
+		return nil, fmt.Errorf("Unauthorized expected, but got %v", res.StatusCode)
+	}
+	authHeaders, found := res.Header["Www-Authenticate"]
+	if !found {
+		return nil, fmt.Errorf("Www-Authenticate not found")
+	}
+	if len(authHeaders) != 1 {
+		return nil, fmt.Errorf("Only one Www-Authenticate header expected, but %d found: %v", len(authHeaders), authHeaders)
+	}
+	if len(authHeaders[0]) < 6 {
+		return nil, fmt.Errorf("Www-Authenticate header is to short: %q", authHeaders[0])
+	}
+	if !strings.HasPrefix(authHeaders[0], "NTLM ") {
+		return nil, fmt.Errorf("Www-Authenticate header is suppose to starts with \"NTLM \", but is %q", authHeaders[0])
+	}
+	authenticate, err := base64.StdEncoding.DecodeString(authHeaders[0][5:])
+	if err != nil {
+		return nil, err
+	}
+	return authenticate, nil
+}
+
+func doNTLMAuthenticate(authenticate []byte) (string, error) {
+	req, err := newRequest()
+	if err != nil {
+		return "", err
+	}
+	req.Header.Set("Authorization", "NTLM "+base64.StdEncoding.EncodeToString(authenticate))
+	res, body, err := get(req)
+	if err != nil {
+		return "", err
+	}
+	if res.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("OK expected, but got %v", res.StatusCode)
+	}
+	return body, nil
+}
+
+func TestNTLMHTTPClient(t *testing.T) {
+	// TODO: combine client and server tests so we don't need external server
+	if len(*testURL) == 0 {
+		t.Skip("Skipping due to empty \"url\" parameter")
+	}
+
+	cred, err := ntlm.AcquireCurrentUserCredentials()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cred.Release()
+
+	secctx, negotiate, err := ntlm.NewClientContext(cred)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer secctx.Release()
+
+	err = canDoNTLM()
+	if err != nil {
+		t.Fatal(err)
+	}
+	challenge, err := doNTLMNegotiate(negotiate)
+	if err != nil {
+		t.Fatal(err)
+	}
+	authenticate, err := secctx.Update(challenge)
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, err = doNTLMAuthenticate(authenticate)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+// TODO: See http://www.innovation.ch/personal/ronald/ntlm.html#connections about needed to keep connection alive during authentication.
+
+func TestNTLMHTTPServer(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// TODO: implement NTLM authentication here
+		w.Write([]byte("hello"))
+	}))
+	defer ts.Close()
+
+	go func() {
+		res, err := http.Get(ts.URL)
+		if err != nil {
+			t.Fatal(err)
+		}
+		got, err := ioutil.ReadAll(res.Body)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if string(got) != "hello" {
+			t.Errorf("got %q, want hello", string(got))
+		}
+	}()
+}