fix: ssp krb5 v8 compatibility

Author: oiweiwei

ssp/credential/ccache.go

@@ -9,6 +9,12 @@ import (
 	v8_credentials "github.com/jcmturner/gokrb5/v8/credentials"
 )
 
+type CCacheV8 interface {
+	Credential
+	// CCache V8.
+	CCache() *v8_credentials.CCache
+}
+
 type CCache interface {
 	Credential
 	// CCache.

ssp/credential/credential.go

@@ -25,27 +25,35 @@ func parseUser(un string, opts ...Option) userCred {
 // the domain name, user name, and workstation.
 func parseDomainUserWorkstation(un string, opts ...Option) (string, string, string) {
 
-	wkst := ""
+	wkst, dn := "", ""
 
 	for _, opt := range opts {
 		switch v := opt.(type) {
 		case wkstOpt:
 			wkst = string(v)
+		case domainOpt:
+			dn = string(v)
 		}
 	}
 
 	// down-level logon name.
 	if strings.Contains(un, "\\") {
 		un := strings.SplitN(un, "\\", 2)
+		if dn != "" {
+			return dn, un[1], wkst
+		}
 		return un[0], un[1], wkst
 	}
 
 	if strings.Contains(un, "@") {
 		un := strings.SplitN(un, "@", 2)
+		if dn != "" {
+			return dn, un[0], wkst
+		}
 		return un[1], un[0], wkst
 	}
 
-	return "", un, wkst
+	return dn, un, wkst
 }
 
 // DomainName function returns the domain name from the user name.
@@ -66,3 +74,18 @@ func NewFromString(s string, opts ...Option) Password {
 	}
 	return NewFromPassword(s, "", append(opts, AllowEmptyPassword())...)
 }
+
+func V8ToV9(cred Credential) Credential {
+
+	if cred, ok := (any)(cred).(KeytabV8); ok {
+		return NewFromKeytabV8(cred.UserName(), cred.Keytab(),
+			Workstation(cred.Workstation()), Domain(cred.DomainName()))
+	}
+
+	if cred, ok := (any)(cred).(CCacheV8); ok {
+		return NewFromCCacheV8(cred.UserName(), cred.CCache(),
+			Workstation(cred.Workstation()), Domain(cred.DomainName()))
+	}
+
+	return cred
+}

ssp/credential/keytab.go

@@ -9,6 +9,12 @@ import (
 	v8_keytab "github.com/jcmturner/gokrb5/v8/keytab"
 )
 
+type KeytabV8 interface {
+	Credential
+	// Keytab.
+	Keytab() *v8_keytab.Keytab
+}
+
 // Keytab interface defines the Kerberos 5 Keytab credential.
 type Keytab interface {
 	Credential

ssp/credential/options.go

@@ -21,3 +21,11 @@ func (allowEmptyPassword) is_CredentialOption() {}
 func AllowEmptyPassword() Option {
 	return allowEmptyPassword{}
 }
+
+type domainOpt string
+
+func (domainOpt) is_CredentialOption() {}
+
+func Domain(s string) Option {
+	return domainOpt(s)
+}

ssp/krb5/authentifier.go

@@ -49,7 +49,10 @@ type SecurityService struct {
 }
 
 func (a *Authentifier) makeService(ctx context.Context) (*service.Settings, error) {
-	kt, _ := a.Config.Credential.(credential.Keytab)
+	kt, ok := credential.V8ToV9(a.Config.Credential).(credential.Keytab)
+	if !ok {
+		return nil, fmt.Errorf("krb5: make service: invalid credential type: %T", a.Config.Credential)
+	}
 	return service.NewSettings(kt.Keytab(), a.Config.ServiceSettings()...), nil
 }
 
@@ -106,7 +109,7 @@ func (a *Authentifier) makeClient(ctx context.Context) (*client.Client, error) {
 			a.Config.GetKRB5Config(), a.Config.ClientSettings()...)
 	}
 
-	switch cred := a.Config.Credential.(type) {
+	switch cred := credential.V8ToV9(a.Config.Credential).(type) {
 	case credential.Password:
 		cli.Credentials = creds.WithPassword(cred.Password())
 	case credential.Keytab:

ssp/krb5/config.go

@@ -182,6 +182,10 @@ func parseETypes(s []string, w bool) []int32 {
 
 func IsValidCredential(cred any) bool {
 
+	if genericCred, ok := cred.(credential.Credential); ok {
+		cred = credential.V8ToV9(genericCred)
+	}
+
 	if _, ok := cred.(credential.Keytab); ok {
 		return true
 	}