client exported review

client/ASExchange.go

@@ -23,7 +23,7 @@ func (cl *Client) ASExchange(realm string, ASReq messages.ASReq, referral int) (
 	}
 	var ASRep messages.ASRep
 
-	rb, err := cl.SendToKDC(b, realm)
+	rb, err := cl.sendToKDC(b, realm)
 	if err != nil {
 		if e, ok := err.(messages.KRBError); ok {
 			switch e.ErrorCode {
@@ -38,7 +38,7 @@ func (cl *Client) ASExchange(realm string, ASReq messages.ASReq, referral int) (
 				if err != nil {
 					return messages.ASRep{}, krberror.Errorf(err, krberror.EncodingError, "AS Exchange Error: failed marshaling AS_REQ with PAData")
 				}
-				rb, err = cl.SendToKDC(b, realm)
+				rb, err = cl.sendToKDC(b, realm)
 				if err != nil {
 					if _, ok := err.(messages.KRBError); ok {
 						return messages.ASRep{}, krberror.Errorf(err, krberror.KDCError, "AS Exchange Error: kerberos error response from KDC")

client/TGSExchange.go

@@ -11,14 +11,8 @@ import (
 
 // TGSExchange performs a TGS exchange to retrieve a ticket to the specified SPN.
 // The ticket retrieved is added to the client's cache.
-func (cl *Client) TGSExchange(spn types.PrincipalName, kdcRealm string, tkt messages.Ticket, sessionKey types.EncryptionKey, renewal bool, referral int) (tgsReq messages.TGSReq, tgsRep messages.TGSRep, err error) {
-	//// Check what sessions we have for this SPN.
-	//// Will get the session to the default realm if one does not exist for requested SPN
-	//sess, err := cl.GetSessionFromPrincipalName(spn)
-	//if err != nil {
-	//	return tgsReq, tgsRep,  err
-	//}
-	tgsReq, err = messages.NewTGSReq(cl.Credentials.CName, kdcRealm, cl.Config, tkt, sessionKey, spn, renewal)
+func (cl *Client) TGSExchange(spn types.PrincipalName, kdcRealm string, tgt messages.Ticket, sessionKey types.EncryptionKey, renewal bool, referral int) (tgsReq messages.TGSReq, tgsRep messages.TGSRep, err error) {
+	tgsReq, err = messages.NewTGSReq(cl.Credentials.CName, kdcRealm, cl.Config, tgt, sessionKey, spn, renewal)
 	if err != nil {
 		return tgsReq, tgsRep, krberror.Errorf(err, krberror.KRBMsgError, "TGS Exchange Error: failed to generate a new TGS_REQ")
 	}
@@ -26,7 +20,7 @@ func (cl *Client) TGSExchange(spn types.PrincipalName, kdcRealm string, tkt mess
 	if err != nil {
 		return tgsReq, tgsRep, krberror.Errorf(err, krberror.EncodingError, "TGS Exchange Error: failed to generate a new TGS_REQ")
 	}
-	r, err := cl.SendToKDC(b, kdcRealm)
+	r, err := cl.sendToKDC(b, kdcRealm)
 	if err != nil {
 		if _, ok := err.(messages.KRBError); ok {
 			return tgsReq, tgsRep, krberror.Errorf(err, krberror.KDCError, "TGS Exchange Error: kerberos error response from KDC")
@@ -73,27 +67,27 @@ func (cl *Client) GetServiceTicket(spn string) (messages.Ticket, types.Encryptio
 		return tkt, skey, nil
 	}
 	princ := types.NewPrincipalName(nametype.KRB_NT_PRINCIPAL, spn)
-	sess, err := cl.GetSessionFromPrincipalName(princ)
+	sess, err := cl.sessionFromPrincipalName(princ)
 	if err != nil {
 		return tkt, skey, err
 	}
 	// Ensure TGT still valid
-	if time.Now().UTC().After(sess.EndTime) {
+	if time.Now().UTC().After(sess.endTime) {
 		_, err := cl.updateSession(sess)
 		if err != nil {
 			return tkt, skey, err
 		}
 		// Get the session again as it could have been replaced by the update
-		sess, err = cl.GetSessionFromPrincipalName(princ)
+		sess, err = cl.sessionFromPrincipalName(princ)
 		if err != nil {
 			return tkt, skey, err
 		}
 	}
-	_, tgsRep, err := cl.TGSExchange(princ, sess.Realm, sess.TGT, sess.SessionKey, false, 0)
+	_, tgsRep, err := cl.TGSExchange(princ, sess.realm, sess.tgt, sess.sessionKey, false, 0)
 	if err != nil {
 		return tkt, skey, err
 	}
-	cl.Cache.addEntry(
+	cl.cache.addEntry(
 		tgsRep.Ticket,
 		tgsRep.DecryptedEncPart.AuthTime,
 		tgsRep.DecryptedEncPart.StartTime,

client/cache.go

@@ -74,7 +74,7 @@ func (c *Cache) RemoveEntry(spn string) {
 // GetCachedTicket returns a ticket from the cache for the SPN.
 // Only a ticket that is currently valid will be returned.
 func (cl *Client) GetCachedTicket(spn string) (messages.Ticket, types.EncryptionKey, bool) {
-	if e, ok := cl.Cache.getEntry(spn); ok {
+	if e, ok := cl.cache.getEntry(spn); ok {
 		//If within time window of ticket return it
 		if time.Now().UTC().After(e.StartTime) && time.Now().UTC().Before(e.EndTime) {
 			return e.Ticket, e.SessionKey, true
@@ -99,7 +99,7 @@ func (cl *Client) renewTicket(e CacheEntry) (CacheEntry, error) {
 	if err != nil {
 		return e, err
 	}
-	e = cl.Cache.addEntry(
+	e = cl.cache.addEntry(
 		tgsRep.Ticket,
 		tgsRep.DecryptedEncPart.AuthTime,
 		tgsRep.DecryptedEncPart.StartTime,

client/client.go

@@ -21,9 +21,9 @@ import (
 type Client struct {
 	Credentials *credentials.Credentials
 	Config      *config.Config
-	GoKrb5Conf  *Config
+	GoKrb5Conf  Config
 	sessions    *sessions
-	Cache       *Cache
+	cache       *Cache
 }
 
 // Config struct holds GoKRB5 specific client configurations.
@@ -41,11 +41,11 @@ func NewClientWithPassword(username, realm, password string) Client {
 	return Client{
 		Credentials: creds.WithPassword(password),
 		Config:      config.NewConfig(),
-		GoKrb5Conf:  &Config{},
+		GoKrb5Conf:  Config{},
 		sessions: &sessions{
 			Entries: make(map[string]*session),
 		},
-		Cache: NewCache(),
+		cache: NewCache(),
 	}
 }
 
@@ -55,11 +55,11 @@ func NewClientWithKeytab(username, realm string, kt keytab.Keytab) Client {
 	return Client{
 		Credentials: creds.WithKeytab(kt),
 		Config:      config.NewConfig(),
-		GoKrb5Conf:  &Config{},
+		GoKrb5Conf:  Config{},
 		sessions: &sessions{
 			Entries: make(map[string]*session),
 		},
-		Cache: NewCache(),
+		cache: NewCache(),
 	}
 }
 
@@ -70,11 +70,11 @@ func NewClientFromCCache(c credentials.CCache) (Client, error) {
 	cl := Client{
 		Credentials: c.GetClientCredentials(),
 		Config:      config.NewConfig(),
-		GoKrb5Conf:  &Config{},
+		GoKrb5Conf:  Config{},
 		sessions: &sessions{
 			Entries: make(map[string]*session),
 		},
-		Cache: NewCache(),
+		cache: NewCache(),
 	}
 	spn := types.PrincipalName{
 		NameType:   nametype.KRB_NT_SRV_INST,
@@ -90,12 +90,12 @@ func NewClientFromCCache(c credentials.CCache) (Client, error) {
 		return cl, fmt.Errorf("TGT bytes in cache are not valid: %v", err)
 	}
 	cl.sessions.Entries[c.DefaultPrincipal.Realm] = &session{
-		Realm:      c.DefaultPrincipal.Realm,
-		AuthTime:   cred.AuthTime,
-		EndTime:    cred.EndTime,
-		RenewTill:  cred.RenewTill,
-		TGT:        tgt,
-		SessionKey: cred.Key,
+		realm:      c.DefaultPrincipal.Realm,
+		authTime:   cred.AuthTime,
+		endTime:    cred.EndTime,
+		renewTill:  cred.RenewTill,
+		tgt:        tgt,
+		sessionKey: cred.Key,
 	}
 	for _, cred := range c.GetEntries() {
 		var tkt messages.Ticket
@@ -103,7 +103,7 @@ func NewClientFromCCache(c credentials.CCache) (Client, error) {
 		if err != nil {
 			return cl, fmt.Errorf("cache entry ticket bytes are not valid: %v", err)
 		}
-		cl.Cache.addEntry(
+		cl.cache.addEntry(
 			tkt,
 			cred.AuthTime,
 			cred.StartTime,
@@ -175,8 +175,8 @@ func (cl *Client) IsConfigured() (bool, error) {
 	}
 	// Client needs to have either a password, keytab or a session already (later when loading from CCache)
 	if !cl.Credentials.HasPassword() && !cl.Credentials.HasKeytab() {
-		sess, err := cl.GetSessionFromRealm(cl.Credentials.Realm)
-		if err != nil || sess.AuthTime.IsZero() {
+		sess, err := cl.sessionFromRealm(cl.Credentials.Realm)
+		if err != nil || sess.authTime.IsZero() {
 			return false, errors.New("client has neither a keytab nor a password set and no session")
 		}
 	}
@@ -218,6 +218,6 @@ func (cl *Client) Login() error {
 func (cl *Client) Destroy() {
 	creds := credentials.NewCredentials("", "")
 	cl.sessions.destroy()
-	cl.Cache.clear()
+	cl.cache.clear()
 	cl.Credentials = &creds
 }

client/client_integration_test.go

@@ -410,7 +410,7 @@ func TestMultiThreadedClientSession(t *testing.T) {
 		t.Fatalf("failed to log in: %v", err)
 	}
 
-	s, err := cl.GetSessionFromRealm("TEST.GOKRB5")
+	s, err := cl.sessionFromRealm("TEST.GOKRB5")
 	if err != nil {
 		t.Fatalf("error initially getting session: %v", err)
 	}
@@ -429,7 +429,7 @@ func TestMultiThreadedClientSession(t *testing.T) {
 	for i := 0; i < 10; i++ {
 		go func() {
 			defer wg.Done()
-			s, err := cl.GetSessionFromRealm("TEST.GOKRB5")
+			s, err := cl.sessionFromRealm("TEST.GOKRB5")
 			if err != nil {
 				t.Logf("error getting session: %v", err)
 			}

client/network.go

@@ -14,7 +14,7 @@ import (
 )
 
 // SendToKDC performs network actions to send data to the KDC.
-func (cl *Client) SendToKDC(b []byte, realm string) ([]byte, error) {
+func (cl *Client) sendToKDC(b []byte, realm string) ([]byte, error) {
 	var rb []byte
 	if cl.Config.LibDefaults.UDPPreferenceLimit == 1 {
 		//1 means we should always use TCP

client/session.go

@@ -28,57 +28,57 @@ func (s *sessions) destroy() {
 
 // Client session struct.
 type session struct {
-	Realm                string
-	AuthTime             time.Time
-	EndTime              time.Time
-	RenewTill            time.Time
-	TGT                  messages.Ticket
-	SessionKey           types.EncryptionKey
-	SessionKeyExpiration time.Time
+	realm                string
+	authTime             time.Time
+	endTime              time.Time
+	renewTill            time.Time
+	tgt                  messages.Ticket
+	sessionKey           types.EncryptionKey
+	sessionKeyExpiration time.Time
 	cancel               chan bool
 	mux                  sync.RWMutex
 }
 
-func (s *session) update(tkt messages.Ticket, dep messages.EncKDCRepPart) {
+func (s *session) update(tgt messages.Ticket, dep messages.EncKDCRepPart) {
 	s.mux.Lock()
 	defer s.mux.Unlock()
-	s.AuthTime = dep.AuthTime
-	s.EndTime = dep.EndTime
-	s.RenewTill = dep.RenewTill
-	s.TGT = tkt
-	s.SessionKey = dep.Key
-	s.SessionKeyExpiration = dep.KeyExpiration
+	s.authTime = dep.AuthTime
+	s.endTime = dep.EndTime
+	s.renewTill = dep.RenewTill
+	s.tgt = tgt
+	s.sessionKey = dep.Key
+	s.sessionKeyExpiration = dep.KeyExpiration
 }
 
 func (s *session) destroy() {
 	s.mux.Lock()
 	defer s.mux.Unlock()
 	s.cancel <- true
-	s.EndTime = time.Now().UTC()
-	s.RenewTill = s.EndTime
-	s.SessionKeyExpiration = s.EndTime
+	s.endTime = time.Now().UTC()
+	s.renewTill = s.endTime
+	s.sessionKeyExpiration = s.endTime
 }
 
 // AddSession adds a session for a realm with a TGT to the client's session cache.
 // A goroutine is started to automatically renew the TGT before expiry.
-func (cl *Client) AddSession(tkt messages.Ticket, dep messages.EncKDCRepPart) {
+func (cl *Client) AddSession(tgt messages.Ticket, dep messages.EncKDCRepPart) {
 	cl.sessions.mux.Lock()
 	defer cl.sessions.mux.Unlock()
 	s := &session{
-		Realm:                tkt.SName.NameString[1],
-		AuthTime:             dep.AuthTime,
-		EndTime:              dep.EndTime,
-		RenewTill:            dep.RenewTill,
-		TGT:                  tkt,
-		SessionKey:           dep.Key,
-		SessionKeyExpiration: dep.KeyExpiration,
+		realm:                tgt.SName.NameString[1],
+		authTime:             dep.AuthTime,
+		endTime:              dep.EndTime,
+		renewTill:            dep.RenewTill,
+		tgt:                  tgt,
+		sessionKey:           dep.Key,
+		sessionKeyExpiration: dep.KeyExpiration,
 		cancel:               make(chan bool, 1),
 	}
 	// if a session already exists for this, cancel its auto renew.
-	if i, ok := cl.sessions.Entries[tkt.SName.NameString[1]]; ok {
+	if i, ok := cl.sessions.Entries[tgt.SName.NameString[1]]; ok {
 		i.cancel <- true
 	}
-	cl.sessions.Entries[tkt.SName.NameString[1]] = s
+	cl.sessions.Entries[tgt.SName.NameString[1]] = s
 	cl.enableAutoSessionRenewal(s)
 }
 
@@ -88,7 +88,7 @@ func (cl *Client) enableAutoSessionRenewal(s *session) {
 	go func(s *session) {
 		for {
 			s.mux.RLock()
-			w := (s.EndTime.Sub(time.Now().UTC()) * 5) / 6
+			w := (s.endTime.Sub(time.Now().UTC()) * 5) / 6
 			s.mux.RUnlock()
 			if w < 0 {
 				return
@@ -114,9 +114,9 @@ func (cl *Client) enableAutoSessionRenewal(s *session) {
 func (cl *Client) renewTGT(s *session) error {
 	spn := types.PrincipalName{
 		NameType:   nametype.KRB_NT_SRV_INST,
-		NameString: []string{"krbtgt", s.Realm},
+		NameString: []string{"krbtgt", s.realm},
 	}
-	_, tgsRep, err := cl.TGSExchange(spn, s.TGT.Realm, s.TGT, s.SessionKey, true, 0)
+	_, tgsRep, err := cl.TGSExchange(spn, s.tgt.Realm, s.tgt, s.sessionKey, true, 0)
 	if err != nil {
 		return krberror.Errorf(err, krberror.KRBMsgError, "error renewing TGT")
 	}
@@ -127,7 +127,7 @@ func (cl *Client) renewTGT(s *session) error {
 // updateSession updates either through renewal or creating a new login.
 // The boolean indicates if the update was a renewal.
 func (cl *Client) updateSession(s *session) (bool, error) {
-	if time.Now().UTC().Before(s.RenewTill) {
+	if time.Now().UTC().Before(s.renewTill) {
 		err := cl.renewTGT(s)
 		return true, err
 	}
@@ -135,7 +135,7 @@ func (cl *Client) updateSession(s *session) (bool, error) {
 	return false, err
 }
 
-func (cl *Client) getSessionFromRemoteRealm(realm string) (*session, error) {
+func (cl *Client) sessionFromRemoteRealm(realm string) (*session, error) {
 	cl.sessions.mux.RLock()
 	sess, ok := cl.sessions.Entries[cl.Credentials.Realm]
 	cl.sessions.mux.RUnlock()
@@ -148,7 +148,7 @@ func (cl *Client) getSessionFromRemoteRealm(realm string) (*session, error) {
 		NameString: []string{"krbtgt", realm},
 	}
 
-	_, tgsRep, err := cl.TGSExchange(spn, cl.Credentials.Realm, sess.TGT, sess.SessionKey, false, 0)
+	_, tgsRep, err := cl.TGSExchange(spn, cl.Credentials.Realm, sess.tgt, sess.sessionKey, false, 0)
 	if err != nil {
 		return nil, err
 	}
@@ -160,32 +160,32 @@ func (cl *Client) getSessionFromRemoteRealm(realm string) (*session, error) {
 }
 
 // GetSessionFromRealm returns the session for the realm provided.
-func (cl *Client) GetSessionFromRealm(realm string) (sess *session, err error) {
+func (cl *Client) sessionFromRealm(realm string) (sess *session, err error) {
 	cl.sessions.mux.RLock()
 	s, ok := cl.sessions.Entries[realm]
 	cl.sessions.mux.RUnlock()
 	if !ok {
 		// Try to request TGT from trusted remote Realm
-		s, err = cl.getSessionFromRemoteRealm(realm)
+		s, err = cl.sessionFromRemoteRealm(realm)
 		if err != nil {
 			return
 		}
 	}
 	// Create another session to return to prevent race condition.
 	sess = &session{
-		Realm:                s.Realm,
-		AuthTime:             s.AuthTime,
-		EndTime:              s.EndTime,
-		RenewTill:            s.RenewTill,
-		TGT:                  s.TGT,
-		SessionKey:           s.SessionKey,
-		SessionKeyExpiration: s.SessionKeyExpiration,
+		realm:                s.realm,
+		authTime:             s.authTime,
+		endTime:              s.endTime,
+		renewTill:            s.renewTill,
+		tgt:                  s.tgt,
+		sessionKey:           s.sessionKey,
+		sessionKeyExpiration: s.sessionKeyExpiration,
 	}
 	return
 }
 
 // GetSessionFromPrincipalName returns the session for the realm of the principal provided.
-func (cl *Client) GetSessionFromPrincipalName(spn types.PrincipalName) (*session, error) {
+func (cl *Client) sessionFromPrincipalName(spn types.PrincipalName) (*session, error) {
 	realm := cl.Config.ResolveRealm(spn.NameString[len(spn.NameString)-1])
-	return cl.GetSessionFromRealm(realm)
+	return cl.sessionFromRealm(realm)
 }

messages/KDCReq.go

@@ -154,7 +154,7 @@ func NewASReq(realm string, c *config.Config, cname, sname types.PrincipalName)
 }
 
 // NewTGSReq generates a new KRB_TGS_REQ struct.
-func NewTGSReq(cname types.PrincipalName, kdcRealm string, c *config.Config, tkt Ticket, sessionKey types.EncryptionKey, spn types.PrincipalName, renewal bool) (TGSReq, error) {
+func NewTGSReq(cname types.PrincipalName, kdcRealm string, c *config.Config, tgt Ticket, sessionKey types.EncryptionKey, spn types.PrincipalName, renewal bool) (TGSReq, error) {
 	nonce, err := rand.Int(rand.Reader, big.NewInt(math.MaxInt32))
 	if err != nil {
 		return TGSReq{}, err
@@ -200,7 +200,7 @@ func NewTGSReq(cname types.PrincipalName, kdcRealm string, c *config.Config, tkt
 		types.SetFlag(&a.ReqBody.KDCOptions, flags.Renew)
 		types.SetFlag(&a.ReqBody.KDCOptions, flags.Renewable)
 	}
-	auth, err := types.NewAuthenticator(tkt.Realm, cname)
+	auth, err := types.NewAuthenticator(tgt.Realm, cname)
 	if err != nil {
 		return a, krberror.Errorf(err, krberror.KRBMsgError, "error generating new authenticator")
 	}
@@ -222,7 +222,7 @@ func NewTGSReq(cname types.PrincipalName, kdcRealm string, c *config.Config, tkt
 		CksumType: etype.GetHashID(),
 		Checksum:  cb,
 	}
-	apReq, err := NewAPReq(tkt, sessionKey, auth)
+	apReq, err := NewAPReq(tgt, sessionKey, auth)
 	if err != nil {
 		return a, krberror.Errorf(err, krberror.KRBMsgError, "error generating new AP_REQ")
 	}