Accueil Explorer Aide
S'inscrire Connexion
publics
/
gokrb5.v7
0
0
Fork 0
Fichiers Tickets 0 Pull Requests 0 Wiki
Aborescence: cbdf1c7592
Branches Tags
gokrb5.v7
/
client
/
session.go

session.go 5.4 KB
Historique Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201 
  1. package client
    2. 

  2. 

  3. import (
    4. 

  4. 	"fmt"
    5. 

  5. 	"sync"
    6. 

  6. 	"time"
    7. 

  7. 

  8. 	"gopkg.in/jcmturner/gokrb5.v6/iana/nametype"
    9. 

  9. 	"gopkg.in/jcmturner/gokrb5.v6/krberror"
    10. 

  10. 	"gopkg.in/jcmturner/gokrb5.v6/messages"
    11. 

  11. 	"gopkg.in/jcmturner/gokrb5.v6/types"
    12. 

  12. )
    13. 

  13. 

  14. // Sessions keyed on the realm name
    15. 

  15. type sessions struct {
    16. 

  16. 	Entries map[string]*session
    17. 

  17. 	mux     sync.RWMutex
    18. 

  18. }
    19. 

  19. 

  20. func (s *sessions) destroy() {
    21. 

  21. 	s.mux.Lock()
    22. 

  22. 	defer s.mux.Unlock()
    23. 

  23. 	for k, e := range s.Entries {
    24. 

  24. 		e.destroy()
    25. 

  25. 		delete(s.Entries, k)
    26. 

  26. 	}
    27. 

  27. }
    28. 

  28. 

  29. // Client session struct.
    30. 

  30. type session struct {
    31. 

  31. 	realm                string
    32. 

  32. 	authTime             time.Time
    33. 

  33. 	endTime              time.Time
    34. 

  34. 	renewTill            time.Time
    35. 

  35. 	tgt                  messages.Ticket
    36. 

  36. 	sessionKey           types.EncryptionKey
    37. 

  37. 	sessionKeyExpiration time.Time
    38. 

  38. 	cancel               chan bool
    39. 

  39. 	mux                  sync.RWMutex
    40. 

  40. }
    41. 

  41. 

  42. func (s *session) update(tgt messages.Ticket, dep messages.EncKDCRepPart) {
    43. 

  43. 	s.mux.Lock()
    44. 

  44. 	defer s.mux.Unlock()
    45. 

  45. 	s.authTime = dep.AuthTime
    46. 

  46. 	s.endTime = dep.EndTime
    47. 

  47. 	s.renewTill = dep.RenewTill
    48. 

  48. 	s.tgt = tgt
    49. 

  49. 	s.sessionKey = dep.Key
    50. 

  50. 	s.sessionKeyExpiration = dep.KeyExpiration
    51. 

  51. }
    52. 

  52. 

  53. func (s *session) destroy() {
    54. 

  54. 	s.mux.Lock()
    55. 

  55. 	defer s.mux.Unlock()
    56. 

  56. 	s.cancel <- true
    57. 

  57. 	s.endTime = time.Now().UTC()
    58. 

  58. 	s.renewTill = s.endTime
    59. 

  59. 	s.sessionKeyExpiration = s.endTime
    60. 

  60. }
    61. 

  61. 

  62. func (s *session) valid() bool {
    63. 

  63. 	s.mux.RLock()
    64. 

  64. 	defer s.mux.RUnlock()
    65. 

  65. 	t := time.Now().UTC()
    66. 

  66. 	if t.Before(s.endTime) && s.authTime.Before(t) {
    67. 

  67. 		return true
    68. 

  68. 	}
    69. 

  69. 	return false
    70. 

  70. }
    71. 

  71. 

  72. // AddSession adds a session for a realm with a TGT to the client's session cache.
    73. 

  73. // A goroutine is started to automatically renew the TGT before expiry.
    74. 

  74. func (cl *Client) AddSession(tgt messages.Ticket, dep messages.EncKDCRepPart) {
    75. 

  75. 	cl.sessions.mux.Lock()
    76. 

  76. 	defer cl.sessions.mux.Unlock()
    77. 

  77. 	s := &session{
    78. 

  78. 		realm:                tgt.SName.NameString[1],
    79. 

  79. 		authTime:             dep.AuthTime,
    80. 

  80. 		endTime:              dep.EndTime,
    81. 

  81. 		renewTill:            dep.RenewTill,
    82. 

  82. 		tgt:                  tgt,
    83. 

  83. 		sessionKey:           dep.Key,
    84. 

  84. 		sessionKeyExpiration: dep.KeyExpiration,
    85. 

  85. 		cancel:               make(chan bool, 1),
    86. 

  86. 	}
    87. 

  87. 	// if a session already exists for this, cancel its auto renew.
    88. 

  88. 	if i, ok := cl.sessions.Entries[tgt.SName.NameString[1]]; ok {
    89. 

  89. 		i.cancel <- true
    90. 

  90. 	}
    91. 

  91. 	cl.sessions.Entries[tgt.SName.NameString[1]] = s
    92. 

  92. 	cl.enableAutoSessionRenewal(s)
    93. 

  93. }
    94. 

  94. 

  95. // enableAutoSessionRenewal turns on the automatic renewal for the client's TGT session.
    96. 

  96. func (cl *Client) enableAutoSessionRenewal(s *session) {
    97. 

  97. 	var timer *time.Timer
    98. 

  98. 	go func(s *session) {
    99. 

  99. 		for {
    100. 

  100. 			s.mux.RLock()
    101. 

  101. 			w := (s.endTime.Sub(time.Now().UTC()) * 5) / 6
    102. 

  102. 			s.mux.RUnlock()
    103. 

  103. 			if w < 0 {
    104. 

  104. 				return
    105. 

  105. 			}
    106. 

  106. 			timer = time.NewTimer(w)
    107. 

  107. 			select {
    108. 

  108. 			case <-timer.C:
    109. 

  109. 				renewal, err := cl.updateSession(s)
    110. 

  110. 				if !renewal && err == nil {
    111. 

  111. 					// end this goroutine as there will have been a new login and new auto renewal goroutine created.
    112. 

  112. 					return
    113. 

  113. 				}
    114. 

  114. 			case <-s.cancel:
    115. 

  115. 				// cancel has been called. Stop the timer and exit.
    116. 

  116. 				timer.Stop()
    117. 

  117. 				return
    118. 

  118. 			}
    119. 

  119. 		}
    120. 

  120. 	}(s)
    121. 

  121. }
    122. 

  122. 

  123. // RenewTGT renews the client's TGT session.
    124. 

  124. func (cl *Client) renewTGT(s *session) error {
    125. 

  125. 	spn := types.PrincipalName{
    126. 

  126. 		NameType:   nametype.KRB_NT_SRV_INST,
    127. 

  127. 		NameString: []string{"krbtgt", s.realm},
    128. 

  128. 	}
    129. 

  129. 	_, tgsRep, err := cl.TGSExchange(spn, s.tgt.Realm, s.tgt, s.sessionKey, true, 0)
    130. 

  130. 	if err != nil {
    131. 

  131. 		return krberror.Errorf(err, krberror.KRBMsgError, "error renewing TGT")
    132. 

  132. 	}
    133. 

  133. 	s.update(tgsRep.Ticket, tgsRep.DecryptedEncPart)
    134. 

  134. 	return nil
    135. 

  135. }
    136. 

  136. 

  137. // updateSession updates either through renewal or creating a new login.
    138. 

  138. // The boolean indicates if the update was a renewal.
    139. 

  139. func (cl *Client) updateSession(s *session) (bool, error) {
    140. 

  140. 	if time.Now().UTC().Before(s.renewTill) {
    141. 

  141. 		err := cl.renewTGT(s)
    142. 

  142. 		return true, err
    143. 

  143. 	}
    144. 

  144. 	err := cl.Login()
    145. 

  145. 	return false, err
    146. 

  146. }
    147. 

  147. 

  148. func (cl *Client) sessionFromRemoteRealm(realm string) (*session, error) {
    149. 

  149. 	cl.sessions.mux.RLock()
    150. 

  150. 	sess, ok := cl.sessions.Entries[cl.Credentials.Realm]
    151. 

  151. 	cl.sessions.mux.RUnlock()
    152. 

  152. 	if !ok {
    153. 

  153. 		return nil, fmt.Errorf("client does not have a session for realm %s, login first", cl.Credentials.Realm)
    154. 

  154. 	}
    155. 

  155. 

  156. 	spn := types.PrincipalName{
    157. 

  157. 		NameType:   nametype.KRB_NT_SRV_INST,
    158. 

  158. 		NameString: []string{"krbtgt", realm},
    159. 

  159. 	}
    160. 

  160. 

  161. 	_, tgsRep, err := cl.TGSExchange(spn, cl.Credentials.Realm, sess.tgt, sess.sessionKey, false, 0)
    162. 

  162. 	if err != nil {
    163. 

  163. 		return nil, err
    164. 

  164. 	}
    165. 

  165. 	cl.AddSession(tgsRep.Ticket, tgsRep.DecryptedEncPart)
    166. 

  166. 

  167. 	cl.sessions.mux.RLock()
    168. 

  168. 	defer cl.sessions.mux.RUnlock()
    169. 

  169. 	return cl.sessions.Entries[realm], nil
    170. 

  170. }
    171. 

  171. 

  172. // GetSessionFromRealm returns the session for the realm provided.
    173. 

  173. func (cl *Client) sessionFromRealm(realm string) (sess *session, err error) {
    174. 

  174. 	cl.sessions.mux.RLock()
    175. 

  175. 	s, ok := cl.sessions.Entries[realm]
    176. 

  176. 	cl.sessions.mux.RUnlock()
    177. 

  177. 	if !ok {
    178. 

  178. 		// Try to request TGT from trusted remote Realm
    179. 

  179. 		s, err = cl.sessionFromRemoteRealm(realm)
    180. 

  180. 		if err != nil {
    181. 

  181. 			return
    182. 

  182. 		}
    183. 

  183. 	}
    184. 

  184. 	// Create another session to return to prevent race condition.
    185. 

  185. 	sess = &session{
    186. 

  186. 		realm:                s.realm,
    187. 

  187. 		authTime:             s.authTime,
    188. 

  188. 		endTime:              s.endTime,
    189. 

  189. 		renewTill:            s.renewTill,
    190. 

  190. 		tgt:                  s.tgt,
    191. 

  191. 		sessionKey:           s.sessionKey,
    192. 

  192. 		sessionKeyExpiration: s.sessionKeyExpiration,
    193. 

  193. 	}
    194. 

  194. 	return
    195. 

  195. }
    196. 

  196. 

  197. // GetSessionFromPrincipalName returns the session for the realm of the principal provided.
    198. 

  198. func (cl *Client) sessionFromPrincipalName(spn types.PrincipalName) (*session, error) {
    199. 

  199. 	realm := cl.Config.ResolveRealm(spn.NameString[len(spn.NameString)-1])
    200. 

  200. 	return cl.sessionFromRealm(realm)
    201. 

  201. }
    202.