From c6847f012b326a7e27dbe79d8df0faafdeb2dbef Mon Sep 17 00:00:00 2001

From: Scott Mayhew <smayhew@redhat.com>

Date: Thu, 2 Sep 2021 12:44:27 -0400

Subject: [PATCH] Add an option for minimum lifetime

It's possible for gssproxy to return a cached credential with a very

small remaining lifetime.  This can be problematic for NFS clients since

it requires a round trip to the NFS server to establish a GSS context.

Add a min_lifetime option that represents the lowest value that the

lifetime of the cached credential can be.  Any lower than that, and

gp_check_cred() returns GSS_S_CREDENTIALS_EXPIRED, so that

gp_add_krb5_creds() is forced to try to obtain a new credential.

Signed-off-by: Scott Mayhew <smayhew@redhat.com>

[antorres@redhat.com: adjusted lines number for man diff]

---

 examples/99-nfs-client.conf.in |  1 +

 man/gssproxy.conf.5.xml        | 15 +++++++++++++++

 src/gp_config.c                | 12 ++++++++++++

 src/gp_creds.c                 | 12 ++++++++++--

 src/gp_proxy.h                 |  1 +

 5 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/examples/99-nfs-client.conf.in b/examples/99-nfs-client.conf.in

index c0985d9..9dd1891 100644

--- a/examples/99-nfs-client.conf.in

+++ b/examples/99-nfs-client.conf.in

@@ -7,3 +7,4 @@

   allow_any_uid = yes

   trusted = yes

   euid = 0

+  min_lifetime = 60

diff --git a/man/gssproxy.conf.5.xml b/man/gssproxy.conf.5.xml

index de846b4..af6ca18 100644

--- a/man/gssproxy.conf.5.xml

+++ b/man/gssproxy.conf.5.xml

@@ -348,6 +348,21 @@

                     </listitem>

                     </varlistentry>

+                <varlistentry>

+                    <term>min_lifetime (integer)</term>

+                    <listitem>

+                        <para>Minimum lifetime of a cached credential, in seconds.</para>

+                        <para>If non-zero, when gssproxy is deciding whether to use

+                            a cached credential, it will compare the lifetime of the

+                            cached credential to this value.  If the lifetime of the

+                            cached credential is lower, gssproxy will treat the cached

+                            credential as expired and will attempt to obtain a new

+                            credential.

+                        </para>

+                        <para>Default: min_lifetime = 15</para>

+                    </listitem>

+                </varlistentry>

+

                 <varlistentry>

                     <term>program (string)</term>

                     <listitem>

diff --git a/src/gp_config.c b/src/gp_config.c

index 4cda579..a0afa73 100644

--- a/src/gp_config.c

+++ b/src/gp_config.c

@@ -32,6 +32,7 @@ struct gp_flag_def flag_names[] = {

 #define DEFAULT_FILTERED_FLAGS GSS_C_DELEG_FLAG

 #define DEFAULT_ENFORCED_FLAGS 0

+#define DEFAULT_MIN_LIFETIME 15

 static void free_str_array(const char ***a, int *count)

 {

@@ -538,6 +539,17 @@ static int load_services(struct gp_config *cfg, struct gp_ini_context *ctx)

                     goto done;

                 }

             }

+

+            cfg->svcs[n]->min_lifetime = DEFAULT_MIN_LIFETIME;

+            ret = gp_config_get_int(ctx, secname, "min_lifetime", &valnum);

+            if (ret == 0) {

+                if (valnum >= 0) {

+                    cfg->svcs[n]->min_lifetime = valnum;

+                } else {

+                    GPDEBUG("Invalid value '%d' for min_lifetime in [%s], ignoring.\n",

+                            valnum, secname);

+                }

+            }

         }

         safefree(secname);

     }

diff --git a/src/gp_creds.c b/src/gp_creds.c

index 92a6f13..843d1a3 100644

--- a/src/gp_creds.c

+++ b/src/gp_creds.c

@@ -492,6 +492,7 @@ done:

 }

 static uint32_t gp_check_cred(uint32_t *min,

+                              struct gp_service *svc,

                               gss_cred_id_t in_cred,

                               gssx_name *desired_name,

                               gss_cred_usage_t cred_usage)

@@ -563,7 +564,14 @@ static uint32_t gp_check_cred(uint32_t *min,

     if (lifetime == 0) {

         ret_maj = GSS_S_CREDENTIALS_EXPIRED;

     } else {

-        ret_maj = GSS_S_COMPLETE;

+        if (svc->min_lifetime && lifetime < svc->min_lifetime) {

+            GPDEBUG("%s: lifetime (%u) less than min_lifetime (%u) "

+                    "for service \"%s\" - returning\n",

+                    __func__, lifetime, svc->min_lifetime, svc->name);

+            ret_maj = GSS_S_CREDENTIALS_EXPIRED;

+        } else {

+            ret_maj = GSS_S_COMPLETE;

+        }

     }

 done:

@@ -622,7 +630,7 @@ uint32_t gp_add_krb5_creds(uint32_t *min,

          * function completely */

         /* just check if it is a valid krb5 cred */

-        ret_maj = gp_check_cred(&ret_min, in_cred, desired_name, cred_usage);

+        ret_maj = gp_check_cred(&ret_min, gpcall->service, in_cred, desired_name, cred_usage);

         if (ret_maj == GSS_S_COMPLETE) {

             return GSS_S_COMPLETE;

         } else if (ret_maj == GSS_S_CREDENTIALS_EXPIRED ||

diff --git a/src/gp_proxy.h b/src/gp_proxy.h

index 3f58a43..f56d640 100644

--- a/src/gp_proxy.h

+++ b/src/gp_proxy.h

@@ -45,6 +45,7 @@ struct gp_service {

     gss_cred_usage_t cred_usage;

     uint32_t filter_flags;

     uint32_t enforce_flags;

+    uint32_t min_lifetime;

     char *program;

     uint32_t mechs;

-- 

2.31.1