
From fc748ba83eb29f10fd44b6572b04709fa27dc587 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 13 Mar 2017 08:06:12 -0400
Subject: [PATCH] Properly renew expired credentials
When a caller imports expired credentials, we aim to actually renew them
if we can. However, due to incorrect checks and the ret_maj variable not
being cleared after those checks, we end up returning an error instead.
Also fix mechglue to also save and properly report the first call errors
when both remote and local fail.
Resolves: #170
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit dc462321226f59ceaab0d3db47446a694a8ecba2)
---
 proxy/src/gp_creds.c                  | 14 +++++++++-----
 proxy/src/mechglue/gpp_acquire_cred.c |  5 +++++
 2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c
index 5d84904..171a724 100644
--- a/proxy/src/gp_creds.c
+++ b/proxy/src/gp_creds.c
@@ -629,8 +629,12 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
         ret_maj = gp_check_cred(&ret_min, in_cred, desired_name, cred_usage);
         if (ret_maj == GSS_S_COMPLETE) {
             return GSS_S_COMPLETE;
-        } else if (ret_maj != GSS_S_CREDENTIALS_EXPIRED &&
-                   ret_maj != GSS_S_NO_CRED) {
+        } else if (ret_maj == GSS_S_CREDENTIALS_EXPIRED ||
+                   ret_maj == GSS_S_NO_CRED) {
+            /* continue and try to obtain new creds */
+            ret_maj = 0;
+            ret_min = 0;
+        } else {
             *min = ret_min;
             return GSS_S_CRED_UNAVAIL;
         }
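Review bot: The reset on the added lines uses the bare literal `ret_maj = 0;` while the branch right above compares against `GSS_S_COMPLETE`; writing `ret_maj = GSS_S_COMPLETE;` keeps the status symbolic and makes the intent (treat the expired or missing credential as a clean starting point for re-acquisition) explicit. The comment could also name what is being deliberately dropped, e.g. `/* expired or missing creds: discard the gp_check_cred() status and try to acquire fresh ones below */`. Note that the major status from gp_check_cred() is discarded at this point, and in the final else branch only ret_min survives while the major is replaced by GSS_S_CRED_UNAVAIL, so presumably a caller can no longer tell an expiry whose renewal later fails from a credential that was never there; if that distinction matters for diagnostics it should be logged here. gp_add_krb5_creds() begins before and continues after this hunk.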
@@ -639,14 +643,14 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
     if (acquire_type == ACQ_NORMAL) {
         ret_min = gp_get_cred_environment(gpcall, desired_name, &req_name,
                                           &cred_usage, &cred_store);
+        if (ret_min) {
+            ret_maj = GSS_S_CRED_UNAVAIL;
+        }
     } else if (desired_name) {
         ret_maj = gp_conv_gssx_to_name(&ret_min, desired_name, &req_name);
     }
     if (ret_maj) {
         goto done;
-    } else if (ret_min) {
-        ret_maj = GSS_S_CRED_UNAVAIL;
-        goto done;
     }
 
     if (!try_impersonate(gpcall->service, cred_usage, acquire_type)) {
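Review bot: The added `if (ret_min)` block in the ACQ_NORMAL branch maps a non-zero result of gp_get_cred_environment() to GSS_S_CRED_UNAVAIL without saying why this branch, unlike the gp_conv_gssx_to_name() one, has to synthesize its own major status; a short comment such as `/* gp_get_cred_environment() only reports a minor code, so supply the major ourselves */` would make the asymmetry clear. That gp_get_cred_environment() yields only a minor value is inferred from its return being assigned to ret_min, not shown by a prototype in the hunk, so the wording should be checked against its definition. The `goto done` path also relies on the `done:` label storing ret_min into `*min`, which lies outside this hunk; if it does not, the minor code gathered here is lost. gp_add_krb5_creds() starts before and ends after this hunk.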
diff --git a/proxy/src/mechglue/gpp_acquire_cred.c b/proxy/src/mechglue/gpp_acquire_cred.c
index d876699..514fdd1 100644
--- a/proxy/src/mechglue/gpp_acquire_cred.c
+++ b/proxy/src/mechglue/gpp_acquire_cred.c
@@ -186,6 +186,11 @@ OM_uint32 gssi_acquire_cred_from(OM_uint32 *minor_status,
     }
 
     if (behavior == GPP_REMOTE_FIRST) {
+        if (maj != GSS_S_COMPLETE) {
+            /* save errors */
+            tmaj = maj;
+            tmin = min;
+        }
         /* So remote failed, but we can fallback to local, try that */
         maj = acquire_local(&min, NULL, name,
                             time_req, desired_mechs, cred_usage, cred_store,