|
 |
31d59b |
From fc748ba83eb29f10fd44b6572b04709fa27dc587 Mon Sep 17 00:00:00 2001
|
|
|
31d59b |
From: Simo Sorce <simo@redhat.com>
|
|
|
31d59b |
Date: Mon, 13 Mar 2017 08:06:12 -0400
|
|
|
31d59b |
Subject: [PATCH] Properly renew expired credentials
|
|
|
31d59b |
|
|
|
31d59b |
When a caller imports expired credentials, we aim to actually renew them
|
|
|
31d59b |
if we can. However due to incorrect checks and not clearing of the
|
|
|
31d59b |
ret_maj variable after checks we end up returning an error instead.
|
|
|
31d59b |
|
|
|
31d59b |
Also fix mechglue to also save and properly report the first call errors
|
|
|
31d59b |
when both remote and local fail.
|
|
|
31d59b |
|
|
|
31d59b |
Resolves: #170
|
|
|
31d59b |
|
|
|
31d59b |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
31d59b |
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
|
|
31d59b |
(cherry picked from commit dc462321226f59ceaab0d3db47446a694a8ecba2)
|
|
|
31d59b |
---
|
|
|
31d59b |
proxy/src/gp_creds.c | 14 +++++++++-----
|
|
|
31d59b |
proxy/src/mechglue/gpp_acquire_cred.c | 5 +++++
|
|
|
31d59b |
2 files changed, 14 insertions(+), 5 deletions(-)
|
|
|
31d59b |
|
|
|
31d59b |
diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c
|
|
|
31d59b |
index 5d84904..171a724 100644
|
|
|
31d59b |
--- a/proxy/src/gp_creds.c
|
|
|
31d59b |
+++ b/proxy/src/gp_creds.c
|
|
|
31d59b |
@@ -629,8 +629,12 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
|
|
|
31d59b |
ret_maj = gp_check_cred(&ret_min, in_cred, desired_name, cred_usage);
|
|
|
31d59b |
if (ret_maj == GSS_S_COMPLETE) {
|
|
|
31d59b |
return GSS_S_COMPLETE;
|
|
|
31d59b |
- } else if (ret_maj != GSS_S_CREDENTIALS_EXPIRED &&
|
|
|
31d59b |
- ret_maj != GSS_S_NO_CRED) {
|
|
|
31d59b |
+ } else if (ret_maj == GSS_S_CREDENTIALS_EXPIRED ||
|
|
|
31d59b |
+ ret_maj == GSS_S_NO_CRED) {
|
|
|
31d59b |
+ /* continue and try to obtain new creds */
|
|
|
31d59b |
+ ret_maj = 0;
|
|
|
31d59b |
+ ret_min = 0;
|
|
|
31d59b |
+ } else {
|
|
|
31d59b |
*min = ret_min;
|
|
|
31d59b |
return GSS_S_CRED_UNAVAIL;
|
|
|
31d59b |
}
|
|
|
31d59b |
@@ -639,14 +643,14 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
|
|
|
31d59b |
if (acquire_type == ACQ_NORMAL) {
|
|
|
31d59b |
ret_min = gp_get_cred_environment(gpcall, desired_name, &req_name,
|
|
|
31d59b |
&cred_usage, &cred_store);
|
|
|
31d59b |
+ if (ret_min) {
|
|
|
31d59b |
+ ret_maj = GSS_S_CRED_UNAVAIL;
|
|
|
31d59b |
+ }
|
|
|
31d59b |
} else if (desired_name) {
|
|
|
31d59b |
ret_maj = gp_conv_gssx_to_name(&ret_min, desired_name, &req_name);
|
|
|
31d59b |
}
|
|
|
31d59b |
if (ret_maj) {
|
|
|
31d59b |
goto done;
|
|
|
31d59b |
- } else if (ret_min) {
|
|
|
31d59b |
- ret_maj = GSS_S_CRED_UNAVAIL;
|
|
|
31d59b |
- goto done;
|
|
|
31d59b |
}
|
|
|
31d59b |
|
|
|
31d59b |
if (!try_impersonate(gpcall->service, cred_usage, acquire_type)) {
|
|
|
31d59b |
diff --git a/proxy/src/mechglue/gpp_acquire_cred.c b/proxy/src/mechglue/gpp_acquire_cred.c
|
|
|
31d59b |
index d876699..514fdd1 100644
|
|
|
31d59b |
--- a/proxy/src/mechglue/gpp_acquire_cred.c
|
|
|
31d59b |
+++ b/proxy/src/mechglue/gpp_acquire_cred.c
|
|
|
31d59b |
@@ -186,6 +186,11 @@ OM_uint32 gssi_acquire_cred_from(OM_uint32 *minor_status,
|
|
|
31d59b |
}
|
|
|
31d59b |
|
|
|
31d59b |
if (behavior == GPP_REMOTE_FIRST) {
|
|
|
31d59b |
+ if (maj != GSS_S_COMPLETE) {
|
|
|
31d59b |
+ /* save errors */
|
|
|
31d59b |
+ tmaj = maj;
|
|
|
31d59b |
+ tmin = min;
|
|
|
31d59b |
+ }
|
|
|
31d59b |
/* So remote failed, but we can fallback to local, try that */
|
|
|
31d59b |
maj = acquire_local(&min, NULL, name,
|
|
|
31d59b |
time_req, desired_mechs, cred_usage, cred_store,
|