From 1e37dbe2c41ff0339873cd2347cb90c39a59d8ed Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 5 Jun 2017 09:50:22 -0400
Subject: [PATCH] Add code to be able to set default kinit lifetime

This is done by setting the kinit_lifetime option in default.conf
to a value that can be passed in with the -l option syntax of kinit.

https://pagure.io/freeipa/issue/7001

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipalib/constants.py     | 1 +
 ipalib/install/kinit.py | 5 ++++-
 ipaserver/rpcserver.py  | 3 ++-
 pylint_plugins.py       | 1 +
 4 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index f8a194c1f559db9aeffef058578d700cde41fd0b..5adff97fbd6ad8ab4cfa5322481be2d9056f925a 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -153,6 +153,7 @@ DEFAULT_CONFIG = (
     ('session_auth_duration', '20 minutes'),
     # How a session expiration is computed, see SessionManager.set_session_expiration_time()
     ('session_duration_type', 'inactivity_timeout'),
+    ('kinit_lifetime', None),
 
     # Debugging:
     ('verbose', 0),
diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
index 73471f103eabfe39580c8fbd0665157f635fa5c5..91ea5132aa1cb1e192af46b4896d55670e375f7a 100644
--- a/ipalib/install/kinit.py
+++ b/ipalib/install/kinit.py
@@ -63,7 +63,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
 
 def kinit_password(principal, password, ccache_name, config=None,
                    armor_ccache_name=None, canonicalize=False,
-                   enterprise=False):
+                   enterprise=False, lifetime=None):
     """
     perform interactive kinit as principal using password. If using FAST for
     web-based authentication, use armor_ccache_path to specify http service
@@ -76,6 +76,9 @@ def kinit_password(principal, password, ccache_name, config=None,
                           % armor_ccache_name)
         args.extend(['-T', armor_ccache_name])
 
+    if lifetime:
+        args.extend(['-l', lifetime])
+
     if canonicalize:
         root_logger.debug("Requesting principal canonicalization")
         args.append('-C')
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 32f286148bbdf294f941116b4bdca85714a52837..2990df25985eab63d4bcfc8edf7f2b12da3e9832 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -969,7 +969,8 @@ class login_password(Backend, KerberosSession):
                 password,
                 ccache_name,
                 armor_ccache_name=armor_path,
-                enterprise=True)
+                enterprise=True,
+                lifetime=self.api.env.kinit_lifetime)
 
             if armor_path:
                 self.debug('Cleanup the armor ccache')
diff --git a/pylint_plugins.py b/pylint_plugins.py
index db80efeba8824eb221d988bb494400da173675a9..550f269b308b6c5b21cb13404040aa0934381f0e 100644
--- a/pylint_plugins.py
+++ b/pylint_plugins.py
@@ -67,6 +67,7 @@ fake_api_env = {'env': [
     'realm',
     'session_auth_duration',
     'session_duration_type',
+    'kinit_lifetime',
 ]}
 
 # this is due ipaserver.rpcserver.KerberosSession where api is undefined
-- 
2.9.4