From cb8c8af56d306267d6964da217c65e129fe83c82 Mon Sep 17 00:00:00 2001

From: Robbie Harwood <rharwood@redhat.com>

Date: Wed, 26 Feb 2020 18:27:17 -0500

Subject: [PATCH] Refresh manually acquired creds from client keytab

If a client keytab is present but credentials are acquired manually,

the credentials would not be refreshed because no refresh_time config

var is set in the cache.  Change kg_cred_time_to_refresh() to attempt

a refresh from the client keytab on any credentials which will expire

in the next 30 seconds.

[ghudson@mit.edu: adjused code and added test case]

ticket: 7976

(cherry picked from commit 729896467e3c77904666019d6cbbda583ae49b95)

(cherry picked from commit 685aada9eae420cb5156ca7b71c2c7614c0b6e2c)

---

 src/lib/gssapi/krb5/acquire_cred.c  | 14 +++++++++++---

 src/tests/gssapi/t_client_keytab.py | 18 ++++++++++++++++++

 2 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c

index acc1868f8..4062f4741 100644

--- a/src/lib/gssapi/krb5/acquire_cred.c

+++ b/src/lib/gssapi/krb5/acquire_cred.c

@@ -557,15 +557,23 @@ set_refresh_time(krb5_context context, krb5_ccache ccache,

 krb5_boolean

 kg_cred_time_to_refresh(krb5_context context, krb5_gss_cred_id_rec *cred)

 {

-    krb5_timestamp now;

+    krb5_timestamp now, soon;

     if (krb5_timeofday(context, &now))

         return FALSE;

+    soon = ts_incr(now, 30);

     if (cred->refresh_time != 0 && !ts_after(cred->refresh_time, now)) {

-        set_refresh_time(context, cred->ccache,

-                         ts_incr(cred->refresh_time, 30));

+        set_refresh_time(context, cred->ccache, soon);

         return TRUE;

     }

+

+    /* If the creds will expire soon, try to refresh even if they weren't

+     * acquired with a client keytab. */

+    if (ts_after(soon, cred->expire)) {

+        set_refresh_time(context, cred->ccache, soon);

+        return TRUE;

+    }

+

     return FALSE;

 }

diff --git a/src/tests/gssapi/t_client_keytab.py b/src/tests/gssapi/t_client_keytab.py

index e474a27c7..7847b3ecd 100755

--- a/src/tests/gssapi/t_client_keytab.py

+++ b/src/tests/gssapi/t_client_keytab.py

@@ -124,4 +124,22 @@ realm.kinit(realm.user_princ, password('user'))

 realm.run(['./t_ccselect', phost], env=bad_cktname,

           expected_msg=realm.user_princ)

+mark('refresh of manually acquired creds')

+

+# Test 17: no name/ccache specified, manually acquired creds which

+# will expire soon.  Verify that creds are refreshed using the current

+# client name, with refresh_time set in the refreshed ccache.

+realm.kinit('bob', password('bob'), ['-l', '15s'])

+realm.run(['./t_ccselect', phost], expected_msg='bob')

+realm.run([klist, '-C'], expected_msg='refresh_time = ')

+

+# Test 18: no name/ccache specified, manually acquired creds with a

+# client principal not present in the client keytab.  A refresh is

+# attempted but fails, and an expired ticket error results.

+realm.kinit(realm.admin_princ, password('admin'), ['-l', '-1s'])

+msgs = ('Getting initial credentials for user/admin@KRBTEST.COM',

+        '/Matching credential not found')

+realm.run(['./t_ccselect', phost], expected_code=1,

+          expected_msg='Ticket expired', expected_trace=msgs)

+

 success('Client keytab tests')