1 From fc748ba83eb29f10fd44b6572b04709fa27dc587 Mon Sep 17 00:00:00 2001
2 From: Simo Sorce <simo@redhat.com>
3 Date: Mon, 13 Mar 2017 08:06:12 -0400
4 Subject: [PATCH] Properly renew expired credentials
6 When a caller imports expired credentials, we aim to actually renew them
7 if we can. However due to incorrect checks and not clearing of the
8 ret_maj variable after checks we end up returning an error instead.
10 Also fix mechglue to also save and properly report the first call errors
11 when both remote and local fail.
15 Signed-off-by: Simo Sorce <simo@redhat.com>
16 Reviewed-by: Robbie Harwood <rharwood@redhat.com>
17 (cherry picked from commit dc462321226f59ceaab0d3db47446a694a8ecba2)
19 proxy/src/gp_creds.c | 14 +++++++++-----
20 proxy/src/mechglue/gpp_acquire_cred.c | 5 +++++
21 2 files changed, 14 insertions(+), 5 deletions(-)
23 diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c
24 index 5d84904..171a724 100644
25 --- a/proxy/src/gp_creds.c
26 +++ b/proxy/src/gp_creds.c
27 @@ -629,8 +629,12 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
28 ret_maj = gp_check_cred(&ret_min, in_cred, desired_name, cred_usage);
29 if (ret_maj == GSS_S_COMPLETE) {
30 return GSS_S_COMPLETE;
31 - } else if (ret_maj != GSS_S_CREDENTIALS_EXPIRED &&
32 - ret_maj != GSS_S_NO_CRED) {
33 + } else if (ret_maj == GSS_S_CREDENTIALS_EXPIRED ||
34 + ret_maj == GSS_S_NO_CRED) {
35 + /* continue and try to obtain new creds */
40 return GSS_S_CRED_UNAVAIL;
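Review bot: The new comment at the `GSS_S_CREDENTIALS_EXPIRED` / `GSS_S_NO_CRED` branch says only that execution continues, not that this is the one place where a rejected `in_cred` is deliberately replaced rather than refused. Since every other `gp_check_cred` status still ends in `return GSS_S_CRED_UNAVAIL;`, I would spell the policy out, for example `/* in_cred is expired or empty: drop the check status and acquire fresh creds below; any other failure is returned to the caller */`. The listing skips a few lines of this branch, so the reset the commit message describes is presumably there but is not shown. gp_add_krb5_creds itself starts and ends outside the hunk.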
42 @@ -639,14 +643,14 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
43 if (acquire_type == ACQ_NORMAL) {
44 ret_min = gp_get_cred_environment(gpcall, desired_name, &req_name,
45 &cred_usage, &cred_store);
47 + ret_maj = GSS_S_CRED_UNAVAIL;
49 } else if (desired_name) {
50 ret_maj = gp_conv_gssx_to_name(&ret_min, desired_name, &req_name);
54 - } else if (ret_min) {
55 - ret_maj = GSS_S_CRED_UNAVAIL;
59 if (!try_impersonate(gpcall->service, cred_usage, acquire_type)) {
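Review bot: With the trailing `else if (ret_min)` removed, a call where `acquire_type` is not `ACQ_NORMAL` and `desired_name` is NULL assigns neither `ret_maj` nor `ret_min` in this chain, so the result rests on whatever the earlier `gp_check_cred` block left in them. The commit message blames that kind of stale status for the original failure, so I would make this block self-contained by putting `ret_maj = GSS_S_COMPLETE;` and `ret_min = 0;` directly before `if (acquire_type == ACQ_NORMAL) {`. The listing omits some lines here, presumably including the guard around the added `ret_maj = GSS_S_CRED_UNAVAIL;`, and the function continues outside the hunk. Confirm that no earlier status is meant to survive to this point before adopting the reset.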
60 diff --git a/proxy/src/mechglue/gpp_acquire_cred.c b/proxy/src/mechglue/gpp_acquire_cred.c
61 index d876699..514fdd1 100644
62 --- a/proxy/src/mechglue/gpp_acquire_cred.c
63 +++ b/proxy/src/mechglue/gpp_acquire_cred.c
64 @@ -186,6 +186,11 @@ OM_uint32 gssi_acquire_cred_from(OM_uint32 *minor_status,
67 if (behavior == GPP_REMOTE_FIRST) {
68 + if (maj != GSS_S_COMPLETE) {
73 /* So remote failed, but we can fallback to local, try that */
74 maj = acquire_local(&min, NULL, name,
75 time_req, desired_mechs, cred_usage, cred_store,