+++ /dev/null
-From 5fa4e2d5d484df17ebd9a585a6dfdf4522320426 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Mon, 20 Nov 2017 14:09:04 -0500
-Subject: [PATCH] Properly locate credentials in collection caches in mechglue
-
-Previously, we would just put the credentials in the default cache for
-a collection type, which lead to some mysterious failures.
-
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
-Reviewed-by: Simo Sorce <simo@redhat.com>
-Merges: #221
-(cherry picked from commit 670240a6cd4d5e2ecf13e481621098693cdbaa89)
----
- proxy/src/mechglue/gpp_creds.c | 81 +++++++++++++++++++++++----------
- proxy/src/mechglue/gss_plugin.h | 2 +-
- 2 files changed, 59 insertions(+), 24 deletions(-)
-
-diff --git a/proxy/src/mechglue/gpp_creds.c b/proxy/src/mechglue/gpp_creds.c
-index 3ebd726..187ada7 100644
---- a/proxy/src/mechglue/gpp_creds.c
-+++ b/proxy/src/mechglue/gpp_creds.c
-@@ -170,7 +170,16 @@ static krb5_error_code gpp_construct_cred(gssx_cred *creds, krb5_context ctx,
- return 0;
- }
-
--uint32_t gpp_store_remote_creds(uint32_t *min, bool default_creds,
-+/* Store creds from remote in a local ccache, updating where possible.
-+ *
-+ * If store_as_default_cred is true, the cred is made default for its
-+ * collection, if there is one. Note that if the ccache is not of a
-+ * collection type, the creds will overwrite the ccache.
-+ *
-+ * If no "ccache" entry is specified in cred_store, the default ccache for a
-+ * new context will be used.
-+ */
-+uint32_t gpp_store_remote_creds(uint32_t *min, bool store_as_default_cred,
- gss_const_key_value_set_t cred_store,
- gssx_cred *creds)
- {
-@@ -179,7 +188,7 @@ uint32_t gpp_store_remote_creds(uint32_t *min, bool default_creds,
- krb5_creds cred;
- krb5_error_code ret;
- char cred_name[creds->desired_name.display_name.octet_string_len + 1];
-- const char *cc_type;
-+ const char *cc_name;
-
- *min = 0;
-
-@@ -191,38 +200,64 @@ uint32_t gpp_store_remote_creds(uint32_t *min, bool default_creds,
- goto done;
- }
-
-- if (cred_store) {
-- for (unsigned i = 0; i < cred_store->count; i++) {
-- if (strcmp(cred_store->elements[i].key, "ccache") == 0) {
-- ret = krb5_cc_resolve(ctx, cred_store->elements[i].value,
-- &ccache);
-- if (ret) goto done;
-- break;
-- }
-+ for (unsigned i = 0; cred_store && i < cred_store->count; i++) {
-+ if (strcmp(cred_store->elements[i].key, "ccache") == 0) {
-+ /* krb5 creates new ccaches based off the default name. */
-+ ret = krb5_cc_set_default_name(ctx,
-+ cred_store->elements[i].value);
-+ if (ret)
-+ goto done;
-+
-+ break;
- }
- }
-- if (!ccache) {
-- if (!default_creds) {
-- ret = ENOMEDIUM;
-- goto done;
-- }
-- ret = krb5_cc_default(ctx, &ccache);
-- if (ret) goto done;
-- }
-
-- cc_type = krb5_cc_get_type(ctx, ccache);
-- if (strcmp(cc_type, "FILE") == 0) {
-+ cc_name = krb5_cc_default_name(ctx);
-+ if (strncmp(cc_name, "FILE:", 5) == 0 || !strchr(cc_name, ':')) {
- /* FILE ccaches don't handle updates properly: if they have the same
- * principal name, they are blackholed. We either have to change the
- * name (at which point the file grows forever) or flash the cache on
- * every update. */
-- ret = krb5_cc_initialize(ctx, ccache, cred.client);
-- if (ret != 0) {
-+ ret = krb5_cc_default(ctx, &ccache);
-+ if (ret)
- goto done;
-- }
-+
-+ ret = krb5_cc_initialize(ctx, ccache, cred.client);
-+ if (ret != 0)
-+ goto done;
-+
-+ ret = krb5_cc_store_cred(ctx, ccache, &cred);
-+ goto done;
- }
-
-+ ret = krb5_cc_cache_match(ctx, cred.client, &ccache);
-+ if (ret == KRB5_CC_NOTFOUND) {
-+ /* A new ccache within the collection whose name is based off the
-+ * default_name for the context. krb5_cc_new_unique only accepts the
-+ * leading component of a name as a type. */
-+ char *cc_type;
-+ const char *p;
-+
-+ p = strchr(cc_name, ':'); /* can't be FILE here */
-+ cc_type = strndup(cc_name, p - cc_name);
-+ if (!cc_type) {
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+
-+ ret = krb5_cc_new_unique(ctx, cc_type, NULL, &ccache);
-+ free(cc_type);
-+ }
-+ if (ret)
-+ goto done;
-+
- ret = krb5_cc_store_cred(ctx, ccache, &cred);
-+ if (ret)
-+ goto done;
-+
-+ if (store_as_default_cred) {
-+ ret = krb5_cc_switch(ctx, ccache);
-+ }
-
- done:
- if (ctx) {
-diff --git a/proxy/src/mechglue/gss_plugin.h b/proxy/src/mechglue/gss_plugin.h
-index 333d63c..c0e8870 100644
---- a/proxy/src/mechglue/gss_plugin.h
-+++ b/proxy/src/mechglue/gss_plugin.h
-@@ -76,7 +76,7 @@ uint32_t gpp_cred_handle_init(uint32_t *min, bool defcred, const char *ccache,
- struct gpp_cred_handle **out_handle);
- uint32_t gpp_cred_handle_free(uint32_t *min, struct gpp_cred_handle *handle);
- bool gpp_creds_are_equal(gssx_cred *a, gssx_cred *b);
--uint32_t gpp_store_remote_creds(uint32_t *min, bool default_creds,
-+uint32_t gpp_store_remote_creds(uint32_t *min, bool store_as_default_cred,
- gss_const_key_value_set_t cred_store,
- gssx_cred *creds);
-
Code Review / pti / rtp.git / blobdiff