krb5-auth-dialog r88 - in branches/pkinit: . src
- From: guidog svn gnome org
- To: svn-commits-list gnome org
- Subject: krb5-auth-dialog r88 - in branches/pkinit: . src
- Date: Sun, 4 Jan 2009 16:04:00 +0000 (UTC)
Author: guidog
Date: Sun Jan 4 16:03:59 2009
New Revision: 88
URL: http://svn.gnome.org/viewvc/krb5-auth-dialog?rev=88&view=rev
Log:
separate ticket renewal and interactive ticket acquisition
Modified:
branches/pkinit/ChangeLog
branches/pkinit/src/krb5-auth-applet.h
branches/pkinit/src/krb5-auth-dialog.c
Modified: branches/pkinit/src/krb5-auth-applet.h
==============================================================================
--- branches/pkinit/src/krb5-auth-applet.h (original)
+++ branches/pkinit/src/krb5-auth-applet.h Sun Jan 4 16:03:59 2009
@@ -49,6 +49,7 @@
NotifyNotification* notification;/* notification messages */
#endif /* HAVE_LIBNOTIFY */
char* principal; /* the principal to request */
+ gboolean renewable; /* credentials renewable? */
} Krb5AuthApplet;
Krb5AuthApplet* ka_create_applet();
Modified: branches/pkinit/src/krb5-auth-dialog.c
==============================================================================
--- branches/pkinit/src/krb5-auth-dialog.c (original)
+++ branches/pkinit/src/krb5-auth-dialog.c Sun Jan 4 16:03:59 2009
@@ -51,7 +51,8 @@
static gboolean invalid_password;
static gboolean always_run;
-static int grab_credentials (Krb5AuthApplet* applet, gboolean renewable);
+static int grab_credentials (Krb5AuthApplet* applet);
+static int ka_renew_credentials (Krb5AuthApplet* applet);
static gboolean get_tgt_from_ccache (krb5_context context, krb5_creds *creds);
/* YAY for different Kerberos implementations */
@@ -128,12 +129,12 @@
/* ***************************************************************** */
static gboolean
-credentials_expiring_real (Krb5AuthApplet* applet, gboolean *renewable)
+credentials_expiring_real (Krb5AuthApplet* applet)
{
krb5_creds my_creds;
krb5_timestamp now;
gboolean retval = FALSE;
- *renewable = FALSE;
+ applet->renewable = FALSE;
if (!get_tgt_from_ccache (kcontext, &my_creds)) {
creds_expiry = 0;
@@ -152,7 +153,7 @@
/* If our creds are expiring, determine whether they are renewable */
if (retval && get_cred_renewable(&my_creds) && my_creds.times.renew_till > now) {
- *renewable = TRUE;
+ applet->renewable = TRUE;
}
krb5_free_cred_contents (kcontext, &my_creds);
@@ -215,12 +216,11 @@
krb5_auth_dialog_do_updates (gpointer data)
{
Krb5AuthApplet* applet = (Krb5AuthApplet*)data;
- gboolean refreshable;
g_return_val_if_fail (applet != NULL, FALSE);
/* Update creds_expiry and close the applet if we got the creds by other means (e.g. kinit) */
- if (!credentials_expiring_real(applet, &refreshable)) {
+ if (!credentials_expiring_real(applet)) {
KA_DEBUG("PW Dialog persist is %d", applet->pw_dialog_persist);
if (!applet->pw_dialog_persist)
gtk_widget_hide(applet->pw_dialog);
@@ -394,21 +394,28 @@
}
#endif
-
static gboolean
credentials_expiring (gpointer *data)
{
int retval;
gboolean give_up;
- gboolean renewable;
Krb5AuthApplet* applet = (Krb5AuthApplet*) data;
KA_DEBUG("Checking expiry: %d", applet->pw_prompt_secs);
- if (credentials_expiring_real (applet, &renewable) && is_online && !applet->show_trayicon) {
+ if (credentials_expiring_real (applet) && is_online) {
+
+ if (!ka_renew_credentials (applet)) {
+ KA_DEBUG("Credentials renewed, renewable: %d", applet->renewable);
+ goto out;
+ }
+
+ if (!applet->show_trayicon)
+ goto out;
+
give_up = canceled && (creds_expiry == canceled_creds_expiry);
if (!give_up) {
do {
- retval = grab_credentials (applet, renewable);
+ retval = grab_credentials (applet);
give_up = canceled &&
(creds_expiry == canceled_creds_expiry);
} while ((retval != 0) &&
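Review bot: The new guard `if (!applet->show_trayicon) goto out;` in credentials_expiring looks inverted relative to the condition it replaces. The removed line entered the prompting branch only when `!applet->show_trayicon` was true, whereas the new code skips the interactive prompt in exactly that case and prompts when the tray icon is shown. If the old behaviour was intended, the guard should read `if (applet->show_trayicon) goto out;`. If the change is deliberate, the log message should say so, because it changes when users are asked for their password. The loop continues past the end of this hunk.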
@@ -418,6 +425,7 @@
!give_up);
}
}
+out:
ka_update_status(applet, creds_expiry);
return TRUE;
}
@@ -453,8 +461,10 @@
/* krb5_get_init_creds_opt_set_address_list(opts, creds->addresses); */
}
+
+/* grab credentials interactively */
static int
-grab_credentials (Krb5AuthApplet* applet, gboolean renewable)
+grab_credentials (Krb5AuthApplet* applet)
{
krb5_error_code retval;
krb5_creds my_creds;
@@ -476,27 +486,10 @@
return retval;
krb5_get_init_creds_opt_init (&opts);
- if (get_tgt_from_ccache (kcontext, &my_creds)) {
- set_options_using_creds (applet, kcontext, &my_creds, &opts);
- creds_expiry = my_creds.times.endtime;
-
- if (renewable) {
- retval = get_renewed_creds (kcontext, &my_creds, kprincipal, ccache, NULL);
-
- /* If we succeeded in renewing the credentials, we store it. */
- if (retval == 0) {
- goto store;
- }
- /* Else, try to get new credentials, so just fall through */
- }
- krb5_free_cred_contents (kcontext, &my_creds);
- } else {
- creds_expiry = 0;
- }
-
retval = krb5_get_init_creds_password(kcontext, &my_creds, kprincipal,
NULL, auth_dialog_prompter, applet,
0, NULL, &opts);
+ creds_expiry = my_creds.times.endtime;
if (canceled) {
canceled_creds_expiry = creds_expiry;
}
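Review bot: In grab_credentials, `creds_expiry = my_creds.times.endtime;` now runs before `retval` from krb5_get_init_creds_password is checked, so a failed or cancelled prompt overwrites the global with whatever `my_creds` holds (its initialisation is outside this hunk). The `if (canceled)` block that follows then copies that value into `canceled_creds_expiry`. The `give_up` test in credentials_expiring compares this against the expiry of the ticket actually in the cache, so a cancel may no longer be remembered and the user could be re-prompted. The removed code set `creds_expiry` from the cached TGT before prompting and from the new credentials only after a successful store. Guarding the assignment, `if (retval == 0) creds_expiry = my_creds.times.endtime;`, would keep the failure path from clobbering it. The function body starts and ends outside the hunk.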
@@ -513,7 +506,6 @@
goto out;
}
-store:
retval = krb5_cc_initialize(kcontext, ccache, kprincipal);
if (retval) {
goto out;
@@ -524,7 +516,6 @@
goto out;
}
- creds_expiry = my_creds.times.endtime;
out:
krb5_free_cred_contents (kcontext, &my_creds);
krb5_cc_close (kcontext, ccache);
@@ -532,6 +523,55 @@
return retval;
}
+/* try to renew the credentials noninteractively */
+static int
+ka_renew_credentials (Krb5AuthApplet* applet)
+{
+ krb5_error_code retval;
+ krb5_creds my_creds;
+ krb5_ccache ccache;
+ krb5_get_init_creds_opt opts;
+
+ memset(&my_creds, 0, sizeof(my_creds));
+
+ if (kprincipal == NULL) {
+ retval = krb5_parse_name(kcontext, applet->principal,
+ &kprincipal);
+ if (retval) {
+ return retval;
+ }
+ }
+
+ retval = krb5_cc_default (kcontext, &ccache);
+ if (retval)
+ return retval;
+
+ krb5_get_init_creds_opt_init (&opts);
+ if (get_tgt_from_ccache (kcontext, &my_creds)) {
+ set_options_using_creds (applet, kcontext, &my_creds, &opts);
+
+ if (applet->renewable) {
+ retval = get_renewed_creds (kcontext, &my_creds, kprincipal, ccache, NULL);
+
+ if (retval != 0) {
+ goto out;
+ }
+ }
+ retval = krb5_cc_store_cred(kcontext, ccache, &my_creds);
+ if (retval)
+ goto out;
+ } else
+ retval = -1;
+
+out:
+ creds_expiry = my_creds.times.endtime;
+ krb5_free_cred_contents (kcontext, &my_creds);
+ krb5_cc_close (kcontext, ccache);
+
+ return retval;
+}
+
+
static gboolean
get_tgt_from_ccache (krb5_context context, krb5_creds *creds)
{
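Review bot: ka_renew_credentials returns 0 when a TGT is in the cache but `applet->renewable` is FALSE. The `if (applet->renewable)` block is skipped, the unchanged credentials are written back with krb5_cc_store_cred, and `retval` stays 0. The caller in credentials_expiring treats 0 as "Credentials renewed" and jumps to `out`, so expiring non-renewable tickets would never reach the interactive prompt. An early exit before the renewal call, `if (!applet->renewable) { retval = -1; goto out; }`, keeps the fallback to grab_credentials working. Separately, the removed `store:` path called krb5_cc_initialize before storing, while the new function stores straight into the existing cache. Whether that leaves a stale TGT alongside the renewed one depends on get_renewed_creds, which is not visible here. `opts` is also initialised and filled by set_options_using_creds but never used in this function.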
@@ -604,13 +644,12 @@
krb5_ccache ccache;
const char* cache;
krb5_error_code ret;
- gboolean renewable;
cache = krb5_cc_default_name(kcontext);
ret = krb5_cc_resolve(kcontext, cache, &ccache);
ret = krb5_cc_destroy (kcontext, ccache);
- credentials_expiring_real(applet, &renewable);
+ credentials_expiring_real(applet);
}
@@ -633,12 +672,12 @@
ka_grab_credentials (Krb5AuthApplet* applet)
{
int retval;
- gboolean renewable, retry;
+ gboolean retry;
applet->pw_dialog_persist = TRUE;
do {
retry = TRUE;
- retval = grab_credentials (applet, FALSE);
+ retval = grab_credentials (applet);
switch (retval) {
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
retry = TRUE;
@@ -656,7 +695,7 @@
} while(retry);
applet->pw_dialog_persist = FALSE;
- credentials_expiring_real(applet, &renewable);
+ credentials_expiring_real(applet);
}