[gnome-online-accounts/gnome-3-12] identity: don't set expiration_time to 0 intermediately while verifying identity

[Debarshi Ray <debarshir src gnome org>]

commit 37948cb990c877606333518ecc67a2ecb5bd6dda
Author: Ray Strode <rstrode redhat com>
Date:   Tue Oct 28 16:54:06 2014 -0400

    identity: don't set expiration_time to 0 intermediately while verifying identity
    
    The top of verify_identity calls
    
    set_expiration_time(self, 0);
    
    as a way to make sure the expiration time is 0'd if the identity's
    credentials are invalidated.  In the case, they are still valid,
    set_expiration_time is called again with the new, most up to date
    value. The problem is the intermediate 0 isn't invisible, there's a
    window where the identity can be read and 0 will get returned, even
    when the identity is valid.
    
    This commit defers setting the expiration time until the very end of
    the function.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=739593

 src/goaidentity/goakerberosidentity.c |   17 ++++++++---------
 1 files changed, 8 insertions(+), 9 deletions(-)
---
diff --git a/src/goaidentity/goakerberosidentity.c b/src/goaidentity/goakerberosidentity.c
index 34d0400..89460ed 100644
--- a/src/goaidentity/goakerberosidentity.c
+++ b/src/goaidentity/goakerberosidentity.c
@@ -545,20 +545,18 @@ set_expiration_time (GoaKerberosIdentity *self,
 
 static gboolean
 credentials_are_expired (GoaKerberosIdentity *self,
-                         krb5_creds          *credentials)
+                         krb5_creds          *credentials,
+                         krb5_timestamp      *expiration_time)
 {
   krb5_timestamp current_time;
-  krb5_timestamp expiration_time;
 
   current_time = get_current_time (self);
 
   G_LOCK (identity_lock);
-  expiration_time = MAX (credentials->times.endtime,
-                         self->priv->expiration_time);
+  *expiration_time = MAX (credentials->times.endtime,
+                          self->priv->expiration_time);
   G_UNLOCK (identity_lock);
 
-  set_expiration_time (self, expiration_time);
-
   if (credentials->times.endtime <= current_time)
     {
       return TRUE;
@@ -575,10 +573,9 @@ verify_identity (GoaKerberosIdentity  *self,
   krb5_cc_cursor cursor;
   krb5_creds credentials;
   krb5_error_code error_code;
+  krb5_timestamp expiration_time = 0;
   VerificationLevel verification_level = VERIFICATION_LEVEL_UNVERIFIED;
 
-  set_expiration_time (self, 0);
-
   if (self->priv->credentials_cache == NULL)
     goto out;
 
@@ -627,7 +624,7 @@ verify_identity (GoaKerberosIdentity  *self,
     {
       if (credentials_validate_existence (self, principal, &credentials))
         {
-          if (!credentials_are_expired (self, &credentials))
+          if (!credentials_are_expired (self, &credentials, &expiration_time))
             verification_level = VERIFICATION_LEVEL_SIGNED_IN;
           else
             verification_level = VERIFICATION_LEVEL_EXISTS;
@@ -672,6 +669,8 @@ verify_identity (GoaKerberosIdentity  *self,
       goto out;
     }
 out:
+  set_expiration_time (self, expiration_time);
+
   if (principal != NULL)
     krb5_free_principal (self->priv->kerberos_context, principal);
   return verification_level;