From: Stefan Metzmacher
Date: Tue, 27 Feb 2024 14:42:37 +0000 (+0100)
Subject: lib/krb5_wrap: add smb_krb5_cc_new_unique_memory()
X-Git-Tag: tdb-1.4.11~844
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=48bcc218c980e9478e2a3479e889766e6ca7f1dd;p=thirdparty%2Fsamba.git

lib/krb5_wrap: add smb_krb5_cc_new_unique_memory()

This generates a memory credential cache that is not visible to a (the default) credential cache collection.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
---

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 7cc28697e81..0df4d042081 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1093,6 +1093,80 @@ krb5_error_code smb_krb5_principal_get_comp_string(TALLOC_CTX *mem_ctx,
 return 0;
 }
 
+krb5_error_code smb_krb5_cc_new_unique_memory(krb5_context context,
+ TALLOC_CTX *mem_ctx,
+ char **ccache_name,
+ krb5_ccache *id)
+{
+ krb5_error_code code;
+ const char *type = NULL;
+ const char *name = NULL;
+
+ if (ccache_name != NULL) {
+ *ccache_name = NULL;
+ }
+ *id = NULL;
+
+#ifdef SAMBA4_USES_HEIMDAL
+ /*
+ * "MEMORY:anonymous" is not visible to
+ * the credential cache collection iterator
+ *
+ * It creates anonymous-POINTER-UNIQUECOUNTTER
+ * in the background.
+ */
+ code = krb5_cc_resolve(context, "MEMORY:anonymous", id);
+ if (code != 0) {
+ DBG_ERR("krb5_cc_resolve(MEMORY:anonymous) failed: %s\n",
+ smb_get_krb5_error_message(
+ context, code, mem_ctx));
+ return code;
+ }
+#else /* MIT */
+ /*
+ * In MIT the "MEMORY:" credential cache collection
+ * only contains the default cache (at most).
+ */
+ code = krb5_cc_new_unique(context, "MEMORY", NULL, id);
+ if (code != 0) {
+ DBG_ERR("krb5_cc_new_unique failed: %s\n",
+ smb_get_krb5_error_message(
+ context, code, mem_ctx));
+ return code;
+ }
+#endif /* MIT */
+
+ type = krb5_cc_get_type(context, *id);
+ if (type == NULL) {
+ DBG_ERR("krb5_cc_get_type failed...\n");
+ krb5_cc_destroy(context, *id);
+ *id = NULL;
+ return KRB5_CC_UNKNOWN_TYPE;
+ }
+
+ name = krb5_cc_get_name(context, *id);
+ if (name == NULL) {
+ DBG_ERR("krb5_cc_get_name failed...\n");
+ krb5_cc_destroy(context, *id);
+ *id = NULL;
+ return KRB5_CC_BADNAME;
+ }
+
+ if (ccache_name == NULL) {
+ return 0;
+ }
+
+ *ccache_name = talloc_asprintf(mem_ctx, "%s:%s", type, name);
+ if (*ccache_name == NULL) {
+ DBG_ERR("krb5_cc_get_name failed...\n");
+ krb5_cc_destroy(context, *id);
+ *id = NULL;
+ return ENOMEM;
+ }
+
+ return 0;
+}
+
 /**
 * @brief
 *
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index df6d392c020..a3470c1ea28 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
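Review bot: The out-of-memory branch after `talloc_asprintf()` in `smb_krb5_cc_new_unique_memory()` logs `krb5_cc_get_name failed...`, the same text as the branch above it, so a log reader cannot tell an allocation failure from a bad cache name; it should read `DBG_ERR("talloc_asprintf failed...\n");`. The function also lacks the `/** @brief` doc block the file uses elsewhere: `*id = NULL` is written unconditionally while `ccache_name` is NULL-checked, so the comment should state that `id` is required, `ccache_name` is optional, and that on success the caller owns the cache and must release it with `krb5_cc_destroy()` and free `*ccache_name`. Because this cache is meant to hold Kerberos credentials out of sight of the collection, the lifetime rule is worth spelling out at the definition and at the new prototype in `krb5_samba.h`. Whether the string returned by `smb_get_krb5_error_message()` remains allocated on the caller's `mem_ctx` after the two early error returns is not visible in this hunk and should be confirmed.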
@@ -450,6 +450,11 @@ krb5_error_code krb5_warnx(krb5_context context, const char *fmt, ...)
 PRINTF_ATTRIBUTE(2, 0);
 #endif
 
+krb5_error_code smb_krb5_cc_new_unique_memory(krb5_context context,
+ TALLOC_CTX *mem_ctx,
+ char **ccache_name,
+ krb5_ccache *id);
+
 krb5_error_code smb_krb5_cc_copy_creds(krb5_context context,
 krb5_ccache incc,
 krb5_ccache outcc);