git.ipfire.org Git - thirdparty/krb5.git/commit

author	Greg Hudson <ghudson@mit.edu>
	Fri, 3 Sep 2021 15:36:01 +0000 (11:36 -0400)
committer	Greg Hudson <ghudson@mit.edu>
	Tue, 14 Sep 2021 03:14:12 +0000 (23:14 -0400)
commit	3f5a348287646d65700854650fe668b9c4249013
tree	c23c474be6a6100271b687cddf2ecb2977d02a1a	tree
parent	789a4d315f321ef6ac085bf227c4ad1a34367086	commit \| diff

Improve gss_store_cred() behavior

Select an output credential cache using similar logic to kinit.  Do
not require the target cache to be initialized.

Try to use the per-thread cache set by gss_krb5_ccache_name() if no
output cache was specified via a cred store.

When the destination is a collection, honor the default_cred flag by
switching the primary cache to the selected output cache.  When the
destination is not a collection, ignore the default_cred flag.
(Previously the default_cred flag was mandatory for gss_store_cred()
even though it is an advisory flag, and ignored for
gss_store_cred_into() even if no ccache was specified in the cred
store.)

Honor the overwrite_cred flag by refusing to replace an initialized
cache if it is not set.  Stop using gss_acquire_cred() for this
purpose as it could go out and fetch credentials from a client keytab.

Perform atomic replacement of the target cache when possible, using
krb5_cc_move().

Add a test harness for calling gss_store_cred() or
gss_store_cred_into() and a suite of tests.  Fix a broken trace log
message for krb5_cc_move() and update the expected trace logs for an
existing t_credstore.py test.

ticket: 8010

.gitignore		diff \| blob \| blame \| history
doc/appdev/gssapi.rst		diff \| blob \| blame \| history
src/include/k5-trace.h		diff \| blob \| blame \| history
src/lib/gssapi/krb5/store_cred.c		diff \| blob \| blame \| history
src/tests/gssapi/Makefile.in		diff \| blob \| blame \| history
src/tests/gssapi/t_credstore.py		diff \| blob \| blame \| history
src/tests/gssapi/t_store_cred.c	[new file with mode: 0644]	blob
src/tests/gssapi/t_store_cred.py	[new file with mode: 0644]	blob