From 219dc85533a310b21c92b0a99502375435b82a33 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Thu, 18 Jul 2013 13:32:42 +0300
Subject: WIP: reinit mspac on HTTP TGT acquisition to aid trust-add case
---
 daemons/ipa-kdb/ipa_kdb.c | 4 ++--
 daemons/ipa-kdb/ipa_kdb.h | 2 +-
 daemons/ipa-kdb/ipa_kdb_mspac.c | 26 +++++++++++++++++++++++---
 3 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 51b879ca0..cfdafce4c 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -393,8 +393,8 @@ int ipadb_get_connection(struct ipadb_context *ipactx)
 goto done;
 }
- /* get adtrust options */
- ret = ipadb_reinit_mspac(ipactx);
+ /* get adtrust options using default refresh interval */
+ ret = ipadb_reinit_mspac(ipactx, -1);
 if (ret && ret != ENOENT) {
 /* TODO: log that there is an issue with adtrust settings */
 }
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 9e8e0c6f1..c0e81e0d3 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -250,7 +250,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
 krb5_authdata **tgt_auth_data,
 krb5_authdata ***signed_auth_data);
-krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx);
+krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, int interval);
 void ipadb_mspac_struct_free(struct ipadb_mspac **mspac);
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index d6c4f9a6a..fe34859e2 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1282,7 +1282,8 @@ static struct ipadb_adtrusts *get_domain_from_realm_update(krb5_context context,
 return NULL;
 }
- kerr = ipadb_reinit_mspac(ipactx);
+ /* re-init MS-PAC info using default update interval */
+ kerr = ipadb_reinit_mspac(ipactx, -1);
 if (kerr != 0) {
 return NULL;
 }
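Review bot: The new `interval` parameter of `ipadb_reinit_mspac` in ipa_kdb.h has no documentation, so a caller cannot tell from the header what unit it is in or what the `-1` passed by the two existing callers means; the implementation hunk shows it is seconds and that any value less than or equal to zero selects a 60-second default. Add a comment above the prototype along the lines of `/* Reload the MS-PAC/trust configuration unless it was refreshed less than interval seconds ago; interval <= 0 selects the default of 60 seconds. */`. Callers in ipa_kdb.c and ipa_kdb_mspac.c already treat ENOENT specially, so if that return does mean "no trust configuration present" the comment should say so as well.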
@@ -1805,6 +1806,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
 krb5_error_code kerr;
 krb5_pac pac = NULL;
 krb5_data pac_data;
+ struct ipadb_context *ipactx;
 bool with_pac;
 bool with_pad;
@@ -1831,6 +1833,21 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
 is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
 if (is_as_req && with_pac && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
+ /* Be aggressive here: special case for discovering range type
+ * immediately after establishing the trust by IPA framework */
+ if ((krb5_princ_size(context, ks_client_princ) == 2) &&
+ (strncmp(krb5_princ_component(context, ks_client_princ, 0)->data, "HTTP",
+ krb5_princ_component(context, ks_client_princ, 0)->length) == 0)) {
+ ipactx = ipadb_get_context(context);
+ if (!ipactx) {
+ goto done;
+ }
+ if (strncmp(krb5_princ_component(context, ks_client_princ, 1)->data,
+ ipactx->kdc_hostname,
+ krb5_princ_component(context, ks_client_princ, 1)->length) == 0) {
+ kerr = ipadb_reinit_mspac(ipactx, 1);
+ }
+ }
 kerr = ipadb_get_pac(context, client, &pac);
 if (kerr != 0 && kerr != ENOENT) {
@@ -2155,7 +2172,7 @@ done:
 return ret;
 }
-krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx)
+krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, int interval)
 {
 char *dom_attrs[] = { "ipaNTFlatName",
 "ipaNTFallbackPrimaryGroup",
@@ -2174,8 +2191,11 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx)
 * avoid heavy load on the directory server if there are lots of requests
 * from domains which we do not trust. */
 now = time(NULL);
+ if (interval <= 0) {
+ interval = 60;
+ }
 if (ipactx->mspac != NULL && now > ipactx->mspac->last_update &&
- (now - ipactx->mspac->last_update) < 60) {
+ (now - ipactx->mspac->last_update) < interval) {
 return 0;
 }
-- cgit
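Review bot: The two `strncmp` calls added in the `@@ -1831` hunk are prefix matches, not equality tests: each compares only `component->length` bytes, so a two-component client principal whose first part is a prefix of "HTTP" (including an empty one) and whose second part is a prefix of `ipactx->kdc_hostname` passes both checks and reaches the `ipadb_reinit_mspac(ipactx, 1)` reload, the path the function's own comment says is throttled to avoid directory-server load. Compare the lengths first and then `memcmp` exactly that many bytes, since a `krb5_data` is not NUL-terminated. The `kerr` assigned from the reload is overwritten by `ipadb_get_pac` on the next line, so a failed reload is silently discarded; that is defensible for a best-effort refresh but should be explicit rather than a dead store. The `goto done` taken when `ipactx` is NULL jumps with whatever `kerr` held at that point, which from this hunk is not visibly an error code; the declaration of `kerr`, the start of `ipadb_sign_authdata` and the `done:` label all lie outside the hunk, so confirm what is returned there.
```c
    if (is_as_req && with_pac && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
        /* Special case for the IPA framework's own HTTP/kdc-hostname
         * principal acquiring a TGT right after a trust was added: force an
         * early MS-PAC reload so the new trust's range type is discovered. */
        if (krb5_princ_size(context, ks_client_princ) == 2) {
            const krb5_data *svc = krb5_princ_component(context, ks_client_princ, 0);
            const krb5_data *host = krb5_princ_component(context, ks_client_princ, 1);

            /* length-checked equality: krb5_data is not NUL-terminated and
             * strncmp(..., length) would accept any prefix of the name */
            if (svc->length == strlen("HTTP") &&
                memcmp(svc->data, "HTTP", svc->length) == 0) {
                ipactx = ipadb_get_context(context);
                if (!ipactx) {
                    /* NOTE(review): set kerr to an error before jumping --
                     * TODO confirm what done: returns */
                    goto done;
                }
                if (host->length == strlen(ipactx->kdc_hostname) &&
                    memcmp(host->data, ipactx->kdc_hostname, host->length) == 0) {
                    /* best effort: a failed reload must not fail the AS-REQ,
                     * PAC generation continues with the current mspac */
                    (void) ipadb_reinit_mspac(ipactx, 1);
                }
            }
        }

        kerr = ipadb_get_pac(context, client, &pac);
        /* ... unchanged: PAC generation ... */
```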
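Review bot: The 60-second default in the `@@ -2174` hunk is now a bare literal in `interval = 60;` that every `-1` caller silently relies on; give it a name so the header comment, the callers and the throttle agree, e.g. `enum { IPADB_MSPAC_REFRESH_DEFAULT = 60 };` near the function and `interval = IPADB_MSPAC_REFRESH_DEFAULT;` in the fallback. The comment above the check still explains the throttle as protection against heavy directory-server load, yet the new caller in `ipadb_sign_authdata` passes 1, so for that principal only reloads within the same second are suppressed; the comment should state that this caller is expected to be rare and why a one-second window is acceptable. The rest of `ipadb_reinit_mspac` lies outside the hunk.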