From fa967f79b5fa0eb42374185a7a0c513ef6eefc24 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubom=C3=ADr=20Sedl=C3=A1=C5=99?=
Date: Tue, 13 Sep 2022 11:54:23 +0200
Subject: [PATCH] Ignore existing kerberos ticket for CTS auth
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When there is an existing kerberos ticket, it gets precedence over the environment variable with path to a keytab. That is not expected and the user ticket can possibly lack permissions in CTS to be able to run the compose successfully. This patch fixes that by setting KRB5CCNAME to a fresh path. That way there will not be any valid ticket, since the credentials cache does not exist yet.
JIRA: RHELCMP-9742
Signed-off-by: Lubomír Sedlář
---
 pungi/compose.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pungi/compose.py b/pungi/compose.py
index e289a7a2..88ef7f6f 100644
--- a/pungi/compose.py
+++ b/pungi/compose.py
@@ -102,6 +102,7 @@ def get_compose_info(
 if "$HOSTNAME" in cts_keytab:
 cts_keytab = cts_keytab.replace("$HOSTNAME", socket.gethostname())
 os.environ["KRB5_CLIENT_KTNAME"] = cts_keytab
+ os.environ["KRB5CCNAME"] = "DIR:%s" % tempfile.mkdtemp()
 try:
 # Create compose in CTS and get the reserved compose ID.
@@ -116,6 +117,7 @@ def get_compose_info(
 rv.raise_for_status()
 finally:
 if cts_keytab:
+ shutil.rmtree(os.environ["KRB5CCNAME"].split(":", 1)[1])
 os.environ.clear()
 os.environ.update(environ_copy)
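Review bot: The cleanup added in the second hunk runs `shutil.rmtree(...)` on a path re-parsed from `os.environ["KRB5CCNAME"]` before the environment is restored, so if that lookup or the removal raises, `os.environ.clear()` / `os.environ.update(environ_copy)` are skipped and the process keeps `KRB5_CLIENT_KTNAME` and the temporary cache setting for everything that runs afterwards. Holding the `tempfile.mkdtemp()` result from the first hunk in a local variable and removing that directory after the restore avoids both problems, and it ensures the directory deleted is the one this function created even if something changed `KRB5CCNAME` during the request. The cache directory holds a ticket obtained from the keytab, so it is worth a short comment next to the `mkdtemp()` line saying that the directory is private to this call and must not outlive it. Both hunks sit inside `get_compose_info`, whose body starts and ends outside the hunks, and the page has lost the indentation, so the nesting in the sketch below is assumed.

```python
    # Private credential cache for this call only; removed in the finally block.
    ccache_dir = tempfile.mkdtemp()
    os.environ["KRB5CCNAME"] = "DIR:%s" % ccache_dir
# … unchanged: CTS request inside the try block …
finally:
    if cts_keytab:
        # Restore the caller's environment first so a cleanup error cannot skip it.
        os.environ.clear()
        os.environ.update(environ_copy)
        shutil.rmtree(ccache_dir)
```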