52 lines
2.1 KiB
Diff
52 lines
2.1 KiB
Diff
From e69d98add55f25641459fc1dfb973260e85f9b95 Mon Sep 17 00:00:00 2001
|
|
From: Stanislav Levin <slev@altlinux.org>
|
|
Date: Jan 30 2024 15:07:56 +0000
|
|
Subject: ipapython: Propagate KRB5Error exceptions on iterating ccache
|
|
|
|
|
|
`ipapython.session_storage.get_data` iterates over
|
|
credentials in a credential cache till `krb5_cc_next_cred` returns
|
|
an error. This function doesn't expect any error on calling
|
|
other kerberos foreign functions during iteration. But that can
|
|
actually happen and KRB5Error exceptions stop an iteration while
|
|
they should be propagated.
|
|
|
|
With this change iteration will exactly stop on `krb5_cc_next_cred`
|
|
error as it was supposed to be.
|
|
|
|
Fixes: https://pagure.io/freeipa/issue/9519
|
|
Signed-off-by: Stanislav Levin <slev@altlinux.org>
|
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
---
|
|
|
|
diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
|
|
index dc36f54..e890dc9 100644
|
|
--- a/ipapython/session_storage.py
|
|
+++ b/ipapython/session_storage.py
|
|
@@ -312,8 +312,12 @@ def get_data(princ_name, key):
|
|
checkcreds = krb5_creds()
|
|
# the next function will throw an error and break out of the
|
|
# while loop when we try to access past the last cred
|
|
- krb5_cc_next_cred(context, ccache, ctypes.byref(cursor),
|
|
- ctypes.byref(checkcreds))
|
|
+ try:
|
|
+ krb5_cc_next_cred(context, ccache, ctypes.byref(cursor),
|
|
+ ctypes.byref(checkcreds))
|
|
+ except KRB5Error:
|
|
+ break
|
|
+
|
|
if (krb5_principal_compare(context, principal,
|
|
checkcreds.client) == 1 and
|
|
krb5_principal_compare(context, srv_princ,
|
|
@@ -328,8 +332,6 @@ def get_data(princ_name, key):
|
|
else:
|
|
krb5_free_cred_contents(context,
|
|
ctypes.byref(checkcreds))
|
|
- except KRB5Error:
|
|
- pass
|
|
finally:
|
|
krb5_cc_end_seq_get(context, ccache, ctypes.byref(cursor))
|
|
|
|
|