90796e1d08
- ipatests: ignore nsslapd-accesslog-logbuffering WARN in healthcheck - ipatests: Skip ds_encryption tests on RHEL9 SUT. - adtrustinstance: make sure NetBIOS name defaults are set properly - ipatests: wait for replica update in test_dns_locations - ipapython: Clean up krb5_error - ipapython: Correct return type of krb5_free_cred_contents - ipapython: Propagate KRB5Error exceptions on iterating ccache - ipa-kdb: Fix memory leak during PAC verification - sidgen: ignore staged users when generating SIDs - sidgen: fix missing prototypes - kdb: PAC generator: do not fail if canonical principal is missing - ipatests: fix tasks.wait_for_replication method - ipa-kdb: Rework ipadb_reinit_mspac() - ipa-kdb: Fix double free in ipadb_reinit_mspac()
52 lines
2.1 KiB
Diff
52 lines
2.1 KiB
Diff
From e69d98add55f25641459fc1dfb973260e85f9b95 Mon Sep 17 00:00:00 2001
|
|
From: Stanislav Levin <slev@altlinux.org>
|
|
Date: Jan 30 2024 15:07:56 +0000
|
|
Subject: ipapython: Propagate KRB5Error exceptions on iterating ccache
|
|
|
|
|
|
`ipapython.session_storage.get_data` iterates over
|
|
credentials in a credential cache till `krb5_cc_next_cred` returns
|
|
an error. This function doesn't expect any error on calling
|
|
other kerberos foreign functions during iteration. But that can
|
|
actually happen and KRB5Error exceptions stop an iteration while
|
|
they should be propagated.
|
|
|
|
With this change iteration will exactly stop on `krb5_cc_next_cred`
|
|
error as it was supposed to be.
|
|
|
|
Fixes: https://pagure.io/freeipa/issue/9519
|
|
Signed-off-by: Stanislav Levin <slev@altlinux.org>
|
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
---
|
|
|
|
diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
|
|
index dc36f54..e890dc9 100644
|
|
--- a/ipapython/session_storage.py
|
|
+++ b/ipapython/session_storage.py
|
|
@@ -312,8 +312,12 @@ def get_data(princ_name, key):
|
|
checkcreds = krb5_creds()
|
|
# the next function will throw an error and break out of the
|
|
# while loop when we try to access past the last cred
|
|
- krb5_cc_next_cred(context, ccache, ctypes.byref(cursor),
|
|
- ctypes.byref(checkcreds))
|
|
+ try:
|
|
+ krb5_cc_next_cred(context, ccache, ctypes.byref(cursor),
|
|
+ ctypes.byref(checkcreds))
|
|
+ except KRB5Error:
|
|
+ break
|
|
+
|
|
if (krb5_principal_compare(context, principal,
|
|
checkcreds.client) == 1 and
|
|
krb5_principal_compare(context, srv_princ,
|
|
@@ -328,8 +332,6 @@ def get_data(princ_name, key):
|
|
else:
|
|
krb5_free_cred_contents(context,
|
|
ctypes.byref(checkcreds))
|
|
- except KRB5Error:
|
|
- pass
|
|
finally:
|
|
krb5_cc_end_seq_get(context, ccache, ctypes.byref(cursor))
|
|
|
|
|