13b7686650
- Resolves: RHEL-23627 IPA stops working if HTTP/... service principal was created before FreeIPA 4.4.0 and never modified
- Resolves: RHEL-23625 sidgen plugin does not ignore staged users
- Resolves: RHEL-23621 session cookie can't be read
- Resolves: RHEL-22372 Gating-DL1 test failure in test_integration/test_dns_locations.py::TestDNSLocations::()::test_ipa_ca_records
- Resolves: RHEL-21809 CA less servers are failing to be added in topology segment for domain suffix
- Resolves: RHEL-17996 Memory leak in IdM's KDC

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
54 lines
2.3 KiB
Diff
From 59b8a9fb7169561c7ba9168fe84f47ae94e5ce23 Mon Sep 17 00:00:00 2001
From: Stanislav Levin <slev@altlinux.org>
Date: Tue, 23 Jan 2024 19:52:34 +0300
Subject: [PATCH] ipapython: Propagate KRB5Error exceptions on iterating ccache

`ipapython.session_storage.get_data` iterates over
credentials in a credential cache till `krb5_cc_next_cred` returns
an error. This function doesn't expect any error on calling
other kerberos foreign functions during iteration. But that can
actually happen and KRB5Error exceptions stop an iteration while
they should be propagated.

With this change iteration will exactly stop on `krb5_cc_next_cred`
error as it was supposed to be.

Fixes: https://pagure.io/freeipa/issue/9519
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipapython/session_storage.py | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
index dc36f54939a838bcb933dfb0089410d9b00f9e4d..e890dc9b11475cc26d212ccbe040df3cfbfba6e8 100644
--- a/ipapython/session_storage.py
+++ b/ipapython/session_storage.py
@@ -312,8 +312,12 @@ def get_data(princ_name, key):
checkcreds = krb5_creds()
# the next function will throw an error and break out of the
# while loop when we try to access past the last cred
- krb5_cc_next_cred(context, ccache, ctypes.byref(cursor),
- ctypes.byref(checkcreds))
+ try:
+ krb5_cc_next_cred(context, ccache, ctypes.byref(cursor),
+ ctypes.byref(checkcreds))
+ except KRB5Error:
+ break
+
if (krb5_principal_compare(context, principal,
checkcreds.client) == 1 and
krb5_principal_compare(context, srv_princ,
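Review bot: the new `except KRB5Error: break` around `krb5_cc_next_cred` ends the loop on any KRB5Error, so a genuine failure while reading the ccache is indistinguishable from reaching the last credential. Consider breaking only when the error is the end-of-cache code (KRB5_CC_END in MIT krb5) and re-raising anything else, assuming KRB5Error exposes the error code. The comment above the call still says the error itself breaks out of the while loop; it should be reworded to match the explicit `break`.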
@@ -328,8 +332,6 @@ def get_data(princ_name, key):
else:
krb5_free_cred_contents(context,
ctypes.byref(checkcreds))
- except KRB5Error:
- pass
finally:
krb5_cc_end_seq_get(context, ccache, ctypes.byref(cursor))
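Review bot: with the loop-wide `except KRB5Error: pass` removed, errors from `krb5_principal_compare` and the other calls in the loop body now leave `get_data` as exceptions, but the visible `finally` only calls `krb5_cc_end_seq_get`, while `krb5_free_cred_contents` sits in the `else` branch. If a call raises after `krb5_cc_next_cred` has filled `checkcreds`, those contents are not freed on that path as far as these lines show; consider freeing them in a handler before re-raising. The docstring of `get_data` should also state that it can now raise KRB5Error so callers know to handle it.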
--
2.43.0