Add an option for minimum lifetime

scottmayhew · simo5 · commit c6847f012b32 · 2021-09-03T15:11:46.000-04:00
It's possible for gssproxy to return a cached credential with a very
small remaining lifetime.  This can be problematic for NFS clients since
it requires a round trip to the NFS server to establish a GSS context.
Add a min_lifetime option that represents the lowest value that the
lifetime of the cached credential can be.  Any lower than that, and
gp_check_cred() returns GSS_S_CREDENTIALS_EXPIRED, so that
gp_add_krb5_creds() is forced to try to obtain a new credential.

Signed-off-by: Scott Mayhew &lt;smayhew@redhat.com&gt;
diff --git a/examples/99-nfs-client.conf.in b/examples/99-nfs-client.conf.in
@@ -7,3 +7,4 @@
   allow_any_uid = yes
   trusted = yes
   euid = 0
+  min_lifetime = 60
diff --git a/man/gssproxy.conf.5.xml b/man/gssproxy.conf.5.xml
@@ -331,6 +331,21 @@
                     </listitem>
                 </varlistentry>
 
+                <varlistentry>
+                    <term>min_lifetime (integer)</term>
+                    <listitem>
+                        <para>Minimum lifetime of a cached credential, in seconds.</para>
+                        <para>If non-zero, when gssproxy is deciding whether to use
+                            a cached credential, it will compare the lifetime of the
+                            cached credential to this value.  If the lifetime of the
+                            cached credential is lower, gssproxy will treat the cached
+                            credential as expired and will attempt to obtain a new
+                            credential.
+                        </para>
+                        <para>Default: min_lifetime = 15</para>
+                    </listitem>
+                </varlistentry>
+
                 <varlistentry>
                     <term>program (string)</term>
                     <listitem>
diff --git a/src/gp_config.c b/src/gp_config.c
@@ -32,6 +32,7 @@ struct gp_flag_def flag_names[] = {
 
 #define DEFAULT_FILTERED_FLAGS GSS_C_DELEG_FLAG
 #define DEFAULT_ENFORCED_FLAGS 0
+#define DEFAULT_MIN_LIFETIME 15
 
 static void free_str_array(const char ***a, int *count)
 {
@@ -538,6 +539,17 @@ static int load_services(struct gp_config *cfg, struct gp_ini_context *ctx)
                     goto done;
                 }
             }
+
+            cfg->svcs[n]->min_lifetime = DEFAULT_MIN_LIFETIME;
+            ret = gp_config_get_int(ctx, secname, "min_lifetime", &valnum);
+            if (ret == 0) {
+                if (valnum >= 0) {
+                    cfg->svcs[n]->min_lifetime = valnum;
+                } else {
+                    GPDEBUG("Invalid value '%d' for min_lifetime in [%s], ignoring.\n",
+                            valnum, secname);
+                }
+            }
         }
         safefree(secname);
     }
diff --git a/src/gp_creds.c b/src/gp_creds.c
@@ -492,6 +492,7 @@ static int gp_get_cred_environment(struct gp_call_ctx *gpcall,
 }
 
 static uint32_t gp_check_cred(uint32_t *min,
+                              struct gp_service *svc,
                               gss_cred_id_t in_cred,
                               gssx_name *desired_name,
                               gss_cred_usage_t cred_usage)
@@ -563,7 +564,14 @@ static uint32_t gp_check_cred(uint32_t *min,
     if (lifetime == 0) {
         ret_maj = GSS_S_CREDENTIALS_EXPIRED;
     } else {
-        ret_maj = GSS_S_COMPLETE;
+        if (svc->min_lifetime && lifetime < svc->min_lifetime) {
+            GPDEBUG("%s: lifetime (%u) less than min_lifetime (%u) "
+                    "for service \"%s\" - returning\n",
+                    __func__, lifetime, svc->min_lifetime, svc->name);
+            ret_maj = GSS_S_CREDENTIALS_EXPIRED;
+        } else {
+            ret_maj = GSS_S_COMPLETE;
+        }
     }
 
 done:
@@ -622,7 +630,7 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
          * function completely */
 
         /* just check if it is a valid krb5 cred */
-        ret_maj = gp_check_cred(&ret_min, in_cred, desired_name, cred_usage);
+        ret_maj = gp_check_cred(&ret_min, gpcall->service, in_cred, desired_name, cred_usage);
         if (ret_maj == GSS_S_COMPLETE) {
             return GSS_S_COMPLETE;
         } else if (ret_maj == GSS_S_CREDENTIALS_EXPIRED ||
diff --git a/src/gp_proxy.h b/src/gp_proxy.h
@@ -45,6 +45,7 @@ struct gp_service {
     gss_cred_usage_t cred_usage;
     uint32_t filter_flags;
     uint32_t enforce_flags;
+    uint32_t min_lifetime;
     char *program;
 
     uint32_t mechs;

Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,7 @@ struct gp_flag_def flag_names[] = {`
`32`	`32`
`33`	`33`	`#define DEFAULT_FILTERED_FLAGS GSS_C_DELEG_FLAG`
`34`	`34`	`#define DEFAULT_ENFORCED_FLAGS 0`
	`35`	`+#define DEFAULT_MIN_LIFETIME 15`
`35`	`36`
`36`	`37`	`static void free_str_array(const char **a, int count)`
`37`	`38`	`{`
`@@ -538,6 +539,17 @@ static int load_services(struct gp_config cfg, struct gp_ini_context ctx)`
`538`	`539`	`goto done;`
`539`	`540`	`}`
`540`	`541`	`}`
	`542`	`+`
	`543`	`+ cfg->svcs[n]->min_lifetime = DEFAULT_MIN_LIFETIME;`
	`544`	`+ ret = gp_config_get_int(ctx, secname, "min_lifetime", &valnum);`
	`545`	`+ if (ret == 0) {`
	`546`	`+ if (valnum >= 0) {`
	`547`	`+ cfg->svcs[n]->min_lifetime = valnum;`
	`548`	`+ } else {`
	`549`	`+ GPDEBUG("Invalid value '%d' for min_lifetime in [%s], ignoring.\n",`
	`550`	`+ valnum, secname);`
	`551`	`+ }`
	`552`	`+ }`
`541`	`553`	`}`
`542`	`554`	`safefree(secname);`
`543`	`555`	`}`