Add an option for minimum lifetime

scottmayhew · scottmayhew · commit d3ce1f9e39d3 · 2021-09-02T13:17:28.000-04:00
It's possible for gssproxy to return a cached credential with a very
small remaining lifetime.  This can be problematic for NFS clients since
it requires a round trip to the NFS server to establish a GSS context.
Add a min_lifetime option that represents the lowest value that the
lifetime of the cached credential can be.  Any lower than that, and
gp_check_cred() returns GSS_S_CREDENTIALS_EXPIRED, so that
gp_add_krb5_creds() is forced to try to obtain a new credential.

Signed-off-by: Scott Mayhew &lt;smayhew@redhat.com&gt;
diff --git a/examples/99-nfs-client.conf.in b/examples/99-nfs-client.conf.in
@@ -7,3 +7,4 @@
   allow_any_uid = yes
   trusted = yes
   euid = 0
+  min_lifetime = 60
diff --git a/man/gssproxy.conf.5.xml b/man/gssproxy.conf.5.xml
@@ -331,6 +331,20 @@
                     </listitem>
                 </varlistentry>
 
+                <varlistentry>
+                    <term>min_lifetime (integer)</term>
+                    <listitem>
+                        <para>If non-zero, when gssproxy is deciding whether to use
+                            a cached credential, it will compare the lifetime of the
+                            cached credential to this value.  If the lifetime of the
+                            cached credential is lower, gssproxy will treat the cached
+                            credential as expired and will attempt to obtain a new
+                            credential.
+                        </para>
+                        <para>Default: min_lifetime = 0</para>
+                    </listitem>
+                </varlistentry>
+
                 <varlistentry>
                     <term>program (string)</term>
                     <listitem>
diff --git a/src/gp_config.c b/src/gp_config.c
@@ -538,6 +538,17 @@ static int load_services(struct gp_config *cfg, struct gp_ini_context *ctx)
                     goto done;
                 }
             }
+
+            cfg->svcs[n]->min_lifetime = 0;
+            ret = gp_config_get_int(ctx, secname, "min_lifetime", &valnum);
+            if (ret == 0) {
+                if (valnum >= 0) {
+                    cfg->svcs[n]->min_lifetime = valnum;
+                } else {
+                    GPDEBUG("Invalid value '%d' for min_lifetime in [%s], ignoring.\n",
+                            valnum, secname);
+                }
+            }
         }
         safefree(secname);
     }
diff --git a/src/gp_creds.c b/src/gp_creds.c
@@ -492,6 +492,7 @@ static int gp_get_cred_environment(struct gp_call_ctx *gpcall,
 }
 
 static uint32_t gp_check_cred(uint32_t *min,
+                              struct gp_call_ctx *gpcall,
                               gss_cred_id_t in_cred,
                               gssx_name *desired_name,
                               gss_cred_usage_t cred_usage)
@@ -506,6 +507,9 @@ static uint32_t gp_check_cred(uint32_t *min,
     gss_cred_usage_t usage;
     uint32_t lifetime;
     int present = 0;
+    struct gp_service *svc;
+
+    svc = gpcall->service;
 
     ret_maj = gss_inquire_cred(&ret_min, in_cred,
                                desired_name?&check_name:NULL,
@@ -563,7 +567,14 @@ static uint32_t gp_check_cred(uint32_t *min,
     if (lifetime == 0) {
         ret_maj = GSS_S_CREDENTIALS_EXPIRED;
     } else {
-        ret_maj = GSS_S_COMPLETE;
+        if (svc->min_lifetime && lifetime < svc->min_lifetime) {
+            GPDEBUG("%s: lifetime (%u) less than min_lifetime (%u) "
+                    "for service \"%s\" - returning GSS_S_CREDENTIALS_EXPIRED\n",
+                    __func__, lifetime, svc->min_lifetime, svc->name);
+            ret_maj = GSS_S_CREDENTIALS_EXPIRED;
+        } else {
+            ret_maj = GSS_S_COMPLETE;
+        }
     }
 
 done:
@@ -622,7 +633,7 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
          * function completely */
 
         /* just check if it is a valid krb5 cred */
-        ret_maj = gp_check_cred(&ret_min, in_cred, desired_name, cred_usage);
+        ret_maj = gp_check_cred(&ret_min, gpcall, in_cred, desired_name, cred_usage);
         if (ret_maj == GSS_S_COMPLETE) {
             return GSS_S_COMPLETE;
         } else if (ret_maj == GSS_S_CREDENTIALS_EXPIRED ||
diff --git a/src/gp_proxy.h b/src/gp_proxy.h
@@ -45,6 +45,7 @@ struct gp_service {
     gss_cred_usage_t cred_usage;
     uint32_t filter_flags;
     uint32_t enforce_flags;
+    uint32_t min_lifetime;
     char *program;
 
     uint32_t mechs;

Original file line number	Diff line number	Diff line change
`@@ -538,6 +538,17 @@ static int load_services(struct gp_config cfg, struct gp_ini_context ctx)`
`538`	`538`	`goto done;`
`539`	`539`	`}`
`540`	`540`	`}`
	`541`	`+`
	`542`	`+ cfg->svcs[n]->min_lifetime = 0;`
	`543`	`+ ret = gp_config_get_int(ctx, secname, "min_lifetime", &valnum);`
	`544`	`+ if (ret == 0) {`
	`545`	`+ if (valnum >= 0) {`
	`546`	`+ cfg->svcs[n]->min_lifetime = valnum;`
	`547`	`+ } else {`
	`548`	`+ GPDEBUG("Invalid value '%d' for min_lifetime in [%s], ignoring.\n",`
	`549`	`+ valnum, secname);`
	`550`	`+ }`
	`551`	`+ }`
`541`	`552`	`}`
`542`	`553`	`safefree(secname);`
`543`	`554`	`}`