From 7560de25df6722b625e0d89dfddf11b07b715487 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Mon, 8 Nov 2010 16:00:57 +0100
Subject: [PATCH 4/9] Add krb5_renewable_lifetime option
---
 Makefile.am | 1 +
 src/config/SSSDConfig.py | 1 +
 src/config/SSSDConfigTest.py | 9 +++++--
 src/config/etc/sssd.api.d/sssd-krb5.conf | 1 +
 src/man/sssd-krb5.5.xml | 32 ++++++++++++++++++++++++++++++
 src/providers/ipa/ipa_common.c | 3 +-
 src/providers/ipa/ipa_common.h | 2 +-
 src/providers/krb5/krb5_child.c | 18 +++++++++++++++-
 src/providers/krb5/krb5_common.c | 24 +++++++++++++++++++++-
 src/providers/krb5/krb5_common.h | 2 +
 10 files changed, 86 insertions(+), 7 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 6d91cf6..4a8fd59 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -531,6 +531,7 @@ krb5_utils_tests_CFLAGS = \
 krb5_utils_tests_LDADD = \
 $(SSSD_LIBS)\
 $(CARES_LIBS) \
+ $(KRB5_LIBS) \
 $(CHECK_LIBS) \
 libsss_test_common.la
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 1f54b47..bb7e424 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -104,6 +104,7 @@ option_strings = {
 'krb5_keytab' : _("Location of the keytab to validate credentials"),
 'krb5_validate' : _("Enable credential validation"),
 'krb5_store_password_if_offline' : _("Store password if offline for later online authentication"),
+ 'krb5_renewable_lifetime' : _("Renewable lifetime of the TGT"),
 # [provider/krb5/chpass]
 'krb5_kpasswd' : _('Server where the change password service is running if not on the KDC'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 39db49d..b63e40b 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -549,7 +549,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
 'krb5_keytab',
 'krb5_validate',
 'krb5_store_password_if_offline',
- 'krb5_auth_timeout'])
+ 'krb5_auth_timeout',
+ 'krb5_renewable_lifetime'])
 options = domain.list_options()
@@ -723,7 +724,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
 'krb5_keytab',
 'krb5_validate',
 'krb5_store_password_if_offline',
- 'krb5_auth_timeout']
+ 'krb5_auth_timeout',
+ 'krb5_renewable_lifetime']
 self.assertTrue(type(options) == dict, "Options should be a dictionary")
@@ -871,7 +873,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
 'krb5_keytab',
 'krb5_validate',
 'krb5_store_password_if_offline',
- 'krb5_auth_timeout'])
+ 'krb5_auth_timeout',
+ 'krb5_renewable_lifetime'])
 options = domain.list_options()
diff --git a/src/config/etc/sssd.api.d/sssd-krb5.conf b/src/config/etc/sssd.api.d/sssd-krb5.conf
index 0c0aa42..c3cc5bb 100644
--- a/src/config/etc/sssd.api.d/sssd-krb5.conf
+++ b/src/config/etc/sssd.api.d/sssd-krb5.conf
@@ -11,6 +11,7 @@ krb5_ccname_template = str, None, false
 krb5_keytab = str, None, false
 krb5_validate = bool, None, false
 krb5_store_password_if_offline = bool, None, false
+krb5_renewable_lifetime = str, None, false
 [provider/krb5/chpass]
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index f5c8ad0..0f0c8a2 100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -268,6 +268,38 @@
+ + krb5_renewable_lifetime (string) + + + Request a renewable ticket with a with a total + lifetime given by an integer immediately followed + by one of the following delimiters: + + s seconds + + m minutes + + h hours + + d days. + + Please note that it is not possible to mix units. + If you want to set the renewable lifetime to one + and a half hours please use '90m' instead of + '1h30m'. + + Default: not set, i.e. the TGT is not renewable + + + +
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index a7f4494..149a352 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -139,7 +139,8 @@ struct dp_option ipa_def_krb5_opts[] = {
 { "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
 { "krb5_validate", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
 { "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }
+ { "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING }
 };
 int ipa_get_options(TALLOC_CTX *memctx,
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index ef1cac2..33b325c 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -40,7 +40,7 @@ struct ipa_service {
 /* the following define is used to keep track of the options in the krb5
 * module, so that if they change and ipa is not updated correspondingly
 * this will trigger a runtime abort error */
-#define IPA_KRB5_OPTS_TEST 9
+#define IPA_KRB5_OPTS_TEST 10
 enum ipa_basic_opt {
 IPA_DOMAIN = 0,
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 0e55560..2a2ed9b 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1084,6 +1084,8 @@ static int krb5_cleanup(void *ptr)
 static int krb5_child_setup(struct krb5_req *kr, uint32_t offline)
 {
 krb5_error_code kerr = 0;
+ char *lifetime_str;
+ krb5_deltat lifetime;
 kr->krb5_ctx = talloc_zero(kr, struct krb5_child_ctx);
 if (kr->krb5_ctx == NULL) {
@@ -1162,9 +1164,23 @@ static int krb5_child_setup(struct krb5_req *kr, uint32_t offline)
 goto failed;
 }
+ lifetime_str = getenv(SSSD_KRB5_RENEWABLE_LIFETIME);
+ if (lifetime_str == NULL) {
+ DEBUG(7, ("Cannot read [%s] from environment.\n",
+ SSSD_KRB5_RENEWABLE_LIFETIME));
+ } else {
+ kerr = krb5_string_to_deltat(lifetime_str, &lifetime);
+ if (kerr != 0) {
+ DEBUG(1, ("krb5_string_to_deltat failed for [%s].\n",
+ lifetime_str));
+ KRB5_DEBUG(1, kerr);
+ goto failed;
+ }
+ krb5_get_init_creds_opt_set_renew_life(kr->options, lifetime);
+ }
+
 /* TODO: set options, e.g.
 * krb5_get_init_creds_opt_set_tkt_life
- * krb5_get_init_creds_opt_set_renew_life
 * krb5_get_init_creds_opt_set_forwardable
 * krb5_get_init_creds_opt_set_proxiable
 * krb5_get_init_creds_opt_set_etype_list
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index bf47dcc..1a62bbe 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -40,7 +40,8 @@ struct dp_option default_krb5_opts[] = {
 { "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
 { "krb5_validate", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
 { "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }
+ { "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING }
 };
 errno_t check_and_export_options(struct dp_option *opts,
@@ -49,6 +50,8 @@ errno_t check_and_export_options(struct dp_option *opts,
 int ret;
 const char *realm;
 const char *dummy;
+ char *str;
+ krb5_deltat lifetime;
 realm = dp_opt_get_cstring(opts, KRB5_REALM);
 if (realm == NULL) {
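Review bot: The level-7 message `Cannot read [%s] from environment.` fires in the ordinary case where krb5_renewable_lifetime is simply not configured, so it reads like a failure in verbose logs; a neutral wording such as `DEBUG(7, ("[%s] not set, TGT will not be renewable.\n", SSSD_KRB5_RENEWABLE_LIFETIME));` would avoid that. Aborting the request with `goto failed` when the exported value does not parse is the right fail-closed choice, but as far as this patch shows the parent already rejects such values in check_and_export_options, so this branch is reachable only if the variable was changed between export and exec; a one-line comment saying the parse is a second line of defence would stop the next reader from hunting for a missing validation. krb5_child_setup begins and ends outside the hunk.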
@@ -66,6 +69,25 @@ errno_t check_and_export_options(struct dp_option *opts,
 SSSD_KRB5_REALM));
 }
+ str = dp_opt_get_string(opts, KRB5_RENEWABLE_LIFETIME);
+ if (str == NULL) {
+ DEBUG(5, ("No renewable lifetime configured.\n"));
+ } else {
+ ret = krb5_string_to_deltat(str, &lifetime);
+ if (ret != 0) {
+ DEBUG(1, ("Invalid value [%s] for krb5_renewable_lifetime.\n",
+ str));
+ return EINVAL;
+ }
+
+ ret = setenv(SSSD_KRB5_RENEWABLE_LIFETIME, str, 1);
+ if (ret != EOK) {
+ DEBUG(2, ("setenv [%s] failed.\n",
+ SSSD_KRB5_RENEWABLE_LIFETIME));
+ return ret;
+ }
+ }
+
 dummy = dp_opt_get_cstring(opts, KRB5_KDC);
 if (dummy == NULL) {
 DEBUG(1, ("No KDC explicitly configured, using defaults.\n"));
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 139ce40..15ef437 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -35,6 +35,7 @@
 #define SSSD_KRB5_KDC "SSSD_KRB5_KDC"
 #define SSSD_KRB5_REALM "SSSD_KRB5_REALM"
+#define SSSD_KRB5_RENEWABLE_LIFETIME "SSSD_KRB5_RENEWABLE_LIFETIME"
 #define KDCINFO_TMPL PUBCONF_PATH"/kdcinfo.%s"
 #define KPASSWDINFO_TMPL PUBCONF_PATH"/kpasswdinfo.%s"
@@ -52,6 +53,7 @@ enum krb5_opts {
 KRB5_VALIDATE,
 KRB5_KPASSWD,
 KRB5_STORE_PASSWORD_IF_OFFLINE,
+ KRB5_RENEWABLE_LIFETIME,
 KRB5_OPTS
 };
--
1.7.3.2
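Review bot: `setenv()` returns -1 and sets errno on failure rather than returning an errno value, so `if (ret != EOK) { ...; return ret; }` hands -1 back to the caller as an errno_t; compare against -1 and return errno instead: `if (ret == -1) { ret = errno; DEBUG(2, ("setenv [%s] failed.\n", SSSD_KRB5_RENEWABLE_LIFETIME)); return ret; }`. krb5_string_to_deltat only reports syntax errors, and if it accepts a leading minus the way MIT's deltat parser does, a zero or negative lifetime would be exported and passed on to the KDC; a `lifetime <= 0` check next to the parse, returning EINVAL, keeps the rejection in the parent where the configuration error is logged at startup. check_and_export_options begins and ends outside the hunk.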