ipa-kdb: apply per-indicator settings from inherited ticket policy

Fixes: https://pagure.io/freeipa/issue/9121 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-01-26 16:16:31 -06:00 · 2022-02-23 09:22:25 +02:00 · 2022-02-23 09:22:25 +02:00 · 2282509934
commit 2282509934
parent 5457fb7f7e
2 changed files with 19 additions and 2 deletions
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
@ -161,7 +161,7 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
        if (pol_limits->max_life != 0) {
            jitter(pol_limits->max_life, lifetime_out);
        } else {
-            jitter(ONE_DAY_SECONDS, lifetime_out);
+            jitter(client->max_life, lifetime_out);
        }

        if (pol_limits->max_renewable_life != 0) {
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@ -585,7 +585,13 @@ static void ipadb_parse_authind_policies(krb5_context kcontext,
    }

    for (size_t i = 0; life_authind_map[i].attribute != NULL; i++) {
-        if (ua & life_authind_map[i].flag) {
+        /* Only change max_life/max_renewable_life per indicator
+         * if the value wasn't set yet. This function gets called twice:
+         * - for the principal entry
+         * - for the associated policy lookup */
+        if ((ua & life_authind_map[i].flag) &&
+            (ied->pol_limits[life_authind_map[i].idx].max_life == 0)) {
+
            ret = ipadb_ldap_attr_to_int(lcontext, lentry,
                                         life_authind_map[i].attribute,
                                         &result);
@ -1287,6 +1293,8 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
        if (!first) {
            kerr = KRB5_KDB_NOENTRY;
        } else {
+            struct ipadb_e_data *ied;
+
            if (polmask & MAXTKTLIFE_BIT) {
                ret = ipadb_ldap_attr_to_int(ipactx->lcontext, first,
                                             "krbmaxticketlife", &result);
@ -1314,6 +1322,15 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
                    entry->attributes |= maybe_require_preauth(ipactx, entry);
                }
            }
+
+            ied = (struct ipadb_e_data *)entry->e_data;
+            if (ied && ied->ipa_user == true) {
+            /* Apply default policy to indicators, if any */
+                if (ied->user_auth & ~IPADB_USER_AUTH_NONE) {
+                    ipadb_parse_authind_policies(kcontext, ipactx->lcontext,
+                                                first, entry, ied->user_auth);
+                }
+            }
        }
    }