ipa-kdb: cache local TGS in the driver context

For Kerberos principal lookup we always need to check whether principal is from our realm. Keep the reference to our realm TGS handy to avoid memory allocations on every lookup. Related: https://pagure.io/freeipa/issue/8319 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Isaac Boukris <iboukris@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-05-25 19:16:27 +03:00 · 2020-05-25 19:16:27 +03:00 · ef59cb8452
commit ef59cb8452
parent 3611fc5043
2 changed files with 30 additions and 0 deletions
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@ -60,6 +60,7 @@ static void ipadb_context_free(krb5_context kcontext,
        free((*ctx)->supp_encs);
        free((*ctx)->def_encs);
        ipadb_mspac_struct_free(&(*ctx)->mspac);
+        krb5_free_principal(kcontext, (*ctx)->local_tgs);
        krb5_free_default_realm(kcontext, (*ctx)->realm);

        cfg = &(*ctx)->config;
@ -495,6 +496,27 @@ done:
    return 0;
 }

+static krb5_principal ipadb_create_local_tgs(krb5_context kcontext,
+                                             struct ipadb_context *ipactx)
+{
+    krb5_principal tgtp;
+    unsigned int length = strlen(ipactx->realm);
+    krb5_error_code kerr = 0;
+
+    kerr = krb5_build_principal_ext(kcontext, &tgtp,
+                                    length,
+                                    ipactx->realm,
+                                    KRB5_TGS_NAME_SIZE,
+                                    KRB5_TGS_NAME,
+                                    length,
+                                    ipactx->realm, 0);
+    if (kerr != 0) {
+        return NULL;
+    }
+
+    return tgtp;
+}
+
 /* INTERFACE */

 static krb5_error_code ipadb_init_library(void)
@ -556,6 +578,12 @@ static krb5_error_code ipadb_init_module(krb5_context kcontext,
        goto fail;
    }

+    ipactx->local_tgs = ipadb_create_local_tgs(kcontext, ipactx);
+    if (!ipactx->local_tgs) {
+        ret = ENOMEM;
+        goto fail;
+    }
+
    ipactx->base = ipadb_get_base_from_realm(kcontext);
    if (!ipactx->base) {
        ret = ENOMEM;
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@ -134,6 +134,8 @@ struct ipadb_context {

    /* Don't access this directly, use ipadb_get_global_config(). */
    struct ipadb_global_config config;
+
+    krb5_principal local_tgs;
 };

 struct ipadb_e_pol_limits {