From 68a0790b9da12ccb9f3a9f211f6d806ca604a861 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: May 27 2020 19:19:49 +0000 Subject: ipa-kdb: cache local TGS in the driver context For Kerberos principal lookup we always need to check whether principal is from our realm. Keep the reference to our realm TGS handy to avoid memory allocations on every lookup. Related: https://pagure.io/freeipa/issue/8319 Signed-off-by: Alexander Bokovoy Reviewed-By: Isaac Boukris Reviewed-By: Florence Blanc-Renaud
---
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 7bd30be..33d2a67 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -60,6 +60,7 @@ static void ipadb_context_free(krb5_context kcontext,
 free((*ctx)->supp_encs);
 free((*ctx)->def_encs);
 ipadb_mspac_struct_free(&(*ctx)->mspac);
+ krb5_free_principal(kcontext, (*ctx)->local_tgs);
 krb5_free_default_realm(kcontext, (*ctx)->realm);
 cfg = &(*ctx)->config;
@@ -495,6 +496,27 @@ done:
 return 0;
 }
+static krb5_principal ipadb_create_local_tgs(krb5_context kcontext,
+ struct ipadb_context *ipactx)
+{
+ krb5_principal tgtp;
+ unsigned int length = strlen(ipactx->realm);
+ krb5_error_code kerr = 0;
+
+ kerr = krb5_build_principal_ext(kcontext, &tgtp,
+ length,
+ ipactx->realm,
+ KRB5_TGS_NAME_SIZE,
+ KRB5_TGS_NAME,
+ length,
+ ipactx->realm, 0);
+ if (kerr != 0) {
+ return NULL;
+ }
+
+ return tgtp;
+}
+
 /* INTERFACE */
 static krb5_error_code ipadb_init_library(void)
@@ -556,6 +578,12 @@ static krb5_error_code ipadb_init_module(krb5_context kcontext,
 goto fail;
 }
+ ipactx->local_tgs = ipadb_create_local_tgs(kcontext, ipactx);
+ if (!ipactx->local_tgs) {
+ ret = ENOMEM;
+ goto fail;
+ }
+
 ipactx->base = ipadb_get_base_from_realm(kcontext);
 if (!ipactx->base) {
 ret = ENOMEM;
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index ae37a5a..5db3a52 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
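Review bot: In ipadb_create_local_tgs() (daemons/ipa-kdb/ipa_kdb.c, second hunk), `unsigned int length = strlen(ipactx->realm);` reads ipactx->realm with no check of its own and narrows size_t to unsigned int implicitly. The call added to ipadb_init_module() in the third hunk follows a `goto fail` block whose condition lies outside the hunk, so the patch alone does not show that realm is always set at that point. I would state the contract in a header comment, e.g. `/* Builds krbtgt/<realm>@<realm> from ipactx->realm, which must already be set; returns NULL on failure, caller releases the result with krb5_free_principal(). */`, and make the narrowing explicit with `size_t length = strlen(ipactx->realm);` plus `(unsigned int)length` at the two call arguments. The helper also drops kerr and the caller substitutes ENOMEM, which deserves a one-line comment if allocation failure is the only expected error.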
@@ -134,6 +134,8 @@ struct ipadb_context {
 /* Don't access this directly, use ipadb_get_global_config(). */
 struct ipadb_global_config config;
+
+ krb5_principal local_tgs;
 };
 struct ipadb_e_pol_limits {
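Review bot: The new `local_tgs` member in struct ipadb_context has no comment, and it sits just below the `/* Don't access this directly ... */` remark for `config`, so a reader cannot tell which access rule applies to it. The commit message says it is consulted on every principal lookup to decide whether a principal belongs to the local realm, so its lifetime and read-only status are worth writing down. I would add `/* krbtgt/REALM@REALM for our realm; set once in ipadb_init_module(), freed in ipadb_context_free(); do not modify or free elsewhere */` above the field. The struct definition starts outside this hunk.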