After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 693578 - Refresh credentials at startup and network changes
Refresh credentials at startup and network changes
Status: RESOLVED FIXED
Product: gnome-online-accounts
Classification: Core
Component: general
3.6.x
Other All
: Normal normal
: ---
Assigned To: GNOME Online Accounts maintainer(s)
GNOME Online Accounts maintainer(s)
: 686426 732940 746414 (view as bug list)
Depends on:
Blocks:
 
 
Reported: 2013-02-11 10:56 UTC by Kamil Páral
Modified: 2017-05-23 14:06 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
daemon: Don't leak the GoaProvider (1.12 KB, patch)
2015-05-28 13:53 UTC, Debarshi Ray
committed Details | Review
daemon: Use g_clear_object wherever applicable (1.37 KB, patch)
2015-05-28 13:54 UTC, Debarshi Ray
committed Details | Review
daemon: Use g_list_free_full wherever applicable (1.80 KB, patch)
2015-05-28 13:54 UTC, Debarshi Ray
committed Details | Review
daemon: Remove redundant NULL check (789 bytes, patch)
2015-05-28 13:55 UTC, Debarshi Ray
committed Details | Review
daemon: Remove redundant function call (1.09 KB, patch)
2015-05-28 13:55 UTC, Debarshi Ray
committed Details | Review
daemon: Check & refresh credentials during startup and network changes (5.70 KB, patch)
2015-05-28 13:56 UTC, Debarshi Ray
committed Details | Review
kerberos: Mark EnsureCredentials failures as authorization errors (1.16 KB, patch)
2015-05-28 14:22 UTC, Debarshi Ray
none Details | Review
daemon: Use g_clear_object wherever applicable (1.45 KB, patch)
2015-05-29 11:36 UTC, Debarshi Ray
committed Details | Review
kerberos: Mark EnsureCredentials failures as authorization errors (1.92 KB, patch)
2015-05-29 13:12 UTC, Debarshi Ray
committed Details | Review
client, identity: Use g_list_free_full wherever applicable (1.38 KB, patch)
2015-05-29 13:54 UTC, Debarshi Ray
committed Details | Review
identity: Simplify the destruction (1.54 KB, patch)
2015-05-29 13:54 UTC, Debarshi Ray
committed Details | Review
identity: Chain up during dispose (948 bytes, patch)
2015-05-29 13:55 UTC, Debarshi Ray
committed Details | Review
daemon: Check & refresh credentials during startup and network changes (5.65 KB, patch)
2015-05-29 14:02 UTC, Debarshi Ray
committed Details | Review
[gnome-3-16] kerberos: Fix ensure credentials when identity isn't yet known (1.99 KB, patch)
2015-05-29 17:13 UTC, Debarshi Ray
committed Details | Review

Description Kamil Páral 2013-02-11 10:56:50 UTC
If I boot my computer inside the company network from the beginning, the kerberos ticket is retrieved fine. But I if boot my computer outside of company network and connect to it afterwards, the kerberos ticket is not retrieved. A few use cases:

* A company network is behind VPN
* A company network is a token-password protected wifi network
* A user boots his laptop at home, then brings it into the office and plugs in the cable

In all these cases, the kerberos ticket can't be retrieved immediately after system start, but can be retrieved later.

I suggest that GOA should try to retrieve a kerberos ticket every time that:
1. a currently active network changes (cable plugged in, wifi changed, VPN connected)
- and -
2. there is currently no valid kerberos ticket

What do you think?

gnome-online-accounts-3.6.2-2.fc18.x86_64
Comment 1 Debarshi Ray 2013-03-05 13:12:45 UTC
*** Bug 686426 has been marked as a duplicate of this bug. ***
Comment 2 Matthias Clasen 2014-12-04 00:16:43 UTC
I think this would be a really useful addition to gnome-online-accounts. We do have easy network monitoring support in glib now, so it shouldn't be hard to do.
Comment 3 Debarshi Ray 2015-05-18 17:27:24 UTC
*** Bug 746414 has been marked as a duplicate of this bug. ***
Comment 4 Debarshi Ray 2015-05-18 17:27:33 UTC
*** Bug 732940 has been marked as a duplicate of this bug. ***
Comment 5 Debarshi Ray 2015-05-28 13:53:46 UTC
Created attachment 304158 [details] [review]
daemon: Don't leak the GoaProvider
Comment 6 Debarshi Ray 2015-05-28 13:54:14 UTC
Created attachment 304159 [details] [review]
daemon: Use g_clear_object wherever applicable
Comment 7 Debarshi Ray 2015-05-28 13:54:42 UTC
Created attachment 304160 [details] [review]
daemon: Use g_list_free_full wherever applicable
Comment 8 Debarshi Ray 2015-05-28 13:55:11 UTC
Created attachment 304161 [details] [review]
daemon: Remove redundant NULL check
Comment 9 Debarshi Ray 2015-05-28 13:55:38 UTC
Created attachment 304162 [details] [review]
daemon: Remove redundant function call
Comment 10 Debarshi Ray 2015-05-28 13:56:07 UTC
Created attachment 304163 [details] [review]
daemon: Check & refresh credentials during startup and network changes
Comment 11 Debarshi Ray 2015-05-28 14:22:11 UTC
Created attachment 304170 [details] [review]
kerberos: Mark EnsureCredentials failures as authorization errors
Comment 12 Ray Strode [halfline] 2015-05-28 18:05:59 UTC
Review of attachment 304158 [details] [review]:

looks right, sort of surprised this didn't get picked up in previous rounds of leak fixes.

::: src/daemon/goadaemon.c
@@ +1202,2 @@
  out:
+  g_clear_object (&provider);

one idea is to drop this and use g_autoptr like the cool kids do these days.
Comment 13 Ray Strode [halfline] 2015-05-28 18:08:18 UTC
Review of attachment 304159 [details] [review]:

::: src/daemon/goadaemon.c
@@ +509,1 @@
   g_object_unref (account);

could do account, too, just to be consistent (or switch to g_autoptr)
Comment 14 Ray Strode [halfline] 2015-05-28 18:11:04 UTC
Review of attachment 304160 [details] [review]:

looks right to me. there's 3 other places outside of goadaemon.c that could be updated, too, though.
Comment 15 Ray Strode [halfline] 2015-05-28 18:11:55 UTC
Review of attachment 304161 [details] [review]:

++
Comment 16 Ray Strode [halfline] 2015-05-28 18:15:29 UTC
Review of attachment 304162 [details] [review]:

sure. you could go a step further and call goa_object_peek_account at the top of the function, to deduplicate even more (though that has the disadvantage of it getting called in some failure cases when it's not needed)
Comment 17 Ray Strode [halfline] 2015-05-28 18:41:24 UTC
Review of attachment 304163 [details] [review]:

looks fine to me from a cursory read through

::: src/daemon/goadaemon.c
@@ +173,3 @@
 
+static gboolean
+queue_check_credentials_timeout (gpointer user_data)

the other timeout in this file is of the form on_..._timeout so this should probably be called on_check_credentials_timeout

@@ +192,3 @@
+    }
+
+  self->credentials_timeout_id = g_timeout_add (200, queue_check_credentials_timeout, self);

I like the idea of a using a timeout to rate limit the checks in the face of a network fumbling up, but i wonder if the interval is right. 200ms seems arbitrary is might be okay, but since we're being arbitrary we might as well do g_timeout_add_seconds(1, ...) so the wake up is aligned with other wake ups...

@@ +1195,3 @@
+          g_dbus_method_invocation_take_error (data->invocation, error);
+          error = NULL;
+        }

you could move the g_clear_error here

@@ +1215,3 @@
     }
+
+  g_clear_error (&error);

then you wouldn't need it here (though I don't have really strong opinions on that)

@@ +1276,3 @@
+      account = goa_object_peek_account (object);
+      if (account == NULL)
+        goto continue_objects;

this could just be "continue;"

@@ +1281,3 @@
+      provider = goa_provider_get_for_provider_type (provider_type);
+      if (provider == NULL)
+        goto continue_objects;

this could just be "continue;"

@@ +1289,3 @@
+                                       ensure_data_new (self, object, NULL));
+
+    continue_objects:

this isn't needed, all the cases goto are used have a NULL provider
Comment 18 Ray Strode [halfline] 2015-05-28 18:47:44 UTC
Review of attachment 304170 [details] [review]:

so looks like this is fallout from commit 7ba73645e6068935f331969e14d56a39544ebca5.

prior to that commit it did:

      translate_error (&lookup_error);
      g_set_error_literal (error,
                           GOA_ERROR,
                           GOA_ERROR_NOT_AUTHORIZED,
                           lookup_error->message);
      g_error_free (lookup_error);

::: src/goabackend/goakerberosprovider.c
@@ +1407,3 @@
+            {
+              (*error)->domain = GOA_ERROR;
+              (*error)->code = GOA_ERROR_NOT_AUTHORIZED;

which i like slightly better than this ^ but whatever.
Comment 19 Debarshi Ray 2015-05-29 11:26:27 UTC
(In reply to Ray Strode [halfline] from comment #12)
> Review of attachment 304158 [details] [review] [review]:
> 
> looks right, sort of surprised this didn't get picked up in previous rounds
> of leak fixes.

We probably didn't check the EnsureCredentials code path.

> ::: src/daemon/goadaemon.c
> @@ +1202,2 @@
>   out:
> +  g_clear_object (&provider);
> 
> one idea is to drop this and use g_autoptr like the cool kids do these days.

Yes, I would love to switch to g_autoptr and G_DECLARE_*, but I want to hold back a bit so that it is still easy to back port patches to older branches. My motivation threshold for older non-RHEL branches is "as long as cherry-pick works". :)
Comment 20 Debarshi Ray 2015-05-29 11:32:34 UTC
(In reply to Ray Strode [halfline] from comment #13)
> Review of attachment 304159 [details] [review] [review]:
> 
> ::: src/daemon/goadaemon.c
> @@ +509,1 @@
>    g_object_unref (account);
> 
> could do account, too, just to be consistent (or switch to g_autoptr)

Ok. Consistency is good.
Comment 21 Debarshi Ray 2015-05-29 11:36:44 UTC
Created attachment 304239 [details] [review]
daemon: Use g_clear_object wherever applicable

Committed after making the suggested change to retain consistency.
Comment 22 Debarshi Ray 2015-05-29 12:20:17 UTC
(In reply to Ray Strode [halfline] from comment #17)
> Review of attachment 304163 [details] [review] [review]:
> 
> looks fine to me from a cursory read through
> 
> ::: src/daemon/goadaemon.c
> @@ +173,3 @@
>  
> +static gboolean
> +queue_check_credentials_timeout (gpointer user_data)
> 
> the other timeout in this file is of the form on_..._timeout so this should
> probably be called on_check_credentials_timeout

Good point. Fixed.

> @@ +192,3 @@
> +    }
> +
> +  self->credentials_timeout_id = g_timeout_add (200,
> queue_check_credentials_timeout, self);
> 
> I like the idea of a using a timeout to rate limit the checks in the face of
> a network fumbling up, but i wonder if the interval is right. 200ms seems
> arbitrary is might be okay, but since we're being arbitrary we might as well
> do g_timeout_add_seconds(1, ...) so the wake up is aligned with other wake
> ups...

Good point. I used 200 ms to mimic the other timeout that we use for file monitor changes. Would it be a big deal if we change that to 1 second too? Probably not, I guess.

> @@ +1195,3 @@
> +          g_dbus_method_invocation_take_error (data->invocation, error);
> +          error = NULL;
> +        }
> 
> you could move the g_clear_error here
> 
> @@ +1215,3 @@
>      }
> +
> +  g_clear_error (&error);
> 
> then you wouldn't need it here (though I don't have really strong opinions
> on that)

Done.

> @@ +1276,3 @@
> +      account = goa_object_peek_account (object);
> +      if (account == NULL)
> +        goto continue_objects;
> 
> this could just be "continue;"
> 
> @@ +1281,3 @@
> +      provider = goa_provider_get_for_provider_type (provider_type);
> +      if (provider == NULL)
> +        goto continue_objects;
> 
> this could just be "continue;"
> 
> @@ +1289,3 @@
> +                                       ensure_data_new (self, object,
> NULL));
> +
> +    continue_objects:
> 
> this isn't needed, all the cases goto are used have a NULL provider

Fixed.
Comment 23 Debarshi Ray 2015-05-29 13:12:51 UTC
Created attachment 304257 [details] [review]
kerberos: Mark EnsureCredentials failures as authorization errors

Changed the structure to match the original style.
Comment 24 Debarshi Ray 2015-05-29 13:54:12 UTC
Created attachment 304262 [details] [review]
client, identity: Use g_list_free_full wherever applicable
Comment 25 Debarshi Ray 2015-05-29 13:54:40 UTC
Created attachment 304263 [details] [review]
identity: Simplify the destruction
Comment 26 Debarshi Ray 2015-05-29 13:55:06 UTC
Created attachment 304264 [details] [review]
identity: Chain up during dispose
Comment 27 Ray Strode [halfline] 2015-05-29 13:58:51 UTC
Review of attachment 304257 [details] [review]:

++
Comment 28 Ray Strode [halfline] 2015-05-29 13:59:29 UTC
Review of attachment 304262 [details] [review]:

++
Comment 29 Debarshi Ray 2015-05-29 14:02:46 UTC
Created attachment 304265 [details] [review]
daemon: Check & refresh credentials during startup and network changes

Committed after making the suggested changes - changed the timeout to 1s, got rid of an unnecessary goto, and moved the g_clear_error higher up in the function.
Comment 30 Ray Strode [halfline] 2015-05-29 14:03:11 UTC
Review of attachment 304263 [details] [review]:

This is okay (though keeping it all in dispose is okay too, not sure what's better)
Comment 31 Ray Strode [halfline] 2015-05-29 14:04:32 UTC
Review of attachment 304264 [details] [review]:

oh weird, good catch
Comment 32 Debarshi Ray 2015-05-29 14:06:58 UTC
Thanks for all the review, halfline!
Comment 33 Kamil Páral 2015-05-29 14:11:40 UTC
Thanks for implementing this, guys.
Comment 34 Debarshi Ray 2015-05-29 17:13:39 UTC
Created attachment 304279 [details] [review]
[gnome-3-16] kerberos: Fix ensure credentials when identity isn't yet known

Committed after reviewing and testing in #gnome-os on GIMPNet. This particular issue got resolved in master as a side-effect of commit 7ba73645e6068935f331969e14d56a39544ebca5
Comment 35 Debarshi Ray 2015-05-29 17:14:37 UTC
(In reply to Kamil Páral from comment #33)
> Thanks for implementing this, guys.

You're welcome. Apologies for taking so long.
Comment 36 romu 2015-05-30 12:46:20 UTC
Thanks for the fix, can't wait to use it. An idea of the time we've to wait to get it released? Thanks again.
Comment 37 Debarshi Ray 2015-06-04 06:54:25 UTC
(In reply to romu from comment #36)
> Thanks for the fix, can't wait to use it. An idea of the time we've to wait
> to get it released? Thanks again.

Next 3.6.x bug-fix release. Maybe 3.14.x too.
Comment 38 Bastien Nocera 2015-06-04 09:12:07 UTC
(In reply to Debarshi Ray from comment #37)
> (In reply to romu from comment #36)
> > Thanks for the fix, can't wait to use it. An idea of the time we've to wait
> > to get it released? Thanks again.
> 
> Next 3.6.x bug-fix release. Maybe 3.14.x too.

I'm guessing you mean the next 3.16 release.
Comment 39 Debarshi Ray 2015-06-04 09:37:46 UTC
(In reply to Bastien Nocera from comment #38)
> (In reply to Debarshi Ray from comment #37)
> > (In reply to romu from comment #36)
> > > Thanks for the fix, can't wait to use it. An idea of the time we've to wait
> > > to get it released? Thanks again.
> > 
> > Next 3.6.x bug-fix release. Maybe 3.14.x too.
> 
> I'm guessing you mean the next 3.16 release.

Yes, of course. Next 3.16.x release. Sorry for the confusion.
Comment 40 romu 2015-09-15 10:00:17 UTC
Hi,
Obviously the fix has been release because I don't need to manually refresh my Windows credentials anymore. So, I just want to say THANK YOU! This changes a bit the life when working with Gnome within a Windows network.
Comment 41 romu 2017-01-11 09:19:47 UTC
Hello,
For some days, I experience regressions in this area on F25. This morning I had to switch off/on again the "Use for Network Resources" switch of my Kerberos account to be able to connect some of my network shared folders. Could we re-open this bug?
Comment 42 Bastien Nocera 2017-01-11 09:31:34 UTC
(In reply to romu from comment #41)
> Hello,
> For some days, I experience regressions in this area on F25. This morning I
> had to switch off/on again the "Use for Network Resources" switch of my
> Kerberos account to be able to connect some of my network shared folders.
> Could we re-open this bug?

Why do you think it's the same problem that you're experiencing?
You're better off filing a new bug.
Comment 43 Bastien Nocera 2017-01-11 09:32:06 UTC
And a year and a half after...
Comment 44 romu 2017-01-11 09:37:38 UTC
@Bastien, is there any real need to be so harsh in your answer? I do what I can do to participate to Gnome: reporting problems, and try to help on diagnosis, etc. But I can also leave and take more benefit of my time than reading so unpleasant messages.
Comment 45 romu 2017-01-11 09:41:06 UTC
And I think this could be the same problem because I'm on the user side, not the developer one. And from the user point of view, on a pure functional aspect, this is the same problem...a regression.

In the code this may be a different bug, but I'm not in the code.
Comment 46 Debarshi Ray 2017-01-11 09:44:01 UTC
(In reply to romu from comment #41)
> For some days, I experience regressions in this area on F25. This morning I
> had to switch off/on again the "Use for Network Resources" switch of my
> Kerberos account to be able to connect some of my network shared folders.
> Could we re-open this bug?

Yes, as Bastien said, it would be better to open a new bug. I doubt it is the same problem as this one.

Were there some changes to the networking that made you toggle the switch? eg., you turned on a VPN or connected to WiFi or Ethernet. Whenever we refresh the credentials due to networking changes, we log a debug message. So, if you had G_MESSAGES_DEBUG=all set in your environment, you will see this in the logs:
  "Calling EnsureCredentials due to network changes"

Those are some of the things I would check when filing the bug.
Comment 47 Bastien Nocera 2017-01-11 09:48:01 UTC
(In reply to romu from comment #44)
> @Bastien, is there any real need to be so harsh in your answer?

You're reading it wrongly. It's not harsh, it's a question.

(In reply to romu from comment #45)
> And I think this could be the same problem because I'm on the user side, not
> the developer one. And from the user point of view, on a pure functional
> aspect, this is the same problem...a regression.
> 
> In the code this may be a different bug, but I'm not in the code.

If you're only seeing the problem a year and a half after your own last message, where you tested things, it's not the same problem. GNOME releases every 6 months, which would mean that you found a problem 3 releases later. You might want to link to this bug, but reopening it will not help (it makes the original bug and the follow-up problem harder to read by carrying around nearly 50 comments).

Looking forward to your new bug, thanks.
Comment 48 romu 2017-01-11 09:52:47 UTC
ok, let's keep calm.

I'll take some few days to diagnose a bit more and give you more insight of what happens to provide in the bug report...if needed. I didn't change anything on my network, but may have changed the wifi network I connect (we run 2 wifi networks).

Newbie question: how can I set G_MESSAGES_DEBUG=all?
Comment 49 Debarshi Ray 2017-01-11 10:48:42 UTC
(In reply to romu from comment #48)
> Newbie question: how can I set G_MESSAGES_DEBUG=all?

Easiest option is to run goa-daemon as:
$ G_MESSAGES_DEBUG=all /path/to/goa-daemon --replace &