pub struct ArmorCache { /* private fields */ }Expand description
A FILE: credential cache holding the machine (armor) ticket.
Implementations§
Source§impl ArmorCache
impl ArmorCache
pub fn new(path: impl Into<PathBuf>) -> Self
pub fn path(&self) -> &Path
Sourcepub fn cache_name(&self) -> String
pub fn cache_name(&self) -> String
The FILE:<path> form kinit/klist/kdestroy expect.
Sourcepub fn is_valid(&self, tools: &Tools) -> bool
pub fn is_valid(&self, tools: &Tools) -> bool
Does the cache exist and hold a non-expired ticket? (klist -s)
Sourcepub fn renew(&self, tools: &Tools, identity: &MachineIdentity) -> Result<()>
pub fn renew(&self, tools: &Tools, identity: &MachineIdentity) -> Result<()>
Renew the existing ticket in place (kinit -R).
No keytab and no fresh authentication needed. Renewal only works while
the current ticket is still unexpired (AD machine tickets live
~10 h); the ~7-day renewable lifetime is the outer bound reachable via
repeated pre-expiry renewals, not a grace period after expiry — an
expired ticket always needs Self::mint. Use Self::ensure to get
the fallback automatically.
The expected principal is passed explicitly, so a cache that somehow holds a different principal fails here (“Matching credential not found”) instead of being silently renewed as the wrong identity.
Sourcepub fn mint(&self, tools: &Tools, identity: &MachineIdentity) -> Result<()>
pub fn mint(&self, tools: &Tools, identity: &MachineIdentity) -> Result<()>
Mint a brand-new ticket from the machine keytab (kinit -k).
Needs read access to the keytab — root, in practice.
Sourcepub fn ensure(
&self,
tools: &Tools,
identity: &MachineIdentity,
) -> Result<Freshness>
pub fn ensure( &self, tools: &Tools, identity: &MachineIdentity, ) -> Result<Freshness>
Make sure the cache holds a valid ticket for this identity: renew
if possible (cheapest, keeps the same established ticket), mint from
the keytab otherwise. The result is verified with klist -s before
returning. A cache holding a foreign principal fails the renew and is
overwritten by the mint — the cache self-heals.
Sourcepub fn set_access(&self, gid: u32) -> Result<()>
pub fn set_access(&self, gid: u32) -> Result<()>
Restrict the cache to root:<gid> 0640 so group members (and only
they) can use the armor ticket. kinit re-creates the file 0600 on
every renew/mint, so call this after ensure.
Only the group is changed (owner stays whoever kinit ran as), so this
works under a minimal capability set (CAP_CHOWN). Race-free against
symlink swaps: the file is opened with O_NOFOLLOW and the ownership/
mode changes are applied through the file descriptor (fchown/
fchmod), so there is no check-to-use window on the path.
Sourcepub fn klist_text(&self, tools: &Tools) -> Result<String>
pub fn klist_text(&self, tools: &Tools) -> Result<String>
Raw klist text for status display (LC_ALL=C, so stable format).
Trait Implementations§
Source§impl Clone for ArmorCache
impl Clone for ArmorCache
Source§fn clone(&self) -> ArmorCache
fn clone(&self) -> ArmorCache
1.0.0 (const: unstable) · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read more