From b24503b636e101d7c4afb946d10245bc05a60032 Mon Sep 17 00:00:00 2001
From: Xavier Guimard
Date: Tue, 13 Mar 2018 15:04:19 +0100
Subject: [PATCH] Don't reuse Kerberos ticket (#1389)
---
 TODO-2.0.md | 1 +
 .../lib/Lemonldap/NG/Portal/Auth/Kerberos.pm | 11 +++++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/TODO-2.0.md b/TODO-2.0.md
index aa0f36eb3..cc8c01438 100644
--- a/TODO-2.0.md
+++ b/TODO-2.0.md
@@ -1,3 +1,4 @@
+ * Minimal authn level system (choice only)
 * (2ndF/OTP mail)
 * Combination/Choice for password (using session data)
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/Kerberos.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/Kerberos.pm
index 30f22c973..4b7afb607 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/Kerberos.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/Kerberos.pm
@@ -33,6 +33,13 @@ sub init {
 sub extractFormInfo {
 my ( $self, $req ) = @_;
+
+ if ( $req->datas->{_krbUser} ) {
+ $self->logger->debug( 'Kerberos ticket already validated for '
+ . $req->datas->{_krbUser} );
+ return PE_OK;
+ }
+
 my $auth = $req->env->{HTTP_AUTHORIZATION};
 unless ($auth) {
@@ -138,7 +145,7 @@ sub extractFormInfo {
 return PE_ERROR;
 }
 $self->userLogger->notice("$client_name authentified by Kerberos");
- $req->{_krbUser} = $client_name;
+ $req->datas->{_krbUser} = $client_name;
 if ( $self->conf->{krbRemoveDomain} ) {
 $client_name =~ s/^(.*)@.*$/$1/;
 }
@@ -157,7 +164,7 @@ sub authLogout {
 sub setAuthSessionInfo {
 my ( $self, $req ) = @_;
 $req->{sessionInfo}->{authenticationLevel} = $self->conf->{krbAuthnLevel};
- $req->{sessionInfo}->{_krbUser} = $req->{_krbUser};
+ $req->{sessionInfo}->{_krbUser} = $req->datas->{_krbUser};
 PE_OK;
 }
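Review bot: The new guard at the top of extractFormInfo returns PE_OK for any true value under `$req->datas->{_krbUser}` without looking at the Authorization header, so that key is now an authentication decision and the invariant behind it is not documented. In the visible lines it is written only in the second hunk, after the "authentified by Kerberos" notice, and read again in setAuthSessionInfo in the third. If `datas` can be filled from anywhere else (restored state, another module), that path would skip ticket validation, so this is worth confirming. I would add a comment above the guard, `# _krbUser is set only further down, once the ticket has been accepted; it must never come from request input`, and test with `defined` rather than truthiness. The early return also skips everything after the krbRemoveDomain block, which lies outside the hunk, so check that a second call leaves the request's user field as the first call set it.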
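Review bot: The value stored in `$req->datas->{_krbUser}` is the principal as it stands before the `krbRemoveDomain` substitution two lines later, and nothing says that this ordering is intentional. The debug line in the first hunk and the session's `_krbUser` in the third hunk therefore carry the realm, while `$client_name` may lose it. A one-line comment above the assignment would pin that down for audit and multi-realm setups, for example `# keep the full principal (with realm); only the login name is stripped below`. extractFormInfo continues outside this hunk, so the later use of the stripped `$client_name` is not visible here.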