From 2beefd11c924456754d759c43453bdaf93eb62f9 Mon Sep 17 00:00:00 2001
From: Ben Pope
Date: Thu, 26 Jan 2023 00:11:06 +0000
Subject: [PATCH] security: Refactor gssapi_authenticator 5/5
Eliminate `finish`, reset `impl` when authentication is complete.
Signed-off-by: Ben Pope
---
 src/v/security/gssapi_authenticator.cc | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/src/v/security/gssapi_authenticator.cc b/src/v/security/gssapi_authenticator.cc
index d9291b900bb99..70ab91a6e4db8 100644
--- a/src/v/security/gssapi_authenticator.cc
+++ b/src/v/security/gssapi_authenticator.cc
@@ -138,7 +138,6 @@ class gssapi_authenticator::impl {
 state_result ssfcap(bytes_view);
 state_result ssfreq(bytes_view);
 state_result check();
- void finish();
 void fail_impl(OM_uint32 maj_stat, OM_uint32 min_stat, std::string_view msg);
 template
@@ -172,6 +171,15 @@ gssapi_authenticator::gssapi_authenticator(
 gssapi_authenticator::~gssapi_authenticator() = default;
 ss::future> gssapi_authenticator::authenticate(bytes auth_bytes) {
+ if (!_impl) {
+ vlog(
+ seclog.warn,
+ "authenticate received after handshake complete {} bytes",
+ _state,
+ auth_bytes.size());
+ co_return errc::invalid_gssapi_state;
+ }
+
 vlog(
 seclog.trace,
 "gss {} authenticate received {} bytes",
@@ -187,6 +195,7 @@ ss::future> gssapi_authenticator::authenticate(bytes auth_bytes) {
 if (_state == state::complete) {
 _principal = co_await _worker.submit(
 [this]() { return _impl->principal(); });
+ _impl.reset();
 }
 co_return std::move(res.result);
 }
@@ -400,7 +409,7 @@ gssapi_authenticator::impl::ssfreq(bytes_view auth_bytes) {
 bytes ret{};
 vlog(seclog.trace, "gss {} sending {} bytes", _state, ret.size());
- finish();
+ _state = state::complete;
 return {_state, ret};
 }
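Review bot: The warning added at the top of `gssapi_authenticator::authenticate` passes two arguments (`_state` and `auth_bytes.size()`) to a format string that has only one `{}`. Assuming the logger fills placeholders in order, the state is printed where the byte count is expected and the size is never logged. This line is the only visible record of a client sending tokens after the handshake has finished, so it should read correctly, for example `"gss {} authenticate received after handshake complete, {} bytes"`, which matches the trace message just below it. The function body continues outside this hunk.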
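Review bot: In `gssapi_authenticator::authenticate`, `_impl.reset()` is reached only on the `_state == state::complete` branch, and only after the awaited `principal()` call returns, so a handshake that ends any other way keeps `impl` alive together with the GSS context and server credentials it owns. If the exchange fails (the failure handling is outside this hunk) or the `_worker.submit` future throws, the new `!_impl` guard at the top of the function will not reject further tokens on that connection. Consider releasing `_impl` on every terminal outcome rather than only on success, and documenting the invariant next to the reset with a comment such as `// _impl == nullptr marks a finished handshake; authenticate() rejects further tokens`. The function starts outside this hunk.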
@@ -474,12 +483,6 @@ gssapi_authenticator::impl::check() {
 return {_state, outcome::success()};
 }
-void gssapi_authenticator::impl::finish() {
- _context.reset();
- _server_creds.reset();
- _state = state::complete;
-}
-
 void gssapi_authenticator::impl::fail_impl(
 OM_uint32 maj_stat, OM_uint32 min_stat, std::string_view msg) {
 if (maj_stat != 0 || min_stat != 0) {