From 41820ba179c91d1d5452b303884b542d708a4911 Mon Sep 17 00:00:00 2001
From: Ray Strode <rstrode@redhat.com>
Date: Tue, 21 Feb 2023 12:07:04 -0500
Subject: goakerberosidentity: Ensure old_verification_level is initialized

verify_identity has a short-circuit at the top of the file if the
active credentials cache is already known. In that case it bypasses
the search for a credentials cache. Unfortunately it also inadvertently
bypasses initialization of old_verification_level, leading to the
code thinking the identity is always going unexpired.

This commit fixes that.
---
 src/goaidentity/goakerberosidentity.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/goaidentity/goakerberosidentity.c b/src/goaidentity/goakerberosidentity.c
index 0eb0a9c..e4f09e1 100644
--- a/src/goaidentity/goakerberosidentity.c
+++ b/src/goaidentity/goakerberosidentity.c
@@ -886,6 +886,10 @@ verify_identity (GoaKerberosIdentity  *self,
   VerificationLevel best_verification_level = VERIFICATION_LEVEL_UNVERIFIED;
   GHashTableIter iter;
 
+  G_LOCK (identity_lock);
+  old_verification_level = self->cached_verification_level;
+  G_UNLOCK (identity_lock);
+
   if (self->active_credentials_cache_name != NULL)
     {
       G_LOCK (identity_lock);
@@ -923,10 +927,6 @@ verify_identity (GoaKerberosIdentity  *self,
         }
   }
 
-  G_LOCK (identity_lock);
-  old_verification_level = self->cached_verification_level;
-  G_UNLOCK (identity_lock);
-
   G_LOCK (identity_lock);
   g_hash_table_iter_init (&iter, self->credentials_caches);
   while (g_hash_table_iter_next (&iter, (gpointer *) &name, (gpointer*) &credentials_cache))
-- 
cgit v1.2.1