Add support to domain controller through env var

auth/kerberos/src/krb.cpp

@@ -608,6 +608,7 @@ std::pair<int, std::string> get_gmsa_krb_ticket( std::string domain_name,
                                                  const std::string& krb_cc_name,
                                                  creds_fetcher::CF_logger& cf_logger )
 {
+    std::string domain_controller_gmsa( "DOMAIN_CONTROLLER_GMSA" );
     std::vector<std::string> results;
 
     if ( domain_name.empty() || gmsa_account_name.empty() )
@@ -624,28 +625,34 @@ std::pair<int, std::string> get_gmsa_krb_ticket( std::string domain_name,
     }
     base_dn.pop_back(); // Remove last comma
 
-    std::pair<int, std::vector<std::string>> domain_ips = get_domain_ips( domain_name );
-    if ( domain_ips.first != 0 )
-    {
-        cf_logger.logger( LOG_ERR, "ERROR: Cannot resolve domain IPs of %s", __func__, __LINE__,
-                          domain_name );
-        return std::make_pair( -1, std::string( "" ) );
-    }
 
     std::string fqdn;
-    for ( auto domain_ip : domain_ips.second )
+    fqdn = retrieve_secret_from_ecs_config(domain_controller_gmsa);
+
+    if(fqdn.empty())
     {
-        auto fqdn_result = get_fqdn_from_domain_ip( domain_ip, domain_name );
-        if ( fqdn_result.first == 0 )
+        std::pair<int, std::vector<std::string>> domain_ips = get_domain_ips( domain_name );
+        if ( domain_ips.first != 0 )
         {
-            fqdn = fqdn_result.second;
-            break;
+            cf_logger.logger( LOG_ERR, "ERROR: Cannot resolve domain IPs of %s", __func__, __LINE__,
+                              domain_name );
+            return std::make_pair( -1, std::string( "" ) );
+        }
+
+        for ( auto domain_ip : domain_ips.second )
+        {
+            auto fqdn_result = get_fqdn_from_domain_ip( domain_ip, domain_name );
+            if ( fqdn_result.first == 0 )
+            {
+                fqdn = fqdn_result.second;
+                break;
+            }
+        }
+        if ( fqdn.empty() )
+        {
+            std::cout << "************ERROR***********" << std::endl;
+            return std::make_pair( -1, std::string( "" ) );
         }
-    }
-    if ( fqdn.empty() )
-    {
-        std::cout << "************ERROR***********" << std::endl;
-        return std::make_pair( -1, std::string( "" ) );
     }
 
     /**
@@ -943,6 +950,29 @@ std::vector<std::string> delete_krb_tickets( std::string krb_files_dir, std::str
     return delete_krb_ticket_paths;
 }
 
+std::string retrieve_secret_from_ecs_config(std::string ecs_variable_name)
+{
+    const char* ecs_config_file_name = "/etc/ecs/ecs.config"; // TBD:: Add commandline if needed
+
+    std::ifstream config_file( ecs_config_file_name );
+    std::string line;
+    std::vector<std::string> results;
+
+    while ( std::getline( config_file, line ) )
+    {
+        // TBD: Error handling for incorrectly formatted /etc/ecs/ecs.config
+        boost::split( results, line, []( char c ) { return c == '='; } );
+        std::string key = results[0];
+        std::string value = results[1];
+        if ( ecs_variable_name.compare( key ) == 0 )
+        {
+            value.erase( std::remove( value.begin(), value.end(), '"' ), value.end() );
+            return value;
+        }
+    }
+    return "";
+}
+
 /**
  * trim from start (in place)
  * @param s - string input

common/daemon.h

@@ -154,6 +154,7 @@ int renewal_failure_krb_dir_not_found_test();
 int parse_options( int argc, const char* argv[], creds_fetcher::Daemon& cf_daemon );
 
 int parse_config_file( creds_fetcher::Daemon& cf_daemon );
+std::string retrieve_secret_from_ecs_config(std::string ecs_variable_name);
 
 /**
  * Methods in api module

config/src/config.cpp

@@ -11,11 +11,9 @@
 
 int parse_options( int argc, const char* argv[], creds_fetcher::Daemon& cf_daemon )
 {
-    const char* ecs_config_file_name = "/etc/ecs/ecs.config"; // TBD:: Add commandline if needed
-    std::string domainless_gmsa_field( "CREDENTIALS_FETCHER_SECRET_NAME_FOR_DOMAINLESS_GMSA" );
-
     try
     {
+        std::string domainless_gmsa_field( "CREDENTIALS_FETCHER_SECRET_NAME_FOR_DOMAINLESS_GMSA" );
         namespace po = boost::program_options;
 
         /* Declare the supported options */
@@ -59,24 +57,8 @@ int parse_options( int argc, const char* argv[], creds_fetcher::Daemon& cf_daemo
                 << "Option selected for domainless operation, AWS secrets manager secret-name = "
                 << cf_daemon.aws_sm_secret_name << std::endl;
         }
-
-        std::ifstream config_file( ecs_config_file_name );
-        std::string line;
-        std::vector<std::string> results;
-
-        while ( std::getline( config_file, line ) )
-        {
-            // TBD: Error handling for incorrectly formatted /etc/ecs/ecs.config
-            boost::split( results, line, []( char c ) { return c == '='; } );
-            std::string key = results[0];
-            std::string value = results[1];
-            if ( domainless_gmsa_field.compare( key ) == 0 )
-            {
-                value.erase( std::remove( value.begin(), value.end(), '"' ), value.end() );
-                std::cout << "Using " << value << " for domainless gMSA" << std::endl;
-                cf_daemon.aws_sm_secret_name = value;
-            }
-        }
+        std::string aws_sm_secret_name = retrieve_secret_from_ecs_config(domainless_gmsa_field);
+        cf_daemon.aws_sm_secret_name = aws_sm_secret_name;
     }
     catch ( const boost::program_options::error& ex )
     {

daemon/src/daemon.cpp

@@ -255,3 +255,4 @@ int main( int argc, const char* argv[] )
 
     return EXIT_SUCCESS;
 }
+