[gnome-online-accounts/maybe-fix-kcm-issue] identity: Don't add temporary accounts for expired credentials




commit f000f3440e184d19f1434f445f82d5afd8f8af98
Author: Ray Strode <rstrode redhat com>
Date:   Thu Oct 13 16:11:54 2022 -0400

    identity: Don't add temporary accounts for expired credentials
    
    The identity service creates a "temporary" kerberos account when
    a user manually does kinit, to handle automatic renewal, etc.
    
    Unfortunately, it also picks up expired cruft that builds up in
    KCM based credential caches, and creates temporary accounts for
    that as well.
    
    This commit tries to avoid that.
    
    Closes https://gitlab.gnome.org/GNOME/gnome-online-accounts/-/issues/32

 src/goabackend/goakerberosprovider.c  | 2 +-
 src/goaidentity/goaidentityservice.c  | 2 +-
 src/goaidentity/goakerberosidentity.c | 9 ++++++---
 3 files changed, 8 insertions(+), 5 deletions(-)
---
diff --git a/src/goabackend/goakerberosprovider.c b/src/goabackend/goakerberosprovider.c
index b3ffc3f5..83ba608d 100644
--- a/src/goabackend/goakerberosprovider.c
+++ b/src/goabackend/goakerberosprovider.c
@@ -1159,7 +1159,7 @@ ensure_credentials_sync (GoaProvider    *provider,
       g_mutex_unlock (&identity_manager_mutex);
       ticket_synced = get_ticket_sync (GOA_KERBEROS_PROVIDER (provider),
                                        object,
-                                       FALSE /* Don't allow interaction */,
+                                       TRUE, /* Allow interaction */,
                                        cancellable,
                                        &lookup_error);
       g_mutex_lock (&identity_manager_mutex);
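Review bot: The new argument line `TRUE, /* Allow interaction */,` has a comma on both sides of the comment, which leaves an empty argument in the get_ticket_sync() call and will not compile; it should read `TRUE /* Allow interaction */,`. Separately, switching this call from non-interactive to interactive is not mentioned in the commit message, which only discusses expired KCM credentials, so it is worth confirming the flip is intended. If it is, ensure_credentials_sync can presumably now trigger a credential prompt, and that deserves a sentence in the description and a comment at the call site. The body of ensure_credentials_sync continues outside the hunk.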
diff --git a/src/goaidentity/goaidentityservice.c b/src/goaidentity/goaidentityservice.c
index 3dd27060..a25de416 100644
--- a/src/goaidentity/goaidentityservice.c
+++ b/src/goaidentity/goaidentityservice.c
@@ -1097,7 +1097,7 @@ on_identity_added (GoaIdentityManager *identity_manager,
 
   object = find_object_with_principal (self, identifier, FALSE);
 
-  if (object == NULL)
+  if (object == NULL && goa_identity_is_signed_in (identity))
     add_temporary_account (self, identity);
 
   g_clear_object (&object);
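Review bot: With the added `goa_identity_is_signed_in (identity)` test, an identity that is not signed in when on_identity_added fires gets no temporary account from this handler, and nothing in the hunk shows a later path that adds one if the same cache is refreshed by a new kinit. Please confirm that the refresh or renewal handlers, which are outside this hunk, cover that case. A comment above the condition would also help, for example `/* Only signed-in identities get a temporary account; expired cache entries are skipped */`.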
diff --git a/src/goaidentity/goakerberosidentity.c b/src/goaidentity/goakerberosidentity.c
index 45d54f4d..46dc808d 100644
--- a/src/goaidentity/goakerberosidentity.c
+++ b/src/goaidentity/goakerberosidentity.c
@@ -986,8 +986,10 @@ goa_kerberos_identity_initable_init (GInitable     *initable,
     {
       self->identifier = get_identifier (self, error);
 
-      if (self->identifier != NULL)
-        queue_notify (self, &self->identifier_idle_id, "identifier");
+      if (self->identifier == NULL)
+          return FALSE;
+
+       queue_notify (self, &self->identifier_idle_id, "identifier");
     }
 
   verification_error = NULL;
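Review bot: The new early `return FALSE;` relies on get_identifier() having filled in `error`. GInitable callers expect an error to be set when init fails, so if get_identifier() can return NULL without setting it, the failure is reported with no reason; this needs checking against get_identifier, which is not in the hunk. The two added statements are also indented inconsistently with the surrounding style: `return FALSE;` is four columns past the `if` and `queue_notify` is one column off from `self->identifier = ...`. The function starts and continues outside the hunk, so whether anything set up earlier in init needs releasing before this return cannot be checked here.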
@@ -1388,7 +1390,8 @@ goa_kerberos_identity_update (GoaKerberosIdentity *self,
 
   if (new_verification_level != old_verification_level)
     {
-      if (old_verification_level == VERIFICATION_LEVEL_SIGNED_IN &&
+      if ((old_verification_level == VERIFICATION_LEVEL_SIGNED_IN ||
+           old_verification_level == VERIFICATION_LEVEL_UNVERIFIED) &&
           new_verification_level == VERIFICATION_LEVEL_EXISTS)
         {
           G_LOCK (identity_lock);
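Review bot: The widened condition now treats an UNVERIFIED to EXISTS transition the same as SIGNED_IN to EXISTS, but the branch body starts at `G_LOCK (identity_lock)` and continues outside the hunk, so its effect cannot be fully checked here. If that body reports the identity as expired, it will now do so for credentials that were never seen as signed in, so please confirm that listeners tolerate this. A short comment saying why UNVERIFIED is included would make the intent clear, for example `/* identities first seen with already-expired credentials start out UNVERIFIED */`, if that is indeed the reason.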

