- if (context->session == NULL || context->closing || context->super)
- return NULL;
- if (!context->refreshing)
- return NULL;
- if (!context->refreshed) {
- afb_session_new_token (context->session);
- context->refreshed = 1;
+ struct afb_cred *ocred = context->credentials;
+ if (ocred != cred) {
+ context->credentials = afb_cred_addref(cred);
+ afb_cred_unref(ocred);
+ }
+}
+
+void afb_context_change_token(struct afb_context *context, struct afb_token *token)
+{
+ struct afb_token *otoken = context->token;
+ if (otoken != token) {
+ context->token = afb_token_addref(token);
+ afb_token_unref(otoken);
+ }
+}
+
+const char *afb_context_on_behalf_export(struct afb_context *context)
+{
+ return context->credentials ? afb_cred_export(context->credentials) : NULL;
+}
+
+int afb_context_on_behalf_import(struct afb_context *context, const char *exported)
+{
+ int rc;
+ struct afb_cred *imported, *ocred;
+
+ if (!exported || !*exported)
+ rc = 0;
+ else {
+ if (afb_context_has_permission(context, afb_permission_on_behalf_credential)) {
+ imported = afb_cred_import(exported);
+ if (!imported) {
+ ERROR("Can't import on behalf credentials: %m");
+ rc = -1;
+ } else {
+ ocred = context->credentials;
+ context->credentials = imported;
+ afb_cred_unref(ocred);
+ rc = 0;
+ }
+ } else {
+ ERROR("On behalf credentials refused");
+ rc = -1;
+ }