def __call__(self, environ, start_response):
'''
'''
logger.debug('WSGI xmlserver_session.__call__:')
ccache_name = environ.get('KRB5CCNAME')
# Redirect to /ipa/xml if no Kerberos credentials
if ccache_name is None:
logger.debug('xmlserver_session.__call_: no ccache, need TGT')
return self.need_login(start_response)
# Redirect to /ipa/xml if Kerberos credentials are expired
creds = get_credentials_if_valid(ccache_name=ccache_name)
if not creds:
logger.debug('xmlserver_session.__call_: ccache expired, deleting '
'session, need login')
# The request is finished with the ccache, destroy it.
return self.need_login(start_response)
# Store the session data in the per-thread context
setattr(context, 'ccache_name', ccache_name)
try:
response = super(xmlserver_session,
self).__call__(environ, start_response)
finally:
destroy_context()
return response
def get_environ_creds(self, environ):
# If we have a ccache ...
ccache_name = environ.get('KRB5CCNAME')
if ccache_name is None:
logger.debug('no ccache, need login')
return None
# ... make sure we have a name ...
principal = environ.get('GSS_NAME')
if principal is None:
logger.debug('no Principal Name, need login')
return None
# ... and use it to resolve the ccache name (Issue: 6972 )
gss_name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
# Fail if Kerberos credentials are expired or missing
creds = get_credentials_if_valid(name=gss_name,
ccache_name=ccache_name)
if not creds:
logger.debug(
'ccache expired or invalid, deleting session, need login')
return None
return ccache_name
def __call__(self, environ, start_response):
'''
'''
self.debug('WSGI xmlserver_session.__call__:')
ccache_name = environ.get('KRB5CCNAME')
# Redirect to /ipa/xml if no Kerberos credentials
if ccache_name is None:
self.debug('xmlserver_session.__call_: no ccache, need TGT')
return self.need_login(start_response)
# Redirect to /ipa/xml if Kerberos credentials are expired
creds = get_credentials_if_valid(ccache_name=ccache_name)
if not creds:
self.debug('xmlserver_session.__call_: ccache expired, deleting session, need login')
# The request is finished with the ccache, destroy it.
return self.need_login(start_response)
# Store the session data in the per-thread context
setattr(context, 'ccache_name', ccache_name)
try:
response = super(xmlserver_session, self).__call__(environ, start_response)
finally:
destroy_context()
return response
def get_environ_creds(self, environ):
# If we have a ccache ...
ccache_name = environ.get('KRB5CCNAME')
if ccache_name is None:
logger.debug('no ccache, need login')
return
# ... make sure we have a name ...
principal = environ.get('GSS_NAME')
if principal is None:
logger.debug('no Principal Name, need login')
return
# ... and use it to resolve the ccache name (Issue: 6972 )
gss_name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
# Fail if Kerberos credentials are expired or missing
creds = get_credentials_if_valid(name=gss_name,
ccache_name=ccache_name)
if not creds:
logger.debug(
'ccache expired or invalid, deleting session, need login')
return
return ccache_name
def valid_creds(principal):
"""
Get valid credintials matching the princial
"""
creds = get_credentials_if_valid()
if creds and \
creds.lifetime > 0 and \
"%s@" % principal in creds.name.display_as(creds.name.name_type):
return True
return False
def valid_creds(module, principal):
"""
Get valid credintials matching the princial, try GSSAPI first
"""
if "KRB5CCNAME" in os.environ:
ccache = os.environ["KRB5CCNAME"]
module.debug('KRB5CCNAME set to %s' % ccache)
try:
cred = gssapi.Credentials(usage='initiate',
store={'ccache': ccache})
except gssapi.raw.misc.GSSError as e:
module.fail_json(msg='Failed to find default ccache: %s' % e)
else:
module.debug("Using principal %s" % str(cred.name))
return True
elif "KRB5_CLIENT_KTNAME" in os.environ:
keytab = os.environ.get('KRB5_CLIENT_KTNAME', None)
module.debug('KRB5_CLIENT_KTNAME set to %s' % keytab)
ccache_name = "MEMORY:%s" % str(uuid.uuid4())
os.environ["KRB5CCNAME"] = ccache_name
try:
cred = kinit_keytab(principal, keytab, ccache_name)
except gssapi.raw.misc.GSSError as e:
module.fail_json(msg='Kerberos authentication failed : %s' % e)
else:
module.debug("Using principal %s" % str(cred.name))
return True
creds = get_credentials_if_valid()
if creds and \
creds.lifetime > 0 and \
"%s@" % principal in creds.name.display_as(creds.name.name_type):
return True
return False
def __call__(self, environ, start_response):
'''
'''
self.debug('WSGI jsonserver_session.__call__:')
ccache_name = environ.get('KRB5CCNAME')
# Redirect to login if no Kerberos credentials
if ccache_name is None:
self.debug('no ccache, need login')
return self.need_login(start_response)
# Redirect to login if Kerberos credentials are expired
creds = get_credentials_if_valid(ccache_name=ccache_name)
if not creds:
self.debug('ccache expired, deleting session, need login')
# The request is finished with the ccache, destroy it.
return self.need_login(start_response)
# Store the ccache name in the per-thread context
setattr(context, 'ccache_name', ccache_name)
# This may fail if a ticket from wrong realm was handled via browser
try:
self.create_context(ccache=ccache_name)
except ACIError as e:
return self.unauthorized(environ, start_response, str(e), 'denied')
try:
response = super(jsonserver_session,
self).__call__(environ, start_response)
finally:
destroy_context()
return response
def __call__(self, environ, start_response):
'''
'''
self.debug('WSGI jsonserver_session.__call__:')
# Load the session data
session_data = session_mgr.load_session_data(environ.get('HTTP_COOKIE'))
session_id = session_data['session_id']
self.debug('jsonserver_session.__call__: session_id=%s start_timestamp=%s access_timestamp=%s expiration_timestamp=%s',
session_id,
fmt_time(session_data['session_start_timestamp']),
fmt_time(session_data['session_access_timestamp']),
fmt_time(session_data['session_expiration_timestamp']))
ccache_data = session_data.get('ccache_data')
# Redirect to login if no Kerberos credentials
if ccache_data is None:
self.debug('no ccache, need login')
return self.need_login(start_response)
ipa_ccache_name = bind_ipa_ccache(ccache_data)
# Redirect to login if Kerberos credentials are expired
creds = get_credentials_if_valid(ccache_name=ipa_ccache_name)
if not creds:
self.debug('ccache expired, deleting session, need login')
# The request is finished with the ccache, destroy it.
release_ipa_ccache(ipa_ccache_name)
return self.need_login(start_response)
# Update the session expiration based on the Kerberos expiration
endtime = creds.lifetime + time.time()
self.update_session_expiration(session_data, endtime)
# Store the session data in the per-thread context
setattr(context, 'session_data', session_data)
# This may fail if a ticket from wrong realm was handled via browser
try:
self.create_context(ccache=ipa_ccache_name)
except ACIError as e:
return self.unauthorized(environ, start_response, str(e), 'denied')
try:
response = super(jsonserver_session, self).__call__(environ, start_response)
finally:
# Kerberos may have updated the ccache data during the
# execution of the command therefore we need refresh our
# copy of it in the session data so the next command sees
# the same state of the ccache.
#
# However we must be careful not to restore the ccache
# data in the session data if it was explicitly deleted
# during the execution of the command. For example the
# logout command removes the ccache data from the session
# data to invalidate the session credentials.
if 'ccache_data' in session_data:
session_data['ccache_data'] = load_ccache_data(ipa_ccache_name)
# The request is finished with the ccache, destroy it.
release_ipa_ccache(ipa_ccache_name)
# Store the session data.
session_mgr.store_session_data(session_data)
destroy_context()
return response
def __call__(self, environ, start_response):
'''
'''
self.debug('WSGI jsonserver_session.__call__:')
# Load the session data
session_mgr = get_session_mgr()
session_data = session_mgr.load_session_data(
environ.get('HTTP_COOKIE'))
session_id = session_data['session_id']
self.debug(
'jsonserver_session.__call__: session_id=%s start_timestamp=%s access_timestamp=%s expiration_timestamp=%s',
session_id, fmt_time(session_data['session_start_timestamp']),
fmt_time(session_data['session_access_timestamp']),
fmt_time(session_data['session_expiration_timestamp']))
ccache_data = session_data.get('ccache_data')
# Redirect to login if no Kerberos credentials
if ccache_data is None:
self.debug('no ccache, need login')
return self.need_login(start_response)
ipa_ccache_name = bind_ipa_ccache(ccache_data)
# Redirect to login if Kerberos credentials are expired
creds = get_credentials_if_valid(ccache_name=ipa_ccache_name)
if not creds:
self.debug('ccache expired, deleting session, need login')
# The request is finished with the ccache, destroy it.
release_ipa_ccache(ipa_ccache_name)
return self.need_login(start_response)
# Update the session expiration based on the Kerberos expiration
endtime = creds.lifetime + time.time()
self.update_session_expiration(session_data, endtime)
# Store the session data in the per-thread context
setattr(context, 'session_data', session_data)
# This may fail if a ticket from wrong realm was handled via browser
try:
self.create_context(ccache=ipa_ccache_name)
except ACIError as e:
return self.unauthorized(environ, start_response, str(e), 'denied')
try:
response = super(jsonserver_session,
self).__call__(environ, start_response)
finally:
# Kerberos may have updated the ccache data during the
# execution of the command therefore we need refresh our
# copy of it in the session data so the next command sees
# the same state of the ccache.
#
# However we must be careful not to restore the ccache
# data in the session data if it was explicitly deleted
# during the execution of the command. For example the
# logout command removes the ccache data from the session
# data to invalidate the session credentials.
if 'ccache_data' in session_data:
session_data['ccache_data'] = load_ccache_data(ipa_ccache_name)
# The request is finished with the ccache, destroy it.
release_ipa_ccache(ipa_ccache_name)
# Store the session data.
session_mgr.store_session_data(session_data)
destroy_context()
return response