def finalize_kerberos_acquisition(self, who, ccache_name, environ, start_response, headers=None): if headers is None: headers = [] # Retrieve the session data (or newly create) session_mgr = get_session_mgr() session_data = session_mgr.load_session_data(environ.get('HTTP_COOKIE')) session_id = session_data['session_id'] self.debug('finalize_kerberos_acquisition: %s ccache_name="%s" session_id="%s"', who, ccache_name, session_id) # Copy the ccache file contents into the session data session_data['ccache_data'] = load_ccache_data(ccache_name) # Set when the session will expire creds = get_credentials(ccache_name=ccache_name) endtime = creds.lifetime + time.time() self.update_session_expiration(session_data, endtime) # Store the session data now that it's been updated with the ccache session_mgr.store_session_data(session_data) # The request is finished with the ccache, destroy it. release_ipa_ccache(ccache_name) # Return success and set session cookie session_cookie = session_mgr.generate_cookie('/ipa', session_id, session_data['session_expiration_timestamp']) headers.append(('Set-Cookie', session_cookie)) start_response(HTTP_STATUS_SUCCESS, headers) return ['']
def __call__(self, environ, start_response): ''' ''' self.debug('WSGI jsonserver_session.__call__:') # Load the session data session_mgr = get_session_mgr() session_data = session_mgr.load_session_data( environ.get('HTTP_COOKIE')) session_id = session_data['session_id'] self.debug( 'jsonserver_session.__call__: session_id=%s start_timestamp=%s access_timestamp=%s expiration_timestamp=%s', session_id, fmt_time(session_data['session_start_timestamp']), fmt_time(session_data['session_access_timestamp']), fmt_time(session_data['session_expiration_timestamp'])) ccache_data = session_data.get('ccache_data') # Redirect to login if no Kerberos credentials if ccache_data is None: self.debug('no ccache, need login') return self.need_login(start_response) ipa_ccache_name = bind_ipa_ccache(ccache_data) # Redirect to login if Kerberos credentials are expired creds = get_credentials_if_valid(ccache_name=ipa_ccache_name) if not creds: self.debug('ccache expired, deleting session, need login') # The request is finished with the ccache, destroy it. release_ipa_ccache(ipa_ccache_name) return self.need_login(start_response) # Update the session expiration based on the Kerberos expiration endtime = creds.lifetime + time.time() self.update_session_expiration(session_data, endtime) # Store the session data in the per-thread context setattr(context, 'session_data', session_data) # This may fail if a ticket from wrong realm was handled via browser try: self.create_context(ccache=ipa_ccache_name) except ACIError as e: return self.unauthorized(environ, start_response, str(e), 'denied') try: response = super(jsonserver_session, self).__call__(environ, start_response) finally: # Kerberos may have updated the ccache data during the # execution of the command therefore we need refresh our # copy of it in the session data so the next command sees # the same state of the ccache. # # However we must be careful not to restore the ccache # data in the session data if it was explicitly deleted # during the execution of the command. For example the # logout command removes the ccache data from the session # data to invalidate the session credentials. if 'ccache_data' in session_data: session_data['ccache_data'] = load_ccache_data(ipa_ccache_name) # The request is finished with the ccache, destroy it. release_ipa_ccache(ipa_ccache_name) # Store the session data. session_mgr.store_session_data(session_data) destroy_context() return response
def __call__(self, environ, start_response): ''' ''' self.debug('WSGI jsonserver_session.__call__:') # Load the session data session_mgr = get_session_mgr() session_data = session_mgr.load_session_data(environ.get('HTTP_COOKIE')) session_id = session_data['session_id'] self.debug('jsonserver_session.__call__: session_id=%s start_timestamp=%s access_timestamp=%s expiration_timestamp=%s', session_id, fmt_time(session_data['session_start_timestamp']), fmt_time(session_data['session_access_timestamp']), fmt_time(session_data['session_expiration_timestamp'])) ccache_data = session_data.get('ccache_data') # Redirect to login if no Kerberos credentials if ccache_data is None: self.debug('no ccache, need login') return self.need_login(start_response) ipa_ccache_name = bind_ipa_ccache(ccache_data) # Redirect to login if Kerberos credentials are expired creds = get_credentials_if_valid(ccache_name=ipa_ccache_name) if not creds: self.debug('ccache expired, deleting session, need login') # The request is finished with the ccache, destroy it. release_ipa_ccache(ipa_ccache_name) return self.need_login(start_response) # Update the session expiration based on the Kerberos expiration endtime = creds.lifetime + time.time() self.update_session_expiration(session_data, endtime) # Store the session data in the per-thread context setattr(context, 'session_data', session_data) # This may fail if a ticket from wrong realm was handled via browser try: self.create_context(ccache=ipa_ccache_name) except ACIError as e: return self.unauthorized(environ, start_response, str(e), 'denied') try: response = super(jsonserver_session, self).__call__(environ, start_response) finally: # Kerberos may have updated the ccache data during the # execution of the command therefore we need refresh our # copy of it in the session data so the next command sees # the same state of the ccache. # # However we must be careful not to restore the ccache # data in the session data if it was explicitly deleted # during the execution of the command. For example the # logout command removes the ccache data from the session # data to invalidate the session credentials. if 'ccache_data' in session_data: session_data['ccache_data'] = load_ccache_data(ipa_ccache_name) # The request is finished with the ccache, destroy it. release_ipa_ccache(ipa_ccache_name) # Store the session data. session_mgr.store_session_data(session_data) destroy_context() return response