def __call__(self, environ, start_response):
'''
'''
self.debug('WSGI jsonserver_session.__call__:')
# Redirect to login if no Kerberos credentials
ccache_name = self.get_environ_creds(environ)
if ccache_name is None:
return self.need_login(start_response)
# Store the ccache name in the per-thread context
setattr(context, 'ccache_name', ccache_name)
# This may fail if a ticket from wrong realm was handled via browser
try:
self.create_context(ccache=ccache_name)
except ACIError as e:
return self.unauthorized(environ, start_response, str(e), 'denied')
try:
response = super(jsonserver_session, self).__call__(environ, start_response)
finally:
destroy_context()
return response
def __call__(self, environ, start_response):
self.debug('KerberosWSGIExecutioner.__call__:')
user_ccache = environ.get('KRB5CCNAME')
self.headers = [('Content-Type',
'%s; charset=utf-8' % self.content_type)]
if user_ccache is None:
status = HTTP_STATUS_SERVER_ERROR
self.log.error(
'%s: %s', status, 'KerberosWSGIExecutioner.__call__: '
'KRB5CCNAME not defined in HTTP request environment')
return self.marshal(None, CCacheError())
logout_cookie = getattr(context, 'logout_cookie', None)
if logout_cookie:
self.headers.append(('IPASESSION', logout_cookie))
try:
self.create_context(ccache=user_ccache)
response = super(KerberosWSGIExecutioner,
self).__call__(environ, start_response)
except PublicError as e:
status = HTTP_STATUS_SUCCESS
response = status.encode('utf-8')
start_response(status, self.headers)
return self.marshal(None, e)
finally:
destroy_context()
return response
def __call__(self, environ, start_response):
'''
'''
logger.debug('WSGI jsonserver_session.__call__:')
# Redirect to login if no Kerberos credentials
ccache_name = self.get_environ_creds(environ)
if ccache_name is None:
return self.need_login(start_response)
# Store the ccache name in the per-thread context
setattr(context, 'ccache_name', ccache_name)
# This may fail if a ticket from wrong realm was handled via browser
try:
self.create_context(ccache=ccache_name)
except ACIError as e:
return self.unauthorized(environ, start_response, str(e), 'denied')
except errors.DatabaseError as e:
# account is disable but user has a valid ticket
msg = str(e)
if "account inactivated" in msg.lower():
return self.unauthorized(environ, start_response, str(e),
"account disabled")
else:
return self.service_unavailable(environ, start_response, msg)
try:
response = super(jsonserver_session,
self).__call__(environ, start_response)
finally:
destroy_context()
return response
def __call__(self, environ, start_response):
'''
'''
self.debug('WSGI xmlserver_session.__call__:')
ccache_name = environ.get('KRB5CCNAME')
# Redirect to /ipa/xml if no Kerberos credentials
if ccache_name is None:
self.debug('xmlserver_session.__call_: no ccache, need TGT')
return self.need_login(start_response)
# Redirect to /ipa/xml if Kerberos credentials are expired
creds = get_credentials_if_valid(ccache_name=ccache_name)
if not creds:
self.debug('xmlserver_session.__call_: ccache expired, deleting session, need login')
# The request is finished with the ccache, destroy it.
return self.need_login(start_response)
# Store the session data in the per-thread context
setattr(context, 'ccache_name', ccache_name)
try:
response = super(xmlserver_session, self).__call__(environ, start_response)
finally:
destroy_context()
return response
def __call__(self, environ, start_response):
self.debug('KerberosWSGIExecutioner.__call__:')
user_ccache=environ.get('KRB5CCNAME')
object.__setattr__(
self, 'headers',
[('Content-Type', '%s; charset=utf-8' % self.content_type)]
)
if user_ccache is None:
status = HTTP_STATUS_SERVER_ERROR
self.log.error(
'%s: %s', status,
'KerberosWSGIExecutioner.__call__: '
'KRB5CCNAME not defined in HTTP request environment')
return self.marshal(None, CCacheError())
try:
self.create_context(ccache=user_ccache)
response = super(KerberosWSGIExecutioner, self).__call__(
environ, start_response)
except PublicError as e:
status = HTTP_STATUS_SUCCESS
response = status.encode('utf-8')
start_response(status, self.headers)
return self.marshal(None, e)
finally:
destroy_context()
return response
def __call__(self, environ, start_response):
'''
'''
logger.debug('WSGI xmlserver_session.__call__:')
ccache_name = environ.get('KRB5CCNAME')
# Redirect to /ipa/xml if no Kerberos credentials
if ccache_name is None:
logger.debug('xmlserver_session.__call_: no ccache, need TGT')
return self.need_login(start_response)
# Redirect to /ipa/xml if Kerberos credentials are expired
creds = get_credentials_if_valid(ccache_name=ccache_name)
if not creds:
logger.debug('xmlserver_session.__call_: ccache expired, deleting '
'session, need login')
# The request is finished with the ccache, destroy it.
return self.need_login(start_response)
# Store the session data in the per-thread context
setattr(context, 'ccache_name', ccache_name)
try:
response = super(xmlserver_session,
self).__call__(environ, start_response)
finally:
destroy_context()
return response
def __call__(self, environ, start_response):
logger.debug('KerberosWSGIExecutioner.__call__:')
user_ccache = environ.get('KRB5CCNAME')
object.__setattr__(
self, 'headers',
[('Content-Type', '%s; charset=utf-8' % self.content_type)])
if user_ccache is None:
status = HTTP_STATUS_SERVER_ERROR
logger.error(
'%s: %s', status, 'KerberosWSGIExecutioner.__call__: '
'KRB5CCNAME not defined in HTTP request environment')
return self.marshal(None, CCacheError())
try:
self.create_context(ccache=user_ccache)
response = super(KerberosWSGIExecutioner,
self).__call__(environ, start_response)
except PublicError as e:
status = HTTP_STATUS_SUCCESS
response = status.encode('utf-8')
start_response(status, self.headers)
return [self.marshal(None, e)]
finally:
destroy_context()
return response
def __call__(self, environ, start_response):
self.debug('KerberosWSGIExecutioner.__call__:')
user_ccache=environ.get('KRB5CCNAME')
headers = [('Content-Type', '%s; charset=utf-8' % self.content_type)]
if user_ccache is None:
status = HTTP_STATUS_SERVER_ERROR
response_headers = [('Content-Type', 'text/html; charset=utf-8')]
self.log.error(
'%s: %s', status,
'KerberosWSGIExecutioner.__call__: '
'KRB5CCNAME not defined in HTTP request environment')
return self.marshal(None, CCacheError())
try:
self.create_context(ccache=user_ccache)
response = super(KerberosWSGIExecutioner, self).__call__(
environ, start_response)
session_data = getattr(context, 'session_data', None)
if (session_data is None and self.env.context != 'lite'):
self.finalize_kerberos_acquisition(
'xmlserver', user_ccache, environ, start_response, headers)
except PublicError as e:
status = HTTP_STATUS_SUCCESS
response = status
start_response(status, headers)
return self.marshal(None, e)
finally:
destroy_context()
return response
def __call__(self, environ, start_response):
self.debug('KerberosWSGIExecutioner.__call__:')
user_ccache = environ.get('KRB5CCNAME')
headers = [('Content-Type', '%s; charset=utf-8' % self.content_type)]
if user_ccache is None:
status = HTTP_STATUS_SERVER_ERROR
self.log.error(
'%s: %s', status, 'KerberosWSGIExecutioner.__call__: '
'KRB5CCNAME not defined in HTTP request environment')
return self.marshal(None, CCacheError())
try:
self.create_context(ccache=user_ccache)
response = super(KerberosWSGIExecutioner,
self).__call__(environ, start_response)
session_data = getattr(context, 'session_data', None)
if (session_data is None and self.env.context != 'lite'):
self.finalize_kerberos_acquisition('xmlserver', user_ccache,
environ, start_response,
headers)
except PublicError as e:
status = HTTP_STATUS_SUCCESS
response = status
start_response(status, headers)
return self.marshal(None, e)
finally:
destroy_context()
return response
def __call__(self, environ, start_response):
'''
'''
logger.debug('WSGI jsonserver_session.__call__:')
# Redirect to login if no Kerberos credentials
ccache_name = self.get_environ_creds(environ)
if ccache_name is None:
return self.need_login(start_response)
# Store the ccache name in the per-thread context
setattr(context, 'ccache_name', ccache_name)
# This may fail if a ticket from wrong realm was handled via browser
try:
self.create_context(ccache=ccache_name)
except ACIError as e:
return self.unauthorized(environ, start_response, str(e), 'denied')
try:
response = super(jsonserver_session,
self).__call__(environ, start_response)
finally:
destroy_context()
return response
def execute(self, _name, *args, **options):
try:
if _name not in self.Command:
raise CommandError(name=_name)
return self.Command[_name](*args, **options)
except PublicError:
raise
except Exception as e:
logger.exception('non-public: %s: %s', e.__class__.__name__,
str(e))
raise InternalError()
finally:
destroy_context()
def execute(self, _name, *args, **options):
try:
if _name not in self.Command:
raise CommandError(name=_name)
return self.Command[_name](*args, **options)
except PublicError:
raise
except Exception as e:
logger.exception(
'non-public: %s: %s', e.__class__.__name__, str(e)
)
raise InternalError()
finally:
destroy_context()
def execute(self, _name, *args, **options):
error = None
try:
if _name not in self.Command:
raise CommandError(name=_name)
result = self.Command[_name](*args, **options)
except PublicError as e:
error = e
except Exception as e:
self.exception('non-public: %s: %s', e.__class__.__name__, str(e))
error = InternalError()
destroy_context()
if error is None:
return result
assert isinstance(error, PublicError)
raise error #pylint: disable=E0702
def execute(self, _name, *args, **options):
error = None
try:
if _name not in self.Command:
raise CommandError(name=_name)
result = self.Command[_name](*args, **options)
except PublicError as e:
error = e
except Exception as e:
logger.exception(
'non-public: %s: %s', e.__class__.__name__, str(e)
)
error = InternalError()
destroy_context()
if error is None:
return result
assert isinstance(error, PublicError)
raise error #pylint: disable=E0702
def __call__(self, environ, start_response):
'''
'''
self.debug('WSGI jsonserver_kerb.__call__:')
user_ccache=environ.get('KRB5CCNAME')
if user_ccache is None:
self.internal_error(environ, start_response,
'jsonserver_kerb.__call__: KRB5CCNAME not defined in HTTP request environment')
return self.marshal(None, CCacheError())
self.create_context(ccache=user_ccache)
try:
response = super(jsonserver_kerb, self).__call__(environ, start_response)
finally:
destroy_context()
return response
def __call__(self, environ, start_response):
'''
'''
self.debug('WSGI jsonserver_kerb.__call__:')
user_ccache = environ.get('KRB5CCNAME')
if user_ccache is None:
self.internal_error(
environ, start_response,
'jsonserver_kerb.__call__: KRB5CCNAME not defined in HTTP request environment'
)
return self.marshal(None, CCacheError())
self.create_context(ccache=user_ccache)
try:
response = super(jsonserver_kerb,
self).__call__(environ, start_response)
finally:
destroy_context()
return response
def __call__(self, environ, start_response):
'''
'''
self.debug('WSGI jsonserver_kerb.__call__:')
user_ccache=environ.get('KRB5CCNAME')
if user_ccache is None:
self.internal_error(environ, start_response,
'jsonserver_kerb.__call__: KRB5CCNAME not defined in HTTP request environment')
return self.marshal(None, CCacheError())
self.create_context(ccache=user_ccache)
try:
response = super(jsonserver_kerb, self).__call__(environ, start_response)
if (getattr(context, 'session_data', None) is None and
self.env.context != 'lite'):
self.finalize_kerberos_acquisition('jsonserver', user_ccache,
environ, start_response)
finally:
destroy_context()
return response
def __call__(self, environ, start_response):
'''
'''
self.debug('WSGI jsonserver_session.__call__:')
ccache_name = environ.get('KRB5CCNAME')
# Redirect to login if no Kerberos credentials
if ccache_name is None:
self.debug('no ccache, need login')
return self.need_login(start_response)
# Redirect to login if Kerberos credentials are expired
creds = get_credentials_if_valid(ccache_name=ccache_name)
if not creds:
self.debug('ccache expired, deleting session, need login')
# The request is finished with the ccache, destroy it.
return self.need_login(start_response)
# Store the ccache name in the per-thread context
setattr(context, 'ccache_name', ccache_name)
# This may fail if a ticket from wrong realm was handled via browser
try:
self.create_context(ccache=ccache_name)
except ACIError as e:
return self.unauthorized(environ, start_response, str(e), 'denied')
try:
response = super(jsonserver_session,
self).__call__(environ, start_response)
finally:
destroy_context()
return response
def __call__(self, environ, start_response):
'''
'''
self.debug('WSGI xmlserver_session.__call__:')
# Load the session data
session_data = session_mgr.load_session_data(environ.get('HTTP_COOKIE'))
session_id = session_data['session_id']
self.debug('xmlserver_session.__call__: session_id=%s start_timestamp=%s access_timestamp=%s expiration_timestamp=%s',
session_id,
fmt_time(session_data['session_start_timestamp']),
fmt_time(session_data['session_access_timestamp']),
fmt_time(session_data['session_expiration_timestamp']))
ccache_data = session_data.get('ccache_data')
# Redirect to /ipa/xml if no Kerberos credentials
if ccache_data is None:
self.debug('xmlserver_session.__call_: no ccache, need TGT')
return self.need_login(start_response)
ipa_ccache_name = bind_ipa_ccache(ccache_data)
# Redirect to /ipa/xml if Kerberos credentials are expired
cc = KRB5_CCache(ipa_ccache_name)
if not cc.valid(self.api.env.host, self.api.env.realm):
self.debug('xmlserver_session.__call_: ccache expired, deleting session, need login')
# The request is finished with the ccache, destroy it.
release_ipa_ccache(ipa_ccache_name)
return self.need_login(start_response)
# Update the session expiration based on the Kerberos expiration
endtime = cc.endtime(self.api.env.host, self.api.env.realm)
self.update_session_expiration(session_data, endtime)
# Store the session data in the per-thread context
setattr(context, 'session_data', session_data)
environ['KRB5CCNAME'] = ipa_ccache_name
try:
response = super(xmlserver_session, self).__call__(environ, start_response)
finally:
# Kerberos may have updated the ccache data during the
# execution of the command therefore we need refresh our
# copy of it in the session data so the next command sees
# the same state of the ccache.
#
# However we must be careful not to restore the ccache
# data in the session data if it was explicitly deleted
# during the execution of the command. For example the
# logout command removes the ccache data from the session
# data to invalidate the session credentials.
if session_data.has_key('ccache_data'):
session_data['ccache_data'] = load_ccache_data(ipa_ccache_name)
# The request is finished with the ccache, destroy it.
release_ipa_ccache(ipa_ccache_name)
# Store the session data.
session_mgr.store_session_data(session_data)
destroy_context()
return response
self.internal_error(environ, start_response,
'xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment')
return self.marshal(None, CCacheError())
try:
self.create_context(ccache=user_ccache)
response = super(xmlserver, self).__call__(environ, start_response)
if getattr(context, 'session_data', None) is None and \
self.env.context != 'lite':
self.finalize_kerberos_acquisition('xmlserver', user_ccache, environ, start_response, headers)
except PublicError, e:
status = HTTP_STATUS_SUCCESS
response = status
start_response(status, headers)
return self.marshal(None, e)
finally:
destroy_context()
return response
def listMethods(self, *params):
return tuple(name.decode('UTF-8') for name in self.Command)
def methodSignature(self, *params):
return u'methodSignature not implemented'
def methodHelp(self, *params):
return u'methodHelp not implemented'
def unmarshal(self, data):
(params, name) = xml_loads(data)
(args, options) = params_2_args_options(params)
return (name, args, options, None)
def teardown_class(self):
request.destroy_context()
class jsonserver_session(jsonserver, KerberosSession):
"""
JSON RPC server protected with session auth.
"""
key = '/session/json'
def __init__(self):
super(jsonserver_session, self).__init__()
auth_mgr = AuthManagerKerb(self.__class__.__name__)
session_mgr.auth_mgr.register(auth_mgr.name, auth_mgr)
def _on_finalize(self):
super(jsonserver_session, self)._on_finalize()
self.kerb_session_on_finalize()
def need_login(self, start_response):
status = '401 Unauthorized'
headers = []
response = ''
self.debug('jsonserver_session: %s need login', status)
start_response(status, headers)
return [response]
def __call__(self, environ, start_response):
'''
'''
self.debug('WSGI jsonserver_session.__call__:')
# Load the session data
session_data = session_mgr.load_session_data(
environ.get('HTTP_COOKIE'))
session_id = session_data['session_id']
self.debug(
'jsonserver_session.__call__: session_id=%s start_timestamp=%s access_timestamp=%s expiration_timestamp=%s',
session_id, fmt_time(session_data['session_start_timestamp']),
fmt_time(session_data['session_access_timestamp']),
fmt_time(session_data['session_expiration_timestamp']))
ccache_data = session_data.get('ccache_data')
# Redirect to login if no Kerberos credentials
if ccache_data is None:
self.debug('no ccache, need login')
return self.need_login(start_response)
ipa_ccache_name = bind_ipa_ccache(ccache_data)
# Redirect to login if Kerberos credentials are expired
cc = KRB5_CCache(ipa_ccache_name)
if not cc.valid(self.api.env.host, self.api.env.realm):
self.debug('ccache expired, deleting session, need login')
# The request is finished with the ccache, destroy it.
release_ipa_ccache(ipa_ccache_name)
return self.need_login(start_response)
# Update the session expiration based on the Kerberos expiration
endtime = cc.endtime(self.api.env.host, self.api.env.realm)
self.update_session_expiration(session_data, endtime)
# Store the session data in the per-thread context
setattr(context, 'session_data', session_data)
# This may fail if a ticket from wrong realm was handled via browser
try:
self.create_context(ccache=ipa_ccache_name)
except ACIError, e:
return self.unauthorized(environ, start_response, str(e), 'denied')
try:
response = super(jsonserver_session,
self).__call__(environ, start_response)
finally:
# Kerberos may have updated the ccache data during the
# execution of the command therefore we need refresh our
# copy of it in the session data so the next command sees
# the same state of the ccache.
#
# However we must be careful not to restore the ccache
# data in the session data if it was explicitly deleted
# during the execution of the command. For example the
# logout command removes the ccache data from the session
# data to invalidate the session credentials.
if session_data.has_key('ccache_data'):
session_data['ccache_data'] = load_ccache_data(ipa_ccache_name)
# The request is finished with the ccache, destroy it.
release_ipa_ccache(ipa_ccache_name)
# Store the session data.
session_mgr.store_session_data(session_data)
destroy_context()
return response
def __call__(self, environ, start_response):
'''
'''
self.debug('WSGI jsonserver_session.__call__:')
# Load the session data
session_data = session_mgr.load_session_data(environ.get('HTTP_COOKIE'))
session_id = session_data['session_id']
self.debug('jsonserver_session.__call__: session_id=%s start_timestamp=%s access_timestamp=%s expiration_timestamp=%s',
session_id,
fmt_time(session_data['session_start_timestamp']),
fmt_time(session_data['session_access_timestamp']),
fmt_time(session_data['session_expiration_timestamp']))
ccache_data = session_data.get('ccache_data')
# Redirect to login if no Kerberos credentials
if ccache_data is None:
self.debug('no ccache, need login')
return self.need_login(start_response)
ipa_ccache_name = bind_ipa_ccache(ccache_data)
# Redirect to login if Kerberos credentials are expired
creds = get_credentials_if_valid(ccache_name=ipa_ccache_name)
if not creds:
self.debug('ccache expired, deleting session, need login')
# The request is finished with the ccache, destroy it.
release_ipa_ccache(ipa_ccache_name)
return self.need_login(start_response)
# Update the session expiration based on the Kerberos expiration
endtime = creds.lifetime + time.time()
self.update_session_expiration(session_data, endtime)
# Store the session data in the per-thread context
setattr(context, 'session_data', session_data)
# This may fail if a ticket from wrong realm was handled via browser
try:
self.create_context(ccache=ipa_ccache_name)
except ACIError as e:
return self.unauthorized(environ, start_response, str(e), 'denied')
try:
response = super(jsonserver_session, self).__call__(environ, start_response)
finally:
# Kerberos may have updated the ccache data during the
# execution of the command therefore we need refresh our
# copy of it in the session data so the next command sees
# the same state of the ccache.
#
# However we must be careful not to restore the ccache
# data in the session data if it was explicitly deleted
# during the execution of the command. For example the
# logout command removes the ccache data from the session
# data to invalidate the session credentials.
if 'ccache_data' in session_data:
session_data['ccache_data'] = load_ccache_data(ipa_ccache_name)
# The request is finished with the ccache, destroy it.
release_ipa_ccache(ipa_ccache_name)
# Store the session data.
session_mgr.store_session_data(session_data)
destroy_context()
return response
def __call__(self, environ, start_response):
self.debug('WSGI wsgi_dispatch.__call__:')
try:
return self.route(environ, start_response)
finally:
destroy_context()
def tearDown(self):
"""
nose tear-down fixture.
"""
request.destroy_context()
def fin():
ipa_request.destroy_context()
try:
self.create_context(ccache=user_ccache)
response = super(KerberosWSGIExecutioner,
self).__call__(environ, start_response)
session_data = getattr(context, 'session_data', None)
if (session_data is None and self.env.context != 'lite'):
self.finalize_kerberos_acquisition('xmlserver', user_ccache,
environ, start_response,
headers)
except PublicError, e:
status = HTTP_STATUS_SUCCESS
response = status
start_response(status, headers)
return self.marshal(None, e)
finally:
destroy_context()
return response
class xmlserver(KerberosWSGIExecutioner):
"""
Execution backend plugin for XML-RPC server.
Also see the `ipalib.rpc.xmlclient` plugin.
"""
content_type = 'text/xml'
key = '/xml'
def listMethods(self, *params):
"""list methods for XML-RPC introspection"""
def destroy_context(self):
destroy_context()
def teardown_class(cls):
request.destroy_context()
def tearDown(self):
"""
nose tear-down fixture.
"""
request.destroy_context()
def __call__(self, environ, start_response):
'''
'''
self.debug('WSGI xmlserver_session.__call__:')
# Load the session data
session_data = session_mgr.load_session_data(
environ.get('HTTP_COOKIE'))
session_id = session_data['session_id']
self.debug(
'xmlserver_session.__call__: session_id=%s start_timestamp=%s access_timestamp=%s expiration_timestamp=%s',
session_id, fmt_time(session_data['session_start_timestamp']),
fmt_time(session_data['session_access_timestamp']),
fmt_time(session_data['session_expiration_timestamp']))
ccache_data = session_data.get('ccache_data')
# Redirect to /ipa/xml if no Kerberos credentials
if ccache_data is None:
self.debug('xmlserver_session.__call_: no ccache, need TGT')
return self.need_login(start_response)
ipa_ccache_name = bind_ipa_ccache(ccache_data)
# Redirect to /ipa/xml if Kerberos credentials are expired
cc = KRB5_CCache(ipa_ccache_name)
if not cc.valid(self.api.env.host, self.api.env.realm):
self.debug(
'xmlserver_session.__call_: ccache expired, deleting session, need login'
)
# The request is finished with the ccache, destroy it.
release_ipa_ccache(ipa_ccache_name)
return self.need_login(start_response)
# Update the session expiration based on the Kerberos expiration
endtime = cc.endtime(self.api.env.host, self.api.env.realm)
self.update_session_expiration(session_data, endtime)
# Store the session data in the per-thread context
setattr(context, 'session_data', session_data)
environ['KRB5CCNAME'] = ipa_ccache_name
try:
response = super(xmlserver_session,
self).__call__(environ, start_response)
finally:
# Kerberos may have updated the ccache data during the
# execution of the command therefore we need refresh our
# copy of it in the session data so the next command sees
# the same state of the ccache.
#
# However we must be careful not to restore the ccache
# data in the session data if it was explicitly deleted
# during the execution of the command. For example the
# logout command removes the ccache data from the session
# data to invalidate the session credentials.
if session_data.has_key('ccache_data'):
session_data['ccache_data'] = load_ccache_data(ipa_ccache_name)
# The request is finished with the ccache, destroy it.
release_ipa_ccache(ipa_ccache_name)
# Store the session data.
session_mgr.store_session_data(session_data)
destroy_context()
return response
def __call__(self, environ, start_response):
logger.debug('WSGI wsgi_dispatch.__call__:')
try:
return self.route(environ, start_response)
finally:
destroy_context()
def teardown_class(cls):
request.destroy_context()
def __call__(self, environ, start_response):
'''
'''
self.debug('WSGI jsonserver_session.__call__:')
# Load the session data
session_mgr = get_session_mgr()
session_data = session_mgr.load_session_data(
environ.get('HTTP_COOKIE'))
session_id = session_data['session_id']
self.debug(
'jsonserver_session.__call__: session_id=%s start_timestamp=%s access_timestamp=%s expiration_timestamp=%s',
session_id, fmt_time(session_data['session_start_timestamp']),
fmt_time(session_data['session_access_timestamp']),
fmt_time(session_data['session_expiration_timestamp']))
ccache_data = session_data.get('ccache_data')
# Redirect to login if no Kerberos credentials
if ccache_data is None:
self.debug('no ccache, need login')
return self.need_login(start_response)
ipa_ccache_name = bind_ipa_ccache(ccache_data)
# Redirect to login if Kerberos credentials are expired
creds = get_credentials_if_valid(ccache_name=ipa_ccache_name)
if not creds:
self.debug('ccache expired, deleting session, need login')
# The request is finished with the ccache, destroy it.
release_ipa_ccache(ipa_ccache_name)
return self.need_login(start_response)
# Update the session expiration based on the Kerberos expiration
endtime = creds.lifetime + time.time()
self.update_session_expiration(session_data, endtime)
# Store the session data in the per-thread context
setattr(context, 'session_data', session_data)
# This may fail if a ticket from wrong realm was handled via browser
try:
self.create_context(ccache=ipa_ccache_name)
except ACIError as e:
return self.unauthorized(environ, start_response, str(e), 'denied')
try:
response = super(jsonserver_session,
self).__call__(environ, start_response)
finally:
# Kerberos may have updated the ccache data during the
# execution of the command therefore we need refresh our
# copy of it in the session data so the next command sees
# the same state of the ccache.
#
# However we must be careful not to restore the ccache
# data in the session data if it was explicitly deleted
# during the execution of the command. For example the
# logout command removes the ccache data from the session
# data to invalidate the session credentials.
if 'ccache_data' in session_data:
session_data['ccache_data'] = load_ccache_data(ipa_ccache_name)
# The request is finished with the ccache, destroy it.
release_ipa_ccache(ipa_ccache_name)
# Store the session data.
session_mgr.store_session_data(session_data)
destroy_context()
return response
