Esempio n. 1
0
    def __call__(self, environ, start_response):
        '''
        '''

        self.debug('WSGI jsonserver_session.__call__:')

        # Load the session data
        session_data = session_mgr.load_session_data(
            environ.get('HTTP_COOKIE'))
        session_id = session_data['session_id']

        self.debug(
            'jsonserver_session.__call__: session_id=%s start_timestamp=%s access_timestamp=%s expiration_timestamp=%s',
            session_id, fmt_time(session_data['session_start_timestamp']),
            fmt_time(session_data['session_access_timestamp']),
            fmt_time(session_data['session_expiration_timestamp']))

        ccache_data = session_data.get('ccache_data')

        # Redirect to login if no Kerberos credentials
        if ccache_data is None:
            self.debug('no ccache, need login')
            return self.need_login(start_response)

        ipa_ccache_name = bind_ipa_ccache(ccache_data)

        # Redirect to login if Kerberos credentials are expired
        cc = KRB5_CCache(ipa_ccache_name)
        if not cc.valid(self.api.env.host, self.api.env.realm):
            self.debug('ccache expired, deleting session, need login')
            # The request is finished with the ccache, destroy it.
            release_ipa_ccache(ipa_ccache_name)
            return self.need_login(start_response)

        # Update the session expiration based on the Kerberos expiration
        endtime = cc.endtime(self.api.env.host, self.api.env.realm)
        self.update_session_expiration(session_data, endtime)

        # Store the session data in the per-thread context
        setattr(context, 'session_data', session_data)

        # This may fail if a ticket from wrong realm was handled via browser
        try:
            self.create_context(ccache=ipa_ccache_name)
        except ACIError, e:
            return self.unauthorized(environ, start_response, str(e), 'denied')
Esempio n. 2
0
    def __call__(self, environ, start_response):
        '''
        '''

        self.debug('WSGI jsonserver_session.__call__:')

        # Load the session data
        session_data = session_mgr.load_session_data(environ.get('HTTP_COOKIE'))
        session_id = session_data['session_id']

        self.debug('jsonserver_session.__call__: session_id=%s start_timestamp=%s access_timestamp=%s expiration_timestamp=%s',
                   session_id,
                   fmt_time(session_data['session_start_timestamp']),
                   fmt_time(session_data['session_access_timestamp']),
                   fmt_time(session_data['session_expiration_timestamp']))

        ccache_data = session_data.get('ccache_data')

        # Redirect to login if no Kerberos credentials
        if ccache_data is None:
            self.debug('no ccache, need login')
            return self.need_login(start_response)

        ipa_ccache_name = bind_ipa_ccache(ccache_data)

        # Redirect to login if Kerberos credentials are expired
        cc = KRB5_CCache(ipa_ccache_name)
        if not cc.valid(self.api.env.host, self.api.env.realm):
            self.debug('ccache expired, deleting session, need login')
            # The request is finished with the ccache, destroy it.
            release_ipa_ccache(ipa_ccache_name)
            return self.need_login(start_response)

        # Update the session expiration based on the Kerberos expiration
        endtime = cc.endtime(self.api.env.host, self.api.env.realm)
        self.update_session_expiration(session_data, endtime)

        # Store the session data in the per-thread context
        setattr(context, 'session_data', session_data)

        # This may fail if a ticket from wrong realm was handled via browser
        try:
            self.create_context(ccache=ipa_ccache_name)
        except ACIError, e:
            return self.unauthorized(environ, start_response, str(e), 'denied')
Esempio n. 3
0
    def __call__(self, environ, start_response):
        '''
        '''

        self.debug('WSGI jsonserver_session.__call__:')

        # Load the session data
        session_data = session_mgr.load_session_data(environ.get('HTTP_COOKIE'))
        session_id = session_data['session_id']

        self.debug('jsonserver_session.__call__: session_id=%s start_timestamp=%s access_timestamp=%s expiration_timestamp=%s',
                   session_id,
                   fmt_time(session_data['session_start_timestamp']),
                   fmt_time(session_data['session_access_timestamp']),
                   fmt_time(session_data['session_expiration_timestamp']))

        ccache_data = session_data.get('ccache_data')

        # Redirect to login if no Kerberos credentials
        if ccache_data is None:
            self.debug('no ccache, need login')
            return self.need_login(start_response)

        ipa_ccache_name = bind_ipa_ccache(ccache_data)

        # Redirect to login if Kerberos credentials are expired
        creds = get_credentials_if_valid(ccache_name=ipa_ccache_name)
        if not creds:
            self.debug('ccache expired, deleting session, need login')
            # The request is finished with the ccache, destroy it.
            release_ipa_ccache(ipa_ccache_name)
            return self.need_login(start_response)

        # Update the session expiration based on the Kerberos expiration
        endtime = creds.lifetime + time.time()
        self.update_session_expiration(session_data, endtime)

        # Store the session data in the per-thread context
        setattr(context, 'session_data', session_data)

        # This may fail if a ticket from wrong realm was handled via browser
        try:
            self.create_context(ccache=ipa_ccache_name)
        except ACIError as e:
            return self.unauthorized(environ, start_response, str(e), 'denied')

        try:
            response = super(jsonserver_session, self).__call__(environ, start_response)
        finally:
            # Kerberos may have updated the ccache data during the
            # execution of the command therefore we need refresh our
            # copy of it in the session data so the next command sees
            # the same state of the ccache.
            #
            # However we must be careful not to restore the ccache
            # data in the session data if it was explicitly deleted
            # during the execution of the command. For example the
            # logout command removes the ccache data from the session
            # data to invalidate the session credentials.

            if 'ccache_data' in session_data:
                session_data['ccache_data'] = load_ccache_data(ipa_ccache_name)

            # The request is finished with the ccache, destroy it.
            release_ipa_ccache(ipa_ccache_name)
            # Store the session data.
            session_mgr.store_session_data(session_data)
            destroy_context()

        return response
Esempio n. 4
0
    def __call__(self, environ, start_response):
        '''
        '''

        self.debug('WSGI xmlserver_session.__call__:')

        # Load the session data
        session_data = session_mgr.load_session_data(environ.get('HTTP_COOKIE'))
        session_id = session_data['session_id']

        self.debug('xmlserver_session.__call__: session_id=%s start_timestamp=%s access_timestamp=%s expiration_timestamp=%s',
                   session_id,
                   fmt_time(session_data['session_start_timestamp']),
                   fmt_time(session_data['session_access_timestamp']),
                   fmt_time(session_data['session_expiration_timestamp']))

        ccache_data = session_data.get('ccache_data')

        # Redirect to /ipa/xml if no Kerberos credentials
        if ccache_data is None:
            self.debug('xmlserver_session.__call_: no ccache, need TGT')
            return self.need_login(start_response)

        ipa_ccache_name = bind_ipa_ccache(ccache_data)

        # Redirect to /ipa/xml if Kerberos credentials are expired
        cc = KRB5_CCache(ipa_ccache_name)
        if not cc.valid(self.api.env.host, self.api.env.realm):
            self.debug('xmlserver_session.__call_: ccache expired, deleting session, need login')
            # The request is finished with the ccache, destroy it.
            release_ipa_ccache(ipa_ccache_name)
            return self.need_login(start_response)

        # Update the session expiration based on the Kerberos expiration
        endtime = cc.endtime(self.api.env.host, self.api.env.realm)
        self.update_session_expiration(session_data, endtime)

        # Store the session data in the per-thread context
        setattr(context, 'session_data', session_data)

        environ['KRB5CCNAME'] = ipa_ccache_name

        try:
            response = super(xmlserver_session, self).__call__(environ, start_response)
        finally:
            # Kerberos may have updated the ccache data during the
            # execution of the command therefore we need refresh our
            # copy of it in the session data so the next command sees
            # the same state of the ccache.
            #
            # However we must be careful not to restore the ccache
            # data in the session data if it was explicitly deleted
            # during the execution of the command. For example the
            # logout command removes the ccache data from the session
            # data to invalidate the session credentials.

            if session_data.has_key('ccache_data'):
                session_data['ccache_data'] = load_ccache_data(ipa_ccache_name)

            # The request is finished with the ccache, destroy it.
            release_ipa_ccache(ipa_ccache_name)
            # Store the session data.
            session_mgr.store_session_data(session_data)
            destroy_context()

        return response
Esempio n. 5
0
    def __call__(self, environ, start_response):
        '''
        '''

        self.debug('WSGI xmlserver_session.__call__:')

        # Load the session data
        session_data = session_mgr.load_session_data(
            environ.get('HTTP_COOKIE'))
        session_id = session_data['session_id']

        self.debug(
            'xmlserver_session.__call__: session_id=%s start_timestamp=%s access_timestamp=%s expiration_timestamp=%s',
            session_id, fmt_time(session_data['session_start_timestamp']),
            fmt_time(session_data['session_access_timestamp']),
            fmt_time(session_data['session_expiration_timestamp']))

        ccache_data = session_data.get('ccache_data')

        # Redirect to /ipa/xml if no Kerberos credentials
        if ccache_data is None:
            self.debug('xmlserver_session.__call_: no ccache, need TGT')
            return self.need_login(start_response)

        ipa_ccache_name = bind_ipa_ccache(ccache_data)

        # Redirect to /ipa/xml if Kerberos credentials are expired
        cc = KRB5_CCache(ipa_ccache_name)
        if not cc.valid(self.api.env.host, self.api.env.realm):
            self.debug(
                'xmlserver_session.__call_: ccache expired, deleting session, need login'
            )
            # The request is finished with the ccache, destroy it.
            release_ipa_ccache(ipa_ccache_name)
            return self.need_login(start_response)

        # Update the session expiration based on the Kerberos expiration
        endtime = cc.endtime(self.api.env.host, self.api.env.realm)
        self.update_session_expiration(session_data, endtime)

        # Store the session data in the per-thread context
        setattr(context, 'session_data', session_data)

        environ['KRB5CCNAME'] = ipa_ccache_name

        try:
            response = super(xmlserver_session,
                             self).__call__(environ, start_response)
        finally:
            # Kerberos may have updated the ccache data during the
            # execution of the command therefore we need refresh our
            # copy of it in the session data so the next command sees
            # the same state of the ccache.
            #
            # However we must be careful not to restore the ccache
            # data in the session data if it was explicitly deleted
            # during the execution of the command. For example the
            # logout command removes the ccache data from the session
            # data to invalidate the session credentials.

            if session_data.has_key('ccache_data'):
                session_data['ccache_data'] = load_ccache_data(ipa_ccache_name)

            # The request is finished with the ccache, destroy it.
            release_ipa_ccache(ipa_ccache_name)
            # Store the session data.
            session_mgr.store_session_data(session_data)
            destroy_context()

        return response