def __call__(self, environ, start_response):
    '''
    WSGI entry point: serve the request only when ``environ['KRB5CCNAME']``
    names a ccache holding unexpired Kerberos credentials; otherwise answer
    with ``need_login`` (redirect to /ipa/xml).

    While the parent ``__call__`` runs, the ccache name is published on the
    per-thread ``context``; the context is destroyed afterwards, whether or
    not the parent call succeeded.
    '''
    logger.debug('WSGI xmlserver_session.__call__:')
    ccache_name = environ.get('KRB5CCNAME')
    # No ccache at all -> the client has to obtain a TGT first
    if ccache_name is None:
        logger.debug('xmlserver_session.__call_: no ccache, need TGT')
        return self.need_login(start_response)
    # NOTE(review): only the validity/lifetime of the ccache is checked here;
    # the principal it belongs to is not compared with GSS_NAME the way
    # get_environ_creds does it -- confirm that is intended for this path.
    if not get_credentials_if_valid(ccache_name=ccache_name):
        logger.debug('xmlserver_session.__call_: ccache expired, deleting '
                     'session, need login')
        # The request is finished with the ccache, destroy it.
        return self.need_login(start_response)
    # Hand the ccache name to the command layer through the thread context
    setattr(context, 'ccache_name', ccache_name)
    try:
        return super(xmlserver_session, self).__call__(environ, start_response)
    finally:
        destroy_context()
def get_environ_creds(self, environ):
    """
    Return ``environ['KRB5CCNAME']`` if that ccache holds valid credentials
    for the principal given in ``environ['GSS_NAME']``; otherwise ``None``.

    Both variables must be present. The GSSAPI name built from ``GSS_NAME``
    is passed to ``get_credentials_if_valid`` so the ccache is checked
    against that principal and not merely for existence (Issue: 6972).
    """
    ccache_name = environ.get('KRB5CCNAME')
    principal = environ.get('GSS_NAME')
    if ccache_name is None:
        logger.debug('no ccache, need login')
        return None
    if principal is None:
        logger.debug('no Principal Name, need login')
        return None
    gss_name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
    # Expired or missing credentials for that principal: caller must re-login
    if get_credentials_if_valid(name=gss_name, ccache_name=ccache_name):
        return ccache_name
    logger.debug(
        'ccache expired or invalid, deleting session, need login')
    return None
def __call__(self, environ, start_response):
    '''
    Dispatch an XML-RPC request only when the WSGI environment carries a
    ccache (``KRB5CCNAME``) with unexpired Kerberos credentials; otherwise
    answer with ``need_login`` (redirect to /ipa/xml).

    The ccache name is placed on the per-thread ``context`` for the duration
    of the parent ``__call__`` and the context is destroyed afterwards.
    '''
    self.debug('WSGI xmlserver_session.__call__:')
    ccache_name = environ.get('KRB5CCNAME')
    if ccache_name is None:
        # The client has no credentials yet and must obtain a TGT
        self.debug('xmlserver_session.__call_: no ccache, need TGT')
        return self.need_login(start_response)
    creds = get_credentials_if_valid(ccache_name=ccache_name)
    if creds:
        # Make the ccache name available to the command layer
        setattr(context, 'ccache_name', ccache_name)
        try:
            response = super(xmlserver_session, self).__call__(environ, start_response)
        finally:
            destroy_context()
        return response
    # Credentials expired: send the client back to login
    self.debug('xmlserver_session.__call_: ccache expired, deleting session, need login')
    # The request is finished with the ccache, destroy it.
    return self.need_login(start_response)
def get_environ_creds(self, environ):
    """
    Return the ccache name from ``environ['KRB5CCNAME']`` when that ccache
    holds valid credentials for ``environ['GSS_NAME']``, else ``None``.

    Both variables are required. The ccache is validated against the GSSAPI
    name built from ``GSS_NAME`` rather than merely for existence
    (Issue: 6972).
    """
    ccache_name = environ.get('KRB5CCNAME')
    if ccache_name is None:
        logger.debug('no ccache, need login')
        return None
    principal = environ.get('GSS_NAME')
    if principal is None:
        logger.debug('no Principal Name, need login')
        return None
    gss_name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
    creds = get_credentials_if_valid(name=gss_name, ccache_name=ccache_name)
    if creds:
        return ccache_name
    # Expired or invalid credentials for that principal
    logger.debug(
        'ccache expired or invalid, deleting session, need login')
    return None
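def valid_creds(principal):
    """
    Return ``True`` if the default ccache holds unexpired credentials whose
    name starts with ``principal@``, else ``False``.

    *principal* is expected without the realm part. The comparison is a
    prefix match, not a substring match: with a substring test ``admin``
    would also accept credentials displayed as ``xadmin@REALM``.
    """
    creds = get_credentials_if_valid()
    if not creds or creds.lifetime <= 0:
        return False
    display_name = creds.name.display_as(creds.name.name_type)
    # Anchor at the start so only the exact principal (followed by '@') matches
    return display_name.startswith("%s@" % principal)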
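def valid_creds(module, principal):
    """
    Return ``True`` if usable Kerberos credentials for *principal* are
    available, trying the GSSAPI credential stores first.

    Resolution order:

    1. ``KRB5CCNAME`` is set: acquire initiate credentials from that ccache.
       A ``GSSError`` is reported via ``module.fail_json``.
    2. ``KRB5_CLIENT_KTNAME`` is set: ``kinit_keytab`` *principal* from that
       keytab into a fresh ``MEMORY:`` ccache, which is exported as
       ``KRB5CCNAME`` for the rest of the process. A ``GSSError`` is
       reported via ``module.fail_json``.
    3. Otherwise: the default ccache must hold unexpired credentials whose
       name starts with ``principal@`` (prefix match, so ``admin`` does not
       accept ``xadmin@REALM``).

    NOTE(review): in cases 1 and 2 the acquired credential name is only
    logged, not compared with *principal* -- confirm that is intended.
    """
    if "KRB5CCNAME" in os.environ:
        ccache = os.environ["KRB5CCNAME"]
        module.debug('KRB5CCNAME set to %s' % ccache)
        try:
            cred = gssapi.Credentials(usage='initiate', store={'ccache': ccache})
        except gssapi.raw.misc.GSSError as e:
            module.fail_json(msg='Failed to find default ccache: %s' % e)
        else:
            module.debug("Using principal %s" % str(cred.name))
            return True
    elif "KRB5_CLIENT_KTNAME" in os.environ:
        keytab = os.environ["KRB5_CLIENT_KTNAME"]
        module.debug('KRB5_CLIENT_KTNAME set to %s' % keytab)
        # A per-process in-memory ccache so the keytab login does not touch
        # any on-disk ccache of the invoking user
        ccache_name = "MEMORY:%s" % str(uuid.uuid4())
        os.environ["KRB5CCNAME"] = ccache_name
        try:
            cred = kinit_keytab(principal, keytab, ccache_name)
        except gssapi.raw.misc.GSSError as e:
            module.fail_json(msg='Kerberos authentication failed : %s' % e)
        else:
            module.debug("Using principal %s" % str(cred.name))
            return True
    # Fallback: whatever credentials the default ccache provides
    creds = get_credentials_if_valid()
    if not creds or creds.lifetime <= 0:
        return False
    display_name = creds.name.display_as(creds.name.name_type)
    # Anchor at the start so only the exact principal (followed by '@') matches
    return display_name.startswith("%s@" % principal)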
def __call__(self, environ, start_response):
    '''
    WSGI entry point for JSON-RPC requests authenticated by a Kerberos
    ccache passed in ``environ['KRB5CCNAME']``.

    Missing or expired credentials are answered with ``need_login``. The
    ccache name is published on the per-thread ``context`` and the API
    context is created from it; an ``ACIError`` from ``create_context``
    (e.g. a ticket from the wrong realm) yields an ``unauthorized`` reply.
    The parent ``__call__`` then handles the request and the context is
    destroyed afterwards.
    '''
    self.debug('WSGI jsonserver_session.__call__:')
    ccache_name = environ.get('KRB5CCNAME')
    if ccache_name is None:
        self.debug('no ccache, need login')
        return self.need_login(start_response)
    if not get_credentials_if_valid(ccache_name=ccache_name):
        self.debug('ccache expired, deleting session, need login')
        # The request is finished with the ccache, destroy it.
        return self.need_login(start_response)
    # Make the ccache name visible to the command layer
    setattr(context, 'ccache_name', ccache_name)
    # A ticket from the wrong realm handled via the browser makes this raise
    try:
        self.create_context(ccache=ccache_name)
    except ACIError as e:
        return self.unauthorized(environ, start_response, str(e), 'denied')
    try:
        return super(jsonserver_session, self).__call__(environ, start_response)
    finally:
        destroy_context()
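def __call__(self, environ, start_response):
    '''
    WSGI entry point for JSON-RPC requests authenticated by a session cookie.

    The session is loaded from ``HTTP_COOKIE`` via ``session_mgr``. It must
    carry ``ccache_data`` holding unexpired Kerberos credentials, otherwise
    the client is sent to login. The ccache data is bound to a ccache name
    (``bind_ipa_ccache``) for the duration of the request, the session
    expiration is re-derived from the credential lifetime, the session data
    is published on the per-thread ``context`` and the API context is
    created from the ccache; an ``ACIError`` there (e.g. a ticket from the
    wrong realm) yields an ``unauthorized`` reply.

    After the parent ``__call__`` returns (or raises), the possibly updated
    ccache is copied back into the session, the ccache is released, the
    session is stored and the context is destroyed.
    '''
    self.debug('WSGI jsonserver_session.__call__:')
    # Load the session data
    session_data = session_mgr.load_session_data(environ.get('HTTP_COOKIE'))
    session_id = session_data['session_id']
    self.debug('jsonserver_session.__call__: session_id=%s start_timestamp=%s access_timestamp=%s expiration_timestamp=%s',
               session_id,
               fmt_time(session_data['session_start_timestamp']),
               fmt_time(session_data['session_access_timestamp']),
               fmt_time(session_data['session_expiration_timestamp']))
    ccache_data = session_data.get('ccache_data')
    # Redirect to login if no Kerberos credentials
    if ccache_data is None:
        self.debug('no ccache, need login')
        return self.need_login(start_response)
    ipa_ccache_name = bind_ipa_ccache(ccache_data)
    # Redirect to login if Kerberos credentials are expired
    creds = get_credentials_if_valid(ccache_name=ipa_ccache_name)
    if not creds:
        self.debug('ccache expired, deleting session, need login')
        # The request is finished with the ccache, destroy it.
        release_ipa_ccache(ipa_ccache_name)
        return self.need_login(start_response)
    # Update the session expiration based on the Kerberos expiration
    endtime = creds.lifetime + time.time()
    self.update_session_expiration(session_data, endtime)
    # Store the session data in the per-thread context
    setattr(context, 'session_data', session_data)
    # This may fail if a ticket from wrong realm was handled via browser
    try:
        self.create_context(ccache=ipa_ccache_name)
    except ACIError as e:
        # Mirror the expired-ccache path above: the bound ccache is no longer
        # needed once the request is denied, so release it instead of
        # leaving it behind.
        release_ipa_ccache(ipa_ccache_name)
        return self.unauthorized(environ, start_response, str(e), 'denied')
    try:
        response = super(jsonserver_session, self).__call__(environ, start_response)
    finally:
        # Kerberos may have updated the ccache data during the
        # execution of the command therefore we need refresh our
        # copy of it in the session data so the next command sees
        # the same state of the ccache.
        #
        # However we must be careful not to restore the ccache
        # data in the session data if it was explicitly deleted
        # during the execution of the command. For example the
        # logout command removes the ccache data from the session
        # data to invalidate the session credentials.
        if 'ccache_data' in session_data:
            session_data['ccache_data'] = load_ccache_data(ipa_ccache_name)
        # The request is finished with the ccache, destroy it.
        release_ipa_ccache(ipa_ccache_name)
        # Store the session data.
        session_mgr.store_session_data(session_data)
        destroy_context()
    return response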
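def __call__(self, environ, start_response):
    '''
    WSGI entry point for JSON-RPC requests authenticated by a session cookie.

    The session is loaded from ``HTTP_COOKIE`` through the manager returned
    by ``get_session_mgr()``. It must carry ``ccache_data`` holding
    unexpired Kerberos credentials, otherwise the client is sent to login.
    The ccache data is bound to a ccache name (``bind_ipa_ccache``) for the
    duration of the request, the session expiration is re-derived from the
    credential lifetime, the session data is published on the per-thread
    ``context`` and the API context is created from the ccache; an
    ``ACIError`` there (e.g. a ticket from the wrong realm) yields an
    ``unauthorized`` reply.

    After the parent ``__call__`` returns (or raises), the possibly updated
    ccache is copied back into the session, the ccache is released, the
    session is stored and the context is destroyed.
    '''
    self.debug('WSGI jsonserver_session.__call__:')
    # Load the session data
    session_mgr = get_session_mgr()
    session_data = session_mgr.load_session_data(
        environ.get('HTTP_COOKIE'))
    session_id = session_data['session_id']
    self.debug(
        'jsonserver_session.__call__: session_id=%s start_timestamp=%s access_timestamp=%s expiration_timestamp=%s',
        session_id,
        fmt_time(session_data['session_start_timestamp']),
        fmt_time(session_data['session_access_timestamp']),
        fmt_time(session_data['session_expiration_timestamp']))
    ccache_data = session_data.get('ccache_data')
    # Redirect to login if no Kerberos credentials
    if ccache_data is None:
        self.debug('no ccache, need login')
        return self.need_login(start_response)
    ipa_ccache_name = bind_ipa_ccache(ccache_data)
    # Redirect to login if Kerberos credentials are expired
    creds = get_credentials_if_valid(ccache_name=ipa_ccache_name)
    if not creds:
        self.debug('ccache expired, deleting session, need login')
        # The request is finished with the ccache, destroy it.
        release_ipa_ccache(ipa_ccache_name)
        return self.need_login(start_response)
    # Update the session expiration based on the Kerberos expiration
    endtime = creds.lifetime + time.time()
    self.update_session_expiration(session_data, endtime)
    # Store the session data in the per-thread context
    setattr(context, 'session_data', session_data)
    # This may fail if a ticket from wrong realm was handled via browser
    try:
        self.create_context(ccache=ipa_ccache_name)
    except ACIError as e:
        # Mirror the expired-ccache path above: the bound ccache is no longer
        # needed once the request is denied, so release it instead of
        # leaving it behind.
        release_ipa_ccache(ipa_ccache_name)
        return self.unauthorized(environ, start_response, str(e), 'denied')
    try:
        response = super(jsonserver_session, self).__call__(environ, start_response)
    finally:
        # Kerberos may have updated the ccache data during the
        # execution of the command therefore we need refresh our
        # copy of it in the session data so the next command sees
        # the same state of the ccache.
        #
        # However we must be careful not to restore the ccache
        # data in the session data if it was explicitly deleted
        # during the execution of the command. For example the
        # logout command removes the ccache data from the session
        # data to invalidate the session credentials.
        if 'ccache_data' in session_data:
            session_data['ccache_data'] = load_ccache_data(ipa_ccache_name)
        # The request is finished with the ccache, destroy it.
        release_ipa_ccache(ipa_ccache_name)
        # Store the session data.
        session_mgr.store_session_data(session_data)
        destroy_context()
    return response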