def __call__(self, environ, start_response):
    """
    WSGI application for execution.

    Runs wsgi_execute() for the request and, when the per-thread context
    carries session data, adds a Set-Cookie header for that session.

    :parameters:
      environ
        The WSGI environment for the request.
      start_response
        The WSGI start_response callable.
    :returns:
      A one-element list holding the response body.
    """
    self.debug('WSGI WSGIExecutioner.__call__:')
    try:
        status = HTTP_STATUS_SUCCESS
        response = self.wsgi_execute(environ)
        headers = [('Content-Type', self.content_type + '; charset=utf-8')]
    except Exception:
        # The failure is reported through self.exception(); the client
        # only receives the status text as the body, so no exception
        # detail is sent back.
        self.exception('WSGI %s.__call__():', self.name)
        status = HTTP_STATUS_SERVER_ERROR
        response = status
        headers = [('Content-Type', 'text/plain; charset=utf-8')]

    active_session = getattr(context, 'session_data', None)
    if active_session is not None:
        # Send the session cookie back, on the error path as well.
        # FIXME: the URL path should be retrieved from somewhere (but where?), not hardcoded
        # NOTE(review): cookie attributes (Secure, HttpOnly) are decided
        # inside generate_cookie(), which is not visible here - confirm.
        cookie = get_session_mgr().generate_cookie(
            '/ipa',
            active_session['session_id'],
            active_session['session_expiration_timestamp'])
        headers.append(('Set-Cookie', cookie))

    start_response(status, headers)
    return [response]
def update_session_expiration(self, session_data, krb_endtime):
    '''
    Refresh the expiration time recorded in the session data.

    Called each time a session is created or accessed. The new
    expiration is written into session_data by the session manager.

    :parameters:
      session_data
        The session data whose expiration is being updated.
      krb_endtime
        The UNIX timestamp for when the Kerberos credentials expire.
    :returns:
      None
    '''
    # Leave some leeway before the ticket end time to absorb clock skew.
    latest_allowed = krb_endtime - krb_ticket_expiration_threshold

    # The ticket-derived time is passed as max_age, presumably an upper
    # bound so the session cannot outlive the Kerberos credentials;
    # verify against set_session_expiration_time().
    get_session_mgr().set_session_expiration_time(
        session_data,
        duration=self.session_auth_duration,
        max_age=latest_allowed,
        duration_type=self.api.env.session_duration_type)
def finalize_kerberos_acquisition(self, who, ccache_name, environ, start_response, headers=None):
    '''
    Move freshly acquired Kerberos credentials into the session and reply.

    The contents of the ccache named by ccache_name are copied into the
    session data, the session expiration is derived from the credential
    lifetime, the session is stored and the ccache is released. The
    reply carries the session cookie and an empty body.

    :parameters:
      who
        Label of the caller, used only in the debug message.
      ccache_name
        Name of the credential cache holding the new credentials.
      environ
        The WSGI environment; HTTP_COOKIE is read from it.
      start_response
        The WSGI start_response callable.
      headers
        Optional list of response headers; the Set-Cookie header is
        appended to it.
    :returns:
      A list with one empty string (the response body).
    '''
    headers = [] if headers is None else headers

    # Retrieve the session data (or newly create)
    mgr = get_session_mgr()
    sess = mgr.load_session_data(environ.get('HTTP_COOKIE'))
    session_id = sess['session_id']

    # NOTE(review): the session id is the value the cookie below is
    # generated from, so this debug line puts it into the log; treat
    # debug logs as sensitive or mask the id.
    self.debug('finalize_kerberos_acquisition: %s ccache_name="%s" session_id="%s"',
               who, ccache_name, session_id)

    # Copy the ccache file contents into the session data
    sess['ccache_data'] = load_ccache_data(ccache_name)

    # Session expiry follows the remaining lifetime of the credentials.
    creds = get_credentials(ccache_name=ccache_name)
    endtime = creds.lifetime + time.time()
    self.update_session_expiration(sess, endtime)

    # Store the session data now that it's been updated with the ccache
    mgr.store_session_data(sess)

    # The request is finished with the ccache, destroy it.
    # NOTE(review): this is only reached when every step above succeeds;
    # confirm the caller releases the ccache if one of them raises.
    release_ipa_ccache(ccache_name)

    # Return success and set session cookie
    cookie = mgr.generate_cookie(
        '/ipa', session_id, sess['session_expiration_timestamp'])
    headers.append(('Set-Cookie', cookie))

    start_response(HTTP_STATUS_SUCCESS, headers)
    return ['']
def __call__(self, environ, start_response):
    """
    WSGI application for execution.

    Executes the request through wsgi_execute(); if session data is
    present in the per-thread context, a Set-Cookie header for that
    session is added before the response is started.

    :parameters:
      environ
        The WSGI environment for the request.
      start_response
        The WSGI start_response callable.
    :returns:
      A one-element list holding the response body.
    """
    self.debug('WSGI WSGIExecutioner.__call__:')
    try:
        status = HTTP_STATUS_SUCCESS
        response = self.wsgi_execute(environ)
        headers = [('Content-Type', self.content_type + '; charset=utf-8')]
    except Exception:
        # Any failure becomes a plain-text server error whose body is
        # just the status text; details go to self.exception() only.
        self.exception('WSGI %s.__call__():', self.name)
        status = HTTP_STATUS_SERVER_ERROR
        response = status
        headers = [('Content-Type', 'text/plain; charset=utf-8')]

    sess = getattr(context, 'session_data', None)
    if sess is not None:
        # Send the session cookie back with the reply.
        # FIXME: the URL path should be retrieved from somewhere (but where?), not hardcoded
        mgr = get_session_mgr()
        set_cookie = mgr.generate_cookie(
            '/ipa', sess['session_id'], sess['session_expiration_timestamp'])
        headers.append(('Set-Cookie', set_cookie))

    start_response(status, headers)
    return [response]
def execute(self, *args, **options):
    '''
    Log out the session attached to the per-thread context, if any.

    When session data is present it is handed to the logout() method of
    the session manager's auth_mgr; otherwise only a debug message is
    emitted.

    :returns:
      A dict with the single key 'result' set to None.
    '''
    sess = getattr(context, 'session_data', None)
    if sess is not None:
        # NOTE(review): the session id ends up in the debug log; if it
        # is the value carried by the session cookie, mask it.
        self.debug('session logout command: session_id=%s', sess.get('session_id'))

        # Notify registered listeners
        get_session_mgr().auth_mgr.logout(sess)
    else:
        self.debug('session logout command: no session_data found')

    return {'result': None}
def update_session_expiration(self, session_data, krb_endtime):
    '''
    Update the expiration time stored inside the session data.

    This runs whenever a session is created or accessed.

    :parameters:
      session_data
        The session data whose expiration is being updated.
      krb_endtime
        The UNIX timestamp for when the Kerberos credentials expire.
    :returns:
      None
    '''
    # Account for clock skew and/or give us some time leeway
    ticket_deadline = krb_endtime - krb_ticket_expiration_threshold

    # Set the session expiration time. The ticket deadline goes in as
    # max_age (presumably a ceiling on the session lifetime; verify in
    # the session manager).
    expiry_args = dict(
        duration=self.session_auth_duration,
        max_age=ticket_deadline,
        duration_type=self.api.env.session_duration_type)
    session_mgr = get_session_mgr()
    session_mgr.set_session_expiration_time(session_data, **expiry_args)
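def __call__(self, environ, start_response):
    '''
    Serve one request authenticated by the session cookie.

    The Kerberos ccache kept in the session data is bound for the
    duration of the request and released on every exit path after it
    has been bound. Requests without stored credentials, or whose
    credentials are no longer valid, are answered by need_login().

    :parameters:
      environ
        The WSGI environment; HTTP_COOKIE is read from it.
      start_response
        The WSGI start_response callable.
    :returns:
      The response produced by the parent class, by need_login() or by
      unauthorized().
    '''
    self.debug('WSGI jsonserver_session.__call__:')

    # Load the session data
    session_mgr = get_session_mgr()
    session_data = session_mgr.load_session_data(environ.get('HTTP_COOKIE'))
    session_id = session_data['session_id']

    # NOTE(review): the session id is logged at debug level; if it is
    # the value carried by the cookie, treat these logs as sensitive.
    self.debug('jsonserver_session.__call__: session_id=%s start_timestamp=%s access_timestamp=%s expiration_timestamp=%s',
               session_id,
               fmt_time(session_data['session_start_timestamp']),
               fmt_time(session_data['session_access_timestamp']),
               fmt_time(session_data['session_expiration_timestamp']))

    ccache_data = session_data.get('ccache_data')

    # Redirect to login if no Kerberos credentials
    if ccache_data is None:
        self.debug('no ccache, need login')
        return self.need_login(start_response)

    ipa_ccache_name = bind_ipa_ccache(ccache_data)

    # Redirect to login if Kerberos credentials are expired
    creds = get_credentials_if_valid(ccache_name=ipa_ccache_name)
    if not creds:
        self.debug('ccache expired, deleting session, need login')
        # The request is finished with the ccache, destroy it.
        release_ipa_ccache(ipa_ccache_name)
        return self.need_login(start_response)

    # Update the session expiration based on the Kerberos expiration
    endtime = creds.lifetime + time.time()
    self.update_session_expiration(session_data, endtime)

    # Store the session data in the per-thread context
    setattr(context, 'session_data', session_data)

    # This may fail if a ticket from wrong realm was handled via browser
    try:
        self.create_context(ccache=ipa_ccache_name)
    except ACIError as e:
        # The ccache was bound above; release it on this exit as well,
        # as the expired-credentials path does, so a denied request does
        # not leave the credential cache behind.
        # NOTE(review): context.session_data was set above and
        # destroy_context() is not reached on this path; confirm the
        # per-thread context is cleared before the thread is reused.
        release_ipa_ccache(ipa_ccache_name)
        return self.unauthorized(environ, start_response, str(e), 'denied')

    try:
        response = super(jsonserver_session, self).__call__(environ, start_response)
    finally:
        # Kerberos may have updated the ccache data during the
        # execution of the command therefore we need to refresh our
        # copy of it in the session data so the next command sees
        # the same state of the ccache.
        #
        # However we must be careful not to restore the ccache
        # data in the session data if it was explicitly deleted
        # during the execution of the command. For example the
        # logout command removes the ccache data from the session
        # data to invalidate the session credentials.
        if 'ccache_data' in session_data:
            session_data['ccache_data'] = load_ccache_data(ipa_ccache_name)

        # The request is finished with the ccache, destroy it.
        release_ipa_ccache(ipa_ccache_name)
        # Store the session data.
        session_mgr.store_session_data(session_data)
        destroy_context()

    return response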
def __init__(self, api):
    '''
    Initialise the server and register a Kerberos auth manager.

    An AuthManagerKerb named after this class and the id() of this
    instance is registered with the session manager's auth_mgr.

    :parameters:
      api
        The API object handed on to the parent class initialiser.
    '''
    super(jsonserver_session, self).__init__(api)

    # id(self) keeps the registered name distinct per instance.
    listener_name = '{0}_{1}'.format(self.__class__.__name__, id(self))
    kerb_listener = AuthManagerKerb(listener_name)

    get_session_mgr().auth_mgr.register(kerb_listener.name, kerb_listener)
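def __call__(self, environ, start_response):
    '''
    Handle a request whose credentials come from the session cookie.

    The ccache stored in the session data is bound while the request is
    processed and is released on each exit path that follows the bind.
    A missing ccache or credentials that are no longer valid lead to
    need_login().

    :parameters:
      environ
        The WSGI environment; HTTP_COOKIE is read from it.
      start_response
        The WSGI start_response callable.
    :returns:
      The response produced by the parent class, by need_login() or by
      unauthorized().
    '''
    self.debug('WSGI jsonserver_session.__call__:')

    # Load the session data
    session_mgr = get_session_mgr()
    session_data = session_mgr.load_session_data(environ.get('HTTP_COOKIE'))
    session_id = session_data['session_id']

    # NOTE(review): this debug line records the session id; mask it if
    # the id is what the session cookie carries.
    self.debug('jsonserver_session.__call__: session_id=%s start_timestamp=%s access_timestamp=%s expiration_timestamp=%s',
               session_id,
               fmt_time(session_data['session_start_timestamp']),
               fmt_time(session_data['session_access_timestamp']),
               fmt_time(session_data['session_expiration_timestamp']))

    ccache_data = session_data.get('ccache_data')

    # Redirect to login if no Kerberos credentials
    if ccache_data is None:
        self.debug('no ccache, need login')
        return self.need_login(start_response)

    ipa_ccache_name = bind_ipa_ccache(ccache_data)

    # Redirect to login if Kerberos credentials are expired
    creds = get_credentials_if_valid(ccache_name=ipa_ccache_name)
    if not creds:
        self.debug('ccache expired, deleting session, need login')
        # The request is finished with the ccache, destroy it.
        release_ipa_ccache(ipa_ccache_name)
        return self.need_login(start_response)

    # Update the session expiration based on the Kerberos expiration
    endtime = creds.lifetime + time.time()
    self.update_session_expiration(session_data, endtime)

    # Store the session data in the per-thread context
    setattr(context, 'session_data', session_data)

    # This may fail if a ticket from wrong realm was handled via browser
    try:
        self.create_context(ccache=ipa_ccache_name)
    except ACIError as e:
        # Mirror the expired-credentials exit: the bound ccache must be
        # released before returning, otherwise a denied request leaves
        # the credential cache in place.
        # NOTE(review): destroy_context() is not reached here although
        # context.session_data was set above; confirm the per-thread
        # context cannot carry it into a later request.
        release_ipa_ccache(ipa_ccache_name)
        return self.unauthorized(environ, start_response, str(e), 'denied')

    try:
        response = super(jsonserver_session, self).__call__(environ, start_response)
    finally:
        # Kerberos may have updated the ccache data during the
        # execution of the command therefore we need to refresh our
        # copy of it in the session data so the next command sees
        # the same state of the ccache.
        #
        # However we must be careful not to restore the ccache
        # data in the session data if it was explicitly deleted
        # during the execution of the command. For example the
        # logout command removes the ccache data from the session
        # data to invalidate the session credentials.
        if 'ccache_data' in session_data:
            session_data['ccache_data'] = load_ccache_data(ipa_ccache_name)

        # The request is finished with the ccache, destroy it.
        release_ipa_ccache(ipa_ccache_name)
        # Store the session data.
        session_mgr.store_session_data(session_data)
        destroy_context()

    return response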