add session manager and cache krb auth

This patch adds a session manager and support for caching
authentication in the session. Major elements of the patch are:

* Add a session manager to support cookie based sessions which
  stores session data in a memcached entry.

* Add ipalib/krb_utils.py which contains functions to parse ccache
  names, format principals, format KRB timestamps, and a KRB_CCache
  class which reads ccache entry and allows one to extract information
  such as the principal, credentials, credential timestamps, etc.

* Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so
  that all kerberos items are co-located.

* Modify javascript in ipa.js so that the IPA.command() RPC call
  checks for authentication needed error response and if it receives
  it sends a GET request to /ipa/login URL to refresh credentials.

* Add session_auth_duration config item to constants.py, used to
  configure how long a session remains valid.

* Add parse_time_duration utility to ipalib/util.py. Used to parse the
  session_auth_duration config item.

* Update the default.conf.5 man page to document session_auth_duration
  config item (also added documentation for log_manager config items
  which had been inadvertantly omitted from a previous commit).

* Add SessionError object to ipalib/errors.py

* Move Kerberos protection in Apache config from /ipa to /ipa/xml and
  /ipa/login

* Add SessionCCache class to session.py to manage temporary Kerberos
  ccache file in effect for the duration of an RPC command.

* Adds a krblogin plugin used to implement the /ipa/login
  handler. login handler sets the session expiration time, currently
  60 minutes or the expiration of the TGT, whichever is shorter. It
  also copies the ccache provied by mod_auth_kerb into the session
  data.  The json handler will later extract and validate the ccache
  belonging to the session.

* Refactored the WSGI handlers so that json and xlmrpc could have
  independent behavior, this also moves where create and destroy
  context occurs, now done in the individual handler rather than the
  parent class.

* The json handler now looks up the session data, validates the ccache
  bound to the session, if it's expired replies with authenicated
  needed error.

* Add documentation to session.py. Fully documents the entire process,
  got questions, read the doc.

* Add exclusions to make-lint as needed.

1 files changed, 166 insertions, 6 deletions

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 955c11b7f..a2fd64149 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -30,13 +30,17 @@ from ipalib.backend import Executioner
 from ipalib.errors import PublicError, InternalError, CommandError, JSONError, ConversionError, CCacheError, RefererError
 from ipalib.request import context, Connection, destroy_context
 from ipalib.rpc import xml_dumps, xml_loads
-from ipalib.util import make_repr
+from ipalib.util import make_repr, parse_time_duration
 from ipalib.compat import json
+from ipalib.session import session_mgr, read_krbccache_file, store_krbccache_file, delete_krbccache_file, fmt_time, default_max_session_lifetime
+from ipalib.backend import Backend
+from ipalib.krb_utils import krb5_parse_ccache, KRB5_CCache, krb5_format_tgt_principal_name, krb5_format_service_principal_name, krb_ticket_expiration_threshold
 from wsgiref.util import shift_path_info
 from ipapython.version import VERSION
 import base64
 import os
 import string
+import datetime
 from decimal import Decimal
 _not_found_template = """<html>
 <head>
@@ -139,8 +143,8 @@ class session(Executioner):
         return key in self.__apps
 
     def __call__(self, environ, start_response):
+        self.debug('WSGI session.__call__:')
         try:
-            self.create_context(ccache=environ.get('KRB5CCNAME'))
             return self.route(environ, start_response)
         finally:
             destroy_context()
@@ -200,9 +204,7 @@ class WSGIExecutioner(Executioner):
         name = None
         args = ()
         options = {}
-        if not 'KRB5CCNAME' in environ:
-            return self.marshal(result, CCacheError(), _id)
-        self.debug('Request environment: %s' % environ)
+
         if not 'HTTP_REFERER' in environ:
             return self.marshal(result, RefererError(referer='missing'), _id)
         if not environ['HTTP_REFERER'].startswith('https://%s/ipa' % self.api.env.host) and not self.env.in_tree:
@@ -263,15 +265,25 @@ class WSGIExecutioner(Executioner):
         """
         WSGI application for execution.
         """
+
+        self.debug('WSGI WSGIExecutioner.__call__:')
         try:
             status = '200 OK'
             response = self.wsgi_execute(environ)
             headers = [('Content-Type', self.content_type + '; charset=utf-8')]
         except StandardError, e:
-            self.exception('%s.__call__():', self.name)
+            self.exception('WSGI %s.__call__():', self.name)
             status = '500 Internal Server Error'
             response = status
             headers = [('Content-Type', 'text/plain')]
+
+        session_data = getattr(context, 'session_data', None)
+        if session_data is not None:
+            # Send session cookie back and store session data
+            # FIXME: the URL path should be retreived from somewhere (but where?), not hardcoded
+            session_cookie = session_mgr.generate_cookie('/ipa', session_data['session_id'])
+            headers.append(('Set-Cookie', session_cookie))
+
         start_response(status, headers)
         return [response]
 
@@ -300,6 +312,18 @@ class xmlserver(WSGIExecutioner):
         }
         super(xmlserver, self)._on_finalize()
 
+    def __call__(self, environ, start_response):
+        '''
+        '''
+
+        self.debug('WSGI xmlserver.__call__:')
+        self.create_context(ccache=environ.get('KRB5CCNAME'))
+        try:
+            response = super(xmlserver, self).__call__(environ, start_response)
+        finally:
+            destroy_context()
+        return response
+
     def listMethods(self, *params):
         return tuple(name.decode('UTF-8') for name in self.Command)
 
@@ -461,6 +485,69 @@ class jsonserver(WSGIExecutioner):
     content_type = 'application/json'
     key = 'json'
 
+    def need_login(self, start_response):
+        status = '401 Unauthorized'
+        headers = []
+        response = ''
+
+        self.debug('jsonserver: %s', status)
+
+        start_response(status, headers)
+        return [response]
+
+    def __call__(self, environ, start_response):
+        '''
+        '''
+
+        self.debug('WSGI jsonserver.__call__:')
+
+        # Load the session data
+        session_data = session_mgr.load_session_data(environ.get('HTTP_COOKIE'))
+        session_id = session_data['session_id']
+
+        self.debug('jsonserver.__call__: session_id=%s start_timestamp=%s write_timestamp=%s expiration_timestamp=%s',
+                   session_id,
+                   fmt_time(session_data['session_start_timestamp']),
+                   fmt_time(session_data['session_write_timestamp']),
+                   fmt_time(session_data['session_expiration_timestamp']))
+
+        ccache_data = session_data.get('ccache_data')
+
+        # Redirect to login if no Kerberos credentials
+        if ccache_data is None:
+            self.debug('no ccache, need login')
+            return self.need_login(start_response)
+
+        krbccache_pathname = store_krbccache_file(ccache_data)
+
+        # Redirect to login if Kerberos credentials are expired
+        cc = KRB5_CCache(krbccache_pathname)
+        ldap_principal = krb5_format_service_principal_name('ldap', self.api.env.host, self.api.env.realm)
+        tgt_principal = krb5_format_tgt_principal_name(self.api.env.realm)
+        if not (cc.credential_is_valid(ldap_principal) or cc.credential_is_valid(tgt_principal)):
+            self.debug('ccache expired, deleting session, need login')
+            session_mgr.delete_session_data(session_id)
+            delete_krbccache_file(krbccache_pathname)
+            return self.need_login(start_response)
+
+        # Store the session data in the per-thread context
+        setattr(context, 'session_data', session_data)
+
+        self.create_context(ccache=krbccache_pathname)
+
+        try:
+            response = super(jsonserver, self).__call__(environ, start_response)
+        finally:
+            # Kerberos may have updated the ccache data, refresh our copy of it
+            session_data['ccache_data'] = read_krbccache_file(krbccache_pathname)
+            # Delete the temporary ccache file we used
+            delete_krbccache_file(krbccache_pathname)
+            # Store the session data.
+            session_mgr.store_session_data(session_data)
+            destroy_context()
+
+        return response
+
     def marshal(self, result, error, _id=None):
         if error:
             assert isinstance(error, PublicError)
@@ -512,3 +599,76 @@ class jsonserver(WSGIExecutioner):
             )
         options = dict((str(k), v) for (k, v) in options.iteritems())
         return (method, args, options, _id)
+
+class krblogin(Backend):
+    key = 'login'
+
+    def __init__(self):
+        super(krblogin, self).__init__()
+
+    def _on_finalize(self):
+        super(krblogin, self)._on_finalize()
+        self.api.Backend.session.mount(self, self.key)
+
+        # Set the session expiration time
+        try:
+            seconds = parse_time_duration(self.api.env.session_auth_duration)
+            self.session_auth_duration = int(seconds)
+            self.debug("session_auth_duration: %s", datetime.timedelta(seconds=self.session_auth_duration))
+        except Exception, e:
+            self.session_auth_duration = default_max_session_lifetime
+            self.error('unable to parse session_auth_duration, defaulting to %d: %s',
+                       self.session_auth_duration, e)
+
+
+    def __call__(self, environ, start_response):
+        headers = []
+
+        self.debug('WSGI krblogin.__call__:')
+
+        # Get the ccache created by mod_auth_kerb
+        ccache=environ.get('KRB5CCNAME')
+        if ccache is None:
+            status = '500 Internal Error'
+            response = 'KRB5CCNAME not defined'
+            start_response(status, headers)
+            return [response]
+
+        ccache_scheme, ccache_location = krb5_parse_ccache(ccache)
+        assert ccache_scheme == 'FILE'
+
+        # Retrieve the session data (or newly create)
+        session_data = session_mgr.load_session_data(environ.get('HTTP_COOKIE'))
+        session_id = session_data['session_id']
+
+        # Copy the ccache file contents into the session data
+        session_data['ccache_data'] = read_krbccache_file(ccache_location)
+
+        # Compute when the session will expire
+        cc = KRB5_CCache(ccache)
+        tgt_principal = krb5_format_tgt_principal_name(self.api.env.realm)
+        authtime, starttime, endtime, renew_till = cc.get_credential_times(tgt_principal)
+
+        # Account for clock skew and/or give us some time leeway
+        krb_expiration = endtime - krb_ticket_expiration_threshold
+
+        # Set the session expiration time
+        session_mgr.set_session_expiration_time(session_data,
+                                                lifetime=self.session_auth_duration,
+                                                max_age=krb_expiration)
+
+        # Store the session data now that it's been updated with the ccache
+        session_mgr.store_session_data(session_data)
+
+        self.debug('krblogin: ccache="%s" session_id="%s" ccache="%s"',
+                   ccache, session_id, ccache)
+
+        # Return success and set session cookie
+        status = '200 Success'
+        response = ''
+
+        session_cookie = session_mgr.generate_cookie('/ipa', session_data['session_id'])
+        headers.append(('Set-Cookie', session_cookie))
+
+        start_response(status, headers)
+        return [response]