summaryrefslogtreecommitdiffstats
path: root/ipaserver
diff options
context:
space:
mode:
authorJohn Dennis <jdennis@redhat.com>2012-02-06 13:29:56 -0500
committerEndi S. Dewata <edewata@redhat.com>2012-02-09 13:20:45 -0600
commitbba4ccb3a01125ebc9f074f624f106905bbb4fed (patch)
treef4e2100ac7bba2077597f49e14b45ca49c5b91cb /ipaserver
parentd1e0c1b606fe2a8edce5965cee9ab023a5e27676 (diff)
downloadfreeipa-bba4ccb3a01125ebc9f074f624f106905bbb4fed.tar.gz
freeipa-bba4ccb3a01125ebc9f074f624f106905bbb4fed.tar.xz
freeipa-bba4ccb3a01125ebc9f074f624f106905bbb4fed.zip
add session manager and cache krb auth
This patch adds a session manager and support for caching authentication in the session. Major elements of the patch are: * Add a session manager to support cookie based sessions which stores session data in a memcached entry. * Add ipalib/krb_utils.py which contains functions to parse ccache names, format principals, format KRB timestamps, and a KRB_CCache class which reads ccache entry and allows one to extract information such as the principal, credentials, credential timestamps, etc. * Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so that all kerberos items are co-located. * Modify javascript in ipa.js so that the IPA.command() RPC call checks for authentication needed error response and if it receives it sends a GET request to /ipa/login URL to refresh credentials. * Add session_auth_duration config item to constants.py, used to configure how long a session remains valid. * Add parse_time_duration utility to ipalib/util.py. Used to parse the session_auth_duration config item. * Update the default.conf.5 man page to document session_auth_duration config item (also added documentation for log_manager config items which had been inadvertantly omitted from a previous commit). * Add SessionError object to ipalib/errors.py * Move Kerberos protection in Apache config from /ipa to /ipa/xml and /ipa/login * Add SessionCCache class to session.py to manage temporary Kerberos ccache file in effect for the duration of an RPC command. * Adds a krblogin plugin used to implement the /ipa/login handler. login handler sets the session expiration time, currently 60 minutes or the expiration of the TGT, whichever is shorter. It also copies the ccache provied by mod_auth_kerb into the session data. The json handler will later extract and validate the ccache belonging to the session. * Refactored the WSGI handlers so that json and xlmrpc could have independent behavior, this also moves where create and destroy context occurs, now done in the individual handler rather than the parent class. * The json handler now looks up the session data, validates the ccache bound to the session, if it's expired replies with authenicated needed error. * Add documentation to session.py. Fully documents the entire process, got questions, read the doc. * Add exclusions to make-lint as needed.
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/plugins/xmlserver.py3
-rw-r--r--ipaserver/rpcserver.py172
2 files changed, 168 insertions, 7 deletions
diff --git a/ipaserver/plugins/xmlserver.py b/ipaserver/plugins/xmlserver.py
index 1771a9342..03bca9a80 100644
--- a/ipaserver/plugins/xmlserver.py
+++ b/ipaserver/plugins/xmlserver.py
@@ -25,7 +25,8 @@ Loads WSGI server plugins.
from ipalib import api
if 'in_server' in api.env and api.env.in_server is True:
- from ipaserver.rpcserver import session, xmlserver, jsonserver
+ from ipaserver.rpcserver import session, xmlserver, jsonserver, krblogin
api.register(session)
api.register(xmlserver)
api.register(jsonserver)
+ api.register(krblogin)
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 955c11b7f..a2fd64149 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -30,13 +30,17 @@ from ipalib.backend import Executioner
from ipalib.errors import PublicError, InternalError, CommandError, JSONError, ConversionError, CCacheError, RefererError
from ipalib.request import context, Connection, destroy_context
from ipalib.rpc import xml_dumps, xml_loads
-from ipalib.util import make_repr
+from ipalib.util import make_repr, parse_time_duration
from ipalib.compat import json
+from ipalib.session import session_mgr, read_krbccache_file, store_krbccache_file, delete_krbccache_file, fmt_time, default_max_session_lifetime
+from ipalib.backend import Backend
+from ipalib.krb_utils import krb5_parse_ccache, KRB5_CCache, krb5_format_tgt_principal_name, krb5_format_service_principal_name, krb_ticket_expiration_threshold
from wsgiref.util import shift_path_info
from ipapython.version import VERSION
import base64
import os
import string
+import datetime
from decimal import Decimal
_not_found_template = """<html>
<head>
@@ -139,8 +143,8 @@ class session(Executioner):
return key in self.__apps
def __call__(self, environ, start_response):
+ self.debug('WSGI session.__call__:')
try:
- self.create_context(ccache=environ.get('KRB5CCNAME'))
return self.route(environ, start_response)
finally:
destroy_context()
@@ -200,9 +204,7 @@ class WSGIExecutioner(Executioner):
name = None
args = ()
options = {}
- if not 'KRB5CCNAME' in environ:
- return self.marshal(result, CCacheError(), _id)
- self.debug('Request environment: %s' % environ)
+
if not 'HTTP_REFERER' in environ:
return self.marshal(result, RefererError(referer='missing'), _id)
if not environ['HTTP_REFERER'].startswith('https://%s/ipa' % self.api.env.host) and not self.env.in_tree:
@@ -263,15 +265,25 @@ class WSGIExecutioner(Executioner):
"""
WSGI application for execution.
"""
+
+ self.debug('WSGI WSGIExecutioner.__call__:')
try:
status = '200 OK'
response = self.wsgi_execute(environ)
headers = [('Content-Type', self.content_type + '; charset=utf-8')]
except StandardError, e:
- self.exception('%s.__call__():', self.name)
+ self.exception('WSGI %s.__call__():', self.name)
status = '500 Internal Server Error'
response = status
headers = [('Content-Type', 'text/plain')]
+
+ session_data = getattr(context, 'session_data', None)
+ if session_data is not None:
+ # Send session cookie back and store session data
+ # FIXME: the URL path should be retreived from somewhere (but where?), not hardcoded
+ session_cookie = session_mgr.generate_cookie('/ipa', session_data['session_id'])
+ headers.append(('Set-Cookie', session_cookie))
+
start_response(status, headers)
return [response]
@@ -300,6 +312,18 @@ class xmlserver(WSGIExecutioner):
}
super(xmlserver, self)._on_finalize()
+ def __call__(self, environ, start_response):
+ '''
+ '''
+
+ self.debug('WSGI xmlserver.__call__:')
+ self.create_context(ccache=environ.get('KRB5CCNAME'))
+ try:
+ response = super(xmlserver, self).__call__(environ, start_response)
+ finally:
+ destroy_context()
+ return response
+
def listMethods(self, *params):
return tuple(name.decode('UTF-8') for name in self.Command)
@@ -461,6 +485,69 @@ class jsonserver(WSGIExecutioner):
content_type = 'application/json'
key = 'json'
+ def need_login(self, start_response):
+ status = '401 Unauthorized'
+ headers = []
+ response = ''
+
+ self.debug('jsonserver: %s', status)
+
+ start_response(status, headers)
+ return [response]
+
+ def __call__(self, environ, start_response):
+ '''
+ '''
+
+ self.debug('WSGI jsonserver.__call__:')
+
+ # Load the session data
+ session_data = session_mgr.load_session_data(environ.get('HTTP_COOKIE'))
+ session_id = session_data['session_id']
+
+ self.debug('jsonserver.__call__: session_id=%s start_timestamp=%s write_timestamp=%s expiration_timestamp=%s',
+ session_id,
+ fmt_time(session_data['session_start_timestamp']),
+ fmt_time(session_data['session_write_timestamp']),
+ fmt_time(session_data['session_expiration_timestamp']))
+
+ ccache_data = session_data.get('ccache_data')
+
+ # Redirect to login if no Kerberos credentials
+ if ccache_data is None:
+ self.debug('no ccache, need login')
+ return self.need_login(start_response)
+
+ krbccache_pathname = store_krbccache_file(ccache_data)
+
+ # Redirect to login if Kerberos credentials are expired
+ cc = KRB5_CCache(krbccache_pathname)
+ ldap_principal = krb5_format_service_principal_name('ldap', self.api.env.host, self.api.env.realm)
+ tgt_principal = krb5_format_tgt_principal_name(self.api.env.realm)
+ if not (cc.credential_is_valid(ldap_principal) or cc.credential_is_valid(tgt_principal)):
+ self.debug('ccache expired, deleting session, need login')
+ session_mgr.delete_session_data(session_id)
+ delete_krbccache_file(krbccache_pathname)
+ return self.need_login(start_response)
+
+ # Store the session data in the per-thread context
+ setattr(context, 'session_data', session_data)
+
+ self.create_context(ccache=krbccache_pathname)
+
+ try:
+ response = super(jsonserver, self).__call__(environ, start_response)
+ finally:
+ # Kerberos may have updated the ccache data, refresh our copy of it
+ session_data['ccache_data'] = read_krbccache_file(krbccache_pathname)
+ # Delete the temporary ccache file we used
+ delete_krbccache_file(krbccache_pathname)
+ # Store the session data.
+ session_mgr.store_session_data(session_data)
+ destroy_context()
+
+ return response
+
def marshal(self, result, error, _id=None):
if error:
assert isinstance(error, PublicError)
@@ -512,3 +599,76 @@ class jsonserver(WSGIExecutioner):
)
options = dict((str(k), v) for (k, v) in options.iteritems())
return (method, args, options, _id)
+
+class krblogin(Backend):
+ key = 'login'
+
+ def __init__(self):
+ super(krblogin, self).__init__()
+
+ def _on_finalize(self):
+ super(krblogin, self)._on_finalize()
+ self.api.Backend.session.mount(self, self.key)
+
+ # Set the session expiration time
+ try:
+ seconds = parse_time_duration(self.api.env.session_auth_duration)
+ self.session_auth_duration = int(seconds)
+ self.debug("session_auth_duration: %s", datetime.timedelta(seconds=self.session_auth_duration))
+ except Exception, e:
+ self.session_auth_duration = default_max_session_lifetime
+ self.error('unable to parse session_auth_duration, defaulting to %d: %s',
+ self.session_auth_duration, e)
+
+
+ def __call__(self, environ, start_response):
+ headers = []
+
+ self.debug('WSGI krblogin.__call__:')
+
+ # Get the ccache created by mod_auth_kerb
+ ccache=environ.get('KRB5CCNAME')
+ if ccache is None:
+ status = '500 Internal Error'
+ response = 'KRB5CCNAME not defined'
+ start_response(status, headers)
+ return [response]
+
+ ccache_scheme, ccache_location = krb5_parse_ccache(ccache)
+ assert ccache_scheme == 'FILE'
+
+ # Retrieve the session data (or newly create)
+ session_data = session_mgr.load_session_data(environ.get('HTTP_COOKIE'))
+ session_id = session_data['session_id']
+
+ # Copy the ccache file contents into the session data
+ session_data['ccache_data'] = read_krbccache_file(ccache_location)
+
+ # Compute when the session will expire
+ cc = KRB5_CCache(ccache)
+ tgt_principal = krb5_format_tgt_principal_name(self.api.env.realm)
+ authtime, starttime, endtime, renew_till = cc.get_credential_times(tgt_principal)
+
+ # Account for clock skew and/or give us some time leeway
+ krb_expiration = endtime - krb_ticket_expiration_threshold
+
+ # Set the session expiration time
+ session_mgr.set_session_expiration_time(session_data,
+ lifetime=self.session_auth_duration,
+ max_age=krb_expiration)
+
+ # Store the session data now that it's been updated with the ccache
+ session_mgr.store_session_data(session_data)
+
+ self.debug('krblogin: ccache="%s" session_id="%s" ccache="%s"',
+ ccache, session_id, ccache)
+
+ # Return success and set session cookie
+ status = '200 Success'
+ response = ''
+
+ session_cookie = session_mgr.generate_cookie('/ipa', session_data['session_id'])
+ headers.append(('Set-Cookie', session_cookie))
+
+ start_response(status, headers)
+ return [response]