Change session handling

Stop using memcache, use mod_auth_gssapi filesystem based ccaches.
Remove custom session handling, use mod_auth_gssapi and mod_session to
establish and keep a session cookie.
Add loopback to mod_auth_gssapi to do form absed auth and pass back a
valid session cookie.
And now that we do not remove ccaches files to move them to the
memcache, we can avoid the risk of pollutting the filesystem by keeping
a common ccache file for all instances of the same user.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>

3 files changed, 18 insertions, 12 deletions

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 8178d4e29..8628572a7 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -32,7 +32,7 @@ from ipalib.util import (
 import ipaclient.install.ntpconf
 from ipaserver.install import (
     bindinstance, ca, cainstance, certs, dns, dsinstance,
-    httpinstance, installutils, kra, krbinstance, memcacheinstance,
+    httpinstance, installutils, kra, krbinstance,
     ntpinstance, otpdinstance, custodiainstance, replication, service,
     sysupgrade)
 from ipaserver.install.installutils import (
@@ -804,10 +804,6 @@ def install(installer):
     # generated
     ds.add_cert_to_service()
 
-    memcache = memcacheinstance.MemcacheInstance()
-    memcache.create_instance('MEMCACHE', host_name,
-                             ipautil.realm_to_suffix(realm_name))
-
     otpd = otpdinstance.OtpdInstance()
     otpd.create_instance('OTPD', host_name,
                          ipautil.realm_to_suffix(realm_name))
@@ -1052,7 +1048,6 @@ def uninstall(installer):
     if _server_trust_ad_installed:
         adtrustinstance.ADTRUSTInstance(fstore).uninstall()
     custodiainstance.CustodiaInstance().uninstall()
-    memcacheinstance.MemcacheInstance().uninstall()
     otpdinstance.OtpdInstance().uninstall()
     tasks.restore_hostname(fstore, sstore)
     fstore.restore_all_files()
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index fcb979c15..649184cbe 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -37,7 +37,7 @@ from ipalib.util import (
 from ipaclient.install.client import configure_krb5_conf, purge_host_keytab
 from ipaserver.install import (
     bindinstance, ca, certs, dns, dsinstance, httpinstance,
-    installutils, kra, krbinstance, memcacheinstance,
+    installutils, kra, krbinstance,
     ntpinstance, otpdinstance, custodiainstance, service)
 from ipaserver.install.installutils import (
     create_replica_config, ReplicaConfig, load_pkcs12, is_ipa_configured)
@@ -163,9 +163,6 @@ def install_http(config, auto_redirect, ca_is_configured, ca_file,
         pkcs12_info = make_pkcs12_info(config.dir, "httpcert.p12",
                                        "http_pin.txt")
 
-    memcache = memcacheinstance.MemcacheInstance()
-    memcache.create_instance('MEMCACHE', config.host_name,
-                             ipautil.realm_to_suffix(config.realm_name))
 
     http = httpinstance.HTTPInstance()
     http.create_instance(
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 0e034efac..2bdf6eede 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -34,7 +34,6 @@ from ipaplatform.paths import paths
 from ipaserver.install import installutils
 from ipaserver.install import dsinstance
 from ipaserver.install import httpinstance
-from ipaserver.install import memcacheinstance
 from ipaserver.install import ntpinstance
 from ipaserver.install import bindinstance
 from ipaserver.install import service
@@ -74,6 +73,21 @@ def uninstall_ipa_kpasswd():
     if enabled is not None and not enabled:
         ipa_kpasswd.remove()
 
+
+def uninstall_ipa_memcached():
+    """
+    We can't use the full service uninstaller because that will attempt
+    to stop and disable the service which by now doesn't exist. We just
+    want to clean up sysrestore.state to remove all references to
+    ipa_kpasswd.
+    """
+    ipa_memcached = service.SimpleServiceInstance('ipa_memcached')
+
+    enabled = not ipa_memcached.restore_state("enabled")
+
+    if enabled is not None and not enabled:
+        ipa_memcached.remove()
+
 def backup_file(filename, ext):
     """Make a backup of filename using ext as the extension. Do not overwrite
        previous backups."""
@@ -1570,6 +1584,7 @@ def upgrade_configuration():
 
     update_dbmodules(api.env.realm)
     uninstall_ipa_kpasswd()
+    uninstall_ipa_memcached()
 
     removed_sysconfig_file = paths.SYSCONFIG_HTTPD
     if fstore.has_file(removed_sysconfig_file):
@@ -1620,7 +1635,6 @@ def upgrade_configuration():
     uninstall_dogtag_9(ds, http)
 
     simple_service_list = (
-        (memcacheinstance.MemcacheInstance(), 'MEMCACHE'),
         (otpdinstance.OtpdInstance(), 'OTPD'),
     )