authorSimo Sorce <simo@redhat.com>2016-08-19 09:23:55 -0400
committerJan Cholasta <jcholast@redhat.com>2017-02-15 07:13:37 +0100
commitc894ebefc5c4c4c7ea340d6ddc4cd3c081917e4a (patch)
tree8511e93ca9e8e1df6c504b8f18d2fec733686d26 /ipaserver/install
parent11ef2cacbf2ebb67f80a0cf4a3e7b39da700188b (diff)
Change session handling
Stop using memcache, use mod_auth_gssapi filesystem based ccaches. Remove custom session handling, use mod_auth_gssapi and mod_session to establish and keep a session cookie. Add loopback to mod_auth_gssapi to do form based auth and pass back a valid session cookie. And now that we do not remove ccaches files to move them to the memcache, we can avoid the risk of polluting the filesystem by keeping a common ccache file for all instances of the same user. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver/install')
-rw-r--r--ipaserver/install/installutils.py2
-rw-r--r--ipaserver/install/ipa_backup.py4
-rw-r--r--ipaserver/install/memcacheinstance.py24
-rw-r--r--ipaserver/install/server/install.py7
-rw-r--r--ipaserver/install/server/replicainstall.py5
-rw-r--r--ipaserver/install/server/upgrade.py18
-rw-r--r--ipaserver/install/service.py1
7 files changed, 22 insertions, 39 deletions
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index ab2596c8c..8602f59ca 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -64,7 +64,7 @@ if six.PY3:
# Used to determine install status
IPA_MODULES = [
'httpd', 'kadmin', 'dirsrv', 'pki-tomcatd', 'install', 'krb5kdc', 'ntpd',
- 'named', 'ipa_memcached']
+ 'named']
class BadHostError(Exception):
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index 536914638..4ba61e529 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -36,11 +36,13 @@ from ipapython import admintool
from ipapython.dn import DN
from ipaserver.install.replication import wait_for_task
from ipaserver.install import installutils
-from ipaserver.session import ISO8601_DATETIME_FMT
from ipapython import ipaldap
from ipaplatform.constants import constants
from ipaplatform.tasks import tasks
+
+ISO8601_DATETIME_FMT = '%Y-%m-%dT%H:%M:%S'
+
"""
A test gpg can be generated like this:
diff --git a/ipaserver/install/memcacheinstance.py b/ipaserver/install/memcacheinstance.py
deleted file mode 100644
index 547ac2ba4..000000000
--- a/ipaserver/install/memcacheinstance.py
+++ /dev/null
@@ -1,24 +0,0 @@
-# Authors: John Dennis <jdennis@redhat.com>
-#
-# Copyright (C) 2011 Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-from ipaserver.install import service
-
-class MemcacheInstance(service.SimpleServiceInstance):
- def __init__(self):
- service.SimpleServiceInstance.__init__(self, "ipa_memcached")
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 8178d4e29..8628572a7 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -32,7 +32,7 @@ from ipalib.util import (
import ipaclient.install.ntpconf
from ipaserver.install import (
bindinstance, ca, cainstance, certs, dns, dsinstance,
- httpinstance, installutils, kra, krbinstance, memcacheinstance,
+ httpinstance, installutils, kra, krbinstance,
ntpinstance, otpdinstance, custodiainstance, replication, service,
sysupgrade)
from ipaserver.install.installutils import (
@@ -804,10 +804,6 @@ def install(installer):
# generated
ds.add_cert_to_service()
- memcache = memcacheinstance.MemcacheInstance()
- memcache.create_instance('MEMCACHE', host_name,
- ipautil.realm_to_suffix(realm_name))
-
otpd = otpdinstance.OtpdInstance()
otpd.create_instance('OTPD', host_name,
ipautil.realm_to_suffix(realm_name))
@@ -1052,7 +1048,6 @@ def uninstall(installer):
if _server_trust_ad_installed:
adtrustinstance.ADTRUSTInstance(fstore).uninstall()
custodiainstance.CustodiaInstance().uninstall()
- memcacheinstance.MemcacheInstance().uninstall()
otpdinstance.OtpdInstance().uninstall()
tasks.restore_hostname(fstore, sstore)
fstore.restore_all_files()
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index fcb979c15..649184cbe 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -37,7 +37,7 @@ from ipalib.util import (
from ipaclient.install.client import configure_krb5_conf, purge_host_keytab
from ipaserver.install import (
bindinstance, ca, certs, dns, dsinstance, httpinstance,
- installutils, kra, krbinstance, memcacheinstance,
+ installutils, kra, krbinstance,
ntpinstance, otpdinstance, custodiainstance, service)
from ipaserver.install.installutils import (
create_replica_config, ReplicaConfig, load_pkcs12, is_ipa_configured)
@@ -163,9 +163,6 @@ def install_http(config, auto_redirect, ca_is_configured, ca_file,
pkcs12_info = make_pkcs12_info(config.dir, "httpcert.p12",
"http_pin.txt")
- memcache = memcacheinstance.MemcacheInstance()
- memcache.create_instance('MEMCACHE', config.host_name,
- ipautil.realm_to_suffix(config.realm_name))
http = httpinstance.HTTPInstance()
http.create_instance(
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 0e034efac..2bdf6eede 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -34,7 +34,6 @@ from ipaplatform.paths import paths
from ipaserver.install import installutils
from ipaserver.install import dsinstance
from ipaserver.install import httpinstance
-from ipaserver.install import memcacheinstance
from ipaserver.install import ntpinstance
from ipaserver.install import bindinstance
from ipaserver.install import service
@@ -74,6 +73,21 @@ def uninstall_ipa_kpasswd():
if enabled is not None and not enabled:
ipa_kpasswd.remove()
+
+def uninstall_ipa_memcached():
+ """
+ We can't use the full service uninstaller because that will attempt
+ to stop and disable the service which by now doesn't exist. We just
+ want to clean up sysrestore.state to remove all references to
+ ipa_kpasswd.
+ """
+ ipa_memcached = service.SimpleServiceInstance('ipa_memcached')
+
+ enabled = not ipa_memcached.restore_state("enabled")
+
+ if enabled is not None and not enabled:
+ ipa_memcached.remove()
+
def backup_file(filename, ext):
"""Make a backup of filename using ext as the extension. Do not overwrite
previous backups."""
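Review bot: In `uninstall_ipa_memcached()` the test `enabled is not None` can never fail, because `enabled` is the result of a `not` expression and is therefore always a bool; `remove()` runs exactly when `restore_state("enabled")` returns a truthy value, and the inverted variable name hides that. The pattern appears to be copied from `uninstall_ipa_kpasswd()`, whose tail is this hunk's leading context, and the docstring still says `ipa_kpasswd` where it should say `ipa_memcached`. I would state the condition directly, `if ipa_memcached.restore_state("enabled"): ipa_memcached.remove()`, or, if the cleanup is meant to run whatever the saved value was, call `remove()` unconditionally and say so in the docstring. Only the "enabled" key is restored here, so any other state saved for the service (presumably a "running" key) would stay in sysrestore.state despite the docstring's "all references"; that is worth confirming against what the old installer stored.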
@@ -1570,6 +1584,7 @@ def upgrade_configuration():
update_dbmodules(api.env.realm)
uninstall_ipa_kpasswd()
+ uninstall_ipa_memcached()
removed_sysconfig_file = paths.SYSCONFIG_HTTPD
if fstore.has_file(removed_sysconfig_file):
@@ -1620,7 +1635,6 @@ def upgrade_configuration():
uninstall_dogtag_9(ds, http)
simple_service_list = (
- (memcacheinstance.MemcacheInstance(), 'MEMCACHE'),
(otpdinstance.OtpdInstance(), 'OTPD'),
)
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index fbe3f23e5..b80044f4b 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -46,7 +46,6 @@ SERVICE_LIST = {
'KDC': ('krb5kdc', 10),
'KPASSWD': ('kadmin', 20),
'DNS': ('named', 30),
- 'MEMCACHE': ('ipa_memcached', 39),
'HTTP': ('httpd', 40),
'KEYS': ('ipa-custodia', 41),
'NTP': ('ntpd', 45),