diff options
author | John Dennis <jdennis@redhat.com> | 2012-02-06 13:29:56 -0500 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2012-02-09 13:20:45 -0600 |
commit | bba4ccb3a01125ebc9f074f624f106905bbb4fed (patch) | |
tree | f4e2100ac7bba2077597f49e14b45ca49c5b91cb /ipaserver | |
parent | d1e0c1b606fe2a8edce5965cee9ab023a5e27676 (diff) | |
download | freeipa-bba4ccb3a01125ebc9f074f624f106905bbb4fed.tar.gz freeipa-bba4ccb3a01125ebc9f074f624f106905bbb4fed.tar.xz freeipa-bba4ccb3a01125ebc9f074f624f106905bbb4fed.zip |
add session manager and cache krb auth
This patch adds a session manager and support for caching
authentication in the session. Major elements of the patch are:
* Add a session manager to support cookie based sessions which
stores session data in a memcached entry.
* Add ipalib/krb_utils.py which contains functions to parse ccache
names, format principals, format KRB timestamps, and a KRB_CCache
class which reads ccache entry and allows one to extract information
such as the principal, credentials, credential timestamps, etc.
* Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so
that all kerberos items are co-located.
* Modify javascript in ipa.js so that the IPA.command() RPC call
checks for authentication needed error response and if it receives
it sends a GET request to /ipa/login URL to refresh credentials.
* Add session_auth_duration config item to constants.py, used to
configure how long a session remains valid.
* Add parse_time_duration utility to ipalib/util.py. Used to parse the
session_auth_duration config item.
* Update the default.conf.5 man page to document session_auth_duration
config item (also added documentation for log_manager config items
which had been inadvertantly omitted from a previous commit).
* Add SessionError object to ipalib/errors.py
* Move Kerberos protection in Apache config from /ipa to /ipa/xml and
/ipa/login
* Add SessionCCache class to session.py to manage temporary Kerberos
ccache file in effect for the duration of an RPC command.
* Adds a krblogin plugin used to implement the /ipa/login
handler. login handler sets the session expiration time, currently
60 minutes or the expiration of the TGT, whichever is shorter. It
also copies the ccache provied by mod_auth_kerb into the session
data. The json handler will later extract and validate the ccache
belonging to the session.
* Refactored the WSGI handlers so that json and xlmrpc could have
independent behavior, this also moves where create and destroy
context occurs, now done in the individual handler rather than the
parent class.
* The json handler now looks up the session data, validates the ccache
bound to the session, if it's expired replies with authenicated
needed error.
* Add documentation to session.py. Fully documents the entire process,
got questions, read the doc.
* Add exclusions to make-lint as needed.
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/plugins/xmlserver.py | 3 | ||||
-rw-r--r-- | ipaserver/rpcserver.py | 172 |
2 files changed, 168 insertions, 7 deletions
diff --git a/ipaserver/plugins/xmlserver.py b/ipaserver/plugins/xmlserver.py index 1771a9342..03bca9a80 100644 --- a/ipaserver/plugins/xmlserver.py +++ b/ipaserver/plugins/xmlserver.py @@ -25,7 +25,8 @@ Loads WSGI server plugins. from ipalib import api if 'in_server' in api.env and api.env.in_server is True: - from ipaserver.rpcserver import session, xmlserver, jsonserver + from ipaserver.rpcserver import session, xmlserver, jsonserver, krblogin api.register(session) api.register(xmlserver) api.register(jsonserver) + api.register(krblogin) diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index 955c11b7f..a2fd64149 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -30,13 +30,17 @@ from ipalib.backend import Executioner from ipalib.errors import PublicError, InternalError, CommandError, JSONError, ConversionError, CCacheError, RefererError from ipalib.request import context, Connection, destroy_context from ipalib.rpc import xml_dumps, xml_loads -from ipalib.util import make_repr +from ipalib.util import make_repr, parse_time_duration from ipalib.compat import json +from ipalib.session import session_mgr, read_krbccache_file, store_krbccache_file, delete_krbccache_file, fmt_time, default_max_session_lifetime +from ipalib.backend import Backend +from ipalib.krb_utils import krb5_parse_ccache, KRB5_CCache, krb5_format_tgt_principal_name, krb5_format_service_principal_name, krb_ticket_expiration_threshold from wsgiref.util import shift_path_info from ipapython.version import VERSION import base64 import os import string +import datetime from decimal import Decimal _not_found_template = """<html> <head> @@ -139,8 +143,8 @@ class session(Executioner): return key in self.__apps def __call__(self, environ, start_response): + self.debug('WSGI session.__call__:') try: - self.create_context(ccache=environ.get('KRB5CCNAME')) return self.route(environ, start_response) finally: destroy_context() @@ -200,9 +204,7 @@ class WSGIExecutioner(Executioner): name = None args = () options = {} - if not 'KRB5CCNAME' in environ: - return self.marshal(result, CCacheError(), _id) - self.debug('Request environment: %s' % environ) + if not 'HTTP_REFERER' in environ: return self.marshal(result, RefererError(referer='missing'), _id) if not environ['HTTP_REFERER'].startswith('https://%s/ipa' % self.api.env.host) and not self.env.in_tree: @@ -263,15 +265,25 @@ class WSGIExecutioner(Executioner): """ WSGI application for execution. """ + + self.debug('WSGI WSGIExecutioner.__call__:') try: status = '200 OK' response = self.wsgi_execute(environ) headers = [('Content-Type', self.content_type + '; charset=utf-8')] except StandardError, e: - self.exception('%s.__call__():', self.name) + self.exception('WSGI %s.__call__():', self.name) status = '500 Internal Server Error' response = status headers = [('Content-Type', 'text/plain')] + + session_data = getattr(context, 'session_data', None) + if session_data is not None: + # Send session cookie back and store session data + # FIXME: the URL path should be retreived from somewhere (but where?), not hardcoded + session_cookie = session_mgr.generate_cookie('/ipa', session_data['session_id']) + headers.append(('Set-Cookie', session_cookie)) + start_response(status, headers) return [response] @@ -300,6 +312,18 @@ class xmlserver(WSGIExecutioner): } super(xmlserver, self)._on_finalize() + def __call__(self, environ, start_response): + ''' + ''' + + self.debug('WSGI xmlserver.__call__:') + self.create_context(ccache=environ.get('KRB5CCNAME')) + try: + response = super(xmlserver, self).__call__(environ, start_response) + finally: + destroy_context() + return response + def listMethods(self, *params): return tuple(name.decode('UTF-8') for name in self.Command) @@ -461,6 +485,69 @@ class jsonserver(WSGIExecutioner): content_type = 'application/json' key = 'json' + def need_login(self, start_response): + status = '401 Unauthorized' + headers = [] + response = '' + + self.debug('jsonserver: %s', status) + + start_response(status, headers) + return [response] + + def __call__(self, environ, start_response): + ''' + ''' + + self.debug('WSGI jsonserver.__call__:') + + # Load the session data + session_data = session_mgr.load_session_data(environ.get('HTTP_COOKIE')) + session_id = session_data['session_id'] + + self.debug('jsonserver.__call__: session_id=%s start_timestamp=%s write_timestamp=%s expiration_timestamp=%s', + session_id, + fmt_time(session_data['session_start_timestamp']), + fmt_time(session_data['session_write_timestamp']), + fmt_time(session_data['session_expiration_timestamp'])) + + ccache_data = session_data.get('ccache_data') + + # Redirect to login if no Kerberos credentials + if ccache_data is None: + self.debug('no ccache, need login') + return self.need_login(start_response) + + krbccache_pathname = store_krbccache_file(ccache_data) + + # Redirect to login if Kerberos credentials are expired + cc = KRB5_CCache(krbccache_pathname) + ldap_principal = krb5_format_service_principal_name('ldap', self.api.env.host, self.api.env.realm) + tgt_principal = krb5_format_tgt_principal_name(self.api.env.realm) + if not (cc.credential_is_valid(ldap_principal) or cc.credential_is_valid(tgt_principal)): + self.debug('ccache expired, deleting session, need login') + session_mgr.delete_session_data(session_id) + delete_krbccache_file(krbccache_pathname) + return self.need_login(start_response) + + # Store the session data in the per-thread context + setattr(context, 'session_data', session_data) + + self.create_context(ccache=krbccache_pathname) + + try: + response = super(jsonserver, self).__call__(environ, start_response) + finally: + # Kerberos may have updated the ccache data, refresh our copy of it + session_data['ccache_data'] = read_krbccache_file(krbccache_pathname) + # Delete the temporary ccache file we used + delete_krbccache_file(krbccache_pathname) + # Store the session data. + session_mgr.store_session_data(session_data) + destroy_context() + + return response + def marshal(self, result, error, _id=None): if error: assert isinstance(error, PublicError) @@ -512,3 +599,76 @@ class jsonserver(WSGIExecutioner): ) options = dict((str(k), v) for (k, v) in options.iteritems()) return (method, args, options, _id) + +class krblogin(Backend): + key = 'login' + + def __init__(self): + super(krblogin, self).__init__() + + def _on_finalize(self): + super(krblogin, self)._on_finalize() + self.api.Backend.session.mount(self, self.key) + + # Set the session expiration time + try: + seconds = parse_time_duration(self.api.env.session_auth_duration) + self.session_auth_duration = int(seconds) + self.debug("session_auth_duration: %s", datetime.timedelta(seconds=self.session_auth_duration)) + except Exception, e: + self.session_auth_duration = default_max_session_lifetime + self.error('unable to parse session_auth_duration, defaulting to %d: %s', + self.session_auth_duration, e) + + + def __call__(self, environ, start_response): + headers = [] + + self.debug('WSGI krblogin.__call__:') + + # Get the ccache created by mod_auth_kerb + ccache=environ.get('KRB5CCNAME') + if ccache is None: + status = '500 Internal Error' + response = 'KRB5CCNAME not defined' + start_response(status, headers) + return [response] + + ccache_scheme, ccache_location = krb5_parse_ccache(ccache) + assert ccache_scheme == 'FILE' + + # Retrieve the session data (or newly create) + session_data = session_mgr.load_session_data(environ.get('HTTP_COOKIE')) + session_id = session_data['session_id'] + + # Copy the ccache file contents into the session data + session_data['ccache_data'] = read_krbccache_file(ccache_location) + + # Compute when the session will expire + cc = KRB5_CCache(ccache) + tgt_principal = krb5_format_tgt_principal_name(self.api.env.realm) + authtime, starttime, endtime, renew_till = cc.get_credential_times(tgt_principal) + + # Account for clock skew and/or give us some time leeway + krb_expiration = endtime - krb_ticket_expiration_threshold + + # Set the session expiration time + session_mgr.set_session_expiration_time(session_data, + lifetime=self.session_auth_duration, + max_age=krb_expiration) + + # Store the session data now that it's been updated with the ccache + session_mgr.store_session_data(session_data) + + self.debug('krblogin: ccache="%s" session_id="%s" ccache="%s"', + ccache, session_id, ccache) + + # Return success and set session cookie + status = '200 Success' + response = '' + + session_cookie = session_mgr.generate_cookie('/ipa', session_data['session_id']) + headers.append(('Set-Cookie', session_cookie)) + + start_response(status, headers) + return [response] |