From c1ae93acad645c7725041cc10bf14b10fb94533c Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 6 Mar 2017 18:47:56 -0500
Subject: Store session cookie in a ccache option

Instead of using the kernel keyring, store the session cookie within the
ccache. This way kdestroy will really wipe away all credentials.

Ticket: https://pagure.io/freeipa/issue/6661

Signed-off-by: Simo Sorce <simo@redhat.com>
---
 ipalib/rpc.py | 27 +++++----------------------
 1 file changed, 5 insertions(+), 22 deletions(-)

(limited to 'ipalib')

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 8d1bba5a8..3a589cb52 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -56,7 +56,7 @@ from ipalib import errors, capabilities
 from ipalib.request import context, Connection
 from ipapython.ipa_log_manager import root_logger
 from ipapython import ipautil
-from ipapython import kernel_keyring
+from ipapython import session_storage
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
@@ -84,19 +84,11 @@ if six.PY3:
     unicode = str
 
 COOKIE_NAME = 'ipa_session'
-KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME
+CCACHE_COOKIE_KEY = 'X-IPA-Session-Cookie'
 
 errors_by_code = dict((e.errno, e) for e in public_errors)
 
 
-def client_session_keyring_keyname(principal):
-    '''
-    Return the key name used for storing the client session data for
-    the given principal.
-    '''
-
-    return KEYRING_COOKIE_NAME % principal
-
 def update_persistent_client_session_data(principal, data):
     '''
     Given a principal create or update the session data for that
@@ -106,13 +98,10 @@ def update_persistent_client_session_data(principal, data):
     '''
 
     try:
-        keyname = client_session_keyring_keyname(principal)
+        session_storage.store_data(principal, CCACHE_COOKIE_KEY, data)
     except Exception as e:
         raise ValueError(str(e))
 
-    # kernel_keyring only raises ValueError (why??)
-    kernel_keyring.update_key(keyname, data)
-
 def read_persistent_client_session_data(principal):
     '''
     Given a principal return the stored session data for that
@@ -122,13 +111,10 @@ def read_persistent_client_session_data(principal):
     '''
 
     try:
-        keyname = client_session_keyring_keyname(principal)
+        return session_storage.get_data(principal, CCACHE_COOKIE_KEY)
     except Exception as e:
         raise ValueError(str(e))
 
-    # kernel_keyring only raises ValueError (why??)
-    return kernel_keyring.read_key(keyname)
-
 def delete_persistent_client_session_data(principal):
     '''
     Given a principal remove the session data for that
@@ -138,13 +124,10 @@ def delete_persistent_client_session_data(principal):
     '''
 
     try:
-        keyname = client_session_keyring_keyname(principal)
+        session_storage.remove_data(principal, CCACHE_COOKIE_KEY)
     except Exception as e:
         raise ValueError(str(e))
 
-    # kernel_keyring only raises ValueError (why??)
-    kernel_keyring.del_key(keyname)
-
 def xml_wrap(value, version):
     """
     Wrap all ``str`` in ``xmlrpc.client.Binary``.
-- 
cgit