From a901ec1ce988b0b3d0c8e7a063de260eb9ede7e8 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Wed, 29 Jun 2016 15:53:52 +0200
Subject: session: do not initialize session manager on import

Removes the side effect of attempting to connect to memcached when the session module is imported, which caused user visible warnings and/or SELinux AVC denials.
https://fedorahosted.org/freeipa/ticket/5988
Reviewed-By: Martin Babinsky
---
 ipaserver/plugins/session.py | 7 +++----
 ipaserver/rpcserver.py | 9 ++++++++-
 ipaserver/session.py | 9 ++++++++-
 3 files changed, 19 insertions(+), 6 deletions(-)
(limited to 'ipaserver')
diff --git a/ipaserver/plugins/session.py b/ipaserver/plugins/session.py
index 9daa1426b..0efb53c88 100644
--- a/ipaserver/plugins/session.py
+++ b/ipaserver/plugins/session.py
@@ -2,12 +2,10 @@
 # Copyright (C) 2015 FreeIPA Contributors see COPYING for license
 #
-from ipalib import api, Command
+from ipalib import Command
 from ipalib.request import context
 from ipalib.plugable import Registry
-
-if api.env.in_server:
- from ipaserver.session import session_mgr
+from ipaserver.session import get_session_mgr
 register = Registry()
@@ -28,6 +26,7 @@ class session_logout(Command):
 self.debug('session logout command: session_id=%s', session_id)
 # Notifiy registered listeners
+ session_mgr = get_session_mgr()
 session_mgr.auth_mgr.logout(session_data)
 return dict(result=None)
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index ac27ae7f6..676149748 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -51,7 +51,7 @@ from ipalib.util import parse_time_duration, normalize_name
 from ipapython.dn import DN
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.session import (
- session_mgr, AuthManager, get_ipa_ccache_name,
+ get_session_mgr, AuthManager, get_ipa_ccache_name,
 load_ccache_data, bind_ipa_ccache, release_ipa_ccache, fmt_time, default_max_session_duration, krbccache_dir, krbccache_prefix)
 from ipalib.backend import Backend
@@ -415,6 +415,7 @@ class WSGIExecutioner(Executioner):
 if session_data is not None:
 # Send session cookie back and store session data
 # FIXME: the URL path should be retreived from somewhere (but where?), not hardcoded
+ session_mgr = get_session_mgr()
 session_cookie = session_mgr.generate_cookie('/ipa', session_data['session_id'], session_data['session_expiration_timestamp'])
 headers.append(('Set-Cookie', session_cookie))
@@ -576,6 +577,7 @@ class KerberosSession(object):
 krb_expiration = krb_endtime - krb_ticket_expiration_threshold
 # Set the session expiration time
+ session_mgr = get_session_mgr()
 session_mgr.set_session_expiration_time(session_data, duration=self.session_auth_duration, max_age=krb_expiration,
@@ -587,6 +589,7 @@ class KerberosSession(object):
 headers = []
 # Retrieve the session data (or newly create)
+ session_mgr = get_session_mgr()
 session_data = session_mgr.load_session_data(environ.get('HTTP_COOKIE'))
 session_id = session_data['session_id']
@@ -752,6 +755,7 @@ class jsonserver_session(jsonserver, KerberosSession):
 super(jsonserver_session, self).__init__(api)
 name = '{0}_{1}'.format(self.__class__.__name__, id(self))
 auth_mgr = AuthManagerKerb(name)
+ session_mgr = get_session_mgr()
 session_mgr.auth_mgr.register(auth_mgr.name, auth_mgr)
 def _on_finalize(self):
@@ -775,6 +779,7 @@ class jsonserver_session(jsonserver, KerberosSession):
 self.debug('WSGI jsonserver_session.__call__:')
 # Load the session data
+ session_mgr = get_session_mgr()
 session_data = session_mgr.load_session_data(environ.get('HTTP_COOKIE'))
 session_id = session_data['session_id']
@@ -1211,6 +1216,7 @@ class xmlserver_session(xmlserver, KerberosSession):
 super(xmlserver_session, self).__init__(api)
 name = '{0}_{1}'.format(self.__class__.__name__, id(self))
 auth_mgr = AuthManagerKerb(name)
+ session_mgr = get_session_mgr()
 session_mgr.auth_mgr.register(auth_mgr.name, auth_mgr)
 def _on_finalize(self):
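Review bot: The two `__init__` hunks (`jsonserver_session` at -752 and `xmlserver_session` at -1211) still call `get_session_mgr()` while the plugin object is being constructed, so the memcached connection named in the commit message is only moved from import time to plugin instantiation time. If these classes are also instantiated in processes that never serve a request (not visible from the hunks), the warnings and AVC denials could reappear there. Consider keeping the auth manager on the instance, `self._auth_mgr = AuthManagerKerb(name)`, and performing `get_session_mgr().auth_mgr.register(self._auth_mgr.name, self._auth_mgr)` once, when the first request reaches `__call__`. Both `__init__` bodies start outside their hunks, so confirm nothing else in them depends on the registration having happened.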
@@ -1234,6 +1240,7 @@ class xmlserver_session(xmlserver, KerberosSession):
 self.debug('WSGI xmlserver_session.__call__:')
 # Load the session data
+ session_mgr = get_session_mgr()
 session_data = session_mgr.load_session_data(environ.get('HTTP_COOKIE'))
 session_id = session_data['session_id']
diff --git a/ipaserver/session.py b/ipaserver/session.py
index 35eb554b4..11cc39f73 100644
--- a/ipaserver/session.py
+++ b/ipaserver/session.py
@@ -1275,4 +1275,11 @@ def release_ipa_ccache(ccache_name):
 else:
 raise ValueError('ccache scheme "%s" unsupported (%s)', scheme, ccache_name)
-session_mgr = MemcacheSessionManager()
+_session_mgr = None
+
+
+def get_session_mgr():
+ global _session_mgr
+ if _session_mgr is None:
+ _session_mgr = MemcacheSessionManager()
+ return _session_mgr
-- cgit
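Review bot: `get_session_mgr()` in ipaserver/session.py does an unsynchronized check-then-create on `_session_mgr`, so two threads entering it for the first time can each build a `MemcacheSessionManager`, and one of the two is then discarded. That matters because rpcserver.py registers its auth managers on the returned object's `auth_mgr`; a registration made on the discarded instance would never be seen by `session_logout`, which calls `auth_mgr.logout()` on the instance that survives. Whether the WSGI processes run more than one thread is not visible from this patch, so treat this as hardening: guard the construction with a module-level lock and add a docstring saying the function returns the single per-process manager. The sketch assumes `threading` is imported at the top of ipaserver/session.py, which is outside the hunk.

```python
_session_mgr = None
_session_mgr_lock = threading.Lock()


def get_session_mgr():
    """Return the process-wide session manager, creating it on first use."""
    global _session_mgr
    # Serialize first-time construction so every caller gets the same
    # instance, including the auth managers registered on it.
    with _session_mgr_lock:
        if _session_mgr is None:
            _session_mgr = MemcacheSessionManager()
    return _session_mgr
```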