URL: https://github.com/freeipa/freeipa/pull/805
Author: simo5
Title: #805: Fix rare race condition with missing ccache file
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/805/head:pr805
git checkout pr805
From 6ba2d059ae7fb13cec40581a69eddbd995bf9bf7 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Mon, 22 May 2017 10:56:41 -0400
Subject: [PATCH] Fix rare race condition with missing ccache file

In some circumstances the ccache file may disappear while
mod_auth_gssapi still has a valid cookie and the client is performing a
json server call.

This may lead to credentials getting sourced from the keytab.
Make sure we enforce what GSS NAME we want to resolve so HTTP creds are
never mistakenly sourced.

Ticket: #6972

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipaserver/rpcserver.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 4cde2815a0..32f286148b 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -777,8 +777,17 @@ def __call__(self, environ, start_response):
             self.debug('no ccache, need login')
             return self.need_login(start_response)
 
+        # If we have a ccache, make sure we have a GSS_NAME and use
+        # it to resolve the ccache name (Issue: 6972 )
+        principal = environ.get('GSS_NAME')
+        if principal is None:
+            self.debug('no GSS Name, need login')
+            return self.need_login(start_response)
+        gss_name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
+
         # Redirect to login if Kerberos credentials are expired
-        creds = get_credentials_if_valid(ccache_name=ccache_name)
+        creds = get_credentials_if_valid(name=gss_name,
+                                         ccache_name=ccache_name)
         if not creds:
             self.debug('ccache expired, deleting session, need login')
             # The request is finished with the ccache, destroy it.
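Review bot: `gssapi.Name(principal, gssapi.NameType.kerberos_principal)` is called with no exception handling, so an unparsable `GSS_NAME` value raises a `gssapi.exceptions.GSSError` out of `__call__` and turns into a 500 instead of the login redirect the surrounding code uses for every other bad-session case. Consider wrapping the import in `try/except gssapi.exceptions.GSSError` and falling back to `self.need_login(start_response)` the same way the `principal is None` branch does. Also note that this hunk only changes the call site; the `name=` keyword on `get_credentials_if_valid` is not part of this diff, so the helper's signature should be confirmed to accept it. Nit: the trailing space in `(Issue: 6972 )` in the new comment.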
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
