Close connection after each request, avoid NSS shutdown problem.

The unit tests were failing when executed against an Apache server
in F-18 because dangling references caused NSS shutdown to fail. The same problem could potentially show up in other places, such as adding host keys during client enrollment.

rob
>From c53e283986f2b00db53e28009829ba09d62930aa Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Wed, 17 Oct 2012 16:58:54 -0400
Subject: [PATCH] Close connection after each request, avoid NSS shutdown
 problem.

The unit tests were failing when executed against an Apache server
in F-18 due to dangling references causing NSS shutdown to fail.

https://fedorahosted.org/freeipa/ticket/3180
---
 ipalib/rpc.py       | 30 +++++++++++++++++++++++++-----
 ipapython/nsslib.py |  6 ++++++
 2 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index e97536d9de5c455d3ff58c081fca37f16d087370..8389396e0e23623b5edb60d634041949f95711ce 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -257,16 +257,24 @@ class SSLTransport(LanguageAwareTransport):
         # If we an existing connection exists using the same NSS database
         # there is no need to re-initialize. Pass thsi into the NSS
         # connection creator.
+        if sys.version_info > (2, 6):
+            if self._connection and host == self._connection[0]:
+                return self._connection[1]
+
         dbdir = '/etc/pki/nssdb'
         no_init = self.__nss_initialized(dbdir)
-        (major, minor, micro, releaselevel, serial) = sys.version_info
-        if major == 2 and minor < 7:
+        if sys.version_info < (2, 7):
             conn = NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init)
         else:
             conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init)
         self.dbdir=dbdir
+
         conn.connect()
-        return conn
+        if sys.version_info < (2, 7):
+            return conn
+        else:
+            self._connection = host, conn
+            return self._connection[1]
 
 
 class KerbTransport(SSLTransport):
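Review bot: The guard `if sys.version_info > (2, 6):` on the added cache check is also true on every Python 2.6.x release, because `sys.version_info` is a five-element tuple and a longer tuple with an equal prefix compares greater than `(2, 6)`. The rest of this hunk treats 2.6 as the `sys.version_info < (2, 7)` branch, which never sets `self._connection`, so on 2.6 the lookup relies on an attribute this code does not set there; whether the base transport provides it is not visible here. Writing the test as `if sys.version_info >= (2, 7):` makes the two branches agree. The same comparison guards the `close()` call added to `destroy_connection` later in this file and needs the same change. The enclosing method starts above the hunk.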
@@ -331,6 +339,13 @@ class KerbTransport(SSLTransport):
 
         return (host, extra_headers, x509)
 
+
+    def single_request(self, host, handler, request_body, verbose=0):
+        try:
+            return SSLTransport.single_request(self, host, handler, request_body, verbose)
+        finally:
+            self.close()
+
     def parse_response(self, response):
         session_cookie = response.getheader('Set-Cookie')
         if session_cookie:
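Review bot: The new `single_request` override has no docstring or comment explaining why the connection is closed in `finally` after every call, so it reads as contradicting the `self._connection` reuse this patch adds to `make_connection`. A one-line docstring would settle it, for example `"""Send one request, then close the connection so no socket reference is left to block NSS shutdown."""`. If the intent is that a cached connection on this transport lives for a single request only, the docstring should say that too.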
@@ -371,7 +386,8 @@ class xmlclient(Connectible):
         """
         if not hasattr(self.conn, '_ServerProxy__transport'):
             return None
-        if type(self.conn._ServerProxy__transport) in (KerbTransport, DelegatedKerbTransport):
+        if (isinstance(self.conn._ServerProxy__transport, KerbTransport) or
+            isinstance(self.conn._ServerProxy__transport, DelegatedKerbTransport)):
             scheme = "https"
         else:
             scheme = "http"
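Review bot: The two chained `isinstance` calls in the changed condition can be one call with a tuple, `if isinstance(self.conn._ServerProxy__transport, (KerbTransport, DelegatedKerbTransport)):`, which removes the parenthesised continuation line. This test selects between the `https` and `http` scheme, and unlike the old `type(...) in` form it now matches subclasses of these transports too; a short comment recording that would explain the change. The enclosing method starts above the hunk and continues past it.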
@@ -493,7 +509,11 @@ class xmlclient(Connectible):
         return serverproxy
 
     def destroy_connection(self):
-        pass
+        if sys.version_info > (2, 6):
+            conn = getattr(context, self.id, None)
+            if conn is not None:
+                conn = conn.conn._ServerProxy__transport
+                conn.close()
 
     def forward(self, name, *args, **kw):
         """
diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index 06bcba64895b0ba7a6b814ed6748eff8bf5ff9b3..7afccd5685baccdb8e9eff737cb7dd4b11d46630 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -238,6 +238,12 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback):
     def connect(self):
         self.connect_socket(self.host, self.port)
 
+    def close(self):
+        """Close the connection to the HTTP server."""
+        if self.sock:
+            self.sock.close()   # close it manually... there may be other refs
+            self.sock = None
+
     def endheaders(self, message=None):
         """
         Explicitly close the connection if an error is returned after the
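Review bot: The new `close()` overrides `httplib.HTTPConnection.close()` without calling it, so any cleanup the base class does beyond the socket is skipped; in Python 2.7's httplib that appears to include closing the pending response and resetting the connection state, which matters if the object is reused after `close()`. If skipping it is deliberate, the docstring should say so, e.g. a line such as `# Base-class close() is intentionally not called: <reason>`. Otherwise the method can end with `httplib.HTTPConnection.close(self)` after the socket is released.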
-- 
1.7.12.1
