Re: [Freeipa-devel] [PATCH] 354 Modififed NSSConnection not to shutdown existing database.

2014-11-11 Thread Jan Cholasta

Hi,

On 28.10.2014 at 23:17, Endi Sukma Dewata wrote:

On 10/22/2014 9:15 AM, Endi Sukma Dewata wrote:

The NSSConnection class has been modified not to shutdown the
existing NSS database if the database is already opened to
establish an SSL connection, or is already opened by another
code that uses an NSS database without establishing an SSL
connection such as vault CLIs.

Ticket #4638


New patch attached. It's identical except for the ticket URL in the
commit log.


ACK.

Honza

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 354 Modififed NSSConnection not to shutdown existing database.

2014-11-11 Thread Petr Viktorin

On 11/11/2014 09:02 AM, Jan Cholasta wrote:

Hi,

On 28.10.2014 at 23:17, Endi Sukma Dewata wrote:

On 10/22/2014 9:15 AM, Endi Sukma Dewata wrote:

The NSSConnection class has been modified not to shutdown the
existing NSS database if the database is already opened to
establish an SSL connection, or is already opened by another
code that uses an NSS database without establishing an SSL
connection such as vault CLIs.

Ticket #4638


New patch attached. It's identical except for the ticket URL in the
commit log.


ACK.

Honza



Pushed to master: 80a8df3f193aa800740f1627a269e6973f57aa0a

--
Petr³



Re: [Freeipa-devel] [PATCH] 354 Modififed NSSConnection not to shutdown existing database.

2014-10-28 Thread Endi Sukma Dewata

On 10/22/2014 9:15 AM, Endi Sukma Dewata wrote:

The NSSConnection class has been modified not to shutdown the
existing NSS database if the database is already opened to
establish an SSL connection, or is already opened by another
code that uses an NSS database without establishing an SSL
connection such as vault CLIs.

Ticket #4638


New patch attached. It's identical except for the ticket URL in the 
commit log.


--
Endi S. Dewata
From 34bd77959687673db9fbf71c443b6ffe5ed4ca71 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Tue, 16 Sep 2014 20:11:35 -0400
Subject: [PATCH] Modififed NSSConnection not to shutdown existing database.

The NSSConnection class has been modified not to shutdown the
existing NSS database if the database is already opened to
establish an SSL connection, or is already opened by another
code that uses an NSS database without establishing an SSL
connection such as vault CLIs.

https://fedorahosted.org/freeipa/ticket/4638
---
 ipalib/rpc.py   | 34 +++---
 ipapython/nsslib.py | 35 +++
 2 files changed, 42 insertions(+), 27 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 
5934f0c26e4b7c0a44adbab978c1f9b319d72e9f..001b7f1ca06edadfc7aad635d9d564e517008a63
 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -63,6 +63,7 @@ from ipaplatform.paths import paths
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
+import ipapython.nsslib
 from ipapython.nsslib import NSSHTTPS, NSSConnection
 from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, 
KRB5KRB_AP_ERR_TKT_EXPIRED, \
  KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, 
KRB5_REALM_CANT_RESOLVE
@@ -450,14 +451,10 @@ class LanguageAwareTransport(MultiProtocolTransport):
 class SSLTransport(LanguageAwareTransport):
 Handles an HTTPS transaction to an XML-RPC server.
 
-def __nss_initialized(self, dbdir):
+def get_connection_dbdir(self):
 
-If there is another connections open it may have already
-initialized NSS. This is likely to lead to an NSS shutdown
-failure.  One way to mitigate this is to tell NSS to not
-initialize if it has already been done in another open connection.
-
-Returns True if another connection is using the same db.
+If there is a connections open it may have already initialized
+NSS database. Return the database location used by the connection.
 
 for value in context.__dict__.values():
 if not isinstance(value, Connection):
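Review bot: the new docstring on get_connection_dbdir reads "If there is a connections open" and never states that the method returns None when no SSLTransport connection with a dbdir is found, which is the case make_connection branches on. Suggested wording: "If a connection is already open it may have initialized the NSS database. Return the database directory used by that connection, or None if there is none." The rename from __nss_initialized also drops the name-mangled prefix, so the helper becomes a public method of SSLTransport; if that is not intended, a single leading underscore would keep it internal.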
@@ -466,25 +463,32 @@ class SSLTransport(LanguageAwareTransport):
 getattr(value.conn, '_ServerProxy__transport', None),
 SSLTransport):
 continue
-if hasattr(value.conn._ServerProxy__transport, 'dbdir') and \
-  value.conn._ServerProxy__transport.dbdir == dbdir:
-return True
-return False
+if hasattr(value.conn._ServerProxy__transport, 'dbdir'):
+return value.conn._ServerProxy__transport.dbdir
+return None
 
 def make_connection(self, host):
 host, self._extra_headers, x509 = self.get_host_info(host)
 # Python 2.7 changed the internal class used in xmlrpclib from
 # HTTP to HTTPConnection. We need to use the proper subclass
 
-# If we an existing connection exists using the same NSS database
-# there is no need to re-initialize. Pass thsi into the NSS
-# connection creator.
 if sys.version_info = (2, 7):
 if self._connection and host == self._connection[0]:
 return self._connection[1]
 
 dbdir = getattr(context, 'nss_dir', paths.IPA_NSSDB_DIR)
-no_init = self.__nss_initialized(dbdir)
+connection_dbdir = self.get_connection_dbdir()
+
+if connection_dbdir:
+# If an existing connection is already using the same NSS
+# database there is no need to re-initialize.
+no_init = dbdir == connection_dbdir
+
+else:
+# If the NSS database is already being used there is no
+# need to re-initialize.
+no_init = dbdir == ipapython.nsslib.current_dbdir
+
 if sys.version_info  (2, 7):
 conn = NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init)
 else:
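Review bot: in get_connection_dbdir the loop now returns the dbdir of the first SSLTransport connection it encounters, whereas the removed code returned True if any connection matched the requested dbdir. With two connections open on different databases, make_connection evaluates "no_init = dbdir == connection_dbdir" against whichever one context.__dict__.values() yields first, and the else branch that consults ipapython.nsslib.current_dbdir is skipped whenever any connection has a dbdir at all. Consider checking both sources, for example "no_init = dbdir in (connection_dbdir, ipapython.nsslib.current_dbdir)", or having the helper collect every connection's dbdir, so that a database that is already open is not initialized a second time.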
diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index 
93b0c56fcff4fc69841a6823aae8f694c1f76ff0..1452a2a5844a5fb017d4408aadf56f7fcfc7fa25
 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -31,6 +31,9 @@ import nss.ssl as ssl
 import nss.error as error
 from ipaplatform.paths import paths
 
+# NSS database currently open
+current_dbdir = None
+
 def auth_certificate_callback(sock, check_sig, is_server, certdb):
 cert_is_valid = False
 
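Review bot: current_dbdir is introduced as a bare module global documented only as "NSS database currently open"; nothing in this hunk sets or resets it, so the comment should name the code that owns it and when it goes back to None. It is also worth stating that callers must read it as ipapython.nsslib.current_dbdir (as rpc.py does) rather than importing the name, because a from-import would keep the initial None, and that this is process-wide state with no locking if NSSConnection is ever used from more than one thread.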
@@ -184,19 +187,27 @@ class NSSConnection(httplib.HTTPConnection,