From 2a42a7e90eb8154a6722ae93d93f8cf6796f4a21 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Fri, 26 Aug 2016 08:59:10 +1000
Subject: [PATCH] Allow Dogtag RestClient to perform requests without logging
 in

Currently the Dogtag RestClient '_ssldo' method requires a session
cookie unconditionally, however, not all REST methods require a
session: some do not require authentication at all, and some will
authenticate the agent on the fly.

To avoid unnecessary login/logout requests via the context manager,
add the 'use_session' keyword argument to '_ssldo'.  It defaults to
'True' to preserve existing behaviour (session required) but a
caller can set to 'False' to avoid the requirement.

Part of: https://fedorahosted.org/freeipa/ticket/6260
Part of: https://fedorahosted.org/freeipa/ticket/3473

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 ipaserver/plugins/dogtag.py | 36 ++++++++++++++++++++++++------------
 1 file changed, 24 insertions(+), 12 deletions(-)

diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 01e5f1383..f3fb2703f 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -2071,26 +2071,38 @@ class RestClient(Backend):
         )
         self.cookie = None
 
-    def _ssldo(self, method, path, headers=None, body=None):
+    def _ssldo(self, method, path, headers=None, body=None, use_session=True):
         """
-        :param url: The URL to post to.
-        :param kw:  Keyword arguments to encode into POST body.
+        Perform an HTTPS request.
+
+        :param method: HTTP method to use
+        :param path: Path component. This will *extend* the path defined for
+            the class (if any).
+        :param headers: Additional headers to include in the request.
+        :param body: Request body.
+        :param use_session: If ``True``, session cookie is added to request
+            (client must be logged in).
+
         :return:   (http_status, http_headers, http_body)
                    as (integer, dict, str)
 
-        Perform an HTTPS request
+        :raises: ``RemoteRetrieveError`` if ``use_session`` is not ``False``
+            and client is not logged in.
+
         """
-        if self.cookie is None:
-            raise errors.RemoteRetrieveError(
-                reason=_("REST API is not logged in."))
-
         headers = headers or {}
-        headers['Cookie'] = self.cookie
 
+        if use_session:
+            if self.cookie is None:
+                raise errors.RemoteRetrieveError(
+                    reason=_("REST API is not logged in."))
+            headers['Cookie'] = self.cookie
+
+        resource = '/ca/rest'
+        if self.path is not None:
+            resource = os.path.join(resource, self.path)
         if path is not None:
-            resource = os.path.join('/ca/rest', self.path, path)
-        else:
-            resource = os.path.join('/ca/rest', self.path)
+            resource = os.path.join(resource, path)
 
         # perform main request
         status, resp_headers, resp_body = dogtag.https_request(