session: do not initialize session manager on import

Removes the side effect of attempting to connect to memcached when the
session module is imported, which caused user-visible warnings and/or
SELinux AVC denials.

https://fedorahosted.org/freeipa/ticket/5988

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Jan Cholasta
2016-06-29 15:53:52 +02:00
parent dcf8b47471
commit a901ec1ce9
3 changed files with 19 additions and 6 deletions


@@ -2,12 +2,10 @@
# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
#
from ipalib import api, Command
from ipalib import Command
from ipalib.request import context
from ipalib.plugable import Registry
if api.env.in_server:
from ipaserver.session import session_mgr
from ipaserver.session import get_session_mgr
register = Registry()
@@ -28,6 +26,7 @@ class session_logout(Command):
self.debug('session logout command: session_id=%s', session_id)
# Notifiy registered listeners
session_mgr = get_session_mgr()
session_mgr.auth_mgr.logout(session_data)
return dict(result=None)
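Review bot: With the `if api.env.in_server:` guard dropped, `from ipaserver.session import get_session_mgr` now runs whenever this plugin module is loaded. If the module can be loaded where `ipaserver` is absent or not configured, the import itself would fail, although the page does not show where the file lives. If it is server-only, a short comment above the import would record why the guard is no longer needed, e.g. `# server-only plugin: the session manager is created lazily by get_session_mgr()`. The body of `session_logout` starts outside the hunk.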


@@ -51,7 +51,7 @@ from ipalib.util import parse_time_duration, normalize_name
from ipapython.dn import DN
from ipaserver.plugins.ldap2 import ldap2
from ipaserver.session import (
session_mgr, AuthManager, get_ipa_ccache_name,
get_session_mgr, AuthManager, get_ipa_ccache_name,
load_ccache_data, bind_ipa_ccache, release_ipa_ccache, fmt_time,
default_max_session_duration, krbccache_dir, krbccache_prefix)
from ipalib.backend import Backend
@@ -415,6 +415,7 @@ class WSGIExecutioner(Executioner):
if session_data is not None:
# Send session cookie back and store session data
# FIXME: the URL path should be retreived from somewhere (but where?), not hardcoded
session_mgr = get_session_mgr()
session_cookie = session_mgr.generate_cookie('/ipa', session_data['session_id'],
session_data['session_expiration_timestamp'])
headers.append(('Set-Cookie', session_cookie))
@@ -576,6 +577,7 @@ class KerberosSession(object):
krb_expiration = krb_endtime - krb_ticket_expiration_threshold
# Set the session expiration time
session_mgr = get_session_mgr()
session_mgr.set_session_expiration_time(session_data,
duration=self.session_auth_duration,
max_age=krb_expiration,
@@ -587,6 +589,7 @@ class KerberosSession(object):
headers = []
# Retrieve the session data (or newly create)
session_mgr = get_session_mgr()
session_data = session_mgr.load_session_data(environ.get('HTTP_COOKIE'))
session_id = session_data['session_id']
@@ -752,6 +755,7 @@ class jsonserver_session(jsonserver, KerberosSession):
super(jsonserver_session, self).__init__(api)
name = '{0}_{1}'.format(self.__class__.__name__, id(self))
auth_mgr = AuthManagerKerb(name)
session_mgr = get_session_mgr()
session_mgr.auth_mgr.register(auth_mgr.name, auth_mgr)
def _on_finalize(self):
@@ -775,6 +779,7 @@ class jsonserver_session(jsonserver, KerberosSession):
self.debug('WSGI jsonserver_session.__call__:')
# Load the session data
session_mgr = get_session_mgr()
session_data = session_mgr.load_session_data(environ.get('HTTP_COOKIE'))
session_id = session_data['session_id']
@@ -1211,6 +1216,7 @@ class xmlserver_session(xmlserver, KerberosSession):
super(xmlserver_session, self).__init__(api)
name = '{0}_{1}'.format(self.__class__.__name__, id(self))
auth_mgr = AuthManagerKerb(name)
session_mgr = get_session_mgr()
session_mgr.auth_mgr.register(auth_mgr.name, auth_mgr)
def _on_finalize(self):
@@ -1234,6 +1240,7 @@ class xmlserver_session(xmlserver, KerberosSession):
self.debug('WSGI xmlserver_session.__call__:')
# Load the session data
session_mgr = get_session_mgr()
session_data = session_mgr.load_session_data(environ.get('HTTP_COOKIE'))
session_id = session_data['session_id']
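Review bot: The `__init__` hunks of `jsonserver_session` and `xmlserver_session` call `get_session_mgr()` during plugin construction, so the `MemcacheSessionManager` is still created as soon as these classes are instantiated rather than on the first request. If these plugins can be instantiated in a process that never serves sessions, the memcached connection attempt described in the commit message could presumably still occur there. Deferring `session_mgr.auth_mgr.register(auth_mgr.name, auth_mgr)` to a later point such as `_on_finalize` would keep construction free of side effects, provided nothing relies on registration at construction time. Failing that, a comment at both call sites should state that construction is expected to create the manager. The enclosing methods start and end outside the hunks shown.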


@@ -1275,4 +1275,11 @@ def release_ipa_ccache(ccache_name):
else:
raise ValueError('ccache scheme "%s" unsupported (%s)', scheme, ccache_name)
session_mgr = MemcacheSessionManager()
_session_mgr = None
def get_session_mgr():
global _session_mgr
if _session_mgr is None:
_session_mgr = MemcacheSessionManager()
return _session_mgr
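Review bot: The lazy initialisation in `get_session_mgr()` is unsynchronised, so two threads making the first call at the same time can each construct a `MemcacheSessionManager`, and one instance is then discarded. The callers register their auth managers on `session_mgr.auth_mgr` and the logout command notifies listeners through the same attribute, so a registration made on the discarded instance would never receive logout notifications. Whether first calls can actually overlap depends on the WSGI threading model, which is not visible here. If they can, add a module-level `_session_mgr_lock = threading.Lock()` and wrap the check and assignment in `with _session_mgr_lock:`, importing `threading` if the module does not already. The function also lacks a docstring; one line stating that it returns the process-wide session manager, created on first use, would do.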