Generate a unique cache for each connection

Rather than having a shared ccache per user, configure
mod_auth_gssapi to create a unique one. This requires cleanup
to remove expired caches. A new script is added,
ipa-ccache-sweeper to do this. It will be invoked by a
new service, ipa-ccache-sweep, which will be executed every
12 hours by an equally-named timer.

https://pagure.io/freeipa/issue/8589

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>

install/share/ipa.conf.template

@@ -1,5 +1,5 @@
 #
-# VERSION 31 - DO NOT REMOVE THIS LINE
+# VERSION 32 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -76,6 +76,7 @@ WSGIScriptReloading Off
   GssapiImpersonate On
   GssapiDelegCcacheDir $IPA_CCACHES
   GssapiDelegCcachePerms mode:0660 gid:ipaapi
+  GssapiDelegCcacheUnique On
   GssapiUseS4U2Proxy on
   GssapiAllowedMech krb5
   Require valid-user
@@ -117,6 +118,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
   AuthType none
   GssapiDelegCcacheDir $IPA_CCACHES
   GssapiDelegCcachePerms mode:0660 gid:ipaapi
+  GssapiDelegCcacheUnique On
   SSLVerifyClient require
   SSLUserName SSL_CLIENT_CERT
   LookupUserByCertificate On

install/tools/Makefile.am

@@ -6,6 +6,7 @@ SUBDIRS = 			\
 
 dist_noinst_DATA =		\
 	ipa-ca-install.in		\
+	ipa-ccache-sweeper.in	\
 	ipa-dns-install.in		\
 	ipa-kra-install.in		\
 	ipa-server-install.in	\
@@ -70,6 +71,7 @@ nodist_sbin_SCRIPTS =		\
 
 appdir = $(libexecdir)/ipa/
 nodist_app_SCRIPTS =		\
+	ipa-ccache-sweeper	\
 	ipa-custodia		\
 	ipa-custodia-check	\
 	ipa-httpd-kdcproxy	\

install/tools/ipa-ccache-sweeper.in

@@ -0,0 +1,67 @@
+#!/usr/bin/env python3
+
+# Based heavily on
+# https://github.com/gssapi/mod_auth_gssapi/blob/master/contrib/sweeper.py
+
+# Copyright (C) 2016 mod_auth_gssapi contributors - See COPYING for (C) terms
+
+# If one uses both sessions and unique ccache names, then the filesystem will
+# become littered with ccache files unless the accessed application cleans
+# them up itself.  This script will minimize ccache file proliferation by
+# removing any ccaches that have expired from the filesystem, and serves as an
+# example of how this cleaning can be performed.
+
+import argparse
+import os
+import stat
+import sys
+import time
+
+from gssapi.raw import acquire_cred_from
+from ipaplatform.paths import paths
+
+
+# process file as a ccache and indicate whether it is expired
+def should_delete(fname, t, minlife):
+    try:
+        # skip directories and other non-files
+        st = os.stat(fname)
+        if not stat.S_ISREG(st.st_mode):
+            return False
+
+        # ignore files that are newer than minlife minutes
+        if t - st.st_mtime < minlife * 60:
+            return False
+
+        creds = acquire_cred_from({b"ccache": fname.encode("UTF-8")})
+    except FileNotFoundError:
+        # someone else did the work for us
+        return False
+    except Exception as e:
+        print("Not deleting %s due to error %s" % (fname, e))
+        return False
+
+    return creds.lifetime == 0
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description="Sweep expired ccaches")
+    parser.add_argument("-m", dest="minlife", type=int,
+                        help="ignore newer files than this (default: 30)",
+                        default=30)
+    args = parser.parse_args()
+
+    os.environ["GSS_USE_PROXY"] = "yes"
+    os.environ["GSSPROXY_BEHAVIOR"] = "REMOTE_FIRST"
+
+    print("Running sweeper...")
+
+    t = time.time()
+
+    os.chdir(paths.IPA_CCACHES)
+    for fname in os.listdir(paths.IPA_CCACHES):
+        if should_delete(fname, t, args.minlife):
+            os.unlink(fname)
+
+    print("Sweeper finished successfully!")
+    sys.exit(0)