mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-26 08:51:50 -06:00
3c900ba7a8
8 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Tomas Babej
|
4d2ef43f28 |
ipaplatform: Move all filesystem paths to ipaplatform.paths module
https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com> |
||
John Dennis
|
9269e5d6dd |
Compliant client side session cookie behavior
In summary this patch does:
* Follow the defined rules for cookies when:
- receiving a cookie (process the attributes)
- storing a cookie (store cookie + attributes)
- sending a cookie
+ validate the cookie domain against the request URL
+ validate the cookie path against the request URL
+ validate the cookie expiration
+ if valid then send only the cookie, no attribtues
* Modifies how a request URL is stored during a XMLRPC
request/response sequence.
* Refactors a bit of the request/response logic to allow for making
the decision whether to send a session cookie instead of full
Kerberous auth easier.
* The server now includes expiration information in the session cookie
it sends to the client. The server always had the information
available to prevent using an expired session cookie. Now that
expiration timestamp is returned to the client as well and now the
client will not send an expired session cookie back to the server.
* Adds a new module and unit test for cookies (see below)
Formerly we were always returning the session cookie no matter what
the domain or path was in the URL. We were also sending the cookie
attributes which are for the client only (used to determine if to
return a cookie). The attributes are not meant to be sent to the
server and the previous behavior was a protocol violation. We also
were not checking the cookie expiration.
Cookie library issues:
We need a library to create, parse, manipulate and format cookies both
in a client context and a server context. Core Python has two cookie
libraries, Cookie.py and cookielib.py. Why did we add a new cookie
module instead of using either of these two core Python libaries?
Cookie.py is designed for server side generation but can be used to
parse cookies on the client. It's the library we were using in the
server. However when I tried to use it in the client I discovered it
has some serious bugs. There are 7 defined cookie elements, it fails
to correctly parse 3 of the 7 elements which makes it unusable because
we depend on those elements. Since Cookie.py was designed for server
side cookie processing it's not hard to understand how fails to
correctly parse a cookie because that's a client side need. (Cookie.py
also has an awkward baroque API and is missing some useful
functionality we would have to build on top of it).
cookielib.py is designed for client side. It's fully featured and obeys
all the RFC's. It would be great to use however it's tightly coupled
with another core library, urllib2.py. The http request and response
objects must be urllib2 objects. But we don't use urllib2, rather we use
httplib because xmlrpclib uses httplib. I don't see a reason why a
cookie library should be so tightly coupled to a protocol library, but
it is and that means we can't use it (I tried to just pick some isolated
entrypoints for our use but I kept hitting interaction/dependency problems).
I decided to solve the cookie library problems by writing a minimal
cookie library that does what we need and no more than that. It is a
new module in ipapython shared by both client and server and comes
with a new unit test. The module has plenty of documentation, no need
to repeat it here.
Request URL issues:
We also had problems in rpc.py whereby information from the request
which is needed when we process the response is not available. Most
important was the requesting URL. It turns out that the way the class
and object relationships are structured it's impossible to get this
information. Someone else must have run into the same issue because
there was a routine called reconstruct_url() which attempted to
recreate the request URL from other available
information. Unfortunately reconstruct_url() was not callable from
inside the response handler. So I decided to store the information in
the thread context and when the request is received extract it from
the thread context. It's perhaps not an ideal solution but we do
similar things elsewhere so at least it's consistent. I removed the
reconstruct_url() function because the exact information is now in the
context and trying to apply heuristics to recreate the url is probably
not robust.
Ticket https://fedorahosted.org/freeipa/ticket/3022
|
||
Yuri Chornoivan
|
8bbb42b410 |
Fix various typos.
https://fedorahosted.org/freeipa/ticket/3089 |
||
|
John Dennis
|
94d457e83c |
Use DN objects instead of strings
* Convert every string specifying a DN into a DN object
* Every place a dn was manipulated in some fashion it was replaced by
the use of DN operators
* Add new DNParam parameter type for parameters which are DN's
* DN objects are used 100% of the time throughout the entire data
pipeline whenever something is logically a dn.
* Many classes now enforce DN usage for their attributes which are
dn's. This is implmented via ipautil.dn_attribute_property(). The
only permitted types for a class attribute specified to be a DN are
either None or a DN object.
* Require that every place a dn is used it must be a DN object.
This translates into lot of::
assert isinstance(dn, DN)
sprinkled through out the code. Maintaining these asserts is
valuable to preserve DN type enforcement. The asserts can be
disabled in production.
The goal of 100% DN usage 100% of the time has been realized, these
asserts are meant to preserve that.
The asserts also proved valuable in detecting functions which did
not obey their function signatures, such as the baseldap pre and
post callbacks.
* Moved ipalib.dn to ipapython.dn because DN class is shared with all
components, not just the server which uses ipalib.
* All API's now accept DN's natively, no need to convert to str (or
unicode).
* Removed ipalib.encoder and encode/decode decorators. Type conversion
is now explicitly performed in each IPASimpleLDAPObject method which
emulates a ldap.SimpleLDAPObject method.
* Entity & Entry classes now utilize DN's
* Removed __getattr__ in Entity & Entity clases. There were two
problems with it. It presented synthetic Python object attributes
based on the current LDAP data it contained. There is no way to
validate synthetic attributes using code checkers, you can't search
the code to find LDAP attribute accesses (because synthetic
attriutes look like Python attributes instead of LDAP data) and
error handling is circumscribed. Secondly __getattr__ was hiding
Python internal methods which broke class semantics.
* Replace use of methods inherited from ldap.SimpleLDAPObject via
IPAdmin class with IPAdmin methods. Directly using inherited methods
was causing us to bypass IPA logic. Mostly this meant replacing the
use of search_s() with getEntry() or getList(). Similarly direct
access of the LDAP data in classes using IPAdmin were replaced with
calls to getValue() or getValues().
* Objects returned by ldap2.find_entries() are now compatible with
either the python-ldap access methodology or the Entity/Entry access
methodology.
* All ldap operations now funnel through the common
IPASimpleLDAPObject giving us a single location where we interface
to python-ldap and perform conversions.
* The above 4 modifications means we've greatly reduced the
proliferation of multiple inconsistent ways to perform LDAP
operations. We are well on the way to having a single API in IPA for
doing LDAP (a long range goal).
* All certificate subject bases are now DN's
* DN objects were enhanced thusly:
- find, rfind, index, rindex, replace and insert methods were added
- AVA, RDN and DN classes were refactored in immutable and mutable
variants, the mutable variants are EditableAVA, EditableRDN and
EditableDN. By default we use the immutable variants preserving
important semantics. To edit a DN cast it to an EditableDN and
cast it back to DN when done editing. These issues are fully
described in other documentation.
- first_key_match was removed
- DN equalty comparison permits comparison to a basestring
* Fixed ldapupdate to work with DN's. This work included:
- Enhance test_updates.py to do more checking after applying
update. Add test for update_from_dict(). Convert code to use
unittest classes.
- Consolidated duplicate code.
- Moved code which should have been in the class into the class.
- Fix the handling of the 'deleteentry' update action. It's no longer
necessary to supply fake attributes to make it work. Detect case
where subsequent update applies a change to entry previously marked
for deletetion. General clean-up and simplification of the
'deleteentry' logic.
- Rewrote a couple of functions to be clearer and more Pythonic.
- Added documentation on the data structure being used.
- Simplfy the use of update_from_dict()
* Removed all usage of get_schema() which was being called prior to
accessing the .schema attribute of an object. If a class is using
internal lazy loading as an optimization it's not right to require
users of the interface to be aware of internal
optimization's. schema is now a property and when the schema
property is accessed it calls a private internal method to perform
the lazy loading.
* Added SchemaCache class to cache the schema's from individual
servers. This was done because of the observation we talk to
different LDAP servers, each of which may have it's own
schema. Previously we globally cached the schema from the first
server we connected to and returned that schema in all contexts. The
cache includes controls to invalidate it thus forcing a schema
refresh.
* Schema caching is now senstive to the run time context. During
install and upgrade the schema can change leading to errors due to
out-of-date cached schema. The schema cache is refreshed in these
contexts.
* We are aware of the LDAP syntax of all LDAP attributes. Every
attribute returned from an LDAP operation is passed through a
central table look-up based on it's LDAP syntax. The table key is
the LDAP syntax it's value is a Python callable that returns a
Python object matching the LDAP syntax. There are a handful of LDAP
attributes whose syntax is historically incorrect
(e.g. DistguishedNames that are defined as DirectoryStrings). The
table driven conversion mechanism is augmented with a table of
hard coded exceptions.
Currently only the following conversions occur via the table:
- dn's are converted to DN objects
- binary objects are converted to Python str objects (IPA
convention).
- everything else is converted to unicode using UTF-8 decoding (IPA
convention).
However, now that the table driven conversion mechanism is in place
it would be trivial to do things such as converting attributes
which have LDAP integer syntax into a Python integer, etc.
* Expected values in the unit tests which are a DN no longer need to
use lambda expressions to promote the returned value to a DN for
equality comparison. The return value is automatically promoted to
a DN. The lambda expressions have been removed making the code much
simpler and easier to read.
* Add class level logging to a number of classes which did not support
logging, less need for use of root_logger.
* Remove ipaserver/conn.py, it was unused.
* Consolidated duplicate code wherever it was found.
* Fixed many places that used string concatenation to form a new
string rather than string formatting operators. This is necessary
because string formatting converts it's arguments to a string prior
to building the result string. You can't concatenate a string and a
non-string.
* Simplify logic in rename_managed plugin. Use DN operators to edit
dn's.
* The live version of ipa-ldap-updater did not generate a log file.
The offline version did, now both do.
https://fedorahosted.org/freeipa/ticket/1670
https://fedorahosted.org/freeipa/ticket/1671
https://fedorahosted.org/freeipa/ticket/1672
https://fedorahosted.org/freeipa/ticket/1673
https://fedorahosted.org/freeipa/ticket/1674
https://fedorahosted.org/freeipa/ticket/1392
https://fedorahosted.org/freeipa/ticket/2872
|
||
|
John Dennis
|
ee780df13c |
Implement password based session login
* Adjust URL's - rename /ipa/login -> /ipa/session/login_kerberos - add /ipa/session/login_password * Adjust Kerberos protection on URL's in ipa.conf * Bump VERSION in httpd ipa.conf to pick up session changes. * Adjust login URL in ipa.js * Add InvalidSessionPassword to errors.py * Rename krblogin class to login_kerberos for consistency with new login_password class * Implement login_password.kinit() method which invokes /usr/bin/kinit as a subprocess * Add login_password class for WSGI dispatch, accepts POST application/x-www-form-urlencoded user & password parameters. We form the Kerberos principal from the server's realm. * Add function krb5_unparse_ccache() * Refactor code to share common code * Clean up use of ccache names, be consistent * Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file() with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache(). bind_ipa_ccache() now sets environment KRB5CCNAME variable. release_ipa_ccache() now clears environment KRB5CCNAME variable. * ccache names should now support any ccache storage scheme, not just FILE based ccaches * Add utilies to return HTTP status from wsgi handlers, use constants for HTTP status code for consistency. Use utilies for returning from wsgi handlers rather than duplicated code. * Add KerberosSession.finalize_kerberos_acquisition() method so different login handlers can share common code. * add Requires: krb5-workstation to server (server now calls kinit) * Fix test_rpcserver.py to use new dispatch inside route() method https://fedorahosted.org/freeipa/ticket/2095 |
||
|
John Dennis
|
059a90702e |
Implement session activity timeout
Previously sessions expired after session_auth_duration had elapsed commencing from the start of the session. We new support a "rolling" expiration where the expiration is advanced by session_auth_duration everytime the session is accessed, this is equivalent to a inactivity timeout. The expiration is still constrained by the credential expiration in all cases. The session expiration behavior is configurable based on the session_auth_duration_type. * Reduced the default session_auth_duration from 1 hour to 20 minutes. * Replaced the sesssion write_timestamp with the access_timestamp and update the access_timestamp whenever the session data is created, retrieved, or written. * Modify set_session_expiration_time to handle both an inactivity timeout and a fixed duration. * Introduce KerberosSession as a mixin class to share session duration functionality with all classes manipulating session data with Kerberos auth. This is both the non-RPC login class and the RPC classes. * Update make-lint to handle new classes. * Added session_auth_duration_type config item. * Updated default.conf.5 man page for new session_auth_duration_type item. * Removed these unused config items: mount_xmlserver, mount_jsonserver, webui_assets_dir https://fedorahosted.org/freeipa/ticket/2392 |
||
|
John Dennis
|
9753fd4230 |
Tweak the session auth to reflect developer consensus.
* Increase the session ID from 48 random bits to 128. * Implement the sesison_logout RPC command. It permits the UI to send a command that destroys the users credentials in the current session. * Restores the original web URL's and their authentication protections. Adds a new URL for sessions /ipa/session/json. Restores the original Kerberos auth which was for /ipa and everything below. New /ipa/session/json URL is treated as an exception and turns all authenticaion off. Similar to how /ipa/ui is handled. * Refactor the RPC handlers in rpcserver.py such that there is one handler per URL, specifically one handler per RPC and AuthMechanism combination. * Reworked how the URL names are used to map a URL to a handler. Previously it only permitted one level in the URL path hierarchy. We now dispatch on more that one URL path component. * Renames the api.Backend.session object to wsgi_dispatch. The use of the name session was historical and is now confusing since we've implemented sessions in a different location than the api.Backend.session object, which is really a WSGI dispatcher, hence the new name wsgi_dispatch. * Bullet-proof the setting of the KRB5CCNAME environment variable. ldap2.connect already sets it via the create_context() call but just in case that's not called or not called early enough (we now have other things besides ldap which need the ccache) we explicitly set it early as soon as we know it. * Rework how we test for credential validity and expiration. The previous code did not work with s4u2proxy because it assumed the existance of a TGT. Now we first try ldap credentials and if we can't find those fallback to the TGT. This logic was moved to the KRB5_CCache object, it's an imperfect location for it but it's the only location that makes sense at the moment given some of the current code limitations. The new methods are KRB5_CCache.valid() and KRB5_CCache.endtime(). * Add two new classes to session.py AuthManager and SessionAuthManager. Their purpose is to emit authication events to interested listeners. At the moment the logout event is the only event, but the framework should support other events as they arise. * Add BuildRequires python-memcached to freeipa.spec.in * Removed the marshaled_dispatch method, it was cruft, no longer referenced. https://fedorahosted.org/freeipa/ticket/2362 |
||
|
John Dennis
|
bba4ccb3a0 |
add session manager and cache krb auth
This patch adds a session manager and support for caching authentication in the session. Major elements of the patch are: * Add a session manager to support cookie based sessions which stores session data in a memcached entry. * Add ipalib/krb_utils.py which contains functions to parse ccache names, format principals, format KRB timestamps, and a KRB_CCache class which reads ccache entry and allows one to extract information such as the principal, credentials, credential timestamps, etc. * Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so that all kerberos items are co-located. * Modify javascript in ipa.js so that the IPA.command() RPC call checks for authentication needed error response and if it receives it sends a GET request to /ipa/login URL to refresh credentials. * Add session_auth_duration config item to constants.py, used to configure how long a session remains valid. * Add parse_time_duration utility to ipalib/util.py. Used to parse the session_auth_duration config item. * Update the default.conf.5 man page to document session_auth_duration config item (also added documentation for log_manager config items which had been inadvertantly omitted from a previous commit). * Add SessionError object to ipalib/errors.py * Move Kerberos protection in Apache config from /ipa to /ipa/xml and /ipa/login * Add SessionCCache class to session.py to manage temporary Kerberos ccache file in effect for the duration of an RPC command. * Adds a krblogin plugin used to implement the /ipa/login handler. login handler sets the session expiration time, currently 60 minutes or the expiration of the TGT, whichever is shorter. It also copies the ccache provied by mod_auth_kerb into the session data. The json handler will later extract and validate the ccache belonging to the session. * Refactored the WSGI handlers so that json and xlmrpc could have independent behavior, this also moves where create and destroy context occurs, now done in the individual handler rather than the parent class. * The json handler now looks up the session data, validates the ccache bound to the session, if it's expired replies with authenicated needed error. * Add documentation to session.py. Fully documents the entire process, got questions, read the doc. * Add exclusions to make-lint as needed. |