Blame SOURCES/0042-Prevent-churn-on-ccaches.patch

From df5600dc012465f2f18a54aa451353f0fd9d5453 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 23 Mar 2017 17:49:27 -0400
Subject: [PATCH] Prevent churn on ccaches

We slice down the received cookie so that just the content that matters
is preserved. This is ok because servers can't trust anything else anyway
and will accept a cookie with the ancillary data missing.

By removing variable parts like the expiry component added by
mod_session or the Expiration or Max-Age metadata we keep only the part
of the cookie that changes only when a new session is generated.

This way when storing the cookie we actually add a new entry in the
ccache only when the session actually changes, and this prevents churn
on FILE based ccaches.

Related https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipalib/rpc.py | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index c1ceeec197c4a9c55f303f0fd431e86adb389598..5c49bd2456b7e564043a886c840fa2678060f9e3 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -38,6 +38,7 @@ import os
 import locale
 import base64
 import json
+import re
 import socket
 import gzip
 
@@ -737,6 +738,20 @@ class KerbTransport(SSLTransport):
             self.send_content(connection, request_body)
             return connection
 
+    # Find all occurrences of the expiry component
+    expiry_re = re.compile(r'.*?(&expiry=\d+).*?')
+
+    def _slice_session_cookie(self, session_cookie):
+        # Keep only the cookie value and strip away all other info.
+        # This is to reduce the churn on FILE ccaches which grow every time we
+        # set new data. The expiration time for the cookie is set in the
+        # encrypted data anyway and will be enforced by the server
+        http_cookie = session_cookie.http_cookie()
+        # We also remove the "expiry" part from the data which is not required
+        for exp in self.expiry_re.findall(http_cookie):
+            http_cookie = http_cookie.replace(exp, '')
+        return http_cookie
+
     def store_session_cookie(self, cookie_header):
         '''
         Given the contents of a Set-Cookie header scan the header and
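Review bot: In `expiry_re`, the leading and trailing `.*?` around `(&expiry=\d+)` add nothing under `findall`: the lazy wildcards match as little as possible and only the group is returned. `expiry_re = re.compile(r'&expiry=\d+')` together with `http_cookie = self.expiry_re.sub('', http_cookie)` would replace the findall/replace loop in `_slice_session_cookie` with a single call. The pattern also only matches an expiry component that is preceded by `&`, so the comment should say whether `expiry=` can ever be the first component of the value, and the pattern should handle that case if it can. The comment above `expiry_re` describes the regex only; a docstring on `_slice_session_cookie` stating that its return value is what gets stored in the ccache would make the intent clear at the call site.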
@@ -787,7 +802,7 @@ class KerbTransport(SSLTransport):
         if session_cookie is None:
             return
 
-        cookie_string = str(session_cookie)
+        cookie_string = self._slice_session_cookie(session_cookie)
         root_logger.debug("storing cookie '%s' for principal %s", cookie_string, principal)
         try:
             update_persistent_client_session_data(principal, cookie_string)
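Review bot: The context line directly after the changed assignment, `root_logger.debug("storing cookie '%s' for principal %s", cookie_string, principal)`, now writes the sliced cookie to the debug log, and per the commit message that is exactly the part that identifies the session. Consider logging only the principal (or the cookie name) here so that a debug log does not carry a reusable session value.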
-- 
2.12.1