From df5600dc012465f2f18a54aa451353f0fd9d5453 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 23 Mar 2017 17:49:27 -0400
Subject: [PATCH] Prevent churn on ccaches

We slice down the received cookie so that just the content that matter
is preserved. Thi is ok because servers can't trust anything else anyway
and will accept a cookie with the ancillary data missing.

By removing variable parts like the expiry component added by
mod_session or the Expiration or Max-Age metadata we keep only the part
of the cookie that changes only when a new session is generated.

This way when storing the cookie we actually add a new entry in the
ccache only when the session actually changes, and this prevents churn
on FILE based ccaches.

Related https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipalib/rpc.py | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index c1ceeec197c4a9c55f303f0fd431e86adb389598..5c49bd2456b7e564043a886c840fa2678060f9e3 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -38,6 +38,7 @@ import os
 import locale
 import base64
 import json
+import re
 import socket
 import gzip
 
@@ -737,6 +738,20 @@ class KerbTransport(SSLTransport):
             self.send_content(connection, request_body)
             return connection
 
+    # Find all occurrences of the expiry component
+    expiry_re = re.compile(r'.*?(&expiry=\d+).*?')
+
+    def _slice_session_cookie(self, session_cookie):
+        # Keep only the cookie value and strip away all other info.
+        # This is to reduce the churn on FILE ccaches which grow every time we
+        # set new data. The expiration time for the cookie is set in the
+        # encrypted data anyway and will be enforced by the server
+        http_cookie = session_cookie.http_cookie()
+        # We also remove the "expiry" part from the data which is not required
+        for exp in self.expiry_re.findall(http_cookie):
+            http_cookie = http_cookie.replace(exp, '')
+        return http_cookie
+
     def store_session_cookie(self, cookie_header):
         '''
         Given the contents of a Set-Cookie header scan the header and
@@ -787,7 +802,7 @@ class KerbTransport(SSLTransport):
         if session_cookie is None:
             return
 
-        cookie_string = str(session_cookie)
+        cookie_string = self._slice_session_cookie(session_cookie)
         root_logger.debug("storing cookie '%s' for principal %s", cookie_string, principal)
         try:
             update_persistent_client_session_data(principal, cookie_string)
-- 
2.12.1