Adding Sweeper to clean up expired tokens

2023-02-17 08:23:49 -05:00 · 2023-02-17 08:23:49 -05:00 · a128021328
commit a128021328
parent aad9b69b77
2 changed files with 103 additions and 0 deletions
--- a/roles/ipa/server/files/sweeper.py
+++ b/roles/ipa/server/files/sweeper.py
@ -0,0 +1,84 @@
 #!/usr/bin/env python3
 # Works with both python2 and python3; please preserve this property
 # Copyright (C) 2016 mod_auth_gssapi contributors - See COPYING for (C) terms
 # If one uses both sessions and unique ccache names, then the filesystem will
 # become littered with ccache files unless the accessed application cleans
 # them up itself.  This script will minimize ccache file proliferation by
 # removing any ccaches that have expired from the filesystem, and serves as an
 # example of how this cleaning can be performed.
 # gssproxy note: in order to sweep credentials, the sweeper needs to connect
 # to gssproxy as if it were mod_auth_gssapi.  In the configuration provided
 # with mod_auth_gssapi (80-httpd.conf), this just consists of matching the
 # gssproxy uid - so run it as the appropriate user (i.e., apache).  Custom
 # configurations require careful consideration of how to match the sweeper
 # connection to the correct service in gssproxy; this script is just an
 # example.  This script will not attempt to contact gssproxy unless -g is
 # passed.
 import argparse
 import os
 import stat
 import time
 # try importing this first to provide a more useful error message
 import gssapi
 del gssapi
 try:
    from gssapi.raw import acquire_cred_from
 except ImportError:
    print("Your GSSAPI does not provide cred store extension; exiting!")
    exit(1)
 # process file as a ccache and indicate whether it is expired
 def should_delete(fname, t):
    try:
        # skip directories and other non-files
        st = os.stat(fname)
        if not stat.S_ISREG(st.st_mode):
            return False
        # ignore files that are newer than 30 minutes
        if t - st.st_mtime < 30 * 60:
            return False
        creds = acquire_cred_from({b"ccache": fname.encode("UTF-8")})
    except FileNotFoundError:
        # someone else did the work for us
        return False
    except Exception as e:
        print("Not deleting %s due to error %s" % (fname, e))
        return False
    return creds.lifetime == 0
 if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Sweep expired ccaches")
    parser.add_argument("-g", dest="gssproxy", action="store_true",
                        help="is gssproxy in use (default: no)")
    parser.add_argument("dirs", nargs='+')
    args = parser.parse_args()
    if args.gssproxy:
        os.environ["GSS_USE_PROXY"] = "yes"
        os.environ["GSSPROXY_BEHAVIOR"] = "REMOTE_FIRST"
    print("System looks okay; running sweeper...")
    t = time.time()
    for basedir in args.dirs:
        os.chdir(basedir)
        print("Sweeping %s" % basedir)
        for fname in os.listdir(basedir):
            if should_delete(fname, t):
                os.unlink(fname)
    print("Sweeper finished successfully!")
    exit(0)
--- a/roles/ipa/server/tasks/main.yml
+++ b/roles/ipa/server/tasks/main.yml
@ -675,3 +675,22 @@
  tags:
  - ipa/server
  - config
 - name: Copy sweeper script to /usr/local/bin/
  copy:
    src: sweeper.py
    dest: /usr/local/bin/sweeper
    mode: 0755
  tags:
    - ipa/server
    - config
 - name: Set sweeper script on a cron schedule
  cron:
    name: "clean up mod_auth_gssapi tokens"
    hour: "3"
    user: root
    job: "python3 sweeper"
  tags:
    - ipa/server
    - config