Merge pull request #84 from altlinux/krb5cache_destroy

KRB5CCACHE destroy

gpoa/gpoa

@@ -27,7 +27,10 @@ from frontend.frontend_manager import frontend_manager, determine_username
 from plugin import plugin_manager
 
 from util.util import get_machine_name
-from util.kerberos import machine_kinit
+from util.kerberos import (
+      machine_kinit
+    , machine_kdestroy
+)
 from util.users import (
     is_root,
     get_process_user
@@ -73,7 +76,7 @@ class gpoa_controller:
             user = get_machine_name()
             self.is_machine = True
         set_loglevel(self.__args.loglevel)
-        self.__kinit_successful = machine_kinit()
+        self.cache_path = '/var/cache/gpupdate/creds/krb5cc_{}'.format(os.getpid())
 
         uname = get_process_user()
         uid = os.getuid()
@@ -88,9 +91,14 @@ class gpoa_controller:
         '''
         GPOA controller entry point
         '''
+        self.__kinit_successful = machine_kinit(self.cache_path)
+        if self.__kinit_successful:
+            os.environ['KRB5CCNAME'] = 'FILE:{}'.format(self.cache_path)
         self.start_plugins()
         self.start_backend()
         self.start_frontend()
+        if self.__kinit_successful:
+            machine_kdestroy()
 
     def start_backend(self):
         '''
@@ -133,6 +141,7 @@ def main():
     controller.run()
 
 if __name__ == "__main__":
+    default_handler = signal.getsignal(signal.SIGINT)
     signal.signal(signal.SIGINT, signal_handler)
     main()
 

gpoa/util/kerberos.py

@@ -16,6 +16,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+import os
 import logging
 import subprocess
 
@@ -23,15 +24,36 @@ from .util import get_machine_name
 from .logging import slogm
 
 
-def machine_kinit():
+def machine_kinit(cache_name=None):
     '''
     Perform kinit with machine credentials
     '''
     host = get_machine_name()
-    subprocess.call(['kinit', '-k', host])
+    kinit_cmd = ['kinit', '-k', host]
+    if cache_name:
+        kinit_cmd.extend(['-c', cache_name])
+    subprocess.call(kinit_cmd)
     return check_krb_ticket()
 
 
+def machine_kdestroy(cache_name=None):
+    '''
+    Perform kdestroy for machine credentials
+    '''
+    host = get_machine_name()
+    kdestroy_cmd = ['kdestroy']
+    if cache_name:
+        kdestroy_cmd.extend(['-c', cache_name])
+    subprocess.call(kdestroy_cmd)
+
+    if cache_name and os.path.exists(cache_name):
+        os.unlink(cache_name)
+    elif 'KRB5CCNAME' in os.environ:
+        path = os.environ['KRB5CCNAME'][5:]
+        if os.path.exists(path):
+            os.unlink(path)
+
+
 def check_krb_ticket():
     '''
     Check if Kerberos 5 ticket present

gpoa/util/signals.py

@@ -16,16 +16,20 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+
+import os
 import signal
-from sys import exit
 
 from .arguments import ExitCodeUpdater
-
-default_handler = signal.getsignal(signal.SIGINT)
+from .kerberos import machine_kdestroy
 
 def signal_handler(sig_number, frame):
+    print('Received signal, exiting gracefully')
     # Ignore extra signals
     signal.signal(sig_number, signal.SIG_IGN)
-    print('Received signal, exiting gracefully')
-    exit(ExitCodeUpdater.EXIT_SIGINT)
+
+    # Kerberos cache cleanup on interrupt
+    machine_kdestroy()
+
+    os._exit(ExitCodeUpdater.EXIT_SIGINT)
 

gpupdate.spec

@@ -41,7 +41,8 @@ cp -r gpoa \
 mkdir -p \
 	%buildroot%_bindir/ \
 	%buildroot%_sbindir/ \
-	%buildroot%_cachedir/%name/
+	%buildroot%_cachedir/%name/ \
+	%buildroot%_cachedir/%name/creds
 
 ln -s %python3_sitelibdir/gpoa/gpoa \
 	%buildroot%_sbindir/gpoa
@@ -84,7 +85,8 @@ install -Dm0644 doc/gpupdate.1 %buildroot/%_man1dir/gpupdate.1
 %dir %_sysconfdir/%name
 %config(noreplace) %_sysconfdir/%name/environment
 %config(noreplace) %_sysconfdir/pam.d/system-policy-%name
-%dir %_cachedir/%name
+%dir %attr(0700, root, root) %_cachedir/%name
+%dir %attr(0700, root, root) %_cachedir/%name/creds
 %exclude %python3_sitelibdir/gpoa/.pylintrc
 %exclude %python3_sitelibdir/gpoa/.prospector.yaml
 %exclude %python3_sitelibdir/gpoa/Makefile