Import Upstream version 4.12.4

2025-08-12 22:28:56 +02:00
parent 03a8170b15
commit 9181ee2487
1629 changed files with 874094 additions and 554378 deletions
--- a/install/tools/ipa-ccache-sweeper.in
+++ b/install/tools/ipa-ccache-sweeper.in
@@ -0,0 +1,75 @@
+#!/usr/bin/python3
+
+# Based heavily on
+# https://github.com/gssapi/mod_auth_gssapi/blob/master/contrib/sweeper.py
+
+# Copyright (C) 2016 mod_auth_gssapi contributors - See COPYING for (C) terms
+
+# If one uses both sessions and unique ccache names, then the filesystem will
+# become littered with ccache files unless the accessed application cleans
+# them up itself.  This script will minimize ccache file proliferation by
+# removing any ccaches that have expired from the filesystem, and serves as an
+# example of how this cleaning can be performed.
+
+import argparse
+import os
+import stat
+import sys
+import time
+
+from ipalib.krb_utils import get_credentials_if_valid
+from ipaplatform.paths import paths
+
+
+def should_delete(fname, t, minlife):
+    """Process file as a ccache and indicate whether it is expired"""
+    # skip directories and other non-files
+    st = os.stat(fname)
+    if not stat.S_ISREG(st.st_mode):
+        return False
+
+    # ignore files that are newer than minlife minutes
+    if t - st.st_mtime < minlife * 60:
+        return False
+
+    # gssproxy inquires input credentials. If they are expired
+    # then gssproxy acquires creds from cred_store according to
+    # the configuration of gssproxy's service, which in this case
+    # hasn't cred_store(besides `keytab:`, used for decryption of
+    # ccache). If there is no ccache within cred_store then gssproxy
+    # adds its own one("MEMORY:internal_%d"), which hasn't
+    # any credentials, thus, scan_ccache fails with KRB5_FCC_NOFILE.
+    # Since the caller requires INITIATE-ONLY and the client keytab
+    # is not provided in cred_store the result of gss_acquire_cred_from
+    # is KRB5_FCC_NOFILE, which is mapped by gssproxy to
+    # 0x04200000 + KRB5_FCC_NOFILE.
+    creds = get_credentials_if_valid(ccache_name=fname)
+    return creds is None
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description="Sweep expired ccaches")
+    parser.add_argument("-m", dest="minlife", type=int,
+                        help="ignore newer files than this (default: 30)",
+                        default=30)
+    args = parser.parse_args()
+
+    os.environ["GSS_USE_PROXY"] = "yes"
+    os.environ["GSSPROXY_BEHAVIOR"] = "REMOTE_ONLY"
+    os.environ["GSSPROXY_SOCKET"] = paths.IPA_CCACHE_SWEEPER_GSSPROXY_SOCK
+
+    print("Running sweeper...")
+
+    t = time.time()
+
+    os.chdir(paths.IPA_CCACHES)
+    for fname in os.listdir(paths.IPA_CCACHES):
+        try:
+            if should_delete(fname, t, args.minlife):
+                os.unlink(fname)
+        except FileNotFoundError:
+            # someone else did the work for us
+            pass
+
+    print("Sweeper finished successfully!")
+    sys.exit(0)