File: sweeper.py

libapache2-mod-auth-gssapi 1.6.4-3
#!/usr/bin/env python3
# Works with both python2 and python3; please preserve this property

# Copyright (C) 2016 mod_auth_gssapi contributors - See COPYING for (C) terms

# If one uses both sessions and unique ccache names, then the filesystem will
# become littered with ccache files unless the accessed application cleans
# them up itself.  This script will minimize ccache file proliferation by
# removing any ccaches that have expired from the filesystem, and serves as an
# example of how this cleaning can be performed.

# gssproxy note: in order to sweep credentials, the sweeper needs to connect
# to gssproxy as if it were mod_auth_gssapi.  In the configuration provided
# with mod_auth_gssapi (80-httpd.conf), this just consists of matching the
# gssproxy uid - so run it as the appropriate user (i.e., apache).  Custom
# configurations require careful consideration of how to match the sweeper
# connection to the correct service in gssproxy; this script is just an
# example.  This script will not attempt to contact gssproxy unless -g is
# passed.

import argparse
import os
import stat
import time

# Import the top-level package on its own first.  If python-gssapi is not
# installed at all, this fails with an ordinary ImportError naming "gssapi"
# rather than being caught by the handler below and misreported as a missing
# cred store extension.  The name is dropped again because only the raw
# binding imported below is used.
import gssapi
del gssapi
try:
    # Credential-store call used by should_delete() to open a ccache by path.
    from gssapi.raw import acquire_cred_from
except ImportError:
    # The package is present but lacks the cred store extension, so the
    # sweeper cannot inspect a ccache by path; exit with a non-zero status.
    print("Your GSSAPI does not provide cred store extension; exiting!")
    exit(1)


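def should_delete(fname, t):
    """Return True if *fname* is a ccache whose credentials have expired.

    fname -- path of the candidate file (the caller passes bare names
             relative to the current working directory)
    t     -- reference "now" as seconds since the epoch, compared with the
             file's mtime

    Returns False for anything that is not a regular file, for files
    modified within the last 30 minutes, for files that vanished in the
    meantime, and whenever the file cannot be examined or opened as a
    ccache (that last case is reported on stdout).  Never raises.
    """
    # Local import keeps this block self-contained; errno is needed because
    # FileNotFoundError does not exist on Python 2, which the file header
    # asks us to keep supporting.
    import errno

    try:
        # lstat, not stat: a symlink must not be judged by its target.  If
        # the swept directory is writable by anyone other than the service
        # account, following links would let that party make the sweeper
        # hand an arbitrary file to GSSAPI as a credential cache.  Symlinks,
        # directories, sockets and other non-regular entries are all skipped.
        # NOTE(review): the file is reopened by name below, so a swap after
        # this check is still possible; restrictive directory permissions
        # remain the real protection.
        st = os.lstat(fname)
        if not stat.S_ISREG(st.st_mode):
            return False

        # ignore files that are newer than 30 minutes
        if t - st.st_mtime < 30 * 60:
            return False

        creds = acquire_cred_from({b"ccache": fname.encode("UTF-8")})
    except OSError as e:
        if e.errno == errno.ENOENT:
            # someone else did the work for us
            return False
        print("Not deleting %s due to error %s" % (fname, e))
        return False
    except Exception as e:
        # Fail closed: anything we cannot parse as a ccache is left alone.
        print("Not deleting %s due to error %s" % (fname, e))
        return False

    # A remaining lifetime of zero means the credentials have expired.
    return creds.lifetime == 0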


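if __name__ == "__main__":
    # Command line: one or more directories to sweep, plus -g when the
    # ccaches are managed through gssproxy.
    parser = argparse.ArgumentParser(description="Sweep expired ccaches")
    parser.add_argument("-g", dest="gssproxy", action="store_true",
                        help="is gssproxy in use (default: no)")
    parser.add_argument("dirs", nargs='+')
    args = parser.parse_args()

    if args.gssproxy:
        # Set before the first GSSAPI call so the library talks to gssproxy.
        # gssproxy matches the connection by uid in the stock configuration,
        # so the script has to run as the web server's account for this to
        # reach the right service (see the note at the top of the file).
        os.environ["GSS_USE_PROXY"] = "yes"
        os.environ["GSSPROXY_BEHAVIOR"] = "REMOTE_FIRST"

    print("System looks okay; running sweeper...")

    # One timestamp for the whole run, so every file is judged against the
    # same "now".
    t = time.time()

    # Resolve every argument against the starting working directory before
    # the first chdir.  Otherwise a relative path is looked up again from
    # inside the directory just entered: listdir would inspect (or fail on)
    # a nested path of the same name, and a second relative argument would
    # be resolved under the first one.
    targets = [(d, os.path.abspath(d)) for d in args.dirs]

    for basedir, abs_basedir in targets:
        # should_delete() and unlink() are given bare file names, so the
        # process has to be inside the directory being swept.
        os.chdir(abs_basedir)
        print("Sweeping %s" % basedir)

        for fname in os.listdir(abs_basedir):
            if should_delete(fname, t):
                # unlink removes the directory entry itself and never
                # follows a symlink.
                os.unlink(fname)

    print("Sweeper finished successfully!")
    exit(0)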