On Mon, 25 May 2020, Peter Tselios via FreeIPA-users wrote:
Hello,
How do I perform a "session logout" in the API?
I am using Ansible's URI module and so far I have tried a few different options,
for example this:
- name: Logout from IdM API
  uri:
    url: "https://{{ ipa_master }}/ipa/session/json"
    headers:
      Content-type: "application/json"
      Accept: "application/json"
      Referer: "https://{{ ipa_master }}/ipa"
      Cookie: "{{ ipa_session }}"
    method: POST
    body_format: json
    body: |
      {
        "id": 0,
        "method": "session_logout/1",
        "params": [
          {
            "version": "{{ ipa_api_version | default('2.231') }}"
          }
        ]
      }
which gives me the following error:
message: 'Invalid JSON-RPC request: params must contain [args, options]'
You did not have arguments in the list of parameters, only a dict of
options.
[root@master ~]# ipa -vvv console
(Custom IPA interactive Python console)
api: IPA API object
pp: pretty printer
>>> api.Command.session_logout()
ipa: INFO: Request: {
    "id": 0,
    "method": "session_logout/1",
    "params": [
        [],
        {
            "version": "2.237"
        }
    ]
}
send: b'POST /ipa/session/json HTTP/1.1\r\nHost: master.ipa.test\r\nAccept-Encoding:
gzip\r\nAccept-Language: en-us\r\nReferer:
https://master.ipa.test/ipa/xml\r\nCookie:
ipa_session=MagBearerToken=fVUOtxZUFWDcuqtaxhXJrti%2fmwo956b2cFNVeKtA6iz8Eb0tVkM2qAl%2boMzqnC0EO%2bG3rxT6dMNXjfUEb5%2bUB8%2f%2bhRU2fddmyBn%2fuDnHgRGwTqcHC7Lh8HluiKiSbXf007rIZGNHxPVEthp3J1Awd4VF5rR2nsC23DrLAE5A8Iw%3d;\r\nAccept-Encoding:
gzip\r\nUser-Agent: Python-xmlrpc/3.8\r\nContent-Type: application/json\r\nContent-Length:
135\r\n\r\n'
send: b'{\n "id": 0,\n "method":
"session_logout/1",\n "params": [\n [],\n {\n
"version": "2.237"\n }\n ]\n}'
reply: 'HTTP/1.1 200 Success\r\n'
header: Date: Mon, 25 May 2020 14:50:58 GMT
header: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.8 Python/3.8
mod_auth_gssapi/1.6.1
header: Set-Cookie: ipa_session=;Max-Age=0;path=/ipa;httponly;secure;
header: X-Frame-Options: DENY
header: Content-Security-Policy: frame-ancestors 'none'
header: Cache-Control: no-cache, private
header: Vary: Accept-Encoding
header: Content-Encoding: gzip
header: Transfer-Encoding: chunked
header: Content-Type: application/json; charset=utf-8
body: b'{"result": {"result": null}, "error": null, "id": 0, "principal": "admin@IPA.TEST", "version": "4.9.0.dev202005250900+git"}'
ipa: INFO: Response: {
    "error": null,
    "id": 0,
    "principal": "admin@IPA.TEST",
    "result": {
        "result": null
    },
    "version": "4.9.0.dev202005250900+git"
}
{'result': None}
However, this is not really logging out because it only removes a
credentials cache stored on the server side, if any. The client still
needs to remove its own cookies. If it re-sends the cookies,
mod_auth_gssapi will reinstall the same session as if it had not been
removed:
>>> api.Command.ping()
ipa: INFO: Request: {
    "id": 0,
    "method": "ping/1",
    "params": [
        [],
        {
            "version": "2.237"
        }
    ]
}
send: b'POST /ipa/session/json HTTP/1.1\r\nHost: master.ipa.test\r\nAccept-Encoding:
gzip\r\nAccept-Language: en-us\r\nReferer:
https://master.ipa.test/ipa/xml\r\nCookie:
ipa_session=MagBearerToken=fVUOtxZUFWDcuqtaxhXJrti%2fmwo956b2cFNVeKtA6iz8Eb0tVkM2qAl%2boMzqnC0EO%2bG3rxT6dMNXjfUEb5%2bUB8%2f%2bhRU2fddmyBn%2fuDnHgRGwTqcHC7Lh8HluiKiSbXf007rIZGNHxPVEthp3J1Awd4VF5rR2nsC23DrLAE5A8Iw%3d;\r\nAccept-Encoding:
gzip\r\nUser-Agent: Python-xmlrpc/3.8\r\nContent-Type: application/json\r\nContent-Length:
125\r\n\r\n'
send: b'POST /ipa/session/json HTTP/1.1\r\nHost: master.ipa.test\r\nAccept-Encoding:
gzip\r\nAccept-Language: en-us\r\nReferer:
https://master.ipa.test/ipa/xml\r\nCookie:
ipa_session=MagBearerToken=fVUOtxZUFWDcuqtaxhXJrti%2fmwo956b2cFNVeKtA6iz8Eb0tVkM2qAl%2boMzqnC0EO%2bG3rxT6dMNXjfUEb5%2bUB8%2f%2bhRU2fddmyBn%2fuDnHgRGwTqcHC7Lh8HluiKiSbXf007rIZGNHxPVEthp3J1Awd4VF5rR2nsC23DrLAE5A8Iw%3d;\r\nAccept-Encoding:
gzip\r\nUser-Agent: Python-xmlrpc/3.8\r\nContent-Type: application/json\r\nContent-Length:
125\r\n\r\n'
send: b'{\n "id": 0,\n "method": "ping/1",\n
"params": [\n [],\n {\n "version":
"2.237"\n }\n ]\n}'
reply: 'HTTP/1.1 200 Success\r\n'
header: Date: Mon, 25 May 2020 14:52:17 GMT
header: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.8 Python/3.8
mod_auth_gssapi/1.6.1
header: X-Frame-Options: DENY
header: Content-Security-Policy: frame-ancestors 'none'
header: Cache-Control: no-cache, private
header: Vary: Accept-Encoding
header: Content-Encoding: gzip
header: Transfer-Encoding: chunked
header: Content-Type: application/json; charset=utf-8
body: b'{"result": {"summary": "IPA server version 4.9.0.dev202005250900+git. API version 2.237"}, "error": null, "id": 0, "principal": "admin@IPA.TEST", "version": "4.9.0.dev202005250900+git"}'
ipa: INFO: Response: {
    "error": null,
    "id": 0,
    "principal": "admin@IPA.TEST",
    "result": {
        "summary": "IPA server version 4.9.0.dev202005250900+git. API version 2.237"
    },
    "version": "4.9.0.dev202005250900+git"
}
{'summary': 'IPA server version 4.9.0.dev202005250900+git. API version 2.237'}
Only if you do an explicit disconnect from the client side will the
cookie be thrown away:
>>> api.Backend.rpcclient.disconnect()
>>> api.Command.ping()
Traceback (most recent call last):
File "<console>", line 1, in <module>
File "/usr/lib/python3.8/site-packages/ipalib/frontend.py", line 450, in
__call__
return self.__do_call(*args, **options)
File "/usr/lib/python3.8/site-packages/ipalib/frontend.py", line 478, in
__do_call
ret = self.run(*args, **options)
File "/usr/lib/python3.8/site-packages/ipalib/frontend.py", line 801, in run
return self.forward(*args, **options)
File "/usr/lib/python3.8/site-packages/ipalib/frontend.py", line 823, in
forward
return self.Backend.rpcclient.forward(self.forwarded_name,
File "/usr/lib/python3.8/site-packages/ipalib/rpc.py", line 1139, in forward
command = getattr(self.conn, name)
File "/usr/lib/python3.8/site-packages/ipalib/backend.py", line 104, in
__get_conn
raise AttributeError(
AttributeError: rpcclient is not connected (rpcclient_140385907720256 in MainThread)
So for your own 'client' in Ansible just forget the cookie. If you are
using the normal 'ipa' CLI tool or the Python bindings we provide, 'kdestroy'
is enough to remove the credential cache where a ticket and a cookie are
stored.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
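
The two points from this thread as an added example (not code from the original messages or from FreeIPA): the request body must carry params as [args, options], and the client must drop its own ipa_session cookie after session_logout. The names build_request, params_error and IpaSession are hypothetical, and the shape check only approximates the server-side validation.

```python
import json
from http.cookies import SimpleCookie

def build_request(method, args=(), options=None, api_version="2.237"):
    """Build a JSON-RPC body whose params are [args, options]."""
    opts = {"version": api_version, **(options or {})}
    return {"id": 0, "method": method, "params": [list(args), opts]}

def params_error(body):
    """Local approximation of the server's shape check (assumed logic)."""
    p = body.get("params")
    ok = (isinstance(p, list) and len(p) == 2
          and isinstance(p[0], list) and isinstance(p[1], dict))
    return None if ok else "params must contain [args, options]"

class IpaSession:
    """Client-side holder for the ipa_session cookie (hypothetical helper)."""
    def __init__(self, cookie_value):
        self.cookie = cookie_value

    def headers(self, host):
        h = {"Content-Type": "application/json", "Accept": "application/json",
             "Referer": f"https://{host}/ipa"}
        if self.cookie:  # once dropped, the cookie is never re-sent
            h["Cookie"] = f"ipa_session={self.cookie}"
        return h

    def absorb_set_cookie(self, header_value):
        """Apply a Set-Cookie header; empty value or Max-Age=0 drops the cookie."""
        jar = SimpleCookie()
        jar.load(header_value)
        morsel = jar.get("ipa_session")
        if morsel is not None:
            expired = morsel.value == "" or morsel["max-age"] == "0"
            self.cookie = None if expired else morsel.value

# Constructed sample data: the body shape from the question (args list
# missing) and the Set-Cookie header shown in the logout reply above.
BROKEN = {"id": 0, "method": "session_logout/1",
          "params": [{"version": "2.231"}]}
LOGOUT_SET_COOKIE = "ipa_session=;Max-Age=0;path=/ipa;httponly;secure;"
```

In an Ansible play the same effect comes from not passing the saved cookie variable to any later uri task once the logout call has returned.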