From 64937571fdf3534b89d8db9ccb8b5ac1abfb5a6d Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Aug 05 2024 07:34:17 +0000
Subject: Force a logout in KerberosSession if a login is needed


Remove the client side cookie if a user possesses an IPA session
cookie and the associated credentials can't be found on the
server.

This handles the case where the ccaches are removed for some reason
(maybe cleanup, maybe a container was restarted) and allows for
a successful SSO if the user's Kerberos ticket is still valid.

Without this change the user is always dropped into a the
username/password dialog. The only workaround is to remove
the cookie on the client side.

Fixes: https://pagure.io/freeipa/issue/9624

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

---

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 73e60e4..2e97d93 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -664,6 +664,10 @@ class KerberosSession(HTTP_Status):
         headers = []
         response = b''
 
+        logout_cookie = getattr(context, 'logout_cookie', None)
+        if logout_cookie is not None:
+            headers.append(('IPASESSION', logout_cookie))
+
         logger.debug('%s need login', status)
 
         start_response(status, headers)
@@ -689,6 +693,7 @@ class KerberosSession(HTTP_Status):
         creds = get_credentials_if_valid(name=gss_name,
                                          ccache_name=ccache_name)
         if not creds:
+            setattr(context, 'logout_cookie', 'MagBearerToken=')
             logger.debug(
                 'ccache expired or invalid, deleting session, need login')
             return None