Hello, How do I perform a "session logout" in the API? I am using Ansible's URI module and so far I tried a few different options, like for example this:
- name: Logout from IdM API
  uri:
    url: "https://{{ ipa_master }}/ipa/session/json"
    headers:
      Content-type: "application/json"
      Accept: "application/json"
      Referer: "https://{{ ipa_master }}/ipa"
      Cookie: "{{ ipa_session }}"
    method: POST
    body_format: json
    body: |
      {
        "id": 0,
        "method": "session_logout/1",
        "params": [
          {
            "version": "{{ ipa_api_version | default('2.231') }}"
          }
        ]
      }
which gives me the following error:
message: 'Invalid JSON-RPC request: params must contain [args, options]'
I also tried to simply visit the /ipa/session/session_logout, or the /ipa/session_logout. Both options gave me a 404.
So, how do I "logout"?
On Mon, 25 May 2020, Peter Tselios via FreeIPA-users wrote:
Hello, How do I perform a "session logout" in the API? I am using Ansible's URI module and so far I tried a few different options, like for example this:
- name: Logout from IdM API
  uri:
    url: "https://{{ ipa_master }}/ipa/session/json"
    headers:
      Content-type: "application/json"
      Accept: "application/json"
      Referer: "https://{{ ipa_master }}/ipa"
      Cookie: "{{ ipa_session }}"
    method: POST
    body_format: json
    body: |
      {
        "id": 0,
        "method": "session_logout/1",
        "params": [
          {
            "version": "{{ ipa_api_version | default('2.231') }}"
          }
        ]
      }
which gives me the following error:
message: 'Invalid JSON-RPC request: params must contain [args, options]'
You did not have arguments in the list of parameters, only a dict of options.
[root@master ~]# ipa -vvv console
(Custom IPA interactive Python console)
    api: IPA API object
    pp: pretty printer
api.Command.session_logout()
ipa: INFO: Request: {
    "id": 0,
    "method": "session_logout/1",
    "params": [
        [],
        {
            "version": "2.237"
        }
    ]
}
send: b'POST /ipa/session/json HTTP/1.1\r\nHost: master.ipa.test\r\nAccept-Encoding: gzip\r\nAccept-Language: en-us\r\nReferer: https://master.ipa.test/ipa/xml\r\nCookie: ipa_session=MagBearerToken=fVUOtxZUFWDcuqtaxhXJrti%2fmwo956b2cFNVeKtA6iz8Eb0tVkM2qAl%2boMzqnC0EO%2bG3rxT6dMNXjfUEb5%2bUB8%2f%2bhRU2fddmyBn%2fuDnHgRGwTqcHC7Lh8HluiKiSbXf007rIZGNHxPVEthp3J1Awd4VF5rR2nsC23DrLAE5A8Iw%3d;\r\nAccept-Encoding: gzip\r\nUser-Agent: Python-xmlrpc/3.8\r\nContent-Type: application/json\r\nContent-Length: 135\r\n\r\n'
send: b'{\n "id": 0,\n "method": "session_logout/1",\n "params": [\n [],\n {\n "version": "2.237"\n }\n ]\n}'
reply: 'HTTP/1.1 200 Success\r\n'
header: Date: Mon, 25 May 2020 14:50:58 GMT
header: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.8 Python/3.8 mod_auth_gssapi/1.6.1
header: Set-Cookie: ipa_session=;Max-Age=0;path=/ipa;httponly;secure;
header: X-Frame-Options: DENY
header: Content-Security-Policy: frame-ancestors 'none'
header: Cache-Control: no-cache, private
header: Vary: Accept-Encoding
header: Content-Encoding: gzip
header: Transfer-Encoding: chunked
header: Content-Type: application/json; charset=utf-8
body: b'{"result": {"result": null}, "error": null, "id": 0, "principal": "admin@IPA.TEST", "version": "4.9.0.dev202005250900+git"}'
ipa: INFO: Response: {
    "error": null,
    "id": 0,
    "principal": "admin@IPA.TEST",
    "result": {
        "result": null
    },
    "version": "4.9.0.dev202005250900+git"
}
{'result': None}
However, this is not really logging out because it only removes a credentials cache stored on the server side, if any. The client still needs to remove its own cookies. If it keeps re-sending the cookies, mod_auth_gssapi will reinstall the same session as if it had not been removed:
api.Command.ping()
ipa: INFO: Request: {
    "id": 0,
    "method": "ping/1",
    "params": [
        [],
        {
            "version": "2.237"
        }
    ]
}
send: b'POST /ipa/session/json HTTP/1.1\r\nHost: master.ipa.test\r\nAccept-Encoding: gzip\r\nAccept-Language: en-us\r\nReferer: https://master.ipa.test/ipa/xml\r\nCookie: ipa_session=MagBearerToken=fVUOtxZUFWDcuqtaxhXJrti%2fmwo956b2cFNVeKtA6iz8Eb0tVkM2qAl%2boMzqnC0EO%2bG3rxT6dMNXjfUEb5%2bUB8%2f%2bhRU2fddmyBn%2fuDnHgRGwTqcHC7Lh8HluiKiSbXf007rIZGNHxPVEthp3J1Awd4VF5rR2nsC23DrLAE5A8Iw%3d;\r\nAccept-Encoding: gzip\r\nUser-Agent: Python-xmlrpc/3.8\r\nContent-Type: application/json\r\nContent-Length: 125\r\n\r\n'
send: b'POST /ipa/session/json HTTP/1.1\r\nHost: master.ipa.test\r\nAccept-Encoding: gzip\r\nAccept-Language: en-us\r\nReferer: https://master.ipa.test/ipa/xml\r\nCookie: ipa_session=MagBearerToken=fVUOtxZUFWDcuqtaxhXJrti%2fmwo956b2cFNVeKtA6iz8Eb0tVkM2qAl%2boMzqnC0EO%2bG3rxT6dMNXjfUEb5%2bUB8%2f%2bhRU2fddmyBn%2fuDnHgRGwTqcHC7Lh8HluiKiSbXf007rIZGNHxPVEthp3J1Awd4VF5rR2nsC23DrLAE5A8Iw%3d;\r\nAccept-Encoding: gzip\r\nUser-Agent: Python-xmlrpc/3.8\r\nContent-Type: application/json\r\nContent-Length: 125\r\n\r\n'
send: b'{\n "id": 0,\n "method": "ping/1",\n "params": [\n [],\n {\n "version": "2.237"\n }\n ]\n}'
reply: 'HTTP/1.1 200 Success\r\n'
header: Date: Mon, 25 May 2020 14:52:17 GMT
header: Server: Apache/2.4.43 (Fedora) OpenSSL/1.1.1g mod_wsgi/4.6.8 Python/3.8 mod_auth_gssapi/1.6.1
header: X-Frame-Options: DENY
header: Content-Security-Policy: frame-ancestors 'none'
header: Cache-Control: no-cache, private
header: Vary: Accept-Encoding
header: Content-Encoding: gzip
header: Transfer-Encoding: chunked
header: Content-Type: application/json; charset=utf-8
body: b'{"result": {"summary": "IPA server version 4.9.0.dev202005250900+git. API version 2.237"}, "error": null, "id": 0, "principal": "admin@IPA.TEST", "version": "4.9.0.dev202005250900+git"}'
ipa: INFO: Response: {
    "error": null,
    "id": 0,
    "principal": "admin@IPA.TEST",
    "result": {
        "summary": "IPA server version 4.9.0.dev202005250900+git. API version 2.237"
    },
    "version": "4.9.0.dev202005250900+git"
}
{'summary': 'IPA server version 4.9.0.dev202005250900+git. API version 2.237'}
Only if you do an explicit disconnect from the client side will the cookie be thrown away:
api.Backend.rpcclient.disconnect()
api.Command.ping()
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/usr/lib/python3.8/site-packages/ipalib/frontend.py", line 450, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python3.8/site-packages/ipalib/frontend.py", line 478, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.8/site-packages/ipalib/frontend.py", line 801, in run
    return self.forward(*args, **options)
  File "/usr/lib/python3.8/site-packages/ipalib/frontend.py", line 823, in forward
    return self.Backend.rpcclient.forward(self.forwarded_name,
  File "/usr/lib/python3.8/site-packages/ipalib/rpc.py", line 1139, in forward
    command = getattr(self.conn, name)
  File "/usr/lib/python3.8/site-packages/ipalib/backend.py", line 104, in __get_conn
    raise AttributeError(
AttributeError: rpcclient is not connected (rpcclient_140385907720256 in MainThread)
So for your own 'client' in Ansible just forget the cookie. If you are using the normal 'ipa' CLI tool or the Python bindings we provide, 'kdestroy' is enough to remove the credential cache where a ticket and a cookie are stored.
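
An added Python example (not from the thread and not FreeIPA's code) of the reply's two points: the params list must be [args, options], and a logout is only finished once the client drops its own cookie. The function and class names are hypothetical, check_params is a local approximation of the check behind the quoted error, and the cookie value is a placeholder.

```python
def build_request(method, args=(), options=None, api_version="2.237"):
    """Body for POST /ipa/session/json: params is always [args, options]."""
    opts = {"version": api_version, **(options or {})}
    return {"id": 0, "method": method, "params": [list(args), opts]}

def check_params(request):
    """Local pre-flight check for the shape named in the quoted error."""
    params = request.get("params")
    ok = (isinstance(params, list) and len(params) == 2
          and isinstance(params[0], list) and isinstance(params[1], dict))
    return None if ok else "params must contain [args, options]"

def cookie_cleared(set_cookie, name="ipa_session"):
    """True if a Set-Cookie header empties or expires the named cookie."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    if not parts:
        return False
    key, _, value = parts[0].partition("=")
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in parts[1:])}
    return key == name and (value == "" or attrs.get("max-age") == "0")

class IpaSession:
    """Client-side state, playing the role of the play's ipa_session variable."""
    def __init__(self, cookie):
        self.cookie = cookie

    def headers(self):
        hdrs = {"Content-Type": "application/json", "Accept": "application/json"}
        if self.cookie:
            hdrs["Cookie"] = self.cookie
        return hdrs

    def finish_logout(self, set_cookie):
        """Forget the cookie whatever the server said; report if it cleared it."""
        cleared = cookie_cleared(set_cookie or "")
        self.cookie = None  # a cookie that is re-sent would be accepted again
        return cleared

# Constructed inputs: the broken body from the question, and the Set-Cookie
# header shown in the session_logout reply above.
BROKEN = {"id": 0, "method": "session_logout/1", "params": [{"version": "2.231"}]}
SET_COOKIE = "ipa_session=;Max-Age=0;path=/ipa;httponly;secure;"

if __name__ == "__main__":
    print(check_params(BROKEN), check_params(build_request("session_logout/1")))
    session = IpaSession("ipa_session=MagBearerToken=PLACEHOLDER")
    print(session.finish_logout(SET_COOKIE), session.headers())
```

In the Ansible task the same correction is an empty list placed before the options dict in "params", followed by no longer sending the stored ipa_session value.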