Adapt and document sweeper.py for gssproxy

.travis.sh

@@ -11,7 +11,7 @@ if [ -f /etc/debian_version ]; then
             $PYTHON{,-dev,-requests} lib{socket,nss}-wrapper \
             flex bison krb5-{kdc,admin-server,pkinit}
 
-    apt-get -y install $PYTHON-requests-gssapi || true
+    apt-get -y install $PYTHON-requests-gssapi 2>/dev/null || true
 
     flake8
 elif [ -f /etc/redhat-release ]; then
@@ -28,7 +28,7 @@ elif [ -f /etc/redhat-release ]; then
         autoconf automake libtool which bison make $PYTHON \
         flex mod_session redhat-rpm-config /usr/bin/virtualenv
 
-    $DY -y install python-requests-gssapi || true
+    $DY -y install python-requests-gssapi 2>/dev/null || true
 else
     echo "Distro not found!"
     false

README

@@ -245,7 +245,8 @@ suffix.
 
 **Note:** Consuming application must delete the ccache otherwise it will
 litter the filesystem if sessions are used.  An example sweeper can be found
-in the contrib directory.
+in the contrib directory.  If using with gssproxy, see note at the top of that
+file.
 
 #### Example
     GssapiDelegCcacheUnique On

contrib/sweeper.py

@@ -9,9 +9,18 @@
 # removing any ccaches that have expired from the filesystem, and serves as an
 # example of how this cleaning can be performed.
 
+# gssproxy note: in order to sweep credentials, the sweeper needs to connect
+# to gssproxy as if it were mod_auth_gssapi.  In the configuration provided
+# with mod_auth_gssapi (80-httpd.conf), this just consists of matching the
+# gssproxy uid - so run it as the appropriate user (i.e., apache).  Custom
+# configurations require careful consideration of how to match the sweeper
+# connection to the correct service in gssproxy; this script is just an
+# example.  This script will not attempt to contact gssproxy unless -g is
+# passed.
+
+import argparse
 import os
 import stat
-import sys
 import time
 
 # try importing this first to provide a more useful error message
@@ -48,16 +57,21 @@ def should_delete(fname, t):
 
 
 if __name__ == "__main__":
-    dirs = sys.argv[1:]
-    if len(dirs) < 1:
-        print("Usage: %s dir1 [dir2...]" % sys.argv[0])
-        exit(1)
+    parser = argparse.ArgumentParser(description="Sweep expired ccaches")
+    parser.add_argument("-g", dest="gssproxy", action="store_true",
+                        help="is gssproxy in use (default: no)")
+    parser.add_argument("dirs", nargs='+')
+    args = parser.parse_args()
+
+    if args.gssproxy:
+        os.environ["GSS_USE_PROXY"] = "yes"
+        os.environ["GSSPROXY_BEHAVIOR"] = "REMOTE_FIRST"
 
     print("System looks okay; running sweeper...")
 
     t = time.time()
 
-    for basedir in dirs:
+    for basedir in args.dirs:
         os.chdir(basedir)
         print("Sweeping %s" % basedir)