From 7509b157e9c02ed05c0c3454b6d829402aca8fdb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=BCrn=20Brodersen?=
Date: Thu, 25 Jul 2019 21:53:49 +0200
Subject: Lock auth
diff --git a/management/univention-management-console/univention-management-console-web-server b/management/univention-management-console/univention-management-console-web-server
index f3b25c92f3..9670dad339 100755
--- a/management/univention-management-console/univention-management-console-web-server
+++ b/management/univention-management-console/univention-management-console-web-server
@@ -616,6 +616,8 @@ class Ressource(object):
 # we must not change the session ID cookie as this might cause
 # race conditions in the frontend during login, especially when logged in via SAML
 return self.get_session_id()
+ CORE.process('new_sID')
+ CORE.process(str(traceback.format_stack()))
 if random:
 return str(uuid.uuid4())
 return sessionidhash()
@@ -699,6 +701,10 @@ class Ressource(object):
 class CPgeneric(Ressource):
+ def __init__(self):
+ self._auth_lock = threading.Lock()
+ super(CPgeneric, self).__init__()
+
 def get_request(self, path, args):
 return Request(['generic'], opts={})
@@ -740,7 +746,10 @@ class CPgeneric(Ressource):
 def default(self, *path, **kwargs):
 self._log('info', 'got new request')
 self.check_saml_session_validity()
- return self.get_response(self.create_sessionid(), path, self.get_arguments(kwargs))
+ with self._auth_lock:
+ sessionid = self.get_session_id()
+ self.ensure_auth(sessionid)
+ return self.get_response(sessionid, path, self.get_arguments(kwargs))
 def get_arguments(self, kwargs):
 if cherrypy.request.headers.get('Content-Type', '').startswith('application/json'): # normal (json) request
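Review bot: The two `CORE.process(...)` calls added before `if random:` look like debugging leftovers. `CORE.process(str(traceback.format_stack()))` formats and logs a full stack trace at process level whenever this path generates a new session ID, which floods the log on a busy server and buries genuine authentication events. The same applies to `CORE.process('ensure_auth')` and `CORE.process('auth')` in the `-760` hunk; I would drop all four before merging. The enclosing method starts above the hunk, and no `traceback` import is visible in this diff, so confirm the module already has one.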
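Review bot: `self._auth_lock` is one `threading.Lock()` per `CPgeneric` instance, so if a single resource object serves all requests (likely for a mounted handler, but not visible here) every session is serialised behind the same lock. The `-740` hunk holds it across `ensure_auth()`, which performs the AUTH round trip, so one slow or hanging authentication would stall all other requests, an availability risk on a login endpoint. Consider keeping one lock per session ID instead. Also add a comment on the attribute saying what it protects, e.g. `# guards the check-then-AUTH sequence in ensure_auth()`. No `threading` import is visible in this diff.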
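Review bot: `default()` now takes the ID from `self.get_session_id()` instead of `self.create_sessionid()`, so a request that arrives without a session cookie no longer gets a fresh ID here. If `get_session_id()` returns `None` in that case (its body is not in this diff), `ensure_auth(None)` and `get_response(None, ...)` could leave all cookie-less clients sharing the `UMCP_Dispatcher.sessions` entry keyed by `None`. Either keep the old call inside the lock, `sessionid = self.create_sessionid()`, or reject a missing ID explicitly before `ensure_auth`. Indentation is lost in this rendering, so also confirm that the final `return self.get_response(...)` sits outside the `with` block as intended.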
@@ -760,22 +769,24 @@ class CPgeneric(Ressource):
 args['flavor'] = kwargs['flavor']
 return args
- def get_response(self, sessionid, path, args):
- # create new UMCP request
- req = self.get_request('/'.join(path), args)
-
+ def ensure_auth(self, sessionid):
 user = self.get_user()
+ CORE.process('ensure_auth')
 client = UMCP_Dispatcher.sessions.get(sessionid)
 if user and (user.password or user.saml) and (not client or client and (not client._auth_response or client._auth_response.status != 200)):
 auth = Request('AUTH')
 auth.body = {'username': user.username, 'password': user.saml.message if user.saml else user.password, 'auth_type': "SAML" if user.saml else None}
 try:
+ CORE.process('auth')
 self.make_queue_request(sessionid, auth)
 self.set_session(sessionid, user.username, password=user.password)
 except UMC_HTTPError:
 self.expire_session()
 raise
+ def get_response(self, sessionid, path, args):
+ # create new UMCP request
+ req = self.get_request('/'.join(path), args)
 response = self.make_queue_request(sessionid, req)
 body = response.body
 if response.mimetype == 'application/json':
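Review bot: `get_response()` no longer performs the AUTH step itself, so any caller other than `default()` now reaches `make_queue_request(sessionid, req)` without `ensure_auth()` having run; callers outside this diff should be checked. `ensure_auth()` also relies on the caller holding `self._auth_lock`, which nothing in the method states. I would give it a docstring such as `"""Send AUTH for this session unless it already has a successful auth response; call with self._auth_lock held."""`. `get_response()` should likewise carry a comment that it assumes the session is already authenticated. `get_response()` continues below the hunk.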