[Kimchi-devel] [PATCH V2 1/2] auth enhancement: expire the session when the request access periodically

Aline Manera alinefm at linux.vnet.ibm.com
Tue Mar 4 18:38:09 UTC 2014


On 03/04/2014 06:45 AM, shaohef at linux.vnet.ibm.com wrote:
> From: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
>
> Now the UI will access the vms and host periodically.
> That will never make the session expire.
> This patch fixes this problem.
> Now the UI can set the "Kimchi-Robot" header when it wants to access the vms
> and host periodically.
> If all requests carry the "Kimchi-Robot" header for a long time, kimchi
> will expire the session.
>
> Signed-off-by: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
> ---
>   src/kimchi/auth.py | 13 +++++++++++++
>   1 file changed, 13 insertions(+)
>
> diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
> index f8ccea1..8a07e05 100644
> --- a/src/kimchi/auth.py
> +++ b/src/kimchi/auth.py
> @@ -22,6 +22,7 @@ import cherrypy
>   import grp
>   import PAM
>   import re
> +import time
>
>
>   from kimchi import template
> @@ -32,6 +33,7 @@ from kimchi.utils import run_command
>   USER_ID = 'userid'
>   USER_GROUPS = 'groups'
>   USER_SUDO = 'sudo'
> +REFRESH = 'robot-refresh'
>
>
>   def debug(msg):
> @@ -131,6 +133,15 @@ def check_auth_session():
>       cherrypy.session.release_lock()
>       if session is not None:
>           debug("Session authenticated for user %s" % session)
> +        kimchiRobot = cherrypy.request.headers.get('Kimchi-Robot')
> +        if kimchiRobot and kimchiRobot.startswith("kimchi-robot"):
> +            if (time.time() - cherrypy.session[REFRESH] >
> +               cherrypy.session.timeout * 60):
> +                cherrypy.session[USER_ID] = None
> +                cherrypy.lib.sessions.expire()

> +                raise cherrypy.HTTPError(403)

You should use 401 to ask the user to log in again. 403 is used when the user
is logged in but does not have enough permissions to perform an operation.

401 Unauthorized
The request requires user authentication.

403 Forbidden
The server understood the request, but is refusing to fulfill it.

> +        else:
> +            cherrypy.session[REFRESH] = time.time()
>           return True
>
>       debug("Session not found")
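Review bot: the new lines in check_auth_session() write to the session after `cherrypy.session.release_lock()` has already run (it is called just above the `if session is not None:` check), so `cherrypy.session[USER_ID] = None` and `cherrypy.session[REFRESH] = time.time()` are performed without the lock that login() and logout() take around their own writes; either move the release below the new block or re-acquire the lock around those two writes. `cherrypy.session[REFRESH]` is also a plain index, so a session created before this change (no REFRESH key yet) raises KeyError on its first robot request; `cherrypy.session.get(REFRESH, 0)` would expire it cleanly instead. Note as well that the check only runs when the `Kimchi-Robot` header is present and every other request resets the timer, so this bounds the lifetime of the UI's own polling, not of an arbitrary client that simply omits the header; that is fine for the stated goal but worth a comment next to the check.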
> @@ -172,6 +183,7 @@ def login(userid, password):
>       cherrypy.session[USER_ID] = userid
>       cherrypy.session[USER_GROUPS] = user.get_groups()
>       cherrypy.session[USER_SUDO] = user.has_sudo()
> +    cherrypy.session[REFRESH] = time.time()
>       cherrypy.session.release_lock()
>       return user.get_user()
>
> @@ -179,6 +191,7 @@ def login(userid, password):
>   def logout():
>       cherrypy.session.acquire_lock()
>       cherrypy.session[USER_ID] = None
> +    cherrypy.session[REFRESH] = 0
>       cherrypy.session.release_lock()
>       cherrypy.lib.sessions.expire()
>
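The idle-timeout logic the patch introduces, with the reviewer's 401 instead of 403 and with the session writes kept inside the check, as a self-contained added example. This is not Kimchi's code: the `AuthRequired` exception, the `simulate()` driver, the dict standing in for `cherrypy.session`, and the constructed poll traffic are all assumptions made here so the behaviour can be exercised without CherryPy.

```python
import time

USER_ID = 'userid'
REFRESH = 'robot-refresh'        # timestamp of the last non-robot request
ROBOT_HEADER = 'Kimchi-Robot'    # header the UI sets on its periodic polls


class AuthRequired(Exception):
    """Signals that the client must authenticate again (HTTP 401)."""
    status = 401


def is_robot_request(headers):
    # Same test as the patch: header present and prefixed with 'kimchi-robot'.
    return headers.get(ROBOT_HEADER, '').startswith('kimchi-robot')


def login(session, userid, now):
    # A plain dict stands in for cherrypy.session (assumption of this example).
    session[USER_ID] = userid
    session[REFRESH] = now


def logout(session):
    session.clear()


def check_auth_session(session, headers, timeout_minutes, now):
    """Return True for a live session, raise AuthRequired otherwise.

    Robot polls never count as user activity; they only check whether the
    last real request is older than the session timeout.  Any request that
    omits the header does count as activity, so this bounds the UI's own
    polling, not a client that simply drops the header.
    """
    if session.get(USER_ID) is None:
        raise AuthRequired()
    if is_robot_request(headers):
        # .get() with a default avoids a KeyError on sessions that predate REFRESH.
        last_activity = session.get(REFRESH, 0)
        if now - last_activity > timeout_minutes * 60:
            logout(session)
            raise AuthRequired()
    else:
        session[REFRESH] = now
    return True


def simulate(events, timeout_minutes=10):
    """Drive a fresh session through (time, headers) events.

    The first event's time is taken as the login time.  Returns one entry per
    event: 'ok' or the HTTP status that would be sent back.
    """
    session = {}
    login(session, 'admin', events[0][0])
    outcomes = []
    for now, headers in events:
        try:
            check_auth_session(session, headers, timeout_minutes, now)
            outcomes.append('ok')
        except AuthRequired as err:
            outcomes.append(err.status)
    return outcomes


ROBOT = {ROBOT_HEADER: 'kimchi-robot'}
HUMAN = {}

# Constructed traffic: the UI polls every 5 minutes after a login at t=0.
POLL_ONLY = [(t, ROBOT) for t in range(0, 1201, 300)]
# Same polls, plus one real user request at t=500 that resets the idle timer.
WITH_CLICK = sorted(POLL_ONLY + [(500, HUMAN)], key=lambda e: e[0])

if __name__ == '__main__':
    print(simulate(POLL_ONLY))    # polls after the 10-minute mark get 401
    print(simulate(WITH_CLICK))   # the click at t=500 keeps polls alive until t=1200
```

With a 10-minute timeout the poll-only session answers 401 from the fourth poll (t=900) onwards, while a single real request at t=500 pushes the cutoff out to t=1200; any request without the header has the same effect, which is the caveat a reviewer should keep in mind.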