[Kimchi-devel] [PATCH V3 2/3] auth enhancement: expire the session when the request access periodically

shaohef at linux.vnet.ibm.com shaohef at linux.vnet.ibm.com
Wed Mar 5 00:52:38 UTC 2014 

From: ShaoHe Feng <shaohef at linux.vnet.ibm.com>

Now UI will access the vms and host periodically.
That will never make the session expire.
This patch fix this problem.
Now the UI can set "Kimchi-Robot" header when it wants to access the vms
and host periodically.
If the all requests with "Kimchi-Robot" header access for a long time, kimchi
will expire the session.

Signed-off-by: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
---
 src/kimchi/auth.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
index af3b610..b042d73 100644
--- a/src/kimchi/auth.py
+++ b/src/kimchi/auth.py
@@ -22,6 +22,7 @@ import cherrypy
 import grp
 import PAM
 import re
+import time
 
 
 from kimchi import template
@@ -32,6 +33,7 @@ from kimchi.utils import run_command
 USER_ID = 'userid'
 USER_GROUPS = 'groups'
 USER_SUDO = 'sudo'
+REFRESH = 'robot-refresh'
 
 
 def debug(msg):
@@ -131,6 +133,15 @@ def check_auth_session():
     cherrypy.session.release_lock()
     if session is not None:
         debug("Session authenticated for user %s" % session)
+        kimchiRobot = cherrypy.request.headers.get('Kimchi-Robot')
+        if kimchiRobot == "kimchi-robot":
+            if (time.time() - cherrypy.session[REFRESH] >
+               cherrypy.session.timeout * 60):
+                cherrypy.session[USER_ID] = None
+                cherrypy.lib.sessions.expire()
+                raise cherrypy.HTTPError(401)
+        else:
+            cherrypy.session[REFRESH] = time.time()
         return True
 
     debug("Session not found")
@@ -172,6 +183,7 @@ def login(userid, password):
     cherrypy.session[USER_ID] = userid
     cherrypy.session[USER_GROUPS] = user.get_groups()
     cherrypy.session[USER_SUDO] = user.has_sudo()
+    cherrypy.session[REFRESH] = time.time()
     cherrypy.session.release_lock()
     return user.get_user()
 
@@ -179,6 +191,7 @@ def login(userid, password):
 def logout():
     cherrypy.session.acquire_lock()
     cherrypy.session[USER_ID] = None
+    cherrypy.session[REFRESH] = 0
     cherrypy.session.release_lock()
     cherrypy.lib.sessions.expire()
 
-- 
1.8.4.2

More information about the Kimchi-devel mailing list