
On 03/04/2014 06:45 AM, shaohef@linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
Now the UI accesses the vms and host periodically. That means the session will never expire. This patch fixes this problem. Now the UI can set the "Kimchi-Robot" header when it accesses the vms and host periodically. If all requests have carried the "Kimchi-Robot" header for a long time, kimchi will expire the session.
Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
---
 src/kimchi/auth.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py
index f8ccea1..8a07e05 100644
--- a/src/kimchi/auth.py
+++ b/src/kimchi/auth.py
@@ -22,6 +22,7 @@
 import cherrypy
 import grp
 import PAM
 import re
+import time
from kimchi import template
@@ -32,6 +33,7 @@ from kimchi.utils import run_command
 USER_ID = 'userid'
 USER_GROUPS = 'groups'
 USER_SUDO = 'sudo'
+REFRESH = 'robot-refresh'
def debug(msg):
@@ -131,6 +133,15 @@ def check_auth_session():
 cherrypy.session.release_lock()
 if session is not None:
 debug("Session authenticated for user %s" % session)
+ kimchiRobot = cherrypy.request.headers.get('Kimchi-Robot')
+ if kimchiRobot and kimchiRobot.startswith("kimchi-robot"):
+ if (time.time() - cherrypy.session[REFRESH] >
+ cherrypy.session.timeout * 60):
+ cherrypy.session[USER_ID] = None
+ cherrypy.lib.sessions.expire()
+ raise cherrypy.HTTPError(403)
You should use 401 to ask the user to log in again. 403 is used when the user is logged in but does not have enough permissions to perform an operation. 401 Unauthorized: the request requires user authentication. 403 Forbidden: the server understood the request, but is refusing to fulfill it.
+ else:
+ cherrypy.session[REFRESH] = time.time()
 return True
debug("Session not found")
@@ -172,6 +183,7 @@ def login(userid, password):
 cherrypy.session[USER_ID] = userid
 cherrypy.session[USER_GROUPS] = user.get_groups()
 cherrypy.session[USER_SUDO] = user.has_sudo()
+ cherrypy.session[REFRESH] = time.time()
 cherrypy.session.release_lock()
 return user.get_user()
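Review bot: The new branch reads and writes `cherrypy.session[REFRESH]` and clears `USER_ID` after the `cherrypy.session.release_lock()` that is the hunk's first context line, so these session keys are mutated without the lock that `login()` and `logout()` hold for the same keys in the two later hunks. Re-acquiring the lock around the robot check, with `try`/`finally` so the expiry path also releases it, and expiring the cookie only after the release (the order `logout()` uses) keeps the three writers consistent. `cherrypy.session[REFRESH]` also raises `KeyError` for a session created before this patch is deployed, since such a session has no `REFRESH` key; `cherrypy.session.get(REFRESH, 0)` instead expires that session on its next robot request. The expiry only fires on requests the client itself labels with `Kimchi-Robot`, so it is a cooperative idle timeout rather than one the server enforces on every request, and a comment saying so above the check would help the next reader. `check_auth_session()` starts above the hunk.
```python
    if session is not None:
        debug("Session authenticated for user %s" % session)
        kimchiRobot = cherrypy.request.headers.get('Kimchi-Robot')
        # Cooperative idle expiry: only requests the client marks with
        # Kimchi-Robot are checked; any other request refreshes the stamp.
        cherrypy.session.acquire_lock()
        try:
            if kimchiRobot and kimchiRobot.startswith("kimchi-robot"):
                expired = (time.time() - cherrypy.session.get(REFRESH, 0) >
                           cherrypy.session.timeout * 60)
                if expired:
                    cherrypy.session[USER_ID] = None
            else:
                expired = False
                cherrypy.session[REFRESH] = time.time()
        finally:
            cherrypy.session.release_lock()
        if expired:
            # Same order as logout(): release the lock before expiring.
            cherrypy.lib.sessions.expire()
            raise cherrypy.HTTPError(403)
        return True
    # … unchanged: "Session not found" path …
```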
@@ -179,6 +191,7 @@ def login(userid, password):
 def logout():
 cherrypy.session.acquire_lock()
 cherrypy.session[USER_ID] = None
+ cherrypy.session[REFRESH] = 0
 cherrypy.session.release_lock()
 cherrypy.lib.sessions.expire()