[PATCH V3 0/4] let session expire when requests access periodically

From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>

V3 -> V4
update test case

V2 -> V3
raise 401 HTTP error on expiry.
Set the timeout of sessions to 10 minutes explicitly.

V1 -> V2
Address Ming's comment, raise 403 HTTP error on expiry.
Send UI patch.
UI still needs to improve as Adam King said. Hong Liang will improve it.

ShaoHe Feng (4):
  add timeout for sessions
  auth enhancement: expire the session when the request accesses periodically
  UI: set kimchi robot header for some requests.
  session expire: update test case

 src/kimchi/auth.py      | 13 +++++++++++++
 src/kimchi/config.py.in |  4 ++++
 tests/test_config.py.in |  2 ++
 ui/js/src/kimchi.api.js |  2 ++
 4 files changed, 21 insertions(+)

-- 
1.8.4.2

From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>

The default timeout of sessions is 60 minutes.
Set the timeout of sessions to 10 minutes explicitly.

Kimchi should have a 10 minute timeout value for the browser login session. If the session is inactive for 10 minutes then it should expire automatically and ask the user to log in again. This is required for security reasons.

But this timeout will not take effect on some tabs, such as the guest tab. The root cause is that the front end refreshes the VM list every 5 seconds by sending the "GET /vms" REST API call to the server.
The following patch will solve this problem.

Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
---
 src/kimchi/config.py.in | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in index d73a8f4..426fbd1 100644 --- a/src/kimchi/config.py.in +++ b/src/kimchi/config.py.in @@ -150,6 +150,9 @@ class UIConfig(dict): class KimchiConfig(dict): + # session time out is 10 minutes + SESSIONSTIMEOUT = 10 + kimchi_config = { '/': {'tools.trailing_slash.on': False, 'request.methods_with_bodies': ('POST', 'PUT'), @@ -159,6 +162,7 @@ class KimchiConfig(dict): 'tools.sessions.httponly': True, 'tools.sessions.locking': 'explicit', 'tools.sessions.storage_type': 'ram', + 'tools.sessions.timeout': SESSIONSTIMEOUT, 'tools.kimchiauth.on': False}, '/data/screenshots': { 'tools.staticdir.on': True,
-- 
1.8.4.2
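Review bot: in the first hunk, SESSIONSTIMEOUT is a hard-coded class attribute on KimchiConfig, so the 10 minute value cannot be changed without editing config.py.in; consider exposing it as a configurable value, and make the comment say the unit is minutes, since CherryPy interprets `tools.sessions.timeout` in minutes (the auth patch later has to multiply `cherrypy.session.timeout * 60` to get seconds).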
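Review bot: in the second hunk, `'tools.sessions.timeout': SESSIONSTIMEOUT` installs a sliding inactivity timeout that every request on the session refreshes, including the 5 second "GET /vms" poll the commit message mentions; a one-line comment next to it saying that this value alone does not bound a polled session, and that auth.py enforces the limit for robot requests, would save the next reader from assuming the setting is sufficient on its own.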

Reviewed-by: Royce Lv <lvroyce@linux.vnet.ibm.com>

On 2014-03-06 07:44, shaohef@linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
The default timeout of sessions is 60 minutes.
Set the timeout of sessions to 10 minutes explicitly.
Kimchi should have a 10 minute timeout value for the browser login session. If the session is inactive for 10 minutes then it should expire automatically and ask the user to log in again. This is required for security reasons.
But this timeout will not take effect on some tabs, such as the guest tab. The root cause is that the front end refreshes the VM list every 5 seconds by sending the "GET /vms" REST API call to the server.
The following patch will solve this problem.
Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
---
 src/kimchi/config.py.in | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in index d73a8f4..426fbd1 100644 --- a/src/kimchi/config.py.in +++ b/src/kimchi/config.py.in @@ -150,6 +150,9 @@ class UIConfig(dict):
class KimchiConfig(dict): + # session time out is 10 minutes + SESSIONSTIMEOUT = 10 + kimchi_config = { '/': {'tools.trailing_slash.on': False, 'request.methods_with_bodies': ('POST', 'PUT'), @@ -159,6 +162,7 @@ class KimchiConfig(dict): 'tools.sessions.httponly': True, 'tools.sessions.locking': 'explicit', 'tools.sessions.storage_type': 'ram', + 'tools.sessions.timeout': SESSIONSTIMEOUT, 'tools.kimchiauth.on': False}, '/data/screenshots': { 'tools.staticdir.on': True,

From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>

Now the UI accesses the vms and host periodically. That will never let the session expire. This patch fixes this problem.

Now the UI can set the "Kimchi-Robot" header when it wants to access the vms and host periodically. If for a long time all requests carry the "Kimchi-Robot" header, kimchi will expire the session.

Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
---
 src/kimchi/auth.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py index af3b610..b042d73 100644 --- a/src/kimchi/auth.py +++ b/src/kimchi/auth.py @@ -22,6 +22,7 @@ import cherrypy import grp import PAM import re +import time from kimchi import template @@ -32,6 +33,7 @@ from kimchi.utils import run_command USER_ID = 'userid' USER_GROUPS = 'groups' USER_SUDO = 'sudo' +REFRESH = 'robot-refresh' def debug(msg): @@ -131,6 +133,15 @@ def check_auth_session(): cherrypy.session.release_lock() if session is not None: debug("Session authenticated for user %s" % session) + kimchiRobot = cherrypy.request.headers.get('Kimchi-Robot') + if kimchiRobot == "kimchi-robot": + if (time.time() - cherrypy.session[REFRESH] > + cherrypy.session.timeout * 60): + cherrypy.session[USER_ID] = None + cherrypy.lib.sessions.expire() + raise cherrypy.HTTPError(401) + else: + cherrypy.session[REFRESH] = time.time() return True debug("Session not found") @@ -172,6 +183,7 @@ def login(userid, password): cherrypy.session[USER_ID] = userid cherrypy.session[USER_GROUPS] = user.get_groups() cherrypy.session[USER_SUDO] = user.has_sudo() + cherrypy.session[REFRESH] = time.time() cherrypy.session.release_lock() return user.get_user() @@ -179,6 +191,7 @@ def login(userid, password): def logout(): cherrypy.session.acquire_lock() cherrypy.session[USER_ID] = None + cherrypy.session[REFRESH] = 0 cherrypy.session.release_lock() cherrypy.lib.sessions.expire()
-- 
1.8.4.2
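Review bot: in the constants hunk, `REFRESH = 'robot-refresh'` gets a module-level name, but the header name 'Kimchi-Robot' and the value "kimchi-robot" it is paired with in check_auth_session stay as inline string literals; define them next to REFRESH so the contract the UI has to match lives in one place and a later rename cannot silently stop the check from ever firing.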
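Review bot: in the check_auth_session hunk, `cherrypy.session[REFRESH] = time.time()` is executed after the `cherrypy.session.release_lock()` call shown just above the hunk, yet the config sets `tools.sessions.locking` to 'explicit', so this write happens outside the session lock and can race with a concurrent request on the same session; take the lock around the update the way login() and logout() do. Two smaller points in the same block: `cherrypy.session[REFRESH]` raises KeyError (a 500) for any authenticated session that lacks the key, so `cherrypy.session.get(REFRESH, 0)` is safer; and because the header is chosen by the client, this only bounds inactivity for clients that label their polls honestly. A script that polls without the header refreshes the timer on every request exactly as before, so if an upper bound on session age is wanted, a separate login timestamp check is still needed.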
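Review bot: in the logout hunk, `cherrypy.session[REFRESH] = 0` is written immediately before `cherrypy.lib.sessions.expire()` discards the session, so the assignment has no effect; either drop it or leave a comment saying it is deliberate.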

Reviewed-by: Royce Lv <lvroyce@linux.vnet.ibm.com>

On 2014-03-06 07:44, shaohef@linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
Now the UI accesses the vms and host periodically. That will never let the session expire. This patch fixes this problem. Now the UI can set the "Kimchi-Robot" header when it wants to access the vms and host periodically. If for a long time all requests carry the "Kimchi-Robot" header, kimchi will expire the session.
Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
---
 src/kimchi/auth.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py index af3b610..b042d73 100644 --- a/src/kimchi/auth.py +++ b/src/kimchi/auth.py @@ -22,6 +22,7 @@ import cherrypy import grp import PAM import re +import time
from kimchi import template @@ -32,6 +33,7 @@ from kimchi.utils import run_command USER_ID = 'userid' USER_GROUPS = 'groups' USER_SUDO = 'sudo' +REFRESH = 'robot-refresh'
def debug(msg): @@ -131,6 +133,15 @@ def check_auth_session(): cherrypy.session.release_lock() if session is not None: debug("Session authenticated for user %s" % session) + kimchiRobot = cherrypy.request.headers.get('Kimchi-Robot') + if kimchiRobot == "kimchi-robot": + if (time.time() - cherrypy.session[REFRESH] > + cherrypy.session.timeout * 60): + cherrypy.session[USER_ID] = None + cherrypy.lib.sessions.expire() + raise cherrypy.HTTPError(401) + else: + cherrypy.session[REFRESH] = time.time() return True
debug("Session not found") @@ -172,6 +183,7 @@ def login(userid, password): cherrypy.session[USER_ID] = userid cherrypy.session[USER_GROUPS] = user.get_groups() cherrypy.session[USER_SUDO] = user.has_sudo() + cherrypy.session[REFRESH] = time.time() cherrypy.session.release_lock() return user.get_user()
@@ -179,6 +191,7 @@ def login(userid, password): def logout(): cherrypy.session.acquire_lock() cherrypy.session[USER_ID] = None + cherrypy.session[REFRESH] = 0 cherrypy.session.release_lock() cherrypy.lib.sessions.expire()

From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>

Then the session will expire when these requests access periodically.

Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
Signed-off-by: Hongliang Wang <hlwang@linux.vnet.ibm.com>
---
 ui/js/src/kimchi.api.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index fdd9cfc..c93426f 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -84,6 +84,7 @@ var kimchi = { type : 'GET', resend: true, contentType : 'application/json', + headers: {'Kimchi-Robot': 'kimchi-robot'}, dataType : 'json', success : suc, error: err @@ -335,6 +336,7 @@ var kimchi = { url : kimchi.url + 'vms', type : 'GET', contentType : 'application/json', + headers: {'Kimchi-Robot': 'kimchi-robot'}, dataType : 'json', resend: true, success : suc,
-- 
1.8.4.2
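Review bot: in the first hunk (the request near line 84), `headers: {'Kimchi-Robot': 'kimchi-robot'}` is the same literal that the second hunk repeats; hoist it into one property on the kimchi object so the value the server compares against is defined once. Only the two call sites in this patch are marked: any other periodic request in the UI that is not updated here still counts as user activity on the server and will keep the session alive, so the remaining pollers need the same header.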
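Review bot: in the 'vms' hunk, the `error: err` callback is what will now receive the 401 from auth.py once the session has expired, and nothing in the hunk shows that path sending the user back to the login page or stopping the poll; please confirm that the 401 is handled there rather than being retried on the dead session, since the cover letter says the UI handling is still to be improved.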

Reviewed-by: Royce Lv <lvroyce@linux.vnet.ibm.com>

On 2014-03-06 07:44, shaohef@linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
Then the session will expire when these requests access periodically.
Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
Signed-off-by: Hongliang Wang <hlwang@linux.vnet.ibm.com>
---
 ui/js/src/kimchi.api.js | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index fdd9cfc..c93426f 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -84,6 +84,7 @@ var kimchi = { type : 'GET', resend: true, contentType : 'application/json', + headers: {'Kimchi-Robot': 'kimchi-robot'}, dataType : 'json', success : suc, error: err @@ -335,6 +336,7 @@ var kimchi = { url : kimchi.url + 'vms', type : 'GET', contentType : 'application/json', + headers: {'Kimchi-Robot': 'kimchi-robot'}, dataType : 'json', resend: true, success : suc,

From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>

update test_config.py.in

Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
---
 tests/test_config.py.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tests/test_config.py.in b/tests/test_config.py.in index 06f9300..a2d5f9d 100644 --- a/tests/test_config.py.in +++ b/tests/test_config.py.in @@ -90,6 +90,7 @@ class ConfigTests(unittest.TestCase): Paths.get_prefix = PluginPaths.get_prefix = get_prefix paths = Paths() CACHEEXPIRES = 31536000 + SESSIONSTIMEOUT = 10 configObj = { '/': {'tools.trailing_slash.on': False, 'request.methods_with_bodies': ('POST', 'PUT'), @@ -99,6 +100,7 @@ class ConfigTests(unittest.TestCase): 'tools.sessions.httponly': True, 'tools.sessions.locking': 'explicit', 'tools.sessions.storage_type': 'ram', + 'tools.sessions.timeout': SESSIONSTIMEOUT, 'tools.kimchiauth.on': False}, '/css': { 'tools.staticdir.on': True,
-- 
1.8.4.2
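Review bot: the second hunk only asserts that the generated config contains `'tools.sessions.timeout': SESSIONSTIMEOUT`; nothing exercises the expiry branch added to check_auth_session, which is the behaviour this series exists for. The test does not have to wait 10 minutes: after logging in, set `cherrypy.session[REFRESH]` to a value more than `timeout * 60` seconds in the past (or patch `time.time`), then assert that a request carrying `Kimchi-Robot: kimchi-robot` gets a 401 while the same request without the header still succeeds and refreshes the timer.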

On 2014-03-06 07:44, shaohef@linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
update test_config.py.in
Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
---
 tests/test_config.py.in | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tests/test_config.py.in b/tests/test_config.py.in index 06f9300..a2d5f9d 100644 --- a/tests/test_config.py.in +++ b/tests/test_config.py.in @@ -90,6 +90,7 @@ class ConfigTests(unittest.TestCase): Paths.get_prefix = PluginPaths.get_prefix = get_prefix paths = Paths() CACHEEXPIRES = 31536000 + SESSIONSTIMEOUT = 10 configObj = { '/': {'tools.trailing_slash.on': False, 'request.methods_with_bodies': ('POST', 'PUT'), @@ -99,6 +100,7 @@ class ConfigTests(unittest.TestCase): 'tools.sessions.httponly': True, 'tools.sessions.locking': 'explicit', 'tools.sessions.storage_type': 'ram', + 'tools.sessions.timeout': SESSIONSTIMEOUT, 'tools.kimchiauth.on': False}, '/css': { 'tools.staticdir.on': True,

Well, I'm not sure this test is enough. For the common scenario, we check whether the given error is triggered after the timeout. Can you consider this way?

On 03/06/2014 11:09 AM, Royce Lv wrote:
On 2014-03-06 07:44, shaohef@linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
update test_config.py.in
Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
---
 tests/test_config.py.in | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tests/test_config.py.in b/tests/test_config.py.in index 06f9300..a2d5f9d 100644 --- a/tests/test_config.py.in +++ b/tests/test_config.py.in @@ -90,6 +90,7 @@ class ConfigTests(unittest.TestCase): Paths.get_prefix = PluginPaths.get_prefix = get_prefix paths = Paths() CACHEEXPIRES = 31536000 + SESSIONSTIMEOUT = 10 configObj = { '/': {'tools.trailing_slash.on': False, 'request.methods_with_bodies': ('POST', 'PUT'), @@ -99,6 +100,7 @@ class ConfigTests(unittest.TestCase): 'tools.sessions.httponly': True, 'tools.sessions.locking': 'explicit', 'tools.sessions.storage_type': 'ram', + 'tools.sessions.timeout': SESSIONSTIMEOUT, 'tools.kimchiauth.on': False}, '/css': { 'tools.staticdir.on': True,

Well, I'm not sure this test is enough. For the common scenario, we check whether the given error is triggered after the timeout. Can you consider this way?

Sure. The intention of this patch is just to fix the breakage of test_config after setting the sessions timeout explicitly.
Sure, I can add a test that gets an arbitrary URL with the extra header. But I need to hack the code, since the sessions timeout is set to 10 minutes. No tester wants to wait 10 minutes.
-- 
Thanks and best regards!
Sheldon Feng (冯少合) <shaohef@linux.vnet.ibm.com>
IBM Linux Technology Center
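To show how the expiry path can be exercised without waiting ten minutes, here is an added example that is not Kimchi's code: it models the Kimchi-Robot check from the auth patch against an injectable clock, writing the idle timer under the session lock. Session, SessionExpired, FakeClock, run_scenario and the ROBOT_HEADER/ROBOT_VALUE constants are this example's own names; Session and SessionExpired are stand-ins for cherrypy.session and cherrypy.HTTPError(401), and the polling timings are constructed to match the 5 second "GET /vms" refresh described in the thread.

```python
import threading
import time

# Names mirror the patch; the header constants are this example's own.
SESSIONSTIMEOUT = 10               # minutes, as in config.py.in
USER_ID = 'userid'
REFRESH = 'robot-refresh'
ROBOT_HEADER = 'Kimchi-Robot'      # assumed constant names (inline literals in the patch)
ROBOT_VALUE = 'kimchi-robot'


class SessionExpired(Exception):
    """Stand-in for cherrypy.HTTPError(401)."""
    status = 401


class Session(dict):
    """Minimal stand-in for cherrypy.session with explicit locking."""

    def __init__(self, timeout=SESSIONSTIMEOUT):
        super().__init__()
        self.timeout = timeout      # minutes, like cherrypy.session.timeout
        self.expired = False
        self._lock = threading.Lock()

    def acquire_lock(self):
        self._lock.acquire()

    def release_lock(self):
        self._lock.release()

    def expire(self):
        self.expired = True
        self.clear()


def login(session, userid, now=time.time):
    """Record the user and the time of the last non-robot request."""
    session.acquire_lock()
    try:
        session[USER_ID] = userid
        session[REFRESH] = now()
    finally:
        session.release_lock()


def check_auth_session(session, headers, now=time.time):
    """Return True for a live session. A request with the robot header is only
    a probe: it never refreshes the idle timer, and if the last ordinary request
    is older than timeout minutes it expires the session and raises. Any other
    request counts as user activity and refreshes the timer."""
    if session.expired or session.get(USER_ID) is None:
        return False
    session.acquire_lock()          # the timer is session state: write under the lock
    try:
        if headers.get(ROBOT_HEADER) == ROBOT_VALUE:
            idle = now() - session.get(REFRESH, 0)
            if idle > session.timeout * 60:
                session[USER_ID] = None
                session.expire()
                raise SessionExpired()
        else:
            session[REFRESH] = now()
    finally:
        session.release_lock()
    return True


class FakeClock:
    """Injectable clock so the 10 minute timeout is reached instantly."""

    def __init__(self, start=1_000_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def run_scenario(human_clicks, poll_interval=5, duration=20 * 60,
                 timeout=SESSIONSTIMEOUT, robot_header=True):
    """Log in, then poll every poll_interval seconds for duration seconds, the
    way the UI polls /vms. human_clicks lists offsets (seconds after login) of
    ordinary requests, each applied at the next poll tick. Returns the offset at
    which a poll got a 401, or None if the session was still alive at the end."""
    clock = FakeClock()
    session = Session(timeout)
    login(session, 'admin', now=clock)
    pending = sorted(human_clicks)
    poll_headers = {ROBOT_HEADER: ROBOT_VALUE} if robot_header else {}
    for t in range(poll_interval, duration + 1, poll_interval):
        clock.advance(poll_interval)
        while pending and pending[0] <= t:
            pending.pop(0)
            check_auth_session(session, {}, now=clock)      # user activity
        try:
            check_auth_session(session, poll_headers, now=clock)
        except SessionExpired:
            return t
    return None


if __name__ == '__main__':
    print(run_scenario([]))                        # 605: first poll past 10 idle minutes
    print(run_scenario([300]))                     # 905: a click at 5 min restarts the timer
    print(run_scenario([], robot_header=False))    # None: unmarked polls keep it alive
```

The last call is the caveat to keep in mind: a client that polls without the header is indistinguishable from a user, so the check bounds idle time only for clients that label their polls; an absolute session lifetime would need a login timestamp checked separately.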