[PATCH V3 0/3] let session expire when request access periodically

From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>

V2 -> V3
  raise 401 http error when expire.
  Set the timeout of sessions 10 minutes explicitly.

V1 -> V2
  Address ming's comment, raise 403 http error when expire.
  Send UI patch.

UI still needs to improve as Adam King said.
Hong Liang will improve it.

ShaoHe Feng (3):
  add timeout for sessions
  auth enhancement: expire the session when the request access periodically
  UI: set kimchi robot header for some request.

 src/kimchi/auth.py      | 13 +++++++++++++
 src/kimchi/config.py.in |  4 ++++
 ui/js/src/kimchi.api.js |  2 ++
 3 files changed, 19 insertions(+)

-- 
1.8.4.2

From: ShaoHe Feng <shaohef@linux.vnet.ibm.com> The default timeout of sessions is 60 minutes. Set the timeout of sessions 10 minutes explicitly. Kimchi should have 10 minutes of time out value for the browser login session. If session got inactive for 10 minutes then it should expire automatically. And should ask user for relogin. This is required for the security reason. But this timeout will not take effect on some tabs, such as guest tab. The root cause is because the front end refreshes the vm list every 5 seconds by sending the "GET /vms" REST API call to the server. The follow patch will solve this problem. Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> --- src/kimchi/config.py.in | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in index d73a8f4..426fbd1 100644 --- a/src/kimchi/config.py.in +++ b/src/kimchi/config.py.in @@ -150,6 +150,9 @@ class UIConfig(dict): class KimchiConfig(dict): + # session time out is 10 minutes + SESSIONSTIMEOUT = 10 + kimchi_config = { '/': {'tools.trailing_slash.on': False, 'request.methods_with_bodies': ('POST', 'PUT'), @@ -159,6 +162,7 @@ class KimchiConfig(dict): 'tools.sessions.httponly': True, 'tools.sessions.locking': 'explicit', 'tools.sessions.storage_type': 'ram', + 'tools.sessions.timeout': SESSIONSTIMEOUT, 'tools.kimchiauth.on': False}, '/data/screenshots': { 'tools.staticdir.on': True, -- 1.8.4.2
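Review bot: in the KimchiConfig hunk, `SESSIONSTIMEOUT = 10` carries its unit only in the comment above it, while the place it is consumed, `'tools.sessions.timeout': SESSIONSTIMEOUT,`, is in CherryPy minutes and the auth patch later has to multiply by 60; a name such as SESSION_TIMEOUT_MINUTES would make the unit explicit at both sites. The new key also changes the dict that tests/test_config.py compares against, so test_kimchi_config needs the same 'tools.sessions.timeout' entry in this series. The value is a source constant rather than a kimchi.conf setting, so an administrator cannot tighten or relax the idle timeout without a rebuild; exposing it in the config file would be worth a follow-up.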

In order to test this patch set, please change

    + SESSIONSTIMEOUT = 10

to

    + SESSIONSTIMEOUT = 1

and then:

$ ./autogen
$ make
$ sudo PYTHONPATH=src ./src/kimchid --host "0.0.0.0"
$ firefox http://localhost:8000/#tabs/guests

and wait 1 minute.

Thanks.

On 03/05/2014 08:52 AM, shaohef@linux.vnet.ibm.com wrote:
-- 
Thanks and best regards!

Sheldon Feng(冯少合)<shaohef@linux.vnet.ibm.com>
IBM Linux Technology Center

From: ShaoHe Feng <shaohef@linux.vnet.ibm.com> Now UI will access the vms and host periodically. That will never make the session expire. This patch fix this problem. Now the UI can set "Kimchi-Robot" header when it wants to access the vms and host periodically. If the all requests with "Kimchi-Robot" header access for a long time, kimchi will expire the session. Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> --- src/kimchi/auth.py | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py index af3b610..b042d73 100644 --- a/src/kimchi/auth.py +++ b/src/kimchi/auth.py @@ -22,6 +22,7 @@ import cherrypy import grp import PAM import re +import time from kimchi import template @@ -32,6 +33,7 @@ from kimchi.utils import run_command USER_ID = 'userid' USER_GROUPS = 'groups' USER_SUDO = 'sudo' +REFRESH = 'robot-refresh' def debug(msg): @@ -131,6 +133,15 @@ def check_auth_session(): cherrypy.session.release_lock() if session is not None: debug("Session authenticated for user %s" % session) + kimchiRobot = cherrypy.request.headers.get('Kimchi-Robot') + if kimchiRobot == "kimchi-robot": + if (time.time() - cherrypy.session[REFRESH] > + cherrypy.session.timeout * 60): + cherrypy.session[USER_ID] = None + cherrypy.lib.sessions.expire() + raise cherrypy.HTTPError(401) + else: + cherrypy.session[REFRESH] = time.time() return True debug("Session not found") @@ -172,6 +183,7 @@ def login(userid, password): cherrypy.session[USER_ID] = userid cherrypy.session[USER_GROUPS] = user.get_groups() cherrypy.session[USER_SUDO] = user.has_sudo() + cherrypy.session[REFRESH] = time.time() cherrypy.session.release_lock() return user.get_user() @@ -179,6 +191,7 @@ def login(userid, password): def logout(): cherrypy.session.acquire_lock() cherrypy.session[USER_ID] = None + cherrypy.session[REFRESH] = 0 cherrypy.session.release_lock() cherrypy.lib.sessions.expire() -- 1.8.4.2
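Review bot: in the check_auth_session hunk the new lines read and write cherrypy.session[REFRESH] after the `cherrypy.session.release_lock()` shown in the context; with 'tools.sessions.locking': 'explicit' (patch 1) the write `cherrypy.session[REFRESH] = time.time()` runs unlocked, so either move the block above release_lock() or re-acquire the lock around it. `cherrypy.session[REFRESH]` also raises KeyError for any session that lacks the key (only login() sets it in this series), so `cherrypy.session.get(REFRESH, 0)` would be safer and would simply expire such a session on its next robot poll. Note that the header is a client-supplied hint: a request without it counts as user activity, which is right for the browser UI but means the idle timeout is enforced only for clients that cooperate; that should be documented so nobody relies on it as a control against a non-cooperating client.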
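Review bot: the REFRESH hunk introduces the session key 'robot-refresh', but the header name 'Kimchi-Robot' and value "kimchi-robot" that go with it appear as bare string literals in the check_auth_session hunk and again in ui/js/src/kimchi.api.js; defining the header name and value as named constants next to REFRESH, with a one-line comment explaining the contract (polls carrying this header do not count as user activity), would keep the server and UI sides from drifting apart.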

From: ShaoHe Feng <shaohef@linux.vnet.ibm.com> Then session will expire when these request access periodically. Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> Signed-off-by: Hongliang Wang <hlwang@linux.vnet.ibm.com> --- ui/js/src/kimchi.api.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index fdd9cfc..c93426f 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -84,6 +84,7 @@ var kimchi = { type : 'GET', resend: true, contentType : 'application/json', + headers: {'Kimchi-Robot': 'kimchi-robot'}, dataType : 'json', success : suc, error: err @@ -335,6 +336,7 @@ var kimchi = { url : kimchi.url + 'vms', type : 'GET', contentType : 'application/json', + headers: {'Kimchi-Robot': 'kimchi-robot'}, dataType : 'json', resend: true, success : suc, -- 1.8.4.2
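Review bot: the header is added to only two $.ajax calls (the hunk at line 84 and the GET of 'vms' at line 336), so any other periodic request the UI sends without it will keep refreshing the session and the timeout still will not fire on those tabs; a small wrapper for polling calls, or setting the header in one place, would keep the 'Kimchi-Robot'/'kimchi-robot' literal from being repeated per call. The server now answers these polls with 401 once the session has expired, and the existing `error: err` callbacks in both hunks do not yet redirect to the login page, as the cover letter acknowledges, so until that lands the user only sees the polls failing silently.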

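The idle rule that the auth.py and kimchi.api.js patches implement together, modelled without CherryPy so it can be exercised directly (added example, not Kimchi's code; Session, check_auth, simulate and SessionExpired are stand-ins for the CherryPy session and HTTPError(401)):

```python
# Added example, not Kimchi's code: a CherryPy-free model of the idle rule the
# auth.py patch adds to check_auth_session(); names below are stand-ins.

ROBOT_HEADER = "Kimchi-Robot"   # header name sent by kimchi.api.js
ROBOT_VALUE = "kimchi-robot"    # header value sent by kimchi.api.js
TIMEOUT_MINUTES = 10            # SESSIONSTIMEOUT from config.py.in


class SessionExpired(Exception):
    """Stands in for cherrypy.HTTPError(401)."""


class Session:
    def __init__(self, userid, now):
        self.userid = userid
        self.refresh = now  # time of the last request that was NOT a robot poll


def check_auth(session, headers, now, timeout_minutes=TIMEOUT_MINUTES):
    """Same decision as the patched check_auth_session(): a robot poll never
    counts as user activity; if the last real activity is older than the
    timeout the session is invalidated and a 401 is raised."""
    if session is None or session.userid is None:
        return False
    if headers.get(ROBOT_HEADER) == ROBOT_VALUE:
        if now - session.refresh > timeout_minutes * 60:
            session.userid = None          # cherrypy.session[USER_ID] = None
            raise SessionExpired()         # cherrypy.HTTPError(401)
    else:
        session.refresh = now              # cherrypy.session[REFRESH] = time.time()
    return True


def simulate(timeout_minutes=1, poll_seconds=5, idle_seconds=120,
             user_click_at=None):
    """Constructed scenario from the test instructions: the guests tab polls
    GET /vms every 5 s with the robot header while the user is idle, with an
    optional real (header-less) request at user_click_at seconds.
    Returns (polls served, second at which the session expired or None)."""
    session = Session("admin", now=0)
    served = 0
    for t in range(poll_seconds, idle_seconds + 1, poll_seconds):
        if t == user_click_at:
            check_auth(session, {}, t, timeout_minutes)  # user activity
        try:
            check_auth(session, {ROBOT_HEADER: ROBOT_VALUE}, t, timeout_minutes)
            served += 1
        except SessionExpired:
            return served, t
    return served, None
```

With a 1-minute timeout the polls alone are served until the 65th second and then get a 401, while one real request at 30 s pushes expiry out to 95 s.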
Need to update the test cases

======================================================================
FAIL: test_kimchi_config (test_config.ConfigTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/alinefm/kimchi/tests/test_config.py", line 160, in test_kimchi_config
    self.assertEquals(kimchi_config, configObj)
AssertionError: {'/data/screenshots': {'tools.nocache.on': False, 'tools.staticdir.dir': '/home/alinefm/kimchi/data/screenshots', 'tools.staticdir.on': True}, '/data/debugreports': {'tools.kimchiauth.on': True, 'tools.nocache.on': False, 'tools.staticdir.dir': '/home/alinefm/kimchi/data/debugreports', 'tools.staticdir.content_types': {'xz': 'application/x-xz'}, 'tools.staticdir.on': True}, '/libs': {'tools.expires.on': True, 'tools.nocache.on': False, 'tools.staticdir.dir': '/home/alinefm/kimchi/ui/libs', 'tools.expires.secs': 31536000, 'tools.staticdir.on': True}, '/help': {'tools.nocache.on': False, 'tools.staticdir.dir': '/home/alinefm/kimchi/ui/pages/help', 'tools.staticdir.on': True}, '/favicon.ico': {'tools.staticfile.on': True, 'tools.staticfile.filename': '/home/alinefm/kimchi/ui/images/logo.ico'}, '/config/ui/tabs.xml': {'tools.nocache.on': True, 'tools.staticfile.on': True, 'tools.staticfile.filename': '/home/alinefm/kimchi/config/ui/tabs.xml'}, '/images': {'tools.nocache.on': False, 'tools.staticdir.dir': '/home/alinefm/kimchi/ui/images', 'tools.staticdir.on': True}, '/css': {'tools.expires.on': True, 'tools.nocache.on': False, 'tools.staticdir.dir': '/home/alinefm/kimchi/ui/css', 'tools.expires.secs': 31536000, 'tools.staticdir.on': True}, '/': {'tools.sessions.httponly': True, 'tools.sessions.on': True, 'tools.nocache.on': True, 'tools.sessions.storage_type': 'ram', 'tools.sessions.timeout': 10, 'request.methods_with_bodies': ('POST', 'PUT'), 'tools.trailing_slash.on': False, 'tools.kimchiauth.on': False, 'tools.sessions.name': 'kimchi', 'tools.sessions.locking': 'explicit'}, '/js': {'tools.expires.on': True, 'tools.nocache.on': False, 'tools.staticdir.dir': '/home/alinefm/kimchi/ui/js', 'tools.expires.secs': 31536000, 'tools.staticdir.on': True}} != {'/data/screenshots': {'tools.nocache.on': False, 'tools.staticdir.dir': '/home/alinefm/kimchi/data/screenshots', 'tools.staticdir.on': True}, '/data/debugreports': {'tools.kimchiauth.on': True, 'tools.nocache.on': False, 'tools.staticdir.dir': '/home/alinefm/kimchi/data/debugreports', 'tools.staticdir.content_types': {'xz': 'application/x-xz'}, 'tools.staticdir.on': True}, '/libs': {'tools.expires.on': True, 'tools.nocache.on': False, 'tools.expires.secs': 31536000, 'tools.staticdir.dir': '/home/alinefm/kimchi/ui/libs', 'tools.staticdir.on': True}, '/config/ui/tabs.xml': {'tools.nocache.on': True, 'tools.staticfile.on': True, 'tools.staticfile.filename': '/home/alinefm/kimchi/config/ui/tabs.xml'}, '/favicon.ico': {'tools.staticfile.on': True, 'tools.staticfile.filename': '/home/alinefm/kimchi/ui/images/logo.ico'}, '/js': {'tools.expires.on': True, 'tools.nocache.on': False, 'tools.expires.secs': 31536000, 'tools.staticdir.dir': '/home/alinefm/kimchi/ui/js', 'tools.staticdir.on': True}, '/images': {'tools.nocache.on': False, 'tools.staticdir.dir': '/home/alinefm/kimchi/ui/images', 'tools.staticdir.on': True}, '/help': {'tools.nocache.on': False, 'tools.staticdir.dir': '/home/alinefm/kimchi/ui/pages/help', 'tools.staticdir.on': True}, '/css': {'tools.expires.on': True, 'tools.nocache.on': False, 'tools.expires.secs': 31536000, 'tools.staticdir.dir': '/home/alinefm/kimchi/ui/css', 'tools.staticdir.on': True}, '/': {'tools.sessions.httponly': True, 'tools.sessions.on': True, 'tools.nocache.on': True, 'tools.sessions.storage_type': 'ram', 'request.methods_with_bodies': ('POST', 'PUT'), 'tools.trailing_slash.on': False, 'tools.kimchiauth.on': False, 'tools.sessions.name': 'kimchi', 'tools.sessions.locking': 'explicit'}}
----------------------------------------------------------------------
Ran 158 tests in 149.610s

FAILED (failures=1)
[05/Mar/2014:15:50:05] ENGINE Waiting for child threads to terminate...
make[3]: *** [check-local] Error 1
make[3]: Leaving directory `/home/alinefm/kimchi/tests'
make[2]: *** [check-am] Error 2
make[2]: Leaving directory `/home/alinefm/kimchi/tests'
make[1]: *** [check] Error 2
make[1]: Leaving directory `/home/alinefm/kimchi/tests'
make: *** [check-recursive] Error 1

On 03/04/2014 09:52 PM, shaohef@linux.vnet.ibm.com wrote:

Applied. Thanks.

Regards,
Aline Manera