[ https://issues.apache.org/jira/browse/KNOX-2777?focusedWorklogId=793657&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-793657 ]
ASF GitHub Bot logged work on KNOX-2777: ---------------------------------------- Author: ASF GitHub Bot Created on: 21/Jul/22 10:09 Start Date: 21/Jul/22 10:09 Worklog Time Spent: 10m Work Description: smolnar82 commented on code in PR #608: URL: https://github.com/apache/knox/pull/608#discussion_r926499605 ########## gateway-spi-common/src/main/java/org/apache/knox/gateway/session/control/ConcurrentSessionVerifier.java: ########## @@ -0,0 +1,102 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.session.control; + + +import org.apache.knox.gateway.config.GatewayConfig; + +import java.util.Map; +import java.util.Set; +import java.util.concurrent.ConcurrentHashMap; +import java.util.concurrent.locks.Lock; +import java.util.concurrent.locks.ReentrantLock; + +public class ConcurrentSessionVerifier { + public static final ConcurrentSessionVerifier INSTANCE = new ConcurrentSessionVerifier(); + private Set<String> privilegedUsers; + private Set<String> nonPrivilegedUsers; + private int privilegedUserConcurrentSessionLimit; + private int nonPrivilegedUserConcurrentSessionLimit; + private Map<String, Integer> concurrentSessionCounter; + private final Lock sessionCountModifyLock = new ReentrantLock(); + + private ConcurrentSessionVerifier() { + } + + public static ConcurrentSessionVerifier getInstance() { + return INSTANCE; + } + + public void init(GatewayConfig config) { + this.privilegedUsers = config.getPrivilegedUsers(); + this.nonPrivilegedUsers = config.getNonPrivilegedUsers(); + this.privilegedUserConcurrentSessionLimit = config.getPrivilegedUsersConcurrentSessionLimit(); + this.nonPrivilegedUserConcurrentSessionLimit = config.getNonPrivilegedUsersConcurrentSessionLimit(); + this.concurrentSessionCounter = new ConcurrentHashMap<>(); + } + + public boolean verifySessionForUser(String username) { + if (!privilegedUsers.contains(username) && !nonPrivilegedUsers.contains(username)) { + return true; + } + + sessionCountModifyLock.lock(); + try { + concurrentSessionCounter.putIfAbsent(username, 0); + if (privilegedUserCheckLimitReached(username) || nonPrivilegedUserCheckLimitReached(username)) { + return false; + } + concurrentSessionCounter.compute(username, (key, value) -> value + 1); + } finally { + sessionCountModifyLock.unlock(); + } + return true; + } + + private boolean privilegedUserCheckLimitReached(String username) { + if (privilegedUserConcurrentSessionLimit < 0) { + return false; + } + return privilegedUsers.contains(username) && (concurrentSessionCounter.get(username) >= privilegedUserConcurrentSessionLimit); + } + + private boolean nonPrivilegedUserCheckLimitReached(String username) { + if (nonPrivilegedUserConcurrentSessionLimit < 0) { + return false; + } + return nonPrivilegedUsers.contains(username) && (concurrentSessionCounter.get(username) >= nonPrivilegedUserConcurrentSessionLimit); + } + + public void sessionEndedForUser(String username) { + if (concurrentSessionCounter.containsKey(username)) { + sessionCountModifyLock.lock(); + try { + int count = concurrentSessionCounter.get(username); Review Comment: I agree; this is a better approach. Nice catch, Attila! :) Issue Time Tracking ------------------- Worklog Id: (was: 793657) Time Spent: 3h (was: 2h 50m) > Implement concurrent session verifier > ------------------------------------- > > Key: KNOX-2777 > URL: https://issues.apache.org/jira/browse/KNOX-2777 > Project: Apache Knox > Issue Type: Sub-task > Components: Server > Affects Versions: 2.0.0 > Reporter: Sandor Molnar > Assignee: Balazs Marton > Priority: Major > Fix For: 2.0.0 > > Time Spent: 3h > Remaining Estimate: 0h > > The following needs to be implemented in the scope of this JIRA: > * we need 4 new Gateway-level configurations: > ** privileged user list (defaults to an empty collection) > ** non-privileged user list (defaults to an empty collection) > ** session limit for privileged users (defaults to 3) > ** session limit for non-privileged users (defaults to 2) > * if a session limit for any of the groups is set to a negative number, that > means the users in that group are allowed to have an unlimited number of > sessions > * In addition to the new configs, a verifier has to be implemented that > enforces the following business logic: if a user is listed in the > above-introduced privileged/non-privileged collection AND is about to pass a > configured session limit the verification should fail. The verification > should succeed if the given user is declared neither a privileged nor a > non-privileged user. > The new verifier implementation may be placed in the {{gateway-spi-common}} > project for now. -- This message was sent by Atlassian Jira (v8.20.10#820010)