Yair Zaslavsky has uploaded a new change for review. Change subject: aaa: Added usage of AuthRecord.VALID_TO ......................................................................
aaa: Added usage of AuthRecord.VALID_TO
The SessionDataContainer cleans sessions after UserSessionTimeoutInterval minutes (30 minutes). AuthRecord.VALID_TO may contain a date in the future that holds the time the session should expire. If this time is bigger than the time of the next sessions invalidation interval, the sessions invalidation of the session data container will invalid it anyway. If it is smaller than the next interval, and a login attempt is performed using this session, and the expiration time has arrived, the session will be removed from the session data container, and the user will be notified the session was timed out.
Change-Id: I53e4a371c1bae8d2480ddd2af921a560c6fe9a85
Topic: AAA
Signed-off-by: Yair Zaslavsky <[email protected]>
---
M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/LoginBaseCommand.java
M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/session/SessionDataContainer.java
M backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/internal/InternalAuthn.java
M backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/LdapAuthenticateUserCommand.java
4 files changed, 71 insertions(+), 4 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/75/26975/1
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/LoginBaseCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/LoginBaseCommand.java
index 5d032de..0274ebc 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/LoginBaseCommand.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/LoginBaseCommand.java
@@ -1,15 +1,20 @@
 package org.ovirt.engine.core.bll;
+import java.text.ParseException;
+import java.text.SimpleDateFormat;
 import java.util.Collections;
+import java.util.Date;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang.time.DateUtils;
 import org.ovirt.engine.api.extensions.Base;
 import org.ovirt.engine.api.extensions.ExtMap;
 import org.ovirt.engine.api.extensions.aaa.Authn;
 import org.ovirt.engine.api.extensions.aaa.Mapping;
+import org.ovirt.engine.api.extensions.aaa.Authn.AuthRecord;
 import org.ovirt.engine.core.aaa.AuthenticationProfile;
 import org.ovirt.engine.core.aaa.AuthenticationProfileRepository;
 import org.ovirt.engine.core.aaa.AuthzUtils;
@@ -23,6 +28,8 @@
 import org.ovirt.engine.core.common.action.LoginUserParameters;
 import org.ovirt.engine.core.common.action.VdcLoginReturnValueBase;
 import org.ovirt.engine.core.common.businessentities.DbUser;
+import org.ovirt.engine.core.common.config.Config;
+import org.ovirt.engine.core.common.config.ConfigValues;
 import org.ovirt.engine.core.common.errors.VdcBllMessages;
 import org.ovirt.engine.core.compat.Guid;
 import org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector;
@@ -58,6 +65,8 @@
 private ExtensionProxy authnExtension;
 private AuthenticationProfile profile;
+
+ private ExtMap authRecord;
 public LoginBaseCommand(T parameters) {
 super(parameters);
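Review bot: `private ExtMap authRecord;` turns what was a local in the authentication path into command state, with no comment saying why; since it is read later by `attachUserToSession()`, a one-liner makes the coupling visible: `// Authn record returned by authenticate(); attachUserToSession() reads AuthRecord.VALID_TO from it`. The field stays null on any path that does not run `authenticate()`, which is exactly what a reader of `attachUserToSession()` needs to know. The enclosing class declaration is outside the hunk.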
@@ -100,10 +109,27 @@
 }
 protected boolean attachUserToSession() {
+ Date validTo = null;
 if (!StringUtils.isEmpty(getParameters().getSessionId())) {
+ validTo = SessionDataContainer.getInstance()
+ .getValidTo(getParameters().getSessionId());
+ if (validTo.compareTo(new Date(System.currentTimeMillis())) < 0) {
+ SessionDataContainer.getInstance().removeSession(getParameters().getSessionId());
+ return failCanDoAction(VdcBllMessages.USER_CANNOT_LOGIN_SESSION_MISSING);
+ }
 SessionDataContainer.getInstance().setUser(getParameters().getSessionId(), getCurrentUser());
- } else if (!SessionDataContainer.getInstance().setUser(getCurrentUser())) {
- return failCanDoAction(VdcBllMessages.USER_CANNOT_LOGIN_SESSION_MISSING);
+ } else {
+ if (!SessionDataContainer.getInstance().setUser(getCurrentUser())) {
+ return failCanDoAction(VdcBllMessages.USER_CANNOT_LOGIN_SESSION_MISSING);
+ }
+ try {
+ validTo =
+ new SimpleDateFormat("yyyy-MM-dd HH:mm:ssZ").parse(authRecord.<String> get(AuthRecord.VALID_TO));
+ } catch (ParseException e) {
+ log.warn("Error parsing AuthRecord.VALID_TO . Default VALID_TO value will be set on session");
+ validTo = DateUtils.addMinutes(new Date(System.currentTimeMillis()), Config.<Integer> getValue(ConfigValues.UserSessionTimeOutInterval));
+ }
+ SessionDataContainer.getInstance().setValidTo(validTo);
 }
 return true;
 }
@@ -184,7 +210,7 @@
 password = curPassword;
 }
 // Perform the actual authentication:
- ExtMap authRecord = authenticate(loginName, password);
+ authRecord = authenticate(loginName, password);
 if (authRecord != null) {
 DirectoryUser directoryUser = AuthzUtils.fetchPrincipalRecord(profile.getAuthz(), authRecord);
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/session/SessionDataContainer.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/session/SessionDataContainer.java
index fa6973d..6a736cf 100644
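Review bot: `validTo.compareTo(...)` in the existing-session branch dereferences whatever `getValidTo()` returns, and the only place this change stores an expiry is the new-session branch below, so a session that never went through it (for instance one created before this patch) would hit a NullPointerException instead of being checked; guard it with `if (validTo != null && validTo.before(new Date()))` and state explicitly whether a missing expiry means "expired" or "left to the periodic cleanup". In the new-session branch `authRecord.<String> get(AuthRecord.VALID_TO)` can be null when the authn extension did not populate the field, and `SimpleDateFormat.parse(null)` throws NullPointerException, which `catch (ParseException e)` does not cover, so the intended fallback to `UserSessionTimeOutInterval` never runs; test for null before parsing. Note also that on a malformed value the code widens the session lifetime to the configured default rather than rejecting the login, which is fail-open; if that is deliberate, include the rejected value in the warning so a misbehaving extension is visible in the log. The `"yyyy-MM-dd HH:mm:ssZ"` pattern parsed here is repeated verbatim in both built-in extensions; a shared constant next to `AuthRecord.VALID_TO` would keep parser and producers in step.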
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/session/SessionDataContainer.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/session/SessionDataContainer.java
@@ -1,5 +1,6 @@
 package org.ovirt.engine.core.bll.session;
+import java.util.Date;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
@@ -18,6 +19,7 @@
 private static final String USER_PARAMETER_NAME = "user";
 private static final String PASSWORD_PARAMETER_NAME = "password";
+ private static final String VALID_TO_PARAMETER_NAME = "valid_to";
 private static SessionDataContainer dataProviderInstance = new SessionDataContainer();
@@ -188,6 +190,10 @@
 return setData(USER_PARAMETER_NAME, user);
 }
+ public final void setValidTo(Date validTo) {
+ setData(VALID_TO_PARAMETER_NAME, validTo);
+ }
+
 /**
 * @param sessionId The session to get the user for
 * @param refresh Whether refreshing the session is needed
@@ -230,4 +236,8 @@
 public String getPassword() {
 return (String) getData(PASSWORD_PARAMETER_NAME, false);
 }
+
+ public Date getValidTo(String sessionId) {
+ return (Date) getData(sessionId, VALID_TO_PARAMETER_NAME, false);
+ }
 }
diff --git a/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/internal/InternalAuthn.java b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/internal/InternalAuthn.java
index fa82edd..f8d7aed 100644
--- a/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/internal/InternalAuthn.java
+++ b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/internal/InternalAuthn.java
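Review bot: `getValidTo` and `setValidTo` are added without Javadoc although the neighbouring accessors in this class document their parameters, and the null contract is the part a caller needs: `getValidTo` returns `(Date) getData(sessionId, VALID_TO_PARAMETER_NAME, false)`, which presumably yields null when no expiry was ever stored for that session, and the caller added in LoginBaseCommand dereferences the result unchecked. A comment such as `/** @param sessionId the session to look up @return the absolute expiry stored via setValidTo, or null when none was set; the session is not refreshed */` would make that explicit. Only the no-sessionId form `setValidTo(Date)` exists, so an existing session's expiry cannot be updated on re-login; if that is intended, a `setValidTo(String sessionId, Date validTo)` overload mirroring `setUser` would cover it. `java.util.Date` is mutable and the stored instance is handed out directly, so either return a copy (`new Date(d.getTime())`) or document that callers must not modify it.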
@@ -1,11 +1,17 @@
 package org.ovirt.engine.extensions.aaa.builtin.internal;
+import java.text.SimpleDateFormat;
+import java.util.Date;
 import java.util.List;
 import java.util.Properties;
+
+import org.apache.commons.lang.time.DateUtils;
 import org.ovirt.engine.api.extensions.Base;
 import org.ovirt.engine.api.extensions.ExtMap;
 import org.ovirt.engine.api.extensions.Extension;
 import org.ovirt.engine.api.extensions.aaa.Authn;
+import org.ovirt.engine.core.common.config.Config;
+import org.ovirt.engine.core.common.config.ConfigValues;
 /**
 * This authenticator authenticates the internal user as specified in the {@code AdminUser} and {@code AdminPassword}
@@ -44,6 +50,14 @@
 new ExtMap().mput(
 Authn.AuthRecord.PRINCIPAL,
 adminUser
+ ).mput(
+ Authn.AuthRecord.VALID_TO,
+ new SimpleDateFormat("yyyy-MM-dd HH:mm:ssZ").format(
+ DateUtils.addMinutes(
+ new Date(System.currentTimeMillis()),
+ Config.<Integer> getValue(ConfigValues.UserSessionTimeOutInterval)
+ )
+ )
 )
 );
 output.put(Authn.InvokeKeys.RESULT, Authn.AuthResult.SUCCESS);
diff --git a/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/LdapAuthenticateUserCommand.java b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/LdapAuthenticateUserCommand.java
index fb8fe90..1399438 100644
--- a/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/LdapAuthenticateUserCommand.java
+++ b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/LdapAuthenticateUserCommand.java
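Review bot: The VALID_TO written here is just `now + UserSessionTimeOutInterval`, obtained by the extension reaching into the engine's `Config`, so it carries no information the engine does not already have and couples the built-in extension to core configuration; if extensions are meant to express their own credential validity, either a constant default or omitting VALID_TO and letting the engine apply its timeout is a cleaner contract. The pattern `"yyyy-MM-dd HH:mm:ssZ"` has to match the parser in LoginBaseCommand byte for byte and now appears in three files; until the Authn API defines it, hoist it to `private static final String VALID_TO_FORMAT = "yyyy-MM-dd HH:mm:ssZ";` so the producers cannot drift. `new Date(System.currentTimeMillis())` is the same as `new Date()`. The enclosing method begins outside the hunk.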
@@ -1,9 +1,15 @@
 package org.ovirt.engine.extensions.aaa.builtin.kerberosldap;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+
+import org.apache.commons.lang.time.DateUtils;
 import org.ovirt.engine.api.extensions.ExtMap;
 import org.ovirt.engine.api.extensions.aaa.Authn;
 import org.ovirt.engine.core.common.businessentities.LdapUser;
+import org.ovirt.engine.core.common.config.Config;
+import org.ovirt.engine.core.common.config.ConfigValues;
 import org.ovirt.engine.core.utils.kerberos.AuthenticationResult;
 import org.ovirt.engine.core.utils.log.Log;
 import org.ovirt.engine.core.utils.log.LogFactory;
@@ -60,7 +66,18 @@
 new ExtMap().mput(
 Authn.AuthRecord.PRINCIPAL,
 user.getUserName()
- ));
+ ).mput(
+ Authn.AuthRecord.VALID_TO,
+ new SimpleDateFormat("yyyy-MM-dd HH:mm:ssZ").format(
+ DateUtils.addMinutes(
+ new Date(System.currentTimeMillis()),
+ Config.<Integer> getValue(ConfigValues.UserSessionTimeOutInterval)
+ )
+ )
+ );
+
+ setSucceeded(true);
 } else {
 log.errorFormat("Failed authenticating. Domain is {0}. User is {1}. The user doesn't have a UPN",
--
To view, visit http://gerrit.ovirt.org/26975
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I53e4a371c1bae8d2480ddd2af921a560c6fe9a85
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Yair Zaslavsky <[email protected]>
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches
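Review bot: `setSucceeded(true);` is a new call unrelated to VALID_TO that the commit message does not mention; if the command already reported success elsewhere it is a no-op, otherwise it changes the command's outcome and deserves either its own change or a sentence in the description. As in InternalAuthn, VALID_TO is set to `now + UserSessionTimeOutInterval` rather than anything derived from the Kerberos/LDAP authentication itself (a ticket end time would be the natural source if `AuthenticationResult` exposes one, which cannot be confirmed from this hunk), so the field adds no security value over the engine's default yet. The `"yyyy-MM-dd HH:mm:ssZ"` pattern is duplicated across the three files and must match the parser in LoginBaseCommand exactly; a shared constant would prevent drift. The enclosing method and the `if` this hunk sits in start outside the hunk.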
