mirrors
/
redmine
mirror of https://github.com/redmine/redmine.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 199 Wiki Activity
Browse Source

Keep track of valid user sessions (#21058). 

git-svn-id: http://svn.redmine.org/redmine/trunk@14735 e93f8b46-1217-0410-a6f0-8f06a7374b81
tags/3.2.0
Jean-Philippe Lang 8 years ago
parent
a371c8d850
commit
4cd22dcc55
12 changed files with 340 additions and 208 deletions
Split View Show Diff Stats
  1. 5
    29
      app/controllers/application_controller.rb
  2. 2
    3
      app/controllers/my_controller.rb
  3. 10
    2
      app/models/token.rb
  4. 22
    2
      app/models/user.rb
  5. 3
    0
      config/environments/test.rb
  6. 10
    0
      db/migrate/20151024082034_add_tokens_updated_on.rb
  7. 0
    12
      test/functional/my_controller_test.rb
  8. 138
    0
      test/functional/sessions_controller_test.rb
  9. 0
    132
      test/functional/sessions_test.rb
  10. 40
    28
      test/integration/account_test.rb
  11. 97
    0
      test/integration/sessions_test.rb
  12. 13
    0
      test/unit/token_test.rb

+ 5
- 29
app/controllers/application_controller.rb View File

@@ -51,7 +51,7 @@ class ApplicationController < ActionController::Base
end
end

before_filter :session_expiration, :user_setup, :force_logout_if_password_changed, :check_if_login_required, :check_password_change, :set_localization
before_filter :session_expiration, :user_setup, :check_if_login_required, :check_password_change, :set_localization

rescue_from ::Unauthorized, :with => :deny_access
rescue_from ::ActionView::MissingTemplate, :with => :missing_template
@@ -63,36 +63,23 @@ class ApplicationController < ActionController::Base
include Redmine::SudoMode::Controller

def session_expiration
if session[:user_id]
if session[:user_id] && Rails.application.config.redmine_verify_sessions != false
if session_expired? && !try_to_autologin
set_localization(User.active.find_by_id(session[:user_id]))
self.logged_user = nil
flash[:error] = l(:error_session_expired)
require_login
else
session[:atime] = Time.now.utc.to_i
end
end
end

def session_expired?
if Setting.session_lifetime?
unless session[:ctime] && (Time.now.utc.to_i - session[:ctime].to_i <= Setting.session_lifetime.to_i * 60)
return true
end
end
if Setting.session_timeout?
unless session[:atime] && (Time.now.utc.to_i - session[:atime].to_i <= Setting.session_timeout.to_i * 60)
return true
end
end
false
! User.verify_session_token(session[:user_id], session[:tk])
end

def start_user_session(user)
session[:user_id] = user.id
session[:ctime] = Time.now.utc.to_i
session[:atime] = Time.now.utc.to_i
session[:tk] = user.generate_session_token
if user.must_change_password?
session[:pwd] = '1'
end
@@ -149,18 +136,6 @@ class ApplicationController < ActionController::Base
user
end

def force_logout_if_password_changed
passwd_changed_on = User.current.passwd_changed_on || Time.at(0)
# Make sure we force logout only for web browser sessions, not API calls
# if the password was changed after the session creation.
if session[:user_id] && passwd_changed_on.utc.to_i > session[:ctime].to_i
reset_session
set_localization
flash[:error] = l(:error_session_expired)
redirect_to signin_url
end
end

def autologin_cookie_name
Redmine::Configuration['autologin_cookie_name'].presence || 'autologin'
end
@@ -193,6 +168,7 @@ class ApplicationController < ActionController::Base
if User.current.logged?
cookies.delete(autologin_cookie_name)
Token.delete_all(["user_id = ? AND action = ?", User.current.id, 'autologin'])
Token.delete_all(["user_id = ? AND action = ? AND value = ?", User.current.id, 'session', session[:tk]])
self.logged_user = nil
end
end

+ 2
- 3
app/controllers/my_controller.rb View File

@@ -103,9 +103,8 @@ class MyController < ApplicationController
@user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
@user.must_change_passwd = false
if @user.save
# Reset the session creation time to not log out this session on next
# request due to ApplicationController#force_logout_if_password_changed
session[:ctime] = User.current.passwd_changed_on.utc.to_i
# The session token was destroyed by the password change, generate a new one
session[:tk] = @user.generate_session_token
flash[:notice] = l(:notice_account_password_updated)
redirect_to my_account_path
end

+ 10
- 2
app/models/token.rb View File

@@ -36,7 +36,7 @@ class Token < ActiveRecord::Base

# Delete all expired tokens
def self.destroy_expired
Token.where("action NOT IN (?) AND created_on < ?", ['feeds', 'api'], Time.now - validity_time).delete_all
Token.where("action NOT IN (?) AND created_on < ?", ['feeds', 'api', 'session'], Time.now - validity_time).delete_all
end

# Returns the active user who owns the key for the given action
@@ -79,7 +79,15 @@ class Token < ActiveRecord::Base
# Removes obsolete tokens (same user and action)
def delete_previous_tokens
if user
Token.where(:user_id => user.id, :action => action).delete_all
scope = Token.where(:user_id => user.id, :action => action)
if action == 'session'
ids = scope.order(:updated_on => :desc).offset(9).ids
if ids.any?
Token.delete(ids)
end
else
scope.delete_all
end
end
end
end

+ 22
- 2
app/models/user.rb View File

@@ -394,6 +394,26 @@ class User < Principal
api_token.value
end

# Generates a new session token and returns its value
def generate_session_token
token = Token.create!(:user_id => id, :action => 'session')
token.value
end

# Returns true if token is a valid session token for the user whose id is user_id
def self.verify_session_token(user_id, token)
return false if user_id.blank? || token.blank?

scope = Token.where(:user_id => user_id, :value => token.to_s, :action => 'session')
if Setting.session_lifetime?
scope = scope.where("created_on > ?", Setting.session_lifetime.to_i.minutes.ago)
end
if Setting.session_timeout?
scope = scope.where("updated_on > ?", Setting.session_timeout.to_i.minutes.ago)
end
scope.update_all(:updated_on => Time.now) == 1
end

# Return an array of project ids for which the user has explicitly turned mail notifications on
def notified_projects_ids
@notified_projects_ids ||= memberships.select {|m| m.mail_notification?}.collect(&:project_id)
@@ -764,8 +784,8 @@ class User < Principal
# This helps to keep the account secure in case the associated email account
# was compromised.
def destroy_tokens
if hashed_password_changed?
tokens = ['recovery', 'autologin']
if hashed_password_changed? || (status_changed? && !active?)
tokens = ['recovery', 'autologin', 'session']
Token.where(:user_id => id, :action => tokens).delete_all
end
end

+ 3
- 0
config/environments/test.rb View File

@@ -26,6 +26,9 @@ Rails.application.configure do
# Disable request forgery protection in test environment.
config.action_controller.allow_forgery_protection = false

# Disable sessions verifications in test environment.
config.redmine_verify_sessions = false

# Print deprecation notices to stderr and the Rails logger.
config.active_support.deprecation = [:stderr, :log]


+ 10
- 0
db/migrate/20151024082034_add_tokens_updated_on.rb View File

@@ -0,0 +1,10 @@
class AddTokensUpdatedOn < ActiveRecord::Migration
def self.up
add_column :tokens, :updated_on, :timestamp
Token.update_all("updated_on = created_on")
end

def self.down
remove_column :tokens, :updated_on
end
end

+ 0
- 12
test/functional/my_controller_test.rb View File

@@ -185,18 +185,6 @@ class MyControllerTest < ActionController::TestCase
assert User.try_to_login('jsmith', 'secret123')
end

def test_change_password_kills_other_sessions
@request.session[:ctime] = (Time.now - 30.minutes).utc.to_i

jsmith = User.find(2)
jsmith.passwd_changed_on = Time.now
jsmith.save!

get 'account'
assert_response 302
assert flash[:error].match(/Your session has expired/)
end

def test_change_password_should_redirect_if_user_cannot_change_its_password
User.find(2).update_attribute(:auth_source_id, 1)


+ 138
- 0
test/functional/sessions_controller_test.rb View File

@@ -0,0 +1,138 @@
# Redmine - project management software
# Copyright (C) 2006-2015 Jean-Philippe Lang
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

require File.expand_path('../../test_helper', __FILE__)

class SessionsControllerTest < ActionController::TestCase
include Redmine::I18n
tests WelcomeController

fixtures :users, :email_addresses

def setup
Rails.application.config.redmine_verify_sessions = true
end

def teardown
Rails.application.config.redmine_verify_sessions = false
end

def test_session_token_should_be_updated
created = 10.hours.ago
token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)

get :index, {}, {:user_id => 2, :tk => token.value}
assert_response :success
token.reload
assert_equal created, token.created_on
assert_not_equal created, token.updated_on
assert token.updated_on > created
end

def test_user_session_should_not_be_reset_if_lifetime_and_timeout_disabled
created = 2.years.ago
token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)

with_settings :session_lifetime => '0', :session_timeout => '0' do
get :index, {}, {:user_id => 2, :tk => token.value}
assert_response :success
end
end

def test_user_session_without_token_should_be_reset
get :index, {}, {:user_id => 2}
assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
end

def test_expired_user_session_should_be_reset_if_lifetime_enabled
created = 2.days.ago
token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)

with_settings :session_timeout => '720' do
get :index, {}, {:user_id => 2, :tk => token.value}
assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
end
end

def test_valid_user_session_should_not_be_reset_if_lifetime_enabled
created = 3.hours.ago
token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)

with_settings :session_timeout => '720' do
get :index, {}, {:user_id => 2, :tk => token.value}
assert_response :success
end
end

def test_expired_user_session_should_be_reset_if_timeout_enabled
created = 4.hours.ago
token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)

with_settings :session_timeout => '60' do
get :index, {}, {:user_id => 2, :tk => token.value}
assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
end
end

def test_valid_user_session_should_not_be_reset_if_timeout_enabled
created = 10.minutes.ago
token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)

with_settings :session_timeout => '60' do
get :index, {}, {:user_id => 2, :tk => token.value}
assert_response :success
end
end

def test_expired_user_session_should_be_restarted_if_autologin
created = 2.hours.ago
token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)

with_settings :session_lifetime => '720', :session_timeout => '60', :autologin => 7 do
autologin_token = Token.create!(:user_id => 2, :action => 'autologin', :created_on => 1.day.ago)
@request.cookies['autologin'] = autologin_token.value

get :index, {}, {:user_id => 2, :tk => token.value}
assert_equal 2, session[:user_id]
assert_response :success
assert_not_equal token.value, session[:tk]
end
end

def test_expired_user_session_should_set_locale
set_language_if_valid 'it'
user = User.find(2)
user.language = 'fr'
user.save!
created = 4.hours.ago
token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)

with_settings :session_timeout => '60' do
get :index, {}, {:user_id => user.id, :tk => token.value}
assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
assert_include "Veuillez vous reconnecter", flash[:error]
assert_equal :fr, current_language
end
end

def test_anonymous_session_should_not_be_reset
with_settings :session_lifetime => '720', :session_timeout => '60' do
get :index
assert_response :success
end
end
end

+ 0
- 132
test/functional/sessions_test.rb View File

@@ -1,132 +0,0 @@
# Redmine - project management software
# Copyright (C) 2006-2015 Jean-Philippe Lang
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

require File.expand_path('../../test_helper', __FILE__)

class SessionStartTest < ActionController::TestCase
tests AccountController

fixtures :users

def test_login_should_set_session_timestamps
post :login, :username => 'jsmith', :password => 'jsmith'
assert_response 302
assert_equal 2, session[:user_id]
assert_not_nil session[:ctime]
assert_not_nil session[:atime]
end
end

class SessionsTest < ActionController::TestCase
include Redmine::I18n
tests WelcomeController

fixtures :users, :email_addresses

def test_atime_from_user_session_should_be_updated
created = 2.hours.ago.utc.to_i
get :index, {}, {:user_id => 2, :ctime => created, :atime => created}
assert_response :success
assert_equal created, session[:ctime]
assert_not_equal created, session[:atime]
assert session[:atime] > created
end

def test_user_session_should_not_be_reset_if_lifetime_and_timeout_disabled
with_settings :session_lifetime => '0', :session_timeout => '0' do
get :index, {}, {:user_id => 2}
assert_response :success
end
end

def test_user_session_without_ctime_should_be_reset_if_lifetime_enabled
with_settings :session_lifetime => '720' do
get :index, {}, {:user_id => 2}
assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
end
end

def test_user_session_with_expired_ctime_should_be_reset_if_lifetime_enabled
with_settings :session_timeout => '720' do
get :index, {}, {:user_id => 2, :atime => 2.days.ago.utc.to_i}
assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
end
end

def test_user_session_with_valid_ctime_should_not_be_reset_if_lifetime_enabled
with_settings :session_timeout => '720' do
get :index, {}, {:user_id => 2, :atime => 3.hours.ago.utc.to_i}
assert_response :success
end
end

def test_user_session_without_atime_should_be_reset_if_timeout_enabled
with_settings :session_timeout => '60' do
get :index, {}, {:user_id => 2}
assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
end
end

def test_user_session_with_expired_atime_should_be_reset_if_timeout_enabled
with_settings :session_timeout => '60' do
get :index, {}, {:user_id => 2, :atime => 4.hours.ago.utc.to_i}
assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
end
end

def test_user_session_with_valid_atime_should_not_be_reset_if_timeout_enabled
with_settings :session_timeout => '60' do
get :index, {}, {:user_id => 2, :atime => 10.minutes.ago.utc.to_i}
assert_response :success
end
end

def test_expired_user_session_should_be_restarted_if_autologin
with_settings :session_lifetime => '720', :session_timeout => '60', :autologin => 7 do
token = Token.create!(:user_id => 2, :action => 'autologin', :created_on => 1.day.ago)
@request.cookies['autologin'] = token.value
created = 2.hours.ago.utc.to_i

get :index, {}, {:user_id => 2, :ctime => created, :atime => created}
assert_equal 2, session[:user_id]
assert_response :success
assert_not_equal created, session[:ctime]
assert session[:ctime] >= created
end
end

def test_expired_user_session_should_set_locale
set_language_if_valid 'it'
user = User.find(2)
user.language = 'fr'
user.save!

with_settings :session_timeout => '60' do
get :index, {}, {:user_id => user.id, :atime => 4.hours.ago.utc.to_i}
assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
assert_include "Veuillez vous reconnecter", flash[:error]
assert_equal :fr, current_language
end
end

def test_anonymous_session_should_not_be_reset
with_settings :session_lifetime => '720', :session_timeout => '60' do
get :index
assert_response :success
end
end
end

+ 40
- 28
test/integration/account_test.rb View File

@@ -30,35 +30,47 @@ class AccountTest < Redmine::IntegrationTest
assert_template "my/account"
end

def test_login_should_set_session_token
assert_difference 'Token.count' do
log_user('jsmith', 'jsmith')

assert_equal 2, session[:user_id]
assert_not_nil session[:tk]
end
end

def test_autologin
user = User.find(1)
Setting.autologin = "7"
Token.delete_all

# User logs in with 'autologin' checked
post '/login', :username => user.login, :password => 'admin', :autologin => 1
assert_redirected_to '/my/page'
token = Token.first
assert_not_nil token
assert_equal user, token.user
assert_equal 'autologin', token.action
assert_equal user.id, session[:user_id]
assert_equal token.value, cookies['autologin']

# Session is cleared
reset!
User.current = nil
# Clears user's last login timestamp
user.update_attribute :last_login_on, nil
assert_nil user.reload.last_login_on

# User comes back with user's autologin cookie
cookies[:autologin] = token.value
get '/my/page'
assert_response :success
assert_template 'my/page'
assert_equal user.id, session[:user_id]
assert_not_nil user.reload.last_login_on
with_settings :autologin => '7' do
assert_difference 'Token.count', 2 do
# User logs in with 'autologin' checked
post '/login', :username => user.login, :password => 'admin', :autologin => 1
assert_redirected_to '/my/page'
end
token = Token.where(:action => 'autologin').order(:id => :desc).first
assert_not_nil token
assert_equal user, token.user
assert_equal 'autologin', token.action
assert_equal user.id, session[:user_id]
assert_equal token.value, cookies['autologin']
# Session is cleared
reset!
User.current = nil
# Clears user's last login timestamp
user.update_attribute :last_login_on, nil
assert_nil user.reload.last_login_on
# User comes back with user's autologin cookie
cookies[:autologin] = token.value
get '/my/page'
assert_response :success
assert_template 'my/page'
assert_equal user.id, session[:user_id]
assert_not_nil user.reload.last_login_on
end
end

def test_autologin_should_use_autologin_cookie_name
@@ -69,7 +81,7 @@ class AccountTest < Redmine::IntegrationTest
Redmine::Configuration.stubs(:[]).with('sudo_mode_timeout').returns(15)

with_settings :autologin => '7' do
assert_difference 'Token.count' do
assert_difference 'Token.count', 2 do
post '/login', :username => 'admin', :password => 'admin', :autologin => 1
assert_response 302
end
@@ -82,7 +94,7 @@ class AccountTest < Redmine::IntegrationTest
get '/my/page'
assert_response :success

assert_difference 'Token.count', -1 do
assert_difference 'Token.count', -2 do
post '/logout'
end
assert cookies['custom_autologin'].blank?
@@ -119,7 +131,7 @@ class AccountTest < Redmine::IntegrationTest
assert_equal 'Password was successfully updated.', flash[:notice]

log_user('jsmith', 'newpass123')
assert_equal 0, Token.count
assert_equal false, Token.exists?(token.id), "Password recovery token was not deleted"
end

def test_user_with_must_change_passwd_should_be_forced_to_change_its_password

+ 97
- 0
test/integration/sessions_test.rb View File

@@ -0,0 +1,97 @@
# Redmine - project management software
# Copyright (C) 2006-2015 Jean-Philippe Lang
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

require File.expand_path('../../test_helper', __FILE__)

class SessionsTest < Redmine::IntegrationTest
fixtures :users, :email_addresses, :roles

def setup
Rails.application.config.redmine_verify_sessions = true
end

def teardown
Rails.application.config.redmine_verify_sessions = false
end

def test_change_password_kills_sessions
log_user('jsmith', 'jsmith')

jsmith = User.find(2)
jsmith.password = "somenewpassword"
jsmith.save!

get '/my/account'
assert_response 302
assert flash[:error].match(/Your session has expired/)
end

def test_lock_user_kills_sessions
log_user('jsmith', 'jsmith')

jsmith = User.find(2)
assert jsmith.lock!
assert jsmith.activate!

get '/my/account'
assert_response 302
assert flash[:error].match(/Your session has expired/)
end

def test_update_user_does_not_kill_sessions
log_user('jsmith', 'jsmith')

jsmith = User.find(2)
jsmith.firstname = 'Robert'
jsmith.save!

get '/my/account'
assert_response 200
end

def test_change_password_generates_a_new_token_for_current_session
log_user('jsmith', 'jsmith')
assert_not_nil token = session[:tk]

get '/my/password'
assert_response 200
post '/my/password', :password => 'jsmith',
:new_password => 'secret123',
:new_password_confirmation => 'secret123'
assert_response 302
assert_not_equal token, session[:tk]

get '/my/account'
assert_response 200
end

def test_simultaneous_sessions_should_be_valid
first = open_session do |session|
session.post "/login", :username => 'jsmith', :password => 'jsmith'
end
other = open_session do |session|
session.post "/login", :username => 'jsmith', :password => 'jsmith'
end

first.get '/my/account'
assert_equal 200, first.response.response_code
first.post '/logout'

other.get '/my/account'
assert_equal 200, other.response.response_code
end
end

+ 13
- 0
test/unit/token_test.rb View File

@@ -36,6 +36,19 @@ class TokenTest < ActiveSupport::TestCase
assert Token.exists?(t2.id)
end

def test_create_session_token_should_keep_last_10_tokens
Token.delete_all
user = User.find(1)

assert_difference 'Token.count', 10 do
10.times { Token.create!(:user => user, :action => 'session') }
end

assert_no_difference 'Token.count' do
Token.create!(:user => user, :action => 'session')
end
end

def test_destroy_expired_should_not_destroy_feeds_and_api_tokens
Token.delete_all


Write Preview
Loading…
Cancel
Save