diff --git a/alembic/versions/ab1167fc8260_add_user_last_session_id.py b/alembic/versions/ab1167fc8260_add_user_last_session_id.py new file mode 100644 index 00000000..b1039571 --- /dev/null +++ b/alembic/versions/ab1167fc8260_add_user_last_session_id.py @@ -0,0 +1,28 @@ +"""add_user_last_session_id + +Revision ID: ab1167fc8260 +Revises: c5deba1826be +Create Date: 2019-05-15 16:25:48.766451 + +""" +from alembic import op +import sqlalchemy as sa +from sqlalchemy.dialects import postgresql + +# revision identifiers, used by Alembic. +revision = 'ab1167fc8260' +down_revision = 'c5deba1826be' +branch_labels = None +depends_on = None + + +def upgrade(): + # ### commands auto generated by Alembic - please adjust! ### + op.add_column('users', sa.Column('last_session_id', postgresql.UUID(as_uuid=True), nullable=True)) + # ### end Alembic commands ### + + +def downgrade(): + # ### commands auto generated by Alembic - please adjust! ### + op.drop_column('users', 'last_session_id') + # ### end Alembic commands ### diff --git a/atst/app.py b/atst/app.py index c729c65a..ccecd534 100644 --- a/atst/app.py +++ b/atst/app.py @@ -2,7 +2,7 @@ import os import re import pathlib from configparser import ConfigParser -from flask import Flask, request, g +from flask import Flask, request, g, session from flask_session import Session import redis from unipath import Path @@ -30,6 +30,7 @@ from atst.utils.form_cache import FormCache from atst.utils.json import CustomJSONEncoder from atst.queue import queue from atst.utils.notification_sender import NotificationSender +from atst.utils.session_limiter import SessionLimiter from logging.config import dictConfig from atst.utils.logging import JsonFormatter, RequestContextFilter @@ -70,6 +71,7 @@ def make_app(config): db.init_app(app) csrf.init_app(app) Session(app) + make_session_limiter(app, session, config) assets_environment.init_app(app) make_error_pages(app) @@ -162,6 +164,9 @@ def map_config(config): "DISABLE_CRL_CHECK": config.getboolean("default", "DISABLE_CRL_CHECK"), "CRL_FAIL_OPEN": config.getboolean("default", "CRL_FAIL_OPEN"), "LOG_JSON": config.getboolean("default", "LOG_JSON"), + "LIMIT_CONCURRENT_SESSIONS": config.getboolean( + "default", "LIMIT_CONCURRENT_SESSIONS" + ), } @@ -253,6 +258,10 @@ def make_notification_sender(app): app.notification_sender = NotificationSender(queue) +def make_session_limiter(app, session, config): + app.session_limiter = SessionLimiter(config, session, app.redis) + + def apply_json_logger(): dictConfig( { diff --git a/atst/domain/users.py b/atst/domain/users.py index baf5acb0..daf69c68 100644 --- a/atst/domain/users.py +++ b/atst/domain/users.py @@ -89,6 +89,12 @@ class Users(object): db.session.add(user) db.session.commit() + @classmethod + def update_last_session_id(cls, user, session_id): + user.last_session_id = session_id + db.session.add(user) + db.session.commit() + @classmethod def finalize(cls, user): user.provisional = False diff --git a/atst/models/user.py b/atst/models/user.py index c1693a37..61ba0c79 100644 --- a/atst/models/user.py +++ b/atst/models/user.py @@ -58,6 +58,7 @@ class User( designation = Column(String) date_latest_training = Column(Date) last_login = Column(TIMESTAMP(timezone=True), nullable=True) + last_session_id = Column(UUID(as_uuid=True), nullable=True) provisional = Column(Boolean) diff --git a/atst/routes/__init__.py b/atst/routes/__init__.py index f923517f..94acb897 100644 --- a/atst/routes/__init__.py +++ b/atst/routes/__init__.py @@ -8,9 +8,9 @@ from flask import ( url_for, request, make_response, + current_app as app, ) -from flask import current_app as app from jinja2.exceptions import TemplateNotFound import pendulum import os @@ -125,6 +125,7 @@ def redirect_after_login_url(): def current_user_setup(user): session["user_id"] = user.id session["last_login"] = user.last_login + app.session_limiter.on_login(user) Users.update_last_login(user) diff --git a/atst/utils/session_limiter.py b/atst/utils/session_limiter.py new file mode 100644 index 00000000..cae43c5d --- /dev/null +++ b/atst/utils/session_limiter.py @@ -0,0 +1,19 @@ +from atst.domain.users import Users + + +class SessionLimiter(object): + def __init__(self, config, session, redis): + self.limit_logins = config["LIMIT_CONCURRENT_SESSIONS"] + self.session = session + self.redis = redis + + def on_login(self, user): + if not self.limit_logins: + return + + session_id = self.session.sid + self._delete_session(user.last_session_id) + Users.update_last_session_id(user, session_id) + + def _delete_session(self, session_id): + self.redis.delete("session:{}".format(session_id)) diff --git a/config/base.ini b/config/base.ini index 36f1e0a7..ce98fbf2 100644 --- a/config/base.ini +++ b/config/base.ini @@ -34,3 +34,4 @@ STORAGE_SECRET='' STORAGE_PROVIDER=LOCAL STORAGE_CRL_ARCHIVE_NAME = dod_crls.tar.bz WTF_CSRF_ENABLED = true +LIMIT_CONCURRENT_SESSIONS = false diff --git a/config/prod.ini b/config/prod.ini index bbbf8f8b..ebc1dc40 100644 --- a/config/prod.ini +++ b/config/prod.ini @@ -1,3 +1,4 @@ [default] SESSION_COOKIE_SECURE=True SESSION_COOKIE_DOMAIN=atat.codes +LIMIT_CONCURRENT_SESSIONS=True diff --git a/tests/utils/test_logging.py b/tests/utils/test_logging.py index cb8198d3..fd934d07 100644 --- a/tests/utils/test_logging.py +++ b/tests/utils/test_logging.py @@ -2,6 +2,7 @@ from io import StringIO import json import logging from uuid import uuid4 +from unittest.mock import Mock import pytest @@ -62,13 +63,16 @@ def test_json_formatter_for_exceptions(logger, log_stream_content): assert log.get("details") -def test_request_context_filter(logger, log_stream_content, request_ctx): - user = UserFactory.create() - uuid = str(uuid4()) +def test_request_context_filter(logger, log_stream_content, request_ctx, monkeypatch): + request_uuid = str(uuid4()) + user_uuid = str(uuid4()) - request_ctx.g.current_user = user - request_ctx.request.environ["HTTP_X_REQUEST_ID"] = uuid + user = Mock(spec=["id"]) + user.id = user_uuid + + monkeypatch.setattr("atst.utils.logging.g", Mock(current_user=user)) + request_ctx.request.environ["HTTP_X_REQUEST_ID"] = request_uuid logger.info("this user is doing something") log = json.loads(log_stream_content()) - assert log["user_id"] == str(user.id) - assert log["request_id"] == uuid + assert log["user_id"] == str(user_uuid) + assert log["request_id"] == request_uuid diff --git a/tests/utils/test_session_limiter.py b/tests/utils/test_session_limiter.py new file mode 100644 index 00000000..4595d4e3 --- /dev/null +++ b/tests/utils/test_session_limiter.py @@ -0,0 +1,51 @@ +import pytest +from redis import Redis +from unittest.mock import Mock +from uuid import uuid4 + +from atst.utils.session_limiter import SessionLimiter +from tests.factories import UserFactory +from atst.models.user import User + + +@pytest.fixture +def mock_redis(): + return Mock(spec=Redis) + + +@pytest.fixture +def mock_session(): + mock = Mock(spec=["sid"]) + mock.sid = uuid4() + return mock + + +def test_session_limiter_deletes_users_old_session(mock_redis, mock_session): + last_session_id = uuid4() + current_session_id = uuid4() + + mock_session.sid = current_session_id + + session_limiter = SessionLimiter( + {"LIMIT_CONCURRENT_SESSIONS": True}, mock_session, mock_redis + ) + user = UserFactory.create(last_session_id=last_session_id) + session_limiter.on_login(user) + + mock_redis.delete.assert_called_with("session:{}".format(last_session_id)) + + +def test_session_limiter_updates_users_last_sesion_id(mock_redis, mock_session, db): + last_session_id = uuid4() + current_session_id = uuid4() + + mock_session.sid = current_session_id + + session_limiter = SessionLimiter( + {"LIMIT_CONCURRENT_SESSIONS": True}, mock_session, mock_redis + ) + user = UserFactory.create(last_session_id=last_session_id) + session_limiter.on_login(user) + + user = db.session.query(User).get(user.id) + assert user.last_session_id == current_session_id