Expire session when update user password (#15219)
ruanwenjun authored Nov 26, 2023
1 parent 0016b96 commit 12f8138
Showing 25 changed files with 326 additions and 473 deletions.
Expand Up @@ -34,6 +34,7 @@
import org.apache.dolphinscheduler.common.enums.UserType;
import org.apache.dolphinscheduler.common.utils.JSONUtils;
import org.apache.dolphinscheduler.common.utils.OkHttpUtils;
import org.apache.dolphinscheduler.dao.entity.Session;
import org.apache.dolphinscheduler.dao.entity.User;

import org.apache.commons.lang3.StringUtils;
Expand Down Expand Up @@ -160,20 +161,13 @@ public Result ssoLogin(HttpServletRequest request) {
return Result.success();
}

/**
* sign out
*
* @param loginUser login user
* @param request request
* @return sign out result
*/
@Operation(summary = "signOut", description = "SIGNOUT_NOTES")
@PostMapping(value = "/signOut")
@ApiException(SIGN_OUT_ERROR)
public Result signOut(@Parameter(hidden = true) @RequestAttribute(value = Constants.SESSION_USER) User loginUser,
HttpServletRequest request) {
String ip = getClientIpAddress(request);
sessionService.signOut(ip, loginUser);
sessionService.expireSession(loginUser.getId());
// clear session
request.removeAttribute(Constants.SESSION_USER);
return success();
Expand Down Expand Up @@ -244,13 +238,10 @@ public void loginByAuth2(@RequestParam String code, @RequestParam String provide
if (user == null) {
user = usersService.createUser(UserType.GENERAL_USER, username, null);
}
String sessionId = sessionService.createSession(user, null);
if (sessionId == null) {
log.error("Failed to create session, userName:{}.", user.getUserName());
}
Session session = sessionService.createSessionIfAbsent(user);
response.setStatus(HttpStatus.SC_MOVED_TEMPORARILY);
response.sendRedirect(String.format("%s?sessionId=%s&authType=%s", oAuth2ClientProperties.getCallbackUrl(),
sessionId, "oauth2"));
session.getId(), "oauth2"));
} catch (Exception ex) {
log.error(ex.getMessage(), ex);
response.setStatus(HttpStatus.SC_MOVED_TEMPORARILY);
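Review bot: `Session session = sessionService.createSessionIfAbsent(user);` in loginByAuth2 is dereferenced two lines later (`session.getId()`) with no null check, whereas the same call in AbstractAuthenticator.authenticate guards `session == null` and returns LOGIN_SESSION_FAILED. If the service can return null here, the redirect fails with a NullPointerException that is only caught by the generic `catch (Exception ex)` and surfaces as a stack trace instead of the former explicit `Failed to create session, userName:{}` message. Either document on SessionService that createSessionIfAbsent never returns null, or keep the guard: `if (session == null) { log.error("Failed to create session, userName:{}.", user.getUserName()); return; }` ahead of the redirect. The redirect also still carries the session id in the URL query string, where it lands in browser history and access logs; that is pre-existing, but worth tracking since this commit is about session lifecycle.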
Expand Up @@ -76,18 +76,6 @@ public class UsersController extends BaseController {
@Autowired
private UsersService usersService;

/**
* create user
*
* @param loginUser login user
* @param userName user name
* @param userPassword user password
* @param email email
* @param tenantId tenant id
* @param phone phone
* @param queue queue
* @return create result code
*/
@Operation(summary = "createUser", description = "CREATE_USER_NOTES")
@Parameters({
@Parameter(name = "userName", description = "USER_NAME", required = true, schema = @Schema(implementation = String.class)),
Expand Down Expand Up @@ -172,19 +160,27 @@ public Result queryUserList(@Parameter(hidden = true) @RequestAttribute(value =
@PostMapping(value = "/update")
@ResponseStatus(HttpStatus.OK)
@ApiException(UPDATE_USER_ERROR)
public Result updateUser(@Parameter(hidden = true) @RequestAttribute(value = Constants.SESSION_USER) User loginUser,
@RequestParam(value = "id") int id,
@RequestParam(value = "userName") String userName,
@RequestParam(value = "userPassword") String userPassword,
@RequestParam(value = "queue", required = false, defaultValue = "") String queue,
@RequestParam(value = "email") String email,
@RequestParam(value = "tenantId") int tenantId,
@RequestParam(value = "phone", required = false) String phone,
@RequestParam(value = "state", required = false) int state,
@RequestParam(value = "timeZone", required = false) String timeZone) throws Exception {
Map<String, Object> result = usersService.updateUser(loginUser, id, userName, userPassword, email, tenantId,
phone, queue, state, timeZone);
return returnDataList(result);
public Result<User> updateUser(@Parameter(hidden = true) @RequestAttribute(value = Constants.SESSION_USER) User loginUser,
@RequestParam(value = "id") int id,
@RequestParam(value = "userName") String userName,
@RequestParam(value = "userPassword") String userPassword,
@RequestParam(value = "queue", required = false, defaultValue = "") String queue,
@RequestParam(value = "email") String email,
@RequestParam(value = "tenantId") int tenantId,
@RequestParam(value = "phone", required = false) String phone,
@RequestParam(value = "state", required = false) int state,
@RequestParam(value = "timeZone", required = false) String timeZone) throws Exception {
User user = usersService.updateUser(loginUser,
id,
userName,
userPassword,
email,
tenantId,
phone,
queue,
state,
timeZone);
return Result.success(user);
}

/**
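Review bot: `updateUser` now returns `Result.success(user)` with the full `User` entity, so whatever that entity carries — including the password column, if `User` maps it — is serialized into the response body of the very request that just set a new password. Confirm the field is excluded from JSON serialization or return a response DTO without it; the previous `Map<String, Object>` result did not echo the entity. Separately, `@RequestParam(value = "state", required = false) int state` binds an optional parameter to a primitive that Spring cannot set to null, so an omitted `state` fails the request rather than being optional; `Integer state` or a `defaultValue` would match the declared optionality (this is carried over from the old code, not introduced here). The method also declares `throws Exception` while the service method it calls declares `throws IOException`; narrowing it documents the real failure mode.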
Expand Up @@ -24,16 +24,19 @@

import javax.servlet.http.HttpServletRequest;

import lombok.NonNull;

public interface Authenticator {

/**
* Verifying legality via username and password
*
* @param username user name
* @param password user password
* @param extra extra info
* @param ip client ip
* @return result object
*/
Result<Map<String, String>> authenticate(String username, String password, String extra);
Result<Map<String, String>> authenticate(@NonNull String username, String password, @NonNull String ip);

/**
* Get authenticated user
Expand Up @@ -29,15 +29,20 @@
import org.apache.dolphinscheduler.dao.entity.Session;
import org.apache.dolphinscheduler.dao.entity.User;

import org.apache.commons.lang3.StringUtils;

import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

import lombok.NonNull;
import lombok.extern.slf4j.Slf4j;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.util.WebUtils;

@Slf4j
public abstract class AbstractAuthenticator implements Authenticator {
Expand All @@ -56,15 +61,14 @@ public abstract class AbstractAuthenticator implements Authenticator {
*
* @param userId user identity field
* @param password user login password
* @param extra extra user login field
* @return user object in databse
*/
public abstract User login(String userId, String password, String extra);
public abstract User login(@NonNull String userId, String password);

@Override
public Result<Map<String, String>> authenticate(String userId, String password, String extra) {
public Result<Map<String, String>> authenticate(@NonNull String userId, String password, @NonNull String ip) {
Result<Map<String, String>> result = new Result<>();
User user = login(userId, password, extra);
User user = login(userId, password);
if (user == null) {
if (Objects.equals(securityConfig.getType(), AuthenticationType.CASDOOR_SSO.name())) {
log.error("State or code entered incorrectly.");
Expand All @@ -87,9 +91,8 @@ public Result<Map<String, String>> authenticate(String userId, String password,
}

// create session
String sessionId = sessionService.createSession(user, extra);
if (sessionId == null) {
log.error("Failed to create session, userName:{}.", user.getUserName());
Session session = sessionService.createSessionIfAbsent(user);
if (session == null) {
result.setCode(Status.LOGIN_SESSION_FAILED.getCode());
result.setMsg(Status.LOGIN_SESSION_FAILED.getMsg());
return result;
Expand All @@ -98,7 +101,7 @@ public Result<Map<String, String>> authenticate(String userId, String password,
log.info("Session is created, userName:{}.", user.getUserName());

Map<String, String> data = new HashMap<>();
data.put(Constants.SESSION_ID, sessionId);
data.put(Constants.SESSION_ID, session.getId());
data.put(Constants.SECURITY_CONFIG_TYPE, securityConfig.getType());

result.setData(data);
Expand All @@ -109,9 +112,15 @@ public Result<Map<String, String>> authenticate(String userId, String password,

@Override
public User getAuthUser(HttpServletRequest request) {
Session session = sessionService.getSession(request);
String sessionId = request.getHeader(Constants.SESSION_ID);
if (StringUtils.isBlank(sessionId)) {
Cookie cookie = WebUtils.getCookie(request, Constants.SESSION_ID);
if (cookie != null) {
sessionId = cookie.getValue();
}
}
Session session = sessionService.getSession(sessionId);
if (session == null) {
log.info("session info is null ");
return null;
}
// get user object from session
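Review bot: In getAuthUser, `sessionId` can still be blank after the header and cookie lookups (neither present), yet `sessionService.getSession(sessionId)` is called with it; add `if (StringUtils.isBlank(sessionId)) { return null; }` before the lookup so an anonymous request never reaches the session store with a null key. In authenticate, the new `@NonNull String ip` parameter is not used in the visible lines (`login(userId, password)` no longer receives it); if the collapsed part of the method does not use it either, the annotation makes callers fail on an argument that has no effect, so either drop it from the Authenticator interface or document what it is for. The log line `Session is created, userName:{}.` now also fires when createSessionIfAbsent hands back an existing session, which is misleading when auditing logins; `Session resolved, userName:{}.` would match the new semantics.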
Expand Up @@ -20,6 +20,8 @@
import org.apache.dolphinscheduler.api.security.impl.AbstractAuthenticator;
import org.apache.dolphinscheduler.dao.entity.User;

import lombok.NonNull;

import org.springframework.beans.factory.annotation.Autowired;

public class LdapAuthenticator extends AbstractAuthenticator {
Expand All @@ -28,7 +30,7 @@ public class LdapAuthenticator extends AbstractAuthenticator {
LdapService ldapService;

@Override
public User login(String userId, String password, String extra) {
public User login(@NonNull String userId, String password) {
User user = null;
String ldapEmail = ldapService.ldapLogin(userId, password);
if (ldapEmail != null) {
Expand Up @@ -23,7 +23,7 @@
public class PasswordAuthenticator extends AbstractAuthenticator {

@Override
public User login(String userId, String password, String extra) {
public User login(String userId, String password) {
return userService.queryUser(userId, password);
}
}
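Review bot: `public User login(String userId, String password)` omits the `@NonNull` on `userId` that the abstract declaration (`login(@NonNull String userId, String password)`) and the LDAP and Casdoor overrides carry, so this is the only implementation that forwards a null userId to `userService.queryUser`. For consistency write `public User login(@NonNull String userId, String password)` and import `lombok.NonNull` as the sibling files in this commit do.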
Expand Up @@ -27,6 +27,8 @@

import javax.servlet.http.HttpServletRequest;

import lombok.NonNull;

import org.casbin.casdoor.entity.CasdoorUser;
import org.casbin.casdoor.service.CasdoorAuthService;
import org.springframework.beans.factory.annotation.Autowired;
Expand All @@ -46,7 +48,7 @@ public class CasdoorAuthenticator extends AbstractSsoAuthenticator {
private String adminUserName;

@Override
public User login(String state, String code, String extra) {
public User login(@NonNull String state, String code) {
ServletRequestAttributes servletRequestAttributes =
(ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
if (servletRequestAttributes == null) {
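Review bot: The override `login(@NonNull String state, String code)` renames the inherited `userId`/`password` parameters to `state`/`code`, so the Javadoc inherited from AbstractAuthenticator (`@param userId user identity field`, `@param password user login password`) no longer describes what this method receives. Add a short Javadoc on the override stating what `state` and `code` are (presumably the SSO callback parameters — confirm) and what is returned when `RequestContextHolder.getRequestAttributes()` yields null, since the method branches on `servletRequestAttributes == null`. The rest of the method body is outside the hunk.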
Expand Up @@ -20,36 +20,13 @@
import org.apache.dolphinscheduler.dao.entity.Session;
import org.apache.dolphinscheduler.dao.entity.User;

import javax.servlet.http.HttpServletRequest;

/**
* session service
*/
public interface SessionService {

/**
* get user session from request
*
* @param request request
* @return session
*/
Session getSession(HttpServletRequest request);
Session getSession(String sessionId);

Session createSessionIfAbsent(User user);

/**
* create session
*
* @param user user
* @param ip ip
* @return session string
*/
String createSession(User user, String ip);
void expireSession(Integer userId);

/**
* sign out
* remove ip restrictions
*
* @param ip no use
* @param loginUser login user
*/
void signOut(String ip, User loginUser);
boolean isSessionExpire(Session session);
}
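Review bot: The rewritten interface drops every Javadoc and leaves `getSession(String sessionId)`, `createSessionIfAbsent(User user)`, `expireSession(Integer userId)` and `isSessionExpire(Session session)` without a stated contract, although callers in this same commit already disagree on it: AbstractAuthenticator.authenticate null-checks the result of createSessionIfAbsent while LoginController.loginByAuth2 dereferences it directly. Document at least whether createSessionIfAbsent can return null, whether an existing-but-expired session is reused or replaced, what `getSession` does for a null or unknown id, and whether `expireSession` invalidates all sessions of the user, which is the behaviour the commit title depends on. For example, above `expireSession`: `/** Invalidates every session belonging to {@code userId}; requests carrying those session ids are rejected afterwards. */` (adjust to the implementation, which is not on this page).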
Expand Up @@ -114,24 +114,16 @@ User createUser(String userName, String userPassword, String email,
*/
Result queryUserList(User loginUser, String searchVal, Integer pageNo, Integer pageSize);

/**
* updateProcessInstance user
*
*
* @param loginUser
* @param userId user id
* @param userName user name
* @param userPassword user password
* @param email email
* @param tenantId tennat id
* @param phone phone
* @param queue queue
* @return update result code
* @throws Exception exception
*/
Map<String, Object> updateUser(User loginUser, int userId, String userName, String userPassword, String email,
int tenantId, String phone, String queue, int state,
String timeZone) throws IOException;
User updateUser(User loginUser,
Integer userId,
String userName,
String userPassword,
String email,
Integer tenantId,
String phone,
String queue,
int state,
String timeZone) throws IOException;

/**
* delete user
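Review bot: The new `updateUser` signature boxes `userId` and `tenantId` to `Integer` but keeps `int state`, and all parameter documentation was removed, so the contract that matters for this commit — what happens to the user's sessions when `userPassword` is non-blank — is stated nowhere on the interface. Add a Javadoc such as `@param userPassword new password, or blank to keep the current one; when it changes, the user's existing sessions are expired` (confirm against the implementation, which is outside this page) and `@return the updated user`. If `userId` and `tenantId` are meant to be nullable, say so; otherwise `int` keeps the controller's autoboxing out of the call and matches `state`.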