influxdb/session.go

package influxdb

import (
	"context"
	"time"

	"github.com/influxdata/influxdb/v2/kit/platform"
	"github.com/influxdata/influxdb/v2/kit/platform/errors"
)

// ErrSessionNotFound is the error messages for a missing sessions.
const ErrSessionNotFound = "session not found"

// ErrSessionExpired is the error message for expired sessions.
const ErrSessionExpired = "session has expired"

// RenewSessionTime is the time to extend session, currently set to 5min.
var RenewSessionTime = time.Duration(time.Second * 300)

// DefaultSessionLength is the default session length on initial creation.
var DefaultSessionLength = time.Hour

var (
	// OpFindSession represents the operation that looks for sessions.
	OpFindSession = "FindSession"
	// OpExpireSession represents the operation that expires sessions.
	OpExpireSession = "ExpireSession"
	// OpCreateSession represents the operation that creates a session for a given user.
	OpCreateSession = "CreateSession"
	// OpRenewSession = "RenewSession"
	OpRenewSession = "RenewSession"
)

// SessionAuthorizationKind defines the type of authorizer
const SessionAuthorizationKind = "session"

// Session is a user session.
type Session struct {
	// ID is only required for auditing purposes.
	ID          platform.ID  `json:"id"`
	Key         string       `json:"key"`
	CreatedAt   time.Time    `json:"createdAt"`
	ExpiresAt   time.Time    `json:"expiresAt"`
	UserID      platform.ID  `json:"userID,omitempty"`
	Permissions []Permission `json:"permissions,omitempty"`
}

// Expired returns an error if the session is expired.
func (s *Session) Expired() error {
	if time.Now().After(s.ExpiresAt) {
		return &errors.Error{
			Code: errors.EForbidden,
			Msg:  ErrSessionExpired,
		}
	}

	return nil
}

// PermissionSet returns the set of permissions associated with the session.
func (s *Session) PermissionSet() (PermissionSet, error) {
	if err := s.Expired(); err != nil {
		return nil, &errors.Error{
			Code: errors.EUnauthorized,
			Err:  err,
		}
	}

	return s.Permissions, nil
}

// Kind returns session and is used for auditing.
func (s *Session) Kind() string { return SessionAuthorizationKind }

// Identifier returns the sessions ID and is used for auditing.
func (s *Session) Identifier() platform.ID { return s.ID }

// GetUserID returns the user id.
func (s *Session) GetUserID() platform.ID {
	return s.UserID
}

// EphemeralAuth generates an Authorization that is not stored
// but at the user's max privs.
func (s *Session) EphemeralAuth(orgID platform.ID) *Authorization {
	return &Authorization{
		ID:          s.ID,
		OrgID:       orgID,
		Status:      Active,
		UserID:      s.UserID,
		Permissions: s.Permissions,
	}
}

// SessionService represents a service for managing user sessions.
type SessionService interface {
	FindSession(ctx context.Context, key string) (*Session, error)
	ExpireSession(ctx context.Context, key string) error
	CreateSession(ctx context.Context, user string) (*Session, error)
	// TODO: update RenewSession to take a ID instead of a session.
	// By taking a session object it could be confused to update more things about the session
	RenewSession(ctx context.Context, session *Session, newExpiration time.Time) error
}
chore: rename imports from platform to influxdb I did this with a dumb editor macro, so some comments changed too. Also rename root package from platform to influxdb. In interest of minimizing risk, anyone importing the root package has now aliased it to "platform" so that no changes beyond imports were necessary in those files. Lastly, replace the old platform module to local path /dev/null so that nobody can accidentally reintroduce a platform dependency while migrating platform code to influxdb. 2019-01-08 00:37:16 +00:00			`package influxdb`
feat(platform): add session service 2018-09-25 19:13:38 +00:00
			`import (`
			`"context"`
			`"time"`
refactor: automated move of errors and id from root to kit (#21101) Co-authored-by: Sam Arnold <sarnold@influxdata.com> 2021-03-30 18:10:02 +00:00
			`"github.com/influxdata/influxdb/v2/kit/platform"`
			`"github.com/influxdata/influxdb/v2/kit/platform/errors"`
feat(platform): add session service 2018-09-25 19:13:38 +00:00			`)`

feat(session): error constants and variables 2018-12-19 15:24:02 +00:00			`// ErrSessionNotFound is the error messages for a missing sessions.`
			`const ErrSessionNotFound = "session not found"`

			`// ErrSessionExpired is the error message for expired sessions.`
			`const ErrSessionExpired = "session has expired"`

chore: remove duplicate word in comments (#23685) Signed-off-by: Abirdcfly <fp544037857@gmail.com> Signed-off-by: Abirdcfly <fp544037857@gmail.com> 2022-09-09 20:40:21 +00:00			`// RenewSessionTime is the time to extend session, currently set to 5min.`
feat(http): add renew session 2019-01-11 22:07:50 +00:00			`var RenewSessionTime = time.Duration(time.Second * 300)`

feat(authentication): Add cli args for specifying session length and renewal (#13924) Co-authored-by: Jade McGough <jade@influxdata.com> * Add session renew option to launcher and use in middlewhere * pass session options to services * Update SessionAutoRenew to SessionRenewDisabled * Add test for service constructor defaults * Update changelog 2019-05-15 17:16:47 +00:00			`// DefaultSessionLength is the default session length on initial creation.`
			`var DefaultSessionLength = time.Hour`

feat(session): error constants and variables 2018-12-19 15:24:02 +00:00			`var (`
			`// OpFindSession represents the operation that looks for sessions.`
			`OpFindSession = "FindSession"`
			`// OpExpireSession represents the operation that expires sessions.`
			`OpExpireSession = "ExpireSession"`
			`// OpCreateSession represents the operation that creates a session for a given user.`
			`OpCreateSession = "CreateSession"`
feat(http): add renew session 2019-01-11 22:07:50 +00:00			`// OpRenewSession = "RenewSession"`
			`OpRenewSession = "RenewSession"`
feat(session): error constants and variables 2018-12-19 15:24:02 +00:00			`)`

fix: correct various typos (#19987) Co-authored-by: kumakichi <xyesan@gmail.com> 2020-11-11 18:54:21 +00:00			`// SessionAuthorizationKind defines the type of authorizer`
			`const SessionAuthorizationKind = "session"`
Allow session authorization for tasks 2019-02-14 21:47:16 +00:00
feat(platform): add session service 2018-09-25 19:13:38 +00:00			`// Session is a user session.`
			`type Session struct {`
test(http): add signin test 2018-09-26 18:17:03 +00:00			`// ID is only required for auditing purposes.`
refactor: automated move of errors and id from root to kit (#21101) Co-authored-by: Sam Arnold <sarnold@influxdata.com> 2021-03-30 18:10:02 +00:00			ID platform.ID `json:"id"`
feat(platform): add session service 2018-09-25 19:13:38 +00:00			Key string `json:"key"`
			CreatedAt time.Time `json:"createdAt"`
			ExpiresAt time.Time `json:"expiresAt"`
refactor: automated move of errors and id from root to kit (#21101) Co-authored-by: Sam Arnold <sarnold@influxdata.com> 2021-03-30 18:10:02 +00:00			UserID platform.ID `json:"userID,omitempty"`
feat(platform): add session service 2018-09-25 19:13:38 +00:00			Permissions []Permission `json:"permissions,omitempty"`
			`}`

test(bolt): ensure boltdb session service conforms to tests 2018-09-26 19:56:06 +00:00			`// Expired returns an error if the session is expired.`
feat(bolt): add bolt implementation of session service 2018-09-26 18:48:19 +00:00			`func (s *Session) Expired() error {`
			`if time.Now().After(s.ExpiresAt) {`
refactor: automated move of errors and id from root to kit (#21101) Co-authored-by: Sam Arnold <sarnold@influxdata.com> 2021-03-30 18:10:02 +00:00			`return &errors.Error{`
			`Code: errors.EForbidden,`
feat(http): add renew session 2019-01-11 22:07:50 +00:00			`Msg: ErrSessionExpired,`
			`}`
feat(bolt): add bolt implementation of session service 2018-09-26 18:48:19 +00:00			`}`

			`return nil`
			`}`

refactor!: replace authorizer.Allowed method with PermissionSet (#17959) * refactor!: replace Allow method with PermissionSet * chore(changelog): update changelog to reflect changes to authorizer 2020-05-13 11:27:46 +00:00			`// PermissionSet returns the set of permissions associated with the session.`
			`func (s *Session) PermissionSet() (PermissionSet, error) {`
feat(platform): add authorizer interface This iterface is supposed to be something that both sessions and authorizations can share so that other components can authorize requests as they see fit. 2018-09-28 17:02:34 +00:00			`if err := s.Expired(); err != nil {`
refactor: automated move of errors and id from root to kit (#21101) Co-authored-by: Sam Arnold <sarnold@influxdata.com> 2021-03-30 18:10:02 +00:00			`return nil, &errors.Error{`
			`Code: errors.EUnauthorized,`
refactor!: replace authorizer.Allowed method with PermissionSet (#17959) * refactor!: replace Allow method with PermissionSet * chore(changelog): update changelog to reflect changes to authorizer 2020-05-13 11:27:46 +00:00			`Err: err,`
			`}`
feat(platform): add authorizer interface This iterface is supposed to be something that both sessions and authorizations can share so that other components can authorize requests as they see fit. 2018-09-28 17:02:34 +00:00			`}`

refactor!: replace authorizer.Allowed method with PermissionSet (#17959) * refactor!: replace Allow method with PermissionSet * chore(changelog): update changelog to reflect changes to authorizer 2020-05-13 11:27:46 +00:00			`return s.Permissions, nil`
feat(platform): add authorizer interface This iterface is supposed to be something that both sessions and authorizations can share so that other components can authorize requests as they see fit. 2018-09-28 17:02:34 +00:00			`}`

feat(http): add authentication handler middleware 2018-09-28 18:33:35 +00:00			`// Kind returns session and is used for auditing.`
fix: correct various typos (#19987) Co-authored-by: kumakichi <xyesan@gmail.com> 2020-11-11 18:54:21 +00:00			`func (s *Session) Kind() string { return SessionAuthorizationKind }`
feat(http): add authentication handler middleware 2018-09-28 18:33:35 +00:00
			`// Identifier returns the sessions ID and is used for auditing.`
refactor: automated move of errors and id from root to kit (#21101) Co-authored-by: Sam Arnold <sarnold@influxdata.com> 2021-03-30 18:10:02 +00:00			`func (s *Session) Identifier() platform.ID { return s.ID }`
feat(http): add authentication handler middleware 2018-09-28 18:33:35 +00:00
add http for telegraf 2018-10-24 15:13:30 +00:00			`// GetUserID returns the user id.`
refactor: automated move of errors and id from root to kit (#21101) Co-authored-by: Sam Arnold <sarnold@influxdata.com> 2021-03-30 18:10:02 +00:00			`func (s *Session) GetUserID() platform.ID {`
add http for telegraf 2018-10-24 15:13:30 +00:00			`return s.UserID`
			`}`

feat(http): convert user sessions to auth for query service Co-Authored-By: Kelvin Wang <sherkrainwang@gmail.com> Co-Authored-By: Michael Desa <mjdesa@gmail.com> Co-Authored-By: Christopher M. Wolff <chris.wolff@influxdata.com> 2019-03-07 21:32:48 +00:00			`// EphemeralAuth generates an Authorization that is not stored`
			`// but at the user's max privs.`
refactor: automated move of errors and id from root to kit (#21101) Co-authored-by: Sam Arnold <sarnold@influxdata.com> 2021-03-30 18:10:02 +00:00			`func (s Session) EphemeralAuth(orgID platform.ID) Authorization {`
feat(http): convert user sessions to auth for query service Co-Authored-By: Kelvin Wang <sherkrainwang@gmail.com> Co-Authored-By: Michael Desa <mjdesa@gmail.com> Co-Authored-By: Christopher M. Wolff <chris.wolff@influxdata.com> 2019-03-07 21:32:48 +00:00			`return &Authorization{`
			`ID: s.ID,`
			`OrgID: orgID,`
			`Status: Active,`
			`UserID: s.UserID,`
			`Permissions: s.Permissions,`
			`}`
			`}`

feat(platform): add session service 2018-09-25 19:13:38 +00:00			`// SessionService represents a service for managing user sessions.`
			`type SessionService interface {`
			`FindSession(ctx context.Context, key string) (*Session, error)`
			`ExpireSession(ctx context.Context, key string) error`
			`CreateSession(ctx context.Context, user string) (*Session, error)`
feat(session): Build out a new session service (#17950) This new session service has the ability to work independant of other systems it relies on having its own store type which should allow us to be more flexible then using the built in kv system. I have included an in mem session store. 2020-05-11 21:04:11 +00:00			`// TODO: update RenewSession to take a ID instead of a session.`
			`// By taking a session object it could be confused to update more things about the session`
feat(http): add renew session 2019-01-11 22:07:50 +00:00			`RenewSession(ctx context.Context, session *Session, newExpiration time.Time) error`
feat(platform): add session service 2018-09-25 19:13:38 +00:00			`}`