influxdb/session.go

package influxdb

import (
	"context"
	"time"
)

// ErrSessionNotFound is the error messages for a missing sessions.
const ErrSessionNotFound = "session not found"

// ErrSessionExpired is the error message for expired sessions.
const ErrSessionExpired = "session has expired"

// RenewSessionTime is the the time to extend session, currently set to 5min.
var RenewSessionTime = time.Duration(time.Second * 300)

var (
	// OpFindSession represents the operation that looks for sessions.
	OpFindSession = "FindSession"
	// OpExpireSession represents the operation that expires sessions.
	OpExpireSession = "ExpireSession"
	// OpCreateSession represents the operation that creates a session for a given user.
	OpCreateSession = "CreateSession"
	// OpRenewSession = "RenewSession"
	OpRenewSession = "RenewSession"
)

// SessionAuthorizionKind defines the type of authorizer
const SessionAuthorizionKind = "session"

// Session is a user session.
type Session struct {
	// ID is only required for auditing purposes.
	ID          ID           `json:"id"`
	Key         string       `json:"key"`
	CreatedAt   time.Time    `json:"createdAt"`
	ExpiresAt   time.Time    `json:"expiresAt"`
	UserID      ID           `json:"userID,omitempty"`
	Permissions []Permission `json:"permissions,omitempty"`
}

// Expired returns an error if the session is expired.
func (s *Session) Expired() error {
	if time.Now().After(s.ExpiresAt) {
		return &Error{
			Code: EForbidden,
			Msg:  ErrSessionExpired,
		}
	}

	return nil
}

// Allowed returns true if the authorization is unexpired and request permission
// exists in the sessions list of permissions.
func (s *Session) Allowed(p Permission) bool {
	if err := s.Expired(); err != nil {
		return false
	}

	return PermissionAllowed(p, s.Permissions)
}

// Kind returns session and is used for auditing.
func (s *Session) Kind() string { return SessionAuthorizionKind }

// Identifier returns the sessions ID and is used for auditing.
func (s *Session) Identifier() ID { return s.ID }

// GetUserID returns the user id.
func (s *Session) GetUserID() ID {
	return s.UserID
}

// EphemeralAuth generates an Authorization that is not stored
// but at the user's max privs.
func (s *Session) EphemeralAuth(orgID ID) *Authorization {
	return &Authorization{
		ID:          s.ID,
		OrgID:       orgID,
		Status:      Active,
		UserID:      s.UserID,
		Permissions: s.Permissions,
	}
}

// SessionService represents a service for managing user sessions.
type SessionService interface {
	FindSession(ctx context.Context, key string) (*Session, error)
	ExpireSession(ctx context.Context, key string) error
	CreateSession(ctx context.Context, user string) (*Session, error)
	RenewSession(ctx context.Context, session *Session, newExpiration time.Time) error
}
chore: rename imports from platform to influxdb I did this with a dumb editor macro, so some comments changed too. Also rename root package from platform to influxdb. In interest of minimizing risk, anyone importing the root package has now aliased it to "platform" so that no changes beyond imports were necessary in those files. Lastly, replace the old platform module to local path /dev/null so that nobody can accidentally reintroduce a platform dependency while migrating platform code to influxdb. 2019-01-08 00:37:16 +00:00			`package influxdb`
feat(platform): add session service 2018-09-25 19:13:38 +00:00
			`import (`
			`"context"`
			`"time"`
			`)`

feat(session): error constants and variables 2018-12-19 15:24:02 +00:00			`// ErrSessionNotFound is the error messages for a missing sessions.`
			`const ErrSessionNotFound = "session not found"`

			`// ErrSessionExpired is the error message for expired sessions.`
			`const ErrSessionExpired = "session has expired"`

feat(http): add renew session 2019-01-11 22:07:50 +00:00			`// RenewSessionTime is the the time to extend session, currently set to 5min.`
			`var RenewSessionTime = time.Duration(time.Second * 300)`

feat(session): error constants and variables 2018-12-19 15:24:02 +00:00			`var (`
			`// OpFindSession represents the operation that looks for sessions.`
			`OpFindSession = "FindSession"`
			`// OpExpireSession represents the operation that expires sessions.`
			`OpExpireSession = "ExpireSession"`
			`// OpCreateSession represents the operation that creates a session for a given user.`
			`OpCreateSession = "CreateSession"`
feat(http): add renew session 2019-01-11 22:07:50 +00:00			`// OpRenewSession = "RenewSession"`
			`OpRenewSession = "RenewSession"`
feat(session): error constants and variables 2018-12-19 15:24:02 +00:00			`)`

feat(http): convert user sessions to auth for query service Co-Authored-By: Kelvin Wang <sherkrainwang@gmail.com> Co-Authored-By: Michael Desa <mjdesa@gmail.com> Co-Authored-By: Christopher M. Wolff <chris.wolff@influxdata.com> 2019-03-07 21:32:48 +00:00			`// SessionAuthorizionKind defines the type of authorizer`
Allow session authorization for tasks 2019-02-14 21:47:16 +00:00			`const SessionAuthorizionKind = "session"`

feat(platform): add session service 2018-09-25 19:13:38 +00:00			`// Session is a user session.`
			`type Session struct {`
test(http): add signin test 2018-09-26 18:17:03 +00:00			`// ID is only required for auditing purposes.`
feat(platform): add session service 2018-09-25 19:13:38 +00:00			ID ID `json:"id"`
			Key string `json:"key"`
			CreatedAt time.Time `json:"createdAt"`
			ExpiresAt time.Time `json:"expiresAt"`
			UserID ID `json:"userID,omitempty"`
			Permissions []Permission `json:"permissions,omitempty"`
			`}`

test(bolt): ensure boltdb session service conforms to tests 2018-09-26 19:56:06 +00:00			`// Expired returns an error if the session is expired.`
feat(bolt): add bolt implementation of session service 2018-09-26 18:48:19 +00:00			`func (s *Session) Expired() error {`
			`if time.Now().After(s.ExpiresAt) {`
feat(http): add renew session 2019-01-11 22:07:50 +00:00			`return &Error{`
			`Code: EForbidden,`
			`Msg: ErrSessionExpired,`
			`}`
feat(bolt): add bolt implementation of session service 2018-09-26 18:48:19 +00:00			`}`

			`return nil`
			`}`

feat(platform): add authorizer interface This iterface is supposed to be something that both sessions and authorizations can share so that other components can authorize requests as they see fit. 2018-09-28 17:02:34 +00:00			`// Allowed returns true if the authorization is unexpired and request permission`
			`// exists in the sessions list of permissions.`
			`func (s *Session) Allowed(p Permission) bool {`
			`if err := s.Expired(); err != nil {`
			`return false`
			`}`

fix(platform): check for matching ids when permission matching 2019-01-09 16:16:02 +00:00			`return PermissionAllowed(p, s.Permissions)`
feat(platform): add authorizer interface This iterface is supposed to be something that both sessions and authorizations can share so that other components can authorize requests as they see fit. 2018-09-28 17:02:34 +00:00			`}`

feat(http): add authentication handler middleware 2018-09-28 18:33:35 +00:00			`// Kind returns session and is used for auditing.`
Allow session authorization for tasks 2019-02-14 21:47:16 +00:00			`func (s *Session) Kind() string { return SessionAuthorizionKind }`
feat(http): add authentication handler middleware 2018-09-28 18:33:35 +00:00
			`// Identifier returns the sessions ID and is used for auditing.`
			`func (s *Session) Identifier() ID { return s.ID }`

add http for telegraf 2018-10-24 15:13:30 +00:00			`// GetUserID returns the user id.`
			`func (s *Session) GetUserID() ID {`
			`return s.UserID`
			`}`

feat(http): convert user sessions to auth for query service Co-Authored-By: Kelvin Wang <sherkrainwang@gmail.com> Co-Authored-By: Michael Desa <mjdesa@gmail.com> Co-Authored-By: Christopher M. Wolff <chris.wolff@influxdata.com> 2019-03-07 21:32:48 +00:00			`// EphemeralAuth generates an Authorization that is not stored`
			`// but at the user's max privs.`
			`func (s Session) EphemeralAuth(orgID ID) Authorization {`
			`return &Authorization{`
			`ID: s.ID,`
			`OrgID: orgID,`
			`Status: Active,`
			`UserID: s.UserID,`
			`Permissions: s.Permissions,`
			`}`
			`}`

feat(platform): add session service 2018-09-25 19:13:38 +00:00			`// SessionService represents a service for managing user sessions.`
			`type SessionService interface {`
			`FindSession(ctx context.Context, key string) (*Session, error)`
			`ExpireSession(ctx context.Context, key string) error`
			`CreateSession(ctx context.Context, user string) (*Session, error)`
feat(http): add renew session 2019-01-11 22:07:50 +00:00			`RenewSession(ctx context.Context, session *Session, newExpiration time.Time) error`
feat(platform): add session service 2018-09-25 19:13:38 +00:00			`}`