Skip to content

Commit

Permalink
display session information, fix usability in user list, editing users
Browse files Browse the repository at this point in the history 
 - use better overflow when users have many roles, fixes #2526
 - ignore non-updatable properties in ChangeUserRequest fixes #2528
 - show session information in the user list fixes #2540
  • Loading branch information
@kroepke
kroepke committed Jul 26, 2016
1 parent 51d5bc9 commit 6bb3437
Show file tree
Hide file tree
Showing 8 changed files with 142 additions and 66 deletions.
3 changes: 3 additions & 0 deletions ...-server/src/main/java/org/graylog2/bindings/providers/DefaultSecurityManagerProvider.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,8 @@
import javax.inject.Provider;
import javax.inject.Singleton;

import java.util.concurrent.TimeUnit;

import static com.google.common.collect.ImmutableList.of;

@Singleton
Expand Down Expand Up @@ -74,6 +76,7 @@ public boolean isSessionStorageEnabled(Subject subject) {
final DefaultSessionManager defaultSessionManager = (DefaultSessionManager) sm.getSessionManager();
defaultSessionManager.setSessionDAO(mongoDbSessionDAO);
defaultSessionManager.setDeleteInvalidSessions(true);
defaultSessionManager.setSessionValidationInterval(TimeUnit.MINUTES.toMillis(5));
defaultSessionManager.setCacheManager(new MemoryConstrainedCacheManager());
// DO NOT USE global session timeout!!! It's fucky.
//defaultSessionManager.setGlobalSessionTimeout(TimeUnit.SECONDS.toMillis(5));
Expand Down
2 changes: 2 additions & 0 deletions graylog2-server/src/main/java/org/graylog2/rest/models/users/requests/ChangeUserRequest.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@

import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.google.auto.value.AutoValue;
import org.hibernate.validator.constraints.Email;
Expand All @@ -29,6 +30,7 @@

@JsonAutoDetect
@AutoValue
@JsonIgnoreProperties(ignoreUnknown = true)
public abstract class ChangeUserRequest {
@JsonProperty
@Nullable
Expand Down
26 changes: 22 additions & 4 deletions graylog2-server/src/main/java/org/graylog2/rest/models/users/responses/UserSummary.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@
import com.google.auto.value.AutoValue;

import javax.annotation.Nullable;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Set;
Expand Down Expand Up @@ -58,7 +59,7 @@ public abstract class UserSummary {
@Nullable
public abstract Long sessionTimeoutMs();

@JsonProperty
@JsonProperty("read_only")
public abstract boolean readOnly();

@JsonProperty
Expand All @@ -72,6 +73,17 @@ public abstract class UserSummary {
@Nullable
public abstract Set<String> roles();

@JsonProperty("session_active")
public abstract boolean sessionActive();

@JsonProperty("last_activity")
@Nullable
public abstract Date lastActivity();

@JsonProperty("client_address")
@Nullable
public abstract String clientAddress();

@JsonCreator
public static UserSummary create(@JsonProperty("id") @Nullable String id,
@JsonProperty("username") String username,
Expand All @@ -81,10 +93,13 @@ public static UserSummary create(@JsonProperty("id") @Nullable String id,
@JsonProperty("preferences") @Nullable Map<String, Object> preferences,
@JsonProperty("timezone") @Nullable String timezone,
@JsonProperty("session_timeout_ms") @Nullable Long sessionTimeoutMs,
@JsonProperty("readonly") boolean readOnly,
@JsonProperty("read_only") boolean readOnly,
@JsonProperty("external") boolean external,
@JsonProperty("startpage") @Nullable Map<String, String> startpage,
@JsonProperty("roles") @Nullable Set<String> roles) {
@JsonProperty("roles") @Nullable Set<String> roles,
@JsonProperty("session_active") boolean sessionActive,
@JsonProperty("last_activity") @Nullable Date lastActivity,
@JsonProperty("client_address") @Nullable String clientAddress) {
return new AutoValue_UserSummary(id,
username,
email,
Expand All @@ -96,6 +111,9 @@ public static UserSummary create(@JsonProperty("id") @Nullable String id,
readOnly,
external,
startpage,
roles);
roles,
sessionActive,
lastActivity,
clientAddress);
}
}
7 changes: 5 additions & 2 deletions graylog2-server/src/main/java/org/graylog2/rest/resources/roles/RolesResource.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -199,8 +199,11 @@ public RoleMembershipResponse getMembers(@ApiParam(name = "rolename", required =
user.isReadOnly(),
user.isExternalUser(),
user.getStartpage(),
roleNames
));
roleNames,
// there is no session information available in this call, so we set it to null
false,
null,
null));
}

return RoleMembershipResponse.create(role.getName(), userSummaries);
Expand Down
23 changes: 13 additions & 10 deletions graylog2-server/src/main/java/org/graylog2/rest/resources/system/SessionsResource.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -118,20 +118,24 @@ public SessionResponse newSession(@Context ContainerRequestContext requestContex
if (sessionId != null && !sessionId.isEmpty()) {
id = sessionId;
}
final Subject subject = new Subject.Builder().sessionId(id).buildSubject();

final String remoteAddrFromRequest = RestTools.getRemoteAddrFromRequest(grizzlyRequest, trustedSubnets);
final Subject subject = new Subject.Builder().sessionId(id).host(remoteAddrFromRequest).buildSubject();
ThreadContext.bind(subject);
final Session s = subject.getSession();
try {

subject.login(new UsernamePasswordToken(createRequest.username(), createRequest.password()));
final User user = userService.load(createRequest.username());
if (user != null) {
long timeoutInMillis = user.getSessionTimeoutMs();
subject.getSession().setTimeout(timeoutInMillis);
s.setAttribute("username", user.getName());
s.setTimeout(timeoutInMillis);
} else {
// set a sane default. really we should be able to load the user from above.
subject.getSession().setTimeout(TimeUnit.HOURS.toMillis(8));
s.setTimeout(TimeUnit.HOURS.toMillis(8));
}
subject.getSession().touch();
s.touch();

// save subject in session, otherwise we can't get the username back in subsequent requests.
((DefaultSecurityManager) SecurityUtils.getSecurityManager()).getSubjectDAO().save(subject);
Expand All @@ -143,21 +147,20 @@ public SessionResponse newSession(@Context ContainerRequestContext requestContex
}

if (subject.isAuthenticated()) {
final Session session = subject.getSession();
id = session.getId();
id = s.getId();

final Map<String, Object> auditLogContext = ImmutableMap.of(
"session_id", id,
"remote_address", RestTools.getRemoteAddrFromRequest(grizzlyRequest, trustedSubnets)
"session_id", id,
"remote_address", remoteAddrFromRequest
);
auditLogger.success(createRequest.username(), "create", "session", auditLogContext);

// TODO is the validUntil attribute even used by anyone yet?
return SessionResponse.create(new DateTime(session.getLastAccessTime(), DateTimeZone.UTC).plus(session.getTimeout()).toDate(),
return SessionResponse.create(new DateTime(s.getLastAccessTime(), DateTimeZone.UTC).plus(s.getTimeout()).toDate(),
id.toString());
} else {
final Map<String, Object> auditLogContext = ImmutableMap.of(
"remote_address", RestTools.getRemoteAddrFromRequest(grizzlyRequest, trustedSubnets)
"remote_address", remoteAddrFromRequest
);
auditLogger.failure(createRequest.username(), "create", "session", auditLogContext);

Expand Down
Loading

0 comments on commit 6bb3437

Please sign in to comment.