Remove expired SAML2 sessions

Run a cherrypy background task to sift through the sessions database and find expired entries and remove them. From my testing if a previous execution of the background task is still executing when the next one is scheduled to run, it will skip it. In other words, you can't end up with multiple expirations running at the same time. Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
author: Rob Crittenden <rcritten@redhat.com> 2015-04-20 16:44:41 -0400
committer: Patrick Uiterwijk <puiterwijk@redhat.com> 2015-05-12 00:39:28 +0200
commit: 6437f6c9385e5e59cb21de7a3addedd904ee2825 (patch)
tree: 206545171b8863848c7bf6d8dc343de485192441 /ipsilon/providers/saml2
parent: 085327baa87a990d0d986861a23305dc03530d71 (diff)
download: ipsilon-6437f6c9385e5e59cb21de7a3addedd904ee2825.tar.gz
ipsilon-6437f6c9385e5e59cb21de7a3addedd904ee2825.tar.xz
ipsilon-6437f6c9385e5e59cb21de7a3addedd904ee2825.zip
1 files changed, 37 insertions, 8 deletions
diff --git a/ipsilon/providers/saml2/sessions.py b/ipsilon/providers/saml2/sessions.py
index d01bb6e..6b3d860 100644
--- a/ipsilon/providers/saml2/sessions.py
+++ b/ipsilon/providers/saml2/sessions.py
@@ -1,7 +1,9 @@
 # Copyright (C) 2015 Ipsilon project Contributors, for license see COPYING
 
+from cherrypy import config as cherrypy_config
 from ipsilon.util.log import Log
 from ipsilon.util.data import SAML2SessionStore
+import datetime
 
 LOGGED_IN = 1
 INIT_LOGOUT = 2
@@ -9,6 +11,23 @@ LOGGING_OUT = 4
 LOGGED_OUT = 8
 
 
+def expire_sessions():
+    """
+    Find all expired sessions and remove them. This is executed as a
+    background cherrypy task.
+    """
+    ss = SAML2SessionStore()
+    data = ss.get_data()
+    now = datetime.datetime.now()
+    for idval in data:
+        r = data[idval]
+        exp = r.get('expiration_time', None)
+        if exp is not None:
+            exp = datetime.datetime.strptime(exp, '%Y-%m-%d %H:%M:%S.%f')
+            if exp < now:
+                ss.remove_session(idval)
+
+
 class SAMLSession(Log):
     """
     A SAML login session.
@@ -26,10 +45,12 @@ class SAMLSession(Log):
                     logout response will include an InResponseTo value
                     which matches this.
        logout_request - the Logout request object
+       expiration_time - the time the login session expires
     """
     def __init__(self, uuidval, session_id, provider_id, user,
                  login_session, logoutstate=None, relaystate=None,
-                 logout_request=None, request_id=None):
+                 logout_request=None, request_id=None,
+                 expiration_time=None):
 
         self.uuidval = uuidval
         self.session_id = session_id
@@ -40,6 +61,7 @@ class SAMLSession(Log):
         self.relaystate = relaystate
         self.request_id = request_id
         self.logout_request = logout_request
+        self.expiration_time = expiration_time
 
     def set_logoutstate(self, relaystate=None, request=None, request_id=None):
         """
@@ -76,6 +98,7 @@ class SAMLSession(Log):
         data['relaystate'] = self.relaystate
         data['logout_request'] = self.logout_request
         data['request_id'] = self.request_id
+        data['expiration_time'] = self.expiration_time
 
         return {self.uuidval: data}
 
@@ -111,7 +134,8 @@ class SAMLSessionFactory(Log):
                            data.get('logoutstate'),
                            data.get('relaystate'),
                            data.get('logout_request'),
-                           data.get('request_id'))
+                           data.get('request_id'),
+                           data.get('expiration_time'))
 
     def add_session(self, session_id, provider_id, user, login_session,
                     request_id=None):
@@ -120,11 +144,16 @@ class SAMLSessionFactory(Log):
         """
         self.user = user
 
+        timeout = cherrypy_config['tools.sessions.timeout']
+        t = datetime.timedelta(seconds=timeout * 60)
+        expiration_time = datetime.datetime.now() + t
+
         data = {'session_id': session_id,
                 'provider_id': provider_id,
                 'user': user,
                 'login_session': login_session,
-                'logoutstate': LOGGED_IN}
+                'logoutstate': LOGGED_IN,
+                'expiration_time': expiration_time}
         if request_id:
             data['request_id'] = request_id
 
@@ -132,7 +161,8 @@ class SAMLSessionFactory(Log):
 
         return SAMLSession(uuidval, session_id, provider_id, user,
                            login_session, LOGGED_IN,
-                           request_id=request_id)
+                           request_id=request_id,
+                           expiration_time=expiration_time)
 
     def get_session_by_id(self, session_id):
         """
@@ -254,13 +284,12 @@ class SAMLSessionFactory(Log):
             count += 1
 
 if __name__ == '__main__':
-    import cherrypy
-
     provider1 = "http://127.0.0.10/saml2"
     provider2 = "http://127.0.0.11/saml2"
 
-    # temporary database location for testing
-    cherrypy.config['saml2.sessions.db'] = '/tmp/saml2sessions.sqlite'
+    # temporary values to simulate cherrypy
+    cherrypy_config['saml2.sessions.db'] = '/tmp/saml2sessions.sqlite'
+    cherrypy_config['tools.sessions.timeout'] = 60
 
     factory = SAMLSessionFactory()
     factory.wipe_data()
author	Rob Crittenden <rcritten@redhat.com>	2015-04-20 16:44:41 -0400
committer	Patrick Uiterwijk <puiterwijk@redhat.com>	2015-05-12 00:39:28 +0200
commit	6437f6c9385e5e59cb21de7a3addedd904ee2825 (patch)
tree	206545171b8863848c7bf6d8dc343de485192441 /ipsilon/providers/saml2
parent	085327baa87a990d0d986861a23305dc03530d71 (diff)
download	ipsilon-6437f6c9385e5e59cb21de7a3addedd904ee2825.tar.gz ipsilon-6437f6c9385e5e59cb21de7a3addedd904ee2825.tar.xz ipsilon-6437f6c9385e5e59cb21de7a3addedd904ee2825.zip