Fix audit code to include unique session id again
Previously I broke the audit code paths by having them log a different string for the session identifier. Instead, build a new token that is not valid for authentication. Change-Id: Idf7273795021acf0e8dc9dd577f54a7aa7d8b099
@@ -162,14 +162,14 @@ public final class CacheBasedWebSession implements WebSession {
|
||||
}
|
||||
|
||||
key = manager.createKey(id);
|
||||
val = manager.createVal(key, id, rememberMe, identity);
|
||||
val = manager.createVal(key, id, rememberMe, identity, null);
|
||||
saveCookie();
|
||||
}
|
||||
|
||||
/** Set the user account for this current request only. */
|
||||
public void setUserAccountId(Account.Id id) {
|
||||
key = new Key("id:" + id);
|
||||
val = new Val(id, 0, false, null, 0);
|
||||
val = new Val(id, 0, false, null, 0, null);
|
||||
}
|
||||
|
||||
public void logout() {
|
||||
@@ -181,6 +181,11 @@ public final class CacheBasedWebSession implements WebSession {
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getSessionId() {
|
||||
return val != null ? val.getSessionId() : null;
|
||||
}
|
||||
|
||||
private void saveCookie() {
|
||||
final String token;
|
||||
final int ageSeconds;
|
||||
|
||||
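Review bot: In the first hunk, `setUserAccountId` builds its request-scoped `Val` with `null` as the new sessionId argument, so `getSessionId()` in the second hunk returns null for such requests and the audit callers receive no session identifier. If that is intended, say so where the null is passed, e.g. `// Request-scoped session: no audit session id is minted for it.`; otherwise mint one via `manager.createKey(id).token` the way the manager does when it is handed a null sid. The `val != null ? ... : null` branch in `getSessionId()` is the other source of null and belongs to the same contract.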
@@ -77,7 +77,7 @@ class HttpLogoutServlet extends HttpServlet {
|
||||
protected void doGet(final HttpServletRequest req,
|
||||
final HttpServletResponse rsp) throws IOException {
|
||||
|
||||
final String sid = webSession.get().getAuthorization();
|
||||
final String sid = webSession.get().getSessionId();
|
||||
final CurrentUser currentUser = webSession.get().getCurrentUser();
|
||||
final String what = "sign out";
|
||||
final long when = System.currentTimeMillis();
|
||||
|
||||
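Review bot: `sid` is now taken from `getSessionId()`, which `CacheBasedWebSession` implements as `val != null ? val.getSessionId() : null`, so it can be null here and in the parallel change in `GerritJsonServlet`. The hunk does not show what consumes `sid` (`doGet` continues past the hunk), so confirm the audit sink tolerates a null identifier or substitute a fixed marker before logging. A one-line comment where `sid` is read would help the next reader: `// Audit-only session id; never the authorization token, may be null.`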
@@ -36,4 +36,6 @@ public interface WebSession {
|
||||
public void setUserAccountId(Account.Id id);
|
||||
|
||||
public void logout();
|
||||
|
||||
public String getSessionId();
|
||||
}
|
||||
|
||||
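Review bot: The new `getSessionId()` declaration carries no Javadoc, and its contract matters for security: the value is meant for audit logging only and must never be the authorization token. Suggested Javadoc: `/** Identifier for audit logging only; never valid for authentication, and null when no session value is held. */` The nullability follows from the `CacheBasedWebSession` implementation in this commit, which returns null when `val` is absent.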
@@ -90,11 +90,11 @@ class WebSessionManager {
|
||||
final Account.Id who = val.getAccountId();
|
||||
final boolean remember = val.isPersistentCookie();
|
||||
final AccountExternalId.Key lastLogin = val.getExternalId();
|
||||
return createVal(key, who, remember, lastLogin);
|
||||
return createVal(key, who, remember, lastLogin, val.sessionId);
|
||||
}
|
||||
|
||||
Val createVal(final Key key, final Account.Id who, final boolean remember,
|
||||
final AccountExternalId.Key lastLogin) {
|
||||
final AccountExternalId.Key lastLogin, String sid) {
|
||||
// Refresh the cookie every hour or when it is half-expired.
|
||||
// This reduces the odds that the user session will be kicked
|
||||
// early but also avoids us needing to refresh the cookie on
|
||||
@@ -106,8 +106,11 @@ class WebSessionManager {
|
||||
final long now = now();
|
||||
final long refreshCookieAt = now + refresh;
|
||||
final long expiresAt = now + sessionMaxAgeMillis;
|
||||
if (sid == null) {
|
||||
sid = createKey(who).token;
|
||||
}
|
||||
|
||||
Val val = new Val(who, refreshCookieAt, remember, lastLogin, expiresAt);
|
||||
Val val = new Val(who, refreshCookieAt, remember, lastLogin, expiresAt, sid);
|
||||
self.put(key.token, val);
|
||||
return val;
|
||||
}
|
||||
@@ -171,15 +174,17 @@ class WebSessionManager {
|
||||
private transient boolean persistentCookie;
|
||||
private transient AccountExternalId.Key externalId;
|
||||
private transient long expiresAt;
|
||||
private transient String sessionId;
|
||||
|
||||
Val(final Account.Id accountId, final long refreshCookieAt,
|
||||
final boolean persistentCookie, final AccountExternalId.Key externalId,
|
||||
final long expiresAt) {
|
||||
final long expiresAt, final String sessionId) {
|
||||
this.accountId = accountId;
|
||||
this.refreshCookieAt = refreshCookieAt;
|
||||
this.persistentCookie = persistentCookie;
|
||||
this.externalId = externalId;
|
||||
this.expiresAt = expiresAt;
|
||||
this.sessionId = sessionId;
|
||||
}
|
||||
|
||||
Account.Id getAccountId() {
|
||||
@@ -190,6 +195,10 @@ class WebSessionManager {
|
||||
return externalId;
|
||||
}
|
||||
|
||||
String getSessionId() {
|
||||
return sessionId;
|
||||
}
|
||||
|
||||
boolean needsCookieRefresh() {
|
||||
return refreshCookieAt <= now();
|
||||
}
|
||||
@@ -213,6 +222,11 @@ class WebSessionManager {
|
||||
writeString(out, externalId.get());
|
||||
}
|
||||
|
||||
if (sessionId != null) {
|
||||
writeVarInt32(out, 5);
|
||||
writeString(out, sessionId);
|
||||
}
|
||||
|
||||
writeVarInt32(out, 6);
|
||||
writeFixInt64(out, expiresAt);
|
||||
|
||||
@@ -238,7 +252,7 @@ class WebSessionManager {
|
||||
externalId = new AccountExternalId.Key(readString(in));
|
||||
continue;
|
||||
case 5:
|
||||
readString(in);
|
||||
sessionId = readString(in);
|
||||
continue;
|
||||
case 6:
|
||||
expiresAt = readFixInt64(in);
|
||||
|
||||
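Review bot: In the `@@ -106` hunk the audit identifier is minted with `sid = createKey(who).token`, the same generator as the real key, and the only thing keeping it from authenticating is that it is never handed to `self.put`; that invariant is unstated, so comment it at the assignment: `// Audit-only id: generated like a key but never stored in the cache, so it cannot authenticate.` In the `@@ -90` hunk `val.sessionId` is read as a field while the `@@ -190` hunk adds `getSessionId()`; using the getter keeps the two consistent, and copying the reassigned `sid` parameter into a local would let it stay `final` like the rest of `createVal`'s parameters. In the `@@ -238` hunk tag 5 changes from read-and-discard to `sessionId = readString(in)`, so whatever older cache entries stored under tag 5 now surfaces as the audit id; if that field could have held something other than a session id, skipping it on read is safer than trusting it.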
@@ -131,7 +131,7 @@ final class GerritJsonServlet extends JsonServlet<GerritJsonServlet.GerritCall>
|
||||
}
|
||||
Audit note = (Audit) method.getAnnotation(Audit.class);
|
||||
if (note != null) {
|
||||
final String sid = call.getWebSession().getAuthorization();
|
||||
final String sid = call.getWebSession().getSessionId();
|
||||
final CurrentUser username = call.getWebSession().getCurrentUser();
|
||||
final List<Object> args =
|
||||
extractParams(note, call);
|
||||
|
||||