5d6eefa498
The Multiple Simultaneous Logins Control is a feature designed for securing Horizon dashboard sessions. The default Horizon configuration allows the same user to login several times (e.g. different browsers) simultaneously, that is, the same user can have more than one active session for Horizon dashboard. When there is the need to control the active sessions that one user can have simultaneously, it will be possible to configure the Horizon dashboard to disallow more than one active session per user. When multiple simultaneously sessions are disabled, the most recent authenticated session will be considered the valid one and the previous session will be invalidated. The following manual tests encompass both simulteaneous session control configuration: 'allow' and 'disconnect' and were verified with this code change before submitting it: Test Plan: PASS: Verify that a user is able to login to Horizon dashboard (when configuration is 'disconnect') PASS: Verify that a user is able to start a second Horizon dashboard session and the first session is finished (when configuration is 'disconnect') Failure Path: PASS: Verify that when a user fails to authenticate a second Horizon dashboard session the first session stills active (when configuration is 'disconnect') Regression: PASS: Verify that a user is able to login to Horizon dashboard (when configuration is default: 'allow') PASS: Verify that a user is able to start multiple simultaneous Horizon dashboard sessions (when configuration is default: 'allow') Implements: blueprint handle-multiple-login-sessions-from-same-user-in-horizon Signed-off-by: Hugo Brito <hugo.brito@windriver.com> Co-authored-by: Thales Elero Cervi <thaleselero.cervi@windriver.com> Change-Id: I8462aa98398dd8f27fe24d911c9bfaa7f303eb93
51 lines
1.9 KiB
Python
51 lines
1.9 KiB
Python
# Copyright (c) 2021 Wind River Systems Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
import importlib
|
|
import logging
|
|
|
|
from django.conf import settings
|
|
from django.core.cache import caches
|
|
|
|
LOG = logging.getLogger(__name__)
|
|
|
|
|
|
class SimultaneousSessionsMiddleware(object):
|
|
def __init__(self, get_response):
|
|
self.get_response = get_response
|
|
self.simultaneous_sessions = settings.SIMULTANEOUS_SESSIONS
|
|
|
|
def __call__(self, request):
|
|
self._process_request(request)
|
|
response = self.get_response(request)
|
|
return response
|
|
|
|
def _process_request(self, request):
|
|
cache = caches['default']
|
|
cache_key = ('user_pk_{}_restrict').format(request.user.pk)
|
|
cache_value = cache.get(cache_key)
|
|
if cache_value and self.simultaneous_sessions == 'disconnect':
|
|
if request.session.session_key != cache_value:
|
|
LOG.info('The user %s is already logged in, '
|
|
'the last session will be disconnected.',
|
|
request.user.id)
|
|
engine = importlib.import_module(settings.SESSION_ENGINE)
|
|
session = engine.SessionStore(session_key=cache_value)
|
|
session.delete()
|
|
cache.set(cache_key, request.session.session_key,
|
|
settings.SESSION_TIMEOUT)
|
|
else:
|
|
cache.set(cache_key, request.session.session_key,
|
|
settings.SESSION_TIMEOUT)
|