2019-07-07 11:18:12 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2019-12-04 20:38:33 +05:30
|
|
|
require 'spec_helper'
|
2018-10-15 14:42:47 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
RSpec.describe ActiveSession, :clean_gitlab_redis_sessions do
|
|
|
|
let(:lookup_key) { described_class.lookup_key_name(user.id) }
|
2018-10-15 14:42:47 +05:30
|
|
|
let(:user) do
|
|
|
|
create(:user).tap do |user|
|
|
|
|
user.current_sign_in_at = Time.current
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2020-04-15 14:45:12 +05:30
|
|
|
let(:rack_session) { Rack::Session::SessionId.new('6919a6f1bb119dd7396fadc38fd18d0d') }
|
|
|
|
let(:session) { instance_double(ActionDispatch::Request::Session, id: rack_session, '[]': {}) }
|
2018-10-15 14:42:47 +05:30
|
|
|
|
|
|
|
let(:request) do
|
|
|
|
double(:request, {
|
|
|
|
user_agent: 'Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_3 like Mac OS X) AppleWebKit/600.1.4 ' \
|
|
|
|
'(KHTML, like Gecko) Mobile/12B466 [FBDV/iPhone7,2]',
|
2020-06-23 00:09:42 +05:30
|
|
|
remote_ip: '127.0.0.1',
|
2018-10-15 14:42:47 +05:30
|
|
|
session: session
|
|
|
|
})
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '#current?' do
|
|
|
|
it 'returns true if the active session matches the current session' do
|
2020-10-04 03:57:07 +05:30
|
|
|
active_session = ActiveSession.new(session_private_id: rack_session.private_id)
|
2018-10-15 14:42:47 +05:30
|
|
|
|
|
|
|
expect(active_session.current?(session)).to be true
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns false if the active session does not match the current session' do
|
2020-04-15 14:45:12 +05:30
|
|
|
active_session = ActiveSession.new(session_id: Rack::Session::SessionId.new('59822c7d9fcdfa03725eff41782ad97d'))
|
2018-10-15 14:42:47 +05:30
|
|
|
|
|
|
|
expect(active_session.current?(session)).to be false
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns false if the session id is nil' do
|
|
|
|
active_session = ActiveSession.new(session_id: nil)
|
|
|
|
session = double(:session, id: nil)
|
|
|
|
|
|
|
|
expect(active_session.current?(session)).to be false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '.list' do
|
2022-01-26 12:08:38 +05:30
|
|
|
def make_session(id)
|
|
|
|
described_class.new(session_id: id)
|
|
|
|
end
|
|
|
|
|
2018-10-15 14:42:47 +05:30
|
|
|
it 'returns all sessions by user' do
|
2022-01-26 12:08:38 +05:30
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
|
|
|
# Some deprecated sessions
|
|
|
|
redis.set(described_class.key_name_v1(user.id, "6919a6f1bb119dd7396fadc38fd18d0d"), Marshal.dump(make_session('a')))
|
|
|
|
redis.set(described_class.key_name_v1(user.id, "59822c7d9fcdfa03725eff41782ad97d"), Marshal.dump(make_session('b')))
|
|
|
|
# Some new sessions
|
|
|
|
redis.set(described_class.key_name(user.id, 'some-unique-id-x'), make_session('c').dump)
|
|
|
|
redis.set(described_class.key_name(user.id, 'some-unique-id-y'), make_session('d').dump)
|
|
|
|
# Some red herrings
|
|
|
|
redis.set(described_class.key_name(9999, "5c8611e4f9c69645ad1a1492f4131358"), 'irrelevant')
|
|
|
|
redis.set(described_class.key_name_v1(9999, "5c8611e4f9c69645ad1a1492f4131358"), 'irrelevant')
|
2018-10-15 14:42:47 +05:30
|
|
|
|
|
|
|
redis.sadd(
|
2022-01-26 12:08:38 +05:30
|
|
|
lookup_key,
|
2018-10-15 14:42:47 +05:30
|
|
|
%w[
|
|
|
|
6919a6f1bb119dd7396fadc38fd18d0d
|
|
|
|
59822c7d9fcdfa03725eff41782ad97d
|
2022-01-26 12:08:38 +05:30
|
|
|
some-unique-id-x
|
|
|
|
some-unique-id-y
|
2018-10-15 14:42:47 +05:30
|
|
|
]
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
expect(described_class.list(user)).to contain_exactly(
|
|
|
|
have_attributes(session_id: 'a'),
|
|
|
|
have_attributes(session_id: 'b'),
|
|
|
|
have_attributes(session_id: 'c'),
|
|
|
|
have_attributes(session_id: 'd')
|
|
|
|
)
|
2018-10-15 14:42:47 +05:30
|
|
|
end
|
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
shared_examples 'ignoring obsolete entries' do
|
|
|
|
let(:session_id) { '6919a6f1bb119dd7396fadc38fd18d0d' }
|
|
|
|
let(:session) { described_class.new(session_id: 'a') }
|
2018-10-15 14:42:47 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
it 'does not return obsolete entries and cleans them up' do
|
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
|
|
|
redis.set(session_key, serialized_session)
|
|
|
|
|
|
|
|
redis.sadd(
|
|
|
|
lookup_key,
|
|
|
|
[
|
|
|
|
session_id,
|
|
|
|
'59822c7d9fcdfa03725eff41782ad97d'
|
|
|
|
]
|
|
|
|
)
|
|
|
|
end
|
2018-10-15 14:42:47 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
expect(ActiveSession.list(user)).to contain_exactly(session)
|
2018-10-15 14:42:47 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
|
|
|
expect(redis.sscan_each(lookup_key)).to contain_exactly session_id
|
|
|
|
end
|
2018-10-15 14:42:47 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
context 'when the current session is in the old format' do
|
|
|
|
let(:session_key) { described_class.key_name_v1(user.id, session_id) }
|
|
|
|
let(:serialized_session) { Marshal.dump(session) }
|
|
|
|
|
|
|
|
it_behaves_like 'ignoring obsolete entries'
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when the current session is in the new format' do
|
|
|
|
let(:session_key) { described_class.key_name(user.id, session_id) }
|
|
|
|
let(:serialized_session) { session.dump }
|
|
|
|
|
|
|
|
it_behaves_like 'ignoring obsolete entries'
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns an empty array if the user does not have any active session' do
|
|
|
|
expect(ActiveSession.list(user)).to be_empty
|
2018-10-15 14:42:47 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2019-09-04 21:01:54 +05:30
|
|
|
describe '.list_sessions' do
|
|
|
|
it 'uses the ActiveSession lookup to return original sessions' do
|
2022-01-26 12:08:38 +05:30
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
2020-04-15 14:45:12 +05:30
|
|
|
# Emulate redis-rack: https://github.com/redis-store/redis-rack/blob/c75f7f1a6016ee224e2615017fbfee964f23a837/lib/rack/session/redis.rb#L88
|
|
|
|
redis.set("session:gitlab:#{rack_session.private_id}", Marshal.dump({ _csrf_token: 'abcd' }))
|
2019-09-04 21:01:54 +05:30
|
|
|
|
|
|
|
redis.sadd(
|
|
|
|
"session:lookup:user:gitlab:#{user.id}",
|
|
|
|
%w[
|
2020-10-04 03:57:07 +05:30
|
|
|
2::418729c72310bbf349a032f0bb6e3fce9f5a69df8f000d8ae0ac5d159d8f21ae
|
|
|
|
2::d2ee6f70d6ef0e8701efa3f6b281cbe8e6bf3d109ef052a8b5ce88bfc7e71c26
|
2019-09-04 21:01:54 +05:30
|
|
|
]
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
|
|
|
expect(ActiveSession.list_sessions(user)).to eq [{ _csrf_token: 'abcd' }]
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '.session_ids_for_user' do
|
|
|
|
it 'uses the user lookup table to return session ids' do
|
2022-01-26 12:08:38 +05:30
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
|
|
|
redis.sadd(lookup_key, %w[a b c])
|
2019-09-04 21:01:54 +05:30
|
|
|
end
|
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
expect(ActiveSession.session_ids_for_user(user.id).map(&:to_s)).to match_array(%w[a b c])
|
2019-09-04 21:01:54 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '.sessions_from_ids' do
|
|
|
|
it 'uses the ActiveSession lookup to return original sessions' do
|
2022-01-26 12:08:38 +05:30
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
2020-04-15 14:45:12 +05:30
|
|
|
# Emulate redis-rack: https://github.com/redis-store/redis-rack/blob/c75f7f1a6016ee224e2615017fbfee964f23a837/lib/rack/session/redis.rb#L88
|
|
|
|
redis.set("session:gitlab:#{rack_session.private_id}", Marshal.dump({ _csrf_token: 'abcd' }))
|
2019-09-04 21:01:54 +05:30
|
|
|
end
|
|
|
|
|
2020-10-04 03:57:07 +05:30
|
|
|
expect(ActiveSession.sessions_from_ids([rack_session.private_id])).to eq [{ _csrf_token: 'abcd' }]
|
2019-09-04 21:01:54 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
it 'avoids a redis lookup for an empty array' do
|
2022-01-26 12:08:38 +05:30
|
|
|
expect(Gitlab::Redis::Sessions).not_to receive(:with)
|
2019-09-04 21:01:54 +05:30
|
|
|
|
|
|
|
expect(ActiveSession.sessions_from_ids([])).to eq([])
|
|
|
|
end
|
2019-09-30 21:07:59 +05:30
|
|
|
|
|
|
|
it 'uses redis lookup in batches' do
|
|
|
|
stub_const('ActiveSession::SESSION_BATCH_SIZE', 1)
|
|
|
|
|
|
|
|
redis = double(:redis)
|
2022-01-26 12:08:38 +05:30
|
|
|
expect(Gitlab::Redis::Sessions).to receive(:with).and_yield(redis)
|
2019-09-30 21:07:59 +05:30
|
|
|
|
2020-10-04 03:57:07 +05:30
|
|
|
sessions = %w[session-a session-b]
|
2022-08-27 11:52:29 +05:30
|
|
|
mget_responses = sessions.map { |session| [Marshal.dump(session)] }
|
2020-10-04 03:57:07 +05:30
|
|
|
expect(redis).to receive(:mget).twice.times.and_return(*mget_responses)
|
2019-09-30 21:07:59 +05:30
|
|
|
|
2020-10-04 03:57:07 +05:30
|
|
|
expect(ActiveSession.sessions_from_ids([1, 2])).to eql(sessions)
|
2019-09-30 21:07:59 +05:30
|
|
|
end
|
2019-09-04 21:01:54 +05:30
|
|
|
end
|
|
|
|
|
2018-10-15 14:42:47 +05:30
|
|
|
describe '.set' do
|
|
|
|
it 'sets a new redis entry for the user session and a lookup entry' do
|
|
|
|
ActiveSession.set(user, request)
|
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
session_id = "2::418729c72310bbf349a032f0bb6e3fce9f5a69df8f000d8ae0ac5d159d8f21ae"
|
|
|
|
|
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
2020-04-22 19:07:51 +05:30
|
|
|
expect(redis.scan_each.to_a).to include(
|
2023-06-20 00:43:36 +05:30
|
|
|
described_class.key_name(user.id, session_id), # current session
|
2022-01-26 12:08:38 +05:30
|
|
|
lookup_key
|
2020-04-22 19:07:51 +05:30
|
|
|
)
|
2018-10-15 14:42:47 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'adds timestamps and information from the request' do
|
2022-01-26 12:08:38 +05:30
|
|
|
time = Time.zone.parse('2018-03-12 09:06')
|
2018-10-15 14:42:47 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
travel_to(time) do
|
|
|
|
described_class.set(user, request)
|
2018-10-15 14:42:47 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
sessions = described_class.list(user)
|
|
|
|
|
|
|
|
expect(sessions).to contain_exactly have_attributes(
|
2018-10-15 14:42:47 +05:30
|
|
|
ip_address: '127.0.0.1',
|
|
|
|
browser: 'Mobile Safari',
|
|
|
|
os: 'iOS',
|
|
|
|
device_name: 'iPhone 6',
|
|
|
|
device_type: 'smartphone',
|
2022-01-26 12:08:38 +05:30
|
|
|
created_at: eq(time),
|
|
|
|
updated_at: eq(time)
|
2018-10-15 14:42:47 +05:30
|
|
|
)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'keeps the created_at from the login on consecutive requests' do
|
2022-01-26 12:08:38 +05:30
|
|
|
created_at = Time.zone.parse('2018-03-12 09:06')
|
|
|
|
updated_at = created_at + 1.minute
|
2018-10-15 14:42:47 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
travel_to(created_at) do
|
2018-10-15 14:42:47 +05:30
|
|
|
ActiveSession.set(user, request)
|
2022-01-26 12:08:38 +05:30
|
|
|
end
|
2018-10-15 14:42:47 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
travel_to(updated_at) do
|
|
|
|
ActiveSession.set(user, request)
|
2018-10-15 14:42:47 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
session = ActiveSession.list(user)
|
2018-10-15 14:42:47 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
expect(session.first).to have_attributes(
|
|
|
|
created_at: eq(created_at),
|
|
|
|
updated_at: eq(updated_at)
|
|
|
|
)
|
2018-10-15 14:42:47 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2021-03-05 16:19:46 +05:30
|
|
|
describe '.destroy_session' do
|
2020-10-04 03:57:07 +05:30
|
|
|
shared_examples 'removes all session data' do
|
|
|
|
before do
|
2022-01-26 12:08:38 +05:30
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
2020-10-04 03:57:07 +05:30
|
|
|
redis.set("session:user:gitlab:#{user.id}:#{active_session_lookup_key}", '')
|
|
|
|
# Emulate redis-rack: https://github.com/redis-store/redis-rack/blob/c75f7f1a6016ee224e2615017fbfee964f23a837/lib/rack/session/redis.rb#L88
|
|
|
|
redis.set("session:gitlab:#{rack_session.private_id}", '')
|
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
redis.set(session_key, serialized_session)
|
2023-01-13 00:05:48 +05:30
|
|
|
redis.sadd?(lookup_key, active_session_lookup_key)
|
2020-10-04 03:57:07 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'removes the devise session' do
|
|
|
|
subject
|
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
2020-10-04 03:57:07 +05:30
|
|
|
expect(redis.scan_each(match: "session:gitlab:*").to_a).to be_empty
|
|
|
|
end
|
|
|
|
end
|
2020-03-13 15:44:24 +05:30
|
|
|
|
2020-10-04 03:57:07 +05:30
|
|
|
it 'removes the lookup entry' do
|
|
|
|
subject
|
2020-03-13 15:44:24 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
|
|
|
expect(redis.scan_each(match: lookup_key).to_a).to be_empty
|
2020-10-04 03:57:07 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'removes the ActiveSession' do
|
|
|
|
subject
|
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
2020-10-04 03:57:07 +05:30
|
|
|
expect(redis.scan_each(match: "session:user:gitlab:*").to_a).to be_empty
|
|
|
|
end
|
|
|
|
end
|
2020-03-13 15:44:24 +05:30
|
|
|
end
|
|
|
|
|
2020-10-04 03:57:07 +05:30
|
|
|
context 'destroy called with Rack::Session::SessionId#private_id' do
|
2021-03-05 16:19:46 +05:30
|
|
|
subject { ActiveSession.destroy_session(user, rack_session.private_id) }
|
2020-10-04 03:57:07 +05:30
|
|
|
|
|
|
|
it 'calls .destroy_sessions' do
|
|
|
|
expect(ActiveSession).to(
|
|
|
|
receive(:destroy_sessions)
|
|
|
|
.with(anything, user, [rack_session.private_id]))
|
|
|
|
|
|
|
|
subject
|
|
|
|
end
|
2020-03-13 15:44:24 +05:30
|
|
|
|
2020-10-04 03:57:07 +05:30
|
|
|
context 'ActiveSession with session_private_id' do
|
|
|
|
let(:active_session) { ActiveSession.new(session_private_id: rack_session.private_id) }
|
|
|
|
let(:active_session_lookup_key) { rack_session.private_id }
|
2020-03-13 15:44:24 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
context 'when using old session key serialization' do
|
|
|
|
let(:session_key) { described_class.key_name_v1(user.id, active_session_lookup_key) }
|
|
|
|
let(:serialized_session) { Marshal.dump(active_session) }
|
|
|
|
|
|
|
|
include_examples 'removes all session data'
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when using new session key serialization' do
|
|
|
|
let(:session_key) { described_class.key_name(user.id, active_session_lookup_key) }
|
|
|
|
let(:serialized_session) { active_session.dump }
|
|
|
|
|
|
|
|
include_examples 'removes all session data'
|
|
|
|
end
|
2020-10-04 03:57:07 +05:30
|
|
|
end
|
2020-03-13 15:44:24 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2020-09-03 11:15:55 +05:30
|
|
|
describe '.destroy_all_but_current' do
|
|
|
|
it 'gracefully handles a nil session ID' do
|
|
|
|
expect(described_class).not_to receive(:destroy_sessions)
|
|
|
|
|
|
|
|
ActiveSession.destroy_all_but_current(user, nil)
|
|
|
|
end
|
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
shared_examples 'with user sessions' do
|
2020-09-03 11:15:55 +05:30
|
|
|
let(:current_session_id) { '6919a6f1bb119dd7396fadc38fd18d0d' }
|
|
|
|
|
|
|
|
before do
|
2022-01-26 12:08:38 +05:30
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
2020-10-04 03:57:07 +05:30
|
|
|
# setup for current user
|
|
|
|
[current_session_id, '59822c7d9fcdfa03725eff41782ad97d'].each do |session_public_id|
|
|
|
|
session_private_id = Rack::Session::SessionId.new(session_public_id).private_id
|
|
|
|
active_session = ActiveSession.new(session_private_id: session_private_id)
|
2022-01-26 12:08:38 +05:30
|
|
|
redis.set(key_name(user.id, session_private_id), dump_session(active_session))
|
2023-01-13 00:05:48 +05:30
|
|
|
redis.sadd?(lookup_key, session_private_id)
|
2020-10-04 03:57:07 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
# setup for unrelated user
|
|
|
|
unrelated_user_id = 9999
|
|
|
|
session_private_id = Rack::Session::SessionId.new('5c8611e4f9c69645ad1a1492f4131358').private_id
|
|
|
|
active_session = ActiveSession.new(session_private_id: session_private_id)
|
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
redis.set(key_name(unrelated_user_id, session_private_id), dump_session(active_session))
|
2023-01-13 00:05:48 +05:30
|
|
|
redis.sadd?(described_class.lookup_key_name(unrelated_user_id), session_private_id)
|
2020-09-03 11:15:55 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'removes the entry associated with the all user sessions but current' do
|
2020-10-04 03:57:07 +05:30
|
|
|
expect { ActiveSession.destroy_all_but_current(user, request.session) }
|
|
|
|
.to(change { ActiveSession.session_ids_for_user(user.id).size }.from(2).to(1))
|
2020-09-03 11:15:55 +05:30
|
|
|
|
|
|
|
expect(ActiveSession.session_ids_for_user(9999).size).to eq(1)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'removes the lookup entry of deleted sessions' do
|
2020-10-04 03:57:07 +05:30
|
|
|
session_private_id = Rack::Session::SessionId.new(current_session_id).private_id
|
2020-09-03 11:15:55 +05:30
|
|
|
ActiveSession.destroy_all_but_current(user, request.session)
|
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
|
|
|
expect(redis.smembers(lookup_key)).to contain_exactly session_private_id
|
2020-09-03 11:15:55 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'does not remove impersonated sessions' do
|
|
|
|
impersonated_session_id = '6919a6f1bb119dd7396fadc38fd18eee'
|
2022-01-26 12:08:38 +05:30
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
|
|
|
redis.set(key_name(user.id, impersonated_session_id),
|
|
|
|
dump_session(ActiveSession.new(session_id: Rack::Session::SessionId.new(impersonated_session_id), is_impersonated: true)))
|
2023-01-13 00:05:48 +05:30
|
|
|
redis.sadd?(lookup_key, impersonated_session_id)
|
2020-09-03 11:15:55 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
expect { ActiveSession.destroy_all_but_current(user, request.session) }.to change { ActiveSession.session_ids_for_user(user.id).size }.from(3).to(2)
|
|
|
|
|
|
|
|
expect(ActiveSession.session_ids_for_user(9999).size).to eq(1)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
context 'with legacy sessions' do
|
|
|
|
def key_name(user_id, id)
|
|
|
|
described_class.key_name_v1(user_id, id)
|
|
|
|
end
|
2020-01-01 13:55:28 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
def dump_session(session)
|
|
|
|
Marshal.dump(session)
|
2018-10-15 14:42:47 +05:30
|
|
|
end
|
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
it_behaves_like 'with user sessions'
|
|
|
|
end
|
2018-10-15 14:42:47 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
context 'with new sessions' do
|
|
|
|
def key_name(user_id, id)
|
|
|
|
described_class.key_name(user_id, id)
|
|
|
|
end
|
|
|
|
|
|
|
|
def dump_session(session)
|
|
|
|
session.dump
|
2018-10-15 14:42:47 +05:30
|
|
|
end
|
2022-01-26 12:08:38 +05:30
|
|
|
|
|
|
|
it_behaves_like 'with user sessions'
|
2018-10-15 14:42:47 +05:30
|
|
|
end
|
2022-01-26 12:08:38 +05:30
|
|
|
end
|
2018-10-15 14:42:47 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
describe '.cleanup' do
|
|
|
|
before do
|
|
|
|
stub_const("ActiveSession::ALLOWED_NUMBER_OF_ACTIVE_SESSIONS", 5)
|
2018-10-15 14:42:47 +05:30
|
|
|
end
|
2020-01-01 13:55:28 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
shared_examples 'cleaning up' do
|
|
|
|
context 'when removing obsolete sessions' do
|
|
|
|
let(:current_session_id) { '6919a6f1bb119dd7396fadc38fd18d0d' }
|
2020-01-01 13:55:28 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
it 'removes obsolete lookup entries' do
|
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
|
|
|
redis.set(session_key, '')
|
2023-01-13 00:05:48 +05:30
|
|
|
redis.sadd(lookup_key, [current_session_id, '59822c7d9fcdfa03725eff41782ad97d'])
|
2022-01-26 12:08:38 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
ActiveSession.cleanup(user)
|
|
|
|
|
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
|
|
|
expect(redis.smembers(lookup_key)).to contain_exactly current_session_id
|
2020-01-01 13:55:28 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
it 'does not bail if there are no lookup entries' do
|
2020-01-01 13:55:28 +05:30
|
|
|
ActiveSession.cleanup(user)
|
2022-01-26 12:08:38 +05:30
|
|
|
end
|
2020-01-01 13:55:28 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
context 'cleaning up old sessions' do
|
|
|
|
let(:max_number_of_sessions_plus_one) { ActiveSession::ALLOWED_NUMBER_OF_ACTIVE_SESSIONS + 1 }
|
|
|
|
let(:max_number_of_sessions_plus_two) { ActiveSession::ALLOWED_NUMBER_OF_ACTIVE_SESSIONS + 2 }
|
|
|
|
|
|
|
|
before do
|
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
|
|
|
max_number_of_sessions_plus_two.times do |number|
|
|
|
|
redis.set(
|
|
|
|
key_name(user.id, number),
|
|
|
|
dump_session(ActiveSession.new(session_id: number.to_s, updated_at: number.days.ago))
|
|
|
|
)
|
2023-01-13 00:05:48 +05:30
|
|
|
redis.sadd?(lookup_key, number.to_s)
|
2022-01-26 12:08:38 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'removes obsolete active sessions entries' do
|
|
|
|
ActiveSession.cleanup(user)
|
|
|
|
|
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
|
|
|
sessions = described_class.list(user)
|
2020-01-01 13:55:28 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
expect(sessions.count).to eq(ActiveSession::ALLOWED_NUMBER_OF_ACTIVE_SESSIONS)
|
|
|
|
expect(sessions).not_to include(
|
|
|
|
have_attributes(session_id: max_number_of_sessions_plus_one),
|
|
|
|
have_attributes(session_id: max_number_of_sessions_plus_two)
|
|
|
|
)
|
|
|
|
end
|
2020-01-01 13:55:28 +05:30
|
|
|
end
|
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
it 'removes obsolete lookup entries' do
|
|
|
|
ActiveSession.cleanup(user)
|
2020-01-01 13:55:28 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
|
|
|
lookup_entries = redis.smembers(lookup_key)
|
2020-01-01 13:55:28 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
expect(lookup_entries.count).to eq(ActiveSession::ALLOWED_NUMBER_OF_ACTIVE_SESSIONS)
|
|
|
|
expect(lookup_entries).not_to include(max_number_of_sessions_plus_one.to_s, max_number_of_sessions_plus_two.to_s)
|
|
|
|
end
|
2020-01-01 13:55:28 +05:30
|
|
|
end
|
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
it 'removes obsolete lookup entries even without active session' do
|
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
2023-01-13 00:05:48 +05:30
|
|
|
redis.sadd?(lookup_key, (max_number_of_sessions_plus_two + 1).to_s)
|
2022-01-26 12:08:38 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
ActiveSession.cleanup(user)
|
|
|
|
|
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
|
|
|
lookup_entries = redis.smembers(lookup_key)
|
|
|
|
|
|
|
|
expect(lookup_entries.count).to eq(ActiveSession::ALLOWED_NUMBER_OF_ACTIVE_SESSIONS)
|
|
|
|
expect(lookup_entries).not_to include(
|
|
|
|
max_number_of_sessions_plus_one.to_s,
|
|
|
|
max_number_of_sessions_plus_two.to_s,
|
|
|
|
(max_number_of_sessions_plus_two + 1).to_s
|
|
|
|
)
|
|
|
|
end
|
2020-01-01 13:55:28 +05:30
|
|
|
end
|
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
context 'when the number of active sessions is lower than the limit' do
|
|
|
|
before do
|
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
|
|
|
((max_number_of_sessions_plus_two - 4)..max_number_of_sessions_plus_two).each do |number|
|
|
|
|
redis.del(key_name(user.id, number))
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2020-01-01 13:55:28 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
it 'does not remove active session entries, but removes lookup entries' do
|
|
|
|
lookup_entries_before_cleanup = Gitlab::Redis::Sessions.with do |redis|
|
|
|
|
redis.smembers(lookup_key)
|
|
|
|
end
|
2020-01-01 13:55:28 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
sessions_before_cleanup = described_class.list(user)
|
|
|
|
|
|
|
|
described_class.cleanup(user)
|
|
|
|
|
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
|
|
|
lookup_entries = redis.smembers(lookup_key)
|
|
|
|
sessions = described_class.list(user)
|
|
|
|
|
|
|
|
expect(sessions.count).to eq(sessions_before_cleanup.count)
|
|
|
|
expect(lookup_entries.count).to be < lookup_entries_before_cleanup.count
|
|
|
|
end
|
|
|
|
end
|
2020-01-01 13:55:28 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
context 'cleaning up old sessions stored by Rack::Session::SessionId#private_id' do
|
|
|
|
let(:max_number_of_sessions_plus_one) { ActiveSession::ALLOWED_NUMBER_OF_ACTIVE_SESSIONS + 1 }
|
|
|
|
let(:max_number_of_sessions_plus_two) { ActiveSession::ALLOWED_NUMBER_OF_ACTIVE_SESSIONS + 2 }
|
|
|
|
|
2020-01-01 13:55:28 +05:30
|
|
|
before do
|
2022-01-26 12:08:38 +05:30
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
|
|
|
(1..max_number_of_sessions_plus_two).each do |number|
|
|
|
|
redis.set(
|
|
|
|
key_name(user.id, number),
|
|
|
|
dump_session(ActiveSession.new(session_private_id: number.to_s, updated_at: number.days.ago))
|
|
|
|
)
|
2023-01-13 00:05:48 +05:30
|
|
|
redis.sadd?(lookup_key, number.to_s)
|
2020-01-01 13:55:28 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
it 'removes obsolete active sessions entries' do
|
|
|
|
described_class.cleanup(user)
|
2020-01-01 13:55:28 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
|
|
|
sessions = described_class.list(user)
|
2020-01-01 13:55:28 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
expect(sessions.count).to eq(described_class::ALLOWED_NUMBER_OF_ACTIVE_SESSIONS)
|
|
|
|
expect(sessions).not_to include(
|
|
|
|
key_name(user.id, max_number_of_sessions_plus_one),
|
|
|
|
key_name(user.id, max_number_of_sessions_plus_two)
|
|
|
|
)
|
2020-01-01 13:55:28 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2020-10-04 03:57:07 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
context 'with legacy sessions' do
|
|
|
|
let(:session_key) { described_class.key_name_v1(user.id, current_session_id) }
|
|
|
|
|
|
|
|
def key_name(user_id, session_id)
|
|
|
|
described_class.key_name_v1(user_id, session_id)
|
|
|
|
end
|
|
|
|
|
|
|
|
def dump_session(session)
|
|
|
|
Marshal.dump(session)
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'cleaning up'
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with new sessions' do
|
|
|
|
let(:session_key) { described_class.key_name(user.id, current_session_id) }
|
|
|
|
|
|
|
|
def key_name(user_id, session_id)
|
|
|
|
described_class.key_name(user_id, session_id)
|
|
|
|
end
|
|
|
|
|
|
|
|
def dump_session(session)
|
|
|
|
session.dump
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'cleaning up'
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '.cleaned_up_lookup_entries' do
|
|
|
|
before do
|
|
|
|
stub_const("ActiveSession::ALLOWED_NUMBER_OF_ACTIVE_SESSIONS", 5)
|
|
|
|
end
|
|
|
|
|
|
|
|
shared_examples 'cleaning up lookup entries' do
|
|
|
|
let(:current_session_id) { '6919a6f1bb119dd7396fadc38fd18d0d' }
|
|
|
|
let(:active_count) { 3 }
|
2020-10-04 03:57:07 +05:30
|
|
|
|
|
|
|
before do
|
2023-06-20 00:43:36 +05:30
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
2022-01-26 12:08:38 +05:30
|
|
|
active_count.times do |number|
|
2020-10-04 03:57:07 +05:30
|
|
|
redis.set(
|
2022-01-26 12:08:38 +05:30
|
|
|
key_name(user.id, number),
|
|
|
|
dump_session(ActiveSession.new(session_id: number.to_s, updated_at: number.days.ago))
|
2020-10-04 03:57:07 +05:30
|
|
|
)
|
2022-01-26 12:08:38 +05:30
|
|
|
|
2023-01-13 00:05:48 +05:30
|
|
|
redis.sadd?(lookup_key, number.to_s)
|
2020-10-04 03:57:07 +05:30
|
|
|
end
|
2022-01-26 12:08:38 +05:30
|
|
|
|
2023-01-13 00:05:48 +05:30
|
|
|
redis.sadd?(lookup_key, [(active_count + 1).to_s, (active_count + 2).to_s])
|
2020-10-04 03:57:07 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
it 'removes obsolete lookup entries' do
|
2023-06-20 00:43:36 +05:30
|
|
|
active = Gitlab::Redis::Sessions.with do |redis|
|
2022-01-26 12:08:38 +05:30
|
|
|
ActiveSession.cleaned_up_lookup_entries(redis, user)
|
|
|
|
end
|
|
|
|
|
|
|
|
expect(active.count).to eq(active_count)
|
2020-10-04 03:57:07 +05:30
|
|
|
|
2023-06-20 00:43:36 +05:30
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
2022-01-26 12:08:38 +05:30
|
|
|
lookup_entries = redis.smembers(lookup_key)
|
2020-10-04 03:57:07 +05:30
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
expect(lookup_entries.count).to eq(active_count)
|
|
|
|
expect(lookup_entries).not_to include(
|
|
|
|
(active_count + 1).to_s,
|
|
|
|
(active_count + 2).to_s
|
|
|
|
)
|
2020-10-04 03:57:07 +05:30
|
|
|
end
|
|
|
|
end
|
2022-01-26 12:08:38 +05:30
|
|
|
|
|
|
|
it 'reports the removed entries' do
|
|
|
|
removed = []
|
2023-06-20 00:43:36 +05:30
|
|
|
Gitlab::Redis::Sessions.with do |redis|
|
2022-01-26 12:08:38 +05:30
|
|
|
ActiveSession.cleaned_up_lookup_entries(redis, user, removed)
|
|
|
|
end
|
|
|
|
|
|
|
|
expect(removed.count).to eq(2)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with legacy sessions' do
|
|
|
|
let(:session_key) { described_class.key_name_v1(user.id, current_session_id) }
|
|
|
|
|
|
|
|
def key_name(user_id, session_id)
|
|
|
|
described_class.key_name_v1(user_id, session_id)
|
|
|
|
end
|
|
|
|
|
|
|
|
def dump_session(session)
|
|
|
|
Marshal.dump(session)
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'cleaning up lookup entries'
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with new sessions' do
|
|
|
|
let(:session_key) { described_class.key_name(user.id, current_session_id) }
|
|
|
|
|
|
|
|
def key_name(user_id, session_id)
|
|
|
|
described_class.key_name(user_id, session_id)
|
|
|
|
end
|
|
|
|
|
|
|
|
def dump_session(session)
|
|
|
|
session.dump
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'cleaning up lookup entries'
|
2020-10-04 03:57:07 +05:30
|
|
|
end
|
2018-10-15 14:42:47 +05:30
|
|
|
end
|
2023-06-20 00:43:36 +05:30
|
|
|
|
|
|
|
describe '.set_active_user_cookie' do
|
|
|
|
let(:auth) { double(cookies: {}) }
|
|
|
|
|
|
|
|
it 'sets marketing cookie' do
|
|
|
|
ActiveSession.set_active_user_cookie(auth)
|
|
|
|
expect(auth.cookies[:about_gitlab_active_user][:value]).to be_truthy
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '.unset_active_user_cookie' do
|
|
|
|
let(:auth) { double(cookies: {}) }
|
|
|
|
|
|
|
|
before do
|
|
|
|
ActiveSession.set_active_user_cookie(auth)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'unsets marketing cookie' do
|
|
|
|
ActiveSession.unset_active_user_cookie(auth)
|
|
|
|
expect(auth.cookies[:about_gitlab_active_user]).to be_nil
|
|
|
|
end
|
|
|
|
end
|
2018-10-15 14:42:47 +05:30
|
|
|
end
|