Expire session when update user password

Author: ruanwenjun

dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/controller/LoginController.java

@@ -34,6 +34,7 @@
 import org.apache.dolphinscheduler.common.enums.UserType;
 import org.apache.dolphinscheduler.common.utils.JSONUtils;
 import org.apache.dolphinscheduler.common.utils.OkHttpUtils;
+import org.apache.dolphinscheduler.dao.entity.Session;
 import org.apache.dolphinscheduler.dao.entity.User;
 
 import org.apache.commons.lang3.StringUtils;
@@ -160,20 +161,13 @@ public Result ssoLogin(HttpServletRequest request) {
         return Result.success();
     }
 
-    /**
-     * sign out
-     *
-     * @param loginUser login user
-     * @param request request
-     * @return sign out result
-     */
     @Operation(summary = "signOut", description = "SIGNOUT_NOTES")
     @PostMapping(value = "/signOut")
     @ApiException(SIGN_OUT_ERROR)
     public Result signOut(@Parameter(hidden = true) @RequestAttribute(value = Constants.SESSION_USER) User loginUser,
                           HttpServletRequest request) {
         String ip = getClientIpAddress(request);
-        sessionService.signOut(ip, loginUser);
+        sessionService.expireSession(loginUser.getId());
         // clear session
         request.removeAttribute(Constants.SESSION_USER);
         return success();
@@ -244,13 +238,10 @@ public void loginByAuth2(@RequestParam String code, @RequestParam String provide
             if (user == null) {
                 user = usersService.createUser(UserType.GENERAL_USER, username, null);
             }
-            String sessionId = sessionService.createSession(user, null);
-            if (sessionId == null) {
-                log.error("Failed to create session, userName:{}.", user.getUserName());
-            }
+            Session session = sessionService.createSessionIfAbsent(user);
             response.setStatus(HttpStatus.SC_MOVED_TEMPORARILY);
             response.sendRedirect(String.format("%s?sessionId=%s&authType=%s", oAuth2ClientProperties.getCallbackUrl(),
-                    sessionId, "oauth2"));
+                    session.getId(), "oauth2"));
         } catch (Exception ex) {
             log.error(ex.getMessage(), ex);
             response.setStatus(HttpStatus.SC_MOVED_TEMPORARILY);

dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/controller/UsersController.java

@@ -76,18 +76,6 @@ public class UsersController extends BaseController {
     @Autowired
     private UsersService usersService;
 
-    /**
-     * create user
-     *
-     * @param loginUser login user
-     * @param userName user name
-     * @param userPassword user password
-     * @param email email
-     * @param tenantId tenant id
-     * @param phone phone
-     * @param queue queue
-     * @return create result code
-     */
     @Operation(summary = "createUser", description = "CREATE_USER_NOTES")
     @Parameters({
             @Parameter(name = "userName", description = "USER_NAME", required = true, schema = @Schema(implementation = String.class)),

dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/Authenticator.java

@@ -24,16 +24,19 @@
 
 import javax.servlet.http.HttpServletRequest;
 
+import lombok.NonNull;
+
 public interface Authenticator {
 
     /**
      * Verifying legality via username and password
+     *
      * @param username user name
      * @param password user password
-     * @param extra extra info
+     * @param ip       client ip
      * @return result object
      */
-    Result<Map<String, String>> authenticate(String username, String password, String extra);
+    Result<Map<String, String>> authenticate(@NonNull String username, String password, @NonNull String ip);
 
     /**
      * Get authenticated user

dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/AbstractAuthenticator.java

@@ -29,15 +29,20 @@
 import org.apache.dolphinscheduler.dao.entity.Session;
 import org.apache.dolphinscheduler.dao.entity.User;
 
+import org.apache.commons.lang3.StringUtils;
+
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Objects;
 
+import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 
+import lombok.NonNull;
 import lombok.extern.slf4j.Slf4j;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.util.WebUtils;
 
 @Slf4j
 public abstract class AbstractAuthenticator implements Authenticator {
@@ -56,15 +61,14 @@ public abstract class AbstractAuthenticator implements Authenticator {
      *
      * @param userId user identity field
      * @param password user login password
-     * @param extra extra user login field
      * @return user object in databse
      */
-    public abstract User login(String userId, String password, String extra);
+    public abstract User login(@NonNull String userId, String password);
 
     @Override
-    public Result<Map<String, String>> authenticate(String userId, String password, String extra) {
+    public Result<Map<String, String>> authenticate(@NonNull String userId, String password, @NonNull String ip) {
         Result<Map<String, String>> result = new Result<>();
-        User user = login(userId, password, extra);
+        User user = login(userId, password);
         if (user == null) {
             if (Objects.equals(securityConfig.getType(), AuthenticationType.CASDOOR_SSO.name())) {
                 log.error("State or code entered incorrectly.");
@@ -87,9 +91,8 @@ public Result<Map<String, String>> authenticate(String userId, String password,
         }
 
         // create session
-        String sessionId = sessionService.createSession(user, extra);
-        if (sessionId == null) {
-            log.error("Failed to create session, userName:{}.", user.getUserName());
+        Session session = sessionService.createSessionIfAbsent(user);
+        if (session == null) {
             result.setCode(Status.LOGIN_SESSION_FAILED.getCode());
             result.setMsg(Status.LOGIN_SESSION_FAILED.getMsg());
             return result;
@@ -98,7 +101,7 @@ public Result<Map<String, String>> authenticate(String userId, String password,
         log.info("Session is created, userName:{}.", user.getUserName());
 
         Map<String, String> data = new HashMap<>();
-        data.put(Constants.SESSION_ID, sessionId);
+        data.put(Constants.SESSION_ID, session.getId());
         data.put(Constants.SECURITY_CONFIG_TYPE, securityConfig.getType());
 
         result.setData(data);
@@ -109,9 +112,15 @@ public Result<Map<String, String>> authenticate(String userId, String password,
 
     @Override
     public User getAuthUser(HttpServletRequest request) {
-        Session session = sessionService.getSession(request);
+        String sessionId = request.getHeader(Constants.SESSION_ID);
+        if (StringUtils.isBlank(sessionId)) {
+            Cookie cookie = WebUtils.getCookie(request, Constants.SESSION_ID);
+            if (cookie != null) {
+                sessionId = cookie.getValue();
+            }
+        }
+        Session session = sessionService.getSession(sessionId);
         if (session == null) {
-            log.info("session info is null ");
             return null;
         }
         // get user object from session

dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/ldap/LdapAuthenticator.java

@@ -20,6 +20,8 @@
 import org.apache.dolphinscheduler.api.security.impl.AbstractAuthenticator;
 import org.apache.dolphinscheduler.dao.entity.User;
 
+import lombok.NonNull;
+
 import org.springframework.beans.factory.annotation.Autowired;
 
 public class LdapAuthenticator extends AbstractAuthenticator {
@@ -28,7 +30,7 @@ public class LdapAuthenticator extends AbstractAuthenticator {
     LdapService ldapService;
 
     @Override
-    public User login(String userId, String password, String extra) {
+    public User login(@NonNull String userId, String password) {
         User user = null;
         String ldapEmail = ldapService.ldapLogin(userId, password);
         if (ldapEmail != null) {

dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/pwd/PasswordAuthenticator.java

@@ -23,7 +23,7 @@
 public class PasswordAuthenticator extends AbstractAuthenticator {
 
     @Override
-    public User login(String userId, String password, String extra) {
+    public User login(String userId, String password) {
         return userService.queryUser(userId, password);
     }
 }

dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/sso/CasdoorAuthenticator.java

@@ -27,6 +27,8 @@
 
 import javax.servlet.http.HttpServletRequest;
 
+import lombok.NonNull;
+
 import org.casbin.casdoor.entity.CasdoorUser;
 import org.casbin.casdoor.service.CasdoorAuthService;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -46,7 +48,7 @@ public class CasdoorAuthenticator extends AbstractSsoAuthenticator {
     private String adminUserName;
 
     @Override
-    public User login(String state, String code, String extra) {
+    public User login(@NonNull String state, String code) {
         ServletRequestAttributes servletRequestAttributes =
                 (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
         if (servletRequestAttributes == null) {

dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/SessionService.java

@@ -20,36 +20,13 @@
 import org.apache.dolphinscheduler.dao.entity.Session;
 import org.apache.dolphinscheduler.dao.entity.User;
 
-import javax.servlet.http.HttpServletRequest;
-
-/**
- * session service
- */
 public interface SessionService {
 
-    /**
-     * get user session from request
-     *
-     * @param request request
-     * @return session
-     */
-    Session getSession(HttpServletRequest request);
+    Session getSession(String sessionId);
+
+    Session createSessionIfAbsent(User user);
 
-    /**
-     * create session
-     *
-     * @param user user
-     * @param ip ip
-     * @return session string
-     */
-    String createSession(User user, String ip);
+    void expireSession(Integer userId);
 
-    /**
-     * sign out
-     * remove ip restrictions
-     *
-     * @param ip   no use
-     * @param loginUser login user
-     */
-    void signOut(String ip, User loginUser);
+    boolean isSessionExpire(Session session);
 }