Generate new session ID after login

This commit mitigates the Session Fixation issue by making sure a new
session ID is generated each time a user logs in to Harbor

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
Daniel Jiang 2019-09-19 01:17:07 +08:00
parent c360e71d51
commit 07dd14d3b5
3 changed files with 16 additions and 6 deletions


@ -18,6 +18,7 @@ import (
"encoding/json" "encoding/json"
"errors" "errors"
"fmt" "fmt"
"github.com/goharbor/harbor/src/common/models"
"net/http" "net/http"
"github.com/ghodss/yaml" "github.com/ghodss/yaml"
@ -37,6 +38,7 @@ import (
const ( const (
yamlFileContentType = "application/x-yaml" yamlFileContentType = "application/x-yaml"
userSessionKey = "user"
) )
// the managers/controllers used globally // the managers/controllers used globally
@ -168,6 +170,12 @@ func (b *BaseController) WriteYamlData(object interface{}) {
_, _ = w.Write(yData) _, _ = w.Write(yData)
} }
// PopulateUserSession generates a new session ID and fill the user model in parm to the session
func (b *BaseController) PopulateUserSession(u models.User) {
b.SessionRegenerateID()
b.SetSession(userSessionKey, u)
}
// Init related objects/configurations for the API controllers // Init related objects/configurations for the API controllers
func Init() error { func Init() error {
registerHealthCheckers() registerHealthCheckers()
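Review bot: PopulateUserSession regenerates the ID before writing the user, which is the right order, but its doc comment neither says why the regeneration matters nor reads cleanly; suggested: `// PopulateUserSession regenerates the session ID and then stores u under userSessionKey. Call it on every successful login so the ID of the pre-authentication session is never carried into the authenticated one (session fixation).` Whether values already present in the old session survive SessionRegenerateID depends on the beego session provider, which is not visible here; if anything sensitive can be stored before login, that is worth confirming and noting in the comment. userSessionKey is unexported, so any other package that reads the "user" entry from the session presumably still spells the literal itself; exporting the constant, or referencing it in a comment, would keep the two from drifting apart.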


@ -17,6 +17,7 @@ package controllers
import ( import (
"bytes" "bytes"
"context" "context"
"github.com/goharbor/harbor/src/core/api"
"html/template" "html/template"
"net" "net"
"net/http" "net/http"
@ -38,11 +39,9 @@ import (
"github.com/goharbor/harbor/src/core/filter" "github.com/goharbor/harbor/src/core/filter"
) )
const userKey = "user"
// CommonController handles request from UI that doesn't expect a page, such as /SwitchLanguage /logout ... // CommonController handles request from UI that doesn't expect a page, such as /SwitchLanguage /logout ...
type CommonController struct { type CommonController struct {
beego.Controller api.BaseController
i18n.Locale i18n.Locale
} }
@ -51,6 +50,9 @@ func (cc *CommonController) Render() error {
return nil return nil
} }
// Prepare overwrites the Prepare func in api.BaseController to ignore unnecessary steps
func (cc *CommonController) Prepare() {}
type messageDetail struct { type messageDetail struct {
Hint string Hint string
URL string URL string
@ -111,7 +113,7 @@ func (cc *CommonController) Login() {
if user == nil { if user == nil {
cc.CustomAbort(http.StatusUnauthorized, "") cc.CustomAbort(http.StatusUnauthorized, "")
} }
cc.SetSession(userKey, *user) cc.PopulateUserSession(*user)
} }
// LogOut Habor UI // LogOut Habor UI
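Review bot: The empty Prepare on CommonController skips whatever api.BaseController.Prepare sets up, so any inherited BaseController method that relies on that state would misbehave if it were ever called from this controller; the Login hunk only uses the session helper PopulateUserSession, which appears to need nothing from Prepare, but that invariant is not written down. Suggested comment in place of the current one: `// Prepare intentionally does nothing: CommonController embeds api.BaseController only for its session helpers (PopulateUserSession), which do not depend on the state BaseController.Prepare initializes. Do not call inherited methods that need that state from this controller.` The new `api` import is placed in the stdlib group between "context" and "html/template", while the file's other harbor imports (core/filter in the next hunk) form their own group; goimports would move it there. Login's body starts outside the hunk.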


@ -148,7 +148,7 @@ func (oc *OIDCController) Callback() {
oc.SendInternalServerError(err) oc.SendInternalServerError(err)
return return
} }
oc.SetSession(userKey, *u) oc.PopulateUserSession(*u)
oc.Controller.Redirect("/", http.StatusFound) oc.Controller.Redirect("/", http.StatusFound)
} }
} }
@ -219,8 +219,8 @@ func (oc *OIDCController) Onboard() {
} }
user.OIDCUserMeta = nil user.OIDCUserMeta = nil
oc.SetSession(userKey, user)
oc.DelSession(userInfoKey) oc.DelSession(userInfoKey)
oc.PopulateUserSession(user)
} }
func secretAndToken(tokenBytes []byte) (string, string, error) { func secretAndToken(tokenBytes []byte) (string, string, error) {
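Review bot: In Onboard the DelSession(userInfoKey) call now runs before PopulateUserSession, so the pending OIDC user info is dropped before the session ID is regenerated, but nothing marks that ordering as deliberate and a later tidy-up could swap it back; suggested comment above the DelSession line: `// Drop the pending OIDC user info before the session ID is regenerated so it is not carried into the authenticated session.` In Callback the existing-user path calls PopulateUserSession without a matching DelSession; if that path can also have userInfoKey set in the session (not visible in this hunk), the same cleanup belongs there. Whether SessionRegenerateID copies existing values into the new session depends on the beego session provider, which this page does not show. Both Callback and Onboard start outside their hunks.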