From 5b52880822c5aa2fe12a5b615d8965346698bf70 Mon Sep 17 00:00:00 2001
From: manisha kumari
Date: Thu, 12 Sep 2024 15:07:37 +0530
Subject: [PATCH 1/9] etcd user session cleanup every 11 minutes

Signed-off-by: manisha kumari
---
 backend/store/etcd/session.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/backend/store/etcd/session.go b/backend/store/etcd/session.go
index 9f95b85bf..b0098e819 100644
--- a/backend/store/etcd/session.go
+++ b/backend/store/etcd/session.go
@@ -30,12 +30,15 @@ func (s *Store) GetSession(ctx context.Context, username, sessionID string) (str
 }
 
 // UpdateSession applies the supplied state to the session uniquely identified
-// by the given username and session ID.
+// by the given username and session ID and TTL of 11 minutes
 func (s *Store) UpdateSession(ctx context.Context, username, sessionID, state string) error {
- if _, err := s.client.Put(ctx, userSessionPath(username, sessionID), state); err != nil {
+ leaseResp, err := s.client.Grant(ctx, 60*11)
+ if err != nil {
+ fmt.Errorf("%s", err)
+ }
+ if _, err := s.client.Put(ctx, userSessionPath(username, sessionID), state, clientv3.WithLease(leaseResp.ID)); err != nil {
 return err
 }
-
 return nil
 }
 

From edf94b0d9d61c1d6ac553a97e4238323e3149c4f Mon Sep 17 00:00:00 2001
From: manisha kumari
Date: Thu, 12 Sep 2024 15:55:58 +0530
Subject: [PATCH 2/9] added change log

Signed-off-by: manisha kumari
---
 CHANGELOG-6.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/CHANGELOG-6.md b/CHANGELOG-6.md
index 119040c1a..22a7c1a08 100644
--- a/CHANGELOG-6.md
+++ b/CHANGELOG-6.md
@@ -6,6 +6,12 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). +## [6.11.1] - 2024-09-12 + ### Changed - Added TTl to each entry in user-session within etcd - TTl value is 11 minutes ## [6.11.0] - 2024-01-31 ### Changed 
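Review bot: The Grant error on the added `if err != nil` branch is discarded — `fmt.Errorf("%s", err)` builds an error and drops it — so a failed lease grant falls through to `clientv3.WithLease(leaseResp.ID)` with a nil response; patch 7 later adds the missing `return`, but the wrap should also keep the chain, `return fmt.Errorf("granting session lease: %w", err)`. Separately, every UpdateSession call grants a fresh lease and the lease previously attached to the key is left to run out on its own, so leases accumulate at the rate of session updates until their TTL passes; keeping one lease per session (or revoking the old one after the Put) would avoid that. The `60*11` figure is a bare number with no comment saying what it is derived from.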
From 7ace8870758a4458e88b52385c2f629af32969cc Mon Sep 17 00:00:00 2001
From: manisha kumari
Date: Tue, 17 Sep 2024 14:05:38 +0530
Subject: [PATCH 3/9] 6 mins ttl for user sessions

Signed-off-by: manisha kumari
---
 backend/store/etcd/session.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/backend/store/etcd/session.go b/backend/store/etcd/session.go
index b0098e819..f6fe7c9a4 100644
--- a/backend/store/etcd/session.go
+++ b/backend/store/etcd/session.go
@@ -30,9 +30,9 @@ func (s *Store) GetSession(ctx context.Context, username, sessionID string) (str
 }
 
 // UpdateSession applies the supplied state to the session uniquely identified
-// by the given username and session ID and TTL of 11 minutes
+// by the given username and session ID and TTL of 6 minutes considering access token expires in 5 minutes
 func (s *Store) UpdateSession(ctx context.Context, username, sessionID, state string) error {
- leaseResp, err := s.client.Grant(ctx, 60*11)
+ leaseResp, err := s.client.Grant(ctx, 60*6)
 if err != nil {
 fmt.Errorf("%s", err)
 }
@@ -48,6 +48,5 @@ func (s *Store) DeleteSession(ctx context.Context, username, sessionID string) e
 if _, err := s.client.Delete(ctx, userSessionPath(username, sessionID)); err != nil {
 return err
 }
-
 return nil
 }

From 6c08054e47663a04f7ed95224da310fb74332369 Mon Sep 17 00:00:00 2001
From: manisha kumari
Date: Tue, 17 Sep 2024 14:34:07 +0530
Subject: [PATCH 4/9] 6 mins ttl for user sessions

Signed-off-by: manisha kumari
---
 backend/store/etcd/session.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/store/etcd/session.go b/backend/store/etcd/session.go
index f6fe7c9a4..910d09873 100644
--- a/backend/store/etcd/session.go
+++ b/backend/store/etcd/session.go
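Review bot: The lease granted on the `s.client.Grant(ctx, 60*6)` line starts counting when the grant succeeds, so a session that is not updated again disappears six minutes later, while refresh tokens keep `defaultRefreshTokenLifespan = 12 * time.Hour` (visible in the jwt.go hunk of patch 8); if the refresh path reads the session through GetSession, a client idle for more than six minutes will fail to refresh even with a still-valid refresh token. Whether that is the intended behaviour should be stated in the UpdateSession comment rather than only "considering access token expires in 5 minutes", e.g. `// The key is leased for slightly longer than an access token, so an idle session expires with its token and has to be re-established by logging in.` The same question applies to the derived TTL in patch 8. The remainder of UpdateSession lies outside this hunk.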
@@ -30,7 +30,7 @@ func (s *Store) GetSession(ctx context.Context, username, sessionID string) (str
 }
 
 // UpdateSession applies the supplied state to the session uniquely identified
-// by the given username and session ID and TTL of 6 minutes considering access token expires in 5 minutes
+// by the given username and session ID and TTL of 6 minutes added considering access token expires in 5 minutes
 func (s *Store) UpdateSession(ctx context.Context, username, sessionID, state string) error {
 leaseResp, err := s.client.Grant(ctx, 60*6)
 if err != nil {

From da0b51af382b407096e24f38acc46b03e11a6206 Mon Sep 17 00:00:00 2001
From: manisha kumari
Date: Tue, 17 Sep 2024 14:45:15 +0530
Subject: [PATCH 5/9] added 6 mins ttl for user sessions

Signed-off-by: manisha kumari
---
 backend/store/etcd/session.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/store/etcd/session.go b/backend/store/etcd/session.go
index 910d09873..d46925cab 100644
--- a/backend/store/etcd/session.go
+++ b/backend/store/etcd/session.go
@@ -30,7 +30,7 @@ func (s *Store) GetSession(ctx context.Context, username, sessionID string) (str
 }
 
 // UpdateSession applies the supplied state to the session uniquely identified
-// by the given username and session ID and TTL of 6 minutes added considering access token expires in 5 minutes
+// by the given username and session ID and TTL of 6 minutes added considering access token gets expired in 5 minutes
 func (s *Store) UpdateSession(ctx context.Context, username, sessionID, state string) error {
 leaseResp, err := s.client.Grant(ctx, 60*6)
 if err != nil {

From 2d32a3d6fc7225cae7a1bf2e50609952afbe95d8 Mon Sep 17 00:00:00 2001
From: manisha kumari
Date: Tue, 17 Sep 2024 14:57:11 +0530
Subject: [PATCH 6/9] added 6 mins ttl for each user sessions

Signed-off-by: manisha kumari
---
 backend/store/etcd/session.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/store/etcd/session.go b/backend/store/etcd/session.go
index d46925cab..910d09873 100644
--- a/backend/store/etcd/session.go
+++ b/backend/store/etcd/session.go
@@ -30,7 +30,7 @@ func (s *Store) GetSession(ctx context.Context, username, sessionID string) (str
 }
 
 // UpdateSession applies the supplied state to the session uniquely identified
-// by the given username and session ID and TTL of 6 minutes added considering access token gets expired in 5 minutes
+// by the given username and session ID and TTL of 6 minutes added considering access token expires in 5 minutes
 func (s *Store) UpdateSession(ctx context.Context, username, sessionID, state string) error {
 leaseResp, err := s.client.Grant(ctx, 60*6)
 if err != nil {

From d1eb3fb0caf412ad50a73920ff654fc37715783f Mon Sep 17 00:00:00 2001
From: manisha kumari
Date: Tue, 17 Sep 2024 15:19:06 +0530
Subject: [PATCH 7/9] added 6 mins ttl for each user_sessions

Signed-off-by: manisha kumari
---
 CHANGELOG-6.md | 2 +-
 backend/store/etcd/session.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG-6.md b/CHANGELOG-6.md
index 22a7c1a08..9a8eccde0 100644
--- a/CHANGELOG-6.md
+++ b/CHANGELOG-6.md
@@ -10,7 +10,7 @@ Versioning](http://semver.org/spec/v2.0.0.html).
 
 ### Changed
 - Added TTl to each entry in user-session within etcd
-- TTl value is 11 minutes
+- TTl value is 6 minutes
 
 ## [6.11.0] - 2024-01-31
 
diff --git a/backend/store/etcd/session.go b/backend/store/etcd/session.go
index 910d09873..8dc8ac715 100644
--- a/backend/store/etcd/session.go
+++ b/backend/store/etcd/session.go
@@ -34,7 +34,7 @@ func (s *Store) GetSession(ctx context.Context, username, sessionID string) (str
 func (s *Store) UpdateSession(ctx context.Context, username, sessionID, state string) error {
 leaseResp, err := s.client.Grant(ctx, 60*6)
 if err != nil {
- fmt.Errorf("%s", err)
+ return fmt.Errorf("%s", err)
 }
 if _, err := s.client.Put(ctx, userSessionPath(username, sessionID), state, clientv3.WithLease(leaseResp.ID)); err != nil {
 return err

From 596c9067df8216dac2203a89644c0cd0d4dc63a9 Mon Sep 17 00:00:00 2001
From: manisha kumari
Date: Wed, 25 Sep 2024 13:37:00 +0530
Subject: [PATCH 8/9] ttl hardcoding removed

Signed-off-by: manisha kumari
---
 CHANGELOG-6.md | 4 ++--
 backend/authentication/jwt/jwt.go | 8 ++++----
 backend/authentication/jwt/jwt_test.go | 6 +++---
 backend/store/etcd/session.go | 9 ++++++---
 4 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/CHANGELOG-6.md b/CHANGELOG-6.md
index 9a8eccde0..8a9a7494b 100644
--- a/CHANGELOG-6.md
+++ b/CHANGELOG-6.md
@@ -9,8 +9,8 @@ Versioning](http://semver.org/spec/v2.0.0.html).
 ## [6.11.1] - 2024-09-12
 
 ### Changed
-- Added TTl to each entry in user-session within etcd
-- TTl value is 6 minutes
+- ADD TTL to each user session in the etcd data store to prevent leak.
+- TTl value is DefaultAccessTokenLifeSpan + 1 minute
 
 ## [6.11.0] - 2024-01-31
 
diff --git a/backend/authentication/jwt/jwt.go b/backend/authentication/jwt/jwt.go
index 09c65d526..7e2d513ec 100644
--- a/backend/authentication/jwt/jwt.go
+++ b/backend/authentication/jwt/jwt.go
@@ -26,7 +26,7 @@ const (
 )
 
 var (
-defaultAccessTokenLifespan = 5 * time.Minute
+DefaultAccessTokenLifespan = 5 * time.Minute
 defaultRefreshTokenLifespan = 12 * time.Hour
 secret []byte
 privateKey *ecdsa.PrivateKey
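Review bot: `return fmt.Errorf("%s", err)` on the added line flattens the etcd error to its text, so callers can no longer use errors.Is to tell a cancelled context or deadline from any other failure; wrap with `%w` and say what this layer was doing, `return fmt.Errorf("granting session lease: %w", err)`. UpdateSession continues past the end of this hunk.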
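Review bot: Renaming `defaultAccessTokenLifespan` to the exported `DefaultAccessTokenLifespan` inside the `var (` block turns the access-token lifetime into package state that any importer can reassign at runtime; unless something outside this hunk writes to it (the test hunks in this patch only read it), moving it into the `const (` block above as `DefaultAccessTokenLifespan = 5 * time.Minute` gives readers the value without the mutability. As an exported name it also needs a doc comment, `// DefaultAccessTokenLifespan is how long an issued access token stays valid.`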
@@ -58,7 +58,7 @@ func AccessToken(claims *corev2.Claims) (*jwt.Token, string, error) {
 claims.Id = jti
 
 // Add an expiration to the token
- claims.ExpiresAt = time.Now().Add(defaultAccessTokenLifespan).Unix()
+ claims.ExpiresAt = time.Now().Add(DefaultAccessTokenLifespan).Unix()
 
 token := jwt.NewWithClaims(signingMethod, claims)
 
@@ -78,7 +78,7 @@ func AccessToken(claims *corev2.Claims) (*jwt.Token, string, error) {
 return token, tokenString, nil
 }
 
-// NewClaims creates new claim based on username
+:q// NewClaims creates new claim based on username
 func NewClaims(user *corev2.User) (*corev2.Claims, error) {
 // Create a unique identifier for the token
 jti, err := GenJTI()
@@ -91,7 +91,7 @@ func NewClaims(user *corev2.User) (*corev2.Claims, error) {
 // library's documentation. We should replace its usage with
 // RegisteredClaims.
 StandardClaims: jwt.StandardClaims{
- ExpiresAt: time.Now().Add(defaultAccessTokenLifespan).Unix(),
+ ExpiresAt: time.Now().Add(DefaultAccessTokenLifespan).Unix(),
 Id: jti,
 Subject: user.Username,
 },
diff --git a/backend/authentication/jwt/jwt_test.go b/backend/authentication/jwt/jwt_test.go
index 0abc6ba5e..bbfea6756 100644
--- a/backend/authentication/jwt/jwt_test.go
+++ b/backend/authentication/jwt/jwt_test.go
@@ -121,7 +121,7 @@ func TestValidateTokenError(t *testing.T) {
 assert.NoError(t, err)
 
 // The token should expire after the expiration time
- testTime.Set(time.Now().Add(defaultAccessTokenLifespan + time.Hour))
+ testTime.Set(time.Now().Add(DefaultAccessTokenLifespan + time.Hour))
 _, err = ValidateToken(tokenString)
 assert.Error(t, err)
 }
@@ -134,7 +134,7 @@ func TestValidateExpiredToken(t *testing.T) {
 _, tokenString, _ := AccessToken(claims)
 
 // Wait for the token to expire
- testTime.Set(time.Now().Add(defaultAccessTokenLifespan + time.Second))
+ testTime.Set(time.Now().Add(DefaultAccessTokenLifespan + time.Second))
 _, err := ValidateExpiredToken(tokenString)
 assert.NoError(t, err, "An expired token should not be considered as invalid")
 }
@@ -158,7 +158,7 @@ func TestValidateExpiredTokenInvalid(t *testing.T) {
 _, tokenString, _ := AccessToken(claims)
 
 // The token will expire
- testTime.Set(time.Now().Add(defaultAccessTokenLifespan + time.Second))
+ testTime.Set(time.Now().Add(DefaultAccessTokenLifespan + time.Second))
 
 // Modify the secret so it's no longer valid
 secret = []byte("qux")
diff --git a/backend/store/etcd/session.go b/backend/store/etcd/session.go
index 8dc8ac715..2af98e839 100644
--- a/backend/store/etcd/session.go
+++ b/backend/store/etcd/session.go
@@ -3,7 +3,7 @@ package etcd
 import (
 "context"
 "fmt"
-
+ "github.com/sensu/sensu-go/backend/authentication/jwt"
 "github.com/sensu/sensu-go/backend/store"
 "go.etcd.io/etcd/client/v3"
 )
@@ -30,9 +30,12 @@ func (s *Store) GetSession(ctx context.Context, username, sessionID string) (str
 }
 
 // UpdateSession applies the supplied state to the session uniquely identified
-// by the given username and session ID and TTL of 6 minutes added considering access token expires in 5 minutes
+// by the given username and session ID with attached lease for TTL of the key
 func (s *Store) UpdateSession(ctx context.Context, username, sessionID, state string) error {
- leaseResp, err := s.client.Grant(ctx, 60*6)
+
+ leaseDuration := jwt.DefaultAccessTokenLifespan
+ ttl := int64(leaseDuration.Minutes()+1) * 60
+ leaseResp, err := s.client.Grant(ctx, ttl)
 if err != nil {
 return fmt.Errorf("%s", err)
 }

From 32e117fac6efc38c3a674dc39d0bf196b60cba34 Mon Sep 17 00:00:00 2001
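Review bot: The removed blank line was the separator between the standard-library and third-party import groups, and the added jwt import now sits in its place; goimports will reinsert that blank line, so keep it and add the jwt line to the third-party group instead. This hunk also makes backend/store/etcd depend on backend/authentication/jwt; if jwt or anything it imports ever reaches back into the store packages that becomes an import cycle, so it may be cleaner to pass the TTL into the store (or define the constant somewhere both packages can see) than to import the token package from the store.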
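Review bot: `ttl := int64(leaseDuration.Minutes()+1) * 60` goes through a float minute count and truncates, so for any lifespan that is not a whole number of minutes the intended one-minute margin over the access token shrinks (a 5m30s lifespan yields 360 s, only 30 s of slack); computing in seconds keeps the margin exact, `ttl := int64((jwt.DefaultAccessTokenLifespan + time.Minute) / time.Second)` with `"time"` added to the import block. The empty line added directly after the signature is not used elsewhere in this file and gofmt will keep it. The new doc comment drops the rationale for the margin; it should say why the lease is longer than the token (presumably so the key outlives any access token issued for the session), e.g. `// The lease exceeds DefaultAccessTokenLifespan by one minute so the key outlives any access token issued for this session.` The rest of UpdateSession is outside this hunk.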
From: manisha kumari
Date: Wed, 25 Sep 2024 13:43:06 +0530
Subject: [PATCH 9/9] ttl hardcoding removed

Signed-off-by: manisha kumari
---
 backend/authentication/jwt/jwt.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/authentication/jwt/jwt.go b/backend/authentication/jwt/jwt.go
index 7e2d513ec..81fbb8444 100644
--- a/backend/authentication/jwt/jwt.go
+++ b/backend/authentication/jwt/jwt.go
@@ -78,7 +78,7 @@ func AccessToken(claims *corev2.Claims) (*jwt.Token, string, error) {
 return token, tokenString, nil
 }
 
-:q// NewClaims creates new claim based on username
+// NewClaims creates new claim based on username
 func NewClaims(user *corev2.User) (*corev2.Claims, error) {
 // Create a unique identifier for the token
 jti, err := GenJTI()