Class: ActiveSession

Inherits:

Object

• Object
• ActiveSession

Includes:

ActiveModel::Model

Defined in:

app/models/active_session.rb

Overview

Backing store for GitLab session data.

The raw session information is stored by the Rails session store (config/initializers/session_store.rb). These entries are accessible by the rack_key_name class method and constitute the base of the session data entries. All other entries in the session store can be traced back to these entries.

After a user logs in (config/initializers/warden.rb) a further entry is made in Redis. This entry holds a record of the user’s logged in session. These are accessible with the key_name(user_id, session_id) class method. These entries will expire. Lookups to these entries are lazilly cleaned on future user access.

There is a reference to all sessions that belong to a specific user. A user may login through multiple browsers/devices and thus record multiple login sessions. These are accessible through the lookup_key_name(user_id) class method.

Constant Summary

SESSION_BATCH_SIZE =

200

ALLOWED_NUMBER_OF_ACTIVE_SESSIONS =

100

ATTR_ACCESSOR_LIST =

[
  :ip_address, :browser, :os,
  :device_name, :device_type,
  :is_impersonated, :session_id, :session_private_id,
  :admin_mode, :step_up_authenticated
].freeze

ATTR_READER_LIST =

[
  :created_at, :updated_at
].freeze

Class Method Summary

• .cleaned_up_lookup_entries(redis, user, removed = []) ⇒ Object

  Cleans up the lookup set by removing any session IDs that are no longer present.

• .cleanup(user) ⇒ Object
• .destroy_all_but_current(user, current_rack_session) ⇒ Object
• .destroy_session(user, session_id) ⇒ Object
• .destroy_sessions(redis, user, session_ids) ⇒ Object
• .key_name(user_id, session_id = '*') ⇒ Object
• .key_name_v1(user_id, session_id = '*') ⇒ Object

  Deprecated.

• .list(user) ⇒ Object
• .list_sessions(user) ⇒ Object
• .lookup_key_name(user_id) ⇒ Object
• .session_ids_for_user(user_id) ⇒ Object

  Lists the relevant session IDs for the user.

• .sessions_from_ids(session_ids) ⇒ Object

  Lists the session Hash objects for the given session IDs.

• .set(user, request) ⇒ Object

Instance Method Summary

• #created_at=(time) ⇒ Object
• #current?(rack_session) ⇒ Boolean
• #dump ⇒ Object
• #eql?(other) ⇒ Boolean (also: #==)
• #human_device_type ⇒ Object
• #id ⇒ Object
• #ids ⇒ Object
• #updated_at=(time) ⇒ Object

Class Method Details

.cleaned_up_lookup_entries(redis, user, removed = []) ⇒ Object

Cleans up the lookup set by removing any session IDs that are no longer present.

Returns an array of marshalled ActiveModel objects that are still active. Records removed keys in the optional ‘removed` argument array.

# File 'app/models/active_session.rb', line 320

def self.cleaned_up_lookup_entries(redis, user, removed = [])
  lookup_key = lookup_key_name(user.id)
  session_ids = session_ids_for_user(user.id)
  session_ids_and_entries = raw_active_session_entries(redis, session_ids, user.id)

  # remove expired keys.
  # only the single key entries are automatically expired by redis, the
  # lookup entries in the set need to be removed manually.
  redis.pipelined do |pipeline|
    session_ids_and_entries.each do |session_id, entry|
      next if entry

      pipeline.srem?(lookup_key, session_id)
    end
  end

  removed.concat(session_ids_and_entries.select { |_, v| v.nil? }.keys)

  session_ids_and_entries.values.compact
end

.cleanup(user) ⇒ Object

# File 'app/models/active_session.rb', line 122

def self.cleanup(user)
  Gitlab::Redis::Sessions.with do |redis|
    clean_up_old_sessions(redis, user)
    cleaned_up_lookup_entries(redis, user)
  end
end

.destroy_all_but_current(user, current_rack_session) ⇒ Object

# File 'app/models/active_session.rb', line 157

def self.destroy_all_but_current(user, current_rack_session)
  sessions = not_impersonated(user)
  sessions.reject! { |session| session.current?(current_rack_session) } if current_rack_session

  Gitlab::Redis::Sessions.with do |redis|
    session_ids = sessions.flat_map(&:ids)
    destroy_sessions(redis, user, session_ids) if session_ids.any?
  end
end

.destroy_session(user, session_id) ⇒ Object

# File 'app/models/active_session.rb', line 149

def self.destroy_session(user, session_id)
  return unless session_id

  Gitlab::Redis::Sessions.with do |redis|
    destroy_sessions(redis, user, [session_id].compact)
  end
end

.destroy_sessions(redis, user, session_ids) ⇒ Object

# File 'app/models/active_session.rb', line 129

def self.destroy_sessions(redis, user, session_ids)
  return if session_ids.empty?

  key_names = session_ids.map { |session_id| key_name(user.id, session_id) }
  key_names += session_ids.map { |session_id| key_name_v1(user.id, session_id) }

  redis.srem(lookup_key_name(user.id), session_ids)

  session_keys = rack_session_keys(session_ids)
  Gitlab::Instrumentation::RedisClusterValidator.allow_cross_slot_commands do
    if Gitlab::Redis::ClusterUtil.cluster?(redis)
      Gitlab::Redis::ClusterUtil.batch_unlink(key_names, redis)
      Gitlab::Redis::ClusterUtil.batch_unlink(session_keys, redis)
    else
      redis.del(key_names)
      redis.del(session_keys)
    end
  end
end

.key_name(user_id, session_id = '*') ⇒ Object

# File 'app/models/active_session.rb', line 175

def self.key_name(user_id, session_id = '*')
  "#{Gitlab::Redis::Sessions::USER_SESSIONS_NAMESPACE}::v2:#{user_id}:#{session_id}"
end

.key_name_v1(user_id, session_id = '*') ⇒ Object

Deprecated

# File 'app/models/active_session.rb', line 180

def self.key_name_v1(user_id, session_id = '*')
  "#{Gitlab::Redis::Sessions::USER_SESSIONS_NAMESPACE}:#{user_id}:#{session_id}"
end

.list(user) ⇒ Object

# File 'app/models/active_session.rb', line 114

def self.list(user)
  Gitlab::Redis::Sessions.with do |redis|
    cleaned_up_lookup_entries(redis, user).map do |raw_session|
      load_raw_session(raw_session)
    end
  end
end

.list_sessions(user) ⇒ Object

# File 'app/models/active_session.rb', line 188

def self.list_sessions(user)
  sessions_from_ids(session_ids_for_user(user.id))
end

.lookup_key_name(user_id) ⇒ Object

# File 'app/models/active_session.rb', line 184

def self.lookup_key_name(user_id)
  "#{Gitlab::Redis::Sessions::USER_SESSIONS_LOOKUP_NAMESPACE}:#{user_id}"
end

.session_ids_for_user(user_id) ⇒ Object

Lists the relevant session IDs for the user.

Returns an array of strings

# File 'app/models/active_session.rb', line 195

def self.session_ids_for_user(user_id)
  Gitlab::Redis::Sessions.with do |redis|
    redis.smembers(lookup_key_name(user_id))
  end
end

.sessions_from_ids(session_ids) ⇒ Object

Lists the session Hash objects for the given session IDs.

session_ids - An array of strings

Returns an array of ActiveSession objects

# File 'app/models/active_session.rb', line 206

def self.sessions_from_ids(session_ids)
  return [] if session_ids.empty?

  Gitlab::Redis::Sessions.with do |redis|
    session_keys = rack_session_keys(session_ids)

    session_keys.each_slice(SESSION_BATCH_SIZE).flat_map do |session_keys_batch|
      Gitlab::Instrumentation::RedisClusterValidator.allow_cross_slot_commands do
        raw_sessions = if Gitlab::Redis::ClusterUtil.cluster?(redis)
                         Gitlab::Redis::ClusterUtil.batch_get(session_keys_batch, redis)
                       else
                         redis.mget(session_keys_batch)
                       end

        raw_sessions.compact.map do |raw_session|
          load_raw_session(raw_session)
        end
      end
    end
  end
end

.set(user, request) ⇒ Object

# File 'app/models/active_session.rb', line 74

def self.set(user, request)
  Gitlab::Redis::Sessions.with do |redis|
    session_private_id = request.session.id.private_id
    client = Gitlab::SafeDeviceDetector.new(request.user_agent)
    timestamp = Time.current
    expiry = Settings.gitlab['session_expire_delay'] * 60

    active_user_session = new(
      ip_address: request.remote_ip,
      browser: client.name,
      os: client.os_name,
      device_name: client.device_name,
      device_type: client.device_type,
      created_at: user.current_sign_in_at || timestamp,
      updated_at: timestamp,
      session_private_id: session_private_id,
      is_impersonated: request.session[:impersonator_id].present?,
      admin_mode: Gitlab::Auth::CurrentUserMode.new(user, request.session).admin_mode?,
      step_up_authenticated:
        Feature.enabled?(:omniauth_step_up_auth_for_admin_mode, user) &&
          ::Gitlab::Auth::Oidc::StepUpAuthentication.succeeded?(request.session)
    )

    Gitlab::Instrumentation::RedisClusterValidator.allow_cross_slot_commands do
      redis.pipelined do |pipeline|
        pipeline.setex(
          key_name(user.id, session_private_id),
          expiry,
          active_user_session.dump
        )

        pipeline.sadd?(
          lookup_key_name(user.id),
          session_private_id
        )
      end
    end
  end
end

Instance Method Details

#created_at=(time) ⇒ Object

# File 'app/models/active_session.rb', line 41

def created_at=(time)
  @created_at = time.is_a?(String) ? Time.zone.parse(time) : time
end

#current?(rack_session) ⇒ Boolean

Returns:

• (Boolean)

# File 'app/models/active_session.rb', line 49

def current?(rack_session)
  return false if session_private_id.nil? || rack_session.id.nil?

  # Rack v2.0.8+ added private_id, which uses the hash of the
  # public_id to avoid timing attacks.
  session_private_id == rack_session.id.private_id
end

#dump ⇒ Object

# File 'app/models/active_session.rb', line 228

def dump
  "v2:#{Gitlab::Json.dump(self)}"
end

#eql?(other) ⇒ Boolean Also known as: ==

Returns:

• (Boolean)

# File 'app/models/active_session.rb', line 57

def eql?(other)
  other.is_a?(self.class) && id == other.id
end

#human_device_type ⇒ Object

# File 'app/models/active_session.rb', line 70

def human_device_type
  device_type&.titleize
end

#id ⇒ Object

# File 'app/models/active_session.rb', line 62

def id
  session_private_id.presence || session_id
end

#ids ⇒ Object

# File 'app/models/active_session.rb', line 66

def ids
  [session_private_id, session_id].compact
end

#updated_at=(time) ⇒ Object

# File 'app/models/active_session.rb', line 45

def updated_at=(time)
  @updated_at = time.is_a?(String) ? Time.zone.parse(time) : time
end