dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/thrift/SessionManager.java


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215

package org.openslx.bwlp.sat.thrift;

import java.sql.SQLException;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.openslx.bwlp.sat.database.mappers.DbUser;
import org.openslx.bwlp.sat.permissions.User;
import org.openslx.bwlp.sat.util.Formatter;
import org.openslx.bwlp.thrift.iface.AuthorizationError;
import org.openslx.bwlp.thrift.iface.Role;
import org.openslx.bwlp.thrift.iface.TAuthorizationException;
import org.openslx.bwlp.thrift.iface.TInvalidTokenException;
import org.openslx.bwlp.thrift.iface.TInvocationException;
import org.openslx.bwlp.thrift.iface.UserInfo;
import org.openslx.thrifthelper.ThriftManager;
import org.openslx.util.QuickTimer;
import org.openslx.util.QuickTimer.Task;

/**
 * Manages user sessions. Mainly used to map tokens to users.
 * 
 */
public class SessionManager {

	private static final Logger LOGGER = LogManager.getLogger(SessionManager.class);

	private static class Entry {
		private static final long SESSION_TIMEOUT = TimeUnit.DAYS.toMillis(1);
		private final UserInfo user;
		private long validUntil;

		private Entry(UserInfo user) {
			this.user = user;
			this.validUntil = System.currentTimeMillis() + SESSION_TIMEOUT;
		}

		public void touch(long now) {
			this.validUntil = now + SESSION_TIMEOUT;
		}

		public boolean isTooOld(long now) {
			return validUntil < now;
		}
	}

	// saves the current tokens and the mapped userdata, returning from the server
	private static final Map<String, Entry> tokenManager = new ConcurrentHashMap<>();

	static {
		// Clean cached session periodically
		QuickTimer.scheduleAtFixedDelay(new Task() {
			@Override
			public void fire() {
				final long now = System.currentTimeMillis();
				for (Iterator<Entry> it = tokenManager.values().iterator(); it.hasNext();) {
					Entry e = it.next();
					if (e == null || e.isTooOld(now))
						it.remove();
				}
			}
		}, 60000, 1200600);
	}

	/**
	 * Get the user corresponding to the given token.
	 * 
	 * @param token user's token
	 * @return UserInfo for the matching user
	 * @throws TAuthorizationException if the token is not known or the session
	 *             expired
	 * @throws TInvocationException
	 */
	public static UserInfo getOrFail(String token) throws TAuthorizationException, TInvocationException {
		UserInfo ui = getInternal(token);
		if (ui != null)
			return ui;
		throw new TAuthorizationException(AuthorizationError.NOT_AUTHENTICATED,
				"Your session token is not known to the server");
	}

	/**
	 * Do nothing if a user belongs to the given token and is authorized to use
	 * this satellite, throw an exception otherwise.
	 * 
	 * @param token Token in question
	 * @throws TAuthorizationException
	 * @throws TInvocationException
	 */
	public static void ensureAuthenticated(String token) throws TAuthorizationException, TInvocationException {
		getInternal(token);
	}

	/**
	 * Get the user corresponding to the given token. Returns <code>null</code>
	 * if the token is not known, or the session already timed out.
	 * 
	 * @param token user's token
	 * @return UserInfo for the matching user
	 */
	public static UserInfo get(String token) {
		try {
			return getInternal(token);
		} catch (TAuthorizationException | TInvocationException e) {
			return null;
		}
	}

	private static UserInfo getInternal(String token) throws TAuthorizationException, TInvocationException {
		Entry e = tokenManager.get(token);
		if (e == null) {
			LOGGER.info("Cache miss for token " + token + ", asking master");
			return getRemote(token);
		}
		// User session already cached
		final long now = System.currentTimeMillis();
		if (e.isTooOld(now)) {
			tokenManager.remove(token);
			return getRemote(token);
		}
		e.touch(now);
		return e.user;
	}

	/**
	 * Remove session matching the given token
	 * 
	 * @param token
	 */
	public static void remove(String token) {
		tokenManager.remove(token);
	}

	/**
	 * Get {@link UserInfo} from master server.
	 * 
	 * @param token token of user to get
	 * @return
	 * @throws TAuthorizationException if user is not allowed to use this
	 *             satellite, this exception contains the reason
	 * @throws TInvocationException if something unexpected fails
	 */
	private static UserInfo getRemote(String token) throws TAuthorizationException, TInvocationException {
		UserInfo ui = null;
		try {
			ui = ThriftManager.getMasterClient().getUserFromToken(token);
		} catch (TInvalidTokenException ite) {
			LOGGER.warn("Master says: Invalid token: " + token);
			throw new TAuthorizationException(AuthorizationError.INVALID_TOKEN,
					"Your token is not known to the master server");
		} catch (Exception e) {
			LOGGER.warn("Could not reach master server to query for user token (" + token + ") of a client!",
					e);
			throw new TInvocationException();
		}
		LOGGER.info("Got '" + Formatter.userFullName(ui) + "' (" + ui.userId + ") for token " + token);
		if (ui.role == null) {
			// Fail-safe: No role supplied, assume student
			ui.role = Role.STUDENT;
		}
		// Valid reply, check if user is allowed to communicate with this satellite server
		AuthorizationError authError = User.canLogin(ui);
		handleAuthorizationError(ui, authError);
		// Is valid, insert/update db record, but ignore students
		if (ui.role != Role.STUDENT) {
			try {
				DbUser.writeUserOnLogin(ui);
			} catch (SQLException e) {
				LOGGER.info("User " + ui.userId + " cannot be written to DB - rejecting.");
				throw new TInvocationException();
			}
			// Check again, as it might be a fresh entry to the DB, and we don't allow logins by default
			authError = User.canLogin(ui);
			handleAuthorizationError(ui, authError);
		}
		tokenManager.put(token, new Entry(ui));
		return ui;
	}
	
	private static void handleAuthorizationError(UserInfo ui, AuthorizationError authError) throws TAuthorizationException {
		if (authError == null)
			return;
		
		LOGGER.info("User " + ui.userId + " cannot login: " + authError.toString());
		switch (authError) {
		case ACCOUNT_SUSPENDED:
			throw new TAuthorizationException(authError,
					"Your account is not allowed to log in to this satellite");
		case BANNED_NETWORK:
			throw new TAuthorizationException(authError, "Your IP address is banned from this satellite");
		case INVALID_CREDENTIALS:
		case INVALID_KEY:
		case CHALLENGE_FAILED:
			throw new TAuthorizationException(authError, "Authentication error");
		case INVALID_ORGANIZATION:
			throw new TAuthorizationException(authError,
					"Your organization is not known to this satellite");
		case ORGANIZATION_SUSPENDED:
			throw new TAuthorizationException(authError,
					"Your organization is not allowed to log in to this satellite");
		case NOT_AUTHENTICATED:
		case NO_PERMISSION:
			throw new TAuthorizationException(authError, "No permission");
		case GENERIC_ERROR:
		case INVALID_TOKEN:
		default:
			throw new TAuthorizationException(authError, "Internal server error");
		}
	}

}