mirror of https://github.com/MISP/MISP
new: [security] Cancel API session right after auth key is deleted
parent
640e9492d7
commit
c0f6463d57
|
@ -1420,6 +1420,12 @@ class AppController extends Controller
|
|||
if (!$user) {
|
||||
throw new RuntimeException("User with ID {$sessionUser['id']} not exists.");
|
||||
}
|
||||
if (isset($sessionUser['authkey_id'])) {
|
||||
$this->loadModel('AuthKey');
|
||||
if (!$this->AuthKey->exists($sessionUser['authkey_id'])) {
|
||||
throw new RuntimeException("Auth key with ID {$sessionUser['authkey_id']} not exists.");
|
||||
}
|
||||
}
|
||||
foreach (['authkey_id', 'authkey_expiration', 'logged_by_authkey'] as $copy) {
|
||||
if (isset($sessionUser[$copy])) {
|
||||
$user[$copy] = $sessionUser[$copy];
|
||||
|
|
|
@ -154,6 +154,18 @@ class AuthKey extends AppModel
|
|||
return [$output, $lastUsage];
|
||||
}
|
||||
|
||||
/**
|
||||
* When key is deleted, update after `date_modified` for user that was assigned to that key, so session data
|
||||
* will be realoaded and canceled.
|
||||
* @see AppController::_refreshAuth
|
||||
*/
|
||||
public function afterDelete()
|
||||
{
|
||||
parent::afterDelete();
|
||||
$userId = $this->data['AuthKey']['user_id'];
|
||||
$this->User->updateAll(['date_modified' => time()], ['User.id' => $userId]);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return AbstractPasswordHasher
|
||||
*/
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
import os
|
||||
import sys
|
||||
import time
|
||||
import json
|
||||
import datetime
|
||||
import unittest
|
||||
|
@ -375,6 +376,35 @@ class TestSecurity(unittest.TestCase):
|
|||
|
||||
self.__delete_advanced_authkey(auth_key["id"])
|
||||
|
||||
def test_advanced_authkeys_deleted(self):
|
||||
with MISPSetting(self.admin_misp_connector, "Security.advanced_authkeys", True):
|
||||
auth_key = self.__create_advanced_authkey(self.test_usr.id)
|
||||
|
||||
logged_in = PyMISP(url, auth_key["authkey_raw"])
|
||||
self.assertEqual(logged_in._current_user.id, self.test_usr.id)
|
||||
|
||||
self.__delete_advanced_authkey(auth_key["id"])
|
||||
|
||||
assert_error_response(logged_in.get_user())
|
||||
|
||||
def test_advanced_authkeys_deleted_keep_session(self):
|
||||
with MISPComplexSetting({
|
||||
"Security": {
|
||||
"advanced_authkeys": True,
|
||||
"authkey_keep_session": True,
|
||||
}
|
||||
}):
|
||||
auth_key = self.__create_advanced_authkey(self.test_usr.id)
|
||||
|
||||
logged_in = PyMISP(url, auth_key["authkey_raw"])
|
||||
self.assertEqual(logged_in._current_user.id, self.test_usr.id)
|
||||
|
||||
self.__delete_advanced_authkey(auth_key["id"])
|
||||
# Wait one second to really know that session will be reloaded
|
||||
time.sleep(1)
|
||||
with self.assertRaises(MISPServerError):
|
||||
logged_in.get_user()
|
||||
|
||||
def test_advanced_authkeys_own_key_not_possible(self):
|
||||
with MISPSetting(self.admin_misp_connector, "Security.advanced_authkeys", True):
|
||||
authkey = ("a" * 40)
|
||||
|
|
Loading…
Reference in New Issue