fleet/server/kolide/sessions.go

package kolide

import (
	"context"
	"time"
)

// SessionStore is the abstract interface that all session backends must
// conform to.
type SessionStore interface {
	// Given a session key, find and return a session object or an error if one
	// could not be found for the given key
	SessionByKey(key string) (*Session, error)

	// Given a session id, find and return a session object or an error if one
	// could not be found for the given id
	SessionByID(id uint) (*Session, error)

	// Find all of the active sessions for a given user
	ListSessionsForUser(id uint) ([]*Session, error)

	// Store a new session struct
	NewSession(session *Session) (*Session, error)

	// Destroy the currently tracked session
	DestroySession(session *Session) error

	// Destroy all of the sessions for a given user
	DestroyAllSessionsForUser(id uint) error

	// Mark the currently tracked session as access to extend expiration
	MarkSessionAccessed(session *Session) error
}

type Auth interface {
	UserID() string
	RequestID() string
}

type SessionService interface {
	// InitiateSSO is used to initiate an SSO session and returns a URL that
	// can be used in a redirect to the IDP.
	// Arguments: redirectURL is the URL of the protected resource that the user
	// was trying to access when they were promted to log in.
	InitiateSSO(ctx context.Context, redirectURL string) (string, error)
	// CallbackSSO handles the IDP response.  The original URL the viewer attempted
	// to access is returned from this function so we can redirect back to the front end and
	// load the page the viewer originally attempted to access when prompted for login.
	CallbackSSO(ctx context.Context, auth Auth) (*SSOSession, error)
	// SSOSettings returns non sensitive single sign on information used before
	// authentication
	SSOSettings(ctx context.Context) (*SSOSettings, error)
	Login(ctx context.Context, username, password string) (user *User, token string, err error)
	Logout(ctx context.Context) (err error)
	DestroySession(ctx context.Context) (err error)
	GetInfoAboutSessionsForUser(ctx context.Context, id uint) (sessions []*Session, err error)
	DeleteSessionsForUser(ctx context.Context, id uint) (err error)
	GetInfoAboutSession(ctx context.Context, id uint) (session *Session, err error)
	GetSessionByKey(ctx context.Context, key string) (session *Session, err error)
	DeleteSession(ctx context.Context, id uint) (err error)
}

type SSOSession struct {
	Token       string
	RedirectURL string
}

// SSOSettings SSO information used prior to authentication.
type SSOSettings struct {
	// IDPName is a human readable name for the IDP
	IDPName string `json:"idp_name"`
	// IDPImageURL https link to a logo image for the IDP.
	IDPImageURL string `json:"idp_image_url"`
	// SSOEnabled true if single sign on is enabled.
	SSOEnabled bool `json:"sso_enabled"`
}

// Session is the model object which represents what an active session is
type Session struct {
	CreateTimestamp
	ID         uint
	AccessedAt time.Time `db:"accessed_at"`
	UserID     uint      `db:"user_id"`
	Key        string
}
Session shuffle and rename app to server (#84) * renaming campaign to email * moving session management code to the new kolide/datastore pattern * removing global configuration variables in favor of config * moving email operations to package kolide * moving app to server * using http.ListenAndServeTLS instead of a method on gin.Engine remove the kolide.go dependency on gin 2016-08-19 00:45:39 +00:00			`package kolide`
Moving sessions code into sub-package (#42) Since the sessions code mostly stands on it's own, I wanted to break the dependencies apart from it and move it into it's own package. 2016-08-05 17:47:41 +00:00
			`import (`
Update go-kit to 0.4.0 (#1411) Notable refactoring: - Use stdlib "context" in place of "golang.org/x/net/context" - Go-kit no longer wraps errors, so we remove the unwrap in transport_error.go - Use MakeHandler when setting up endpoint tests (fixes test bug caught during this refactoring) Closes #1411. 2017-03-15 15:55:30 +00:00			`"context"`
Moving sessions code into sub-package (#42) Since the sessions code mostly stands on it's own, I wanted to break the dependencies apart from it and move it into it's own package. 2016-08-05 17:47:41 +00:00			`"time"`
			`)`

Session shuffle and rename app to server (#84) * renaming campaign to email * moving session management code to the new kolide/datastore pattern * removing global configuration variables in favor of config * moving email operations to package kolide * moving app to server * using http.ListenAndServeTLS instead of a method on gin.Engine remove the kolide.go dependency on gin 2016-08-19 00:45:39 +00:00			`// SessionStore is the abstract interface that all session backends must`
			`// conform to.`
			`type SessionStore interface {`
			`// Given a session key, find and return a session object or an error if one`
			`// could not be found for the given key`
Apply consistent naming conventions across server files (#310) 2016-10-14 15:59:27 +00:00			`SessionByKey(key string) (*Session, error)`
Moving sessions code into sub-package (#42) Since the sessions code mostly stands on it's own, I wanted to break the dependencies apart from it and move it into it's own package. 2016-08-05 17:47:41 +00:00
Session shuffle and rename app to server (#84) * renaming campaign to email * moving session management code to the new kolide/datastore pattern * removing global configuration variables in favor of config * moving email operations to package kolide * moving app to server * using http.ListenAndServeTLS instead of a method on gin.Engine remove the kolide.go dependency on gin 2016-08-19 00:45:39 +00:00			`// Given a session id, find and return a session object or an error if one`
			`// could not be found for the given id`
Apply consistent naming conventions across server files (#310) 2016-10-14 15:59:27 +00:00			`SessionByID(id uint) (*Session, error)`
Moving sessions code into sub-package (#42) Since the sessions code mostly stands on it's own, I wanted to break the dependencies apart from it and move it into it's own package. 2016-08-05 17:47:41 +00:00
Session shuffle and rename app to server (#84) * renaming campaign to email * moving session management code to the new kolide/datastore pattern * removing global configuration variables in favor of config * moving email operations to package kolide * moving app to server * using http.ListenAndServeTLS instead of a method on gin.Engine remove the kolide.go dependency on gin 2016-08-19 00:45:39 +00:00			`// Find all of the active sessions for a given user`
Apply consistent naming conventions across server files (#310) 2016-10-14 15:59:27 +00:00			`ListSessionsForUser(id uint) ([]*Session, error)`
Moving sessions code into sub-package (#42) Since the sessions code mostly stands on it's own, I wanted to break the dependencies apart from it and move it into it's own package. 2016-08-05 17:47:41 +00:00
Refactoring for config patterns (#159) This PR refactors most of the codebase to use the new config patterns implemented in #149. Now the core service keeps a copy of the KolideConfig struct, and service methods can reference the configuration in that struct when they need it. The most significant refactoring is in the sessions code, separating the business logic from the storage layer. 2016-09-14 16:11:06 +00:00			`// Store a new session struct`
			`NewSession(session Session) (Session, error)`
Session shuffle and rename app to server (#84) * renaming campaign to email * moving session management code to the new kolide/datastore pattern * removing global configuration variables in favor of config * moving email operations to package kolide * moving app to server * using http.ListenAndServeTLS instead of a method on gin.Engine remove the kolide.go dependency on gin 2016-08-19 00:45:39 +00:00
			`// Destroy the currently tracked session`
			`DestroySession(session *Session) error`

			`// Destroy all of the sessions for a given user`
			`DestroyAllSessionsForUser(id uint) error`

			`// Mark the currently tracked session as access to extend expiration`
			`MarkSessionAccessed(session *Session) error`
			`}`
Moving sessions code into sub-package (#42) Since the sessions code mostly stands on it's own, I wanted to break the dependencies apart from it and move it into it's own package. 2016-08-05 17:47:41 +00:00
Server Side SSO Support (#1498) This PR partially addresses #1456, providing SSO SAML support. The flow of the code is as follows. A Kolide user attempts to access a protected resource and is directed to log in. If SSO identity providers (IDP) have been configured by an admin, the user is presented with SSO log in. The user selects SSO, which invokes a call the InitiateSSO passing the URL of the protected resource that the user was originally trying access. Kolide server loads the IDP metadata and caches it along with the URL. We then build an auth request URL for the IDP which is returned to the front end. The IDP calls the server, invoking CallbackSSO with the auth response. We extract the original request id from the response and use it to fetch the cached metadata and the URL. We check the signature of the response, and validate the timestamps. If everything passes we get the user id from the IDP response and use it to create a login session. We then build a page which executes some javascript that will write the token to web local storage, and redirect to the original URL. I've created a test web page in tools/app/authtest.html that can be used to test and debug new IDP's which also illustrates how a front end would interact with the IDP and the server. This page can be loaded by starting Kolide with the environment variable KOLIDE_TEST_PAGE_PATH to the full path of the page and then accessed at https://localhost:8080/test 2017-05-09 00:43:48 +00:00			`type Auth interface {`
			`UserID() string`
			`RequestID() string`
			`}`

Sessions endpoints (#108) * renaming auth service to sessions service * service method implementations * endpoint and transport and transport tests * Authenticate tests 2016-09-05 19:50:57 +00:00			`type SessionService interface {`
Server Side SSO Support (#1498) This PR partially addresses #1456, providing SSO SAML support. The flow of the code is as follows. A Kolide user attempts to access a protected resource and is directed to log in. If SSO identity providers (IDP) have been configured by an admin, the user is presented with SSO log in. The user selects SSO, which invokes a call the InitiateSSO passing the URL of the protected resource that the user was originally trying access. Kolide server loads the IDP metadata and caches it along with the URL. We then build an auth request URL for the IDP which is returned to the front end. The IDP calls the server, invoking CallbackSSO with the auth response. We extract the original request id from the response and use it to fetch the cached metadata and the URL. We check the signature of the response, and validate the timestamps. If everything passes we get the user id from the IDP response and use it to create a login session. We then build a page which executes some javascript that will write the token to web local storage, and redirect to the original URL. I've created a test web page in tools/app/authtest.html that can be used to test and debug new IDP's which also illustrates how a front end would interact with the IDP and the server. This page can be loaded by starting Kolide with the environment variable KOLIDE_TEST_PAGE_PATH to the full path of the page and then accessed at https://localhost:8080/test 2017-05-09 00:43:48 +00:00			`// InitiateSSO is used to initiate an SSO session and returns a URL that`
			`// can be used in a redirect to the IDP.`
			`// Arguments: redirectURL is the URL of the protected resource that the user`
			`// was trying to access when they were promted to log in.`
			`InitiateSSO(ctx context.Context, redirectURL string) (string, error)`
			`// CallbackSSO handles the IDP response. The original URL the viewer attempted`
			`// to access is returned from this function so we can redirect back to the front end and`
			`// load the page the viewer originally attempted to access when prompted for login.`
			`CallbackSSO(ctx context.Context, auth Auth) (*SSOSession, error)`
SSO Login and Configuration Support (#1506) Closes issue #1456 This PR adds a single sign on option to the login form, exposes single sign on to the end user, and allows an admin user to set single sign on configuration options. 2017-05-17 15:58:40 +00:00			`// SSOSettings returns non sensitive single sign on information used before`
			`// authentication`
			`SSOSettings(ctx context.Context) (*SSOSettings, error)`
add prometheus endpoint (#236) generate metrics for Users, Appconfig and Session services 2016-09-28 11:35:15 +00:00			`Login(ctx context.Context, username, password string) (user *User, token string, err error)`
			`Logout(ctx context.Context) (err error)`
			`DestroySession(ctx context.Context) (err error)`
			`GetInfoAboutSessionsForUser(ctx context.Context, id uint) (sessions []*Session, err error)`
			`DeleteSessionsForUser(ctx context.Context, id uint) (err error)`
			`GetInfoAboutSession(ctx context.Context, id uint) (session *Session, err error)`
			`GetSessionByKey(ctx context.Context, key string) (session *Session, err error)`
			`DeleteSession(ctx context.Context, id uint) (err error)`
Sessions endpoints (#108) * renaming auth service to sessions service * service method implementations * endpoint and transport and transport tests * Authenticate tests 2016-09-05 19:50:57 +00:00			`}`

Server Side SSO Support (#1498) This PR partially addresses #1456, providing SSO SAML support. The flow of the code is as follows. A Kolide user attempts to access a protected resource and is directed to log in. If SSO identity providers (IDP) have been configured by an admin, the user is presented with SSO log in. The user selects SSO, which invokes a call the InitiateSSO passing the URL of the protected resource that the user was originally trying access. Kolide server loads the IDP metadata and caches it along with the URL. We then build an auth request URL for the IDP which is returned to the front end. The IDP calls the server, invoking CallbackSSO with the auth response. We extract the original request id from the response and use it to fetch the cached metadata and the URL. We check the signature of the response, and validate the timestamps. If everything passes we get the user id from the IDP response and use it to create a login session. We then build a page which executes some javascript that will write the token to web local storage, and redirect to the original URL. I've created a test web page in tools/app/authtest.html that can be used to test and debug new IDP's which also illustrates how a front end would interact with the IDP and the server. This page can be loaded by starting Kolide with the environment variable KOLIDE_TEST_PAGE_PATH to the full path of the page and then accessed at https://localhost:8080/test 2017-05-09 00:43:48 +00:00			`type SSOSession struct {`
			`Token string`
			`RedirectURL string`
			`}`

SSO Login and Configuration Support (#1506) Closes issue #1456 This PR adds a single sign on option to the login form, exposes single sign on to the end user, and allows an admin user to set single sign on configuration options. 2017-05-17 15:58:40 +00:00			`// SSOSettings SSO information used prior to authentication.`
			`type SSOSettings struct {`
			`// IDPName is a human readable name for the IDP`
			IDPName string `json:"idp_name"`
			`// IDPImageURL https link to a logo image for the IDP.`
			IDPImageURL string `json:"idp_image_url"`
			`// SSOEnabled true if single sign on is enabled.`
			SSOEnabled bool `json:"sso_enabled"`
			`}`

Moving sessions code into sub-package (#42) Since the sessions code mostly stands on it's own, I wanted to break the dependencies apart from it and move it into it's own package. 2016-08-05 17:47:41 +00:00			`// Session is the model object which represents what an active session is`
			`type Session struct {`
Datastore refactor (#439) Removed Gorm, replaced it with Sqlx * Added SQL bundling command to Makfile * Using go-kit logger * Added soft delete capability * Changed SearchLabel to accept a variadic param for optional omit list instead of array * Gorm removed * Refactor table structures to use CURRENT_TIMESTAMP mysql function * Moved Inmem datastore into it's own package * Updated README * Implemented code review suggestions from @zwass * Removed reference to Gorm from glide.yaml 2016-11-16 13:47:49 +00:00			`CreateTimestamp`
removing gorm struct tags (#491) 2016-11-16 17:48:43 +00:00			`ID uint`
Datastore refactor (#439) Removed Gorm, replaced it with Sqlx * Added SQL bundling command to Makfile * Using go-kit logger * Added soft delete capability * Changed SearchLabel to accept a variadic param for optional omit list instead of array * Gorm removed * Refactor table structures to use CURRENT_TIMESTAMP mysql function * Moved Inmem datastore into it's own package * Updated README * Implemented code review suggestions from @zwass * Removed reference to Gorm from glide.yaml 2016-11-16 13:47:49 +00:00			AccessedAt time.Time `db:"accessed_at"`
Fixes for bugs in MySQL migration (#501) * Fix users table name in MySQL ListUsers * Fix invalid SQL * Implement MarkHostSeen * Partial fix for targets autocompletion 2016-11-16 23:12:59 +00:00			UserID uint `db:"user_id"`
removing gorm struct tags (#491) 2016-11-16 17:48:43 +00:00			`Key string`
Moving sessions code into sub-package (#42) Since the sessions code mostly stands on it's own, I wanted to break the dependencies apart from it and move it into it's own package. 2016-08-05 17:47:41 +00:00			`}`