authorGitLab Bot <gitlab-bot@gitlab.com>2021-03-04 01:28:55 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2021-03-04 01:29:18 +0300
commitfa206403d6b6a501488b70173ba873189776edc6 (patch)
tree747df0d0c32d9f0624b5a9c84dfbfc09265adc49 /app
parent5fc81825b645b13c3ecd49ec727bdf2162d15922 (diff)
Add latest changes from gitlab-org/security/gitlab@13-9-stable-ee
Diffstat (limited to 'app')
-rw-r--r--app/controllers/profiles/active_sessions_controller.rb5
-rw-r--r--app/helpers/active_sessions_helper.rb7
-rw-r--r--app/models/active_session.rb50
3 files changed, 5 insertions, 57 deletions
diff --git a/app/controllers/profiles/active_sessions_controller.rb b/app/controllers/profiles/active_sessions_controller.rb
index 1233c906406..aafd7c2b65b 100644
--- a/app/controllers/profiles/active_sessions_controller.rb
+++ b/app/controllers/profiles/active_sessions_controller.rb
@@ -8,9 +8,8 @@ class Profiles::ActiveSessionsController < Profiles::ApplicationController
end
def destroy
- # params[:id] can be either an Rack::Session::SessionId#private_id
- # or an encrypted Rack::Session::SessionId#public_id
- ActiveSession.destroy_with_deprecated_encryption(current_user, params[:id])
+ # params[:id] can be an Rack::Session::SessionId#private_id
+ ActiveSession.destroy_session(current_user, params[:id])
current_user.forget_me!
respond_to do |format|
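Review bot: The rewritten comment above the `ActiveSession.destroy_session` call still says params[:id] "can be" a private id, but after this change that is the only form the code path handles, so the wording leaves a reader looking for the other case. Tighten it to `# params[:id] is a Rack::Session::SessionId#private_id` so the comment states the contract the controller now relies on. The body of `destroy` continues past the end of the hunk.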
diff --git a/app/helpers/active_sessions_helper.rb b/app/helpers/active_sessions_helper.rb
index 322c5b3b16d..cfe0b747e78 100644
--- a/app/helpers/active_sessions_helper.rb
+++ b/app/helpers/active_sessions_helper.rb
@@ -24,11 +24,6 @@ module ActiveSessionsHelper
end
def revoke_session_path(active_session)
- if active_session.session_private_id
- profile_active_session_path(active_session.session_private_id)
- else
- # TODO: remove in 13.7
- profile_active_session_path(active_session.public_id)
- end
+ profile_active_session_path(active_session.session_private_id)
end
end
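Review bot: With the fallback removed, `profile_active_session_path(active_session.session_private_id)` is called unconditionally, and a Rails path helper raises when a required segment is nil. If ActiveSession entries written before private ids were recorded can still be present in Redis until they expire, this helper would error when rendering the sessions list for that user; a short comment stating that only private-id sessions are expected to exist by this release, or a guard that skips such entries, would document the assumption. Whether such entries remain is not visible from the hunk.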
diff --git a/app/models/active_session.rb b/app/models/active_session.rb
index 823685f78f4..a0e74c7f48e 100644
--- a/app/models/active_session.rb
+++ b/app/models/active_session.rb
@@ -42,13 +42,6 @@ class ActiveSession
device_type&.titleize
end
- # This is not the same as Rack::Session::SessionId#public_id, but we
- # need to preserve this for backwards compatibility.
- # TODO: remove in 13.7
- def public_id
- Gitlab::CryptoHelper.aes256_gcm_encrypt(session_id)
- end
-
def self.set(user, request)
Gitlab::Redis::SharedState.with do |redis|
session_private_id = request.session.id.private_id
@@ -63,8 +56,6 @@ class ActiveSession
device_type: client.device_type,
created_at: user.current_sign_in_at || timestamp,
updated_at: timestamp,
- # TODO: remove in 13.7
- session_id: request.session.id.public_id,
session_private_id: session_private_id,
is_impersonated: request.session[:impersonator_id].present?
)
@@ -80,20 +71,10 @@ class ActiveSession
lookup_key_name(user.id),
session_private_id
)
-
- # We remove the ActiveSession stored by using public_id to avoid
- # duplicate entries
- remove_deprecated_active_sessions_with_public_id(redis, user.id, request.session.id.public_id)
end
end
end
- # TODO: remove in 13.7
- private_class_method def self.remove_deprecated_active_sessions_with_public_id(redis, user_id, rack_session_public_id)
- redis.srem(lookup_key_name(user_id), rack_session_public_id)
- redis.del(key_name(user_id, rack_session_public_id))
- end
-
def self.list(user)
Gitlab::Redis::SharedState.with do |redis|
cleaned_up_lookup_entries(redis, user).map do |raw_session|
@@ -109,18 +90,6 @@ class ActiveSession
end
end
- # TODO: remove in 13.7
- # After upgrade there might be a duplicate ActiveSessions:
- # - one with the public_id stored in #session_id
- # - another with private_id stored in #session_private_id
- def self.destroy_with_rack_session_id(user, rack_session_id)
- return unless rack_session_id
-
- Gitlab::Redis::SharedState.with do |redis|
- destroy_sessions(redis, user, [rack_session_id.public_id, rack_session_id.private_id])
- end
- end
-
def self.destroy_sessions(redis, user, session_ids)
key_names = session_ids.map { |session_id| key_name(user.id, session_id) }
@@ -132,19 +101,11 @@ class ActiveSession
end
end
- # TODO: remove in 13.7
- # After upgrade, .destroy might be called with the session id encrypted
- # by .public_id.
- def self.destroy_with_deprecated_encryption(user, session_id)
+ def self.destroy_session(user, session_id)
return unless session_id
- decrypted_session_id = decrypt_public_id(session_id)
- rack_session_private_id = if decrypted_session_id
- Rack::Session::SessionId.new(decrypted_session_id).private_id
- end
-
Gitlab::Redis::SharedState.with do |redis|
- destroy_sessions(redis, user, [session_id, decrypted_session_id, rack_session_private_id].compact)
+ destroy_sessions(redis, user, [session_id].compact)
end
end
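Review bot: `destroy_sessions(redis, user, [session_id].compact)` keeps a `.compact` that can never remove anything, because `return unless session_id` two lines earlier already rejects nil; `destroy_sessions(redis, user, [session_id])` says the same thing without the leftover from the old three-element array. The new `destroy_session` also has no comment where the replaced method had one; a line such as `# session_id is a Rack::Session::SessionId#private_id taken from the request; the Redis keys it touches are derived via key_name(user.id, ...) and so stay scoped to the given user` would carry over the contract the controller comment now states.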
@@ -275,11 +236,4 @@ class ActiveSession
entries.compact
end
-
- # TODO: remove in 13.7
- private_class_method def self.decrypt_public_id(public_id)
- Gitlab::CryptoHelper.aes256_gcm_decrypt(public_id)
- rescue
- nil
- end
end