diff --git a/app/controllers/epp/base_controller.rb b/app/controllers/epp/base_controller.rb
index e9d58a4ed..e3ac81815 100644
--- a/app/controllers/epp/base_controller.rb
+++ b/app/controllers/epp/base_controller.rb
@@ -10,7 +10,8 @@ module Epp
before_action :latin_only
before_action :validate_against_schema
before_action :validate_request
- before_action :update_epp_session, if: -> { signed_in? }
+ before_action :enforce_epp_session_timeout, if: :signed_in?
+ before_action :iptables_counter_update, if: :signed_in?
around_action :wrap_exceptions
@@ -349,32 +350,22 @@ module Epp
raise 'EPP session id is empty' unless epp_session_id.present?
end
- def update_epp_session
- iptables_counter_update
-
- if session_timeout_reached?
- @api_user = current_user # cache current_user for logging
- epp_session.destroy
-
+ def enforce_epp_session_timeout
+ if epp_session.timed_out?
epp_errors << {
- msg: t('session_timeout'),
- code: '2201'
+ code: '2201',
+ msg: 'Authorization error: Session timeout',
}
-
- handle_errors and return
+ handle_errors
+ epp_session.destroy!
else
- epp_session.update_column(:updated_at, Time.zone.now)
+ epp_session.update_last_access
end
end
- def session_timeout_reached?
- timeout = 5.minutes
- epp_session.updated_at < (Time.zone.now - timeout)
- end
-
def iptables_counter_update
return if ENV['iptables_counter_enabled'].blank? && ENV['iptables_counter_enabled'] != 'true'
- return if current_user.blank?
+
counter_update(current_user.registrar_code, ENV['iptables_server_ip'])
end
diff --git a/app/models/epp/expired_sessions.rb b/app/models/epp/expired_sessions.rb
new file mode 100644
index 000000000..f9fefac46
--- /dev/null
+++ b/app/models/epp/expired_sessions.rb
@@ -0,0 +1,13 @@
+module Epp
+ class ExpiredSessions
+ attr_reader :sessions
+
+ def initialize(sessions)
+ @sessions = sessions
+ end
+
+ def clear
+ sessions.find_each(&:destroy!)
+ end
+ end
+end
diff --git a/app/models/epp_session.rb b/app/models/epp_session.rb
index 6427c503c..f1b641aa0 100644
--- a/app/models/epp_session.rb
+++ b/app/models/epp_session.rb
@@ -3,6 +3,11 @@ class EppSession < ApplicationRecord
validates :session_id, uniqueness: true, presence: true
+ class_attribute :timeout
+ self.timeout = (ENV['epp_session_timeout_seconds'] || 300).to_i.seconds
+
+ alias_attribute :last_access, :updated_at
+
def self.limit_per_registrar
4
end
@@ -11,4 +16,21 @@ class EppSession < ApplicationRecord
count = where(user_id: registrar.api_users.ids).where('updated_at >= ?', Time.zone.now - 1.second).count
count >= limit_per_registrar
end
+
+ def self.expired
+ interval = "#{timeout.parts.first.second} #{timeout.parts.first.first}"
+ where(':now > (updated_at + interval :interval)', now: Time.zone.now, interval: interval)
+ end
+
+ def update_last_access
+ touch
+ end
+
+ def timed_out?
+ (updated_at + self.class.timeout).past?
+ end
+
+ def expired?
+ timed_out?
+ end
end
diff --git a/config/application.yml.sample b/config/application.yml.sample
index 2cd19b768..c35a8a5bb 100644
--- a/config/application.yml.sample
+++ b/config/application.yml.sample
@@ -153,6 +153,8 @@ lhv_keystore_password:
lhv_ca_file: # Needed only in dev mode
lhv_dev_mode: 'false'
+epp_session_timeout_seconds: '300'
+
# Since the keys for staging are absent from the repo, we need to supply them separate for testing.
test:
payments_seb_bank_certificate: 'test/fixtures/files/seb_bank_cert.pem'
diff --git a/lib/tasks/epp/clear_expired_sessions.rake b/lib/tasks/epp/clear_expired_sessions.rake
new file mode 100644
index 000000000..296b463d9
--- /dev/null
+++ b/lib/tasks/epp/clear_expired_sessions.rake
@@ -0,0 +1,7 @@
+namespace :epp do
+ desc 'Clear expired EPP sessions'
+
+ task clear_expired_sessions: :environment do
+ Epp::ExpiredSessions.new(EppSession.expired).clear
+ end
+end
diff --git a/test/integration/epp/base_test.rb b/test/integration/epp/base_test.rb
index 456e7b41e..2d19a6fa8 100644
--- a/test/integration/epp/base_test.rb
+++ b/test/integration/epp/base_test.rb
@@ -7,6 +7,14 @@ class DummyEppController < Epp::BaseController
end
class EppBaseTest < EppTestCase
+ setup do
+ @original_session_timeout = EppSession.timeout
+ end
+
+ teardown do
+ EppSession.timeout = @original_session_timeout
+ end
+
def test_internal_error
Rails.application.routes.draw do
post 'epp/command/internal_error', to: 'dummy_epp#internal_error',
@@ -81,6 +89,63 @@ class EppBaseTest < EppTestCase
assert_epp_response :authorization_error
end
+ def test_deletes_session_when_timed_out
+ now = Time.zone.parse('2010-07-05')
+ travel_to now
+ timeout = 0.second
+ EppSession.timeout = timeout
+ session = epp_sessions(:api_bestnames)
+ session.update!(updated_at: now - timeout - 1.second)
+
+ authentication_enabled_epp_request_xml = <<-XML
+
+
+
+
+
+ #{domains(:shop).name}
+
+
+
+
+ XML
+ post '/epp/command/info', params: { frame: authentication_enabled_epp_request_xml },
+ headers: { 'HTTP_COOKIE' => "session=#{session.session_id}" }
+
+ assert_epp_response :authorization_error
+ assert_nil EppSession.find_by(session_id: session.session_id)
+ end
+
+ def test_session_last_access_is_updated_when_not_timed_out
+ now = Time.zone.parse('2010-07-05')
+ travel_to now
+ timeout = 1.seconds
+ EppSession.timeout = timeout
+ session = epp_sessions(:api_bestnames)
+ session.last_access = now - timeout
+
+ authentication_enabled_epp_request_xml = <<-XML
+
+
+
+
+
+ #{domains(:shop).name}
+
+
+
+
+ XML
+
+ post '/epp/command/info', params: { frame: authentication_enabled_epp_request_xml },
+ headers: { 'HTTP_COOKIE' => "session=#{session.session_id}" }
+
+ session.reload
+
+ assert_epp_response :completed_successfully
+ assert_equal now, session.last_access
+ end
+
private
def valid_command_path
diff --git a/test/models/epp_session_test.rb b/test/models/epp_session_test.rb
index 6f90e2445..8ed63f6ab 100644
--- a/test/models/epp_session_test.rb
+++ b/test/models/epp_session_test.rb
@@ -3,6 +3,11 @@ require 'test_helper'
class EppSessionTest < ActiveSupport::TestCase
setup do
@epp_session = epp_sessions(:api_bestnames)
+ @original_session_timeout = EppSession.timeout
+ end
+
+ teardown do
+ EppSession.timeout = @original_session_timeout
end
def test_valid
@@ -60,4 +65,39 @@ class EppSessionTest < ActiveSupport::TestCase
refute EppSession.limit_reached?(registrars(:bestnames))
end
+
+ def test_expired_scope
+ now = Time.zone.parse('2010-07-05')
+ travel_to now
+ session = epp_sessions(:api_bestnames)
+ timeout = 0.seconds
+ EppSession.timeout = timeout
+
+ session.update!(last_access: now - timeout - 1.second)
+ assert_includes EppSession.expired, session, 'Expired session should be returned'
+
+ session.update!(last_access: now - timeout)
+
+ assert_not_includes EppSession.expired, session, 'Unexpired session should not be returned'
+ end
+
+ def test_expired_when_timed_out
+ now = Time.zone.parse('2010-07-05')
+ travel_to now
+ timeout = 0.seconds
+ EppSession.timeout = timeout
+ @epp_session.last_access = now - timeout - 1.second
+
+ assert @epp_session.expired?
+ end
+
+ def test_not_expired_when_not_timed_out
+ now = Time.zone.parse('2010-07-05')
+ travel_to now
+ timeout = 0.seconds
+ EppSession.timeout = timeout
+ @epp_session.last_access = now - timeout
+
+ assert_not @epp_session.expired?
+ end
end
diff --git a/test/tasks/epp/clear_expired_sessions_test.rb b/test/tasks/epp/clear_expired_sessions_test.rb
new file mode 100644
index 000000000..c7bebcd97
--- /dev/null
+++ b/test/tasks/epp/clear_expired_sessions_test.rb
@@ -0,0 +1,29 @@
+require 'test_helper'
+
+class EppClearExpiredSessionsTaskTest < ActiveSupport::TestCase
+ setup do
+ @original_session_timeout = EppSession.timeout
+ end
+
+ teardown do
+ EppSession.timeout = @original_session_timeout
+ end
+
+ def test_clears_expired_epp_sessions
+ timeout = EppSession.timeout
+ session = epp_sessions(:api_bestnames)
+ next_session = epp_sessions(:api_goodnames)
+ session.update!(updated_at: Time.zone.now - timeout - 1.second)
+
+ run_task
+
+ assert_nil EppSession.find_by(session_id: session.session_id)
+ assert EppSession.find_by(session_id: next_session.session_id)
+ end
+
+ private
+
+ def run_task
+ Rake::Task['epp:clear_expired_sessions'].execute
+ end
+end