z1pti3 / jimi

Jimi is an automation first no-code platform designed and developed originally for Security Orchestration and Response. Since its launch jimi has developed into a fully fledged IT automation platform which effortlessly integrates with your existing tools unlocking the potential for autonomous IT and Security operations.
https://www.secureack.com
Apache License 2.0

[Bug] User Sessions Don't Revalidate #232

Closed b1scuit-thi3f closed 3 years ago

b1scuit-thi3f commented 3 years ago

Sessions are renewed regularly, however when renewing it is not checked if the user is still valid (i.e. active and not deleted) and whether their ACLs might have changed (i.e. part of a new group). https://github.com/z1pti3/jimi/blob/48cae178d2ebecca721c7f0a864727bc526c8ca2/core/auth.py#L454-L459

This should be fixed by reevaluating the user details within auth whenever a session is being asked to generate.

z1pti3 commented 3 years ago

Added a new function to standardise the generation of user sessions:

def buildApplicationSessionData(application, sessionID, user):
    # Builds the per-application session record from the *current* user
    # object, so every caller (initial login and renewal) derives admin
    # status and group ACLs from the same, freshly loaded data.
    return {
        application: {
            "_id": user._id,
            "user": user.username,
            "primaryGroup": user.primaryGroup,
            "admin": isAdmin(user),                 # recomputed, not copied from the old session
            "accessIDs": enumerateGroups(user),     # current group memberships
            "authenticated": True,
            "sessionID": sessionID,
            "api": False,
            "theme": user.theme,
            "application": application,
        }
    }

This is then used to build sessions and to renew. I also added an additional check to ensure the user is still enabled when the session is regenerated.
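The pattern discussed in this issue (rebuild the session from the current user record on every renewal instead of copying stale fields, and refuse renewal for disabled or deleted users) as a self-contained illustration. This is added example code, not jimi's own implementation: the `User` dataclass, the in-memory `USERS`/`GROUP_MEMBERS` stores, and the function names `create_session`, `renew_session` and `load_valid_user` are hypothetical stand-ins for the project's database and `auth.py` helpers.

```python
"""Added example (not jimi's code): session data is regenerated from the
live user record on renewal, so revoked accounts and changed group
memberships take effect at the next renewal rather than never."""
from dataclasses import dataclass
import secrets
import time

SESSION_TTL_SECONDS = 300
ADMIN_GROUP = "admin"


@dataclass
class User:
    # Hypothetical user record; field names mirror the issue's snippet.
    _id: str
    username: str
    primaryGroup: str
    enabled: bool = True
    theme: str = "dark"


# Constructed in-memory stores standing in for the database.
USERS: dict[str, User] = {}
GROUP_MEMBERS: dict[str, set[str]] = {}   # group id -> set of user ids


def enumerate_groups(user: User) -> list[str]:
    """Current group ACLs for the user, read from the store each call."""
    return sorted(g for g, members in GROUP_MEMBERS.items() if user._id in members)


def is_admin(user: User) -> bool:
    return user._id in GROUP_MEMBERS.get(ADMIN_GROUP, set())


def load_valid_user(user_id: str):
    """Return the user only if it still exists and is enabled, else None."""
    user = USERS.get(user_id)
    if user is None or not user.enabled:
        return None
    return user


def build_application_session_data(application: str, session_id: str, user: User) -> dict:
    """Single place that derives session fields from a freshly loaded user."""
    return {
        application: {
            "_id": user._id,
            "user": user.username,
            "primaryGroup": user.primaryGroup,
            "admin": is_admin(user),
            "accessIDs": enumerate_groups(user),
            "authenticated": True,
            "sessionID": session_id,
            "api": False,
            "theme": user.theme,
            "application": application,
            "expires": time.time() + SESSION_TTL_SECONDS,
        }
    }


def create_session(application: str, user_id: str):
    """Initial session; None if the user is missing or disabled."""
    user = load_valid_user(user_id)
    if user is None:
        return None
    return build_application_session_data(application, secrets.token_hex(16), user)


def renew_session(session: dict, application: str):
    """Renewal re-reads the user instead of copying the old session's fields.

    A disabled or deleted user gets None (session dropped); an active user
    gets a rebuilt record with current admin/ACL values and the same ID.
    """
    old = session.get(application)
    if not old or not old.get("authenticated"):
        return None
    user = load_valid_user(old["_id"])
    if user is None:
        return None
    return build_application_session_data(application, old["sessionID"], user)


if __name__ == "__main__":
    USERS["u1"] = User(_id="u1", username="alice", primaryGroup="users")
    GROUP_MEMBERS["users"] = {"u1"}
    s = create_session("jimi", "u1")
    GROUP_MEMBERS[ADMIN_GROUP] = {"u1"}          # membership changes after login
    print(renew_session(s, "jimi")["jimi"]["admin"])   # True: picked up on renewal
    USERS["u1"].enabled = False
    print(renew_session(s, "jimi"))                    # None: disabled user is not renewed
```

The stale-session bug the issue describes corresponds to a renewal that would instead copy `admin` and `accessIDs` forward from the old record; routing both creation and renewal through one builder that takes a freshly loaded user removes that divergence.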