Add: New --user-session-limit option

The new option --user-session-limit allows limiting the number of
logged in sessions per user.

doc/gsad.8

@@ -101,6 +101,9 @@ Sets the maximum number of connections per ip. Use 0 for unlimited.
 .BR --http-cors=\fICORS\fR
 Set Cross-Origin Resource Sharing (CORS) allow origin http header.
 .TP
+.BR --user-session-limit=\fIMAX_SESSIONS\fR
+Set maximum number of active sessions per user. 0 for unlimited.
+.TP
 .BR -? ", " --help
 Show help.
 .SH EXAMPLES

doc/gsad.8.xml

@@ -94,6 +94,13 @@ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
       <optdesc><p>Do chroot and drop privileges.</p></optdesc>
     </option>
 
+    <option>
+      <p><opt>--user-session-limit=<arg>MAX_SESSIONS</arg></opt></p>
+      <optdesc>
+        <p>Set maximum number of active sessions per user. 0 for unlimited.</p>
+      </optdesc>
+    </option>
+
     <option>
       <p><opt>-v, --verbose</opt></p>
       <optdesc>

doc/gsad.html

@@ -88,6 +88,11 @@ <h2>Options</h2>
 
 
 
+      <p><b>--user-session-limit=<em>MAX_SESSIONS</em></b></p>
+      <p>Set maximum number of active sessions per user. 0 for unlimited.</p>
+
+
+
       <p><b>-v, --verbose</b></p>
 
         <p>Print progress messages.</p>

src/gsad.c

@@ -2180,6 +2180,7 @@ main (int argc, char **argv)
   static gboolean ignore_x_real_ip = FALSE;
   static int per_ip_connection_limit = DEFAULT_GSAD_PER_IP_CONNECTION_LIMIT;
   static int verbose = 0;
+  static int gsad_user_session_limit = 0;
   GError *error = NULL;
   GOptionContext *option_context;
   static GOptionEntry option_entries[] = {
@@ -2266,6 +2267,10 @@ main (int argc, char **argv)
     {"http-cors", 0, 0, G_OPTION_ARG_STRING, &http_cors,
      "Set Cross-Origin Resource Sharing (CORS) allow origin http header ",
      "<cors>"},
+    {"user-session-limit", '\0', 0, G_OPTION_ARG_INT,
+     &gsad_user_session_limit,
+     "Set maximum number of active sessions per user. 0 for unlimited.",
+     "<max-sessions>"},
     {NULL}};
 
   option_context =
@@ -2484,6 +2489,8 @@ main (int argc, char **argv)
         }
     }
 
+  set_user_session_limit (gsad_user_session_limit);
+
   /* Register the cleanup function. */
 
   if (atexit (&gsad_cleanup))

src/gsad_gmp.c

@@ -11144,7 +11144,8 @@ save_my_settings_gmp (gvm_connection_t *connection, credentials_t *credentials,
       if (gmp_success (entity) == 1)
         {
           user_set_password (user, passwd);
-          session_remove_other_sessions (user_get_token (user), user);
+          session_remove_other_sessions (user_get_token (user),
+                                         user_get_username (user));
           user_changed = 1;
         }
       else
@@ -14525,16 +14526,13 @@ save_user_gmp (gvm_connection_t *connection, credentials_t *credentials,
     case 0:
       if (gmp_success (entity) == 1)
         {
-          user_t *user = session_get_user_by_username (old_login);
-
-          if (user
-              && (!str_equal (modify_password, "0")
-                  || !str_equal (old_login, login)))
+          if (!str_equal (modify_password, "0")
+              || !str_equal (old_login, login))
             {
               /* logout all other user sessions if new password was set,
                  authentication type has changed or username has changed */
               session_remove_other_sessions (user_get_token (current_user),
-                                             user);
+                                             old_login);
             }
 
           if (str_equal (old_login, user_get_username (current_user)))
@@ -16980,6 +16978,24 @@ login (http_connection_t *con, params_t *params,
           user = user_add (login, password, timezone, role, capabilities,
                            language, pw_warning, client_address);
 
+          if (user == NULL)
+            {
+              status = MHD_HTTP_UNAUTHORIZED;
+              auth_reason = TOO_MANY_USER_SESSIONS;
+
+              g_warning ("Authentication failure for '%s' from %s."
+                         " Too many sessions for user.",
+                         login ?: "", client_address);
+
+              g_free (timezone);
+              g_free (capabilities);
+              g_free (language);
+              g_free (role);
+              g_free (pw_warning);
+
+              return handler_send_reauthentication (con, status, auth_reason);
+            }
+
           g_message ("Authentication success for '%s' from %s", login ?: "",
                      client_address);
 

src/gsad_http.c

@@ -462,6 +462,9 @@ handler_send_reauthentication (http_connection_t *connection,
     case LOGOUT:
       msg = "Successfully logged out.";
       break;
+    case TOO_MANY_USER_SESSIONS:
+      msg = "Login failed. Too many concurrent logins for user.";
+      break;
     case UNKOWN_ERROR:
       msg = "Unknown error.";
       break;

src/gsad_http.h

@@ -162,6 +162,7 @@ enum authentication_reason
   SESSION_EXPIRED,
   BAD_MISSING_COOKIE,
   BAD_MISSING_TOKEN,
+  TOO_MANY_USER_SESSIONS,
   UNKOWN_ERROR,
 };
 

src/gsad_session.c

@@ -24,6 +24,7 @@
 #include "gsad_session.h"
 
 #include "gsad_user.h"
+#include "gsad_gmp_auth.h"
 #include "utils.h" /* for str_equal */
 
 #undef G_LOG_DOMAIN
@@ -107,15 +108,15 @@ session_get_user_by_id (const gchar *id)
 }
 
 /**
- * Find the first user with the username
+ * Find all users with the given username
  *
- * @return Return a copy of the user or NULL if not found
+ * @return Return a list with copies of the users or NULL if not found
  */
-user_t *
-session_get_user_by_username (const gchar *username)
+GList *
+session_get_users_by_username (const gchar *username)
 {
   int index;
-  user_t *user = NULL;
+  GList *list = NULL;
 
   g_mutex_lock (mutex);
 
@@ -126,14 +127,15 @@ session_get_user_by_username (const gchar *username)
 
       if (str_equal (name, username))
         {
+          user_t *user = NULL;
           user = user_copy (item);
-          break;
+          list = g_list_prepend (list, user);
         }
     }
 
   g_mutex_unlock (mutex);
 
-  return user;
+  return list;
 }
 
 /**
@@ -172,12 +174,12 @@ session_remove_user (const gchar *id)
 /**
  * @brief Removes all session of the user, except the one with the passed id.
  *
- * @param[in] id    ID of the session to keep
- * @param[in] user  The user to logout.
+ * @param[in] keep_id   ID of the session to keep
+ * @param[in] username  The user to logout.
  *
  */
 void
-session_remove_other_sessions (const gchar *id, user_t *user)
+session_remove_other_sessions (const gchar *keep_id, const gchar *username)
 {
   int index;
 
@@ -189,12 +191,17 @@ session_remove_other_sessions (const gchar *id, user_t *user)
 
       const gchar *itemtoken = user_get_token (item);
       const gchar *itemname = user_get_username (item);
-      const gchar *username = user_get_username (user);
 
-      if (str_equal (itemname, username) && !str_equal (id, itemtoken))
+      if (str_equal (itemname, username) && !str_equal (keep_id, itemtoken))
         {
+          const char *itempassword = user_get_password (item);
+
           g_debug ("%s: logging out user '%s', token '%s'", __func__, itemname,
                    itemtoken);
+
+          if (itemname && itempassword)
+            logout_gmp (itemname, itempassword);
+
           g_ptr_array_remove (users, (gpointer) item);
 
           user_free (item);

src/gsad_session.h

@@ -37,11 +37,11 @@ session_remove_user (const gchar *id);
 user_t *
 session_get_user_by_id (const gchar *id);
 
-user_t *
-session_get_user_by_username (const gchar *username);
+GList *
+session_get_users_by_username (const gchar *username);
 
 void
-session_remove_other_sessions (const gchar *id, user_t *user);
+session_remove_other_sessions (const gchar *id, const gchar *user);
 
 void
 session_init ();

src/gsad_settings.c

@@ -95,6 +95,11 @@ int unix_socket = 0;
  */
 int use_secure_cookie = 1;
 
+/**
+ * @brief The maximum number of logged in sessions per user.
+ */
+int user_session_limit = 0;
+
 /**
  * @brief Set the vendor version.
  *
@@ -276,3 +281,18 @@ is_unix_socket ()
 {
   return unix_socket > 0;
 }
+
+void
+set_user_session_limit (int new_limit)
+{
+  if (new_limit >= 0)
+    user_session_limit = new_limit;
+  else
+    user_session_limit = 0;
+}
+
+int
+get_user_session_limit ()
+{
+  return user_session_limit;
+}

src/gsad_settings.h

@@ -116,4 +116,10 @@ get_guest_password ();
 gboolean
 is_ignore_http_x_real_ip ();
 
+void
+set_user_session_limit (int);
+
+int
+get_user_session_limit ();
+
 #endif /* _GSAD_SETTINGS_H */

src/gsad_user.c

@@ -325,15 +325,31 @@ user_add (const gchar *username, const gchar *password, const gchar *timezone,
           const gchar *role, const gchar *capabilities, const gchar *language,
           const gchar *pw_warning, const char *address)
 {
-  user_t *user = session_get_user_by_username (username);
+  GList *current_user_item, *user_list;
+  user_t *user;
+  int session_count = 0;
 
-  if (user && user_session_expired (user))
+  user_list = current_user_item = session_get_users_by_username (username);
+  while (current_user_item)
     {
-      if (user->username && user->password)
-        logout_gmp (user->username, user->password);
-      session_remove_user (user->token);
+      user = current_user_item->data;
+      if (user_session_expired (user))
+        {
+          if (user->username && user->password)
+            logout_gmp (user->username, user->password);
+          session_remove_user (user->token);
+        }
+      else
+        session_count ++;
       user_free (user);
+      current_user_item = current_user_item->next;
     }
+  g_list_free (user_list);
+
+  int session_limit = get_user_session_limit ();
+  if (session_limit && (session_count >= session_limit))
+
+    return NULL;
 
   user = user_new_with_data (username, password, timezone, role, capabilities,
                              language, pw_warning, address);