
HPCC-19187 Implement security manager userLogout() functionality

Currently when a user logs out of an ESP session, the security manager is
not notified and the user's entry remains in the cache. Need to add a
"userLogout()" method to ISecManager, called from ESP, that removes the
user from the cache when logged out

Signed-off-by: Russ Whitehead <william.whitehead@lexisnexis.com>
Russ Whitehead 7 年之前
父节点
当前提交
90f8f714e4

+ 20 - 1
esp/bindings/http/platform/httpservice.cpp

@@ -1469,11 +1469,30 @@ void CEspHttpServer::logoutSession(EspAuthRequest& authReq, unsigned sessionID,
         Owned<IPropertyTreeIterator> it = sessionTree->getElements(path.str());
         ForEach(*it)
             toRemove.append(it->query());
+
+        IEspContext* ctx = m_request->queryContext();
+        ISecManager* secmgr = nullptr;
+        if (ctx)
+            secmgr = ctx->querySecManager();
+
         ForEachItemIn(i, toRemove)
+        {
+            if (secmgr)
+            {
+                const char * user = toRemove.item(i).queryProp("@userid");
+                if (user)
+                {
+                    //inform security manager that user is logged out
+                    Owned<ISecUser> secUser = secmgr->createUser(user);
+                    secmgr->logoutUser(*secUser);
+                }
+            }
+
             sessionTree->removeTree(&toRemove.item(i));
+        }
     }
     else
-        ESPLOG(LogMin, "Cann't find session tree: %s[@port=\"%d\"]", PathSessionApplication, authReq.authBinding->getPort());
+        ESPLOG(LogMin, "Can't find session tree: %s[@port=\"%d\"]", PathSessionApplication, authReq.authBinding->getPort());
 
     ///authReq.ctx->setAuthorized(true);
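Review bot: If `secmgr->logoutUser(*secUser)` throws, the `sessionTree->removeTree(&toRemove.item(i))` that follows it is skipped and the session stays valid even though the user asked to log out; the new base-class default in basesecurity.hpp does throw (`throwUnexpected()`), so any manager that inherits that default without overriding it would hit this path. Make the notification best-effort so the session entry is always removed, e.g. wrap the call as `try { secmgr->logoutUser(*secUser); } catch (IException *e) { ESPLOG(LogMin, "logoutUser failed for %s", user); e->Release(); }` (using whatever exception type the managers actually throw), and guard `secUser` against a null return from `createUser` unless that is documented never to happen. Note also that `secUser` is a throwaway object, so the `setAuthenticateStatus`/`setSessionToken` resets inside CLdapSecManager::logoutUser only touch it; the cache eviction is the only lasting effect. logoutSession begins before this hunk and continues after it.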
 

+ 10 - 0
system/security/LdapSecurity/ldapsecurity.cpp

@@ -1444,6 +1444,16 @@ bool CLdapSecManager::authenticateUser(ISecUser & user, bool *superUser)
         *superUser = isSuperUser(&user);
     return true;
 }
+bool CLdapSecManager::logoutUser(ISecUser & user)
+{
+    //remove user from permissions cache
+    m_permissionsCache->removeFromUserCache(user);
+    user.setAuthenticateStatus(AS_UNKNOWN);
+    user.credentials().setSessionToken(0);
+    return true;
+}
+
+
 
 //Data View related interfaces
 void CLdapSecManager::createView(const char* viewName, const char * viewDescription)
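Review bot: `m_permissionsCache->removeFromUserCache(user)` at the top of the new logoutUser dereferences the cache pointer unconditionally; if CLdapSecManager can run with caching disabled (m_permissionsCache unset), this needs a guard — whether that configuration exists is not visible here. The function also returns true regardless of whether anything was evicted, so the caller cannot tell "evicted" from "was never cached"; either return the cache's result or document that the return value is informational. A header comment would help: `// Called by ESP when the user's session ends: drop the user from the permissions cache and clear the in-memory auth state so the next request cannot be served from cache.` There is also no blank line between the closing brace of authenticateUser and this definition, and two trailing blank lines after it.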

+ 1 - 0
system/security/LdapSecurity/ldapsecurity.ipp

@@ -471,6 +471,7 @@ public:
     virtual bool authenticateUser(ISecUser & user, bool * superUser);
     virtual secManagerType querySecMgrType() { return SMT_LDAP; }
     inline virtual const char* querySecMgrTypeName() { return "LdapSecurity"; }
+    virtual bool logoutUser(ISecUser & user);
 
     //Data View related interfaces
     virtual void createView(const char * viewName, const char * viewDescription);

+ 46 - 78
system/security/shared/basesecurity.hpp

@@ -59,250 +59,218 @@ public:
 
     bool subscribe(ISecAuthenticEvents & events)
     {
-        UNIMPLEMENTED;
-        return false;
+        throwUnexpected();
     }
 
     bool unsubscribe(ISecAuthenticEvents & events)
     {
-        UNIMPLEMENTED;
-        return false;
+        throwUnexpected();
     }
 
     bool authorize(ISecUser & user, ISecResourceList * resources, IEspSecureContext* secureContext)
     {
-        UNIMPLEMENTED;
-        return false;
+        throwUnexpected();
     }
 
     bool authorizeEx(SecResourceType rtype, ISecUser & user, ISecResourceList * resources, IEspSecureContext* secureContext)
     {
-        UNIMPLEMENTED;
-        return false;
+        throwUnexpected();
     }
 
     SecAccessFlags authorizeEx(SecResourceType rtype, ISecUser & user, const char * resourcename, IEspSecureContext* secureContext)
     {
-        UNIMPLEMENTED;
-        return SecAccess_None;
+        throwUnexpected();
     }
 
     SecAccessFlags getAccessFlagsEx(SecResourceType rtype, ISecUser & user, const char * resourcename)
     {
-        UNIMPLEMENTED;
-        return SecAccess_None;
+        throwUnexpected();
     }
 
     SecAccessFlags authorizeFileScope(ISecUser & user, const char * filescope)
     {
-        UNIMPLEMENTED;
-        return SecAccess_None;
+        throwUnexpected();
     }
 
     bool authorizeFileScope(ISecUser & user, ISecResourceList * resources)
     {
-        UNIMPLEMENTED;
-        return false;
+        throwUnexpected();
     }
 
     bool authorizeViewScope(ISecUser & user, ISecResourceList * resources)
     {
-        UNIMPLEMENTED;
-        return false;
+        throwUnexpected();
     }
 
     bool addResources(ISecUser & user, ISecResourceList * resources)
     {
-        UNIMPLEMENTED;
-        return false;
+        throwUnexpected();
     }
 
     bool addResourcesEx(SecResourceType rtype, ISecUser & user, ISecResourceList * resources, SecPermissionType ptype, const char * basedn)
     {
-        UNIMPLEMENTED;
-        return false;
+        throwUnexpected();
     }
 
     bool addResourceEx(SecResourceType rtype, ISecUser & user, const char * resourcename, SecPermissionType ptype, const char * basedn)
     {
-        UNIMPLEMENTED;
-        return false;
+        throwUnexpected();
     }
 
     bool getResources(SecResourceType rtype, const char * basedn, IResourceArray & resources)
     {
-        UNIMPLEMENTED;
-        return false;
+        throwUnexpected();
     }
 
     bool updateResources(ISecUser & user, ISecResourceList * resources)
     {
-        UNIMPLEMENTED;
-        return false;
+        throwUnexpected();
     }
 
     bool updateSettings(ISecUser & user, ISecPropertyList * resources, IEspSecureContext* secureContext)
     {
-        UNIMPLEMENTED;
-        return false;
+        throwUnexpected();
     }
 
     bool addUser(ISecUser & user)
     {
-        UNIMPLEMENTED;
-        return false;
+        throwUnexpected();
     }
 
     ISecUser * findUser(const char * username)
     {
-        UNIMPLEMENTED;
-        return NULL;
+        throwUnexpected();
     }
 
     ISecUser * lookupUser(unsigned uid)
     {
-        UNIMPLEMENTED;
-        return NULL;
+        throwUnexpected();
     }
 
     ISecUserIterator * getAllUsers()
     {
-        UNIMPLEMENTED;
-        return NULL;
+        throwUnexpected();
     }
 
     void getAllGroups(StringArray & groups, StringArray & managedBy, StringArray & descriptions )
     {
-        UNIMPLEMENTED;
+        throwUnexpected();
     }
 
     bool updateUserPassword(ISecUser & user, const char * newPassword, const char* currPassword = 0)
     {
-        UNIMPLEMENTED;
-        return false;
+        throwUnexpected();
     }
 
     bool initUser(ISecUser & user)
     {
-        UNIMPLEMENTED;
-        return false;
+        throwUnexpected();
     }
 
     void setExtraParam(const char * name, const char * value)
     {
-        UNIMPLEMENTED;
+        throwUnexpected();
     }
 
     IAuthMap * createAuthMap(IPropertyTree * authconfig)
     {
-        UNIMPLEMENTED;
-        return NULL;
+        throwUnexpected();
     }
 
     IAuthMap * createFeatureMap(IPropertyTree * authconfig)
     {
-        UNIMPLEMENTED;
-        return NULL;
+        throwUnexpected();
     }
 
     IAuthMap * createSettingMap(IPropertyTree * authconfig)
     {
-        UNIMPLEMENTED;
-        return NULL;
+        throwUnexpected();
     }
 
     void deleteResource(SecResourceType rtype, const char * name, const char * basedn)
     {
-        UNIMPLEMENTED;
+        throwUnexpected();
     }
 
     void renameResource(SecResourceType rtype, const char * oldname, const char * newname, const char * basedn)
     {
-        UNIMPLEMENTED;
+        throwUnexpected();
     }
 
     void copyResource(SecResourceType rtype, const char * oldname, const char * newname, const char * basedn)
     {
-        UNIMPLEMENTED;
+        throwUnexpected();
     }
 
     void cacheSwitch(SecResourceType rtype, bool on)
     {
-        UNIMPLEMENTED;
+        throwUnexpected();
     }
 
     bool authTypeRequired(SecResourceType rtype)
     {
-        UNIMPLEMENTED;
-        return false;
+        throwUnexpected();
     }
 
     SecAccessFlags authorizeWorkunitScope(ISecUser & user, const char * filescope)
     {
-        UNIMPLEMENTED;
-        return SecAccess_None;
+        throwUnexpected();
     }
 
     bool authorizeWorkunitScope(ISecUser & user, ISecResourceList * resources)
     {
-        UNIMPLEMENTED;
-        return false;
+        throwUnexpected();
     }
 
     const char * getDescription()
     {
-        UNIMPLEMENTED;
-        return NULL;
+        throwUnexpected();
     }
 
     unsigned getPasswordExpirationWarningDays()
     {
-        UNIMPLEMENTED;
-        return 0;
+        throwUnexpected();
     }
 
     bool createUserScopes()
     {
-        UNIMPLEMENTED;
-        return false;
+        throwUnexpected();
     }
 
     aindex_t getManagedFileScopes(IArrayOf<ISecResource>& scopes)
     {
-        UNIMPLEMENTED;
-        return 0;
+        throwUnexpected();
     }
 
     SecAccessFlags queryDefaultPermission(ISecUser& user)
     {
-        UNIMPLEMENTED;
-        return SecAccess_None;
+        throwUnexpected();
     }
 
     bool clearPermissionsCache(ISecUser & user)
     {
-        UNIMPLEMENTED;
-        return false;
+        throwUnexpected();
     }
 
     bool authenticateUser(ISecUser & user, bool *superUser)
     {
-        UNIMPLEMENTED;
-        return false;
+        throwUnexpected();
     }
 
     secManagerType querySecMgrType()
     {
-        UNIMPLEMENTED;
-        return (secManagerType)0;
+        throwUnexpected();
     }
 
     const char* querySecMgrTypeName()
     {
-        UNIMPLEMENTED;
-        return NULL;
+        throwUnexpected();
     }
 
+    bool logoutUser(ISecUser & user)
+    {
+        throwUnexpected();
+    }
 };
 
 #endif // BASESECURITY_INCL
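Review bot: The new default `logoutUser` at the bottom of the class throws via `throwUnexpected()`, which turns every logout through a manager that inherits this base without overriding it into a failure, and in ESP's logoutSession that exception is raised before the session entry is removed. For a base with no cache the safe default is a no-op: `bool logoutUser(ISecUser & user) { return false; }` with a comment `// nothing is cached here; managers that cache users override this`. For the rest of the hunk, replacing UNIMPLEMENTED plus a return with throwUnexpected() drops the "unimplemented" wording from the raised error and leaves non-void functions with no return statement, which is only well-formed if throwUnexpected is a throwing macro or a [[noreturn]] function — not visible here, so worth confirming. The class header lies before this hunk.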

+ 1 - 1
system/security/shared/caching.cpp

@@ -349,7 +349,7 @@ bool CPermissionsCache::lookup(ISecUser& sec_user)
 
         time_t now;
         time(&now);
-        if(user->getTimestamp() < (now - m_cacheTimeout))
+        if(user->getTimestamp() < (now - m_cacheTimeout)  && 0==sec_user.credentials().getSessionToken())//don't delete session based users
         {
             deleteEntry = true;
         }
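Review bot: With the added `&& 0==sec_user.credentials().getSessionToken()`, entries for session-based users no longer expire on m_cacheTimeout, so whatever the entry holds at login persists until an explicit logoutUser(); if the entry also caches permission lookups, as the class name suggests, revoking a user's access in LDAP would no longer take effect for an active session, where previously it did within the timeout. If the intent is only to avoid re-authenticating a session user whose password is no longer available, keep the timeout for the permission data and refresh it while retaining the authenticated status, or bind the entry's lifetime to the session timeout; at minimum record the trade-off next to the check, e.g. `// session users have no password to re-authenticate with; the entry lives until logoutUser() evicts it`. Note the token tested is the incoming `sec_user`'s, not the cached `user`'s, so the decision depends on the caller's credentials rather than on how the entry was created — confirm that is intended. lookup begins before this hunk.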

+ 1 - 0
system/security/shared/seclib.hpp

@@ -340,6 +340,7 @@ interface ISecManager : extends IInterface
     virtual bool authenticateUser(ISecUser & user, bool * superUser) = 0;
     virtual secManagerType querySecMgrType() = 0;
     virtual const char* querySecMgrTypeName() = 0;
+    virtual bool logoutUser(ISecUser & user) = 0;
 };
 
 interface IRestartHandler : extends IInterface
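Review bot: The new pure virtual `logoutUser` has no comment stating its contract, which matters here because it is the one method callers invoke on a user they have no password for and whose return value the ESP caller ignores. Suggested doc line above it: `// Notify the manager that the user's session has ended: drop any cached authentication/authorization state for this user. Returns true if the manager handled the logout.` Adding a pure virtual to ISecManager also breaks any out-of-tree implementation that is not updated in the same release; if plugins exist, consider defaulting it in the shared base instead. The ISecManager interface begins before this hunk.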