From af178629b8d44795a9188dd158766a70ec9967d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Besson?= Date: Mon, 3 Jul 2023 17:16:57 +0100 Subject: [PATCH 1/6] Modify default session engine to use Django built-in file backend --- omeroweb/settings.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/omeroweb/settings.py b/omeroweb/settings.py index be84ce31b3..baa73fd316 100755 --- a/omeroweb/settings.py +++ b/omeroweb/settings.py @@ -186,7 +186,7 @@ DEFAULT_SERVER_TYPE = WSGITCP ALL_SERVER_TYPES = (WSGI, WSGITCP, DEVELOPMENT) -DEFAULT_SESSION_ENGINE = "omeroweb.filesessionstore" +DEFAULT_SESSION_ENGINE = "django.contrib.sessions.backends.file" SESSION_ENGINE_VALUES = ( "omeroweb.filesessionstore", "django.contrib.sessions.backends.db", From 30fbb43f1163bd0f1326c6c43e482c400b621028 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Besson?= Date: Tue, 4 Jul 2023 06:24:32 +0100 Subject: [PATCH 2/6] Mark omeroweb.filesessionstore as deprecated --- omeroweb/filesessionstore.py | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/omeroweb/filesessionstore.py b/omeroweb/filesessionstore.py index ea4b96e8b6..9130b1eb3a 100644 --- a/omeroweb/filesessionstore.py +++ b/omeroweb/filesessionstore.py @@ -1,9 +1,31 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- + +# +# Copyright (C) 2014-2023 University of Dundee & Open Microscopy Environment. +# All rights reserved. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . +# + import datetime import errno import logging import os import shutil import tempfile +import warnings from django.conf import settings from django.contrib.sessions.backends.base import SessionBase, CreateError @@ -20,6 +42,11 @@ logger = logging.getLogger(__name__) +DEPRECATION_MESSAGE = ( + "This session backend is deprecated as of OMERO.web 5.22.0. Use Django " + "'django.contrib.sessions.backends.file' instead." +) + class SessionStore(SessionBase): """ @@ -27,6 +54,7 @@ class SessionStore(SessionBase): """ def __init__(self, session_key=None): + warnings.warn(DEPRECATION_MESSAGE, DeprecationWarning) self.storage_path = type(self)._get_storage_path() self.file_prefix = settings.SESSION_COOKIE_NAME super(SessionStore, self).__init__(session_key) From 746caace22a1074743f54f3bb9b7b25b96f9d175 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Besson?= Date: Tue, 4 Jul 2023 06:25:18 +0100 Subject: [PATCH 3/6] omeroweb.filesessionstore: extend upstream logic Make the deprecated session store simply extend the upstream file-backend sessions store --- omeroweb/filesessionstore.py | 224 +---------------------------------- 1 file changed, 2 insertions(+), 222 deletions(-) diff --git a/omeroweb/filesessionstore.py b/omeroweb/filesessionstore.py index 9130b1eb3a..f42edd8f03 100644 --- a/omeroweb/filesessionstore.py +++ b/omeroweb/filesessionstore.py @@ -19,240 +19,20 @@ # along with this program. If not, see . # -import datetime -import errno -import logging -import os -import shutil -import tempfile +import django.contrib.sessions.backends.file import warnings -from django.conf import settings -from django.contrib.sessions.backends.base import SessionBase, CreateError -from django.contrib.sessions.backends.base import VALID_KEY_CHARS -from django.core.exceptions import SuspiciousOperation, ImproperlyConfigured -from django.utils import timezone -from django.utils.encoding import force_str - -from django.contrib.sessions.exceptions import InvalidSessionKey - -# Aleksandra Tarkowska: -# This is temporary solution to fix clearout of expiered sessions -# See: https://code.djangoproject.com/ticket/22938 - -logger = logging.getLogger(__name__) - DEPRECATION_MESSAGE = ( "This session backend is deprecated as of OMERO.web 5.22.0. Use Django " "'django.contrib.sessions.backends.file' instead." ) -class SessionStore(SessionBase): +class SessionStore(django.contrib.sessions.backends.file.SessionStore): """ Implements a file based session store. """ def __init__(self, session_key=None): warnings.warn(DEPRECATION_MESSAGE, DeprecationWarning) - self.storage_path = type(self)._get_storage_path() - self.file_prefix = settings.SESSION_COOKIE_NAME super(SessionStore, self).__init__(session_key) - - @classmethod - def _get_storage_path(cls): - try: - return cls._storage_path - except AttributeError: - storage_path = getattr(settings, "SESSION_FILE_PATH", None) - if not storage_path: - storage_path = tempfile.gettempdir() - - # Make sure the storage path is valid. - if not os.path.isdir(storage_path): - raise ImproperlyConfigured( - "The session storage path %r doesn't exist. Please set" - " your SESSION_FILE_PATH setting to an existing directory" - " in which Django can store session data." % storage_path - ) - - cls._storage_path = storage_path - return storage_path - - def _key_to_file(self, session_key=None): - """ - Get the file associated with this session key. - """ - if session_key is None: - session_key = self._get_or_create_session_key() - - # Make sure we're not vulnerable to directory traversal. Session keys - # should always be md5s, so they should never contain directory - # components. - if not set(session_key).issubset(set(VALID_KEY_CHARS)): - raise InvalidSessionKey("Invalid characters in session key") - - return os.path.join(self.storage_path, self.file_prefix + session_key) - - def _last_modification(self): - """ - Return the modification time of the file storing the session's content. - """ - modification = os.stat(self._key_to_file()).st_mtime - if settings.USE_TZ: - modification = datetime.datetime.utcfromtimestamp(modification) - modification = modification.replace(tzinfo=timezone.utc) - else: - modification = datetime.datetime.fromtimestamp(modification) - return modification - - def _expiry_date(self, session_data): - """ - Return the expiry time of the file storing the session's content. - """ - expiry = session_data.get("_session_expiry", None) - if expiry is None: - expiry = self._last_modification() + datetime.timedelta( - seconds=settings.SESSION_COOKIE_AGE - ) - return expiry - - def load(self): - session_data = {} - try: - with open(self._key_to_file(), "r") as session_file: - file_data = session_file.read() - # Don't fail if there is no data in the session file. - # We may have opened the empty placeholder file. - if file_data: - try: - session_data = self.decode(file_data) - except (EOFError, SuspiciousOperation) as e: - if isinstance(e, SuspiciousOperation): - log = logging.getLogger( - "django.security.%s" % e.__class__.__name__ - ) - log.warning(force_str(e)) - self.create() - - # Remove expired sessions. - # Fixing https://code.djangoproject.com/ticket/22938 - expiry_age = self.get_expiry_age(expiry=self._expiry_date(session_data)) - if expiry_age < 0: - session_data = {} - self.delete() - self.create() - else: - logger.debug("No file_data for session: %s" % self._key_to_file()) - except (IOError, SuspiciousOperation): - logger.debug("Failed to load session data", exc_info=True) - self.create() - return session_data - - def create(self): - while True: - self._session_key = self._get_new_session_key() - try: - self.save(must_create=True) - except CreateError: - continue - logger.debug("Session created with session_key: %s" % self._session_key) - self.modified = True - self._session_cache = {} - return - - def save(self, must_create=False): - # Get the session data now, before we start messing - # with the file it is stored within. - session_data = self._get_session(no_load=must_create) - - session_file_name = self._key_to_file() - logger.debug( - "Save session to file with session_file_name: %s" % session_file_name - ) - - try: - # Make sure the file exists. If it does not already exist, an - # empty placeholder file is created. - flags = os.O_WRONLY | os.O_CREAT | getattr(os, "O_BINARY", 0) - if must_create: - flags |= os.O_EXCL - fd = os.open(session_file_name, flags) - os.close(fd) - - except OSError as e: - if must_create and e.errno == errno.EEXIST: - raise CreateError - raise - - # Write the session file without interfering with other threads - # or processes. By writing to an atomically generated temporary - # file and then using the atomic os.rename() to make the complete - # file visible, we avoid having to lock the session file, while - # still maintaining its integrity. - # - # Note: Locking the session file was explored, but rejected in part - # because in order to be atomic and cross-platform, it required a - # long-lived lock file for each session, doubling the number of - # files in the session storage directory at any given time. This - # rename solution is cleaner and avoids any additional overhead - # when reading the session data, which is the more common case - # unless SESSION_SAVE_EVERY_REQUEST = True. - # - # See ticket #8616. - dir, prefix = os.path.split(session_file_name) - - try: - output_file_fd, output_file_name = tempfile.mkstemp( - dir=dir, prefix=prefix + "_out_" - ) - renamed = False - try: - try: - os.write(output_file_fd, self.encode(session_data).encode()) - finally: - os.close(output_file_fd) - - # This will atomically rename the file (os.rename) if the OS - # supports it. Otherwise this will result in a shutil.copy2 - # and os.unlink (for example on Windows). See #9084. - shutil.move(output_file_name, session_file_name) - renamed = True - finally: - if not renamed: - os.unlink(output_file_name) - - except (OSError, IOError, EOFError): - logger.debug("Failed to save session data", exc_info=True) - - def exists(self, session_key): - return os.path.exists(self._key_to_file(session_key)) - - def delete(self, session_key=None): - if session_key is None: - if self.session_key is None: - return - session_key = self.session_key - try: - os.unlink(self._key_to_file(session_key)) - except OSError: - logger.debug("Failed to delete with session_key: %s" % session_key) - - def clean(self): - pass - - @classmethod - def clear_expired(cls): - storage_path = cls._get_storage_path() - file_prefix = settings.SESSION_COOKIE_NAME - - for session_file in os.listdir(storage_path): - if not session_file.startswith(file_prefix): - continue - session_key = session_file[len(file_prefix) :] - session = cls(session_key) - # When an expired session is loaded, its file is removed, and a - # new file is immediately created. Prevent this by disabling - # the create() method. - session.create = lambda: None - session.load() From eff26c26313fa05091343f3856615382bf564960 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Besson?= Date: Tue, 4 Jul 2023 06:37:53 +0100 Subject: [PATCH 4/6] OMERO.web: list all supported session engines in settings.py --- omeroweb/settings.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/omeroweb/settings.py b/omeroweb/settings.py index baa73fd316..bd16360f26 100755 --- a/omeroweb/settings.py +++ b/omeroweb/settings.py @@ -468,6 +468,11 @@ def leave_none_unset_int(s): "Controls where Django stores session data. See :djangodoc:" "`Configuring the session engine for more details `." + "Allowed values are: ``omeroweb.filesessionstore`` (deprecated), " + "``django.contrib.sessions.backends.db``, " + "``django.contrib.sessions.backends.file``` " + "``django.contrib.sessions.backends.cache``` or " + "``django.contrib.sessions.backends.cached_db``." ), ], "omero.web.session_expire_at_browser_close": [ From 994de1bd5a78c96fe062df1caa1dd22ebe2abc5b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Besson?= Date: Tue, 4 Jul 2023 12:52:19 +0100 Subject: [PATCH 5/6] Fix formatting --- omeroweb/settings.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/omeroweb/settings.py b/omeroweb/settings.py index bd16360f26..a1166acd62 100755 --- a/omeroweb/settings.py +++ b/omeroweb/settings.py @@ -470,8 +470,8 @@ def leave_none_unset_int(s): "/#session-engine>`." "Allowed values are: ``omeroweb.filesessionstore`` (deprecated), " "``django.contrib.sessions.backends.db``, " - "``django.contrib.sessions.backends.file``` " - "``django.contrib.sessions.backends.cache``` or " + "``django.contrib.sessions.backends.file``, " + "``django.contrib.sessions.backends.cache`` or " "``django.contrib.sessions.backends.cached_db``." ), ], From 8fa12e6ca26007a9345f92bde8f9ee769c51af48 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Besson?= Date: Tue, 4 Jul 2023 12:57:01 +0100 Subject: [PATCH 6/6] Add note about SessionStore behavior equivalence --- omeroweb/filesessionstore.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/omeroweb/filesessionstore.py b/omeroweb/filesessionstore.py index f42edd8f03..bc9e1b86d8 100644 --- a/omeroweb/filesessionstore.py +++ b/omeroweb/filesessionstore.py @@ -23,8 +23,9 @@ import warnings DEPRECATION_MESSAGE = ( - "This session backend is deprecated as of OMERO.web 5.22.0. Use Django " - "'django.contrib.sessions.backends.file' instead." + "This session store implementation behaves identically to Django's built-in " + "'django.contrib.sessions.backends.file' and is deprecated as of " + "OMERO.web 5.22.0." )