Don't apply a session limit when genuinely replacing a session
This commit is contained in:
Olivier 'reivilibre
@@ -36,6 +36,10 @@ violation contains {
|
||||
# TODO not strictly correct...
|
||||
input.login_type == "m.login.sso"
|
||||
|
||||
# Only apply if this login doesn't replace a session
|
||||
# (As then this login is not actually increasing the number of devices)
|
||||
not input.session_replaced
|
||||
|
||||
# For web-based 'compat SSO' login, a violation occurs when the soft limit has already been
|
||||
# reached or exceeded.
|
||||
# We use the soft limit because the user will be able to interactively remove
|
||||
@@ -53,6 +57,10 @@ violation contains {
|
||||
# This is not a web-based interactive login
|
||||
input.login_type == "m.login.password"
|
||||
|
||||
# Only apply if this login doesn't replace a session
|
||||
# (As then this login is not actually increasing the number of devices)
|
||||
not input.session_replaced
|
||||
|
||||
# For `m.login.password` login, a violation occurs when the hard limit has already been
|
||||
# reached or exceeded.
|
||||
# We don't use the soft limit because the user won't be able to interactively remove
|
||||
|
||||
@@ -14,32 +14,38 @@ test_session_limiting_sso if {
|
||||
compat_login.allow with input.user as user
|
||||
with input.session_counts as {"total": 1}
|
||||
with input.login_type as "m.login.sso"
|
||||
with input.session_replaced as false
|
||||
with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
|
||||
|
||||
compat_login.allow with input.user as user
|
||||
with input.session_counts as {"total": 31}
|
||||
with input.login_type as "m.login.sso"
|
||||
with input.session_replaced as false
|
||||
with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
|
||||
|
||||
not compat_login.allow with input.user as user
|
||||
with input.session_counts as {"total": 32}
|
||||
with input.login_type as "m.login.sso"
|
||||
with input.session_replaced as false
|
||||
with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
|
||||
|
||||
not compat_login.allow with input.user as user
|
||||
with input.session_counts as {"total": 42}
|
||||
with input.login_type as "m.login.sso"
|
||||
with input.session_replaced as false
|
||||
with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
|
||||
|
||||
not compat_login.allow with input.user as user
|
||||
with input.session_counts as {"total": 65}
|
||||
with input.login_type as "m.login.sso"
|
||||
with input.session_replaced as false
|
||||
with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
|
||||
|
||||
# No limit configured
|
||||
compat_login.allow with input.user as user
|
||||
with input.session_counts as {"total": 1}
|
||||
with input.login_type as "m.login.sso"
|
||||
with input.session_replaced as false
|
||||
with data.session_limit as null
|
||||
}
|
||||
|
||||
@@ -47,26 +53,45 @@ test_session_limiting_password if {
|
||||
compat_login.allow with input.user as user
|
||||
with input.session_counts as {"total": 1}
|
||||
with input.login_type as "m.login.password"
|
||||
with input.session_replaced as false
|
||||
with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
|
||||
|
||||
compat_login.allow with input.user as user
|
||||
with input.session_counts as {"total": 63}
|
||||
with input.login_type as "m.login.password"
|
||||
with input.session_replaced as false
|
||||
with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
|
||||
|
||||
not compat_login.allow with input.user as user
|
||||
with input.session_counts as {"total": 64}
|
||||
with input.login_type as "m.login.password"
|
||||
with input.session_replaced as false
|
||||
with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
|
||||
|
||||
not compat_login.allow with input.user as user
|
||||
with input.session_counts as {"total": 65}
|
||||
with input.login_type as "m.login.password"
|
||||
with input.session_replaced as false
|
||||
with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
|
||||
|
||||
# No limit configured
|
||||
compat_login.allow with input.user as user
|
||||
with input.session_counts as {"total": 1}
|
||||
with input.login_type as "m.login.password"
|
||||
with input.session_replaced as false
|
||||
with data.session_limit as null
|
||||
}
|
||||
|
||||
test_no_session_limiting_upon_replacement if {
|
||||
not compat_login.allow with input.user as user
|
||||
with input.session_counts as {"total": 65}
|
||||
with input.login_type as "m.login.password"
|
||||
with input.session_replaced as false
|
||||
with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
|
||||
|
||||
not compat_login.allow with input.user as user
|
||||
with input.session_counts as {"total": 65}
|
||||
with input.login_type as "m.login.sso"
|
||||
with input.session_replaced as false
|
||||
with data.session_limit as {"soft_limit": 32, "hard_limit": 64}
|
||||
}
|
||||
|
||||
@@ -7,6 +7,7 @@
|
||||
"login_type",
|
||||
"requester",
|
||||
"session_counts",
|
||||
"session_replaced",
|
||||
"user"
|
||||
],
|
||||
"properties": {
|
||||
@@ -22,6 +23,10 @@
|
||||
}
|
||||
]
|
||||
},
|
||||
"session_replaced": {
|
||||
"description": "Whether a session will be replaced by this login",
|
||||
"type": "boolean"
|
||||
},
|
||||
"login_type": {
|
||||
"$ref": "#/definitions/CompatLoginType"
|
||||
},
|
||||
|
||||
Reference in New Issue
Block a user