persistent session purge script (#3303)

5 months ago · 8f583cde7e
parent 4d05e86a4d
commit 8f583cde7e
4 changed files with 166 additions and 0 deletions
--- a/1
+++ b/1
@ -673,6 +673,7 @@ install_bin:	install_conf_dir
 	@cp -f\
 		${SRCHANDLERDIR}/scripts/purgeLocalCache \
 		${SRCPORTALDIR}/scripts/purgeCentralCache \
+		${SRCPORTALDIR}/scripts/purgePersistentSessions \
 		${SRCPORTALDIR}/scripts/llngDeleteSession \
 		${SRCPORTALDIR}/scripts/llngUserAttributes \
 		${SRCPORTALDIR}/scripts/downloadSamlMetadata \
--- a/debian/liblemonldap-ng-portal-perl.install
+++ b/debian/liblemonldap-ng-portal-perl.install
@ -2,8 +2,10 @@ etc/lemonldap-ng/portal-apache2.conf
 etc/lemonldap-ng/portal-nginx.conf
 usr/share/lemonldap-ng/bin/downloadSamlMetadata
 usr/share/lemonldap-ng/bin/purgeCentralCache
+usr/share/lemonldap-ng/bin/purgePersistentSessions
 usr/share/lemonldap-ng/portal
 usr/share/man/man3/Lemonldap::NG::Portal*
 usr/share/perl5/Lemonldap/NG/Portal*
 usr/share/man/man1/downloadSamlMetadata.1p
 usr/share/man/man1/purgeCentralCache.1p
+usr/share/man/man1/purgePersistentSessions.1p
--- a/lemonldap-ng-portal/scripts/purgePersistentSessions
+++ b/lemonldap-ng-portal/scripts/purgePersistentSessions
@ -0,0 +1,161 @@
+#!/usr/bin/perl
+#=============================================================================
+# Cleaner for LemonLDAP::NG: removes old persistent sessions
+#
+# This is part of LemonLDAP::NG product, released under GPL
+#=============================================================================
+
+use strict;
+use Getopt::Long;
+use Pod::Usage;
+
+use Lemonldap::NG::Common::Session::Purge;
+
+  my %cli_opts;
+my $result =
+  GetOptions( \%cli_opts, 'debug|d', 'json|j', 'help|h', 'creation=i', 'last-update=i',
+    'recent-login=i', 'no-registered-2fa' );
+pod2usage(0) if $cli_opts{help};
+
+my $opts = {
+    ( $cli_opts{debug} ? ( logLevel => 'debug' ) : () ),
+    ( $cli_opts{json}  ? ( json     => 1 )       : () ),
+};
+
+my $filters = {
+    ( defined( $cli_opts{creation} ) ? ( age => $cli_opts{creation} ) : () ),
+    (
+        defined( $cli_opts{'last-update'} )
+        ? ( update => $cli_opts{'last-update'} )
+        : ()
+    ),
+    (
+        defined( $cli_opts{'recent-login'} )
+        ? ( login => $cli_opts{'recent-login'} )
+        : ()
+    ),
+    ( defined( $cli_opts{'no-registered-2fa'} ) ? ( sfdevice => 1 ) : () ),
+};
+
+my $res = Lemonldap::NG::Common::Session::Purge->new($opts)->persistentPurge($filters);
+
+exit 1 unless $res->{success};
+
+__END__
+
+=head1 NAME
+
+=encoding utf8
+
+purgePersistentSessions - Remove persistent sessions that match a certain filter
+
+=head1 SYNOPSIS
+
+  purgePersistentSessions [options] [filters]
+
+=head1 DESCRIPTION
+
+LemonLDAP::NG stores user information in an object called a persistent session.
+While it is not required to purge them, on larger installations with high user
+turnover, persistent sessions may end up accumulating and purging them might
+make sense. This script lets you automatically remove persistent sessions
+that match one or several filters.
+
+=head1 OPTIONS
+
+=head2 GENERAL OPTIONS
+
+=over 8
+
+=item B<--help>, B<-h>
+
+Print a brief help message and exit.
+
+=item B<--debug>, B<-d>
+
+Print additional diagnostics to STDERR
+
+=item B<--json>, B<-j>
+
+Log execution stats as JSON instead of human-readable text
+
+=back
+
+=head2 FILTERS
+
+Filters are ways to select which persistent sessions you want to remove. You
+need to specify at least one filter. If you don't, nothing will be removed.
+
+Multiple filters may be specified, when this is the case, ALL filters must match
+in order for a persistent session to be deleted.
+
+=over 8
+
+=item B<--creation=I<SECONDS>>
+
+The persistent session will be deleted if it was created more than SECONDS ago
+
+=item B<--last-update=I<SECONDS>>
+
+The persistent session will be deleted if it was last updated more than SECONDS
+ago
+
+=item B<--recent-login=I<SECONDS>>
+
+The persistent session will be deleted if the login history's most recent,
+successfull login attempt happened more than SECONDS ago.
+
+If there are no successful logins at all, the persistent session will also be
+deleted.
+
+=item B<--no-registered-2fa>
+
+The persistent session will be deleted if the user has not registered a second
+factor device.
+
+=back
+
+=head1 SEE ALSO
+
+L<http://lemonldap-ng.org/>
+
+=head1 AUTHORS
+
+=over
+
+=item Maxime Besson, E<lt>maxime.besson@worteks.comE<gt>
+
+=back
+
+=head1 BUG REPORT
+
+Use OW2 system to report bug or ask for features:
+L<https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues>
+
+=head1 DOWNLOAD
+
+Lemonldap::NG is available at
+L<https://lemonldap-ng.org/download>
+
+=head1 COPYRIGHT AND LICENSE
+
+=over
+
+=item Copyright (C) 2024 by Xavier Guimard, E<lt>yadd@debian.orgE<gt>
+
+=back
+
+This library is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see L<http://www.gnu.org/licenses/>.
+
+=cut
--- a/rpm/lemonldap-ng.spec
+++ b/rpm/lemonldap-ng.spec
@ -729,9 +729,11 @@ fi
 %files portal
 %{_mandir}/man1/downloadSamlMetadata*
 %{_mandir}/man1/purgeCentralCache*
+%{_mandir}/man1/purgePersistentSessions*
 %{lm_sharedir}/portal
 %{lm_bindir}/purgeCentralCache
 %{lm_bindir}/downloadSamlMetadata
+%{lm_bindir}/purgePersistentSessions
 %config(noreplace) %{apache_confdir}/z-lemonldap-ng-portal.conf
 %config(noreplace) %{_sysconfdir}/nginx/conf.d/portal-nginx.conf
 %{_unitdir}/lemonldap-ng-portal.service