Merge pull request #4675 from mudit06mah/feat/session-ttl

backend: charts: Add session-ttl flag and logic

Author: illume

backend/cmd/headlamp.go

@@ -391,6 +391,7 @@ func createHeadlampHandler(config *HeadlampConfig) http.Handler {
 	logger.Log(logger.LevelInfo, nil, nil, "me Groups Paths: "+config.MeGroupsPaths)
 	logger.Log(logger.LevelInfo, nil, nil, "me User Info URL: "+config.MeUserInfoURL)
 	logger.Log(logger.LevelInfo, nil, nil, "Base URL: "+config.BaseURL)
+	logger.Log(logger.LevelInfo, nil, nil, "Session TTL: "+fmt.Sprint(config.SessionTTL))
 	logger.Log(logger.LevelInfo, nil, nil, "Use In Cluster: "+fmt.Sprint(config.UseInCluster))
 	logger.Log(logger.LevelInfo, nil, nil, "Watch Plugins Changes: "+fmt.Sprint(config.WatchPluginsChanges))
 
@@ -859,7 +860,7 @@ func createHeadlampHandler(config *HeadlampConfig) http.Handler {
 		}
 
 		// Set auth cookie
-		auth.SetTokenCookie(w, r, oauthConfig.Cluster, rawUserToken, config.BaseURL)
+		auth.SetTokenCookie(w, r, oauthConfig.Cluster, rawUserToken, config.BaseURL, config.SessionTTL)
 
 		redirectURL += fmt.Sprintf("auth?cluster=%1s", oauthConfig.Cluster)
 
@@ -942,7 +943,7 @@ func (c *HeadlampConfig) refreshAndSetToken(oidcAuthConfig *kubeconfig.OidcConfi
 		}
 
 		// Set refreshed token in cookie
-		auth.SetTokenCookie(w, r, cluster, newTokenString, c.BaseURL)
+		auth.SetTokenCookie(w, r, cluster, newTokenString, c.BaseURL, c.SessionTTL)
 
 		c.TelemetryHandler.RecordEvent(span, "Token refreshed successfully")
 	}
@@ -2534,7 +2535,7 @@ func (c *HeadlampConfig) handleSetToken(w http.ResponseWriter, r *http.Request)
 	if req.Token == "" {
 		auth.ClearTokenCookie(w, r, cluster, c.BaseURL)
 	} else {
-		auth.SetTokenCookie(w, r, cluster, req.Token, c.BaseURL)
+		auth.SetTokenCookie(w, r, cluster, req.Token, c.BaseURL, c.SessionTTL)
 	}
 
 	w.WriteHeader(http.StatusOK)

backend/cmd/server.go

@@ -100,6 +100,7 @@ func buildHeadlampCFG(conf *config.Config, kubeConfigStore kubeconfig.ContextSto
 		ProxyURLs:             strings.Split(conf.ProxyURLs, ","),
 		TLSCertPath:           conf.TLSCertPath,
 		TLSKeyPath:            conf.TLSKeyPath,
+		SessionTTL:            conf.SessionTTL,
 	}
 }
 

backend/pkg/auth/cookies.go

@@ -75,7 +75,7 @@ func IsSecureContext(r *http.Request) bool {
 }
 
 // SetTokenCookie sets an authentication cookie for a specific cluster.
-func SetTokenCookie(w http.ResponseWriter, r *http.Request, cluster, token, baseURL string) {
+func SetTokenCookie(w http.ResponseWriter, r *http.Request, cluster, token, baseURL string, sessionTTL int) {
 	// Validate inputs
 	if cluster == "" || token == "" {
 		return
@@ -101,7 +101,7 @@ func SetTokenCookie(w http.ResponseWriter, r *http.Request, cluster, token, base
 			Secure:   secure,
 			SameSite: http.SameSiteStrictMode,
 			Path:     GetCookiePath(baseURL, cluster),
-			MaxAge:   86400, // 24 hours
+			MaxAge:   sessionTTL,
 		}
 
 		http.SetCookie(w, cookie)

backend/pkg/auth/cookies_test.go

@@ -166,7 +166,8 @@ func TestSetAndGetAuthCookie(t *testing.T) {
 	w := httptest.NewRecorder()
 
 	// Test setting a cookie
-	auth.SetTokenCookie(w, req, "test-cluster", "test-token", "")
+	testTTL := 100
+	auth.SetTokenCookie(w, req, "test-cluster", "test-token", "", testTTL)
 
 	// Check if cookie was set
 	cookies := w.Result().Cookies()
@@ -191,6 +192,10 @@ func TestSetAndGetAuthCookie(t *testing.T) {
 		t.Error("Expected SameSite to be SameSiteStrictMode")
 	}
 
+	if cookie.MaxAge != testTTL {
+		t.Errorf("Expected MaxAge to be %d, got %d", testTTL, cookie.MaxAge)
+	}
+
 	// Test getting the cookie
 	req.AddCookie(cookie)
 
@@ -213,7 +218,7 @@ func TestGetAuthCookieChunked(t *testing.T) {
 	longToken := strings.Repeat("a", 5000)
 
 	// Test setting a cookie
-	auth.SetTokenCookie(w, req, "test-cluster", longToken, "")
+	auth.SetTokenCookie(w, req, "test-cluster", longToken, "", 86400)
 
 	// Check if cookie was set
 	cookies := w.Result().Cookies()

backend/pkg/config/config.go

@@ -20,8 +20,9 @@ import (
 )
 
 const (
-	defaultPort = 4466
-	osWindows   = "windows"
+	defaultPort       = 4466
+	defaultSessionTTL = 86400 // 24 hours in seconds
+	osWindows         = "windows"
 )
 
 const (
@@ -54,6 +55,7 @@ type Config struct {
 	PluginsDir                string `koanf:"plugins-dir"`
 	UserPluginsDir            string `koanf:"user-plugins-dir"`
 	BaseURL                   string `koanf:"base-url"`
+	SessionTTL                int    `koanf:"session-ttl"`
 	ProxyURLs                 string `koanf:"proxy-urls"`
 	OidcClientID              string `koanf:"oidc-client-id"`
 	OidcValidatorClientID     string `koanf:"oidc-validator-client-id"`
@@ -115,6 +117,16 @@ func (c *Config) Validate() error {
 		return errors.New("base-url needs to start with a '/' or be empty")
 	}
 
+	if c.SessionTTL <= 0 {
+		return errors.New("session-ttl cannot be negative or equal to zero")
+	}
+
+	const oneYearInSeconds = 31536000
+
+	if c.SessionTTL > oneYearInSeconds {
+		return errors.New("session-ttl cannot be greater than 1 year")
+	}
+
 	if c.TracingEnabled != nil && *c.TracingEnabled {
 		if c.ServiceName == "" {
 			return errors.New("service-name is required when tracing is enabled")
@@ -430,6 +442,8 @@ func addGeneralFlags(f *flag.FlagSet) {
 	f.String("plugins-dir", defaultPluginDir(), "Specify the plugins directory to build the backend with")
 	f.String("user-plugins-dir", defaultUserPluginDir(), "Specify the user-installed plugins directory")
 	f.String("base-url", "", "Base URL path. eg. /headlamp")
+	f.Int("session-ttl", defaultSessionTTL, "The time in seconds for the session to be valid"+
+		"(Default: 86400/24h, Min: 1 , Max: 31536000/1yr )")
 	f.String("listen-addr", "", "Address to listen on; default is empty, which means listening to any address")
 	f.Uint("port", defaultPort, "Port to listen from")
 	f.String("proxy-urls", "", "Allow proxy requests to specified URLs")

backend/pkg/headlampconfig/headlampConfig.go

@@ -62,4 +62,5 @@ type HeadlampCFG struct {
 	ProxyURLs             []string
 	TLSCertPath           string
 	TLSKeyPath            string
+	SessionTTL            int
 }

charts/headlamp/README.md

@@ -71,6 +71,7 @@ $ helm install my-headlamp headlamp/headlamp \
 |--------------------|--------|-----------------------|---------------------------------------------------------------------------|
 | config.inCluster   | bool   | `true`                | Run Headlamp in-cluster                                                   |
 | config.baseURL     | string | `""`                  | Base URL path for Headlamp UI                                             |
+| config.sessionTTL  | int    | `86400`               | The time in seconds for the internal session to remain valid (Default: 86400/24h, Min: 1 , Max: 31536000/1yr) |
 | config.pluginsDir  | string | `"/headlamp/plugins"` | Directory to load Headlamp plugins from                                   |
 | config.enableHelm  | bool   | `false`               | Enable Helm operations like install, upgrade and uninstall of Helm charts |
 | config.extraArgs   | array  | `[]`                  | Additional arguments for Headlamp server                                  |

charts/headlamp/templates/deployment.yaml

@@ -245,6 +245,9 @@ spec:
             {{- with .Values.config.pluginsDir}}
             - "-plugins-dir={{ . }}"
             {{- end }}
+            {{- if hasKey .Values.config "sessionTTL" }}
+            - "-session-ttl={{ .Values.config.sessionTTL }}"
+            {{- end }}
             {{- if not $oidc.externalSecret.enabled}}
             # Check if externalSecret is disabled
             {{- if or (ne $oidc.clientID "") (ne $clientID "") }}

charts/headlamp/tests/expected_templates/azure-oidc-with-validators.yaml

@@ -115,6 +115,7 @@ spec:
             - "-in-cluster"
             - "-in-cluster-context-name=main"
             - "-plugins-dir=/headlamp/plugins"
+            - "-session-ttl=86400"
             # Check if externalSecret is disabled
             # Check if clientID is non empty either from env or oidc.config
             - "-oidc-client-id=$(OIDC_CLIENT_ID)"

charts/headlamp/tests/expected_templates/default.yaml

@@ -112,6 +112,7 @@ spec:
             - "-in-cluster"
             - "-in-cluster-context-name=main"
             - "-plugins-dir=/headlamp/plugins"
+            - "-session-ttl=86400"
             # Check if externalSecret is disabled
           ports:
             - name: http