Display and revoke active sessions

8 files changed, 209 insertions, 30 deletions

diff --git a/app/assets/stylesheets/framework/common.scss b/app/assets/stylesheets/framework/common.scss
index e058a0b35b7..2faea55a5f5 100644
--- a/app/assets/stylesheets/framework/common.scss
+++ b/app/assets/stylesheets/framework/common.scss
@@ -452,6 +452,7 @@ img.emoji {
 
 /** COMMON CLASSES **/
 .prepend-top-0 { margin-top: 0; }
+.prepend-top-2 { margin-top: 2px; }
 .prepend-top-5 { margin-top: 5px; }
 .prepend-top-8 { margin-top: $grid-size; }
 .prepend-top-10 { margin-top: 10px; }
diff --git a/app/assets/stylesheets/framework/images.scss b/app/assets/stylesheets/framework/images.scss
index 62a0fba3da3..ab3cceceae9 100644
--- a/app/assets/stylesheets/framework/images.scss
+++ b/app/assets/stylesheets/framework/images.scss
@@ -39,35 +39,10 @@
 svg {
   fill: currentColor;
 
-  &.s8 {
-    @include svg-size(8px);
-  }
-
-  &.s12 {
-    @include svg-size(12px);
-  }
-
-  &.s16 {
-    @include svg-size(16px);
-  }
-
-  &.s18 {
-    @include svg-size(18px);
-  }
-
-  &.s24 {
-    @include svg-size(24px);
-  }
-
-  &.s32 {
-    @include svg-size(32px);
-  }
-
-  &.s48 {
-    @include svg-size(48px);
-  }
-
-  &.s72 {
-    @include svg-size(72px);
+  $svg-sizes: 8 12 16 18 24 32 48 72;
+  @each $svg-size in $svg-sizes {
+    &.s#{$svg-size} {
+      @include svg-size(#{$svg-size}px);
+    }
   }
 }
diff --git a/app/controllers/profiles/active_sessions_controller.rb b/app/controllers/profiles/active_sessions_controller.rb
new file mode 100644
index 00000000000..f0cdc228366
--- /dev/null
+++ b/app/controllers/profiles/active_sessions_controller.rb
@@ -0,0 +1,14 @@
+class Profiles::ActiveSessionsController < Profiles::ApplicationController
+  def index
+    @sessions = ActiveSession.list(current_user)
+  end
+
+  def destroy
+    ActiveSession.destroy(current_user, params[:id])
+
+    respond_to do |format|
+      format.html { redirect_to profile_active_sessions_url, status: 302 }
+      format.js { head :ok }
+    end
+  end
+end
diff --git a/app/helpers/active_sessions_helper.rb b/app/helpers/active_sessions_helper.rb
new file mode 100644
index 00000000000..97b6dac67c5
--- /dev/null
+++ b/app/helpers/active_sessions_helper.rb
@@ -0,0 +1,23 @@
+module ActiveSessionsHelper
+  # Maps a device type as defined in `ActiveSession` to an svg icon name and
+  # outputs the icon html.
+  #
+  # see `DeviceDetector::Device::DEVICE_NAMES` about the available device types
+  def active_session_device_type_icon(active_session)
+    icon_name =
+      case active_session.device_type
+      when 'smartphone', 'feature phone', 'phablet'
+        'mobile'
+      when 'tablet'
+        'tablet'
+      when 'tv', 'smart display', 'camera', 'portable media player', 'console'
+        'media'
+      when 'car browser'
+        'car'
+      else
+        'monitor-o'
+      end
+
+    sprite_icon(icon_name, size: 16, css_class: 'prepend-top-2')
+  end
+end
diff --git a/app/models/active_session.rb b/app/models/active_session.rb
new file mode 100644
index 00000000000..b4a86dbb331
--- /dev/null
+++ b/app/models/active_session.rb
@@ -0,0 +1,110 @@
+class ActiveSession
+  include ActiveModel::Model
+
+  attr_accessor :created_at, :updated_at,
+    :session_id, :ip_address,
+    :browser, :os, :device_name, :device_type
+
+  def current?(session)
+    return false if session_id.nil? || session.id.nil?
+
+    session_id == session.id
+  end
+
+  def human_device_type
+    device_type&.titleize
+  end
+
+  def self.set(user, request)
+    Gitlab::Redis::SharedState.with do |redis|
+      session_id = request.session.id
+      client = DeviceDetector.new(request.user_agent)
+      timestamp = Time.current
+
+      active_user_session = new(
+        ip_address: request.ip,
+        browser: client.name,
+        os: client.os_name,
+        device_name: client.device_name,
+        device_type: client.device_type,
+        created_at: user.current_sign_in_at || timestamp,
+        updated_at: timestamp,
+        session_id: session_id
+      )
+
+      redis.pipelined do
+        redis.setex(
+          key_name(user.id, session_id),
+          Settings.gitlab['session_expire_delay'] * 60,
+          Marshal.dump(active_user_session)
+        )
+
+        redis.sadd(
+          lookup_key_name(user.id),
+          session_id
+        )
+      end
+    end
+  end
+
+  def self.list(user)
+    Gitlab::Redis::SharedState.with do |redis|
+      cleaned_up_lookup_entries(redis, user.id).map do |entry|
+        # rubocop:disable Security/MarshalLoad
+        Marshal.load(entry)
+        # rubocop:enable Security/MarshalLoad
+      end
+    end
+  end
+
+  def self.destroy(user, session_id)
+    Gitlab::Redis::SharedState.with do |redis|
+      redis.srem(lookup_key_name(user.id), session_id)
+
+      deleted_keys = redis.del(key_name(user.id, session_id))
+
+      # only allow deleting the devise session if we could actually find a
+      # related active session. this prevents another user from deleting
+      # someone else's session.
+      if deleted_keys > 0
+        redis.del("#{Gitlab::Redis::SharedState::SESSION_NAMESPACE}:#{session_id}")
+      end
+    end
+  end
+
+  def self.cleanup(user)
+    Gitlab::Redis::SharedState.with do |redis|
+      cleaned_up_lookup_entries(redis, user.id)
+    end
+  end
+
+  def self.key_name(user_id, session_id = '*')
+    "#{Gitlab::Redis::SharedState::USER_SESSIONS_NAMESPACE}:#{user_id}:#{session_id}"
+  end
+
+  def self.lookup_key_name(user_id)
+    "#{Gitlab::Redis::SharedState::USER_SESSIONS_LOOKUP_NAMESPACE}:#{user_id}"
+  end
+
+  def self.cleaned_up_lookup_entries(redis, user_id)
+    lookup_key = lookup_key_name(user_id)
+
+    session_ids = redis.smembers(lookup_key)
+
+    entry_keys = session_ids.map { |session_id| key_name(user_id, session_id) }
+    return [] if entry_keys.empty?
+
+    entries = redis.mget(entry_keys)
+
+    session_ids_and_entries = session_ids.zip(entries)
+
+    # remove expired keys.
+    # only the single key entries are automatically expired by redis, the
+    # lookup entries in the set need to be removed manually.
+    session_ids_and_entries.reject { |_session_id, entry| entry }.each do |session_id, _entry|
+      redis.srem(lookup_key, session_id)
+    end
+
+    session_ids_and_entries.select { |_session_id, entry| entry }.map { |_session_id, entry| entry }
+  end
+end
diff --git a/app/views/layouts/nav/sidebar/_profile.html.haml b/app/views/layouts/nav/sidebar/_profile.html.haml
index c878fcf2808..6cbd163dd41 100644
--- a/app/views/layouts/nav/sidebar/_profile.html.haml
+++ b/app/views/layouts/nav/sidebar/_profile.html.haml
@@ -129,6 +129,17 @@
             = link_to profile_preferences_path do
               %strong.fly-out-top-item-name
                 #{ _('Preferences') }
+      = nav_link(controller: :active_sessions) do
+        = link_to profile_active_sessions_path do
+          .nav-icon-container
+            = sprite_icon('monitor-lines')
+          %span.nav-item-name
+            Active Sessions
+        %ul.sidebar-sub-level-items.is-fly-out-only
+          = nav_link(controller: :active_sessions, html_options: { class: "fly-out-top-item" } ) do
+            = link_to profile_active_sessions_path do
+              %strong.fly-out-top-item-name
+                #{ _('Active Sessions') }
       = nav_link(path: 'profiles#audit_log') do
         = link_to audit_log_profile_path do
           .nav-icon-container
diff --git a/app/views/profiles/active_sessions/_active_session.html.haml b/app/views/profiles/active_sessions/_active_session.html.haml
new file mode 100644
index 00000000000..d40b771f48b
--- /dev/null
+++ b/app/views/profiles/active_sessions/_active_session.html.haml
@@ -0,0 +1,31 @@
+- is_current_session = active_session.current?(session)
+
+%li
+  .pull-left.append-right-10{ data: { toggle: 'tooltip' }, title: active_session.human_device_type }
+    = active_session_device_type_icon(active_session)
+
+  .description.pull-left
+    %div
+      %strong= active_session.ip_address
+    - if is_current_session
+      %div This is your current session
+    - else
+      %div
+        Last accessed on
+        = l(active_session.updated_at, format: :short)
+
+    %div
+      %strong= active_session.browser
+      on
+      %strong= active_session.os
+
+    %div
+      %strong Signed in
+      on
+      = l(active_session.created_at, format: :short)
+
+  - unless is_current_session
+    .pull-right
+      = link_to profile_active_session_path(active_session.session_id), data: { confirm: 'Are you sure? The device will be signed out of GitLab.' }, method: :delete, class: "btn btn-danger prepend-left-10" do
+        %span.sr-only Revoke
+        Revoke
diff --git a/app/views/profiles/active_sessions/index.html.haml b/app/views/profiles/active_sessions/index.html.haml
new file mode 100644
index 00000000000..d0250bb4eab
--- /dev/null
+++ b/app/views/profiles/active_sessions/index.html.haml
@@ -0,0 +1,14 @@
+- page_title 'Active Sessions'
+- @content_class = "limit-container-width" unless fluid_layout
+
+.row.prepend-top-default
+  .col-lg-4.profile-settings-sidebar
+    %h4.prepend-top-0
+      = page_title
+    %p
+      This is a list of devices that have logged into your account. Revoke any sessions that you do not recognize.
+  .col-lg-8
+    .append-bottom-default
+
+      %ul.well-list
+        = render partial: 'profiles/active_sessions/active_session', collection: @sessions