From fea12ba5a4e9ad9eaa0816d4ddf9d1da5deb18da Mon Sep 17 00:00:00 2001
From: Jana Cupova
Date: Mon, 17 Oct 2022 15:05:07 +0200
Subject: [PATCH] Log when session ID, session key and hostip is not related

Fixes: https://pagure.io/koji/issue/3395
---
 koji/auth.py | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/koji/auth.py b/koji/auth.py
index c10afca3..d21a6db9 100644
--- a/koji/auth.py
+++ b/koji/auth.py
@@ -21,6 +21,7 @@
 from __future__ import absolute_import
+import logging
 import random
 import re
 import socket
@@ -53,6 +54,8 @@ RetryWhitelist = [
 'repoProblem',
 ]
+logger = logging.getLogger('koji.auth')
+
 class Session(object):
@@ -117,6 +120,14 @@ class Session(object):
 c.execute(q, locals())
 row = c.fetchone()
 if not row:
+ q = "SELECT key, hostip FROM sessions WHERE id = %(id)i"
+ c.execute(q, locals())
+ row = c.fetchone()
+ if row:
+ if key != row[0]:
+ logger.warning("Session ID %s is not related to session key %s.", id, key)
+ elif hostip != row[1]:
+ logger.warning("Session ID %s is not related to host IP %s.", id, hostip)
 raise koji.AuthError('Invalid session or bad credentials')
 session_data = dict(zip(aliases, row))
 # check for expiration
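Review bot: The first new warning in the `@@ -117,6 +120,14 @@` hunk writes the client-supplied session key into the log (`logger.warning("Session ID %s is not related to session key %s.", id, key)`), and that value is a credential: a client that pairs the wrong ID with an otherwise valid key would leave a usable key in plain text for anyone who can read the server log. The session ID alone is enough to investigate, e.g. `logger.warning("Session ID %s is not related to the supplied session key.", id)`. Because `key` appears to come straight from the request, dropping it also keeps client-chosen control characters out of the log line. The extra lookup runs only on the failure path, but any client that names an existing session ID causes one more query and one warning per request, so de-duplicating or rate-limiting the message is worth considering. The enclosing method starts and ends outside the hunk, so how `id`, `key` and `hostip` are derived is not visible here.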