From ilgro...@apache.org
Subject [syncope] branch 2_1_X updated: [SYNCOPE-1420] Replacing expired access tokens upon login
Date Fri, 21 Dec 2018 11:02:56 GMT
This is an automated email from the ASF dual-hosted git repository.

ilgrosso pushed a commit to branch 2_1_X
in repository https://gitbox.apache.org/repos/asf/syncope.git


The following commit(s) were added to refs/heads/2_1_X by this push:
     new 79964a9  [SYNCOPE-1420] Replacing expired access tokens upon login
79964a9 is described below

commit 79964a9d6bc62c4baced7864db417729a54cd989
Author: Francesco Chicchiriccò <ilgrosso@apache.org>
AuthorDate: Fri Dec 21 11:55:16 2018 +0100

    [SYNCOPE-1420] Replacing expired access tokens upon login
---
 .../java/data/AccessTokenDataBinderImpl.java       |  4 +--
 .../org/apache/syncope/fit/core/JWTITCase.java     | 38 ++++++++++++++++++++++
 2 files changed, 40 insertions(+), 2 deletions(-)

diff --git a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java
b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java
index 9e1c8c9..9ccc4e5 100644
--- a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java
+++ b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java
@@ -133,8 +133,8 @@ public class AccessTokenDataBinderImpl implements AccessTokenDataBinder
{
             accessToken.setKey(SecureRandomUtils.generateRandomUUID().toString());
 
             accessToken = replace(subject, claims, authorities, accessToken);
-        } else if (replace) {
-            // AccessToken found, but replace requested: update existing
+        } else if (replace || accessToken.getExpiryTime() == null || accessToken.getExpiryTime().before(new
Date())) {
+            // AccessToken found, but either replace was requested or it is expired: update
existing
             accessToken = replace(subject, claims, authorities, accessToken);
         }
 
diff --git a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/JWTITCase.java b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/JWTITCase.java
index 663544a..2dfa0b5 100644
--- a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/JWTITCase.java
+++ b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/JWTITCase.java
@@ -20,6 +20,7 @@ package org.apache.syncope.fit.core;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assertions.fail;
@@ -48,6 +49,7 @@ import org.apache.cxf.rs.security.jose.jws.NoneJwsSignatureProvider;
 import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.syncope.client.lib.SyncopeClient;
+import org.apache.syncope.common.lib.to.AttrTO;
 import org.apache.syncope.common.lib.to.UserTO;
 import org.apache.syncope.common.rest.api.RESTHeaders;
 import org.apache.syncope.common.rest.api.service.AccessTokenService;
@@ -551,4 +553,40 @@ public class JWTITCase extends AbstractITCase {
             // expected
         }
     }
+
+    @Test
+    public void issueSYNCOPE1420() {
+        AttrTO orig = configurationService.get("jwt.lifetime.minutes");
+        try {
+            // set for immediate JWT expiration
+            configurationService.set(new AttrTO.Builder().schema("jwt.lifetime.minutes").value("0").build());
+
+            UserTO user = UserITCase.getUniqueSampleTO("syncope164@syncope.apache.org");
+            user = createUser(user).getEntity();
+            assertNotNull(user);
+
+            // login, get JWT with  expiryTime
+            String jwt = clientFactory.create(user.getUsername(), "password123").getJWT();
+
+            JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(jwt);
+            assertTrue(consumer.verifySignatureWith(jwsSignatureVerifier));
+            Long expiryTime = consumer.getJwtClaims().getExpiryTime();
+            assertNotNull(expiryTime);
+
+            // wait for 1 sec, check that JWT is effectively expired
+            try {
+                Thread.sleep(1000L);
+            } catch (InterruptedException e) {
+                // ignore
+            }
+            assertTrue(expiryTime < System.currentTimeMillis());
+
+            // login again, get new JWT
+            // (even if ExpiredAccessTokenCleanup did not run yet, as it is scheduled every
5 minutes)
+            String newJWT = clientFactory.create(user.getUsername(), "password123").getJWT();
+            assertNotEquals(jwt, newJWT);
+        } finally {
+            configurationService.set(orig);
+        }
+    }
 }
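Review bot: The `catch (InterruptedException e)` around `Thread.sleep(1000L)` swallows the interrupt with `// ignore`, which drops the interruption status for the rest of the test thread; the usual fix is to restore it, `Thread.currentThread().interrupt();`, before continuing. Separately, the `finally` block calls `configurationService.set(orig)` unconditionally, so if `configurationService.get("jwt.lifetime.minutes")` ever returned null (e.g. the key is absent in a fresh deployment) the restore would presumably fail with an exception that masks the real assertion failure — a guard like `if (orig != null) { configurationService.set(orig); }` would keep the cleanup from hiding the test result. The one-second sleep plus `expiryTime < System.currentTimeMillis()` also ties the test to wall-clock timing; if the lifetime setting supports it, asserting against the returned `expiryTime` directly would be less brittle, but that depends on the configuration semantics not shown here.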

