[SYNCOPE-1420] Replacing expired access tokens upon login
authorFrancesco Chicchiriccò <ilgrosso@apache.org>
Fri, 21 Dec 2018 10:55:16 +0000 (11:55 +0100)
committerFrancesco Chicchiriccò <ilgrosso@apache.org>
Fri, 21 Dec 2018 10:55:16 +0000 (11:55 +0100)
core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java
fit/core-reference/src/test/java/org/apache/syncope/fit/core/JWTITCase.java

index 9e1c8c9..9ccc4e5 100644 (file)
@@ -133,8 +133,8 @@ public class AccessTokenDataBinderImpl implements AccessTokenDataBinder {
             accessToken.setKey(SecureRandomUtils.generateRandomUUID().toString());
 
             accessToken = replace(subject, claims, authorities, accessToken);
-        } else if (replace) {
-            // AccessToken found, but replace requested: update existing
+        } else if (replace || accessToken.getExpiryTime() == null || accessToken.getExpiryTime().before(new Date())) {
+            // AccessToken found, but either replace was requested or it is expired: update existing
             accessToken = replace(subject, claims, authorities, accessToken);
         }
 
index 663544a..406909b 100644 (file)
@@ -20,6 +20,7 @@ package org.apache.syncope.fit.core;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assertions.fail;
@@ -48,6 +49,8 @@ import org.apache.cxf.rs.security.jose.jws.NoneJwsSignatureProvider;
 import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.syncope.client.lib.SyncopeClient;
+import org.apache.syncope.common.lib.Attr;
+import org.apache.syncope.common.lib.request.UserCR;
 import org.apache.syncope.common.lib.to.UserTO;
 import org.apache.syncope.common.rest.api.RESTHeaders;
 import org.apache.syncope.common.rest.api.service.AccessTokenService;
@@ -551,4 +554,40 @@ public class JWTITCase extends AbstractITCase {
             // expected
         }
     }
+
+    @Test
+    public void issueSYNCOPE1420() {
+        Attr orig = configurationService.get("jwt.lifetime.minutes");
+        try {
+            // set for immediate JWT expiration
+            configurationService.set(new Attr.Builder("jwt.lifetime.minutes").value("0").build());
+
+            UserCR userCR = UserITCase.getUniqueSample("syncope164@syncope.apache.org");
+            UserTO user = createUser(userCR).getEntity();
+            assertNotNull(user);
+
+            // login, get JWT with  expiryTime
+            String jwt = clientFactory.create(user.getUsername(), "password123").getJWT();
+
+            JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(jwt);
+            assertTrue(consumer.verifySignatureWith(jwsSignatureVerifier));
+            Long expiryTime = consumer.getJwtClaims().getExpiryTime();
+            assertNotNull(expiryTime);
+
+            // wait for 1 sec, check that JWT is effectively expired
+            try {
+                Thread.sleep(1000L);
+            } catch (InterruptedException e) {
+                // ignore
+            }
+            assertTrue(expiryTime < System.currentTimeMillis());
+
+            // login again, get new JWT
+            // (even if ExpiredAccessTokenCleanup did not run yet, as it is scheduled every 5 minutes)
+            String newJWT = clientFactory.create(user.getUsername(), "password123").getJWT();
+            assertNotEquals(jwt, newJWT);
+        } finally {
+            configurationService.set(orig);
+        }
+    }
 }