From d2f6fb75b63824b6dea2ad9c9591f59815155a23 Mon Sep 17 00:00:00 2001
From: Julien Lancelot
Date: Fri, 14 Apr 2017 13:19:04 +0200
Subject: [PATCH] SONAR-9004 Fix max authentication session timeout

Max authentication session timeout was limited to 25 days because of integer usage instead of long
---
 .../server/authentication/JwtSerializer.java | 8 +++----
 .../authentication/JwtSerializerTest.java | 21 ++++++++++++++++---
 2 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/server/sonar-server/src/main/java/org/sonar/server/authentication/JwtSerializer.java b/server/sonar-server/src/main/java/org/sonar/server/authentication/JwtSerializer.java
index 325b0e7ba25..8b2a6289508 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/authentication/JwtSerializer.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/authentication/JwtSerializer.java
@@ -156,14 +156,14 @@ public class JwtSerializer implements Startable {
 static class JwtSession {
 private final String userLogin;
- private final int expirationTimeInSeconds;
+ private final long expirationTimeInSeconds;
 private final Map properties;
- JwtSession(String userLogin, int expirationTimeInSeconds) {
+ JwtSession(String userLogin, long expirationTimeInSeconds) {
 this(userLogin, expirationTimeInSeconds, Collections.emptyMap());
 }
- JwtSession(String userLogin, int expirationTimeInSeconds, Map properties) {
+ JwtSession(String userLogin, long expirationTimeInSeconds, Map properties) {
 this.userLogin = requireNonNull(userLogin, "User login cannot be null");
 this.expirationTimeInSeconds = expirationTimeInSeconds;
 this.properties = properties;
@@ -173,7 +173,7 @@ public class JwtSerializer implements Startable {
 return userLogin;
 }
- int getExpirationTimeInSeconds() {
+ long getExpirationTimeInSeconds() {
 return expirationTimeInSeconds;
 }
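Review bot: Widening the field, constructors and getter to long fixes the storage type, but the multiplication that turns `expirationTimeInSeconds` into milliseconds (the place where a 32-bit result caps the session at the "25 days" the description mentions) is outside this hunk, presumably in `encode`; it is worth confirming that expression is now evaluated in long arithmetic (`* 1000L`) rather than only widened after an int product. The three-argument constructor at the end of the first hunk still validates only `userLogin`; a zero or negative expiration is accepted silently, and from the hunk alone it is not clear what token that yields, so a guard next to the `requireNonNull`, `if (expirationTimeInSeconds <= 0) { throw new IllegalArgumentException("Expiration time in seconds must be positive: " + expirationTimeInSeconds); }`, would make the contract explicit. A short Javadoc on the field, `/** Lifetime of the session in seconds; stored as long so that the millisecond conversion cannot overflow. */`, would record why the type changed. The body of `JwtSession` starts and ends outside both hunks, and the second hunk (the getter) carries the same type change.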
diff --git a/server/sonar-server/src/test/java/org/sonar/server/authentication/JwtSerializerTest.java b/server/sonar-server/src/test/java/org/sonar/server/authentication/JwtSerializerTest.java
index cc1df896a69..9095b04f43c 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/authentication/JwtSerializerTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/authentication/JwtSerializerTest.java
@@ -74,12 +74,27 @@ public class JwtSerializerTest {
 underTest.start();
 Date now = new Date();
- String token = underTest.encode(new JwtSession(USER_LOGIN, 10));
+ long expirationTimeInSeconds = 10L;
+ String token = underTest.encode(new JwtSession(USER_LOGIN, expirationTimeInSeconds));
+
+ assertThat(token).isNotEmpty();
+ Claims claims = underTest.decode(token).get();
+ assertThat(claims.getExpiration().getTime()).isGreaterThanOrEqualTo(now.getTime() + expirationTimeInSeconds * 1000L - 1000L);
+ }
+
+ @Test
+ public void generate_token_with_big_expiration_date() throws Exception {
+ setSecretKey(A_SECRET_KEY);
+ underTest.start();
+ Date now = new Date();
+
+ long oneYearInSeconds = 12 * 30 * 24 * 60 * 60L;
+ String token = underTest.encode(new JwtSession(USER_LOGIN, oneYearInSeconds));
 assertThat(token).isNotEmpty();
 Claims claims = underTest.decode(token).get();
- // Check expiration date it set to more than 9 seconds in the future
- assertThat(claims.getExpiration()).isAfterOrEqualsTo(new Date(now.getTime() + 9 * 1000));
+ // Check expiration date it set to one year in the future
+ assertThat(claims.getExpiration().getTime()).isGreaterThanOrEqualTo(now.getTime() + oneYearInSeconds * 1000L - 1000L);
 }
 @Test
-- 
2.39.5
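Review bot: The new `generate_token_with_big_expiration_date` test asserts only a lower bound on the expiration, so a token that expires far later than requested would still pass; adding `assertThat(claims.getExpiration().getTime()).isLessThanOrEqualTo(new Date().getTime() + oneYearInSeconds * 1000L);` after the existing assertion pins the value from both sides, which matters for a session-lifetime regression test. `oneYearInSeconds` is `12 * 30 * 24 * 60 * 60L`, i.e. 360 days, while the comment calls it one year, and that comment also has a typo; `// Check expiration date is set to ~360 days in the future` says what is actually asserted. The `- 1000L` slack in both new assertions is unexplained in the hunk; if, as seems likely, it compensates for the exp claim being carried at second granularity, a one-line comment stating that would help the next reader. Both methods start and end outside the visible hunk context.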