authorJulien Lancelot <julien.lancelot@sonarsource.com>2020-06-23 10:14:29 +0200
committersonartech <sonartech@sonarsource.com>2020-06-26 20:04:58 +0000
commit73d36cf5bf53c934ffab329bd88897fca0080c4f (patch)
treececeb8cc5d736982de96475324013f2c8132db09 /server/sonar-webserver-auth
parent7a225877b6dd3297af89fcbab079138bdea1e5e3 (diff)
downloadsonarqube-73d36cf5bf53c934ffab329bd88897fca0080c4f.tar.gz
sonarqube-73d36cf5bf53c934ffab329bd88897fca0080c4f.zip
SONAR-13373 sonar.web.sessionTimeoutInMinutes cannot be lower than 5 minutes
Diffstat (limited to 'server/sonar-webserver-auth')
-rw-r--r--server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/JwtHttpHandler.java7
-rw-r--r--server/sonar-webserver-auth/src/test/java/org/sonar/server/authentication/JwtHttpHandlerTest.java16
2 files changed, 16 insertions, 7 deletions
diff --git a/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/JwtHttpHandler.java b/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/JwtHttpHandler.java
index 8c000e1a65c..e537d713172 100644
--- a/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/JwtHttpHandler.java
+++ b/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/JwtHttpHandler.java
@@ -215,10 +215,9 @@ public class JwtHttpHandler {
private static int getSessionTimeoutInSeconds(Configuration config) {
int minutes = config.getInt(WEB_SESSION_TIMEOUT_IN_MIN.getKey()).orElse(SESSION_TIMEOUT_DEFAULT_VALUE_IN_MINUTES);
- checkArgument(minutes > 0, "Property %s must be strictly positive. Got %s", WEB_SESSION_TIMEOUT_IN_MIN.getKey(), minutes);
- checkArgument(minutes <= MAX_SESSION_TIMEOUT_IN_MINUTES,
- "Property %s must not be greater than 3 months (%s minutes). Got %s minutes", WEB_SESSION_TIMEOUT_IN_MIN.getKey(),
- MAX_SESSION_TIMEOUT_IN_MINUTES, minutes);
+ checkArgument(minutes > SESSION_REFRESH_IN_SECONDS / 60 && minutes <= MAX_SESSION_TIMEOUT_IN_MINUTES,
+ "Property %s must be higher than 5 minutes and must not be greater than 3 months. Got %s minutes", WEB_SESSION_TIMEOUT_IN_MIN.getKey(),
+ minutes);
return minutes * 60;
}
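Review bot: The message on the new checkArgument line hard-codes "5 minutes" while the lower bound is actually computed as `SESSION_REFRESH_IN_SECONDS / 60`, so the text and the check will silently diverge if the refresh constant is ever changed; pass the bound as a format argument instead, e.g. `"Property %s must be higher than %s minutes and must not be greater than 3 months (%s minutes). Got %s minutes", WEB_SESSION_TIMEOUT_IN_MIN.getKey(), SESSION_REFRESH_IN_SECONDS / 60, MAX_SESSION_TIMEOUT_IN_MINUTES, minutes`, which also restores the maximum-in-minutes detail the removed message used to report. The reason for the lower bound is not obvious from the condition and deserves a comment on the checkArgument line, along the lines of `// timeout must exceed the session refresh interval, otherwise the token would expire before it can be refreshed` — hedged, since the refresh logic is not visible in this hunk. Note too that `SESSION_REFRESH_IN_SECONDS / 60` is integer division and truncates if the constant is not a whole number of minutes; comparing in seconds (`minutes * 60 > SESSION_REFRESH_IN_SECONDS`) avoids that and keeps the comparison exact.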
diff --git a/server/sonar-webserver-auth/src/test/java/org/sonar/server/authentication/JwtHttpHandlerTest.java b/server/sonar-webserver-auth/src/test/java/org/sonar/server/authentication/JwtHttpHandlerTest.java
index 0e6430c1ae8..f50617c5ce1 100644
--- a/server/sonar-webserver-auth/src/test/java/org/sonar/server/authentication/JwtHttpHandlerTest.java
+++ b/server/sonar-webserver-auth/src/test/java/org/sonar/server/authentication/JwtHttpHandlerTest.java
@@ -157,7 +157,7 @@ public class JwtHttpHandlerTest {
settings.setProperty("sonar.web.sessionTimeoutInMinutes", 0);
expectedException.expect(IllegalArgumentException.class);
- expectedException.expectMessage("Property sonar.web.sessionTimeoutInMinutes must be strictly positive. Got 0");
+ expectedException.expectMessage("Property sonar.web.sessionTimeoutInMinutes must be higher than 5 minutes and must not be greater than 3 months. Got 0");
new JwtHttpHandler(system2, dbClient, settings.asConfig(), jwtSerializer, jwtCsrfVerifier);
}
@@ -167,7 +167,17 @@ public class JwtHttpHandlerTest {
settings.setProperty("sonar.web.sessionTimeoutInMinutes", -10);
expectedException.expect(IllegalArgumentException.class);
- expectedException.expectMessage("Property sonar.web.sessionTimeoutInMinutes must be strictly positive. Got -10");
+ expectedException.expectMessage("Property sonar.web.sessionTimeoutInMinutes must be higher than 5 minutes and must not be greater than 3 months. Got -10");
+
+ new JwtHttpHandler(system2, dbClient, settings.asConfig(), jwtSerializer, jwtCsrfVerifier);
+ }
+
+ @Test
+ public void session_timeout_property_cannot_be_set_to_five_minutes() {
+ settings.setProperty("sonar.web.sessionTimeoutInMinutes", 5);
+
+ expectedException.expect(IllegalArgumentException.class);
+ expectedException.expectMessage("Property sonar.web.sessionTimeoutInMinutes must be higher than 5 minutes and must not be greater than 3 months. Got 5 minutes");
new JwtHttpHandler(system2, dbClient, settings.asConfig(), jwtSerializer, jwtCsrfVerifier);
}
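Review bot: The new test pins the rejected boundary value 5, but no visible test checks that 6 minutes, the smallest value the new check accepts, is allowed; if none exists elsewhere in JwtHttpHandlerTest, add one that sets `settings.setProperty("sonar.web.sessionTimeoutInMinutes", 6);` and constructs the handler without expecting an exception, so the lower bound is pinned from both sides. The expected messages in the 0 and -10 cases (this hunk and the previous one) stop at "Got -10" while the new format string emits "Got -10 minutes"; expectMessage matches a substring so they pass, but spelling out the full message as the 5-minute case does would keep the three assertions consistent and catch a future format change. The test method that this hunk's first lines belong to starts outside the hunk.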
@@ -177,7 +187,7 @@ public class JwtHttpHandlerTest {
settings.setProperty("sonar.web.sessionTimeoutInMinutes", 4 * 30 * 24 * 60);
expectedException.expect(IllegalArgumentException.class);
- expectedException.expectMessage("Property sonar.web.sessionTimeoutInMinutes must not be greater than 3 months (129600 minutes). Got 172800 minutes");
+ expectedException.expectMessage("Property sonar.web.sessionTimeoutInMinutes must be higher than 5 minutes and must not be greater than 3 months. Got 172800 minutes");
new JwtHttpHandler(system2, dbClient, settings.asConfig(), jwtSerializer, jwtCsrfVerifier);
}