From 929bf2ca704f43685c58da9fd60dceac037d3593 Mon Sep 17 00:00:00 2001
From: Lucas Di Pentima
Date: Tue, 18 Aug 2020 16:23:38 -0300
Subject: [PATCH] 16678: Sets token expiration at login time. Disabled by default.

Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima
---
 lib/config/config.default.yml | 5 ++--
 lib/config/generated_config.go | 5 ++--
 .../controllers/user_sessions_controller.rb | 5 ++++
 .../user_sessions_controller_test.rb | 23 ++++++++++++++++++-
 4 files changed, 33 insertions(+), 5 deletions(-)

diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index 24e5b71c6c..91cd8b4352 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -699,8 +699,9 @@ Clusters:
       RemoteTokenRefresh: 5m
 
       # How long a client token created from a login flow will be valid without
-      # asking the user to re-login.
-      TokenLifetime: 12h
+      # asking the user to re-login. Example values: 60m, 8h.
+      # Default value zero means tokens don't have expiration.
+      TokenLifetime: 0s
 
     Git:
       # Path to git or gitolite-shell executable. Each authenticated
diff --git a/lib/config/generated_config.go b/lib/config/generated_config.go
index e35318ff95..a2ff94c385 100644
--- a/lib/config/generated_config.go
+++ b/lib/config/generated_config.go
@@ -705,8 +705,9 @@ Clusters:
       RemoteTokenRefresh: 5m
 
       # How long a client token created from a login flow will be valid without
-      # asking the user to re-login.
-      TokenLifetime: 12h
+      # asking the user to re-login. Example values: 60m, 8h.
+      # Default value zero means tokens don't have expiration.
+      TokenLifetime: 0s
 
     Git:
       # Path to git or gitolite-shell executable. Each authenticated
diff --git a/services/api/app/controllers/user_sessions_controller.rb b/services/api/app/controllers/user_sessions_controller.rb
index 582b98cf2d..8e3c3ac5e3 100644
--- a/services/api/app/controllers/user_sessions_controller.rb
+++ b/services/api/app/controllers/user_sessions_controller.rb
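Review bot: The new comment on `TokenLifetime` in config.default.yml should state that the lifetime is applied when a token is issued, so changing the value later neither shortens nor extends tokens that already exist; the controller hunk further down sets `expires_at` once at creation and nothing in the patch revisits it. Suggested line after "Default value zero means tokens don't have expiration.": `# Changing this value affects only tokens issued after the change; existing tokens keep their original expiry.` The same comment block is repeated in the generated_config.go hunk, which appears to be generated from this file, so it would pick up the wording automatically.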
@@ -147,10 +147,15 @@ class UserSessionsController < ApplicationController
         find_or_create_by(url_prefix: api_client_url_prefix)
     end
 
+    token_expiration = nil
+    if Rails.configuration.Login.TokenLifetime > 0
+      token_expiration = Time.now + Rails.configuration.Login.TokenLifetime
+    end
     @api_client_auth = ApiClientAuthorization.
       new(user: user,
           api_client: @api_client,
           created_by_ip_address: remote_ip,
+          expires_at: token_expiration,
           scopes: ["all"])
     @api_client_auth.save!
 
diff --git a/services/api/test/functional/user_sessions_controller_test.rb b/services/api/test/functional/user_sessions_controller_test.rb
index fc9475692a..cd475dea4d 100644
--- a/services/api/test/functional/user_sessions_controller_test.rb
+++ b/services/api/test/functional/user_sessions_controller_test.rb
@@ -14,7 +14,6 @@ class UserSessionsControllerTest < ActionController::TestCase
     assert_nil assigns(:api_client)
   end
 
-
   test "send token when user is already logged in" do
     authorize_with :inactive
     api_client_page = 'http://client.example.com/home'
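Review bot: A negative `TokenLifetime` falls through the `> 0` check in user_sessions_controller.rb and issues a non-expiring token exactly as 0 does; unless the config loader already rejects negative durations (not visible in this patch), raising a configuration error there would be safer than silently disabling expiry. The setting is also read twice and the Rails convention for a time-zone-aware clock is `Time.current` rather than `Time.now`, so the four added lines collapse to `lifetime = Rails.configuration.Login.TokenLifetime` / `token_expiration = lifetime > 0 ? Time.current + lifetime : nil`. Because `expires_at` is computed before `save!`, any test that compares it against `updated_at` is only as tight as the gap between those two calls. The enclosing method (presumably `login`, from the test's `get :login`) starts and ends outside this hunk.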
@@ -26,6 +25,28 @@ class UserSessionsControllerTest < ActionController::TestCase
     assert_not_nil assigns(:api_client)
   end
 
+  test "login creates token without expiration by default" do
+    assert_equal Rails.configuration.Login.TokenLifetime, 0
+    authorize_with :inactive
+    api_client_page = 'http://client.example.com/home'
+    get :login, params: {return_to: api_client_page}
+    assert_not_nil assigns(:api_client)
+    assert_nil assigns(:api_client_auth).expires_at
+  end
+
+  test "login creates token with configured lifetime" do
+    token_lifetime = 1.hour
+    Rails.configuration.Login.TokenLifetime = token_lifetime
+    authorize_with :inactive
+    api_client_page = 'http://client.example.com/home'
+    get :login, params: {return_to: api_client_page}
+    assert_not_nil assigns(:api_client)
+    api_client_auth = assigns(:api_client_auth)
+    assert_in_delta(api_client_auth.expires_at,
+                    api_client_auth.updated_at + token_lifetime,
+                    1.second)
+  end
+
   test "login with remote param returns a salted token" do
     authorize_with :inactive
     api_client_page = 'http://client.example.com/home'
-- 
2.30.2
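Review bot: `Rails.configuration.Login.TokenLifetime = token_lifetime` in "login creates token with configured lifetime" is never restored, so the preceding test's `assert_equal Rails.configuration.Login.TokenLifetime, 0` becomes order-dependent unless the test helper resets configuration between tests (not visible here). Saving the original value first and restoring it in an `ensure` block around the body, or in a `teardown`, removes that dependency. Minitest's `assert_equal` and `assert_in_delta` also take the expected value first, so `assert_equal 0, Rails.configuration.Login.TokenLifetime` and `assert_in_delta(api_client_auth.updated_at + token_lifetime, api_client_auth.expires_at, 1.second)` give correctly labelled failure messages. The 1-second delta against `updated_at` is reasonable since the controller computes `expires_at` just before `save!`.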