SONAR-13372 JWT refresh now really occurs every 5 minutes
Julien Lancelot authored and sonartech committed Jun 26, 2020
1 parent 96af2bc commit 7a22587
Showing 3 changed files with 17 additions and 15 deletions.
Expand Up @@ -44,14 +44,14 @@
import static org.sonar.process.ProcessProperties.Property.WEB_SESSION_TIMEOUT_IN_MIN;
import static org.sonar.server.authentication.Cookies.findCookie;
import static org.sonar.server.authentication.Cookies.newCookieBuilder;
import static org.sonar.server.authentication.JwtSerializer.LAST_REFRESH_TIME_PARAM;

@ServerSide
public class JwtHttpHandler {
private static final int SESSION_TIMEOUT_DEFAULT_VALUE_IN_MINUTES = 3 * 24 * 60;
private static final int MAX_SESSION_TIMEOUT_IN_MINUTES = 3 * 30 * 24 * 60;

private static final String JWT_COOKIE = "JWT-SESSION";
private static final String LAST_REFRESH_TIME_PARAM = "lastRefreshTime";

private static final String CSRF_JWT_PARAM = "xsrfToken";

Expand Up @@ -22,7 +22,6 @@
import com.google.common.annotations.VisibleForTesting;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.SignatureException;
Expand Down Expand Up @@ -54,6 +53,8 @@ public class JwtSerializer implements Startable {

private static final SignatureAlgorithm SIGNATURE_ALGORITHM = SignatureAlgorithm.HS256;

static final String LAST_REFRESH_TIME_PARAM = "lastRefreshTime";

private final Configuration config;
private final System2 system2;

Expand All @@ -79,16 +80,15 @@ public void start() {

String encode(JwtSession jwtSession) {
checkIsStarted();
JwtBuilder jwtBuilder = Jwts.builder()
return Jwts.builder()
.addClaims(jwtSession.getProperties())
.claim(LAST_REFRESH_TIME_PARAM, system2.now())
.setId(jwtSession.getSessionTokenUuid())
.setSubject(jwtSession.getUserLogin())
.setIssuedAt(new Date(system2.now()))
.setExpiration(new Date(jwtSession.getExpirationTime()))
.signWith(secretKey, SIGNATURE_ALGORITHM);
for (Map.Entry<String, Object> entry : jwtSession.getProperties().entrySet()) {
jwtBuilder.claim(entry.getKey(), entry.getValue());
}
return jwtBuilder.compact();
.signWith(secretKey, SIGNATURE_ALGORITHM)
.compact();
}

Optional<Claims> decode(String token) {
Expand Down Expand Up @@ -118,13 +118,12 @@ Optional<Claims> decode(String token) {

String refresh(Claims token, long expirationTime) {
checkIsStarted();
JwtBuilder jwtBuilder = Jwts.builder();
for (Map.Entry<String, Object> entry : token.entrySet()) {
jwtBuilder.claim(entry.getKey(), entry.getValue());
}
jwtBuilder.setExpiration(new Date(expirationTime))
.signWith(secretKey, SIGNATURE_ALGORITHM);
return jwtBuilder.compact();
return Jwts.builder()
.setClaims(token)
.claim(LAST_REFRESH_TIME_PARAM, system2.now())
.setExpiration(new Date(expirationTime))
.signWith(secretKey, SIGNATURE_ALGORITHM)
.compact();
}

private static SecretKey generateSecretKey() {
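Review bot: `encode` reads the clock twice, at `.claim(LAST_REFRESH_TIME_PARAM, system2.now())` and again at `.setIssuedAt(new Date(system2.now()))`, so the refresh timestamp and `iat` of a freshly issued token can differ by a tick; read it once, `long now = system2.now();`, and use `now` for both claims. Because `.addClaims(jwtSession.getProperties())` now precedes the fixed claims, a caller-supplied property named `jti`, `sub`, `iat`, `exp` or `lastRefreshTime` is overridden by the serializer's own values instead of overriding them as the removed trailing loop appears to have allowed; that is the safer order and deserves a comment such as `// reserved claims are set after the caller's properties so they cannot be overridden`. In `refresh`, `.setClaims(token)` installs the decoded Claims map itself in the builder, and with jjwt's DefaultJwtBuilder as I know it the following `.claim(...)` and `.setExpiration(...)` calls then write into the caller's `token` as a side effect; if that is relied upon, say so in a Javadoc on `refresh` (new expiration, fresh lastRefreshTime, every other claim including `iat` carried over, input mutated), otherwise build from a copy of the claims.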
Expand Up @@ -252,12 +252,14 @@ public void refresh_token() {
Date createdAt = DateUtils.parseDate("2016-01-01");
// Expired in 10 minutes
Date expiredAt = addMinutes(new Date(), 10);
Date lastRefreshDate = addMinutes(new Date(), -4);
Claims token = new DefaultClaims()
.setId("id")
.setSubject("subject")
.setIssuer("sonarqube")
.setIssuedAt(createdAt)
.setExpiration(expiredAt);
token.put("lastRefreshTime", lastRefreshDate.getTime());
token.put("key", "value");

// Refresh the token with a higher expiration time
Expand All @@ -268,6 +270,7 @@ public void refresh_token() {
assertThat(result.getSubject()).isEqualTo("subject");
assertThat(result.getIssuer()).isEqualTo("sonarqube");
assertThat(result.getIssuedAt()).isEqualTo(createdAt);
assertThat(((long) result.get("lastRefreshTime"))).isGreaterThanOrEqualTo(now.getTime());
assertThat(result.get("key")).isEqualTo("value");
// Expiration date has been changed
assertThat(result.getExpiration()).isNotEqualTo(expiredAt)
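Review bot: Both new references to the claim name use the bare literal `"lastRefreshTime"` (`token.put("lastRefreshTime", lastRefreshDate.getTime())` and the assertion on `result.get("lastRefreshTime")`) although this commit introduces `JwtSerializer.LAST_REFRESH_TIME_PARAM` for exactly that purpose; use the constant so a future rename of the claim cannot leave the test silently exercising a different key, e.g. `token.put(LAST_REFRESH_TIME_PARAM, lastRefreshDate.getTime());`. The `(long) result.get(...)` cast assumes the decoded claim comes back as a `Long`; it presumably does for a millisecond timestamp, but a typed assertion on the value would fail with a clearer message than a ClassCastException. The `now` compared against in the new assertion is declared outside this hunk, and `refresh_token` both starts and ends outside it.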
