coheigea closed pull request #455: CXF-7864: Fix issue if lifetime only specify
expired without created
URL: https://github.com/apache/cxf/pull/455
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git
a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java
index 135f53f7841..1bf9be47118 100644
---
a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java
+++
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java
@@ -78,6 +78,7 @@ public void setLifetime(long lifetime) {
* doesn't specify a lifetime element
* @return the lifetime in seconds
*/
+ @Override
public long getLifetime() {
return lifetime;
}
@@ -134,25 +135,17 @@ public void setFailLifetimeExceedance(boolean
failLifetimeExceedance) {
/**
* Get a ConditionsBean object.
*/
+ @Override
public ConditionsBean getConditions(TokenProviderParameters
providerParameters) {
ConditionsBean conditions = new ConditionsBean();
Lifetime tokenLifetime =
providerParameters.getTokenRequirements().getLifetime();
if (lifetime > 0) {
if (acceptClientLifetime && tokenLifetime != null
- && tokenLifetime.getCreated() != null &&
tokenLifetime.getExpires() != null) {
- Instant creationTime = null;
- Instant expirationTime = null;
- try {
- creationTime =
ZonedDateTime.parse(tokenLifetime.getCreated()).toInstant();
- expirationTime =
ZonedDateTime.parse(tokenLifetime.getExpires()).toInstant();
- } catch (DateTimeParseException ex) {
- LOG.fine("Error in parsing Timestamp Created or Expiration
Strings");
- throw new STSException(
- "Error in parsing Timestamp Created or Expiration
Strings",
- STSException.INVALID_TIME
- );
- }
+ && (tokenLifetime.getCreated() != null ||
tokenLifetime.getExpires() != null)) {
+ Instant creationTime =
parsedInstantOrDefault(tokenLifetime.getCreated(), Instant.now());
+ Instant expirationTime =
parsedInstantOrDefault(tokenLifetime.getExpires(),
+ creationTime.plusSeconds(lifetime));
// Check to see if the created time is in the future
Instant validCreation = Instant.now();
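Review bot: The relaxed guard `(tokenLifetime.getCreated() != null || tokenLifetime.getExpires() != null)` also changes the Created-only case, which the PR title does not mention: a request carrying only Created previously fell through to the server default, now the client-supplied Created is honoured and the expiry becomes `Created + lifetime` (the `setFutureTimeToLive(180L)` added to testSaml2NoExpires looks like a consequence of that). Both values are client-controlled, so the thin Javadoc `Get a ConditionsBean object.` should spell the defaulting out, e.g. `When acceptClientLifetime is set and the request supplies only one of Created/Expires, the missing value is defaulted: Created to the current time, Expires to Created plus the configured lifetime. The created-in-the-future check below still applies to the result.` Separately, `Instant.now()` is read twice within a few lines (the Created default passed to `parsedInstantOrDefault` and `validCreation`); taking a single `Instant now = Instant.now();` before the `if` and using it for both keeps the future-created comparison against one clock reading. getConditions continues past the end of this hunk, so any max-lifetime enforcement on the resulting window is not visible here.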
@@ -198,6 +191,21 @@ public ConditionsBean
getConditions(TokenProviderParameters providerParameters)
return conditions;
}
+ private Instant parsedInstantOrDefault(String dateTime, Instant
defaultInstant) {
+ if (dateTime == null || dateTime.isEmpty()) {
+ return defaultInstant;
+ }
+ try {
+ return ZonedDateTime.parse(dateTime).toInstant();
+ } catch (DateTimeParseException ex) {
+ LOG.fine("Error in parsing Timestamp Created or Expiration
Strings");
+ throw new STSException(
+ "Error in parsing Timestamp Created or Expiration Strings",
+ STSException.INVALID_TIME
+ );
+ }
+ }
+
/**
* Create a list of AudienceRestrictions to be added to the Conditions
Element of the
* issued Assertion. The default behaviour is to add a single Audience URI
per
diff --git
a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderLifetimeTest.java
b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderLifetimeTest.java
index 41a514aa8da..183bbfa96da 100644
---
a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderLifetimeTest.java
+++
b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderLifetimeTest.java
@@ -44,6 +44,7 @@
import org.apache.wss4j.common.util.DateUtil;
+
/**
* Some unit tests for creating SAML Tokens with lifetime
*/
@@ -86,6 +87,40 @@ public void testSaml2ValidLifetime() throws Exception {
assertTrue(tokenString.contains(providerResponse.getTokenId()));
}
+ /**
+ *
+ * As specified in ws-trust
+ * "If this attribute isn't specified, then the current time is used as an
initial period."
+ * if creation time is not specified, we use current time instead.
+ *
+ */
+ @org.junit.Test
+ public void saml2LifetimeWithoutCreated() throws WSSecurityException {
+ int requestedLifetime = 60;
+ SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
+ DefaultConditionsProvider conditionsProvider = new
DefaultConditionsProvider();
+ conditionsProvider.setAcceptClientLifetime(true);
+ samlTokenProvider.setConditionsProvider(conditionsProvider);
+
+ TokenProviderParameters providerParameters =
+ createProviderParameters(
+ WSS4JConstants.WSS_SAML2_TOKEN_TYPE,
STSConstants.BEARER_KEY_KEYTYPE
+ );
+
+ // Set expected lifetime to 1 minute
+ Lifetime lifetime = new Lifetime();
+ Instant expirationTime = Instant.now().plusSeconds(requestedLifetime);
+
+
lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
+ providerParameters.getTokenRequirements().setLifetime(lifetime);
+
+
assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.WSS_SAML2_TOKEN_TYPE));
+ TokenProviderResponse providerResponse =
samlTokenProvider.createToken(providerParameters);
+ assertTrue(providerResponse != null);
+ assertTrue(providerResponse.getToken() != null &&
providerResponse.getTokenId() != null);
+ assertEquals(providerResponse.getExpires(), expirationTime);
+ }
+
/**
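Review bot: `assertEquals(providerResponse.getExpires(), expirationTime)` compares an Instant that round-tripped through `DateUtil.getDateTimeFormatter(true)` with the raw `Instant.now().plusSeconds(60)`; if that formatter emits millisecond precision, sub-millisecond clock digits (present on JDK 9+ Linux) are lost in the round trip and the exact comparison fails intermittently. Either truncate before formatting, `Instant expirationTime = Instant.now().plusSeconds(requestedLifetime).truncatedTo(ChronoUnit.MILLIS);` (needs a `java.time.temporal.ChronoUnit` import), or assert on the duration in seconds as the sibling tests below do. JUnit's argument order is `(expected, actual)`, so the two arguments are swapped, and `assertNotNull(providerResponse)` reads better than `assertTrue(providerResponse != null)`.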
@@ -223,14 +258,14 @@ public void
testSaml2ExceededConfiguredMaxLifetimeButUpdated() throws Exception
Lifetime lifetime = new Lifetime();
lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
-
+
providerParameters.getTokenRequirements().setLifetime(lifetime);
assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.WSS_SAML2_TOKEN_TYPE));
TokenProviderResponse providerResponse =
samlTokenProvider.createToken(providerParameters);
assertTrue(providerResponse != null);
assertTrue(providerResponse.getToken() != null &&
providerResponse.getTokenId() != null);
-
+
long duration = Duration.between(providerResponse.getCreated(),
providerResponse.getExpires()).getSeconds();
assertEquals(maxLifetime, duration);
Element token = (Element)providerResponse.getToken();
@@ -264,14 +299,14 @@ public void testSaml2NearFutureCreatedLifetime() throws
Exception {
Lifetime lifetime = new Lifetime();
lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
-
+
providerParameters.getTokenRequirements().setLifetime(lifetime);
assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.WSS_SAML2_TOKEN_TYPE));
TokenProviderResponse providerResponse =
samlTokenProvider.createToken(providerParameters);
assertTrue(providerResponse != null);
assertTrue(providerResponse.getToken() != null &&
providerResponse.getTokenId() != null);
-
+
long duration = Duration.between(providerResponse.getCreated(),
providerResponse.getExpires()).getSeconds();
assertEquals(50, duration);
Element token = (Element)providerResponse.getToken();
@@ -304,7 +339,7 @@ public void testSaml2FarFutureCreatedLifetime() throws
Exception {
Lifetime lifetime = new Lifetime();
lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
-
+
providerParameters.getTokenRequirements().setLifetime(lifetime);
assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.WSS_SAML2_TOKEN_TYPE));
@@ -336,6 +371,7 @@ public void testSaml2NoExpires() throws Exception {
SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
DefaultConditionsProvider conditionsProvider = new
DefaultConditionsProvider();
conditionsProvider.setAcceptClientLifetime(true);
+ conditionsProvider.setFutureTimeToLive(180L);
samlTokenProvider.setConditionsProvider(conditionsProvider);
TokenProviderParameters providerParameters =
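Review bot: The added `conditionsProvider.setFutureTimeToLive(180L)` carries no comment explaining why a test named testSaml2NoExpires suddenly needs it; the reader has to infer that a Created-only lifetime is now honoured and the Created set further down (outside this hunk) must pass the created-in-the-future check. A one-line comment keeps the intent with the magic number, e.g. `// Created-only lifetimes are now honoured, so allow the (future) Created used below`.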
@@ -348,7 +384,7 @@ public void testSaml2NoExpires() throws Exception {
Lifetime lifetime = new Lifetime();
lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
-
+
providerParameters.getTokenRequirements().setLifetime(lifetime);
assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.WSS_SAML2_TOKEN_TYPE));
@@ -356,7 +392,7 @@ public void testSaml2NoExpires() throws Exception {
TokenProviderResponse providerResponse =
samlTokenProvider.createToken(providerParameters);
assertTrue(providerResponse != null);
assertTrue(providerResponse.getToken() != null &&
providerResponse.getTokenId() != null);
-
+
long duration = Duration.between(providerResponse.getCreated(),
providerResponse.getExpires()).getSeconds();
assertEquals(conditionsProvider.getLifetime(), duration);
Element token = (Element)providerResponse.getToken();