Posted to dev@cxf.apache.org by GitBox <gi...@apache.org> on 2018/10/05 16:06:09 UTC

[GitHub] coheigea closed pull request #455: CXF-7864: Fix issue if lifetime only specify expired without created

coheigea closed pull request #455: CXF-7864: Fix issue if lifetime only specify expired without created
URL: https://github.com/apache/cxf/pull/455
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java
index 135f53f7841..1bf9be47118 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultConditionsProvider.java
@@ -78,6 +78,7 @@ public void setLifetime(long lifetime) {
      * doesn't specify a lifetime element
      * @return the lifetime in seconds
      */
+    @Override
     public long getLifetime() {
         return lifetime;
     }
@@ -134,25 +135,17 @@ public void setFailLifetimeExceedance(boolean failLifetimeExceedance) {
     /**
      * Get a ConditionsBean object.
      */
+    @Override
     public ConditionsBean getConditions(TokenProviderParameters providerParameters) {
         ConditionsBean conditions = new ConditionsBean();
 
         Lifetime tokenLifetime = providerParameters.getTokenRequirements().getLifetime();
         if (lifetime > 0) {
             if (acceptClientLifetime && tokenLifetime != null
-                && tokenLifetime.getCreated() != null && tokenLifetime.getExpires() != null) {
-                Instant creationTime = null;
-                Instant expirationTime = null;
-                try {
-                    creationTime = ZonedDateTime.parse(tokenLifetime.getCreated()).toInstant();
-                    expirationTime = ZonedDateTime.parse(tokenLifetime.getExpires()).toInstant();
-                } catch (DateTimeParseException ex) {
-                    LOG.fine("Error in parsing Timestamp Created or Expiration Strings");
-                    throw new STSException(
-                        "Error in parsing Timestamp Created or Expiration Strings",
-                        STSException.INVALID_TIME
-                    );
-                }
+                    && (tokenLifetime.getCreated() != null || tokenLifetime.getExpires() != null)) {
+                Instant creationTime = parsedInstantOrDefault(tokenLifetime.getCreated(), Instant.now());
+                Instant expirationTime = parsedInstantOrDefault(tokenLifetime.getExpires(),
+                        creationTime.plusSeconds(lifetime));
 
                 // Check to see if the created time is in the future
                 Instant validCreation = Instant.now();
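Review bot: The Javadoc at the top of this hunk still says only "Get a ConditionsBean object." while the rewritten branch now accepts a client Lifetime carrying just one of Created/Expires and silently substitutes defaults (current time, or Created plus the configured lifetime); that contract belongs in the doc, e.g. `* If acceptClientLifetime is set and the client supplies only one of Created/Expires, the missing value defaults to the current time or to Created plus the configured lifetime respectively, as WS-Trust specifies.` Separately, `Instant.now()` is sampled once as the Created default and again a few lines later for `validCreation`, so a defaulted Created is always slightly earlier than the value it is compared against; capturing `Instant now = Instant.now();` once and using it for both would make the "created in the future" check that follows deterministic. getConditions continues outside the hunk, so I cannot see whether the later max-lifetime and future-created checks treat a defaulted value any differently from a client-supplied one.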
@@ -198,6 +191,21 @@ public ConditionsBean getConditions(TokenProviderParameters providerParameters)
         return conditions;
     }
 
+    private Instant parsedInstantOrDefault(String dateTime, Instant defaultInstant) {
+        if (dateTime == null || dateTime.isEmpty()) {
+            return defaultInstant;
+        }
+        try {
+            return ZonedDateTime.parse(dateTime).toInstant();
+        } catch (DateTimeParseException ex) {
+            LOG.fine("Error in parsing Timestamp Created or Expiration Strings");
+            throw new STSException(
+                "Error in parsing Timestamp Created or Expiration Strings",
+                STSException.INVALID_TIME
+            );
+        }
+    }
+
     /**
      * Create a list of AudienceRestrictions to be added to the Conditions Element of the
      * issued Assertion. The default behaviour is to add a single Audience URI per
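Review bot: parsedInstantOrDefault treats an empty string the same as an absent value, whereas the code it replaces passed any non-null string to ZonedDateTime.parse and therefore rejected `""` with STSException.INVALID_TIME; that is a quiet relaxation of validation on a client-controlled field, so either keep `if (dateTime == null)` to preserve the old behaviour or state the choice in a Javadoc such as `/** Parses an xsd:dateTime string to an Instant; a null or empty value means "not specified" and defaultInstant is returned. @throws STSException with INVALID_TIME if the string does not parse */`. The catch block also discards `ex` entirely; chaining it as the cause (if STSException offers such a constructor) or logging `ex.getMessage()` at FINE would make a malformed client timestamp diagnosable without changing the fault the client sees. The method reads no instance state, so it could be `private static`.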
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderLifetimeTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderLifetimeTest.java
index 41a514aa8da..183bbfa96da 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderLifetimeTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderLifetimeTest.java
@@ -44,6 +44,7 @@
 import org.apache.wss4j.common.util.DateUtil;
 
 
+
 /**
  * Some unit tests for creating SAML Tokens with lifetime
  */
@@ -86,6 +87,40 @@ public void testSaml2ValidLifetime() throws Exception {
         assertTrue(tokenString.contains(providerResponse.getTokenId()));
     }
 
+    /**
+     *
+     * As specified in ws-trust
+     * "If this attribute isn't specified, then the current time is used as an initial period."
+     * if creation time is not specified, we use current time instead.
+     *
+     */
+    @org.junit.Test
+    public void saml2LifetimeWithoutCreated() throws WSSecurityException {
+        int requestedLifetime = 60;
+        SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
+        DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
+        conditionsProvider.setAcceptClientLifetime(true);
+        samlTokenProvider.setConditionsProvider(conditionsProvider);
+
+        TokenProviderParameters providerParameters =
+            createProviderParameters(
+                WSS4JConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE
+            );
+
+        // Set expected lifetime to 1 minute
+        Lifetime lifetime = new Lifetime();
+        Instant expirationTime = Instant.now().plusSeconds(requestedLifetime);
+
+        lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
+        providerParameters.getTokenRequirements().setLifetime(lifetime);
+
+        assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.WSS_SAML2_TOKEN_TYPE));
+        TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
+        assertTrue(providerResponse != null);
+        assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
+        assertEquals(providerResponse.getExpires(), expirationTime);
+    }
+
 
 
     /**
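Review bot: saml2LifetimeWithoutCreated calls `assertEquals(providerResponse.getExpires(), expirationTime)` with the arguments in the opposite order to JUnit's (expected, actual) convention, so a failure message would label the two values the wrong way round; `assertEquals(expirationTime, providerResponse.getExpires())`. The exact equality also only holds if `Instant.now()` carries no more precision than `DateUtil.getDateTimeFormatter(true)` prints, because the provider parses the formatted string back; on a JDK where `Instant.now()` has sub-millisecond resolution this looks flaky, so truncating to the formatter's precision (e.g. `Instant.now().plusSeconds(requestedLifetime).truncatedTo(ChronoUnit.MILLIS)`, with the java.time.temporal import) or comparing the formatted strings would be safer. The test also never checks that `providerResponse.getCreated()` landed near the current time, which is the defaulting behaviour the PR title describes.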
@@ -223,14 +258,14 @@ public void testSaml2ExceededConfiguredMaxLifetimeButUpdated() throws Exception
         Lifetime lifetime = new Lifetime();
         lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
-        
+
         providerParameters.getTokenRequirements().setLifetime(lifetime);
 
         assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.WSS_SAML2_TOKEN_TYPE));
         TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
         assertTrue(providerResponse != null);
         assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
-        
+
         long duration = Duration.between(providerResponse.getCreated(), providerResponse.getExpires()).getSeconds();
         assertEquals(maxLifetime, duration);
         Element token = (Element)providerResponse.getToken();
@@ -264,14 +299,14 @@ public void testSaml2NearFutureCreatedLifetime() throws Exception {
         Lifetime lifetime = new Lifetime();
         lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
-        
+
         providerParameters.getTokenRequirements().setLifetime(lifetime);
 
         assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.WSS_SAML2_TOKEN_TYPE));
         TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
         assertTrue(providerResponse != null);
         assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
-        
+
         long duration = Duration.between(providerResponse.getCreated(), providerResponse.getExpires()).getSeconds();
         assertEquals(50, duration);
         Element token = (Element)providerResponse.getToken();
@@ -304,7 +339,7 @@ public void testSaml2FarFutureCreatedLifetime() throws Exception {
         Lifetime lifetime = new Lifetime();
         lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
         lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
-        
+
         providerParameters.getTokenRequirements().setLifetime(lifetime);
 
         assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.WSS_SAML2_TOKEN_TYPE));
@@ -336,6 +371,7 @@ public void testSaml2NoExpires() throws Exception {
         SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
         DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
         conditionsProvider.setAcceptClientLifetime(true);
+        conditionsProvider.setFutureTimeToLive(180L);
         samlTokenProvider.setConditionsProvider(conditionsProvider);
 
         TokenProviderParameters providerParameters =
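Review bot: The added `conditionsProvider.setFutureTimeToLive(180L)` changes the fixture of testSaml2NoExpires without saying why a request carrying only Created now needs a future-time tolerance; a one-line comment would spare the next reader a bisect, e.g. `// Created may sit slightly ahead of the provider's clock check; tolerate up to 180s`, adjusted to the real reason. I cannot confirm that reason from here, since creationTime is assigned outside this hunk.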
@@ -348,7 +384,7 @@ public void testSaml2NoExpires() throws Exception {
 
         Lifetime lifetime = new Lifetime();
         lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
-        
+
         providerParameters.getTokenRequirements().setLifetime(lifetime);
 
         assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.WSS_SAML2_TOKEN_TYPE));
@@ -356,7 +392,7 @@ public void testSaml2NoExpires() throws Exception {
         TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
         assertTrue(providerResponse != null);
         assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
-        
+
         long duration = Duration.between(providerResponse.getCreated(), providerResponse.getExpires()).getSeconds();
         assertEquals(conditionsProvider.getLifetime(), duration);
         Element token = (Element)providerResponse.getToken();


 
