Adding JWTUtils unit tests + fixing a bug with the TTL validation
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/6fd3ada7 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/6fd3ada7 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/6fd3ada7 Branch: refs/heads/master Commit: 6fd3ada7af5af1fcb0de337c379e34e7bdb44a56 Parents: 67e48ee Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Tue Oct 27 17:09:07 2015 +0000 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Tue Oct 27 17:09:07 2015 +0000 ---------------------------------------------------------------------- .../cxf/rs/security/jose/jwt/JwtUtils.java | 24 ++-- .../cxf/rs/security/jose/jwt/JwtUtilsTest.java | 144 +++++++++++++++++++ 2 files changed, 159 insertions(+), 9 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/6fd3ada7/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java index 3f0a27e..9f1c1d6 100644 --- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java +++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java 
@@ -87,21 +87,27 @@ public final class JwtUtils {
         }
         Date createdDate = new Date(issuedAtInSecs * 1000L);
-        if (clockOffset != 0) {
-            // Calculate the time that is allowed for the message to travel
-            createdDate.setTime(createdDate.getTime() - (long)clockOffset * 1000L);
-        }
-
         Date validCreation = new Date();
-        if (timeToLive != 0) {
-            long currentTime = validCreation.getTime();
-            currentTime -= (long)timeToLive * 1000L;
-            validCreation.setTime(currentTime);
+        long currentTime = validCreation.getTime();
+        if (clockOffset > 0) {
+            validCreation.setTime(currentTime + (long)clockOffset * 1000L);
         }
+
+        // Check to see if the IssuedAt time is in the future
         if (createdDate.after(validCreation)) {
             throw new JwtException("Invalid issuedAt");
         }
+
+        if (timeToLive > 0) {
+            // Calculate the time that is allowed for the message to travel
+            currentTime -= (long)timeToLive * 1000L;
+            validCreation.setTime(currentTime);
+
+            // Validate the time it took the message to travel
+            if (createdDate.before(validCreation)) {
+                throw new JwtException("Invalid issuedAt");
+            }
+        }
     }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/6fd3ada7/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwt/JwtUtilsTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwt/JwtUtilsTest.java b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwt/JwtUtilsTest.java
new file mode 100644
index 0000000..9a2050e
--- /dev/null
+++ b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwt/JwtUtilsTest.java
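Review bot: The clock offset is applied only to the issued-in-the-future check; the new TTL floor computed by `currentTime -= (long)timeToLive * 1000L;` starts from the unadjusted current time, so an issuer whose clock runs slow by up to clockOffset is tolerated on one side of the window but rejected at the other. If the offset is meant to bound skew in both directions, derive it once and apply it to both bounds: `long skewMillis = clockOffset > 0 ? (long)clockOffset * 1000L : 0L;`, then `validCreation.setTime(currentTime + skewMillis);` and `currentTime -= (long)timeToLive * 1000L + skewMillis;`. The move from `!= 0` to `> 0` also means a negative timeToLive or clockOffset now silently disables the corresponding check; rejecting negative values with an `IllegalArgumentException` would make such a misconfiguration visible instead of fail-open. The enclosing method starts before the hunk, so the parameter declarations and the null-issuedAt handling are not visible here.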
@@ -0,0 +1,144 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwt;
+
+import java.util.Calendar;
+import java.util.Date;
+
+import org.junit.Assert;
+
+/**
+ * Some tests for JwtUtils
+ */
+public class JwtUtilsTest extends Assert {
+
+    @org.junit.Test
+    public void testExpiredToken() throws Exception {
+        // Create the JWT Token
+        JwtClaims claims = new JwtClaims();
+        claims.setSubject("alice");
+        claims.setIssuer("DoubleItSTSIssuer");
+
+        // Set the expiry date to be yesterday
+        Calendar cal = Calendar.getInstance();
+        cal.add(Calendar.DATE, -1);
+        claims.setExpiryTime(cal.getTimeInMillis() / 1000L);
+
+        try {
+            JwtUtils.validateJwtExpiry(claims, 0, true);
+            fail("Failure expected on an expired token");
+        } catch (JwtException ex) {
+            // expected
+        }
+    }
+
+    @org.junit.Test
+    public void testFutureToken() throws Exception {
+        // Create the JWT Token
+        JwtClaims claims = new JwtClaims();
+        claims.setSubject("alice");
+        claims.setIssuer("DoubleItSTSIssuer");
+
+        // Set the issued date to be in the future
+        Calendar cal = Calendar.getInstance();
+        cal.add(Calendar.DATE, 1);
+        claims.setIssuedAt(cal.getTimeInMillis() / 1000L);
+
+        try {
+            JwtUtils.validateJwtIssuedAt(claims, 300, 0, true);
+            fail("Failure expected on a token issued in the future");
+        } catch (JwtException ex) {
+            // expected
+        }
+    }
+
+    @org.junit.Test
+    public void testNearFutureToken() throws Exception {
+        // Create the JWT Token
+        JwtClaims claims = new JwtClaims();
+        claims.setSubject("alice");
+        claims.setIssuer("DoubleItSTSIssuer");
+
+        // Set the issued date to be in the near future
+        Calendar cal = Calendar.getInstance();
+        cal.add(Calendar.SECOND, 30);
+        claims.setIssuedAt(cal.getTimeInMillis() / 1000L);
+
+        try {
+            JwtUtils.validateJwtIssuedAt(claims, 0, 0, true);
+            fail("Failure expected on a token issued in the future");
+        } catch (JwtException ex) {
+            // expected
+        }
+
+        // Now set the clock offset
+        JwtUtils.validateJwtIssuedAt(claims, 0, 60, true);
+    }
+
+    @org.junit.Test
+    public void testNotBefore() throws Exception {
+        // Create the JWT Token
+        JwtClaims claims = new JwtClaims();
+        claims.setSubject("alice");
+        claims.setIssuer("DoubleItSTSIssuer");
+
+        // Set the issued date to be in the near future
+        Calendar cal = Calendar.getInstance();
+        cal.add(Calendar.SECOND, 30);
+        claims.setIssuedAt(new Date().getTime() / 1000L);
+        claims.setNotBefore(cal.getTimeInMillis() / 1000L);
+
+        try {
+            JwtUtils.validateJwtNotBefore(claims, 0, true);
+            fail("Failure expected on not before");
+        } catch (JwtException ex) {
+            // expected
+        }
+
+        // Now set the clock offset
+        JwtUtils.validateJwtNotBefore(claims, 60, true);
+    }
+
+    @org.junit.Test
+    public void testIssuedAtTTL() throws Exception {
+        // Create the JWT Token
+        JwtClaims claims = new JwtClaims();
+        claims.setSubject("alice");
+        claims.setIssuer("DoubleItSTSIssuer");
+
+        // Set the issued date to be now
+        claims.setIssuedAt(new Date().getTime() / 1000L);
+
+        // Now test the TTL
+        JwtUtils.validateJwtIssuedAt(claims, 60, 0, true);
+
+        // Now create the token 70 seconds ago
+        Calendar cal = Calendar.getInstance();
+        cal.add(Calendar.SECOND, -70);
+        claims.setIssuedAt(cal.getTimeInMillis() / 1000L);
+
+        try {
+            JwtUtils.validateJwtIssuedAt(claims, 60, 0, true);
+            fail("Failure expected on an expired token");
+        } catch (JwtException ex) {
+            // expected
+        }
+    }
+}
+
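Review bot: `testIssuedAtTTL` drives the new time-to-live branch only with a clock offset of 0, so the interaction between `clockOffset` and the TTL floor that the JwtUtils hunk introduces is never pinned; a case such as a token issued 65 seconds ago checked with `JwtUtils.validateJwtIssuedAt(claims, 60, 10, true);` would document whichever outcome is intended. There is also no positive case showing that a stale token is accepted when timeToLive is 0, which is the disabled-check path a future regression would most likely touch. All five tests take their timestamps from the wall clock through `Calendar.getInstance()` and `new Date()`; the 30- and 70-second margins are comfortable, but a comment such as `// margins must stay well above the 1s granularity of the / 1000L truncation` would keep a later edit from shrinking them into flakiness.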