

Add long-term token check in isAuthorized method (#210)
This commit adds a new parameter `isLongTermToken` to the `isAuthorized` method in the `AuthorizationService` class. It updates the `TokenService` and several test cases to accommodate this change, ensuring that long-term tokens bypass the session expiration check.
Gcolon021 authored Sep 17, 2024
1 parent a66011a commit 222a096
Showing 4 changed files with 13 additions and 12 deletions.
Expand Up @@ -174,7 +174,7 @@ private TokenInspection validateToken(Map<String, Object> inputMap) throws Illeg
// The protocol between applications and PSAMA is application will
// attach everything that needs to be verified in request field of inputMap
// besides token. So here we should attach everything in request.
&& authorizationService.isAuthorized(application, inputMap.get("request"), user)) {
&& authorizationService.isAuthorized(application, inputMap.get("request"), user, isLongTermToken)) {
isAuthorizationPassed = true;
} else {
// if isLongTermTokenCompromised flag is true,
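Review bot: Passing `isLongTermToken` into isAuthorized means a long-term token now skips the session-expiration check inside that method, so the `isLongTermTokenCompromised` handling referenced in the else branch becomes the only cut-off for such tokens on this path; that deserves a line at the call site, e.g. `// long-term tokens skip the session-expiry check inside isAuthorized; revocation relies on the compromised flag`. Where `isLongTermToken` is derived is outside the hunk, so it cannot be confirmed here that it comes from the validated token rather than from the caller-supplied inputMap — if it were caller-controlled, a client could opt out of session expiry. validateToken starts and ends outside the hunk.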
Expand Up @@ -84,11 +84,12 @@ public AuthorizationService(AccessRuleService accessRuleService,
*
* @param application
* @param requestBody
* @param isLongTermToken
* @return
* @see Privilege
* @see AccessRule
*/
public boolean isAuthorized(Application application, Object requestBody, User user) {
public boolean isAuthorized(Application application, Object requestBody, User user, boolean isLongTermToken) {
String applicationName = application.getName();
String resourceId = "null";
String targetService = "null";
Expand All @@ -103,7 +104,7 @@ public boolean isAuthorized(Application application, Object requestBody, User us
return false;
}

if (sessionService.isSessionExpired(user.getSubject())) {
if (!isLongTermToken && sessionService.isSessionExpired(user.getSubject())) {
logger.error("isAuthorized() Session expired {}", user.getSubject());
return false;
}
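Review bot: The Javadoc on the new side leaves `@param isLongTermToken` and `@return` without a description and has no `@param user` at all, so the reader cannot tell what the flag changes; propose `@param isLongTermToken true when the presented credential is a long-term token, in which case the session-expiration check is skipped` and `@return true when the user may make this request against the application`. Because `!isLongTermToken &&` short-circuits `sessionService.isSessionExpired` entirely, a long-term token is honoured even for a user whose session was deliberately expired; if session expiry is also how a user is cut off, confirm that long-term tokens have their own revocation check upstream of this method. isAuthorized's body continues past the end of the hunk.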
Expand Up @@ -63,7 +63,7 @@ public void testIsAuthorized_AccessRulePassed() {
Map<String, Object> requestBody = new HashMap<>();
requestBody.put("test", "value");

boolean result = authorizationService.isAuthorized(application, requestBody, user);
boolean result = authorizationService.isAuthorized(application, requestBody, user, false);

assertTrue(result);
}
Expand All @@ -77,7 +77,7 @@ public void testIsAuthorized_AccessRuleFailed() {
Map<String, Object> requestBody = new HashMap<>();
requestBody.put("test", "differentValue");

boolean result = authorizationService.isAuthorized(application, requestBody, user);
boolean result = authorizationService.isAuthorized(application, requestBody, user, false);

assertFalse(result);
}
Expand Down Expand Up @@ -171,7 +171,7 @@ public void testIsAuthorized_NoRequestBody() {
configureUserSecurityContext(user);
application.setPrivileges(user.getPrivilegesByApplication(application));

boolean result = authorizationService.isAuthorized(application, null, user);
boolean result = authorizationService.isAuthorized(application, null, user, false);

assertTrue(result);
}
Expand All @@ -182,7 +182,7 @@ public void testIsAuthorized_NoPrivileges() {
User user = createTestUser();

user.getRoles().iterator().next().setPrivileges(Collections.emptySet());
boolean result = authorizationService.isAuthorized(application, new HashMap<>(), user);
boolean result = authorizationService.isAuthorized(application, new HashMap<>(), user, false);

assertFalse(result);
}
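Review bot: Every updated call in this file passes `false`, so the new branch where `isLongTermToken` is true (session-expiry check skipped) has no coverage; the same applies to the second test file below. Add a case that stubs `sessionService.isSessionExpired` to report the session as expired and asserts that `isAuthorized(application, requestBody, user, true)` returns true while the identical call with `false` returns false, which pins the intended bypass and the unchanged behaviour for ordinary tokens. The setup of user, application and access rules in these test methods starts outside the hunks.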
Expand Up @@ -344,7 +344,7 @@ public void testIsAuthorized_AccessRulePassed() {
Map<String, Object> requestBody = new HashMap<>();
requestBody.put("test", "value");

boolean result = authorizationService.isAuthorized(application, requestBody, user);
boolean result = authorizationService.isAuthorized(application, requestBody, user, false);

assertTrue(result);
}
Expand All @@ -359,7 +359,7 @@ public void testIsAuthorized_AccessRuleFailed() {
Map<String, Object> requestBody = new HashMap<>();
requestBody.put("test", "differentValue");

boolean result = authorizationService.isAuthorized(application, requestBody, user);
boolean result = authorizationService.isAuthorized(application, requestBody, user, false);

assertFalse(result);
}
Expand All @@ -374,7 +374,7 @@ public void testIsAuthorized_AccessRuleFailed_strict() {
Map<String, Object> requestBody = new HashMap<>();
requestBody.put("test", "differentValue");

boolean result = authorizationService.isAuthorized(application, requestBody, user);
boolean result = authorizationService.isAuthorized(application, requestBody, user, false);

assertFalse(result);
}
Expand Down Expand Up @@ -476,7 +476,7 @@ public void testIsAuthorized_NoRequestBody() {
configureUserSecurityContext(user);
application.setPrivileges(user.getPrivilegesByApplication(application));

boolean result = authorizationService.isAuthorized(application, null, user);
boolean result = authorizationService.isAuthorized(application, null, user, false);

assertTrue(result);
}
Expand All @@ -488,7 +488,7 @@ public void testIsAuthorized_NoPrivileges() {
user.setConnection(createFenceTestConnection());

user.getRoles().iterator().next().setPrivileges(Collections.emptySet());
boolean result = authorizationService.isAuthorized(application, new HashMap<>(), user);
boolean result = authorizationService.isAuthorized(application, new HashMap<>(), user, false);

assertFalse(result);
}
