Add checks for expired passwords

cs3org · May 26, 2021 · 64c6883 · 64c6883
1 parent 207f404
commit 64c6883
Show file tree

Hide file tree

Showing 2 changed files with 78 additions and 3 deletions.
diff --git a/pkg/appauth/manager/json/json.go b/pkg/appauth/manager/json/json.go
@@ -160,8 +160,12 @@ func (mgr *jsonManager) ListAppPasswords(ctx context.Context) ([]*apppb.AppPassw
 	mgr.Lock()
 	defer mgr.Unlock()
 	appPasswords := []*apppb.AppPassword{}
-	for _, pw := range mgr.passwords[userID.String()] {
-		appPasswords = append(appPasswords, pw)
+	for k, pw := range mgr.passwords[userID.String()] {
+		if pw.Expiration == nil || pw.Expiration.Seconds == 0 || uint64(time.Now().Unix()) < pw.Expiration.Seconds {
+			appPasswords = append(appPasswords, pw)
+		} else {
+			delete(mgr.passwords[userID.String()], k)
+		}
 	}
 	return appPasswords, nil
 }
@@ -180,7 +184,7 @@ func (mgr *jsonManager) InvalidateAppPassword(ctx context.Context, password stri
 	if _, ok := appPasswords[password]; !ok {
 		return errtypes.BadRequest("password not found")
 	}
-	delete(appPasswords, password)
+	delete(mgr.passwords[userID.String()], password)
 
 	// if user has 0 passwords, delete user key from state map
 	if len(mgr.passwords[userID.String()]) == 0 {
@@ -204,6 +208,11 @@ func (mgr *jsonManager) GetAppPassword(ctx context.Context, userID *userpb.UserI
 		return nil, errtypes.BadRequest("password not found")
 	}
 
+	if pw.Expiration != nil && pw.Expiration.Seconds != 0 && uint64(time.Now().Unix()) > pw.Expiration.Seconds {
+		delete(mgr.passwords[userID.String()], password)
+		return nil, errtypes.BadRequest("password not found")
+	}
+
 	pw.Utime = now()
 	if err := mgr.save(); err != nil {
 		return nil, errors.Wrap(err, "error saving file")

diff --git a/pkg/appauth/manager/json/json_test.go b/pkg/appauth/manager/json/json_test.go
@@ -282,7 +282,39 @@ func TestListAppPasswords(t *testing.T) {
 			},
 		}}
 
+	dummyDataUserExpired := map[string]map[string]*apppb.AppPassword{
+		user0Test.GetId().String(): {
+			token: {
+				Password:   token,
+				TokenScope: nil,
+				Label:      "label",
+				User:       user0Test.GetId(),
+				Expiration: &typespb.Timestamp{
+					Seconds: 100,
+				},
+				Ctime: now,
+				Utime: now,
+			},
+		}}
+
+	dummyDataUserFutureExpiration := map[string]map[string]*apppb.AppPassword{
+		user0Test.GetId().String(): {
+			token: {
+				Password:   token,
+				TokenScope: nil,
+				Label:      "label",
+				User:       user0Test.GetId(),
+				Expiration: &typespb.Timestamp{
+					Seconds: 16220400870,
+				},
+				Ctime: now,
+				Utime: now,
+			},
+		}}
+
 	dummyDataUser0JSON, _ := json.Marshal(dummyDataUser0)
+	dummyDataUserExpiredJSON, _ := json.Marshal(dummyDataUserExpired)
+	dummyDataUserFutureExpirationJSON, _ := json.Marshal(dummyDataUserFutureExpiration)
 
 	dummyDataUser1 := map[string]map[string]*apppb.AppPassword{
 		user1Test.GetId().String(): {
@@ -321,6 +353,18 @@ func TestListAppPasswords(t *testing.T) {
 				dummyDataUser0[user0Test.GetId().String()][token],
 			},
 		},
+		{
+			description:   "ListAppPasswords with not empty state with expired password (only one user)",
+			stateJSON:     string(dummyDataUserExpiredJSON),
+			expectedState: make([]*apppb.AppPassword, 0),
+		},
+		{
+			description: "ListAppPasswords with not empty state with non-expired password (only one user)",
+			stateJSON:   string(dummyDataUserFutureExpirationJSON),
+			expectedState: []*apppb.AppPassword{
+				dummyDataUserFutureExpiration[user0Test.GetId().String()][token],
+			},
+		},
 		{
 			description: "ListAppPasswords with not empty state (different users)",
 			stateJSON:   string(dummyDataTwoUsersJSON),
@@ -512,7 +556,23 @@ func TestGetAppPassword(t *testing.T) {
 			},
 		}}
 
+	dummyDataUserExpired := map[string]map[string]*apppb.AppPassword{
+		userTest.GetId().String(): {
+			token: {
+				Password:   token,
+				TokenScope: nil,
+				Label:      "label",
+				User:       userTest.GetId(),
+				Expiration: &typespb.Timestamp{
+					Seconds: 100,
+				},
+				Ctime: now,
+				Utime: now,
+			},
+		}}
+
 	dummyDataUser1TokenJSON, _ := json.Marshal(dummyDataUser1Token)
+	dummyDataUserExpiredJSON, _ := json.Marshal(dummyDataUserExpired)
 
 	dummyDataDifferentUserToken := map[string]map[string]*apppb.AppPassword{
 		"OTHER_USER_ID": {
@@ -541,6 +601,12 @@ func TestGetAppPassword(t *testing.T) {
 			password:      "TOKEN_NOT_EXISTS",
 			expectedState: nil,
 		},
+		{
+			description:   "GetAppPassword with token that does not exist",
+			stateJSON:     string(dummyDataUserExpiredJSON),
+			password:      "TOKEN_NOT_EXISTS",
+			expectedState: nil,
+		},
 		{
 			description:   "GetAppPassword with token that exists but different user",
 			stateJSON:     string(dummyDataDifferentUserTokenJSON),