Add checks for expired passwords

pkg/appauth/manager/json/json.go

@@ -180,7 +180,7 @@ func (mgr *jsonManager) InvalidateAppPassword(ctx context.Context, password stri
 	if _, ok := appPasswords[password]; !ok {
 		return errtypes.BadRequest("password not found")
 	}
-	delete(appPasswords, password)
+	delete(mgr.passwords[userID.String()], password)
 
 	// if user has 0 passwords, delete user key from state map
 	if len(mgr.passwords[userID.String()]) == 0 {
@@ -204,6 +204,10 @@ func (mgr *jsonManager) GetAppPassword(ctx context.Context, userID *userpb.UserI
 		return nil, errtypes.BadRequest("password not found")
 	}
 
+	if pw.Expiration != nil && pw.Expiration.Seconds != 0 && uint64(time.Now().Unix()) > pw.Expiration.Seconds {
+		return nil, errtypes.BadRequest("password not found")
+	}
+
 	pw.Utime = now()
 	if err := mgr.save(); err != nil {
 		return nil, errors.Wrap(err, "error saving file")

pkg/appauth/manager/json/json_test.go

@@ -282,7 +282,23 @@ func TestListAppPasswords(t *testing.T) {
 			},
 		}}
 
+	dummyDataUserExpired := map[string]map[string]*apppb.AppPassword{
+		user0Test.GetId().String(): {
+			token: {
+				Password:   token,
+				TokenScope: nil,
+				Label:      "label",
+				User:       user0Test.GetId(),
+				Expiration: &typespb.Timestamp{
+					Seconds: 100,
+				},
+				Ctime: now,
+				Utime: now,
+			},
+		}}
+
 	dummyDataUser0JSON, _ := json.Marshal(dummyDataUser0)
+	dummyDataUserExpiredJSON, _ := json.Marshal(dummyDataUserExpired)
 
 	dummyDataUser1 := map[string]map[string]*apppb.AppPassword{
 		user1Test.GetId().String(): {
@@ -321,6 +337,13 @@ func TestListAppPasswords(t *testing.T) {
 				dummyDataUser0[user0Test.GetId().String()][token],
 			},
 		},
+		{
+			description: "ListAppPasswords with not empty state with expired password (only one user)",
+			stateJSON:   string(dummyDataUserExpiredJSON),
+			expectedState: []*apppb.AppPassword{
+				dummyDataUserExpired[user0Test.GetId().String()][token],
+			},
+		},
 		{
 			description: "ListAppPasswords with not empty state (different users)",
 			stateJSON:   string(dummyDataTwoUsersJSON),
@@ -512,7 +535,39 @@ func TestGetAppPassword(t *testing.T) {
 			},
 		}}
 
+	dummyDataUserExpired := map[string]map[string]*apppb.AppPassword{
+		userTest.GetId().String(): {
+			token: {
+				Password:   token,
+				TokenScope: nil,
+				Label:      "label",
+				User:       userTest.GetId(),
+				Expiration: &typespb.Timestamp{
+					Seconds: 100,
+				},
+				Ctime: now,
+				Utime: now,
+			},
+		}}
+
+	dummyDataUserFutureExpiration := map[string]map[string]*apppb.AppPassword{
+		userTest.GetId().String(): {
+			token: {
+				Password:   token,
+				TokenScope: nil,
+				Label:      "label",
+				User:       userTest.GetId(),
+				Expiration: &typespb.Timestamp{
+					Seconds: 16220400870,
+				},
+				Ctime: now,
+				Utime: now,
+			},
+		}}
+
 	dummyDataUser1TokenJSON, _ := json.Marshal(dummyDataUser1Token)
+	dummyDataUserExpiredJSON, _ := json.Marshal(dummyDataUserExpired)
+	dummyDataUserFutureExpirationJSON, _ := json.Marshal(dummyDataUserFutureExpiration)
 
 	dummyDataDifferentUserToken := map[string]map[string]*apppb.AppPassword{
 		"OTHER_USER_ID": {
@@ -541,6 +596,18 @@ func TestGetAppPassword(t *testing.T) {
 			password:      "TOKEN_NOT_EXISTS",
 			expectedState: nil,
 		},
+		{
+			description:   "GetAppPassword with expired token",
+			stateJSON:     string(dummyDataUserExpiredJSON),
+			password:      "TOKEN_NOT_EXISTS",
+			expectedState: nil,
+		},
+		{
+			description:   "GetAppPassword with token with expiration set in the future",
+			stateJSON:     string(dummyDataUserFutureExpirationJSON),
+			password:      "1234",
+			expectedState: dummyDataUserFutureExpiration[userTest.GetId().String()][token],
+		},
 		{
 			description:   "GetAppPassword with token that exists but different user",
 			stateJSON:     string(dummyDataDifferentUserTokenJSON),