commit 25e495e0d86b5540989f2bd0005d6cf640395c92
author Alex Song <alexsong93@gmail.com> Fri Nov 17 14:46:46 2017 -0500
committer Vincent <shou@us.ibm.com> Fri Nov 17 14:46:46 2017 -0500
tree 8bf2f6b5ff345fa8f210f7ebdd07b01949b52e2b
parent 300654739b8375d74b1c3cd126a99c5884724d48

Check for expired oauth tokens (#264)

scripts/lua/oauth/app-id.lua

diff --git a/scripts/lua/oauth/app-id.lua b/scripts/lua/oauth/app-id.lua
index e0d15ef..7b5af21 100644
--- a/scripts/lua/oauth/app-id.lua
+++ b/scripts/lua/oauth/app-id.lua
@@ -55,10 +55,17 @@
     request.err(401, 'AppId key signature verification failed.')
     return nil
   end
-  jwt_obj = cjson.decode(cjose.getJWSInfo(token))
+  local jwt_obj = cjson.decode(cjose.getJWSInfo(token))
+  local expireTime = jwt_obj['exp']
+  if expireTime < os.time() then
+    request.err(401, 'Access token expired.')
+    return nil
+  end
   ngx.header['X-OIDC-Email'] = jwt_obj['email']
   ngx.header['X-OIDC-Sub'] = jwt_obj['sub']
-  dataStore:saveOAuthToken('appId', token, cjson.encode(jwt_obj), jwt_obj['exp'])
+  -- keep token in cache until it expires
+  local ttl = expireTime - os.time()
+  dataStore:saveOAuthToken('appId', token, cjson.encode(jwt_obj), ttl)
   return jwt_obj
 end
 

scripts/lua/oauth/facebook.lua

diff --git a/scripts/lua/oauth/facebook.lua b/scripts/lua/oauth/facebook.lua
index 2de6f09..f23ddf9 100644
--- a/scripts/lua/oauth/facebook.lua
+++ b/scripts/lua/oauth/facebook.lua
@@ -30,11 +30,7 @@
     return nil
   end
 
-  local result = dataStore:getOAuthToken('facebook', token)
-  if result ~= ngx.null then
-    return cjson.decode(result)
-  end
-  result = dataStore:getOAuthToken('facebook', utils.concatStrings({token, facebookAppToken}))
+  local result = dataStore:getOAuthToken('facebook', utils.concatStrings({token, facebookAppToken}))
   if result ~= ngx.null then
     return cjson.decode(result)
   end
@@ -64,13 +60,16 @@
     return
   end
   local json_resp = cjson.decode(res.body)
+  if json_resp['error'] ~= nil then
+    return nil
+  end
 
   if (json_resp['error']) then
     return nil
   end
-  -- convert Facebook's response
-  -- Read more about the fields at: https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
-  dataStore:saveOAuthToken('facebook', utils.concatStrings({token, facebookAppToken}), cjson.encode(json_resp), json_resp['expires_at'])
+  -- keep token in cache until it expires
+  local ttl = json_resp.data['expires_at'] - os.time()
+  dataStore:saveOAuthToken('facebook', utils.concatStrings({token, facebookAppToken}), cjson.encode(json_resp), ttl)
   return json_resp
 end
 

scripts/lua/oauth/github.lua

diff --git a/scripts/lua/oauth/github.lua b/scripts/lua/oauth/github.lua
index aa7035e..f4f2e9b 100644
--- a/scripts/lua/oauth/github.lua
+++ b/scripts/lua/oauth/github.lua
@@ -58,7 +58,9 @@
     return nil
   end
 
-  dataStore:saveOAuthToken('github', token, cjson.encode(json_resp))
+  -- Github tokens do not expire; keep token in cache and clean up after 7 days
+  local ttl = 604800
+  dataStore:saveOAuthToken('github', token, cjson.encode(json_resp), ttl)
   -- convert Github's response
   -- Read more about the fields at: https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
   return json_resp

scripts/lua/oauth/google.lua

diff --git a/scripts/lua/oauth/google.lua b/scripts/lua/oauth/google.lua
index 78f48dd..b6892b3 100644
--- a/scripts/lua/oauth/google.lua
+++ b/scripts/lua/oauth/google.lua
@@ -58,7 +58,9 @@
     return nil
   end
 
-  dataStore:saveOAuthToken('google', token, cjson.encode(json_resp), json_resp['expires'])
+  -- keep token in cache until it expires
+  local ttl = json_resp['expires_in']
+  dataStore:saveOAuthToken('google', token, cjson.encode(json_resp), ttl)
   -- convert Google's response
   -- Read more about the fields at: https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
   ngx.header['X-OIDC-Sub'] = json_resp['sub']

tests/scripts/lua/security.lua

diff --git a/tests/scripts/lua/security.lua b/tests/scripts/lua/security.lua
index 2b8cf52..89533fd 100644
--- a/tests/scripts/lua/security.lua
+++ b/tests/scripts/lua/security.lua
@@ -237,33 +237,6 @@
     assert.same(red:exists('oauth:providers:mock:tokens:bad'), 0)
     assert.falsy(result)
   end)
-  it('Loads a facebook token from the cache without a valid app id', function()
-    local red = fakeredis.new()
-    local ds = require "lib/dataStore"
-    local dataStore = ds.initWithDriver(red)
-    local token = "test"
-    local ngxattrs = [[
-      {
-        "http_Authorization":"]] .. token .. [[",
-        "http_x_facebook_app_token":"nothing",
-        "tenant":"1234",
-        "gatewayPath":"v1/test"
-      }
-    ]]
-    local ngx = fakengx.new()
-    ngx.var = cjson.decode(ngxattrs)
-    _G.ngx = ngx
-    local securityObj = [[
-      {
-        "type":"oauth2",
-        "provider":"facebook",
-        "scope":"resource"
-      }
-    ]]
-    red:set('oauth:providers:facebook:tokens:test', '{ "token":"good"}')
-    local result = oauth.process(dataStore, cjson.decode(securityObj))
-    assert.truthy(result)
-  end)
   it('Loads a facebook token from the cache with a valid app id', function()
     local red = fakeredis.new()
     local ds = require "lib/dataStore"

tools/travis/build.sh

diff --git a/tools/travis/build.sh b/tools/travis/build.sh
index 8b5dbaf..a9654bf 100755
--- a/tools/travis/build.sh
+++ b/tools/travis/build.sh
@@ -57,4 +57,4 @@
 sleep 60
 TERM=dumb ./gradlew tests:test --tests whisk.core.apigw.* ${WSK_TESTS_DEPS_EXCLUDE}
 sleep 60
-TERM=dumb ./gradlew tests:test --tests whisk.core.cli.test.ApiGwTests ${WSK_TESTS_DEPS_EXCLUDE}
+TERM=dumb ./gradlew tests:test --tests whisk.core.cli.test.ApiGwRestTests ${WSK_TESTS_DEPS_EXCLUDE}