From 9d3f0578943063f5f6858cced3fb5289505d8b9c Mon Sep 17 00:00:00 2001
From: Yogesh Gaikwad <902768+bizybot@users.noreply.github.com>
Date: Tue, 5 Feb 2019 12:02:36 +1100
Subject: [PATCH] Limit token expiry to 1 hour maximum (#38244)

We mention in our documentation for the token expiration configuration maximum value is 1 hour but do not enforce it. This commit adds max limit to the TOKEN_EXPIRATION setting.
---
 .../xpack/security/authc/TokenService.java | 2 +-
 .../security/authc/TokenServiceTests.java | 24 +++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
index daa20aeb9e1..0ea689f3ac5 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
@@ -156,7 +156,7 @@ public final class TokenService {
 public static final String THREAD_POOL_NAME = XPackField.SECURITY + "-token-key";
 public static final Setting TOKEN_EXPIRATION = Setting.timeSetting("xpack.security.authc.token.timeout",
- TimeValue.timeValueMinutes(20L), TimeValue.timeValueSeconds(1L), Property.NodeScope);
+ TimeValue.timeValueMinutes(20L), TimeValue.timeValueSeconds(1L), TimeValue.timeValueHours(1L), Property.NodeScope);
 public static final Setting DELETE_INTERVAL = Setting.timeSetting("xpack.security.authc.token.delete.interval",
 TimeValue.timeValueMinutes(30L), Property.NodeScope);
 public static final Setting DELETE_TIMEOUT = Setting.timeSetting("xpack.security.authc.token.delete.timeout",
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/TokenServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/TokenServiceTests.java
index 47770288b1b..6744bd8e099 100644
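Review bot: The new upper bound on `TOKEN_EXPIRATION` means any existing `xpack.security.authc.token.timeout` above 1h, which was previously accepted, will presumably now fail settings validation when the node starts, and nothing in the hunk or the commit message calls that out; a breaking-changes or migration note should accompany this change. The constant also carries no Javadoc, so a reader has to decode the positional `timeSetting` arguments to learn the enforced range; suggest adding `/** Lifetime of an access token. Values are validated to the inclusive range 1s to 1h; the default is 20m. */` above the declaration. The enclosing `TokenService` class starts and ends outside the hunk.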
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/TokenServiceTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/TokenServiceTests.java
@@ -65,6 +65,7 @@ import javax.crypto.SecretKey;
 import static java.time.Clock.systemUTC;
 import static org.elasticsearch.repositories.ESBlobStoreTestCase.randomBytes;
 import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.notNullValue;
 import static org.hamcrest.Matchers.nullValue;
 import static org.mockito.Matchers.any;
@@ -408,6 +409,29 @@ public class TokenServiceTests extends ESTestCase {
 assertArrayEquals(key.getEncoded(), key2.getEncoded());
 }
 
+ public void testTokenExpiryConfig() {
+ TimeValue expiration = TokenService.TOKEN_EXPIRATION.get(tokenServiceEnabledSettings);
+ assertThat(expiration, equalTo(TimeValue.timeValueMinutes(20L)));
+ // Configure Minimum expiration
+ tokenServiceEnabledSettings = Settings.builder().put(TokenService.TOKEN_EXPIRATION.getKey(), "1s").build();
+ expiration = TokenService.TOKEN_EXPIRATION.get(tokenServiceEnabledSettings);
+ assertThat(expiration, equalTo(TimeValue.timeValueSeconds(1L)));
+ // Configure Maximum expiration
+ tokenServiceEnabledSettings = Settings.builder().put(TokenService.TOKEN_EXPIRATION.getKey(), "60m").build();
+ expiration = TokenService.TOKEN_EXPIRATION.get(tokenServiceEnabledSettings);
+ assertThat(expiration, equalTo(TimeValue.timeValueHours(1L)));
+ // Outside range should fail
+ tokenServiceEnabledSettings = Settings.builder().put(TokenService.TOKEN_EXPIRATION.getKey(), "1ms").build();
+ IllegalArgumentException ile = expectThrows(IllegalArgumentException.class,
+ () -> TokenService.TOKEN_EXPIRATION.get(tokenServiceEnabledSettings));
+ assertThat(ile.getMessage(),
+ containsString("failed to parse value [1ms] for setting [xpack.security.authc.token.timeout], must be >= [1s]"));
+ tokenServiceEnabledSettings = Settings.builder().put(TokenService.TOKEN_EXPIRATION.getKey(), "120m").build();
+ ile = expectThrows(IllegalArgumentException.class, () -> TokenService.TOKEN_EXPIRATION.get(tokenServiceEnabledSettings));
+ assertThat(ile.getMessage(),
+ containsString("failed to parse value [120m] for setting [xpack.security.authc.token.timeout], must be <= [1h]"));
+ }
+
 public void testTokenExpiry() throws Exception {
 ClockMock clock = ClockMock.frozen();
 TokenService tokenService = new TokenService(tokenServiceEnabledSettings, clock, client, securityIndex, clusterService);
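Review bot: `testTokenExpiryConfig` drives every case by reassigning the shared `tokenServiceEnabledSettings` fixture field instead of a local `Settings`, so the lambdas handed to `expectThrows` capture mutable instance state and each assertion quietly depends on the previous reassignment; a per-case `Settings settings = Settings.builder().put(TokenService.TOKEN_EXPIRATION.getKey(), "1s").build();` would make each check self-contained. The rejected values `1ms` and `120m` sit well outside the range, so an off-by-one at the cap would go unnoticed; adding a value just over the limit, e.g. `"3601s"`, and asserting it is rejected would pin the inclusive upper bound that the `60m` case establishes. Matching the full parser message also couples the test to `Setting`'s exact wording, where `containsString("must be <= [1h]")` is sufficient to prove the bound. The enclosing `TokenServiceTests` class continues outside the hunk.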