Limit token expiry to 1 hour maximum (#38244)

We mention in our documentation for the token
expiration configuration maximum value is 1 hour
but do not enforce it. This commit adds max limit
to the TOKEN_EXPIRATION setting.
This commit is contained in:
Yogesh Gaikwad 2019-02-05 12:02:36 +11:00 committed by GitHub
parent 48f09471f8
commit 9d3f057894
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 25 additions and 1 deletions

View File

@ -156,7 +156,7 @@ public final class TokenService {
public static final String THREAD_POOL_NAME = XPackField.SECURITY + "-token-key";
public static final Setting<TimeValue> TOKEN_EXPIRATION = Setting.timeSetting("xpack.security.authc.token.timeout",
TimeValue.timeValueMinutes(20L), TimeValue.timeValueSeconds(1L), Property.NodeScope);
TimeValue.timeValueMinutes(20L), TimeValue.timeValueSeconds(1L), TimeValue.timeValueHours(1L), Property.NodeScope);
public static final Setting<TimeValue> DELETE_INTERVAL = Setting.timeSetting("xpack.security.authc.token.delete.interval",
TimeValue.timeValueMinutes(30L), Property.NodeScope);
public static final Setting<TimeValue> DELETE_TIMEOUT = Setting.timeSetting("xpack.security.authc.token.delete.timeout",

View File

@ -65,6 +65,7 @@ import javax.crypto.SecretKey;
import static java.time.Clock.systemUTC;
import static org.elasticsearch.repositories.ESBlobStoreTestCase.randomBytes;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.notNullValue;
import static org.hamcrest.Matchers.nullValue;
import static org.mockito.Matchers.any;
@ -408,6 +409,29 @@ public class TokenServiceTests extends ESTestCase {
assertArrayEquals(key.getEncoded(), key2.getEncoded());
}
public void testTokenExpiryConfig() {
TimeValue expiration = TokenService.TOKEN_EXPIRATION.get(tokenServiceEnabledSettings);
assertThat(expiration, equalTo(TimeValue.timeValueMinutes(20L)));
// Configure Minimum expiration
tokenServiceEnabledSettings = Settings.builder().put(TokenService.TOKEN_EXPIRATION.getKey(), "1s").build();
expiration = TokenService.TOKEN_EXPIRATION.get(tokenServiceEnabledSettings);
assertThat(expiration, equalTo(TimeValue.timeValueSeconds(1L)));
// Configure Maximum expiration
tokenServiceEnabledSettings = Settings.builder().put(TokenService.TOKEN_EXPIRATION.getKey(), "60m").build();
expiration = TokenService.TOKEN_EXPIRATION.get(tokenServiceEnabledSettings);
assertThat(expiration, equalTo(TimeValue.timeValueHours(1L)));
// Outside range should fail
tokenServiceEnabledSettings = Settings.builder().put(TokenService.TOKEN_EXPIRATION.getKey(), "1ms").build();
IllegalArgumentException ile = expectThrows(IllegalArgumentException.class,
() -> TokenService.TOKEN_EXPIRATION.get(tokenServiceEnabledSettings));
assertThat(ile.getMessage(),
containsString("failed to parse value [1ms] for setting [xpack.security.authc.token.timeout], must be >= [1s]"));
tokenServiceEnabledSettings = Settings.builder().put(TokenService.TOKEN_EXPIRATION.getKey(), "120m").build();
ile = expectThrows(IllegalArgumentException.class, () -> TokenService.TOKEN_EXPIRATION.get(tokenServiceEnabledSettings));
assertThat(ile.getMessage(),
containsString("failed to parse value [120m] for setting [xpack.security.authc.token.timeout], must be <= [1h]"));
}
public void testTokenExpiry() throws Exception {
ClockMock clock = ClockMock.frozen();
TokenService tokenService = new TokenService(tokenServiceEnabledSettings, clock, client, securityIndex, clusterService);