Merge branch 'master' of https://github.com/Blackbaud-MitchellMorris/jjwt into Blackbaud-MitchellMorris-master

src/main/java/io/jsonwebtoken/Clock.java

@@ -0,0 +1,7 @@
+package io.jsonwebtoken;
+
+import java.util.Date;
+
+public interface Clock {
+    Date now();
+}

src/main/java/io/jsonwebtoken/DefaultClock.java

@@ -0,0 +1,10 @@
+package io.jsonwebtoken;
+
+import java.util.Date;
+
+public class DefaultClock implements Clock {
+    @Override
+    public Date now() {
+        return new Date();
+    }
+}

src/main/java/io/jsonwebtoken/JwtParser.java

@@ -124,6 +124,15 @@ public interface JwtParser {
      */
     JwtParser require(String claimName, Object value);
 
+    /**
+     * Replace the {@code clock} used by the parser to determine the current time-of-day to use when validating
+     * the parsed JWT. If {@code null}, will reset the behavior to use the system clock.
+     *
+     * @param clock a {@code Clock} object to return the time-of-day or {@code null}
+     * @return the builder instance for method chaining.
+     */
+    JwtParser setClock(Clock clock);
+
     /**
      * Sets the signing key used to verify any discovered JWS digital signature.  If the specified JWT string is not
      * a JWS (no signature), this key is not used.

src/main/java/io/jsonwebtoken/impl/DefaultJwtParser.java

@@ -18,8 +18,10 @@ package io.jsonwebtoken.impl;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import io.jsonwebtoken.ClaimJwtException;
 import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.Clock;
 import io.jsonwebtoken.CompressionCodec;
 import io.jsonwebtoken.CompressionCodecResolver;
+import io.jsonwebtoken.DefaultClock;
 import io.jsonwebtoken.ExpiredJwtException;
 import io.jsonwebtoken.Header;
 import io.jsonwebtoken.IncorrectClaimException;
@@ -69,6 +71,8 @@ public class DefaultJwtParser implements JwtParser {
 
     Claims expectedClaims = new DefaultClaims();
 
+    private Clock clock = new DefaultClock();
+
     @Override
     public JwtParser requireIssuedAt(Date issuedAt) {
         expectedClaims.setIssuedAt(issuedAt);
@@ -127,6 +131,17 @@ public class DefaultJwtParser implements JwtParser {
         return this;
     }
 
+    @Override
+    public JwtParser setClock(Clock clock) {
+        if (clock == null) {
+            this.clock = new DefaultClock();
+        } else {
+            this.clock = clock;
+        }
+
+        return this;
+    }
+
     @Override
     public JwtParser setSigningKey(byte[] key) {
         Assert.notEmpty(key, "signing key cannot be null or empty.");
@@ -346,16 +361,15 @@ public class DefaultJwtParser implements JwtParser {
         //since 0.3:
         if (claims != null) {
 
-            Date now = null;
             SimpleDateFormat sdf;
 
+            final Date now = this.clock.now();
+
             //https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-30#section-4.1.4
             //token MUST NOT be accepted on or after any specified exp time:
             Date exp = claims.getExpiration();
             if (exp != null) {
 
-                now = new Date();
-
                 if (now.equals(exp) || now.after(exp)) {
                     sdf = new SimpleDateFormat(ISO_8601_FORMAT);
                     String expVal = sdf.format(exp);
@@ -371,10 +385,6 @@ public class DefaultJwtParser implements JwtParser {
             Date nbf = claims.getNotBefore();
             if (nbf != null) {
 
-                if (now == null) {
-                    now = new Date();
-                }
-
                 if (now.before(nbf)) {
                     sdf = new SimpleDateFormat(ISO_8601_FORMAT);
                     String nbfVal = sdf.format(nbf);

src/main/java/io/jsonwebtoken/impl/FixedClock.java

@@ -0,0 +1,22 @@
+package io.jsonwebtoken.impl;
+
+import io.jsonwebtoken.Clock;
+
+import java.util.Date;
+
+public class FixedClock implements Clock {
+    private final Date now;
+
+    public FixedClock() {
+        this(new Date());
+    }
+
+    public FixedClock(Date now) {
+        this.now = now;
+    }
+
+    @Override
+    public Date now() {
+        return this.now;
+    }
+}

src/test/groovy/io/jsonwebtoken/JwtParserTest.groovy

@@ -15,6 +15,7 @@
  */
 package io.jsonwebtoken
 
+import io.jsonwebtoken.impl.FixedClock
 import io.jsonwebtoken.impl.TextCodec
 import org.junit.Test
 
@@ -1392,4 +1393,43 @@ class JwtParserTest {
             )
         }
     }
+
+    @Test
+    void testParseClockManipulationWithFixedClock() {
+        def then = System.currentTimeMillis() - 1000
+        Date expiry = new Date(then)
+        Date beforeExpiry = new Date(then - 1000)
+
+        String compact = Jwts.builder().setSubject('Joe').setExpiration(expiry).compact()
+
+        Jwts.parser().setClock(new FixedClock(beforeExpiry)).parse(compact)
+    }
+
+    @Test
+    void testParseClockManipulationWithNullClock() {
+        Date expiry = new Date(System.currentTimeMillis() - 1000)
+
+        String compact = Jwts.builder().setSubject('Joe').setExpiration(expiry).compact()
+
+        try {
+            Jwts.parser().setClock(null).parse(compact)
+            fail()
+        } catch (ExpiredJwtException e) {
+            assertTrue e.getMessage().startsWith('JWT expired at ')
+        }
+    }
+
+    @Test
+    void testParseClockManipulationWithDefaultClock() {
+        Date expiry = new Date(System.currentTimeMillis() - 1000)
+
+        String compact = Jwts.builder().setSubject('Joe').setExpiration(expiry).compact()
+
+        try {
+            Jwts.parser().setClock(new DefaultClock()).parse(compact)
+            fail()
+        } catch (ExpiredJwtException e) {
+            assertTrue e.getMessage().startsWith('JWT expired at ')
+        }
+    }
 }