From bf10974cdefffdaaebc58d21e8a9912638a0405a Mon Sep 17 00:00:00 2001 From: Tim Burke Date: Wed, 16 Dec 2015 15:46:13 -0800 Subject: [PATCH] Expose token expiration time in tempauth auth response Previously, we gave no indication of when a token would expire. Users would have to just use it until it stopped working, then re-auth. Now, a successful auth response will include a new header, X-Auth-Token-Expires, with the number of seconds remaining until the token is invalid. This allows the client to attempt to re-auth before sending a request that will definitely fail. For comparison, swauth already uses the X-Auth-Token-Expires header with identical semantics. Additionally, Keystone (v2 and v3) already exposes expiration times in its JSON responses. The security impact should be minimal. Change-Id: I5a4a74276bc0df6dda94e4bc150065c0d77de0eb --- swift/common/middleware/tempauth.py | 8 ++++++-- test/unit/common/middleware/test_tempauth.py | 17 +++++++++++++++-- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/swift/common/middleware/tempauth.py b/swift/common/middleware/tempauth.py index 9eec784a6e..a28e450a6f 100644 --- a/swift/common/middleware/tempauth.py +++ b/swift/common/middleware/tempauth.py @@ -38,6 +38,9 @@ from swift.common.utils import config_read_reseller_options from swift.proxy.controllers.base import get_account_info +DEFAULT_TOKEN_LIFE = 86400 + + class TempAuth(object): """ Test authentication and authorization system. @@ -181,7 +184,7 @@ class TempAuth(object): self.auth_prefix = '/' + self.auth_prefix if not self.auth_prefix.endswith('/'): self.auth_prefix += '/' - self.token_life = int(conf.get('token_life', 86400)) + self.token_life = int(conf.get('token_life', DEFAULT_TOKEN_LIFE)) self.allow_overrides = config_true_value( conf.get('allow_overrides', 't')) self.storage_url_scheme = conf.get('storage_url_scheme', 'default') @@ -765,7 +768,8 @@ class TempAuth(object): memcache_client.set(memcache_user_key, token, time=float(expires - time())) resp = Response(request=req, headers={ - 'x-auth-token': token, 'x-storage-token': token}) + 'x-auth-token': token, 'x-storage-token': token, + 'x-auth-token-expires': str(int(expires - time()))}) url = self.users[account_user]['url'].replace('$HOST', resp.host_url) if self.storage_url_scheme != 'default': url = self.storage_url_scheme + ':' + url.split(':', 1)[1] diff --git a/test/unit/common/middleware/test_tempauth.py b/test/unit/common/middleware/test_tempauth.py index cea15b6595..58bcc11c87 100644 --- a/test/unit/common/middleware/test_tempauth.py +++ b/test/unit/common/middleware/test_tempauth.py @@ -515,7 +515,11 @@ class TestAuth(unittest.TestCase): self.assertEqual(resp.status_int, 200) self.assertTrue(resp.headers['x-storage-url'].endswith('/v1/AUTH_ac')) self.assertTrue(resp.headers['x-auth-token'].startswith('AUTH_')) - self.assertTrue(len(resp.headers['x-auth-token']) > 10) + self.assertEqual(resp.headers['x-auth-token'], + resp.headers['x-storage-token']) + self.assertAlmostEqual(int(resp.headers['x-auth-token-expires']), + auth.DEFAULT_TOKEN_LIFE - 0.5, delta=0.5) + self.assertGreater(len(resp.headers['x-auth-token']), 10) def test_use_token_success(self): # Example of how to simulate an authorized request @@ -641,11 +645,16 @@ class TestAuth(unittest.TestCase): req.environ['SERVER_NAME'] = 'bob' req.environ['SERVER_PORT'] = '1234' req.environ['swift.cache'].set('AUTH_/user/test:tester', 'uuid_token') + expires = time() + 180 req.environ['swift.cache'].set('AUTH_/token/uuid_token', - (time() + 180, 'test,test:tester')) + (expires, 'test,test:tester')) resp = req.get_response(self.test_auth) self.assertEqual(resp.status_int, 200) self.assertEqual(resp.headers['x-auth-token'], 'uuid_token') + self.assertEqual(resp.headers['x-auth-token'], + resp.headers['x-storage-token']) + self.assertAlmostEqual(int(resp.headers['x-auth-token-expires']), + 179.5, delta=0.5) def test_old_token_overdate(self): self.test_auth = \ @@ -664,6 +673,8 @@ class TestAuth(unittest.TestCase): self.assertEqual(resp.status_int, 200) self.assertNotEqual(resp.headers['x-auth-token'], 'uuid_token') self.assertEqual(resp.headers['x-auth-token'][:7], 'AUTH_tk') + self.assertAlmostEqual(int(resp.headers['x-auth-token-expires']), + auth.DEFAULT_TOKEN_LIFE - 0.5, delta=0.5) def test_old_token_with_old_data(self): self.test_auth = \ @@ -682,6 +693,8 @@ class TestAuth(unittest.TestCase): self.assertEqual(resp.status_int, 200) self.assertNotEqual(resp.headers['x-auth-token'], 'uuid_token') self.assertEqual(resp.headers['x-auth-token'][:7], 'AUTH_tk') + self.assertAlmostEqual(int(resp.headers['x-auth-token-expires']), + auth.DEFAULT_TOKEN_LIFE - 0.5, delta=0.5) def test_reseller_admin_is_owner(self): orig_authorize = self.test_auth.authorize