[ISSUE #12060] fix too large ttl when auth disabled (#12090)

* [ISSUE #12060] fix too large ttl when auth disabled fix issue #12060 1. fix too large ttl when auth disabled 2. generate a valid token when key is valid even if auth disabled * [ISSUE #12060] add unit test * [ISSUE #12060] fix style issue
alibaba · May 20, 2024 · 9363a08 · 9363a08
1 parent 35e3994
commit 9363a08
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 4 deletions.
diff --git a/...h-plugin/src/main/java/com/alibaba/nacos/plugin/auth/impl/token/impl/JwtTokenManager.java b/...h-plugin/src/main/java/com/alibaba/nacos/plugin/auth/impl/token/impl/JwtTokenManager.java
@@ -103,10 +103,13 @@ public String createToken(Authentication authentication) {
  * @return token
  */
  public String createToken(String userName) {
- if (!authConfigs.isAuthEnabled()) {
+ // create a token when auth enabled or nacos.core.auth.plugin.nacos.token.secret.key is configured
+ if (!authConfigs.isAuthEnabled() && null == jwtParser) {
  return AUTH_DISABLED_TOKEN;
+ } else if (authConfigs.isAuthEnabled()) {
+ // check nacos.core.auth.plugin.nacos.token.secret.key only if auth enabled
+ checkJwtParser();
  }
- checkJwtParser();
  return jwtParser.jwtBuilder().setUserName(userName).setExpiredTime(this.tokenValidityInSeconds).compact();
  }
 
@@ -147,7 +150,7 @@ public long getTokenValidityInSeconds() {
  @Override
  public long getTokenTtlInSeconds(String token) throws AccessException {
  if (!authConfigs.isAuthEnabled()) {
- return TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis()) + tokenValidityInSeconds;
+ return tokenValidityInSeconds;
  }
  return jwtParser.getExpireTimeInSeconds(token) - TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis());
  }

diff --git a/...ugin/src/test/java/com/alibaba/nacos/plugin/auth/impl/token/impl/JwtTokenManagerTest.java b/...ugin/src/test/java/com/alibaba/nacos/plugin/auth/impl/token/impl/JwtTokenManagerTest.java
@@ -35,6 +35,7 @@
 import java.util.concurrent.TimeUnit;
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotEquals;
 import static org.mockito.Mockito.when;
 
 @RunWith(MockitoJUnitRunner.class)
@@ -105,13 +106,49 @@ public void testGetTokenTtlInSeconds() throws AccessException {
  public void testGetExpiredTimeInSeconds() throws AccessException {
  Assert.assertTrue(jwtTokenManager.getExpiredTimeInSeconds(jwtTokenManager.createToken("nacos")) > 0);
  }
+
+ @Test
+ public void testGetTokenTtlInSecondsWhenAuthDisabled() throws AccessException {
+ when(authConfigs.isAuthEnabled()).thenReturn(false);
+ // valid secret key
+ String ttl = EnvUtil.getProperty(AuthConstants.TOKEN_EXPIRE_SECONDS);
+ Assert.assertEquals(Integer.parseInt(ttl), jwtTokenManager.getTokenTtlInSeconds(jwtTokenManager.createToken("nacos")));
+ // invalid secret key
+ MockEnvironment mockEnvironment = new MockEnvironment();
+ mockEnvironment.setProperty(AuthConstants.TOKEN_SECRET_KEY, "");
+ EnvUtil.setEnvironment(mockEnvironment);
+ jwtTokenManager = new JwtTokenManager(authConfigs);
+ Assert.assertEquals(Integer.parseInt(ttl), jwtTokenManager.getTokenTtlInSeconds(jwtTokenManager.createToken("nacos")));
+ }
 
  @Test
- public void testCreateTokenWhenDisableAuth() {
+ public void testCreateTokenWhenDisableAuthAndSecretKeyIsBlank() {
  when(authConfigs.isAuthEnabled()).thenReturn(false);
+ MockEnvironment mockEnvironment = new MockEnvironment();
+ mockEnvironment.setProperty(AuthConstants.TOKEN_SECRET_KEY, "");
+ mockEnvironment
+ .setProperty(AuthConstants.TOKEN_EXPIRE_SECONDS, AuthConstants.DEFAULT_TOKEN_EXPIRE_SECONDS.toString());
+
+ EnvUtil.setEnvironment(mockEnvironment);
  jwtTokenManager = new JwtTokenManager(authConfigs);
  assertEquals("AUTH_DISABLED", jwtTokenManager.createToken("nacos"));
  }
+
+ @Test
+ public void testCreateTokenWhenDisableAuthAndSecretKeyIsNotBlank() throws AccessException {
+ when(authConfigs.isAuthEnabled()).thenReturn(false);
+ MockEnvironment mockEnvironment = new MockEnvironment();
+ String tmpKey = "SecretKey0123567890234567890123456789012345678901234567890123456789";
+ mockEnvironment.setProperty(AuthConstants.TOKEN_SECRET_KEY,
+ Base64.getEncoder().encodeToString(tmpKey.getBytes(StandardCharsets.UTF_8)));
+ mockEnvironment
+ .setProperty(AuthConstants.TOKEN_EXPIRE_SECONDS, AuthConstants.DEFAULT_TOKEN_EXPIRE_SECONDS.toString());
+ EnvUtil.setEnvironment(mockEnvironment);
+ jwtTokenManager = new JwtTokenManager(authConfigs);
+ String token = jwtTokenManager.createToken("nacos");
+ assertNotEquals("AUTH_DISABLED", token);
+ jwtTokenManager.validateToken(token);
+ }
 
  @Test
  public void testNacosJwtParser() throws AccessException {