Merge branch 'master' into PWX-36514

libopenstorage · Jul 24, 2024 · 803b401 · 803b401
2 parents 51a888f + 5b34b43
commit 803b401
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 0 deletions.
diff --git a/drivers/storage/portworx/components_test.go b/drivers/storage/portworx/components_test.go
@@ -17662,6 +17662,8 @@ func validateTokenLifetime(t *testing.T, cluster *corev1.StorageCluster, jwtClai
 	iatTime := time.Unix(int64(iatFloat64), 0)
 	expTime := time.Unix(int64(expFloat64), 0)
 	tokenLifetime := expTime.Sub(iatTime)
+	// subtract 10 minutes from tokenLifetime to adjust for the iat time creation for ntp sync
+	tokenLifetime = tokenLifetime - 10*time.Minute
 	duration, err := pxutil.ParseExtendedDuration(*cluster.Spec.Security.Auth.SelfSigned.TokenLifetime)
 	require.NoError(t, err)
 	require.Equal(t, tokenLifetime, duration)

diff --git a/drivers/storage/portworx/util/util.go b/drivers/storage/portworx/util/util.go
@@ -1098,6 +1098,8 @@ func GenerateToken(
 	token, err := auth.Token(claims, signature, &auth.Options{
 		Expiration: time.Now().
 			Add(duration).Unix(),
+		// set IAT to 10 minutes in the past to avoid clock skew issues
+		IATSubtract: 10 * time.Minute,
 	})
 	if err != nil {
 		return "", err

diff --git a/drivers/storage/portworx/util/util_test.go b/drivers/storage/portworx/util/util_test.go
@@ -3,8 +3,11 @@ package util
 import (
 	"encoding/json"
 	"testing"
+	"time"
 
+	"github.com/golang-jwt/jwt/v4"
 	version "github.com/hashicorp/go-version"
+	"github.com/libopenstorage/openstorage/pkg/auth"
 	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -744,3 +747,54 @@ func TestIsVersionSupported(t *testing.T) {
 	supported = isVersionSupported("4.16.0", "4.15.0")
 	require.True(t, supported)
 }
+
+func TestGenerateToken(t *testing.T) {
+	// setup
+	cluster := &corev1.StorageCluster{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "testcluster",
+			Namespace: "ns",
+		},
+		Spec: corev1.StorageClusterSpec{
+			Security: &corev1.SecuritySpec{
+				Enabled: true,
+			},
+		},
+	}
+
+	inputClaims := &auth.Claims{
+		Issuer:  "testissuer",
+		Subject: "test-subject",
+		Name:    "test-name",
+		Email:   "test-email",
+		Roles:   nil,
+		Groups:  []string{"*"},
+	}
+
+	secretKey := "dummy-secret"
+	currentTime := time.Now()
+
+	tokenStr, err := GenerateToken(cluster, secretKey, inputClaims, 24*time.Hour)
+	require.NoError(t, err)
+
+	// define the Keyfunc
+	keyFunc := func(token *jwt.Token) (interface{}, error) {
+		return []byte(secretKey), nil
+	}
+
+	// parse the jwt token to get the issued time
+	token, err := jwt.Parse(tokenStr, keyFunc)
+	require.NoError(t, err)
+
+	claims, ok := token.Claims.(jwt.MapClaims)
+	require.True(t, ok)
+	// get issued time from token
+	iat, ok := claims["iat"].(float64)
+	require.True(t, ok)
+	iatTime := time.Unix(int64(iat), 0)
+
+	// check time difference between issued time and current time
+	// get time difference in minutes truncating milliseconds
+	timeDifferenceInMinutes := currentTime.Sub(iatTime).Truncate(time.Minute).Minutes()
+	require.Equal(t, float64(10), timeDifferenceInMinutes)
+}