diff --git a/drivers/storage/portworx/components_test.go b/drivers/storage/portworx/components_test.go index 6d4be9606..9dd0f345f 100644 --- a/drivers/storage/portworx/components_test.go +++ b/drivers/storage/portworx/components_test.go @@ -17662,6 +17662,8 @@ func validateTokenLifetime(t *testing.T, cluster *corev1.StorageCluster, jwtClai iatTime := time.Unix(int64(iatFloat64), 0) expTime := time.Unix(int64(expFloat64), 0) tokenLifetime := expTime.Sub(iatTime) + // subtract 10 minutes from tokenLifetime to adjust for the iat time creation for ntp sync + tokenLifetime = tokenLifetime - 10*time.Minute duration, err := pxutil.ParseExtendedDuration(*cluster.Spec.Security.Auth.SelfSigned.TokenLifetime) require.NoError(t, err) require.Equal(t, tokenLifetime, duration) diff --git a/drivers/storage/portworx/util/util.go b/drivers/storage/portworx/util/util.go index d4df26cb3..bd445cb93 100644 --- a/drivers/storage/portworx/util/util.go +++ b/drivers/storage/portworx/util/util.go @@ -1098,6 +1098,8 @@ func GenerateToken( token, err := auth.Token(claims, signature, &auth.Options{ Expiration: time.Now(). Add(duration).Unix(), + // set IAT to 10 minutes in the past to avoid clock skew issues + IATSubtract: 10 * time.Minute, }) if err != nil { return "", err diff --git a/drivers/storage/portworx/util/util_test.go b/drivers/storage/portworx/util/util_test.go index 7792bd718..2bf5e0fce 100644 --- a/drivers/storage/portworx/util/util_test.go +++ b/drivers/storage/portworx/util/util_test.go @@ -3,8 +3,11 @@ package util import ( "encoding/json" "testing" + "time" + "github.com/golang-jwt/jwt/v4" version "github.com/hashicorp/go-version" + "github.com/libopenstorage/openstorage/pkg/auth" "github.com/sirupsen/logrus" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" @@ -744,3 +747,54 @@ func TestIsVersionSupported(t *testing.T) { supported = isVersionSupported("4.16.0", "4.15.0") require.True(t, supported) } + +func TestGenerateToken(t *testing.T) { + // setup + cluster := &corev1.StorageCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "testcluster", + Namespace: "ns", + }, + Spec: corev1.StorageClusterSpec{ + Security: &corev1.SecuritySpec{ + Enabled: true, + }, + }, + } + + inputClaims := &auth.Claims{ + Issuer: "testissuer", + Subject: "test-subject", + Name: "test-name", + Email: "test-email", + Roles: nil, + Groups: []string{"*"}, + } + + secretKey := "dummy-secret" + currentTime := time.Now() + + tokenStr, err := GenerateToken(cluster, secretKey, inputClaims, 24*time.Hour) + require.NoError(t, err) + + // define the Keyfunc + keyFunc := func(token *jwt.Token) (interface{}, error) { + return []byte(secretKey), nil + } + + // parse the jwt token to get the issued time + token, err := jwt.Parse(tokenStr, keyFunc) + require.NoError(t, err) + + claims, ok := token.Claims.(jwt.MapClaims) + require.True(t, ok) + // get issued time from token + iat, ok := claims["iat"].(float64) + require.True(t, ok) + iatTime := time.Unix(int64(iat), 0) + + // check time difference between issued time and current time + // get time difference in minutes truncating milliseconds + timeDifferenceInMinutes := currentTime.Sub(iatTime).Truncate(time.Minute).Minutes() + require.Equal(t, float64(10), timeDifferenceInMinutes) +}