# HG changeset patch
# User Jie Kang <jkang@redhat.com>
# Date 1477487506 14400
#      Wed Oct 26 09:11:46 2016 -0400
# Node ID a26429779377d98fcf07664d767f9d3400043eed
# Parent  9fe2266b4fa55eb78d372e634790878f328303f5
Fix verified-token removal in TokenManager

PR3210

Reviewed-by: jerboaa
Review-thread: http://icedtea.classpath.org/pipermail/thermostat/2016-October/021425.html

diff --git a/web/server/src/main/java/com/redhat/thermostat/web/server/TokenManager.java b/web/server/src/main/java/com/redhat/thermostat/web/server/TokenManager.java
--- a/web/server/src/main/java/com/redhat/thermostat/web/server/TokenManager.java
+++ b/web/server/src/main/java/com/redhat/thermostat/web/server/TokenManager.java
@@ -85,12 +85,12 @@
         return token;
     }
 
-    private void scheduleRemoval(final String clientToken) {
+    private void scheduleRemoval(final String clientKey) {
         TimerTask task = new TimerTask() {
             
             @Override
             public void run() {
-                tokens.remove(clientToken);
+                tokens.remove(clientKey);
             }
         };
         timer.schedule(task, timeout);
@@ -111,7 +111,7 @@
             byte[] storedToken = tokens.get(clientKey);
             boolean verified = Arrays.equals(candidateToken, storedToken);
             if (verified) {
-                tokens.remove(clientToken);
+                tokens.remove(clientKey);
             }
             return verified;
         }
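Review bot: The comparison on the line `boolean verified = Arrays.equals(candidateToken, storedToken);` is not constant-time, so a remote caller could in principle time how many leading bytes of a candidate token match the stored one; `boolean verified = MessageDigest.isEqual(candidateToken, storedToken);` gives the same result (including `false` for a missing key) without the early exit. The `get`/`remove` pair on `clientKey` is also a check-then-act: two concurrent verifications with the same candidate could both read the stored token before either removes it, which would defeat the single-use guarantee this fix is about; if verifyToken is not synchronized outside this hunk, `tokens.remove(clientKey, storedToken)` (conditional removal of the same array instance) or a lock around the get/compare/remove sequence would close that window. verifyToken's signature and the start of its body lie outside the hunk, so I cannot tell from here whether a lock already covers it.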
diff --git a/web/server/src/test/java/com/redhat/thermostat/web/server/TokenManagerTest.java b/web/server/src/test/java/com/redhat/thermostat/web/server/TokenManagerTest.java
--- a/web/server/src/test/java/com/redhat/thermostat/web/server/TokenManagerTest.java
+++ b/web/server/src/test/java/com/redhat/thermostat/web/server/TokenManagerTest.java
@@ -91,6 +91,17 @@
     }
     
     @Test
+    public void generateTokenCanNotBeReusedTest() {
+        TokenManager tokenManager = new TokenManager(mock(TimerRegistry.class));
+        String clientToken = "something";
+        String action = "myAction";
+        byte[] token = tokenManager.generateToken(clientToken.getBytes(), action);
+        assertTrue(tokenManager.verifyToken(clientToken.getBytes(), token, action));
+        // try again with same action name, which should not verify
+        assertFalse(tokenManager.verifyToken(clientToken.getBytes(), token, action));
+    }
+
+    @Test
     public void generateAndVerifyTokenTest() {
         TokenManager tokenManager = new TokenManager(mock(TimerRegistry.class));
         String clientToken = "something";
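Review bot: The new test calls `clientToken.getBytes()` three times with no charset, which on JDKs before 18 encodes with the platform default and makes the key bytes depend on the build host's locale; prefer `clientToken.getBytes(StandardCharsets.UTF_8)` in both the generate and the two verify calls so the test is deterministic across environments. It would also be worth a one-line comment above the second `assertFalse` stating the contract being pinned, e.g. `// a verified token must be consumed: the same token/action pair must not verify twice`, since that is the regression this commit fixes. The remainder of generateAndVerifyTokenTest continues past the end of the hunk.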