changeset 2030:a26429779377

Fix verified-token removal in TokenManager PR3210 Reviewed-by: jerboaa Review-thread: http://icedtea.classpath.org/pipermail/thermostat/2016-October/021425.html
author Jie Kang <jkang@redhat.com>
date Wed, 26 Oct 2016 09:11:46 -0400
parents 9fe2266b4fa5
children 5a183ba7be84
files web/server/src/main/java/com/redhat/thermostat/web/server/TokenManager.java web/server/src/test/java/com/redhat/thermostat/web/server/TokenManagerTest.java
diffstat 2 files changed, 14 insertions(+), 3 deletions(-) [+]
--- a/web/server/src/main/java/com/redhat/thermostat/web/server/TokenManager.java	Wed Oct 12 11:28:56 2016 -0400
+++ b/web/server/src/main/java/com/redhat/thermostat/web/server/TokenManager.java	Wed Oct 26 09:11:46 2016 -0400
@@ -85,12 +85,12 @@
         return token;
     }
 
-    private void scheduleRemoval(final String clientToken) {
+    private void scheduleRemoval(final String clientKey) {
         TimerTask task = new TimerTask() {
             
             @Override
             public void run() {
-                tokens.remove(clientToken);
+                tokens.remove(clientKey);
             }
         };
         timer.schedule(task, timeout);
@@ -111,7 +111,7 @@
             byte[] storedToken = tokens.get(clientKey);
             boolean verified = Arrays.equals(candidateToken, storedToken);
             if (verified) {
-                tokens.remove(clientToken);
+                tokens.remove(clientKey);
             }
             return verified;
         }
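Review bot: `Arrays.equals(candidateToken, storedToken)` on the second line of this hunk stops at the first mismatching byte, so the time verifyToken takes depends on how long a prefix of the candidate matches the stored token; a constant-time comparison, `boolean verified = MessageDigest.isEqual(candidateToken, storedToken);` (java.security.MessageDigest), removes that dependency. Both Arrays.equals and MessageDigest.isEqual return true when both arrays are null, so a key with no stored token should be rejected before comparing, `if (storedToken == null) { return false; }`, rather than relying on the candidate never being null; whether the caller can pass a null candidate is not visible here. The method's signature and the block enclosing these lines begin before the hunk, so any synchronization between the get and the remove cannot be judged from this view.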
--- a/web/server/src/test/java/com/redhat/thermostat/web/server/TokenManagerTest.java	Wed Oct 12 11:28:56 2016 -0400
+++ b/web/server/src/test/java/com/redhat/thermostat/web/server/TokenManagerTest.java	Wed Oct 26 09:11:46 2016 -0400
@@ -91,6 +91,17 @@
     }
     
     @Test
+    public void generateTokenCanNotBeReusedTest() {
+        TokenManager tokenManager = new TokenManager(mock(TimerRegistry.class));
+        String clientToken = "something";
+        String action = "myAction";
+        byte[] token = tokenManager.generateToken(clientToken.getBytes(), action);
+        assertTrue(tokenManager.verifyToken(clientToken.getBytes(), token, action));
+        // try again with same action name, which should not verify
+        assertFalse(tokenManager.verifyToken(clientToken.getBytes(), token, action));
+    }
+
+    @Test
     public void generateAndVerifyTokenTest() {
         TokenManager tokenManager = new TokenManager(mock(TimerRegistry.class));
         String clientToken = "something";
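Review bot: The comment `// try again with same action name, which should not verify` understates what the second assertion checks: it replays the identical token, not merely the same action, so a clearer wording is `// replaying the already-verified token must fail: a verified token is single-use`. `clientToken.getBytes()` on the generateToken and both verifyToken lines uses the platform default charset; `clientToken.getBytes(StandardCharsets.UTF_8)` keeps the key bytes identical across environments, and the same applies to generateAndVerifyTokenTest, whose body continues past the end of the hunk.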