changeset 2492:afecd793c82f

Fix verified-token removal in TokenManager Reviewed-by: aazores Review-thread: http://icedtea.classpath.org/pipermail/thermostat/2016-October/021401.html
author Omair Majid <omajid@redhat.com>
date Tue, 25 Oct 2016 15:31:41 -0400
parents ca32ab5d3635
children 49e3ab7f5702
files web/server/src/main/java/com/redhat/thermostat/web/server/TokenManager.java web/server/src/test/java/com/redhat/thermostat/web/server/TokenManagerTest.java
diffstat 2 files changed, 14 insertions(+), 3 deletions(-) [+]
--- a/web/server/src/main/java/com/redhat/thermostat/web/server/TokenManager.java	Tue Oct 25 12:05:45 2016 +0200
+++ b/web/server/src/main/java/com/redhat/thermostat/web/server/TokenManager.java	Tue Oct 25 15:31:41 2016 -0400
@@ -85,12 +85,12 @@
         return token;
     }
 
-    private void scheduleRemoval(final String clientToken) {
+    private void scheduleRemoval(final String clientKey) {
         TimerTask task = new TimerTask() {
             
             @Override
             public void run() {
-                tokens.remove(clientToken);
+                tokens.remove(clientKey);
             }
         };
         timer.schedule(task, timeout);
@@ -111,7 +111,7 @@
             byte[] storedToken = tokens.get(clientKey);
             boolean verified = Arrays.equals(candidateToken, storedToken);
             if (verified) {
-                tokens.remove(clientToken);
+                tokens.remove(clientKey);
             }
             return verified;
         }
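Review bot: `Arrays.equals(candidateToken, storedToken)` on the line before the fixed removal short-circuits at the first differing byte, so the time a verification takes depends on how much of the candidate matched the stored token; `boolean verified = MessageDigest.isEqual(candidateToken, storedToken);` compares in constant time and also yields false when `storedToken` is null (key never generated, or already removed by the scheduled timer). The rename to `tokens.remove(clientKey)` is the real fix here: with the old name the verified token was never removed, so it could be presented again. Whether the get-then-remove sequence runs under a lock cannot be seen from this hunk, as verifyToken's body starts outside it; if `tokens` is accessed concurrently without one, two verifications racing on the same key could both read the stored token before either removes it, which is worth confirming.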
--- a/web/server/src/test/java/com/redhat/thermostat/web/server/TokenManagerTest.java	Tue Oct 25 12:05:45 2016 +0200
+++ b/web/server/src/test/java/com/redhat/thermostat/web/server/TokenManagerTest.java	Tue Oct 25 15:31:41 2016 -0400
@@ -91,6 +91,17 @@
     }
     
     @Test
+    public void generateTokenCanNotBeReusedTest() {
+        TokenManager tokenManager = new TokenManager(mock(TimerRegistry.class));
+        String clientToken = "something";
+        String action = "myAction";
+        byte[] token = tokenManager.generateToken(clientToken.getBytes(), action);
+        assertTrue(tokenManager.verifyToken(clientToken.getBytes(), token, action));
+        // try again with same action name, which should not verify
+        assertFalse(tokenManager.verifyToken(clientToken.getBytes(), token, action));
+    }
+
+    @Test
     public void generateAndVerifyTokenTest() {
         TokenManager tokenManager = new TokenManager(mock(TimerRegistry.class));
         String clientToken = "something";
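Review bot: `clientToken.getBytes()` in the new test encodes with the platform default charset, so the key bytes handed to generateToken and verifyToken depend on the JVM's file.encoding; `clientToken.getBytes(StandardCharsets.UTF_8)` (with the matching `java.nio.charset.StandardCharsets` import) makes the fixture deterministic, and the same applies to the existing generateAndVerifyTokenTest below. The comment before the second assertion describes the action name rather than what is being checked; `// replaying the same token for the same client key and action must be rejected` states the contract the fix establishes. The remainder of generateAndVerifyTokenTest continues outside the hunk.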