Align GitHub OAuth token expire with GerritAccount
Calculate the GerritOAuth Cookie.maxAge in the same
way that Gerrit Cached WebSessions expire.
This allows to avoid the unpleasant situations where
Gerrit session is active but all RESTFul API calls
are failing because of the missing OAuth cookie.
This was perceived as a "Internal Error" pop-up
on the Gerrit UX when the OAuth token expired.
Change-Id: I0d1f5d3be1f9257ee3b8ee5f0ac1dd809f1727fd
diff --git a/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/GitHubLogin.java b/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/GitHubLogin.java
index 1b9d536..ece7ca8 100644
--- a/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/GitHubLogin.java
+++ b/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/GitHubLogin.java
@@ -78,7 +78,7 @@
@Inject
public GitHubLogin(final OAuthProtocol oauth, final GitHubOAuthConfig config) {
this.oauth = oauth;
- this.cookieProvider = new OAuthCookieProvider(TokenCipher.get());
+ this.cookieProvider = new OAuthCookieProvider(TokenCipher.get(), config);
this.config = config;
}
diff --git a/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/GitHubOAuthConfig.java b/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/GitHubOAuthConfig.java
index 2ed144c..e9cb5c5 100644
--- a/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/GitHubOAuthConfig.java
+++ b/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/GitHubOAuthConfig.java
@@ -54,10 +54,13 @@
public final Map<String, List<OAuthProtocol.Scope>> scopes;
public final int fileUpdateMaxRetryCount;
public final int fileUpdateMaxRetryIntervalMsec;
+ public final CompositeConfig gerritConfig;
@Inject
public GitHubOAuthConfig(CompositeConfig config)
throws MalformedURLException {
+ this.gerritConfig = config;
+
httpHeader = config.getString("auth", null, "httpHeader");
gitHubUrl = dropTrailingSlash(
Objects.firstNonNull(config.getString(CONF_SECTION, null, "url"),
diff --git a/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthCookie.java b/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthCookie.java
index 5550bfa..9df3190 100644
--- a/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthCookie.java
+++ b/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthCookie.java
@@ -31,13 +31,13 @@
public final SortedSet<Scope> scopes;
public OAuthCookie(TokenCipher cipher, final String user, final String email,
- final String fullName, final SortedSet<Scope> scopes) throws OAuthTokenException {
+ final String fullName, final SortedSet<Scope> scopes, final long maxAgeSeconds) throws OAuthTokenException {
super(OAUTH_COOKIE_NAME, cipher.encode(getClearTextCookie(user, email, fullName, scopes)));
this.user = user;
this.email = email;
this.fullName = fullName;
this.scopes = scopes;
- setMaxAge((int) (TokenCipher.COOKIE_TIMEOUT/1000L));
+ setMaxAge((int) maxAgeSeconds);
setHttpOnly(true);
setPath("/");
}
diff --git a/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthCookieProvider.java b/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthCookieProvider.java
index 185002c..9b78818 100644
--- a/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthCookieProvider.java
+++ b/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthCookieProvider.java
@@ -13,23 +13,31 @@
// limitations under the License.
package com.googlesource.gerrit.plugins.github.oauth;
+import static java.util.concurrent.TimeUnit.MINUTES;
+import static java.util.concurrent.TimeUnit.SECONDS;
+
import java.util.SortedSet;
import javax.servlet.http.Cookie;
+import com.google.gerrit.server.config.ConfigUtil;
import com.googlesource.gerrit.plugins.github.oauth.OAuthProtocol.Scope;
public class OAuthCookieProvider {
+ private static final String CACHE_NAME = "web_sessions";
private TokenCipher cipher;
+ private GitHubOAuthConfig config;
- public OAuthCookieProvider(TokenCipher cipher) {
+
+ public OAuthCookieProvider(TokenCipher cipher, GitHubOAuthConfig config) {
this.cipher = cipher;
+ this.config = config;
}
public OAuthCookie getFromUser(String username, String email, String fullName, SortedSet<Scope> scopes) {
try {
- return new OAuthCookie(cipher, username, email, fullName, scopes);
+ return new OAuthCookie(cipher, username, email, fullName, scopes, getGerritSessionMaxAgeMillis());
} catch (OAuthTokenException e) {
return null;
}
@@ -39,4 +47,8 @@
return new OAuthCookie(cipher, cookie);
}
+ private long getGerritSessionMaxAgeMillis() {
+ return ConfigUtil.getTimeUnit(config.gerritConfig, "cache", CACHE_NAME,
+ "maxAge", TokenCipher.MAX_COOKIE_TIMEOUT, SECONDS);
+ }
}
diff --git a/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthGitFilter.java b/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthGitFilter.java
index d14068d..9c37094 100644
--- a/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthGitFilter.java
+++ b/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthGitFilter.java
@@ -139,7 +139,7 @@
this.accountCache = accountCache;
this.httpClientProvider = httpClientProvider;
this.config = config;
- this.cookieProvider = new OAuthCookieProvider(TokenCipher.get());
+ this.cookieProvider = new OAuthCookieProvider(TokenCipher.get(), config);
this.xGerritAuth = xGerritAuth;
}
diff --git a/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthWebFilter.java b/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthWebFilter.java
index bc64fde..2b0b774 100644
--- a/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthWebFilter.java
+++ b/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthWebFilter.java
@@ -62,7 +62,7 @@
this.config = config;
this.sites = sites;
this.loginProvider = loginProvider;
- this.cookieProvider = new OAuthCookieProvider(TokenCipher.get());
+ this.cookieProvider = new OAuthCookieProvider(TokenCipher.get(), config);
}
@Override
diff --git a/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/TokenCipher.java b/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/TokenCipher.java
index 58ac738..1efce54 100644
--- a/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/TokenCipher.java
+++ b/github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/TokenCipher.java
@@ -14,6 +14,8 @@
package com.googlesource.gerrit.plugins.github.oauth;
+import static java.util.concurrent.TimeUnit.HOURS;
+
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.security.NoSuchAlgorithmException;
@@ -36,7 +38,8 @@
private static final String ENC_ALGO = "AES";
private static final Logger log = org.slf4j.LoggerFactory
.getLogger(OAuthCookieProvider.class);
- public static final Long COOKIE_TIMEOUT = 15 * 60 * 1000L;
+ public static final Long MAX_COOKIE_TIMEOUT = HOURS.toSeconds(12);
+
private SecretKey aesKey;
private byte[] IV;
@@ -117,7 +120,7 @@
}
long ts = Long.parseLong(clearTextParts[1]);
- if ((System.currentTimeMillis() - ts) > COOKIE_TIMEOUT) {
+ if ((System.currentTimeMillis() - ts) > MAX_COOKIE_TIMEOUT) {
throw new OAuthTokenException("Session token " + sessionToken
+ " has expired");
}
