Check that token lifetime is long enough

Check that the configured token lifetime is at least as long as twice the minimum token lifetime so that we don't get weird redirect loops with very short token lifetimes.
lsst-sqre · Sep 19, 2024 · ec257f5 · ec257f5
1 parent 1881ca3
commit ec257f5
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 1 deletion.
diff --git a/changelog.d/20240919_154251_rra_DM_46399.md b/changelog.d/20240919_154251_rra_DM_46399.md
@@ -0,0 +1,3 @@
+### Bug fixes
+
+- Check that `tokenLifetime` is at least as long as twice the minimum token lifetime.
diff --git a/src/gafaelfawr/config.py b/src/gafaelfawr/config.py
@@ -50,7 +50,7 @@
 from safir.logging import LogLevel, configure_logging
 from safir.pydantic import EnvAsyncPostgresDsn, EnvRedisDsn, HumanTimedelta
 
-from .constants import SCOPE_REGEX, USERNAME_REGEX
+from .constants import MINIMUM_LIFETIME, SCOPE_REGEX, USERNAME_REGEX
 from .exceptions import InvalidTokenError
 from .keypair import RSAKeyPair
 from .models.token import Token
@@ -993,6 +993,15 @@ def _validate_known_scopes(cls, v: dict[str, str]) -> dict[str, str]:
                 raise ValueError(f"required scope {required} missing")
         return v
 
+    @field_validator("token_lifetime")
+    @classmethod
+    def _validate_token_lifetime(cls, v: timedelta) -> timedelta:
+        """Ensure the token lifetime is longer than minimal lifetime."""
+        limit = MINIMUM_LIFETIME + MINIMUM_LIFETIME
+        if v < limit:
+            raise ValueError(f"must be longer than {limit.total_seconds}s")
+        return v
+
     @model_validator(mode="before")
     @classmethod
     def _validate_optional(cls, data: Any) -> Any:

diff --git a/tests/config_test.py b/tests/config_test.py
@@ -82,6 +82,11 @@ def test_config_invalid_token(monkeypatch: pytest.MonkeyPatch) -> None:
         parse_config(config_path("github"))
 
 
+def test_config_invalid_lifetime() -> None:
+    with pytest.raises(ValidationError, match=r"must be longer than"):
+        parse_config(config_path("bad-lifetime"))
+
+
 def test_config_bad_groups() -> None:
     with pytest.raises(ValidationError, match="Input should be a valid list"):
         parse_config(config_path("bad-groups"))

diff --git a/tests/data/config/bad-lifetime.yaml b/tests/data/config/bad-lifetime.yaml
@@ -0,0 +1,15 @@
+# Test too short of a token lifetime.
+
+realm: "example.com"
+slackAlerts: true
+initialAdmins: ["admin"]
+afterLogoutUrl: "https://example.com/landing"
+groupMapping:
+  "exec:admin": ["admin"]
+knownScopes:
+  "admin:token": "token administration"
+  "exec:admin": "admin description"
+  "user:token": "Can create and modify user tokens"
+github:
+  clientId: "some-github-client-id"
+tokenLifetime: "8m"