Merge branch 'RM-5091_nonce_prop_fix' into 'master'

RM-5091: move nonce expiration property to NonceConfigProperties and change... See merge request cdoc2/cdoc2-shares-server!22
open-eid · Feb 27, 2025 · a0e3db9 · a0e3db9
2 parents ee11566 + 3807039
commit a0e3db9
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 10 deletions.
diff --git a/shares-server/src/main/java/ee/cyber/cdoc2/server/Cdoc2KeySharesServerApplication.java b/shares-server/src/main/java/ee/cyber/cdoc2/server/Cdoc2KeySharesServerApplication.java
@@ -17,6 +17,7 @@
 import ee.cyber.cdoc2.server.config.AuthCertificateConfigProperties;
 import ee.cyber.cdoc2.server.config.DbConnectionConfigProperties;
 import ee.cyber.cdoc2.server.config.MonitoringConfigProperties;
+import ee.cyber.cdoc2.server.config.NonceConfigProperties;
 
 
 @SpringBootApplication
@@ -27,7 +28,8 @@
 @EnableConfigurationProperties({
     MonitoringConfigProperties.class,
     DbConnectionConfigProperties.class,
-    AuthCertificateConfigProperties.class
+    AuthCertificateConfigProperties.class,
+    NonceConfigProperties.class
 })
 @EnableScheduling
 public class Cdoc2KeySharesServerApplication implements CommandLineRunner {

diff --git a/shares-server/src/main/java/ee/cyber/cdoc2/server/api/KeyShareApiService.java b/shares-server/src/main/java/ee/cyber/cdoc2/server/api/KeyShareApiService.java
@@ -31,14 +31,14 @@
 import org.bouncycastle.asn1.x509.Certificate;
 import org.bouncycastle.asn1.x509.KeyUsage;
 import org.bouncycastle.cert.X509CertificateHolder;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.ssl.SslBundles;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Service;
 import org.springframework.web.context.request.NativeWebRequest;
 
 import ee.cyber.cdoc2.server.config.AuthCertificateConfigProperties;
+import ee.cyber.cdoc2.server.config.NonceConfigProperties;
 import ee.cyber.cdoc2.server.generated.api.KeySharesApi;
 import ee.cyber.cdoc2.server.generated.api.KeySharesApiController;
 import ee.cyber.cdoc2.server.generated.api.KeySharesApiDelegate;
@@ -65,6 +65,8 @@ public class KeyShareApiService implements KeySharesApiDelegate {
 
     private final AuthCertificateConfigProperties certificateConfig;
 
+    private final NonceConfigProperties nonceConfigProperties;
+
     private final NativeWebRequest nativeWebRequest;
 
     private final KeyShareRepository keyShareRepository;
@@ -75,9 +77,6 @@ public class KeyShareApiService implements KeySharesApiDelegate {
     // https://docs.spring.io/spring-boot/reference/features/ssl.html#features.ssl.pem
     private final SslBundles sslBundles;
 
-    @Value("${cdoc2.nonce.expiration.seconds:300}")
-    private long nonceExpirationSeconds;
-
     @Override
     public Optional<NativeWebRequest> getRequest() {
         return Optional.of(this.nativeWebRequest);
@@ -353,11 +352,12 @@ protected void checkNonceFromDB(String ticketShareId, String ticketNonce) {
 
         if (dbNonceOpt.isPresent()) {
             KeyShareNonceDb dbNonce = dbNonceOpt.get();
-            long nonceAgeSeconds = Instant.now().getEpochSecond() - dbNonce.getCreatedAt().getEpochSecond();
-            if (nonceAgeSeconds > this.nonceExpirationSeconds) {
-                log.debug("nonce {} is expired. now({})-nonce.createdAt({})={} > {}", ticketNonce, Instant.now(),
-                    dbNonce.getCreatedAt(), nonceAgeSeconds,
-                    this.nonceExpirationSeconds);
+            long nonceExpirationSeconds = nonceConfigProperties.expirationSeconds();
+            Instant now = Instant.now();
+            long nonceAgeSeconds = now.getEpochSecond() - dbNonce.getCreatedAt().getEpochSecond();
+            if (nonceAgeSeconds > nonceExpirationSeconds) {
+                log.debug("nonce {} is expired. now({})-nonce.createdAt({})={} > {}", ticketNonce,
+                    now, dbNonce.getCreatedAt(), nonceAgeSeconds, nonceExpirationSeconds);
                 throw new ResponseStatusException(HttpStatus.NOT_FOUND);
             }
         } else {

diff --git a/shares-server/src/main/java/ee/cyber/cdoc2/server/config/NonceConfigProperties.java b/shares-server/src/main/java/ee/cyber/cdoc2/server/config/NonceConfigProperties.java
@@ -0,0 +1,14 @@
+package ee.cyber.cdoc2.server.config;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+
+
+/**
+ * Key Shares nonce configuration properties
+ */
+@ConfigurationProperties(prefix = "cdoc2.nonce")
+public record NonceConfigProperties(long expirationSeconds) {
+    public NonceConfigProperties() {
+        this(300L);
+    }
+}
diff --git a/shares-server/src/test/java/ee/cyber/cdoc2/server/api/KeyShareApiAuthenticationTest.java b/shares-server/src/test/java/ee/cyber/cdoc2/server/api/KeyShareApiAuthenticationTest.java
@@ -5,6 +5,7 @@
 import com.nimbusds.jose.util.X509CertUtils;
 import ee.cyber.cdoc2.server.KeyShareIntegrationTest;
 import ee.cyber.cdoc2.server.config.AuthCertificateConfigProperties;
+import ee.cyber.cdoc2.server.config.NonceConfigProperties;
 import ee.cyber.cdoc2.server.model.entity.KeyShareDb;
 import ee.cyber.cdoc2.server.model.entity.KeyShareNonceDb;
 import ee.cyber.cdoc2.server.model.repository.KeyShareNonceRepository;
@@ -132,6 +133,7 @@ void contextLoads() {
     public void setUp() {
         keyShareApiService = new KeyShareApiService(
             new AuthCertificateConfigProperties(),
+            new NonceConfigProperties(),
             mockNativeWebRequest,
             mockShareRep,
             mockNonceRep,