Validate expiration of Token at UserInfo endpoint

Close #424

CHANGELOG.md

@@ -32,6 +32,7 @@ The format is based on the [KeepAChangeLog] project.
 - [#145] Successful token endpoint responses have correct no-cache headers
 - [#352] Fixed broken windows test for ``test_provider_key_setup``. 
 - [#475] ``get_verify_key`` returns inactive ``sig`` keys for verification
+- [#429] An expired token is not possible to use.
 
 [#430]: https://github.com/OpenIDC/pyoidc/pull/430
 [#427]: https://github.com/OpenIDC/pyoidc/pull/427
@@ -50,6 +51,7 @@ The format is based on the [KeepAChangeLog] project.
 [#475]: https://github.com/OpenIDC/pyoidc/issues/475
 [#478]: https://github.com/OpenIDC/pyoidc/issues/478
 [#483]: https://github.com/OpenIDC/pyoidc/pull/483
+[#429]: https://github.com/OpenIDC/pyoidc/issues/424
 
 ## 0.12.0 [2017-09-25]
 

src/oic/oic/provider.py

@@ -1221,6 +1221,9 @@ def _do_user_info(self, token, **kwargs):
             logger.error('Wrong token type: {}'.format(typ))
             raise FailedAuthentication("Wrong type of token")
 
+        if _sdb.access_token.is_expired():
+            return error(error='invalid_token', descr='Token is expired', status_code=401)
+
         if _sdb.is_revoked(key):
             return error(error="invalid_token", descr="Token is revoked",
                          status_code=401)

src/oic/utils/sdb.py

@@ -83,6 +83,7 @@ def __init__(self, typ, lifetime=0, **kwargs):
         self.type = typ
         self.lifetime = lifetime
         self.args = kwargs
+        self.issued_at = utc_time_sans_frac()
 
     def __call__(self, sid, *args, **kwargs):
         """
@@ -128,7 +129,19 @@ def get_type(self, token):
         raise NotImplementedError()
 
     def expires_at(self):
-        return utc_time_sans_frac() + self.lifetime
+        return self.issued_at + self.lifetime
+
+    def is_expired(self, when=None):
+        """Return if token is still valid."""
+        if when is None:
+            now = utc_time_sans_frac()
+        else:
+            now = when
+        eat = self.expires_at()
+        if now > eat:
+            return True
+        else:
+            return False
 
     def invalidate(self, token):
         pass

tests/test_oic_provider.py

@@ -12,6 +12,7 @@
 
 import pytest
 import responses
+from freezegun import freeze_time
 from mock import Mock
 from mock import patch
 from requests import ConnectionError
@@ -705,6 +706,28 @@ def test_userinfo_endpoint(self):
         ident = OpenIDSchema().deserialize(resp.message, "json")
         assert _eq(ident.keys(), ['nickname', 'sub', 'name', 'email'])
 
+    def test_userinfo_endpoint_expired(self):
+        self.cons.client_secret = "drickyoughurt"
+        self.cons.config["response_type"] = ["token"]
+        self.cons.config["request_method"] = "parameter"
+        state, location = self.cons.begin("openid", "token", path="http://localhost:8087")
+
+        initial_datetime = datetime.datetime(2018, 2, 5, 10, 0, 0, 0)
+        final_datetime = datetime.datetime(2018, 2, 9, 10, 0, 0, 0)
+        with freeze_time(initial_datetime) as frozen:
+            resp = self.provider.authorization_endpoint(request=urlparse(location).query)
+
+            # redirect
+            atr = AuthorizationResponse().deserialize(urlparse(resp.message).fragment, "urlencoded")
+            frozen.move_to(final_datetime)
+
+            uir = UserInfoRequest(access_token=atr["access_token"], schema="openid")
+            resp = self.provider.userinfo_endpoint(request=uir.to_urlencoded())
+
+        message = json.loads(resp.message)
+        assert message['error'] == 'invalid_token'
+        assert message['error_description'] == 'Token is expired'
+
     def test_userinfo_endpoint_extra_claim(self):
         # We have to recreate the cache again
         self.provider.extra_claims = ['extra_claim']

tests/test_sdb.py

@@ -1,10 +1,12 @@
 import base64
+import datetime
 import hashlib
 import hmac
 import random
 import time
 
 import pytest
+from freezegun import freeze_time
 
 from oic.oic.message import AuthorizationRequest
 from oic.oic.message import OpenIDRequest
@@ -71,7 +73,7 @@ def test_get_token(self):
 class TestToken(object):
     @pytest.fixture(autouse=True)
     def create_token(self):
-        self.token = DefaultToken("secret", "password", lifetime={'': 60})
+        self.token = DefaultToken("secret", "password", lifetime=60)
 
     def test_token(self):
         sid = self.token.key(areq=AREQ)
@@ -95,6 +97,23 @@ def test_type_and_key(self):
         assert part[0] == "A"
         assert part[1] == sid
 
+    def test_expired_fresh(self):
+        _token = DefaultToken('secret', 'password', lifetime=60)
+        assert _token.is_expired() is False
+
+    def test_expired_stale(self):
+        initial_datetime = datetime.datetime(2018, 2, 5, 10, 0, 0, 0)
+        final_datetime = datetime.datetime(2018, 2, 5, 10, 1, 0, 0)
+        with freeze_time(initial_datetime) as frozen:
+            _token = DefaultToken('secret', 'password', lifetime=2)
+            frozen.move_to(final_datetime)
+            assert _token.is_expired() is True
+
+    def test_expired_when(self):
+        _token = DefaultToken('secret', 'password', lifetime=2)
+        when = time.time() + 5  # 5 seconds from now
+        assert _token.is_expired(when=when) is True
+
 
 class TestSessionDB(object):
     @pytest.fixture(autouse=True)