ProgrammeVitam · bbenaissa · Nov 6, 2024 · Oct 26, 2024
diff --git a/...rc/main/java/fr/gouv/vitamui/iam/internal/server/security/IamAuthentificationService.java b/...rc/main/java/fr/gouv/vitamui/iam/internal/server/security/IamAuthentificationService.java
@@ -57,13 +57,12 @@
 
 /**
  * External authentication service
- *
- *
  */
 @Getter
 @Setter
 public class IamAuthentificationService {
 
+    public static final String INTERNAL_CAS_USER_NAME = "casuser";
     private final TokenRepository tokenRepository;
 
     private final UserInternalService internalUserService;
@@ -90,6 +89,7 @@ public IamAuthentificationService(
 
     /**
      * Return the User profile and check security data.
+     *
      * @param httpContext HTTP Context.
      * @return
      */
@@ -111,7 +111,10 @@ private AuthUserDto getUserByToken(final String userToken) {
             Date tokenMaxExpirationDate = DateUtils.addMinutes(token.getCreatedDate(), tokenMaxTtl);
             Date currentTokenExpirationDate = token.getUpdatedDate();
             Date newTokenExpirationDate = DateUtils.addMinutes(new Date(), tokenAdditionalTtl);
-            final LocalDate currentTokenExpirationLocalDate = convertToLocalDate(currentTokenExpirationDate);
+
+            if (!token.getRefId().equals(INTERNAL_CAS_USER_NAME) && currentTokenExpirationDate.before(new Date())) {
+                throw new BadCredentialsException("Expired token  usertoken: " + userToken);
+            }
             if (
                 currentTokenExpirationDate.before(newTokenExpirationDate) &&
                 newTokenExpirationDate.before(tokenMaxExpirationDate)

diff --git a/...t/java/fr/gouv/vitamui/iam/internal/server/user/service/UserInternalServiceIntegTest.java b/...t/java/fr/gouv/vitamui/iam/internal/server/user/service/UserInternalServiceIntegTest.java
@@ -46,9 +46,11 @@
 import fr.gouv.vitamui.iam.internal.server.user.dao.UserRepository;
 import fr.gouv.vitamui.iam.internal.server.user.domain.User;
 import fr.gouv.vitamui.iam.internal.server.utils.IamServerUtilsTest;
+import org.apache.commons.lang.time.DateUtils;
 import org.bson.Document;
 import org.junit.Before;
 import org.junit.Test;
+import org.junit.jupiter.api.Assertions;
 import org.junit.runner.RunWith;
 import org.mockito.ArgumentMatchers;
 import org.mockito.Mock;
@@ -64,6 +66,7 @@
 import java.util.Arrays;
 import java.util.Calendar;
 import java.util.Collection;
+import java.util.Date;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -77,7 +80,6 @@
 
 /**
  * Class.
- *
  */
 @RunWith(SpringRunner.class)
 @EnableMongoRepositories(
@@ -87,7 +89,7 @@
 public final class UserInternalServiceIntegTest extends AbstractLogbookIntegrationTest {
 
     private static final String TOKEN_VALUE = "TOK1234567890";
-
+    private static int ttlInMinutes = 30;
     private static final String USER_ID = "userId";
 
     private static final String CUSTOMER_ID = "customerId";
@@ -228,8 +230,10 @@ public void testGetUserProfileByTokenNoTokenInDatabase() {
     public void testGetUserProfileByToken() {
         final Token token = new Token();
         token.setId(TOKEN_VALUE);
-        token.setCreatedDate(Calendar.getInstance().getTime());
-        token.setUpdatedDate(Calendar.getInstance().getTime());
+        Date currentDate = Calendar.getInstance().getTime();
+        final Date nowPlusXMinutes = DateUtils.addMinutes(currentDate, ttlInMinutes);
+        token.setCreatedDate(currentDate);
+        token.setUpdatedDate(nowPlusXMinutes);
         token.setRefId(USER_ID);
         tokenRepository.save(token);
 
@@ -262,6 +266,49 @@ public void testGetUserProfileByToken() {
         assertEquals(USER_ID, userProfile.getId());
     }
 
+    @Test
+    public void testGetUserProfileByExpiredTokenShouldThrowUnauthorizedException() {
+        final Token token = new Token();
+        token.setId(TOKEN_VALUE);
+
+        Date currentDate = Calendar.getInstance().getTime();
+        final Date nowMinusXMinutes = DateUtils.addMinutes(currentDate, (-1) * ttlInMinutes);
+        token.setCreatedDate(currentDate);
+        token.setUpdatedDate(nowMinusXMinutes);
+        token.setRefId(USER_ID);
+        tokenRepository.save(token);
+
+        final User user = IamServerUtilsTest.buildUser(USER_ID, "test@vitamui.com", GROUP_ID, CUSTOMER_ID, LEVEL);
+
+        userRepository.save(user);
+
+        when(groupInternalService.getOne(ArgumentMatchers.anyString(), any(), ArgumentMatchers.any())).thenReturn(
+            new GroupDto()
+        );
+        when(groupInternalService.getMany(any(String.class))).thenReturn(Arrays.asList(new GroupDto()));
+        Mockito.when(internalSecurityService.userIsRootLevel()).thenReturn(true);
+
+        final Customer customer = IamServerUtilsTest.buildCustomer();
+        customer.setId(CUSTOMER_ID);
+        final Tenant tenant = new Tenant();
+        tenant.setId("id");
+        tenant.setIdentifier(10);
+        tenant.setEnabled(true);
+        tenant.setProof(true);
+        when(customerRepository.findById(CUSTOMER_ID)).thenReturn(Optional.of(customer));
+        when(tenantRepository.findByCustomerId(CUSTOMER_ID)).thenReturn(Arrays.asList(tenant));
+
+        when(internalSecurityService.getLevel()).thenReturn(LEVEL);
+        when(groupInternalService.getMany(GROUP_ID)).thenReturn(Arrays.asList(buildGroupDto()));
+        when(groupInternalService.getOneByPassSecurity(GROUP_ID, Optional.empty())).thenReturn(buildGroupDto());
+        when(internalHttpContext.getUserToken()).thenReturn(TOKEN_VALUE);
+
+        Assertions.assertThrows(
+            BadCredentialsException.class,
+            () -> iamAuthentificationService.getUserFromHttpContext(internalHttpContext)
+        );
+    }
+
     @Test
     public void testCreateUser() {
         final UserDto user = createUser();