diff --git a/lib/auth/auth_test.go b/lib/auth/auth_test.go
index 960cdc58f7d35..1fea4b37639cd 100644
--- a/lib/auth/auth_test.go
+++ b/lib/auth/auth_test.go
@@ -3119,7 +3119,7 @@ func TestNewWebSession(t *testing.T) {
 LoginTime: p.a.GetClock().Now().UTC(),
 SessionTTL: apidefaults.CertDuration,
 }
- bearerTokenTTL := min(req.SessionTTL, defaults.BearerTokenTTL)
+ bearerTokenTTL := min(req.SessionTTL, duration)
 ws, _, err := p.a.NewWebSession(ctx, req, nil /* opts */)
 require.NoError(t, err)
diff --git a/lib/auth/sessions.go b/lib/auth/sessions.go
index 14b3e8790a859..8834ef67705ac 100644
--- a/lib/auth/sessions.go
+++ b/lib/auth/sessions.go
@@ -313,6 +313,9 @@ func (a *Server) newWebSession(
 return nil, nil, trace.Wrap(err)
 }
 bearerTokenTTL := min(sessionTTL, defaults.BearerTokenTTL)
+ if idleTimeout > 0 {
+ bearerTokenTTL = min(sessionTTL, idleTimeout)
+ }
 startTime := a.clock.Now()
 if !req.LoginTime.IsZero() {
diff --git a/lib/auth/sessions_test.go b/lib/auth/sessions_test.go
index 9d77d4d1fcaec..2572276068743 100644
--- a/lib/auth/sessions_test.go
+++ b/lib/auth/sessions_test.go
@@ -22,6 +22,7 @@ import (
 "time"
 "github.com/google/go-cmp/cmp"
+ "github.com/jonboulle/clockwork"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require" 
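Review bot: In the sessions.go hunk the added branch lets the bearer token live for the whole web idle timeout instead of the `defaults.BearerTokenTTL` cap (10 minutes per the test names in this commit, 10 hours in the new test), and nothing in the hunk records why a credential that was kept deliberately short-lived may now be valid that long; please add a comment above the `if`, e.g. `// A configured web idle timeout replaces the default bearer token TTL; the token still cannot outlive the session.` The same expression also lets an idle timeout shorter than `defaults.BearerTokenTTL` cut the token below the previous value, so the comment should say whether that is intended. The preceding `min(sessionTTL, defaults.BearerTokenTTL)` is overwritten whenever the branch runs; picking the base TTL first and applying `min(sessionTTL, …)` once would avoid the dead assignment. `newWebSession` and the origin of `idleTimeout` and `sessionTTL` lie outside the hunk.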
@@ -29,8 +30,81 @@ import (
 "github.com/gravitational/teleport/api/types"
 "github.com/gravitational/teleport/lib/auth"
 "github.com/gravitational/teleport/lib/auth/authtest"
+ "github.com/gravitational/teleport/lib/defaults"
 )
+func TestCreateWebSession(t *testing.T) {
+ t.Parallel()
+
+ const userLlama = "llama"
+ tenHours := time.Hour * 10
+ eightHours := time.Hour * 8
+
+ testCases := []struct {
+ name string
+ webIdleTimeout *time.Duration
+ sessionTTL time.Duration
+ expectedBearerTokenTTL time.Duration
+ }{
+ {
+ name: "bearerTokenExpiry equal webidletimeout",
+ webIdleTimeout: &tenHours,
+ expectedBearerTokenTTL: tenHours,
+ sessionTTL: time.Hour * 12,
+ },
+ {
+ name: "bearerTokenExpiry is sessionTTL when shorter than webidletimeout",
+ webIdleTimeout: &tenHours,
+ sessionTTL: eightHours,
+ expectedBearerTokenTTL: eightHours,
+ },
+ {
+ name: "bearerTokenExpiry defaults to 10 minutes when webidletimeout not configured",
+ webIdleTimeout: nil,
+ sessionTTL: time.Hour * 12,
+ expectedBearerTokenTTL: defaults.BearerTokenTTL,
+ },
+ }
+
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+ t.Parallel()
+
+ clusterNetworkConfig := types.DefaultClusterNetworkingConfig()
+ if tc.webIdleTimeout != nil {
+ clusterNetworkConfig.SetWebIdleTimeout(*tc.webIdleTimeout)
+ }
+
+ fakeclock := clockwork.NewFakeClock()
+ testAuthServer, err := authtest.NewAuthServer(authtest.AuthServerConfig{
+ Clock: fakeclock,
+ Dir: t.TempDir(),
+ ClusterNetworkingConfig: clusterNetworkConfig,
+ })
+ require.NoError(t, err, "NewAuthServer failed")
+ t.Cleanup(func() {
+ assert.NoError(t, testAuthServer.Close(), "testAuthServer.Close() errored")
+ })
+
+ authServer := testAuthServer.AuthServer
+ ctx := context.Background()
+
+ _, _, err = authtest.CreateUserAndRole(authServer, userLlama, []string{userLlama} /* logins */, nil /* allowRules */)
+ require.NoError(t, err, "CreateUserAndRole failed")
+
+ session, err := authServer.CreateWebSessionFromReq(ctx, auth.NewWebSessionRequest{
+ User: userLlama,
+ SessionTTL: tc.sessionTTL,
+ })
+ require.NoError(t, err, "CreateWebSessionFromReq failed")
+
+ bearerTokenExpiry := session.GetBearerTokenExpiryTime()
+ actualTTL := fakeclock.Until(bearerTokenExpiry)
+ require.Equal(t, tc.expectedBearerTokenTTL, actualTTL)
+ })
+ }
+}
+
 func TestServer_CreateWebSessionFromReq_deviceWebToken(t *testing.T) {
+ t.Parallel()
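Review bot: The table exercises idle timeouts longer than `defaults.BearerTokenTTL` and the unset case, but not an idle timeout shorter than the default, which is the other effect of the new `min(sessionTTL, idleTimeout)` branch (a bearer token now valid for less than 10 minutes), and no case checks that the bearer token expiry stays at or before the session's own expiry. A fourth row driven by a `fiveMinutes := 5 * time.Minute` declared next to `tenHours`, plus an assertion after `require.Equal` that `bearerTokenExpiry` is not after the session expiry (via the session's expiry accessor, if one is exposed), would pin both behaviours. The `t.Parallel()` inside the `t.Run` closure relies on per-iteration `tc` (Go 1.22 loop semantics), which is fine only if the module's go directive is at least 1.22 — not visible here.
```go
// … unchanged: tenHours / eightHours declarations …
fiveMinutes := 5 * time.Minute // constructed: shorter than defaults.BearerTokenTTL

// … unchanged: existing three test cases …
{
	name:                   "bearerTokenExpiry is webidletimeout when shorter than default bearer token TTL",
	webIdleTimeout:         &fiveMinutes,
	sessionTTL:             time.Hour * 12,
	expectedBearerTokenTTL: fiveMinutes,
},
```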