Make security stricter for creation of tokens. (#23333)

* #21856: Make security stricter for creation of tokens.

* Add changelog and added section to UPGRADING.md

* Also add migration to MigrationsModule

---------

Co-authored-by: Patrick Mann <[email protected]>

Author: fpetersen-gl

UPGRADING.md

@@ -28,6 +28,8 @@ is now used as the primary color for elements like buttons and badges in the UI.
   all existing users with the `Reader` role to ensure backwards compatibility. New users that will be created in the
   future need to be explicitly assigned to the `Cluster Configuration Reader` role if they should be able to access the
   page.
+- Only admins are allowed to create a new API token. Existing tokens are not affected by this change. Also, new tokens
+  will expire after 30 days by default.
 
 ## Java API Changes
 

changelog/unreleased/pr-23333.toml

@@ -0,0 +1,6 @@
+type = "c"
+message = "Make default settings for creating new tokens more secure."
+
+pulls = ["23333"]
+issues = ["21856"]
+

graylog2-server/src/main/java/org/graylog2/migrations/MigrationsModule.java

@@ -76,5 +76,6 @@ protected void configure() {
         addMigration(V20250219134200_DefaultTTLForNewTokens.class);
         addMigration(V20250506090000_AddInputTypesPermissions.class);
         addMigration(V20250721090000_AddClusterConfigurationPermission.class);
+        addMigration(V20250804104500_TightenTokenSecurity.class);
     }
 }

graylog2-server/src/main/java/org/graylog2/migrations/V20250804104500_TightenTokenSecurity.java

@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2020 Graylog, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ */
+package org.graylog2.migrations;
+
+import jakarta.inject.Inject;
+import org.graylog2.plugin.cluster.ClusterConfigService;
+import org.graylog2.users.UserConfiguration;
+
+import java.time.ZonedDateTime;
+import java.util.Objects;
+
+/**
+ * Updates {@link UserConfiguration} in the DB to make the security for tokens stricter.
+ *
+ * A possibly existing {@link UserConfiguration} is updated to restrict creation of tokens to admins and local users only.
+ * So no regular or externally authenticated user is allowed to create a token. Also, the default time-to-live (TTL) is
+ * set to 30 days.
+ */
+public class V20250804104500_TightenTokenSecurity extends Migration {
+    private final ClusterConfigService configService;
+
+    //No breaking changes in minor versions (i.e. access must not be limited for upgrades).
+    // When it comes to upgrading to 7.0, access should be restricted.
+
+    @Inject
+    public V20250804104500_TightenTokenSecurity(ClusterConfigService configService) {
+        this.configService = configService;
+    }
+
+    @Override
+    public ZonedDateTime createdAt() {
+        return ZonedDateTime.parse("2025-08-04T10:45:00Z");
+    }
+
+    @Override
+    public void upgrade() {
+        if (migrationAlreadyApplied()) {
+            //Migration already ran, nothing more to do.
+            return;
+        }
+
+        //This migration comes with 7.0, so we're allowed to do breaking changes.
+        final UserConfiguration newDefaults = UserConfiguration.DEFAULT_VALUES;
+
+        UserConfiguration configToUpdate = this.configService.get(UserConfiguration.class);
+        if (configToUpdate == null) {
+            //No userConfig exists, let's simply save the default for the current version:
+            configToUpdate = newDefaults;
+        } else {
+            //A UserConfig already exists. We tighten the security when it comes to who is allowed to create a token
+            // and how long it will be active. The remaining settings stay unchanged:
+            configToUpdate = UserConfiguration.create(
+                    configToUpdate.enableGlobalSessionTimeout(),
+                    configToUpdate.globalSessionTimeoutInterval(),
+                    newDefaults.allowAccessTokenForExternalUsers(),
+                    newDefaults.restrictAccessTokenToAdmins(),
+                    newDefaults.defaultTTLForNewTokens());
+        }
+
+        configService.write(configToUpdate);
+
+        markMigrationApplied();
+    }
+
+    private boolean migrationAlreadyApplied() {
+        return Objects.nonNull(configService.get(V20250804104500_TightenTokenSecurity.MigrationCompleted.class));
+    }
+
+    private void markMigrationApplied() {
+        this.configService.write(new V20250804104500_TightenTokenSecurity.MigrationCompleted());
+    }
+
+    public record MigrationCompleted() {}
+}

graylog2-server/src/test/java/org/graylog2/migrations/V20250804104500_TightenTokenSecurityTest.java

@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2020 Graylog, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ */
+package org.graylog2.migrations;
+
+import org.graylog2.plugin.cluster.ClusterConfigService;
+import org.graylog2.users.UserConfiguration;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.threeten.extra.PeriodDuration;
+
+import java.time.Duration;
+import java.time.temporal.ChronoUnit;
+
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
+import static org.mockito.Mockito.when;
+
+@ExtendWith(MockitoExtension.class)
+class V20250804104500_TightenTokenSecurityTest {
+    //We prepare some existing config with explicitly updated values, so we can safely check they're not touched by the migration:
+    private final UserConfiguration existingConfig = UserConfiguration.create(true, Duration.of(10, ChronoUnit.HOURS), true, false, PeriodDuration.of(Duration.ofDays(7)));
+
+    @Mock
+    private ClusterConfigService configService;
+
+    private V20250804104500_TightenTokenSecurity testee;
+
+    @BeforeEach
+    void setUp() {
+        testee = new V20250804104500_TightenTokenSecurity(configService);
+    }
+
+    @Test
+    void doNothingIfMigrationAlreadyRanSuccessfully() {
+        setupMocks(true, false);
+
+        testee.upgrade();
+
+        verify(configService).get(V20250804104500_TightenTokenSecurity.MigrationCompleted.class);
+        verifyNoMoreInteractions(configService);
+    }
+
+    @Test
+    void persistDefaultValuesIfNoConfigExists() {
+        testee = new V20250804104500_TightenTokenSecurity(configService);
+        setupMocks(false, false);
+
+        testee.upgrade();
+
+        verify(configService).get(V20250804104500_TightenTokenSecurity.MigrationCompleted.class);
+        verify(configService).write(UserConfiguration.DEFAULT_VALUES);
+        verify(configService).write(new V20250804104500_TightenTokenSecurity.MigrationCompleted());
+        verifyNoMoreInteractions(configService);
+    }
+
+    @Test
+    void existingConfigIsUpdatedWithStricterValues() {
+        setupMocks(false, true);
+        //Expected to be written - keeps existing values for globalSessionTimeout and -interval, but applies default values for token access management
+        final UserConfiguration updated = UserConfiguration.create(existingConfig.enableGlobalSessionTimeout(),
+                existingConfig.globalSessionTimeoutInterval(),
+                UserConfiguration.DEFAULT_VALUES.allowAccessTokenForExternalUsers(),
+                UserConfiguration.DEFAULT_VALUES.restrictAccessTokenToAdmins(),
+                UserConfiguration.DEFAULT_VALUES.defaultTTLForNewTokens());
+
+        testee.upgrade();
+
+        verify(configService).get(V20250804104500_TightenTokenSecurity.MigrationCompleted.class);
+        verify(configService).get(UserConfiguration.class);
+        verify(configService).write(updated);
+        verify(configService).write(new V20250804104500_TightenTokenSecurity.MigrationCompleted());
+        verifyNoMoreInteractions(configService);
+    }
+
+
+    private void setupMocks(boolean migrationAlreadyRan, boolean configExists) {
+        if (migrationAlreadyRan) {
+            when(configService.get(V20250804104500_TightenTokenSecurity.MigrationCompleted.class)).thenReturn(new V20250804104500_TightenTokenSecurity.MigrationCompleted());
+        } else {
+            when(configService.get(V20250804104500_TightenTokenSecurity.MigrationCompleted.class)).thenReturn(null);
+            when(configService.get(UserConfiguration.class)).thenReturn(configExists ? existingConfig : null);
+        }
+    }
+}