Add function that resolves expiration tine

MarcialRosales · MarcialRosales · commit 6efef0995471 · 2024-03-07T10:26:31.000+01:00
diff --git a/deps/oauth2_client/include/oauth2_client.hrl b/deps/oauth2_client/include/oauth2_client.hrl
@@ -66,7 +66,9 @@
 -record(successful_access_token_response, {
   access_token :: binary(),
   token_type :: binary(),
-  refresh_token :: option(binary()),
+  refresh_token :: option(binary()),    % A refresh token SHOULD NOT be included
+                                        % .. for client-credentials flow.
+                                        % https://www.rfc-editor.org/rfc/rfc6749#section-4.4.3
   expires_in :: option(integer())
 }).
 
diff --git a/deps/oauth2_client/src/jwt_helper.erl b/deps/oauth2_client/src/jwt_helper.erl
@@ -6,7 +6,7 @@
 %%
 -module(jwt_helper).
 
--export([decode/1, get_expiration/1]).
+-export([decode/1, get_expiration_time/1]).
 
 -include_lib("jose/include/jose_jwt.hrl").
 
@@ -18,5 +18,5 @@ decode(Token) ->
         {error, {invalid_token, Type, Err, Stacktrace}}
     end.
 
-get_expiration(#{<<"exp">> := Exp}) when is_integer(Exp) -> {ok, Exp};
-get_expiration(#{}) -> {error, missing_exp_field}.
+get_expiration_time(#{<<"exp">> := Exp}) when is_integer(Exp) -> {ok, Exp};
+get_expiration_time(#{}) -> {error, missing_exp_field}.
diff --git a/deps/oauth2_client/src/oauth2_client.erl b/deps/oauth2_client/src/oauth2_client.erl
@@ -5,7 +5,7 @@
 %% Copyright (c) 2007-2024 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. All rights reserved.
 %%
 -module(oauth2_client).
--export([get_access_token/2,
+-export([get_access_token/2, get_expiration_time/1,
         refresh_access_token/2,
         get_oauth_provider/1, get_oauth_provider/2,
         extract_ssl_options_as_list/1
@@ -71,6 +71,14 @@ get_openid_configuration(IssuerURI, OpenIdConfigurationPath, TLSOptions) ->
 get_openid_configuration(IssuerURI, TLSOptions) ->
   get_openid_configuration(IssuerURI, ?DEFAULT_OPENID_CONFIGURATION_PATH, TLSOptions).
 
+-spec get_expiration_time(successful_access_token_response()) -> {ok, integer()} | {error, missing_exp_field}.
+get_expiration_time(#successful_access_token_response{expires_in = ExpiresIn,
+    access_token = AccessToken}) ->
+  case ExpiresIn of
+    undefined -> jwt_helper:get_expiration_time(jwt_helper:decode(AccessToken));
+    _ -> {ok, ExpiresIn}
+  end.
+
 update_oauth_provider_endpoints_configuration(OAuthProvider) ->
   LockId = lock(),
   try do_update_oauth_provider_endpoints_configuration(OAuthProvider) of
diff --git a/deps/oauth2_client/test/oauth2_client_test_util.erl b/deps/oauth2_client/test/oauth2_client_test_util.erl
@@ -66,6 +66,11 @@ expirable_token(Seconds) ->
     %% expiration is a timestamp with precision in seconds
     TokenPayload#{<<"exp">> := os:system_time(seconds) + Seconds}.
 
+expirable_token_with_expiration_time(ExpiresIn) ->
+    TokenPayload = fixture_token(),
+    %% expiration is a timestamp with precision in seconds
+    TokenPayload#{<<"exp">> := ExpiresIn}.
+
 expired_token() ->
     expired_token_with_scopes(full_permission_scopes()).
 
diff --git a/deps/oauth2_client/test/unit_SUITE.erl b/deps/oauth2_client/test/unit_SUITE.erl
@@ -15,10 +15,12 @@
 
 -compile(export_all).
 
+-define(UTIL_MOD, oauth2_client_test_util).
 
 all() ->
 [
-   {group, ssl_options}
+   {group, ssl_options},
+   {group, get_expiration_time}
 ].
 
 groups() ->
@@ -27,42 +29,77 @@ groups() ->
     no_ssl_options_triggers_verify_peer,
     peer_verification_verify_none,
     peer_verification_verify_peer_with_cacertfile
+  ]},
+  {get_expiration_time, [], [
+    access_token_response_without_expiration_time,
+    access_token_response_with_expires_in,
+    access_token_response_with_exp_in_access_token
   ]}
 ].
 
+
 no_ssl_options_triggers_verify_peer(_) ->
-  ?assertMatch([
+  [
     {verify, verify_peer},
     {depth, 10},
     {crl_check,false},
     {fail_if_no_peer_cert,false},
     {cacerts, _CaCerts}
-  ], oauth2_client:extract_ssl_options_as_list(#{})).
+  ] = oauth2_client:extract_ssl_options_as_list(#{ }).
 
 peer_verification_verify_none(_) ->
-  Expected1 = [
+  [
     {verify, verify_none}
-  ],
-  ?assertEqual(Expected1, oauth2_client:extract_ssl_options_as_list(#{peer_verification => verify_none})),
-
-  Expected2 = [
+  ] = oauth2_client:extract_ssl_options_as_list(#{ peer_verification => verify_none }),
+  [
     {verify, verify_none}
-  ],
-  ?assertEqual(Expected2, oauth2_client:extract_ssl_options_as_list(#{
+  ] = oauth2_client:extract_ssl_options_as_list(#{
     peer_verification => verify_none,
     cacertfile => "/tmp"
-  })).
+  }).
 
 
 peer_verification_verify_peer_with_cacertfile(_) ->
-  Expected = [
+  [
     {verify, verify_peer},
     {depth, 10},
     {crl_check,false},
     {fail_if_no_peer_cert,false},
     {cacertfile, "/tmp"}
-  ],
-  ?assertEqual(Expected, oauth2_client:extract_ssl_options_as_list(#{
+  ] = oauth2_client:extract_ssl_options_as_list(#{
     cacertfile => "/tmp",
     peer_verification => verify_peer
-  })).
+  }).
+
+
+access_token_response_with_expires_in(_) ->
+  Jwk = ?UTIL_MOD:fixture_jwk(),
+  ExpiresIn = os:system_time(seconds),
+  AccessToken = ?UTIL_MOD:expirable_token_with_expiration_time(ExpiresIn),
+  {_, EncodedToken} = ?UTIL_MOD:sign_token_hs(AccessToken, Jwk),
+  AccessTokenResponse = #successful_access_token_response{
+    access_token = EncodedToken,
+    expires_in = ExpiresIn
+  },
+  ?assertEqual({ok, ExpiresIn}, oauth2_client:get_expiration_time(AccessTokenResponse)).
+
+access_token_response_with_exp_in_access_token(_) ->
+  Jwk = ?UTIL_MOD:fixture_jwk(),
+  ExpiresIn = os:system_time(seconds),
+  AccessToken = ?UTIL_MOD:expirable_token_with_expiration_time(ExpiresIn),
+  {_, EncodedToken} = ?UTIL_MOD:sign_token_hs(AccessToken, Jwk),
+  AccessTokenResponse = #successful_access_token_response{
+    access_token = EncodedToken
+  },
+  ?assertEqual({ok, ExpiresIn}, oauth2_client:get_expiration_time(AccessTokenResponse)).
+
+access_token_response_without_expiration_time(_) ->
+  Jwk = ?UTIL_MOD:fixture_jwk(),
+  AccessToken = maps:remove(<<"exp">>, ?UTIL_MOD:fixture_token()),
+  ct:log("AccesToken ~p", [AccessToken]),
+  {_, EncodedToken} = ?UTIL_MOD:sign_token_hs(AccessToken, Jwk),
+  AccessTokenResponse = #successful_access_token_response{
+    access_token = EncodedToken
+  },
+  ct:log("AccessTokenResponse ~p", [AccessTokenResponse]),
+  ?assertEqual({error, missing_exp_field}, oauth2_client:get_expiration_time(AccessTokenResponse)).
