feat: use ZonedDateTime instead of LocalDateTime to avoid unexpected results nearby daylight saving clock changes

WE2-458

Signed-off-by: Mart Somermaa <[email protected]>

Author: mrts

README.md

@@ -86,20 +86,20 @@ import static javax.cache.configuration.FactoryBuilder.factoryOf;
     private static final long NONCE_TTL_MINUTES = 5;
     private static final String CACHE_NAME = "nonceCache";
 
-    private Cache<String, LocalDateTime> nonceCache() {
+    private Cache<String, ZonedDateTime> nonceCache() {
         CacheManager cacheManager = Caching.getCachingProvider(CaffeineCachingProvider.class.getName())
             .getCacheManager();
-        Cache<String, LocalDateTime> cache = cacheManager.getCache(CACHE_NAME);
+        Cache<String, ZonedDateTime> cache = cacheManager.getCache(CACHE_NAME);
 
         if (cache == null) {
             cache = createNonceCache(cacheManager);
         }
         return cache;
     }
 
-    private Cache<String, LocalDateTime> createNonceCache(CacheManager cacheManager) {
-        CompleteConfiguration<String, LocalDateTime> cacheConfig = new MutableConfiguration<String, LocalDateTime>()
-                .setTypes(String.class, LocalDateTime.class)
+    private Cache<String, ZonedDateTime> createNonceCache(CacheManager cacheManager) {
+        CompleteConfiguration<String, ZonedDateTime> cacheConfig = new MutableConfiguration<String, ZonedDateTime>()
+                .setTypes(String.class, ZonedDateTime.class)
                 .setExpiryPolicyFactory(factoryOf(new CreatedExpiryPolicy(
                         new Duration(TimeUnit.MINUTES, NONCE_TTL_MINUTES + 1))));
         return cacheManager.createCache(CACHE_NAME, cacheConfig);

pom.xml

@@ -5,7 +5,7 @@
     <modelVersion>4.0.0</modelVersion>
     <artifactId>authtoken-validation</artifactId>
     <groupId>org.webeid.security</groupId>
-    <version>1.0.2</version>
+    <version>1.1.0</version>
     <packaging>jar</packaging>
     <name>authtoken-validation</name>
     <description>Web eID authentication token validation library for Java</description>

src/main/java/org/webeid/security/nonce/NonceGeneratorBuilder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020, 2021 The Web eID Project
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -25,7 +25,7 @@
 import javax.cache.Cache;
 import java.security.SecureRandom;
 import java.time.Duration;
-import java.time.LocalDateTime;
+import java.time.ZonedDateTime;
 import java.util.Objects;
 
 /**
@@ -35,7 +35,7 @@ public class NonceGeneratorBuilder {
 
     private static final SecureRandom RANDOM = new SecureRandom();
 
-    private Cache<String, LocalDateTime> cache;
+    private Cache<String, ZonedDateTime> cache;
     private SecureRandom secureRandom = RANDOM;
     private Duration ttl = Duration.ofMinutes(5);
 
@@ -60,7 +60,7 @@ public NonceGeneratorBuilder withNonceTtl(Duration duration) {
      * @param cache nonce cache
      * @return current builder instance
      */
-    public NonceGeneratorBuilder withNonceCache(Cache<String, LocalDateTime> cache) {
+    public NonceGeneratorBuilder withNonceCache(Cache<String, ZonedDateTime> cache) {
         this.cache = cache;
         return this;
     }

src/main/java/org/webeid/security/nonce/NonceGeneratorImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020, 2021 The Web eID Project
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -22,19 +22,21 @@
 
 package org.webeid.security.nonce;
 
+import org.webeid.security.util.UtcDateTime;
+
 import javax.cache.Cache;
 import java.security.SecureRandom;
 import java.time.Duration;
-import java.time.LocalDateTime;
+import java.time.ZonedDateTime;
 import java.util.Base64;
 
 final class NonceGeneratorImpl implements NonceGenerator {
 
-    private final Cache<String, LocalDateTime> cache;
+    private final Cache<String, ZonedDateTime> cache;
     private final SecureRandom secureRandom;
     private final Duration ttl;
 
-    NonceGeneratorImpl(Cache<String, LocalDateTime> cache, SecureRandom secureRandom, Duration ttl) {
+    NonceGeneratorImpl(Cache<String, ZonedDateTime> cache, SecureRandom secureRandom, Duration ttl) {
         this.cache = cache;
         this.secureRandom = secureRandom;
         this.ttl = ttl;
@@ -44,7 +46,7 @@ final class NonceGeneratorImpl implements NonceGenerator {
     public String generateAndStoreNonce() {
         final byte[] nonceBytes = new byte[NONCE_LENGTH];
         secureRandom.nextBytes(nonceBytes);
-        final LocalDateTime expirationTime = LocalDateTime.now().plus(ttl);
+        final ZonedDateTime expirationTime = UtcDateTime.now().plus(ttl);
         final String base64StringNonce = Base64.getEncoder().encodeToString(nonceBytes);
         cache.put(base64StringNonce, expirationTime);
         return base64StringNonce;

src/main/java/org/webeid/security/util/UtcDateTime.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2021 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.security.util;
+
+import java.time.ZoneOffset;
+import java.time.ZonedDateTime;
+
+public final class UtcDateTime {
+
+    public static ZonedDateTime now() {
+        return ZonedDateTime.now(ZoneOffset.UTC);
+    }
+
+    private UtcDateTime() {
+        throw new IllegalStateException("Utility class");
+    }
+}

src/main/java/org/webeid/security/validator/AuthTokenValidationConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020, 2021 The Web eID Project
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 import java.net.URI;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
-import java.time.LocalDateTime;
+import java.time.ZonedDateTime;
 import java.util.Collection;
 import java.util.HashSet;
 import java.util.Objects;
@@ -45,7 +45,7 @@
 final class AuthTokenValidationConfiguration {
 
     private URI siteOrigin;
-    private Cache<String, LocalDateTime> nonceCache;
+    private Cache<String, ZonedDateTime> nonceCache;
     private Collection<X509Certificate> trustedCACertificates = new HashSet<>();
     private boolean isUserCertificateRevocationCheckWithOcspEnabled = true;
     private Duration ocspRequestTimeout = Duration.ofSeconds(5);
@@ -86,11 +86,11 @@ URI getSiteOrigin() {
         return siteOrigin;
     }
 
-    void setNonceCache(Cache<String, LocalDateTime> nonceCache) {
+    void setNonceCache(Cache<String, ZonedDateTime> nonceCache) {
         this.nonceCache = nonceCache;
     }
 
-    Cache<String, LocalDateTime> getNonceCache() {
+    Cache<String, ZonedDateTime> getNonceCache() {
         return nonceCache;
     }
 

src/main/java/org/webeid/security/validator/AuthTokenValidatorBuilder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020, 2021 The Web eID Project
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -31,7 +31,7 @@
 import java.net.URI;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
-import java.time.LocalDateTime;
+import java.time.ZonedDateTime;
 import java.util.Collections;
 
 /**
@@ -67,7 +67,7 @@ public AuthTokenValidatorBuilder withSiteOrigin(URI origin) {
      * @param cache nonce cache
      * @return the builder instance for method chaining
      */
-    public AuthTokenValidatorBuilder withNonceCache(Cache<String, LocalDateTime> cache) {
+    public AuthTokenValidatorBuilder withNonceCache(Cache<String, ZonedDateTime> cache) {
         configuration.setNonceCache(cache);
         return this;
     }

src/main/java/org/webeid/security/validator/validators/NonceValidator.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020, 2021 The Web eID Project
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -29,18 +29,19 @@
 import org.webeid.security.exceptions.TokenParseException;
 import org.webeid.security.exceptions.TokenValidationException;
 import org.webeid.security.nonce.NonceGenerator;
+import org.webeid.security.util.UtcDateTime;
 import org.webeid.security.validator.AuthTokenValidatorData;
 
 import javax.cache.Cache;
-import java.time.LocalDateTime;
+import java.time.ZonedDateTime;
 
 public final class NonceValidator {
 
     private static final Logger LOG = LoggerFactory.getLogger(NonceValidator.class);
 
-    private final Cache<String, LocalDateTime> cache;
+    private final Cache<String, ZonedDateTime> cache;
 
-    public NonceValidator(Cache<String, LocalDateTime> cache) {
+    public NonceValidator(Cache<String, ZonedDateTime> cache) {
         this.cache = cache;
     }
 
@@ -54,7 +55,7 @@ public NonceValidator(Cache<String, LocalDateTime> cache) {
      */
     public void validateNonce(AuthTokenValidatorData actualTokenData) throws TokenValidationException {
         final String nonce = actualTokenData.getNonce();
-        final LocalDateTime nonceExpirationTime = cache.getAndRemove(nonce);
+        final ZonedDateTime nonceExpirationTime = cache.getAndRemove(nonce);
         if (nonceExpirationTime == null) {
             throw new NonceNotFoundException();
         }
@@ -64,7 +65,7 @@ public void validateNonce(AuthTokenValidatorData actualTokenData) throws TokenVa
                 NonceGenerator.NONCE_LENGTH
             ));
         }
-        if (nonceExpirationTime.isBefore(LocalDateTime.now())) {
+        if (nonceExpirationTime.isBefore(UtcDateTime.now())) {
             throw new NonceExpiredException();
         }
         LOG.debug("Nonce was found and has not expired.");

src/test/java/org/webeid/security/testutil/AbstractTestWithCache.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020, 2021 The Web eID Project
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -25,13 +25,14 @@
 import com.github.benmanes.caffeine.jcache.spi.CaffeineCachingProvider;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
+import org.webeid.security.util.UtcDateTime;
 
 import javax.cache.Cache;
 import javax.cache.CacheManager;
 import javax.cache.Caching;
 import javax.cache.configuration.CompleteConfiguration;
 import javax.cache.configuration.MutableConfiguration;
-import java.time.LocalDateTime;
+import java.time.ZonedDateTime;
 
 public abstract class AbstractTestWithCache {
 
@@ -41,11 +42,11 @@ public abstract class AbstractTestWithCache {
     private static final String TOO_SHORT_TEST_NONCE_KEY = "1234567812345678123456781234567";
 
     private static final CacheManager cacheManager = Caching.getCachingProvider(CaffeineCachingProvider.class.getName()).getCacheManager();
-    private static final CompleteConfiguration<String, LocalDateTime> cacheConfig = new MutableConfiguration<String, LocalDateTime>().setTypes(String.class, LocalDateTime.class);
+    private static final CompleteConfiguration<String, ZonedDateTime> cacheConfig = new MutableConfiguration<String, ZonedDateTime>().setTypes(String.class, ZonedDateTime.class);
 
-    protected Cache<String, LocalDateTime> cache;
+    protected Cache<String, ZonedDateTime> cache;
 
-    public static Cache<String, LocalDateTime> createCache(String cacheName) {
+    public static Cache<String, ZonedDateTime> createCache(String cacheName) {
         return cacheManager.createCache(cacheName, cacheConfig);
     }
 
@@ -54,12 +55,17 @@ protected void setup() {
         cache = createCache(CACHE_NAME);
     }
 
+    @AfterEach
+    protected void tearDown() {
+        cacheManager.destroyCache(CACHE_NAME);
+    }
+
     public void putCorrectNonceToCache() {
         cache.putIfAbsent(CORRECT_TEST_NONCE_KEY, fiveMinutesFromNow());
     }
 
     public void putExpiredNonceToCache() {
-        cache.putIfAbsent(CORRECT_TEST_NONCE_KEY, LocalDateTime.now().minusMinutes(5));
+        cache.putIfAbsent(CORRECT_TEST_NONCE_KEY, ZonedDateTime.now().minusMinutes(5));
     }
 
     public void putIncorrectNonceToCache() {
@@ -70,13 +76,8 @@ public void putTooShortNonceToCache() {
         cache.putIfAbsent(TOO_SHORT_TEST_NONCE_KEY, fiveMinutesFromNow());
     }
 
-    @AfterEach
-    public void tearDown() {
-        cacheManager.destroyCache(CACHE_NAME);
-    }
-
-    private LocalDateTime fiveMinutesFromNow() {
-        return LocalDateTime.now().plusMinutes(5);
+    private ZonedDateTime fiveMinutesFromNow() {
+        return UtcDateTime.now().plusMinutes(5);
     }
 
 }