Token cache temporal fix and jwt expiration issue

bin/www

@@ -22,7 +22,7 @@ const debug = require('debug')('pep-proxy:www');
 
 const os = require('os');
 const cluster = require('cluster');
-const clusterWorkerSize = os.cpus().length;
+const clusterWorkerSize = (config.cluster.type === 'manual') ? config.cluster.number : os.cpus().length;
 
 process.on('uncaughtException', function (err) {
   debug('Caught exception: ' + err);

config.js

@@ -1,7 +1,8 @@
+#!/usr/bin/env node
 const config = {};
 
 // Used only if https is disabled
-config.pep_port = 80;
+config.pep_port = 3001;
 
 // Set this var to undefined if you don't want the server to listen on HTTPS
 config.https = {
@@ -13,13 +14,13 @@ config.https = {
 
 config.idm = {
   host: 'localhost',
-  port: 3005,
+  port: 3000,
   ssl: false
 };
 
 config.app = {
-  host: 'www.fiware.org',
-  port: '80',
+  host: 'localhost',
+  port: '3002',
   ssl: false // Use true if the app server listens in https
 };
 
@@ -30,9 +31,9 @@ config.organizations = {
 
 // Credentials obtained when registering PEP Proxy in app_id in Account Portal
 config.pep = {
-  app_id: '',
-  username: '',
-  password: '',
+  app_id: 'c365f878-a348-4584-8ac4-7e940697e1b6',
+  username: 'pep_proxy_7f270eda-17ed-4a49-b9fc-2f6f68490782',
+  password: 'pep_proxy_6a079689-6d4d-466c-bfd9-d2a0af4c6196',
   token: {
     secret: '' // Secret must be configured in order validate a jwt
   },
@@ -45,21 +46,22 @@ config.cache_time = 300;
 // if enabled PEP checks permissions in two ways:
 //  - With IdM: only allow basic authorization
 //  - With Authzforce: allow basic and advanced authorization.
-//	  For advanced authorization, you can use custom policy checks by including programatic scripts
+//    For advanced authorization, you can use custom policy checks by including programatic scripts
 //    in policies folder. An script template is included there
 //
-//	This is only compatible with oauth2 tokens engine
+//  This is only compatible with oauth2 tokens engine
 
 config.authorization = {
   enabled: false,
-  pdp: 'idm', // idm|iShare|xacml|authzforce|opa|azf
+  type: 'idm', // idm|iShare|xacml|authzforce
   header: undefined, // NGSILD-Tenant|fiware-service
-  azf: {
-    // iShare|xacml|authzforce|opa|azf
+  pdp: {
     protocol: 'http',
     host: 'localhost',
     port: 8080,
-    path: '',
+    path: ''
+  },
+  azf: {
     custom_policy: undefined // use undefined to default policy checks (HTTP verb + path).
   }
 };
@@ -72,6 +74,11 @@ config.cors = {
   credentials: true
 };
 
+config.cluster = {
+  type: 'manual', // manual|allCPUCores
+  number: 1
+};
+
 // list of paths that will not check authentication/authorization
 // example: ['/public/*', '/static/css/']
 config.public_paths = [];

config.js.template

@@ -53,7 +53,7 @@ config.cache_time = 300;
 
 config.authorization = {
   enabled: false,
-  pdp: 'idm', // idm|iShare|xacml|authzforce
+  type: 'idm', // idm|iShare|xacml|authzforce
   header: undefined, // NGSILD-Tenant|fiware-service
   pdp: {
     protocol: 'http',
@@ -74,6 +74,11 @@ config.cors = {
   credentials: true
 };
 
+config.cluster = {
+  type: 'manual', // manual|allCPUCores
+  number: 1
+};
+
 // list of paths that will not check authentication/authorization
 // example: ['/public/*', '/static/css/']
 config.public_paths = [];

lib/cache.js

@@ -5,7 +5,6 @@
  *
  */
 
-const isHex = require('is-hex');
 const debug = require('debug')('pep-proxy:cache');
 const config_service = require('./config_service');
 const NodeCache = require('node-cache');
@@ -52,7 +51,7 @@ function checkTokenCache(token, jwtExpiration, action, resource) {
   debug('Token found, checking timestamp...');
   debug(token);
   const currentTime = new Date().getTime();
-  const tokenTime = token.length <= 40 && isHex(token) ? jwtExpiration * 1000 : user.date.getTime();
+  const tokenTime = jwtExpiration ? jwtExpiration * 1000 : user.date.getTime();
 
   if (currentTime - tokenTime > config.cache_time * 1000) {
     debug('Token in cache expired');

lib/config_service.js

@@ -92,7 +92,9 @@ function process_environment_variables(verbose) {
     'PEP_PROXY_MAGIC_KEY',
     'PEP_PROXY_DEBUG',
     'PEP_PROXY_ERROR_TEMPLATE',
-    'PEP_PROXY_ERROR_CONTENT_TYPE'
+    'PEP_PROXY_ERROR_CONTENT_TYPE',
+    'PEP_PROXY_CLUSTER_TYPE',
+    'PEP_PROXY_CLUSTER_NUMBER'
   ];
 
   const protected_variables = [
@@ -215,7 +217,7 @@ function process_environment_variables(verbose) {
     if (process.env.PEP_PROXY_PDP) {
       config.authorization.pdp = process.env.PEP_PROXY_PDP;
     }
-    let pdp = config.authorization.pdp.toLowerCase();
+    let pdp = config.authorization.type.toLowerCase();
     if (pdp === 'authzforce') {
       pdp = 'azf';
     }
@@ -308,6 +310,12 @@ function process_environment_variables(verbose) {
   if (process.env.PEP_PROXY_ERROR_CONTENT_TYPE) {
     config.error_content_type = process.env.PEP_PROXY_ERROR_CONTENT_TYPE;
   }
+  if (process.env.PEP_PROXY_CLUSTER_TYPE) {
+    config.type = process.env.PEP_PROXY_CLUSTER_TYPE;
+  }
+  if (process.env.PEP_PROXY_CLUSTER_NUMBER) {
+    config.number = process.env.PEP_PROXY_CLUSTER_NUMBER;
+  }
 }
 
 function set_config(new_config, verbose = false) {

test/unit/keyrock-pdp-test.js

@@ -264,7 +264,7 @@ describe('Authorization: Keyrock PDP', () => {
       contextBrokerMock = nock('http://fiware.org:1026').get('/restricted').times(3).reply(StatusCodes.OK, {});
       idmMock = nock('http://keyrock.com:3000')
         .get('/user?access_token=' + jwt + '&app_id=application_id&action=GET&resource=/restricted')
-        .times(2)
+        .times(1)
         .reply(StatusCodes.OK, keyrock_permit_response);
     });
     it('should access the user action from cache', (done) => {