core/authorize: check for expired tokens (#4543)

* core/authorize: check for expired tokens

* Update pkg/grpc/session/session.go

Co-authored-by: Denis Mishin <dmishin@pomerium.com>

* lint

* fix zero timestamps

* fix

---------

Co-authored-by: Denis Mishin <dmishin@pomerium.com>

pkg/grpc/session/session.go

@@ -4,6 +4,7 @@ package session
 import (
 	context "context"
 	"fmt"
+	"time"
 
 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/structpb"
@@ -86,3 +87,22 @@ func (x *Session) RemoveDeviceCredentialID(deviceCredentialID string) {
 		return el.GetId() != deviceCredentialID
 	})
 }
+
+// ErrSessionExpired indicates the session has expired
+var ErrSessionExpired = fmt.Errorf("session has expired")
+
+// Validate returns an error if the session is not valid.
+func (x *Session) Validate() error {
+	now := time.Now()
+	for name, expiresAt := range map[string]*timestamppb.Timestamp{
+		"session":      x.GetExpiresAt(),
+		"access_token": x.GetOauthToken().GetExpiresAt(),
+		"id_token":     x.GetIdToken().GetExpiresAt(),
+	} {
+		if expiresAt.AsTime().Year() > 1970 && now.After(expiresAt.AsTime()) {
+			return fmt.Errorf("%w: %s expired at %s", ErrSessionExpired, name, expiresAt.AsTime())
+		}
+	}
+
+	return nil
+}

pkg/grpc/session/session_test.go

@@ -0,0 +1,32 @@
+package session
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"google.golang.org/protobuf/types/known/timestamppb"
+)
+
+func TestSession_Validate(t *testing.T) {
+	t.Parallel()
+
+	t0 := timestamppb.New(time.Now().Add(-time.Second))
+	for _, tc := range []struct {
+		name    string
+		session *Session
+		expect  error
+	}{
+		{"valid", &Session{}, nil},
+		{"expired", &Session{ExpiresAt: t0}, ErrSessionExpired},
+		{"expired id token", &Session{IdToken: &IDToken{ExpiresAt: t0}}, ErrSessionExpired},
+		{"expired oauth token", &Session{OauthToken: &OAuthToken{ExpiresAt: t0}}, ErrSessionExpired},
+	} {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			assert.ErrorIs(t, tc.session.Validate(), tc.expect)
+		})
+	}
+}

pkg/grpc/user/user.go

@@ -3,8 +3,11 @@ package user
 
 import (
 	context "context"
+	"fmt"
+	"time"
 
 	"google.golang.org/protobuf/types/known/structpb"
+	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 
 	"github.com/pomerium/pomerium/internal/identity"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
@@ -28,6 +31,23 @@ func PutServiceAccount(ctx context.Context, client databroker.DataBrokerServiceC
 	return databroker.Put(ctx, client, serviceAccount)
 }
 
+// ErrServiceAccountExpired indicates the service account has expired.
+var ErrServiceAccountExpired = fmt.Errorf("service account has expired")
+
+// Validate returns an error if the service account is not valid.
+func (x *ServiceAccount) Validate() error {
+	now := time.Now()
+	for _, expiresAt := range []*timestamppb.Timestamp{
+		x.GetExpiresAt(),
+	} {
+		if expiresAt.AsTime().Year() > 1970 && now.After(expiresAt.AsTime()) {
+			return ErrServiceAccountExpired
+		}
+	}
+
+	return nil
+}
+
 // AddClaims adds the flattened claims to the user.
 func (x *User) AddClaims(claims identity.FlattenedClaims) {
 	if x.Claims == nil {

pkg/grpc/user/user_test.go

@@ -0,0 +1,30 @@
+package user
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"google.golang.org/protobuf/types/known/timestamppb"
+)
+
+func TestServiceAccount_Validate(t *testing.T) {
+	t.Parallel()
+
+	t0 := timestamppb.New(time.Now().Add(-time.Second))
+	for _, tc := range []struct {
+		name           string
+		serviceAccount *ServiceAccount
+		expect         error
+	}{
+		{"valid", &ServiceAccount{}, nil},
+		{"expired", &ServiceAccount{ExpiresAt: t0}, ErrServiceAccountExpired},
+	} {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			assert.ErrorIs(t, tc.serviceAccount.Validate(), tc.expect)
+		})
+	}
+}