handle entity statement exp

Author: leleuj

documentation/docs/next-version.md

@@ -3,7 +3,7 @@ layout: ddoc
 title: Next version
 ---
 
-The next version **6.4.0-SNAPSHOT** is under development.
+The next version **6.4.1-SNAPSHOT** is under development.
 Maven artifacts are built via Github Actions and available in the [Central Portal Snapshots repository](https://central.sonatype.com/repository/maven-snapshots).
 
 The source code can be cloned and locally built via Maven:
@@ -13,3 +13,5 @@ git clone git@github.com:pac4j/pac4j.git
 cd pac4j
 mvn clean install
 ```
+
+You'd better fork the project if you want to submit pull requests.

documentation/docs/release-notes.md

@@ -7,6 +7,7 @@ title: Release notes:
 
 **v6.4.1**:
 - Ensures proper initialization of `SAML2Configuration`
+- Expires the entity statement after `validityInDays` in `DefaultEntityConfigurationGenerator`
 
 **v6.4.0**:
 - Upgrade to Shiro v2.1 for security reasons. Defaults remain the ones of Shiro v1.13 though and will change in a future major version.

pac4j-oidc/src/main/java/org/pac4j/oidc/federation/entity/DefaultEntityConfigurationGenerator.java

@@ -4,7 +4,9 @@
 import com.nimbusds.jose.jwk.JWKSet;
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import lombok.AccessLevel;
 import lombok.RequiredArgsConstructor;
+import lombok.Setter;
 import lombok.extern.slf4j.Slf4j;
 import lombok.val;
 import org.apache.commons.lang3.StringUtils;
@@ -39,6 +41,9 @@ public class DefaultEntityConfigurationGenerator extends InitializableObject imp
 
     private String data;
 
+    @Setter(AccessLevel.PACKAGE)
+    private Date expirationDate;
+
     @Override
     public String getContentType() {
         return CONTENT_TYPE;
@@ -51,6 +56,16 @@ public String generateEntityStatement() {
         return data;
     }
 
+    @Override
+    protected boolean shouldInitialize(final boolean forceReinit) {
+        val now = new Date();
+        if (expirationDate == null || expirationDate.before(now)) {
+            return true;
+        }
+
+        return super.shouldInitialize(forceReinit);
+    }
+
     @Override
     protected void internalInit(final boolean forceReinit) {
         val config = client.getConfiguration();
@@ -87,14 +102,14 @@ protected String buildConfig(final JWK signingKey) {
 
         val now = new Date();
         long validityMs = (long) federation.getValidityInDays() * 24 * 60 * 60 * 1000L;
-        val exp = new Date(now.getTime() + validityMs);
+        expirationDate = new Date(now.getTime() + validityMs);
 
         val claimsBuilder = new JWTClaimsSet.Builder()
             .issuer(entityId)
             .subject(entityId)
             .jwtID(UUID.randomUUID().toString())
             .issueTime(now)
-            .expirationTime(exp)
+            .expirationTime(expirationDate)
             .notBeforeTime(now);
 
         val rpMetadata = new LinkedHashMap<String, Object>();

pac4j-oidc/src/test/java/org/pac4j/oidc/federation/entity/DefaultEntityConfigurationGeneratorTests.java

@@ -25,6 +25,7 @@
 
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.util.Date;
 import java.util.List;
 import java.util.Map;
 import java.util.function.Consumer;
@@ -79,6 +80,40 @@ public void testGetContentType() {
         assertEquals("application/entity-statement+jwt", generator.getContentType());
     }
 
+    @Test
+    public void testShouldNotInitializeAgainWhenAlreadyInitializedAndNotExpired() throws Exception {
+        val jwksFile = tmp.resolve("not-expired.jwks");
+        federation.getJwks().setJwksResource(new FileSystemResource(jwksFile.toFile()));
+        val generator = newGenerator();
+
+        val firstEntityStatement = generator.generateEntityStatement();
+        assertEquals(1, generator.getNbAttempts());
+
+        generator.setExpirationDate(new Date(System.currentTimeMillis() + 60_000L));
+        assertFalse(generator.shouldInitialize(false));
+
+        val secondEntityStatement = generator.generateEntityStatement();
+        assertEquals(firstEntityStatement, secondEntityStatement);
+        assertEquals(1, generator.getNbAttempts());
+    }
+
+    @Test
+    public void testShouldInitializeAgainWhenAlreadyInitializedAndExpired() throws Exception {
+        val jwksFile = tmp.resolve("expired.jwks");
+        federation.getJwks().setJwksResource(new FileSystemResource(jwksFile.toFile()));
+        val generator = newGenerator();
+
+        val firstEntityStatement = generator.generateEntityStatement();
+        assertEquals(1, generator.getNbAttempts());
+
+        generator.setExpirationDate(new Date(System.currentTimeMillis() - 1_000L));
+        assertTrue(generator.shouldInitialize(false));
+
+        val secondEntityStatement = generator.generateEntityStatement();
+        assertNotEquals(firstEntityStatement, secondEntityStatement);
+        assertEquals(2, generator.getNbAttempts());
+    }
+
     @Test
     public void testGenerateEntityStatementWithoutJwksAndWithoutKeystore() {
         federation.setJwks(null);