CAS 6.6.6
Have Simple MFA expiration working in production with couchDb, but had
noticed an issue.
No matter how configured, the expiration of the MFA couchDb record is
always written at 100 years from record creation date.
Only workaround I could find for this was to add a "by_not_processed"
view to couchDb that finds newly created MFA cache entries in order to modify
them with a nightly process to correct the expiration (to, for instance,
7 days out). This does work very nicely in conjunction with multi-device
MFA.
Either the timed CAS cleanup, or querying the expired record will cause it
to be removed which then triggers the need for the user to re-MFA.
Sharing the following in case others run into this issue, and in the case
they also discover the auto-create is not working with couchDb MFA caching.
Added the by_not_processed view, as well as the index (2nd definition).
Combed through every setting I could find from both the documents and the
master property lists. Nothing seemed to affect the expiration. Perhaps I
missed a setting, or there is an undocumented setting, or a problem crept
in. In any case this is a functional workaround.
{
  "_id": "_design/CouchDbMultifactorAuthenticationTrustRecord",
  "_rev": "10-f5c3b2d1d2d76830b88fe50965fbbd0c",
  "views": {
    "all": {
      "map": "function(doc) { if (doc.recordKey && doc.principal && doc.deviceFingerprint && doc.recordDate) { emit(doc._id, doc) } }"
    },
    "by_recordKey": {
      "map": "function(doc) { if (doc.principal && doc.deviceFingerprint && doc.recordDate) { emit(doc.recordKey, doc) } }"
    },
    "by_recordDate": {
      "map": "function(doc) { if (doc.principal && doc.deviceFingerprint && doc.recordDate) { emit(doc.recordDate, doc) } }"
    },
    "by_expirationDate": {
      "map": "function(doc) { if (doc.principal && doc.deviceFingerprint && doc.expirationDate) { emit(doc.expirationDate, doc) } }"
    },
    "by_principal": {
      "map": "function(doc) { if (doc.principal && doc.deviceFingerprint && doc.recordDate) { emit(doc.principal, doc) } }"
    },
    "by_id": {
      "map": "function(doc) { if (doc.principal && doc.deviceFingerprint && doc.recordDate) { emit(doc.id, doc) } }"
    },
    "by_principal_date": {
      "map": "function(doc) { if (doc.recordKey && doc.principal && doc.deviceFingerprint && doc.recordDate) { emit([doc.principal, doc.recordDate], doc) } }"
    },
    "by_all": {
      "map": "function(doc) { if (doc.recordKey) { emit([doc.recordKey], doc) } }"
    },
    "by_not_processed": {
      "map": "function(doc) { if (doc.recordKey && !doc.processed) { emit([doc.recordKey], doc) } }"
    }
  },
  "lists": {},
  "shows": {},
  "language": "javascript",
  "filters": {}
}

{
  "_id": "_design/531fa4a2dcce623b3bf528d83ef5a85e0cafffe4",
  "_rev": "3-14798c189251a398d868ae55b8ea2e33",
  "language": "query",
  "views": {
    "processed-json-index": {
      "map": {
        "fields": {
          "processed": "asc"
        },
        "partial_filter_selector": {}
      },
      "reduce": "_count",
      "options": {
        "def": {
          "fields": [
            "processed"
          ]
        }
      }
    }
  }
}

In batch java job have something like the following to update the
expiration date.
    ...
    List<CasMfaCache> mfaList =
        dbClient.view("CouchDbMultifactorAuthenticationTrustRecord/by_not_processed")
            .includeDocs(true)
            .limit(200)
            .query(CasMfaCache.class);
    if ((mfaList != null) && (mfaList.size() > 0)) {
        for (CasMfaCache mfa : mfaList) {
            /*
              sample recordDate, and expirationDates with expected format in record
              "recordDate": "2023-06-17T19:49:39Z",
              "expirationDate": "2123-06-17T19:49:39.000+00:00"
            */
            LocalDate ld = LocalDate.parse(mfa.getRecordDate().substring(0, 10), dateFormatter)
                .plusDays(expireInXDays);
            String expirationDate = ld.format(dateFormatter)
                + mfa.getRecordDate().substring(10, 19) + ".000+00:00";
            mfa.setExpirationDate(expirationDate);
            mfa.setProcessed("Y");
            dbClient.update(mfa);
        }
    }
    ...
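
Added example, not part of the original message and not CAS code: the same correction written as an audit pass in JavaScript (the language of the CouchDB views above), which caps each unprocessed trust record at recordDate plus a policy window, never lengthens a shorter expiration, and sets aside records whose dates do not parse. A trust record that expires 100 years out means the device is effectively never asked to re-MFA, so this is also the check to run against existing data. Field names and date formats follow the message; auditTrustRecords, maxTrustDays and SAMPLE_DOCS are assumptions.

```javascript
// Added example (not from the original post). Field names and date formats
// follow the post; function names and sample documents are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;
const ISO_RE = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$/;

// Same predicate as the by_not_processed view.
function notProcessed(doc) {
  return Boolean(doc.recordKey && !doc.processed);
}

// Strict ISO-8601 parse; anything else is NaN instead of a guessed date.
function parseIso(value) {
  return typeof value === "string" && ISO_RE.test(value) ? Date.parse(value) : NaN;
}

// Render epoch ms as "YYYY-MM-DDTHH:MM:SS.000+00:00", the stored expirationDate shape.
function toCasExpiration(ms) {
  return new Date(ms).toISOString().replace(/Z$/, "+00:00");
}

// Cap every unprocessed record at recordDate + maxTrustDays; never lengthen one.
function auditTrustRecords(docs, maxTrustDays) {
  const report = { capped: [], withinPolicy: [], malformed: [] };
  for (const doc of docs.filter(notProcessed)) {
    const recorded = parseIso(doc.recordDate);
    const expires = parseIso(doc.expirationDate);
    if (Number.isNaN(recorded) || Number.isNaN(expires)) {
      report.malformed.push(doc._id); // leave for manual review
      continue;
    }
    const limit = recorded + maxTrustDays * DAY_MS;
    if (expires > limit) {
      report.capped.push({ ...doc, expirationDate: toCasExpiration(limit), processed: "Y" });
    } else {
      report.withinPolicy.push(doc._id);
    }
  }
  return report;
}

// Constructed sample documents, not real trust records.
const SAMPLE_DOCS = [
  { _id: "a", recordKey: "k1", recordDate: "2023-06-17T19:49:39Z", expirationDate: "2123-06-17T19:49:39.000+00:00" },
  { _id: "b", recordKey: "k2", processed: "Y", recordDate: "2023-06-10T08:00:00Z", expirationDate: "2023-06-17T08:00:00.000+00:00" },
  { _id: "c", recordKey: "k3", recordDate: "2023-06-17T08:00:00Z", expirationDate: "2023-06-20T08:00:00.000+00:00" },
  { _id: "d", recordKey: "k4", recordDate: "17/06/2023", expirationDate: "2123-06-17T19:49:39.000+00:00" },
];
```

The documents in `capped` are the ones to write back; ids in `malformed` are left untouched for manual review.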