From fe34a6a1107f44cab097e81bf0f7cc194675df6c Mon Sep 17 00:00:00 2001
From: Wenkai Yin
Date: Mon, 8 Aug 2016 11:21:48 +0800
Subject: [PATCH] make token expiratioin configurable
---
 Deploy/harbor.cfg | 3 +++
 Deploy/prepare | 4 +++-
 Deploy/templates/ui/env | 1 +
 service/token/authutils.go | 27 ++++++++++++++++++++++++++-
 4 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/Deploy/harbor.cfg b/Deploy/harbor.cfg
index bf8a721e7..be01490c3 100644
--- a/Deploy/harbor.cfg
+++ b/Deploy/harbor.cfg
@@ -44,6 +44,9 @@ use_compressed_js = on
 #Maximum number of job workers in job service
 max_job_workers = 3
+#The expiration of token used by token service, default is 30 minutes
+token_expiration = 30
+
 #Determine whether the job service should verify the ssl cert when it connects to a remote registry.
 #Set this flag to off when the remote registry uses a self-signed or untrusted certificate.
 verify_remote_cert = on
diff --git a/Deploy/prepare b/Deploy/prepare
index cdea56550..27c6775ca 100755
--- a/Deploy/prepare
+++ b/Deploy/prepare
@@ -48,6 +48,7 @@ crt_organizationalunit = rcp.get("configuration", "crt_organizationalunit")
 crt_commonname = rcp.get("configuration", "crt_commonname")
 crt_email = rcp.get("configuration", "crt_email")
 max_job_workers = rcp.get("configuration", "max_job_workers")
+token_expiration = rcp.get("configuration", "token_expiration")
 verify_remote_cert = rcp.get("configuration", "verify_remote_cert")
 ########
@@ -101,7 +102,8 @@ render(os.path.join(templates_dir, "ui", "env"),
 self_registration=self_registration,
 use_compressed_js=use_compressed_js,
 ui_secret=ui_secret,
- verify_remote_cert=verify_remote_cert)
+ verify_remote_cert=verify_remote_cert,
+ token_expiration=token_expiration)
 render(os.path.join(templates_dir, "ui", "app.conf"),
 ui_conf,
diff --git a/Deploy/templates/ui/env b/Deploy/templates/ui/env
index 972d94df7..fe8f860d2 100644
--- a/Deploy/templates/ui/env
+++ b/Deploy/templates/ui/env
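Review bot: The comment added above `token_expiration` in Deploy/harbor.cfg mentions the unit only in passing and does not say which values are accepted or what the setting means for security. Suggest `#Lifetime in minutes of tokens issued by the token service; must be a positive integer (default 30). Shorter values limit how long a leaked token stays usable.` The Go side of this commit falls back to the default for anything non-numeric or non-positive, so stating the accepted range here keeps an operator from silently getting 30 minutes.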
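Review bot: In the first Deploy/prepare hunk, `rcp.get("configuration", "token_expiration")` has no fallback, so a harbor.cfg written before this commit, which lacks the new key, would presumably make prepare abort with a missing-option error if `rcp` is a standard ConfigParser. Consider defaulting when the option is absent, for example `token_expiration = rcp.get("configuration", "token_expiration") if rcp.has_option("configuration", "token_expiration") else "30"`. The second hunk passes the value to the ui env template unvalidated, so a non-numeric entry is only noticed later, when the service starts and logs the parse failure.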
@@ -19,3 +19,4 @@ GODEBUG=netdns=cgo
 EXT_ENDPOINT=$ui_url
 TOKEN_URL=http://ui
 VERIFY_REMOTE_CERT=$verify_remote_cert
+TOKEN_EXPIRATION=$token_expiration
diff --git a/service/token/authutils.go b/service/token/authutils.go
index 4c30648c4..7e914c732 100644
--- a/service/token/authutils.go
+++ b/service/token/authutils.go
@@ -21,6 +21,8 @@ import (
 "encoding/base64"
 "encoding/json"
 "fmt"
+ "os"
+ "strconv"
 "strings"
 "time"
@@ -34,9 +36,32 @@ import (
 const (
 issuer = "registry-token-issuer"
 privateKey = "/etc/ui/private_key.pem"
- expiration = 5 //minute
 )
+var (
+ expiration = 30 //minutes
+)
+
+func init() {
+ // TODO read it from config
+ expi := os.Getenv("TOKEN_EXPIRATION")
+ if len(expi) != 0 {
+ i, err := strconv.Atoi(expi)
+ if err != nil {
+ log.Errorf("failed to parse token expiration: %v, using default value: %d minutes", err, expiration)
+ return
+ }
+
+ if i <= 0 {
+ log.Warningf("invalid token expiration, using default value: %d minutes", expiration)
+ return
+ }
+
+ expiration = i
+ }
+ log.Infof("token expiration: %d minutes", expiration)
+}
+
 // GetResourceActions ...
 func GetResourceActions(scopes []string) []*token.ResourceActions {
 log.Debugf("scopes: %+v", scopes)
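Review bot: The new `init()` in service/token/authutils.go accepts any positive TOKEN_EXPIRATION with no upper bound, and on a parse error or a non-positive value it keeps the built-in default, which this hunk also raises from 5 to 30 minutes without the commit message saying so. Where `expiration` is consumed is outside the hunk, but if it sets the lifetime of issued registry tokens, a typo such as an extra digit, or a stricter value written in a form `strconv.Atoi` rejects, leaves tokens valid far longer than the operator intended, which widens the replay window for a leaked token. Consider a documented ceiling, e.g. `if i <= 0 || i > maxExpiration {`, and log the rejected value in the warning: `log.Warningf("invalid token expiration %d, using default value: %d minutes", i, expiration)`. A doc comment on `expiration` stating the unit and that it is set once in `init()` would also help, since it is now a mutable package variable.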