From 04c74a18300e08cc9575e5d022816109593202da Mon Sep 17 00:00:00 2001
From: Ravi Nagarjun Akella
Date: Thu, 23 May 2024 13:55:12 -0700
Subject: [PATCH] download token 5 minutes before expiry

---
 include/sisl/auth_manager/trf_client.hpp | 3 ++-
 src/auth_manager/tests/AuthTest.cpp | 10 ++++++++--
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/include/sisl/auth_manager/trf_client.hpp b/include/sisl/auth_manager/trf_client.hpp
index 368fe37f..da47851f 100644
--- a/include/sisl/auth_manager/trf_client.hpp
+++ b/include/sisl/auth_manager/trf_client.hpp
@@ -26,9 +26,10 @@ class TrfClient {
 private:
 void validate_grant_path() const;
 bool grant_path_exists() const { return std::filesystem::exists(SECURITY_DYNAMIC_CONFIG(trf_client->grant_path)); }
+ // If leeway is set, this will force us to download token ahead of its expiry
 bool access_token_expired() const {
 return (std::chrono::system_clock::now() >
- m_expiry + std::chrono::seconds(SECURITY_DYNAMIC_CONFIG(trf_client->trf_expiry_leeway_secs)));
+ m_expiry - std::chrono::seconds(SECURITY_DYNAMIC_CONFIG(trf_client->trf_expiry_leeway_secs)));
 }
 static bool get_file_contents(const std::string& file_name, std::string& contents);
diff --git a/src/auth_manager/tests/AuthTest.cpp b/src/auth_manager/tests/AuthTest.cpp
index 593c4246..3c39f5f0 100644
--- a/src/auth_manager/tests/AuthTest.cpp
+++ b/src/auth_manager/tests/AuthTest.cpp
@@ -208,6 +208,7 @@ static void load_trf_settings() {
 SECURITY_SETTINGS_FACTORY().modifiable_settings([](auto& s) {
 s.trf_client->grant_path = grant_path;
 s.trf_client->server = "127.0.0.1:12346/token";
+ s.trf_client->trf_expiry_leeway_secs = 30;
 s.auth_manager->verify = false;
 s.auth_manager->expiry_leeway_secs = 30;
 });
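Review bot: `access_token_expired()` in trf_client.hpp puts no bound on `trf_expiry_leeway_secs` relative to the token's lifetime, so a leeway equal to or larger than that lifetime makes the function return true on every call and, presumably, causes a download each time the token is requested. The change also flips the meaning of an existing setting, from a grace period after `m_expiry` to an early-refresh window before it, and deployments that already set the value will pick that up silently; the "5 minutes" in the subject depends on a default that is not visible in this patch. I would expand the new comment to say so, for example `// Reports the token as expired trf_expiry_leeway_secs before m_expiry so it is refreshed early; keep the leeway well below the token lifetime.` The function body lies entirely inside the hunk.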
@@ -240,8 +241,9 @@ TEST_F(AuthTest, trf_allow_valid_token) {
 const auto raw_token{TestToken().sign_rs256()};
 // mock_trf_client is expected to be called twice
 // 1. First time when access_token is empty
- // 2. When token is set to be expired
- EXPECT_CALL(mock_trf_client, request_with_grant_token()).Times(2);
+ // 2. When expiry - leeway is less than current time
+ // 3. When access_token is expired
+ EXPECT_CALL(mock_trf_client, request_with_grant_token()).Times(3);
 ON_CALL(mock_trf_client, request_with_grant_token())
 .WillByDefault(
 testing::Invoke([&mock_trf_client, &raw_token]() { mock_trf_client.set_token(raw_token, "Bearer"); }));
@@ -253,6 +255,10 @@ TEST_F(AuthTest, trf_allow_valid_token) {
 EXPECT_CALL(*mock_auth_mgr, download_key(_)).Times(0);
 EXPECT_EQ(mock_auth_mgr->verify(mock_trf_client.get_token()), AuthVerifyStatus::OK);
+ // token valid but the leeway (30 seconds) should invoke request_with_grant_token
+ mock_trf_client.set_expiry(std::chrono::system_clock::now() + std::chrono::seconds(25));
+ EXPECT_EQ(mock_auth_mgr->verify(mock_trf_client.get_token()), AuthVerifyStatus::OK);
+ // set token to be expired invoking request_with_grant_token
 mock_trf_client.set_expiry(std::chrono::system_clock::now() - std::chrono::seconds(100));
 EXPECT_CALL(*mock_auth_mgr, download_key(_)).Times(0);
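Review bot: The unchanged comment `// mock_trf_client is expected to be called twice` at the top of the first AuthTest.cpp hunk is now stale, because the numbered list below it has three entries and the expectation is `Times(3)`. It should read `// mock_trf_client is expected to be called three times`. The test body starts and ends outside this hunk.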
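Review bot: The added step with `set_expiry(now + 25s)` exercises a refresh inside the leeway window, but nothing visible asserts that a token outside the window is reused without a download. If the test makes only the `get_token()` calls implied by the three numbered cases, `Times(3)` would pass just as well for an implementation that downloads on every call. A step before the 25-second one, such as `mock_trf_client.set_expiry(std::chrono::system_clock::now() + std::chrono::seconds(300));` followed by `EXPECT_EQ(mock_auth_mgr->verify(mock_trf_client.get_token()), AuthVerifyStatus::OK);`, with `Times(3)` left unchanged, would pin that down. The test body starts and ends outside this hunk.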