API tokens with expiration

API tokens can now get an optional expiration date.
Added a select drop down from where you can choose from predefined
durations, a custom date (max 1 year) and no expiration.
Expiration date is shown in the list. Not expiring tokens are marked
with warning.

fixes jenkinsci#16695

Author: mawinter69

core/src/main/java/jenkins/install/SetupWizard.java

@@ -112,7 +112,7 @@ public SetupWizard() {
      *      E.g. 110123456789abcdef0123456789abcdef.
      *      A fixed API Token will be created for the user with that plain value as the token.
      *      It is strongly recommended to use it to generate a new one (random) and then revoke it.
-     *      See {@link ApiTokenProperty#generateNewToken(String)} and {@link ApiTokenProperty#revokeAllTokensExceptOne(String)}
+     *      See {@link ApiTokenProperty#generateNewToken(String, java.util.Date)} and {@link ApiTokenProperty#revokeAllTokensExceptOne(String)}
      *      for scripting methods or using the web API calls:
      *      /user/[user-login]/descriptorByName/jenkins.security.ApiTokenProperty/generateNewToken and
      *      /user/[user-login]/descriptorByName/jenkins.security.ApiTokenProperty/revokeAllExcept
@@ -216,7 +216,7 @@ private void createInitialApiToken(User user) throws IOException, InterruptedExc
 
         String sysProp = ADMIN_INITIAL_API_TOKEN;
         if (sysProp.equals("true")) {
-            TokenUuidAndPlainValue tokenUuidAndPlainValue = apiTokenProperty.generateNewToken("random-generation-during-setup-wizard");
+            TokenUuidAndPlainValue tokenUuidAndPlainValue = apiTokenProperty.generateNewToken("random-generation-during-setup-wizard", null);
             FilePath fp = getInitialAdminApiTokenFile();
             // same comment as in the init method
 

core/src/main/java/jenkins/security/ApiTokenProperty.java

@@ -26,6 +26,7 @@
 
 import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
+import edu.umd.cs.findbugs.annotations.Nullable;
 import hudson.Extension;
 import hudson.Util;
 import hudson.model.Descriptor.FormException;
@@ -255,13 +256,20 @@ public static class TokenInfoAndStats {
         public final int useCounter;
         public final Date lastUseDate;
         public final long numDaysUse;
+        public final String expirationDate;
 
         public TokenInfoAndStats(@NonNull ApiTokenStore.HashedToken token, @NonNull ApiTokenStats.SingleTokenStats stats) {
             this.uuid = token.getUuid();
             this.name = token.getName();
             this.creationDate = token.getCreationDate();
             this.numDaysCreation = token.getNumDaysCreation();
             this.isLegacy = token.isLegacy();
+            LocalDate expirationDate = token.getExpirationDate();
+            if (expirationDate == null) {
+                this.expirationDate = "never";
+            } else {
+                this.expirationDate = expirationDate.toString();
+            }
 
             this.useCounter = stats.getUseCounter();
             this.lastUseDate = stats.getLastUseDate();
@@ -424,15 +432,27 @@ public ApiTokenStats getTokenStats() {
     // essentially meant for scripting
     @Restricted(Beta.class)
     public @NonNull String addFixedNewToken(@NonNull String name, @NonNull String tokenPlainValue) throws IOException {
-        String tokenUuid = this.tokenStore.addFixedNewToken(name, tokenPlainValue);
+        return addFixedNewToken(name, tokenPlainValue, null);
+    }
+
+    // essentially meant for scripting
+    @Restricted(Beta.class)
+    public @NonNull String addFixedNewToken(@NonNull String name, @NonNull String tokenPlainValue, @Nullable LocalDate expirationDate) throws IOException {
+        String tokenUuid = this.tokenStore.addFixedNewToken(name, tokenPlainValue, expirationDate);
         user.save();
         return tokenUuid;
     }
 
     // essentially meant for scripting
     @Restricted(Beta.class)
     public @NonNull TokenUuidAndPlainValue generateNewToken(@NonNull String name) throws IOException {
-        TokenUuidAndPlainValue tokenUuidAndPlainValue = tokenStore.generateNewToken(name);
+        return generateNewToken(name, null);
+    }
+
+    // essentially meant for scripting
+    @Restricted(Beta.class)
+    public @NonNull TokenUuidAndPlainValue generateNewToken(@NonNull String name, @Nullable LocalDate expirationDate) throws IOException {
+        TokenUuidAndPlainValue tokenUuidAndPlainValue = tokenStore.generateNewToken(name, expirationDate);
         user.save();
         return tokenUuidAndPlainValue;
     }
@@ -535,7 +555,7 @@ public boolean hasCurrentUserRightToGenerateNewToken(User propertyOwner) {
         }
 
         /**
-         * @deprecated use {@link #doGenerateNewToken(User, String)} instead
+         * @deprecated use {@link #doGenerateNewToken(User, String, String, String)} instead
          */
         @Deprecated
         @RequirePOST
@@ -567,7 +587,8 @@ public HttpResponse doChangeToken(@AncestorInPath User u, StaplerResponse rsp) t
         }
 
         @RequirePOST
-        public HttpResponse doGenerateNewToken(@AncestorInPath User u, @QueryParameter String newTokenName) throws IOException {
+        public HttpResponse doGenerateNewToken(@AncestorInPath User u, @QueryParameter String newTokenName,
+                                               @QueryParameter String tokenExpiration, @QueryParameter String expirationDuration) throws IOException {
             if (!hasCurrentUserRightToGenerateNewToken(u)) {
                 return HttpResponses.forbidden();
             }
@@ -579,21 +600,49 @@ public HttpResponse doGenerateNewToken(@AncestorInPath User u, @QueryParameter S
                 tokenName = newTokenName;
             }
 
+            LocalDate expirationDate = getExpirationDate(tokenExpiration, expirationDuration);
+
             ApiTokenProperty p = u.getProperty(ApiTokenProperty.class);
             if (p == null) {
                 p = forceNewInstance(u, false);
                 u.addProperty(p);
             }
 
-            TokenUuidAndPlainValue tokenUuidAndPlainValue = p.generateNewToken(tokenName);
+            TokenUuidAndPlainValue tokenUuidAndPlainValue = p.generateNewToken(tokenName, expirationDate);
+            String expirationDateString = "never";
+            if (expirationDate != null) {
+                expirationDateString = expirationDate.toString();
+            }
 
             Map<String, String> data = new HashMap<>();
             data.put("tokenUuid", tokenUuidAndPlainValue.tokenUuid);
             data.put("tokenName", tokenName);
             data.put("tokenValue", tokenUuidAndPlainValue.plainValue);
+            data.put("expirationDate", expirationDateString);
             return HttpResponses.okJSON(data);
         }
 
+        private LocalDate getExpirationDate(String tokenExpiration, String expirationDuration) {
+            if (expirationDuration == null) {
+                expirationDuration = "";
+            }
+            expirationDuration = expirationDuration.trim();
+
+            return  switch (expirationDuration) {
+                case "", "never" -> {
+                    yield null;
+                }
+                case "custom" -> {
+                    yield LocalDate.parse(tokenExpiration);
+                }
+                default -> {
+                    LocalDate now = LocalDate.now();
+                    int days = Integer.parseInt(expirationDuration);
+                    yield now.plusDays(days);
+                }
+            };
+
+        }
         /**
          * This method is dangerous and should not be used without caution.
          * The token passed here could have been tracked by different network system during its trip.
@@ -603,7 +652,9 @@ public HttpResponse doGenerateNewToken(@AncestorInPath User u, @QueryParameter S
         @Restricted(NoExternalUse.class)
         public HttpResponse doAddFixedToken(@AncestorInPath User u,
                                             @QueryParameter String newTokenName,
-                                            @QueryParameter String newTokenPlainValue) throws IOException {
+                                            @QueryParameter String newTokenPlainValue,
+                                            @QueryParameter String tokenExpiration,
+                                            @QueryParameter String expirationDuration) throws IOException {
             if (!hasCurrentUserRightToGenerateNewToken(u)) {
                 return HttpResponses.forbidden();
             }
@@ -615,13 +666,15 @@ public HttpResponse doAddFixedToken(@AncestorInPath User u,
                 tokenName = newTokenName;
             }
 
+            LocalDate expirationDate = getExpirationDate(tokenExpiration, expirationDuration);
+
             ApiTokenProperty p = u.getProperty(ApiTokenProperty.class);
             if (p == null) {
                 p = forceNewInstance(u, false);
                 u.addProperty(p);
             }
 
-            String tokenUuid = p.tokenStore.addFixedNewToken(tokenName, newTokenPlainValue);
+            String tokenUuid = p.tokenStore.addFixedNewToken(tokenName, newTokenPlainValue, expirationDate);
             u.save();
 
             Map<String, String> data = new HashMap<>();

core/src/main/java/jenkins/security/apitoken/ApiTokenStore.java

@@ -35,6 +35,7 @@
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
+import java.time.LocalDate;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Comparator;
@@ -43,6 +44,7 @@
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
+import java.util.Objects;
 import java.util.UUID;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -168,10 +170,18 @@ private void addLegacyToken(@NonNull Secret legacyToken, boolean migrationFromEx
     }
 
     /**
-     * Create a new token with the given name and return it id and secret value.
+     * Create a new token with the given name and return its id and secret value.
      * Result meant to be sent / displayed and then discarded.
      */
     public synchronized @NonNull TokenUuidAndPlainValue generateNewToken(@NonNull String name) {
+        return generateNewToken(name, null);
+    }
+
+    /**
+     * Create a new token with the given name and expiration and return it id and secret value.
+     * Result meant to be sent / displayed and then discarded.
+     */
+    public synchronized @NonNull TokenUuidAndPlainValue generateNewToken(@NonNull String name, @Nullable LocalDate expirationDate) {
         // 16x8=128bit worth of randomness, using brute-force you need on average 2^127 tries (~10^37)
         byte[] random = new byte[16];
         RANDOM.nextBytes(random);
@@ -180,9 +190,9 @@ private void addLegacyToken(@NonNull Secret legacyToken, boolean migrationFromEx
         String tokenTheUserWillUse = HASH_VERSION + secretValue;
         assert tokenTheUserWillUse.length() == 2 + 32;
 
-        HashedToken token = prepareAndStoreToken(name, secretValue);
+        HashedToken token = prepareAndStoreToken(name, secretValue, expirationDate);
 
-        return new TokenUuidAndPlainValue(token.uuid, tokenTheUserWillUse);
+        return new TokenUuidAndPlainValue(token.uuid, tokenTheUserWillUse, expirationDate);
     }
 
     private static final int VERSION_LENGTH = 2;
@@ -194,7 +204,7 @@ private void addLegacyToken(@NonNull Secret legacyToken, boolean migrationFromEx
      * it could be a good idea to generate a new token randomly and revoke this one.
      */
     @SuppressFBWarnings(value = "UNSAFE_HASH_EQUALS", justification = "Comparison only validates version of the specified token")
-    public synchronized @NonNull String addFixedNewToken(@NonNull String name, @NonNull String tokenPlainValue) {
+    public synchronized @NonNull String addFixedNewToken(@NonNull String name, @NonNull String tokenPlainValue, @Nullable LocalDate expirationDate) {
         if (tokenPlainValue.length() != VERSION_LENGTH + HEX_CHAR_LENGTH) {
             LOGGER.log(Level.INFO, "addFixedNewToken, length received: {0}" + tokenPlainValue.length());
             throw new IllegalArgumentException("The token must consist of 2 characters for the version and 32 hex-characters for the secret");
@@ -211,16 +221,16 @@ private void addLegacyToken(@NonNull Secret legacyToken, boolean migrationFromEx
             throw new IllegalArgumentException("The secret part of the token must consist of 32 hex-characters");
         }
 
-        HashedToken token = prepareAndStoreToken(name, tokenPlainHexValue);
+        HashedToken token = prepareAndStoreToken(name, tokenPlainHexValue, expirationDate);
 
         return token.uuid;
     }
 
-    private @NonNull HashedToken prepareAndStoreToken(@NonNull String name, @NonNull String tokenPlainValue) {
+    private @NonNull HashedToken prepareAndStoreToken(@NonNull String name, @NonNull String tokenPlainValue, LocalDate expirationDate) {
         String secretValueHashed = this.plainSecretToHashInHex(tokenPlainValue);
 
         HashValue hashValue = new HashValue(HASH_VERSION, secretValueHashed);
-        HashedToken token = HashedToken.buildNew(name, hashValue);
+        HashedToken token = HashedToken.buildNew(name, hashValue, expirationDate);
 
         this.addToken(token);
         return token;
@@ -369,6 +379,7 @@ public static class HashedToken implements Serializable {
         private String uuid;
         private String name;
         private Date creationDate;
+        private LocalDate expirationDate;
 
         private HashValue value;
 
@@ -387,16 +398,21 @@ private void init() {
             }
         }
 
-        public static @NonNull HashedToken buildNew(@NonNull String name, @NonNull HashValue value) {
+        public static @NonNull HashedToken buildNew(@NonNull String name, @NonNull HashValue value, LocalDate expirationDate) {
             HashedToken result = new HashedToken();
             result.name = name;
             result.creationDate = new Date();
 
             result.value = value;
+            result.expirationDate = expirationDate;
 
             return result;
         }
 
+        public static @NonNull HashedToken buildNew(@NonNull String name, @NonNull HashValue value) {
+            return buildNew(name, value, null);
+        }
+
         public static @NonNull HashedToken buildNewFromLegacy(@NonNull HashValue value, boolean migrationFromExistingLegacy) {
             HashedToken result = new HashedToken();
             result.name = Messages.ApiTokenProperty_LegacyTokenName();
@@ -426,8 +442,11 @@ public boolean match(byte[] hashedBytes) {
                 return false;
             }
 
+            LocalDate now = LocalDate.now();
+            LocalDate expiration = Objects.requireNonNullElseGet(expirationDate, LocalDate::now);
+            boolean expired = expiration.isBefore(now);
             // String.equals() is not constant-time but this method is. No link between correctness and time spent
-            return MessageDigest.isEqual(hashFromHex, hashedBytes);
+            return MessageDigest.isEqual(hashFromHex, hashedBytes) && !expired;
         }
 
         // used by Jelly view
@@ -440,6 +459,10 @@ public Date getCreationDate() {
             return creationDate;
         }
 
+        public LocalDate getExpirationDate() {
+            return expirationDate;
+        }
+
         // used by Jelly view
         /**
          * Relevant only if the lastUseDate is not null

core/src/main/java/jenkins/security/apitoken/TokenUuidAndPlainValue.java

@@ -24,6 +24,8 @@
 
 package jenkins.security.apitoken;
 
+import java.time.LocalDate;
+import java.time.format.DateTimeFormatter;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.Beta;
 
@@ -45,8 +47,17 @@ public class TokenUuidAndPlainValue {
      */
     public final String plainValue;
 
-    public TokenUuidAndPlainValue(String tokenUuid, String plainValue) {
+
+    public final String expirationDate;
+
+    public TokenUuidAndPlainValue(String tokenUuid, String plainValue, LocalDate expirationDate) {
         this.tokenUuid = tokenUuid;
         this.plainValue = plainValue;
+        if (expirationDate != null) {
+            DateTimeFormatter formatter = DateTimeFormatter.ofPattern("E, L d u");
+            this.expirationDate = formatter.format(expirationDate);
+        } else {
+            this.expirationDate = "Never";
+        }
     }
 }