uc-cdis · BinamB · Mar 12, 2021 · Mar 9, 2021 · Mar 10, 2021 · Mar 10, 2021
diff --git a/fence/blueprints/login/ras.py b/fence/blueprints/login/ras.py
@@ -2,13 +2,15 @@
 import jwt
 import os
 from flask_sqlalchemy_session import current_session
+import urllib.request, urllib.parse, urllib.error
 
 from fence.models import GA4GHVisaV1, IdentityProvider
 
 from fence.blueprints.login.base import DefaultOAuth2Login, DefaultOAuth2Callback
 
 from fence.config import config
 from fence.scripting.fence_create import init_syncer
+from fence.utils import get_valid_expiration
 
 
 class RASLogin(DefaultOAuth2Login):
@@ -66,8 +68,22 @@ def post_login(self, user, token_result):
         refresh_token = flask.g.tokens.get("refresh_token")
         id_token = flask.g.tokens.get("id_token")
         decoded_id = jwt.decode(id_token, verify=False)
+
         # Add 15 days to iat to calculate refresh token expiration time
         expires = int(decoded_id.get("iat")) + config["RAS_REFRESH_EXPIRATION"]
+
+        # User definied RAS refresh token expiration time
+        parsed_url = urllib.parse.parse_qs(flask.redirect_url)
+        if parsed_url.get("visa_refresh_exp"):
+            custom_refresh_expiration = int(decoded_id.get("iat")) + int(
+                parsed_url.get("visa_refresh_exp")[0]
+            )
+            expires = get_valid_expiration(
+                custom_refresh_expiration,
+                expires,
+                expires,
+            )
+
         flask.current_app.ras_client.store_refresh_token(
             user=user, refresh_token=refresh_token, expires=expires
         )

diff --git a/fence/job/visa_update_cronjob.py b/fence/job/visa_update_cronjob.py
@@ -152,6 +152,10 @@ async def updater(self, name, updater_queue, db_session):
                     )
                     client.update_user_visas(user, db_session)
             else:
+                if user.upstream_refresh_tokens:
+                    user.upstream_refresh_tokens = []
+                    db_session.commit()
+
                 self.logger.info(
                     "User {} doesnt have visa. Skipping . . .".format(user.username)
                 )

diff --git a/fence/resources/openid/idp_oauth2.py b/fence/resources/openid/idp_oauth2.py
@@ -156,11 +156,11 @@ def get_access_token(self, user, token_endpoint, db_session=None):
             proxies=self.get_proxies(),
             refresh_token=refresh_token,
         )
-        new_refresh_token = token_response["refresh_token"]
+        refresh_token = token_response["refresh_token"]
 
         self.store_refresh_token(
             user,
-            refresh_token=new_refresh_token,
+            refresh_token=refresh_token,
             expires=expires,
             db_session=db_session,
         )