This is an automated email from the ASF dual-hosted git repository.
pzampino pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push:
new 918be5a KNOX-2384 - Token Service should return expiration from token
when renewal disabled (#342)
918be5a is described below
commit 918be5a38b93df4ffe59affd7d61d3410ec3a236
Author: Phil Zampino <[email protected]>
AuthorDate: Tue Jun 9 13:23:14 2020 -0400
KNOX-2384 - Token Service should return expiration from token when renewal
disabled (#342)
---
.../gateway/service/knoxtoken/TokenResource.java | 12 +++++-
.../service/knoxtoken/TokenServiceMessages.java | 3 ++
.../knoxtoken/TokenServiceResourceTest.java | 46 +++++++++++++++++++---
3 files changed, 54 insertions(+), 7 deletions(-)
diff --git
a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
index 9d5f4e2..57a6996 100644
---
a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
+++
b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
@@ -244,7 +244,17 @@ public class TokenResource {
Response.Status errorStatus = Response.Status.BAD_REQUEST;
if (tokenStateService == null) {
- error = "Token renewal support is not configured";
+ // If the token state service is disabled, then return the expiration
from the specified token
+ try {
+ JWTToken jwt = new JWTToken(token);
+ log.renewalDisabled(getTopologyName(),
TokenUtils.getTokenDisplayText(token), TokenUtils.getTokenId(jwt));
+ expiration = Long.parseLong(jwt.getExpires());
+ } catch (ParseException e) {
+ log.invalidToken(getTopologyName(),
TokenUtils.getTokenDisplayText(token), e);
+ error = safeGetMessage(e);
+ } catch (Exception e) {
+ error = safeGetMessage(e);
+ }
} else {
String renewer = SubjectUtils.getCurrentEffectivePrincipalName();
if (allowedRenewers.contains(renewer)) {
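Review bot: In the `tokenStateService == null` branch the token is only parsed by `new JWTToken(token)`, and neither a signature check nor the `allowedRenewers` test that guards the else branch is visible here, so the response would carry the `exp` of whatever parseable JWT the caller sends. The method begins and ends outside the hunk; if verification and the renewer check do not happen earlier in it, this branch should apply both before reading the claim. `Long.parseLong(jwt.getExpires())` throws for a token with a missing or non-numeric expiration, and that lands in `catch (Exception e)`, which sets `error` without logging. Adding `log.invalidToken(getTopologyName(), TokenUtils.getTokenDisplayText(token), e);` there (assuming its signature accepts a general exception) would keep rejected tokens visible in the log.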
diff --git
a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceMessages.java
b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceMessages.java
index afffafc..dc61949 100644
---
a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceMessages.java
+++
b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceMessages.java
@@ -74,4 +74,7 @@ public interface TokenServiceMessages {
@Message( level = MessageLevel.DEBUG, text = "Knox Token service ({0})
stored state for token {1} ({2})")
void storedToken(String topologyName, String tokenDisplayText, String
tokenId);
+ @Message( level = MessageLevel.WARN,
+ text = "Renewal is disabled for the Knox Token service ({0}).
Responding with the expiration from the token {1} ({2})")
+ void renewalDisabled(String topologyName, String tokenDisplayText, String
tokenId);
}
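Review bot: `renewalDisabled` is declared at `MessageLevel.WARN`, but the TokenResource hunk calls it on every renewal request while the state service is absent, so a steady configuration state produces one WARN line per client call at a rate the callers control. Consider `level = MessageLevel.INFO` (or DEBUG, matching `storedToken` above), and if operators need a warning, emit it once when the service initialises with renewal disabled. The text says "Responding with the expiration from the token", yet the call site logs before `Long.parseLong` runs, so the line is also written for requests that end in an error.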
diff --git
a/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
b/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
index afc6738..a5c4796 100644
---
a/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
+++
b/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
@@ -704,20 +704,54 @@ public class TokenServiceResourceTest {
@Test
public void
testTokenRenewal_ServerManagedStateEnabledAtGatewayWithServiceOverride() throws
Exception {
final String caller = "yarn";
- Response renewalResponse = doTestTokenRenewal(false, true, caller, null,
createTestSubject(caller)).getValue();
- validateRenewalResponse(renewalResponse, 400, false, "Token renewal
support is not configured");
+ Map.Entry<TestTokenStateService, Response> result =
+ doTestTokenRenewal(false, true, caller, null,
createTestSubject(caller));
+
+ // Make sure the expiration was not recorded by the TokenStateService,
since it is disabled for this test
+ TestTokenStateService tss = result.getKey();
+ assertEquals("TokenStateService should be disabled for this test.", 0,
tss.expirationData.size());
+
+ Response renewalResponse = result.getValue();
+ validateSuccessfulRenewalResponse(renewalResponse);
+ String responseContent = (String) renewalResponse.getEntity();
+ assertNotNull(responseContent);
+ Map<String, String> json = parseJSONResponse(responseContent);
+ assertTrue(Boolean.parseBoolean(json.get("renewed")));
+ assertNotNull(json.get("expires")); // Should get back the original
expiration from the token itself
}
@Test
public void testTokenRenewal_ServerManagedStateNotConfiguredAtAll() throws
Exception {
- Response renewalResponse = doTestTokenRenewal(null, null, null, null,
null).getValue();
- validateRenewalResponse(renewalResponse, 400, false, "Token renewal
support is not configured");
+ Map.Entry<TestTokenStateService, Response> result =
doTestTokenRenewal(null, null, null, null, null);
+
+ // Make sure the expiration was not recorded by the TokenStateService,
since it is disabled for this test
+ TestTokenStateService tss = result.getKey();
+ assertEquals("TokenStateService should be disabled for this test.", 0,
tss.expirationData.size());
+
+ Response renewalResponse = result.getValue();
+ validateSuccessfulRenewalResponse(renewalResponse);
+ String responseContent = (String) renewalResponse.getEntity();
+ assertNotNull(responseContent);
+ Map<String, String> json = parseJSONResponse(responseContent);
+ assertTrue(Boolean.parseBoolean(json.get("renewed")));
+ assertNotNull(json.get("expires")); // Should get back the original
expiration from the token itself
}
@Test
public void testTokenRenewal_Disabled() throws Exception {
- Response renewalResponse = doTestTokenRenewal(false, null, null);
- validateRenewalResponse(renewalResponse, 400, false, "Token renewal
support is not configured");
+ Map.Entry<TestTokenStateService, Response> result =
doTestTokenRenewal(false, null, null, null);
+
+ // Make sure the expiration was not recorded by the TokenStateService,
since it is disabled for this test
+ TestTokenStateService tss = result.getKey();
+ assertEquals("TokenStateService should be disabled for this test.", 0,
tss.expirationData.size());
+
+ Response renewalResponse = result.getValue();
+ validateSuccessfulRenewalResponse(renewalResponse);
+ String responseContent = (String) renewalResponse.getEntity();
+ assertNotNull(responseContent);
+ Map<String, String> json = parseJSONResponse(responseContent);
+ assertTrue(Boolean.parseBoolean(json.get("renewed")));
+ assertNotNull(json.get("expires")); // Should get back the original
expiration from the token itself
}
@Test
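Review bot: All three tests only check `assertNotNull(json.get("expires"))`, so they would pass even if the endpoint returned an arbitrary value. The comment says the original expiration should come back, so the assertion should compare against the `exp` claim of the token the test submitted. That token is built inside `doTestTokenRenewal`, outside this hunk, so the helper would need to expose it. The two catch branches of the disabled path in TokenResource have no coverage here: a malformed token and a token without an expiration should each get a test expecting an error response. The same assertion block is repeated three times and would read better as one private helper.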