This is an automated email from the ASF dual-hosted git repository.

pzampino pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git


The following commit(s) were added to refs/heads/master by this push:
     new bd291f8  KNOX-2646. The tokenLimitPerUser check doesn't always work. 
(#484)
bd291f8 is described below

commit bd291f87239c05f3722bfe1796da22c17a7c5e02
Author: Attila Magyar <[email protected]>
AuthorDate: Wed Aug 25 14:33:37 2021 +0200

    KNOX-2646. The tokenLimitPerUser check doesn't always work. (#484)
---
 .../gateway/service/knoxtoken/TokenResource.java   |  3 +-
 .../knoxtoken/TokenServiceResourceTest.java        | 33 ++++++++++++++++++++--
 2 files changed, 31 insertions(+), 5 deletions(-)

diff --git 
a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
 
b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
index 7bc84e4..ba73430 100644
--- 
a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
+++ 
b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
@@ -642,7 +642,7 @@ public class TokenResource {
 
     if (tokenStateService != null) {
       if (tokenLimitPerUser != -1) { // if -1 => unlimited tokens for all users
-        if (tokenStateService.getTokens(p.getName()).size() == 
tokenLimitPerUser) {
+        if (tokenStateService.getTokens(p.getName()).size() >= 
tokenLimitPerUser) {
           log.tokenLimitExceeded(p.getName());
           return Response.status(Response.Status.FORBIDDEN).entity("{ \"Unable 
to get token - token limit exceeded.\" }").build();
         }
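Review bot: The corrected comparison is still a check-then-act sequence: the count from `tokenStateService.getTokens(p.getName()).size()` is read here and the token is presumably created further down doGet, so two requests for the same user arriving together can both observe `limit - 1` tokens and both succeed, unless TokenStateService itself serializes additions (not visible in this hunk). If the limit is meant to be a hard ceiling, the count and the add should happen under one lock or be re-validated when the token is persisted. The reason for `>=` is also worth recording, since a reader may "fix" it back to `==`: `// >= rather than ==: the limit may have been lowered after the user already held more tokens than it allows`. Fetching every token record only to call size() is also more work than a count would be; if the state service offers a count it would be cheaper here. The enclosing method starts and ends outside this hunk.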
@@ -777,5 +777,4 @@ public class TokenResource {
     String message = t.getMessage();
     return message != null ? message : "null";
   }
-
 }
diff --git 
a/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
 
b/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
index a0fded1..301b46f 100644
--- 
a/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
+++ 
b/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
@@ -109,7 +109,7 @@ public class TokenServiceResourceTest {
   private ServletContext context;
   private HttpServletRequest request;
   private JWTokenAuthority authority;
-  private TestTokenStateService tss;
+  private TestTokenStateService tss = new TestTokenStateService();
   private char[] hmacSecret;
 
   private enum TokenLifecycleOperation {
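Review bot: With the initializer moved onto the `tss` declaration and the assignment in configureCommonExpectations removed in the next hunk, the field is no longer reassigned anywhere visible, so it can be `private final TestTokenStateService tss = new TestTokenStateService();` to make that explicit. A short comment on the field would tell the next reader why it is not re-created per call: `// shared across repeated configureCommonExpectations() calls so a test can re-configure the limit while keeping the tokens already issued`. Whether tokens can leak between test methods now depends on the runner creating a fresh test instance per method (JUnit 4 does, if that is what `@Test` comes from here); confirm no existing test relied on an empty service after a second configureCommonExpectations call.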
@@ -170,7 +170,6 @@ public class TokenServiceResourceTest {
     
EasyMock.expect(config.getKnoxTokenHashAlgorithm()).andReturn(HmacAlgorithms.HMAC_SHA_256.getName()).anyTimes();
     EasyMock.expect(config.getMaximumNumberOfTokensPerUser())
         .andReturn(contextExpectations.containsKey(KNOX_TOKEN_USER_LIMIT) ? 
Integer.parseInt(contextExpectations.get(KNOX_TOKEN_USER_LIMIT)) : 
-1).anyTimes();
-    tss = new TestTokenStateService();
     
EasyMock.expect(services.getService(ServiceType.TOKEN_STATE_SERVICE)).andReturn(tss).anyTimes();
 
     AliasService aliasService = EasyMock.createNiceMock(AliasService.class);
@@ -987,7 +986,35 @@ public class TokenServiceResourceTest {
   }
 
   @Test
-  public void tesTokenLimitPerUserExceeded() throws Exception {
+  public void testTokenLimitChangeAfterAlreadyHavingTokens() throws Exception {
+    Map<String, String> contextExpectations = new HashMap<>();
+    contextExpectations.put(KNOX_TOKEN_USER_LIMIT, "-1");
+    configureCommonExpectations(contextExpectations, Boolean.TRUE);
+    TokenResource tr = new TokenResource();
+    tr.request = request;
+    tr.context = context;
+    tr.init();
+    // already have N tokens
+    int numberOfPreExistingTokens = 5;
+    for (int i = 0; i < numberOfPreExistingTokens; i++) {
+      tr.doGet();
+    }
+    Response getKnoxTokensResponse = tr.getUserTokens(USER_NAME);
+    Collection<String> tokens = ((Map<String, Collection<String>>) 
JsonUtils.getObjectFromJsonString(getKnoxTokensResponse.getEntity().toString()))
+            .get("tokens");
+    assertEquals(tokens.size(), numberOfPreExistingTokens);
+    // change the limit and try generate one more
+    contextExpectations.put(KNOX_TOKEN_USER_LIMIT, 
Integer.toString(numberOfPreExistingTokens -1));
+    configureCommonExpectations(contextExpectations, Boolean.TRUE);
+    tr.request = request;
+    tr.context = context;
+    tr.init();
+    Response response = tr.doGet();
+    assertTrue(response.getEntity().toString().contains("Unable to get token - 
token limit exceeded."));
+  }
+
+  @Test
+  public void testTokenLimitPerUserExceeded() throws Exception {
     try {
       testLimitingTokensPerUser(String.valueOf("10"), 11);
       fail("Exception should have been thrown");
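Review bot: The new testTokenLimitChangeAfterAlreadyHavingTokens only checks the entity text of the refused request; it should also pin the status, `assertEquals(Response.Status.FORBIDDEN.getStatusCode(), response.getStatus());`, otherwise a regression that returns the same message with a 200 would still pass. The argument order in `assertEquals(tokens.size(), numberOfPreExistingTokens)` is reversed relative to the JUnit convention (expected first), which makes failure output misleading; swap the two. The unchecked cast to `Map<String, Collection<String>>` will produce a compiler warning unless the method carries `@SuppressWarnings("unchecked")`, which is not visible in the hunk. The following testTokenLimitPerUserExceeded method continues past the end of the hunk.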
