(knox) branch master updated: KNOX-3018 - Tokens that never expire should not be evicted automatically and their expiration should be displayed properly (#878)

smolnar Tue, 12 Mar 2024 04:20:53 -0700

This is an automated email from the ASF dual-hosted git repository.

smolnar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git



The following commit(s) were added to refs/heads/master by this push:
     new 37dc8a736 KNOX-3018 - Tokens that never expire should not be evicted 
automatically and their expiration should be displayed properly (#878)
37dc8a736 is described below

commit 37dc8a736507ecbd39eacfd206f8c05aa15e1745
Author: Sandor Molnar <smol...@apache.org>
AuthorDate: Tue Mar 12 12:20:43 2024 +0100

    KNOX-3018 - Tokens that never expire should not be evicted automatically 
and their expiration should be displayed properly (#878)
---
 .../gateway/services/token/impl/DefaultTokenStateService.java     | 5 +++--
 .../knox/gateway/services/token/impl/TokenStateDatabase.java      | 4 ++--
 .../gateway/services/token/impl/JDBCTokenStateServiceTest.java    | 8 ++++++--
 .../apache/knox/gateway/services/security/token/KnoxToken.java    | 2 +-
 .../token-generation/app/token-generation.service.ts              | 2 +-
 .../token-management/app/token.management.component.ts            | 4 ++--
 6 files changed, 15 insertions(+), 10 deletions(-)

diff --git 
a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
 
b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
index 1676e14fa..18c7ea24f 100644
--- 
a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
+++ 
b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
@@ -392,9 +392,10 @@ public class DefaultTokenStateService implements 
TokenStateService {
    * @return true, if the associated token state can be evicted; Otherwise, 
false.
    */
   protected boolean needsEviction(final String tokenId) throws 
UnknownTokenException {
+    final long tokenExpiration = getTokenExpiration(tokenId, false);
     // If the expiration time(+ grace period) has already passed, it should be 
considered expired
-    long expirationWithGrace = getTokenExpiration(tokenId, false) + 
TimeUnit.SECONDS.toMillis(tokenEvictionGracePeriod);
-    return (expirationWithGrace <= System.currentTimeMillis());
+    long expirationWithGrace = tokenExpiration + 
TimeUnit.SECONDS.toMillis(tokenEvictionGracePeriod);
+    return tokenExpiration > 0 && (expirationWithGrace <= 
System.currentTimeMillis());
   }
 
   /**
diff --git 
a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/TokenStateDatabase.java
 
b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/TokenStateDatabase.java
index a461171b4..b17b7c93b 100644
--- 
a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/TokenStateDatabase.java
+++ 
b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/TokenStateDatabase.java
@@ -43,8 +43,8 @@ public class TokenStateDatabase {
   static final String TOKEN_METADATA_TABLE_NAME = "KNOX_TOKEN_METADATA";
   private static final String ADD_TOKEN_SQL = "INSERT INTO " + 
TOKENS_TABLE_NAME + "(token_id, issue_time, expiration, max_lifetime) VALUES(?, 
?, ?, ?)";
   private static final String REMOVE_TOKEN_SQL = "DELETE FROM " + 
TOKENS_TABLE_NAME + " WHERE token_id = ?";
-  private static final String GET_EXPIRED_TOKENS_SQL = "SELECT token_id FROM " 
+ TOKENS_TABLE_NAME + " WHERE expiration < ?";
-  private static final String REMOVE_EXPIRED_TOKENS_SQL = "DELETE FROM " + 
TOKENS_TABLE_NAME + " WHERE expiration < ?";
+  private static final String GET_EXPIRED_TOKENS_SQL = "SELECT token_id FROM " 
+ TOKENS_TABLE_NAME + " WHERE expiration < ? AND expiration > 0";
+  private static final String REMOVE_EXPIRED_TOKENS_SQL = "DELETE FROM " + 
TOKENS_TABLE_NAME + " WHERE expiration < ? AND expiration > 0";
   static final String GET_TOKEN_ISSUE_TIME_SQL = "SELECT issue_time FROM " + 
TOKENS_TABLE_NAME + " WHERE token_id = ?";
   static final String GET_TOKEN_EXPIRATION_SQL = "SELECT expiration FROM " + 
TOKENS_TABLE_NAME + " WHERE token_id = ?";
   private static final String UPDATE_TOKEN_EXPIRATION_SQL = "UPDATE " + 
TOKENS_TABLE_NAME + " SET expiration = ? WHERE token_id = ?";
diff --git 
a/gateway-server/src/test/java/org/apache/knox/gateway/services/token/impl/JDBCTokenStateServiceTest.java
 
b/gateway-server/src/test/java/org/apache/knox/gateway/services/token/impl/JDBCTokenStateServiceTest.java
index 205c59191..c30b53545 100644
--- 
a/gateway-server/src/test/java/org/apache/knox/gateway/services/token/impl/JDBCTokenStateServiceTest.java
+++ 
b/gateway-server/src/test/java/org/apache/knox/gateway/services/token/impl/JDBCTokenStateServiceTest.java
@@ -260,9 +260,13 @@ public class JDBCTokenStateServiceTest {
       final String tokenId = UUID.randomUUID().toString();
       jdbcTokenStateService.addToken(tokenId, 1, 1, 1);
     }
-    assertEquals(tokenCount, getLongTokenAttributeFromDatabase(null, 
GET_TOKENS_COUNT_SQL));
+
+    //add another token that never expires
+    jdbcTokenStateService.addToken(UUID.randomUUID().toString(), 1, -1, 1);
+
+    assertEquals(tokenCount + 1, getLongTokenAttributeFromDatabase(null, 
GET_TOKENS_COUNT_SQL));
     jdbcTokenStateService.evictExpiredTokens();
-    assertEquals(0, getLongTokenAttributeFromDatabase(null, 
GET_TOKENS_COUNT_SQL));
+    assertEquals(1, getLongTokenAttributeFromDatabase(null, 
GET_TOKENS_COUNT_SQL));  //the one that never expires should remain
   }
 
   private long getLongTokenAttributeFromDatabase(String tokenId, String sql) 
throws SQLException {
diff --git 
a/gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/KnoxToken.java
 
b/gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/KnoxToken.java
index b34397be0..21359ca88 100644
--- 
a/gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/KnoxToken.java
+++ 
b/gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/KnoxToken.java
@@ -60,7 +60,7 @@ public class KnoxToken implements Comparable<KnoxToken>{
   }
 
   public String getExpiration() {
-    return KNOX_TOKEN_TS_FORMAT.get().format(new Date(expiration));
+    return expiration < 0 ? "Never" : KNOX_TOKEN_TS_FORMAT.get().format(new 
Date(expiration));
   }
 
   public long getExpirationLong() {
diff --git 
a/knox-token-generation-ui/token-generation/app/token-generation.service.ts 
b/knox-token-generation-ui/token-generation/app/token-generation.service.ts
index 4c74cab68..f315988f7 100644
--- a/knox-token-generation-ui/token-generation/app/token-generation.service.ts
+++ b/knox-token-generation-ui/token-generation/app/token-generation.service.ts
@@ -114,7 +114,7 @@ export class TokenGenService {
                 accessToken: tokenData.access_token,
                 user: jwtJson.sub,
                 accessPasscode: tokenData.passcode,
-                expiry: new Date(tokenData.expires_in).toLocaleString(),
+                expiry: tokenData.expires_in < 0 ? 'Never expires' : new 
Date(tokenData.expires_in).toLocaleString(),
                 homepageURL: this.baseURL + tokenData.homepage_url,
                 targetURL: window.location.protocol + '//' + 
window.location.host + this.baseURL + tokenData.target_url
             };
diff --git 
a/knox-token-management-ui/token-management/app/token.management.component.ts 
b/knox-token-management-ui/token-management/app/token.management.component.ts
index 7ed486c1c..7d83409ce 100644
--- 
a/knox-token-management-ui/token-management/app/token.management.component.ts
+++ 
b/knox-token-management-ui/token-management/app/token.management.component.ts
@@ -196,11 +196,11 @@ export class TokenManagementComponent implements OnInit {
     }
 
     formatDateTime(dateTime: number) {
-        return new Date(dateTime).toLocaleString();
+        return dateTime < 0 ? 'Never' : new Date(dateTime).toLocaleString();
     }
 
     isTokenExpired(expiration: number): boolean {
-        return Date.now() > expiration;
+        return expiration < 0 ? false : Date.now() > expiration;
     }
 
     getExpirationColor(expiration: number): string {

(knox) branch master updated: KNOX-3018 - Tokens that never expire should not be evicted automatically and their expiration should be displayed properly (#878)

Reply via email to