[jira] [Work logged] (KNOX-2527) Support HMAC signature/verification in JWT token authority

[ASF GitHub Bot (Jira)]

     [ 
https://issues.apache.org/jira/browse/KNOX-2527?focusedWorklogId=534293&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-534293
 ]

ASF GitHub Bot logged work on KNOX-2527:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 11/Jan/21 15:49
            Start Date: 11/Jan/21 15:49
    Worklog Time Spent: 10m 
      Work Description: smolnar82 opened a new pull request #397:
URL: https://github.com/apache/knox/pull/397


   ## What changes were proposed in this pull request?
   
   In this change, I'm extending the current RSA based token signing with the 
use of HMAC. As described in the corresponding JIRA, from now on end-users are 
able to configure an HMAC secret in the gateway's alias service which then will 
be used as a signature secret (pay attention to the key size requirements!).
   
   
   ## How was this patch tested?
   Updated and ran a full maven build successfully and executed E2E tests:
   1. configured the `gateway.signing.hmac.secret` alias:
   ```
   $ bin/knoxcli.sh list-alias
   Listing aliases for: __gateway
   gateway.signing.hmac.secret
   ```
   2. Added the `KNOXTOKEN` service in the `sandbox` topology:
   ```
   <service>
      <role>KNOXTOKEN</role>
      <param>
         <name>knox.token.ttl</name>
         <value>36000000</value>
      </param>
      <param>
         <name>knox.token.audiences</name>
         <value>tokenbased</value>
      </param>
      <param>
         <name>knox.token.target.url</name>
         <value>https://localhost:8443/gateway/tokenbased</value>
      </param>
   <!--
      <param>
         <name>knox.token.sigalg</name>
         <value>HS256</value>
      </param>
   -->
   </service>
   ```
   3. Added a new topology - called tokenbased - to be able to test the 
generated tokens
   4. Acquired a Knox token:
   ```
   curl -iku admin:admin-password 
https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token
   ...
   HTTP/1.1 200 OK
   Date: Mon, 11 Jan 2021 15:08:34 GMT
   Set-Cookie: KNOXSESSIONID=node01eow5gtl4jq0z68xpcuoo9cut0.node0; 
Path=/gateway/sandbox; Secure; HttpOnly
   Expires: Thu, 01 Jan 1970 00:00:00 GMT
   Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; 
Expires=Sun, 10-Jan-2021 15:08:34 GMT; SameSite=lax
   Content-Type: application/json
   Content-Length: 1862
   
   
{"access_token":"eyJhbGciOiJSUzI1NiJ9...FN7RE8Xsw","target_url":"https://localhost:8443/gateway/tokenbased","endpoint_public_cert":"MIIDe...W6Z2nJarXg==","token_type":"Bearer","expires_in":1610413714993}
   ```
   5. Tested the acquired token by invoking the HDFS UI service in `tokenbased`:
   ```
   curl -ik -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9...FN7RE8Xsw" 
https://localhost:8443/gateway/tokenbased/hdfs
   ```
   6. Changed the value of `knox.token.sigalg` parameter to `HS384`, reset the 
`gateway.signing.hmac.secret` with an appropriate secret (key length matters) 
and repeated steps 4-5. The call finished successfully.
   7. Changed the value of `knox.token.sigalg` parameter to `HS512`, reset the 
`gateway.signing.hmac.secret` with an appropriate secret (key length matters) 
and repeated steps 4-5. The call finished successfully.
   8. Changed the value of  `knox.token.sigalg` parameter to `HS123` and 
repeated steps 4-5. Call failed as expected.
   9. Removed the `gateway.signing.hmac.secret` and re-tried the get/verify 
steps; all were OK.
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Issue Time Tracking
-------------------

            Worklog Id:     (was: 534293)
    Remaining Estimate: 0h
            Time Spent: 10m

> Support HMAC signature/verification in JWT token authority
> ----------------------------------------------------------
>
>                 Key: KNOX-2527
>                 URL: https://issues.apache.org/jira/browse/KNOX-2527
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: KnoxSSO, Server
>    Affects Versions: 1.5.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 1.6.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> As of now, in {{DefaultTokenAuthorityService}}, the generated JWT token is 
> signed by RSA (PKI). It would be beneficial to add support for HMAC as well 
> so that token signature/verification would not require a keystore being set 
> but using a secret stored via Knox's alias service. The recommended alias 
> name is {{gateway.signing.hmac.secret}}
>  To support backward compatibility, the implementation should use HMAC 
> signature/verification only if:
>  - the HMAC secret is configured via the alias service for the gateway, and
>  - there is no previously pre-configured {{gateway.signing.keystore.name}} 
> which is a clear indication of end-user preference of using PKI signatures.
> The default HMAC signing algorithm should be {{HS256}} (HMAC using SHA-256 
> hash algorithm) and clients should be able to change it by already existing 
> request parameters called {{knoxsso.token.sigalg}} or {{knox.token.sigalg}}. 
> Other valid values are:
>  - {{HS384}} (HMAC using SHA-384 hash algorithm)
>  - {{HS512}} (HMAC using SHA-512 hash algorithm)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)