[
https://issues.apache.org/jira/browse/KNOX-2579?focusedWorklogId=594653&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-594653
]
ASF GitHub Bot logged work on KNOX-2579:
----------------------------------------
Author: ASF GitHub Bot
Created on: 11/May/21 17:40
Start Date: 11/May/21 17:40
Worklog Time Spent: 10m
Work Description: pzampino commented on a change in pull request #437:
URL: https://github.com/apache/knox/pull/437#discussion_r630379211
##########
File path:
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
##########
@@ -141,9 +142,21 @@ public void doFilter(ServletRequest request,
ServletResponse response, FilterCha
}
} else if (TokenType.Passcode.equals(tokenType)) {
// Validate the token based on the server-managed metadata
- if (validateToken((HttpServletRequest) request, (HttpServletResponse)
response, chain, tokenValue)) {
+ // The received token value must be a Base64 encoded value of
Base64(tokenId)::Base64(rawPasscode)
+ String tokenId = null, passcode = null;
Review comment:
nit: This is not typical Knox coding style
##########
File path:
gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
##########
@@ -316,6 +334,35 @@ protected long convertCharArrayToLong(char[] charArray) {
return Long.parseLong(new String(charArray));
}
+ @Override
+ public long getTokenIssueTime(String tokenId) throws UnknownTokenException {
+ // Check the in-memory collection first, to avoid costly keystore access
when possible
+ try {
+ // check the in-memory cache first
+ return super.getTokenIssueTime(tokenId);
+ } catch (UnknownTokenException e) {
+ // It's not in memory
+ }
+
+ // If there is no associated state in the in-memory cache, proceed to
check the alias service
+ long issueTime = 0;
+ try {
+ char[] issueTimeStr = getPasswordUsingAliasService(tokenId +
TOKEN_ISSUE_TIME_POSTFIX);
+ if (issueTimeStr == null) {
+ throw new UnknownTokenException(tokenId);
+ }
+ issueTime = convertCharArrayToLong(issueTimeStr);
+ // Update the in-memory cache to avoid subsequent keystore look-ups for
the same state
+ super.setIssueTime(tokenId, issueTime);
Review comment:
Should use the setIssueTimeInMemory() method here?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 594653)
Time Spent: 1h 10m (was: 1h)
> Make token passcode secure in DB token state backend
> ----------------------------------------------------
>
> Key: KNOX-2579
> URL: https://issues.apache.org/jira/browse/KNOX-2579
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
> Affects Versions: 1.6.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 1.6.0
>
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> With KNOX-2554, we now have the ability to store passcode tokens in
> relational databases. However, it indicates poor security practice if
> sensitive data is stored in plain text format. Since the {{token_id}} JWT
> claim can be used as a passcode, we need to make sure it's saved in a hashed
> format. To be able to do this, the following is going to be implemented:
> * add a new column called {{id}} which will serve as the primary key of the
> {{KNOX_TOKENS}} table (this is also going to be a UUID)
> * keep the current {{token_id}} column as is, and store the {{token.id}}
> claim in a hashed form in this column
> By default, {{HS256}} is going to be used as a hash algorithm, but end-users
> can configure it via the {{gateway.database.hash.alg}} gateway level
> configuration. A new pre-defined alias name is to be introduced too:
> {{gateway_database_hash_key}}. End-users must save the desired key using this
> alias if they use the new {{JDBCTokenStateService}} as the token management
> backend. Please note that key size it's very important for hash-based
> algorithms so using the {{master secret}} is not an option here.
> The token verification logic has to be changed too (need to hash {{token.id}}
> before getting expiration from the database).
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
