smolnar82 opened a new pull request #542:
URL: https://github.com/apache/knox/pull/542


   ## What changes were proposed in this pull request?
   
   The following enhancements were added by this change:
   - the simple `GET` API is extended to handle custom metadata information
   - the `getUserTokens` API endpoint is extended to filter tokens by metadata name/value
   - additional metadata information is displayed on the Knox Token Management page
   
   ## How was this patch tested?
   
   Adjusted and ran JUnit tests:
   ```
   $ mvn clean -Dshellcheck=true verify -Prelease,package -am -pl gateway-service-knoxtoken
   ...
   [INFO] ------------------------------------------------------------------------
   [INFO] BUILD SUCCESS
   [INFO] ------------------------------------------------------------------------
   [INFO] Total time:  06:01 min
   [INFO] Finished at: 2022-03-04T09:32:59+01:00
   [INFO] ------------------------------------------------------------------------
   ```
   
   Additionally, I tested the API changes with the following `curl` commands:
   ```
   curl -iku admin:admin-password -X GET 'https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token?md_notebookName=accountantKnoxToken&md_souldBeRemovedBy=31March2022&md_otherMeaningfuMetadata=KnoxIsCool'
   
   curl -iku admin:admin-password "https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token?lifespan=P0DT1H0M&md_notebookName=DROP%20TABLE%20knox_token_metadata";
   
   curl -iku admin:admin-password "https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token?lifespan=P0DT1H0M&md_notebookName=%3Cscript%3Ealert%28%27smolnar%27%29%3B%3C%2Fscript%3E";
   
   curl -iku admin:admin-password "https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token?lifespan=P0DT1H0M&md_notebookName=<script>alert(\"smolnar\")</script>&md_otherMetadata=MyOtherMetadata"
   
   curl -iku admin:admin-password "https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token?lifespan=P0DT1H0M&md_notebookName=%3Ca%20href%3D%22%23%22%20onClick%3D%22alert%28%27Hello%20World%21%27%29%22%3E%3Cimg%20title%3D%22The%20Link%22%20%2F%3E%3C%2Fa%3E";
   
   curl -iku admin:admin-password "https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token?lifespan=P0DT1H0M&md_smolnarMd=dummyMd";
   ```
   <img width="1773" alt="Screenshot 2022-03-04 at 10 08 01" src="https://user-images.githubusercontent.com/34065904/156733578-cae30c84-5533-4772-8aec-50d663ebb782.png">
   
   As you can see, I tried to challenge the `GET` API with
   - SQL commands to make sure SQL injection is not an issue (in `TokenStateDatabase` we use `PreparedStatement` objects to communicate with the DB, so we are safe)
   - different HTML scripts to make sure XSS attacks are not an issue. The prevention of XSS comes OOTB with Angular, as we only use interpolated values in curly brackets that [are escaped in Angular](https://angular.io/guide/security#sanitization-example).
   
   I also tested the updated `getUserTokens` API:
   
   ```
   $ curl -iku admin:admin-password "https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token/getUserTokens?userName=admin&mdName=smolnarMd";
   HTTP/1.1 200 OK
   ...
   
   {
        "tokens": [{
                "tokenId": "97de921a-aa54-4308-803c-6c20cebcc1f9",
                "issueTime": "2022-03-04T10:07:49.093+0100",
                "expiration": "2022-03-04T11:07:48.928+0100",
                "maxLifetime": "2022-03-11T10:07:49.093+0100",
                "metadata": {
                        "customMetadataMap": {
                                "smolnarMd": "dummyMd"
                        },
                        "comment": null,
                        "enabled": true,
                        "userName": "admin"
                },
                "issueTimeLong": 1646384869093,
                "expirationLong": 1646388468928,
                "maxLifetimeLong": 1646989669093
        }]
   }
   ```
   
   ```
   $ curl -iku admin:admin-password "https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token/getUserTokens?userName=admin&mdName=otherMetadata";
   HTTP/1.1 200 OK
   ...
   
   {
        "tokens": [{
                "tokenId": "e8e578ca-a782-4cd7-8fa1-3580b7a79541",
                "issueTime": "2022-03-04T10:00:31.655+0100",
                "expiration": "2022-03-04T11:00:31.645+0100",
                "maxLifetime": "2022-03-11T10:00:31.655+0100",
                "metadata": {
                        "customMetadataMap": {
                                "notebookName": "<script>alert(\"smolnar\")</script>",
                                "otherMetadata": "MyOtherMetadata"
                        },
                        "comment": null,
                        "enabled": true,
                        "userName": "admin"
                },
                "issueTimeLong": 1646384431655,
                "expirationLong": 1646388031645,
                "maxLifetimeLong": 1646989231655
        }]
   }
   ```
   
   ```
   $ curl -iku admin:admin-password "https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token/getUserTokens?userName=admin&mdName=notebookName&mdValue=accountantKnoxToken";
   HTTP/1.1 200 OK
   ...
   {
        "tokens": [{
                "tokenId": "1487647b-b986-4b73-a250-854843aade9b",
                "issueTime": "2022-03-04T09:58:03.155+0100",
                "expiration": "2022-07-02T10:58:02.979+0200",
                "maxLifetime": "2022-03-11T09:58:03.155+0100",
                "metadata": {
                        "customMetadataMap": {
                                "souldBeRemovedBy": "31March2022",
                                "notebookName": "accountantKnoxToken",
                                "otherMeaningfuMetadata": "KnoxIsCool"
                        },
                        "comment": null,
                        "enabled": true,
                        "userName": "admin"
                },
                "issueTimeLong": 1646384283155,
                "expirationLong": 1656752282979,
                "maxLifetimeLong": 1646989083155
        }]
   }
   ```
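An added example, not Knox's own code, of the two behaviours the description exercises: mapping `md_<name>=<value>` query parameters to a custom metadata map, persisting them with bound parameters so a value such as `DROP TABLE knox_token_metadata` is stored as plain data, and filtering tokens by `mdName`/`mdValue`. The SQLite table name and columns are assumptions, not Knox's schema.

```python
"""Added example (not part of the PR): md_* parameter handling, parameterized
storage and getUserTokens-style filtering. Table/column names are assumed."""
import sqlite3
from urllib.parse import parse_qsl, urlsplit

MD_PREFIX = "md_"


def custom_metadata_from_url(url):
    """Collect md_<name>=<value> query parameters into {name: value}.

    Other parameters (e.g. lifespan) are left out; values are URL-decoded.
    """
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {k[len(MD_PREFIX):]: v for k, v in pairs if k.startswith(MD_PREFIX)}


def open_store():
    """In-memory store with an assumed table for per-token metadata rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE knox_token_metadata "
        "(token_id TEXT, md_name TEXT, md_value TEXT)"
    )
    return db


def store_metadata(db, token_id, metadata):
    """Insert metadata with bound parameters: the value never becomes SQL text."""
    rows = [(token_id, name, value) for name, value in metadata.items()]
    db.executemany("INSERT INTO knox_token_metadata VALUES (?, ?, ?)", rows)
    db.commit()


def filter_tokens(db, md_name, md_value=None):
    """Token ids having metadata md_name, optionally restricted to md_value."""
    sql = "SELECT DISTINCT token_id FROM knox_token_metadata WHERE md_name = ?"
    params = [md_name]
    if md_value is not None:
        sql += " AND md_value = ?"
        params.append(md_value)
    return sorted(row[0] for row in db.execute(sql, params))


def table_exists(db):
    """True if the metadata table survived, i.e. the value was stored as data."""
    sql = "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?"
    return db.execute(sql, ("knox_token_metadata",)).fetchone() is not None
```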

