[ 
https://issues.apache.org/jira/browse/KNOX-2734?focusedWorklogId=759868&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-759868
 ]

ASF GitHub Bot logged work on KNOX-2734:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 21/Apr/22 09:15
            Start Date: 21/Apr/22 09:15
    Worklog Time Spent: 10m 
      Work Description: smolnar82 opened a new pull request, #562:
URL: https://github.com/apache/knox/pull/562

   ## What changes were proposed in this pull request?
   
   As described in 
[KNOX-2734](https://issues.apache.org/jira/browse/KNOX-2734), the passcode 
token should not be presented in the JSON response coming from TokenResource, 
when a Knox Token is generated, if:
   - token state management is disabled
   - the underlying token state backend stores the tokens in-memory only
   
   The token generation UI should have been modified too: when there is no 
passcode tag in the JSON response there is no reason to show its label on the 
UI.
   
   ## How was this patch tested?
   
   Added new JUnit tests to cover the new business logic.
   
   Additionally, I did E2E testing:
   - added KnoxToken service into the `sandbox` topology with 
`knox.token.exp.server-managed=false`
   - configured the token state backend to `DefaultTokenStateService` in 
`gateway-site.xml`
   - Left `knox.token.exp.server-managed=true` in the `homepage` topology
   - Generated a token using the token generation page and confirmed the 
`Passcode Token` label was hidden
   ```
   $ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token
   HTTP/1.1 200 OK
   ...

   {"access_token":"eyJqa3...W7S7rAVtg","token_id":"bc6ae4b8-3064-4835-8601-5cfffa0cbc51","managed":"false","target_url":"proxy-token/","homepage_url":"homepage/home?profile=token&topologies=sandbox","endpoint_public_cert":"MIIDeDCCAmCgAwIBAgIIfjC1dY...etfIPYZ5yWVL7Q==","token_type":"Bearer","expires_in":1660896802064}
   ```
   
   - Changed `knox.token.exp.server-managed` to `true` in the `sandbox` 
topology (please note, the token state backend is still 
`DefaultTokenStateService`)
   ```
   $ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token
   HTTP/1.1 200 OK
   ...

   {"access_token":"eyJqa3UiOiJodH...Gfy157xezu3Q","token_id":"8fad76c1-147d-44f0-8d18-a067eea7d615","managed":"true","target_url":"proxy-token/","homepage_url":"homepage/home?profile=token&topologies=sandbox","endpoint_public_cert":"MIIDeDCCAmCgAwIBAgIIfj...aetfIPYZ5yWVL7Q==","token_type":"Bearer","expires_in":1660897040594}
   ```
   - Set `gateway.service.tokenstate.impl` to 
`org.apache.knox.gateway.services.token.impl.AliasBasedTokenStateService` in 
`gateway-site.xml` and re-started Knox
   ```
   {"access_token":"eyJqa3UiOiJodHRwczp...3zAiz5ygsEBuOVQ","token_id":"f5aaa081-5de2-40aa-8d6f-9961a93bf502","managed":"true","target_url":"proxy-token/","homepage_url":"homepage/home?profile=token&topologies=sandbox","endpoint_public_cert":"MIIDeDCCAmCg...kEFdn5aetfIPYZ5yWVL7Q==","token_type":"Bearer","expires_in":1660896828475,"passcode":"WmpWaFlXRXdPREV0TldSbE1pMDBNR0ZoTFRoa05tWXRPVGsyTVdFNU0ySm1OVEF5OjpZVFF6T1dRd05UVXROamcwWWkwME9HWTNMVGxqT1RBdE16WTBZMkUwTlRFMllXRTM="}
   ```
   - Generated a token using the token generation page and confirmed the 
`Passcode Token` label was shown with the correct passcode
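The rule the ticket and the pull request describe (a passcode belongs in the TokenResource response only when `knox.token.exp.server-managed=true` for the topology and `gateway.service.tokenstate.impl` is not the in-memory `DefaultTokenStateService`) can be exercised offline against captured responses. The following is an added Python example, not Knox project code: it encodes the rule once, applies it as a server-side redaction and as a defender-side check over captured JSON, and runs both against constructed responses shaped like the curl output above. The sample bodies, the placeholder token_ids and passcode, and the helper names `passcode_allowed`, `redact_response` and `check_response` are constructed for illustration.

```python
# Added example for KNOX-2734 (not Knox project code): encodes the passcode
# rule from the ticket and checks captured TokenResource responses against it.
# The sample responses further down are constructed.
import json
from typing import Dict, List

# Backend classes named in the ticket / PR. DefaultTokenStateService keeps
# token state in memory only; AliasBasedTokenStateService persists it.
IN_MEMORY_BACKEND = (
    "org.apache.knox.gateway.services.token.impl.DefaultTokenStateService"
)
ALIAS_BACKEND = (
    "org.apache.knox.gateway.services.token.impl.AliasBasedTokenStateService"
)
PASSCODE_FIELD = "passcode"


def passcode_allowed(server_managed: bool, tokenstate_impl: str) -> bool:
    """KNOX-2734 rule: a passcode may be returned only when token state is
    server-managed for the topology AND the backend is not the in-memory
    DefaultTokenStateService (whose state would be lost on restart)."""
    return server_managed and tokenstate_impl.strip() != IN_MEMORY_BACKEND


def _is_managed(resp: Dict) -> bool:
    # Knox serialises "managed" as the string "true"/"false".
    return str(resp.get("managed", "false")).lower() == "true"


def redact_response(body: str, tokenstate_impl: str) -> str:
    """Server-side view of the fix: drop the passcode from a response whose
    configuration does not permit it, and return the reduced JSON."""
    resp = json.loads(body)
    if not passcode_allowed(_is_managed(resp), tokenstate_impl):
        resp.pop(PASSCODE_FIELD, None)
    return json.dumps(resp, separators=(",", ":"))


def check_response(body: str, tokenstate_impl: str) -> List[str]:
    """Defender-side check for a captured response (e.g. the curl output in
    the PR). The backend class is not part of the response, so it is passed
    in from gateway-site.xml. Returns findings; an empty list means the
    response obeys the rule."""
    resp = json.loads(body)
    token_id = resp.get("token_id", "<no token_id>")
    managed = _is_managed(resp)
    allowed = passcode_allowed(managed, tokenstate_impl)
    present = PASSCODE_FIELD in resp
    findings: List[str] = []
    if present and not allowed:
        reason = "managed=false" if not managed else "in-memory token state backend"
        findings.append(f"token {token_id}: passcode returned although {reason}")
    if allowed and not present:
        findings.append(
            f"token {token_id}: passcode missing although server-managed "
            "with a persistent backend"
        )
    return findings


# Constructed responses, shaped like those in the PR description but with
# shortened non-real token values, placeholder token_ids and a placeholder
# passcode (base64 of "passcode-placeholder").
UNMANAGED_CLEAN = (
    '{"access_token":"eyJ...","token_id":"00000000-0000-0000-0000-000000000001",'
    '"managed":"false","token_type":"Bearer","expires_in":1660896802064}'
)
UNMANAGED_LEAK = (  # pre-fix behaviour reported in the ticket
    '{"access_token":"eyJ...","token_id":"00000000-0000-0000-0000-000000000002",'
    '"managed":"false","token_type":"Bearer","expires_in":1650416031187,'
    '"passcode":"cGFzc2NvZGUtcGxhY2Vob2xkZXI="}'
)
MANAGED_INMEMORY_CLEAN = (
    '{"access_token":"eyJ...","token_id":"00000000-0000-0000-0000-000000000003",'
    '"managed":"true","token_type":"Bearer","expires_in":1660897040594}'
)
MANAGED_ALIAS = (
    '{"access_token":"eyJ...","token_id":"00000000-0000-0000-0000-000000000004",'
    '"managed":"true","token_type":"Bearer","expires_in":1660896828475,'
    '"passcode":"cGFzc2NvZGUtcGxhY2Vob2xkZXI="}'
)

if __name__ == "__main__":
    for name, body, impl in [
        ("unmanaged, no passcode", UNMANAGED_CLEAN, IN_MEMORY_BACKEND),
        ("unmanaged, passcode leaked", UNMANAGED_LEAK, IN_MEMORY_BACKEND),
        ("managed, in-memory backend", MANAGED_INMEMORY_CLEAN, IN_MEMORY_BACKEND),
        ("managed, alias backend", MANAGED_ALIAS, ALIAS_BACKEND),
    ]:
        print(f"{name}: {check_response(body, impl) or 'OK'}")
```

`check_response` mirrors the three E2E cases in the PR: an unmanaged token, a managed token on the in-memory backend (no passcode expected), and a managed token on `AliasBasedTokenStateService` (passcode expected). Because the backend class never appears in the response, the check has to be told which `gateway.service.tokenstate.impl` the gateway was running with; a response that carries a passcode under the in-memory backend is flagged even though `"managed":"true"`.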
   




Issue Time Tracking
-------------------

            Worklog Id:     (was: 759868)
    Remaining Estimate: 0h
            Time Spent: 10m

> Exclude token passcode from KnoxToken responses when server-managed state is 
> disabled.
> --------------------------------------------------------------------------------------
>
>                 Key: KNOX-2734
>                 URL: https://issues.apache.org/jira/browse/KNOX-2734
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 2.0.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Responses from the KnoxToken service include a passcode, which is only 
> relevant/valid if the server-managed token state is enabled. In the case that 
> it is disabled, the passcode should not be included in the responses.
> {noformat}
> {
>   "access_token": 
> "eyJqa3UiOiJodHRwczpcL1wvc3NnM2RsLW1hc3RlcjAuc3NnZTMueGN1Mi04eTh4LmRldi5jbGRyLndvcms6ODQ0M1wvc3NnM2RsXC9rdC1rZXJiZXJvc1wva25veHRva2VuXC9hcGlcL3YxXC9qd2tzLmpzb24iLCJraWQiOiJaWFF3UWtKMnNIMzNoUThYNEFlM05VODJKMTYySlBlYVRVMWZqazE3VzI4IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJjc3NvX3NzZXRoIiwiamt1IjoiaHR0cHM6XC9cL3NzZzNkbC1tYXN0ZXIwLnNzZ2UzLnhjdTItOHk4eC5kZXYuY2xkci53b3JrOjg0NDNcL3NzZzNkbFwva3Qta2VyYmVyb3NcL2tub3h0b2tlblwvYXBpXC92MVwvandrcy5qc29uIiwia2lkIjoiWlhRd1FrSjJzSDMzaFE4WDRBZTNOVTgySjE2MkpQZWFUVTFmamsxN1cyOCIsImlzcyI6IktOT1hTU08iLCJleHAiOjE2NTA0MTYwMzEsIm1hbmFnZWQudG9rZW4iOiJmYWxzZSIsImtub3guaWQiOiJmMGFlYzNjNC1kNzVhLTQ0M2ItODQ2YS1kM2FmMTNlNmJlOTEifQ.DFkepUDw6Nt9KhyOoz_u4cfMYkPlSiifZHEsj6Es5Ymy4BtASt4we3kWQc_NMAllRkL5HFK3ZZ58aFUbJvyjwklQpRQABMHSZuIkURcmz8dctH_JfWX_WtXyzwRd-KGDdLrHSn-x4tTjfc0iXdoxxqr-9wJNmcXcMZyQO3aJHV38q2hbSc9Muht_tbe_UgfI_ukfloDHxL9tWRctitjmz3T7H0SpJKxdvspIz-PaSvOOeNqTfCOKgY0hpK_CkBr1NjkyASjCyAz0hq41COt1BMbWc6djgTBl9C6bXNa1Abhn_e87Hh1kDBUdOIAd7Sbpd12oiH92ZQOnfnE0-yLS5Q",
>   "token_id": "f0aec3c4-d75a-443b-846a-d3af13e6be91",
>   "managed": "false",
>   "endpoint_public_cert": 
> "...",
>   "token_type": "Bearer",
>   "expires_in": 1650416031187,
>   "passcode": 
> "WmpCaFpXTXpZelF0WkRjMVlTMDBORE5pTFRnME5tRXRaRE5oWmpFelpUWmlaVGt4OjpORGhsT0Rnek5UY3RZamcyTmkwME1UY3hMVGs1WTJFdE9EazVPRGM0TnpGalpqbG0="
> }{noformat}
> If a response includes *"managed" : "false"* , then it should NOT include the 
> passcode.
> Moreover, even if the token is {_}managed{_}, but the underlying token state 
> backend is only in-memory ({{{}gateway.service.tokenstate.impl = 
> org.apache.knox.gateway.services.token.impl.DefaultTokenStateService{}}} in 
> {{{}gateway-site.xml{}}}), the passcode should be excluded from the response 
> too.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
