[
https://issues.apache.org/jira/browse/KNOX-2734?focusedWorklogId=760390&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-760390
]
ASF GitHub Bot logged work on KNOX-2734:
----------------------------------------
Author: ASF GitHub Bot
Created on: 21/Apr/22 20:11
Start Date: 21/Apr/22 20:11
Worklog Time Spent: 10m
Work Description: pzampino commented on code in PR #562:
URL: https://github.com/apache/knox/pull/562#discussion_r855557121
##########
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java:
##########
@@ -804,8 +804,11 @@ private Response getAuthenticationToken() {
if (endpointPublicCert != null) {
map.put(ENDPOINT_PUBLIC_CERT, endpointPublicCert);
}
+
final String passcode = UUID.randomUUID().toString();
- map.put(PASSCODE, generatePasscodeField(tokenId, passcode));
+ if (tokenStateService != null &&
!tokenStateService.storeTokensInMemoryOnly()) {
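Review bot: The context line `final String passcode = UUID.randomUUID().toString();` stays outside the new `if`, so a passcode is still generated on every request even when it will neither be returned nor persisted; move the generation inside the branch unless the persistence path that follows (not shown in this hunk) still needs it. The `tokenStateService != null` guard silently drops the passcode when no state service is configured, and whether that also covers the `managed=false` case the issue calls out is not visible here, so a one-line comment tying the condition to the issue's rule would help the next reader.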
Review Comment:
This is where you could employ tokenStateService instanceof
PersistentTokenStateService
##########
gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/TokenIDAsHTTPBasicCredsFederationFilterTest.java:
##########
@@ -372,6 +372,11 @@ public void start() throws ServiceLifecycleException {
public void stop() throws ServiceLifecycleException {
}
+ @Override
+ public boolean storeTokensInMemoryOnly() {
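Review bot: The hunk stops before the method body, so the value this test stub returns cannot be confirmed; it should be whichever value keeps the existing assertions in this filter test meaningful, and a short comment stating why would help. Since `@Override` shows the method was added to the TokenStateService contract, every implementation and every test stub like this one now has to change; a `default` implementation on the interface, or a marker-interface check in the calling code, would avoid that churn.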
Review Comment:
Rather than adding this method to all the implementations, I tend to think
of these things in terms of interfaces (e.g., PersistentTokenStateService).
Then, the referencing code can check (tokenStateService instanceof
PersistentTokenStore).
Perhaps, the persistent implementations could extend an abstract
PersistentTokenStateService class, which itself extends
DefaultTokenStateService.
Issue Time Tracking
-------------------
Worklog Id: (was: 760390)
Time Spent: 20m (was: 10m)
> Exclude token passcode from KnoxToken responses when server-managed state is
> disabled.
> --------------------------------------------------------------------------------------
>
> Key: KNOX-2734
> URL: https://issues.apache.org/jira/browse/KNOX-2734
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.0.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Responses from the KnoxToken service include a passcode, which is only
> relevant/valid if the server-managed token state is enabled. In the case that
> it is disabled, the passcode should not be included in the responses.
> {noformat}
> {
> "access_token":
> "eyJqa3UiOiJodHRwczpcL1wvc3NnM2RsLW1hc3RlcjAuc3NnZTMueGN1Mi04eTh4LmRldi5jbGRyLndvcms6ODQ0M1wvc3NnM2RsXC9rdC1rZXJiZXJvc1wva25veHRva2VuXC9hcGlcL3YxXC9qd2tzLmpzb24iLCJraWQiOiJaWFF3UWtKMnNIMzNoUThYNEFlM05VODJKMTYySlBlYVRVMWZqazE3VzI4IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJjc3NvX3NzZXRoIiwiamt1IjoiaHR0cHM6XC9cL3NzZzNkbC1tYXN0ZXIwLnNzZ2UzLnhjdTItOHk4eC5kZXYuY2xkci53b3JrOjg0NDNcL3NzZzNkbFwva3Qta2VyYmVyb3NcL2tub3h0b2tlblwvYXBpXC92MVwvandrcy5qc29uIiwia2lkIjoiWlhRd1FrSjJzSDMzaFE4WDRBZTNOVTgySjE2MkpQZWFUVTFmamsxN1cyOCIsImlzcyI6IktOT1hTU08iLCJleHAiOjE2NTA0MTYwMzEsIm1hbmFnZWQudG9rZW4iOiJmYWxzZSIsImtub3guaWQiOiJmMGFlYzNjNC1kNzVhLTQ0M2ItODQ2YS1kM2FmMTNlNmJlOTEifQ.DFkepUDw6Nt9KhyOoz_u4cfMYkPlSiifZHEsj6Es5Ymy4BtASt4we3kWQc_NMAllRkL5HFK3ZZ58aFUbJvyjwklQpRQABMHSZuIkURcmz8dctH_JfWX_WtXyzwRd-KGDdLrHSn-x4tTjfc0iXdoxxqr-9wJNmcXcMZyQO3aJHV38q2hbSc9Muht_tbe_UgfI_ukfloDHxL9tWRctitjmz3T7H0SpJKxdvspIz-PaSvOOeNqTfCOKgY0hpK_CkBr1NjkyASjCyAz0hq41COt1BMbWc6djgTBl9C6bXNa1Abhn_e87Hh1kDBUdOIAd7Sbpd12oiH92ZQOnfnE0-yLS5Q",
> "token_id": "f0aec3c4-d75a-443b-846a-d3af13e6be91",
> "managed": "false",
> "endpoint_public_cert": "...",
> "token_type": "Bearer",
> "expires_in": 1650416031187,
> "passcode":
> "WmpCaFpXTXpZelF0WkRjMVlTMDBORE5pTFRnME5tRXRaRE5oWmpFelpUWmlaVGt4OjpORGhsT0Rnek5UY3RZamcyTmkwME1UY3hMVGs1WTJFdE9EazVPRGM0TnpGalpqbG0="
> }{noformat}
> If a response includes *"managed" : "false"*, then it should NOT include the
> passcode.
> Moreover, even if the token is _managed_, but the underlying token state
> backend is only in-memory ({{gateway.service.tokenstate.impl =
> org.apache.knox.gateway.services.token.impl.DefaultTokenStateService}} in
> {{gateway-site.xml}}), the passcode should be excluded from the response
> too.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
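A defender-side check for the rule the issue describes (no passcode when "managed" is false, and none when the token state backend is in-memory only), added here as an example that is not part of the Knox code base or this PR: it audits a parsed KnoxToken response and cross-checks the top-level fields against the managed.token and knox.id claims carried in the issue's sample JWT. The response dicts and tokens below are constructed, and the in_memory_backend parameter is a hypothetical stand-in for the gateway.service.tokenstate.impl setting.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT, read WITHOUT signature verification.
    This only cross-checks the gateway's own response; it never trusts the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def audit_token_response(resp: dict, in_memory_backend: bool) -> list:
    """Findings for a KnoxToken response that exposes a passcode it should not.
    in_memory_backend (hypothetical flag): True when gateway.service.tokenstate.impl
    is the in-memory DefaultTokenStateService, whose state does not survive a restart."""
    findings = []
    managed = str(resp.get("managed", "false")).lower() == "true"
    has_passcode = "passcode" in resp
    if not managed and has_passcode:
        findings.append("passcode present although managed=false")
    if managed and in_memory_backend and has_passcode:
        findings.append("passcode present although token state is in-memory only")
    claims = jwt_claims(resp["access_token"])
    if str(claims.get("managed.token", "false")).lower() != str(managed).lower():
        findings.append("top-level managed flag disagrees with managed.token claim")
    if claims.get("knox.id") != resp.get("token_id"):
        findings.append("token_id disagrees with knox.id claim")
    return findings

def _make_token(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped string for the sample responses below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + ".constructed-signature"

# Constructed samples (not real tokens): one leaking a passcode, one compliant.
LEAKY_RESPONSE = {
    "access_token": _make_token({"sub": "alice", "managed.token": "false", "knox.id": "t-1"}),
    "token_id": "t-1", "managed": "false", "token_type": "Bearer",
    "passcode": "c2hvdWxkLW5vdC1iZS1oZXJl",
}
GOOD_RESPONSE = {
    "access_token": _make_token({"sub": "alice", "managed.token": "true", "knox.id": "t-2"}),
    "token_id": "t-2", "managed": "true", "token_type": "Bearer",
    "passcode": "b2stcGVyc2lzdGVkLXN0YXRl",
}
```

Running audit_token_response over a live gateway's JSON with the backend flag set from gateway-site.xml gives an empty list once the fix from this PR is in place.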