[https://issues.apache.org/jira/browse/KNOX-2790?focusedWorklogId=803309&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-803309]
ASF GitHub Bot logged work on KNOX-2790:
----------------------------------------
Author: ASF GitHub Bot
Created on: 24/Aug/22 17:11
Start Date: 24/Aug/22 17:11
Worklog Time Spent: 10m
Work Description: MrtnBalazs opened a new pull request, #624:
URL: https://github.com/apache/knox/pull/624
## What changes were proposed in this pull request?
Changed the verifier and introduced a new function called `registerToken`; this
function checks the session limits for the given user and stores the given
token. Changed the `verifySessionForUser` function; now it only checks the limit
but does not store the token. These changes were needed because previously, in
case of an attack, we would generate tokens needlessly before verifying the
session and checking the limit. Now we check the limit without a token before
token generation, so in case of an attack we do not waste resources. We then add
the token after token generation and also check the limit, because thread safety
requires it.
## How was this patch tested?
I have changed the unit tests in `InMemoryConcurrentSessionVerifierTest` and
`WebSSOResourceTest` to test the new usage of the verifier.
I also tested it manually with this configuration:
```xml
<property>
<name>gateway.session.verification.unlimited.users</name>
<value>admin</value>
</property>
<property>
<name>gateway.session.verification.privileged.users</name>
<value>tom</value>
</property>
<property>
<name>gateway.session.verification.privileged.user.limit</name>
<value>2</value>
</property>
<property>
<name>gateway.session.verification.non.privileged.user.limit</name>
<value>1</value>
</property>
<property>
<name>gateway.session.verification.expired.tokens.cleaning.period</name>
<value>80</value>
</property>
<property>
<name>gateway.service.concurrentsessionverifier.impl</name>
<value>org.apache.knox.gateway.session.control.InMemoryConcurrentSessionVerifier</value>
</property>
```
Issue Time Tracking
-------------------
Worklog Id: (was: 803309)
Remaining Estimate: 0h
Time Spent: 10m
> Split ConcurrentSessionVerifier.verifySessionForUser
> ----------------------------------------------------
>
> Key: KNOX-2790
> URL: https://issues.apache.org/jira/browse/KNOX-2790
> Project: Apache Knox
> Issue Type: Sub-task
> Components: Server
> Affects Versions: 2.0.0
> Reporter: Sandor Molnar
> Assignee: Balazs Marton
> Priority: Critical
> Fix For: 2.0.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Currently, the ConcurrentSessionVerifier.verifySessionForUser does 2 things:
> * verifies whether the user is allowed to have another session
> * registers the given token into the concurrentSessionCounter map
> These 2 functionalities should be split:
> * boolean verifySessionForUser(String userName);
> * void registerToken(String userName, JWT token);
> With this split, in WebSSOResource, the session verification can be done
> before the token is actually created and token registration can be done
> after. It's important because it might be a security leak to generate tokens
> in advance that will not be used at all but, in case token management is
> enabled, may fill up the disk/memory with unused tokens.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)