smolnar82 opened a new pull request, #880: URL: https://github.com/apache/knox/pull/880
## What changes were proposed in this pull request?

Implemented what's described in [KNOX-3019](https://issues.apache.org/jira/browse/KNOX-3019):
- if `knox.token.exp.max-lifetime` is set to a negative value, tokens can be renewed without a maximum lifetime check
- only non-expired tokens can be renewed

## How was this patch tested?

Updated current and added new JUnit tests.

Conducted manual testing. In both test rounds, the Token TTL was set to 60 seconds and the token renewal interval was 30 seconds.

**1. Maximum lifetime set to 120 seconds**

```
<param>
  <name>knox.token.exp.max-lifetime</name>
  <value>120000</value>
</param>
<param>
  <name>knox.token.exp.renew-interval</name>
  <value>30000</value>
</param>
```
```
curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 09:48:02 GMT
...
{"access_token":"eyJqa3UiOiJo...cd3baa","managed":"true",...}
```
```
curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 09:48:17 GMT
...
{"tokens":[{"tokenId":"896fa357-2db4-42ec-b70a-8a63fecd3baa","issueTime":"2024-03-13T10:48:03.574+0100","expiration":"2024-03-13T10:49:03.445+0100","maxLifetime":"2024-03-13T10:50:03.574+0100","metadata":{"knoxSsoCookie":false,"customMetadataMap":{},"lastUsedAt":null,"createdBy":null,"enabled":true,"userName":"admin","comment":null},"issueTimeLong":1710323283574,"expirationLong":1710323343445,"maxLifetimeLong":1710323403574}]}
```
```
export KNOX_TOKEN="eyJqa3UiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2dhdGV3YXlcL3NhbmRib3hcL2tub3h0b2tlblwvYXBpXC92Mlwvandrcy5qc29uIiwia2lkIjoiaEZLVjIwMFRvUlpvZ3h2STZGVnZrODgxY3dsbzhUZHV2NlV4OTZZbmVhRSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZG1pbiIsImprdSI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6ODQ0M1wvZ2F0ZXdheVwvc2FuZGJveFwva25veHRva2VuXC9hcGlcL3YyXC9qd2tzLmpzb24iLCJraWQiOiJoRktWMjAwVG9SWm9neHZJNkZWdms4ODFjd2xvOFRkdXY2VXg5NlluZWFFIiwiaXNzIjoiS05PWFNTTyIsImV4cCI6MTcxMDMyMzM0MywibWFuYWdlZC50b2tlbiI6InRydWUiLCJrbm94LmlkIjoiODk2ZmEzNTctMmRiNC00MmVjLWI3MGEtOGE2M2ZlY2QzYmFhIn0.B83Nk8tdo_rsOWTJNHjYqYTkJ89vCaTqb1ICc_4stNl-lI2qd7WHA6vJ_5r-8VJ3m-DnnM4eYobiiCM7cYcX8pOdTcKKJtdxf71qTjHaAcLLEfsZrPTNqjRaOyyXYSMc4FhAHgZST_tzalqCZlRkEXmjb8ujKiSy4mjKsTp0kBr-YuzX7pFXYmTm-MHhJMtsgUkRMUJJ1U_f8idX1ey75JKiQHpo6pq3f05hdUxE0Sf3cIgdu26i61Fz2LP4HiLdyEC2D8AsgshG0gcJ3iO9219G5JE7L7wBk2srmF5FSifw5r6ame9mbPC6jf38ILnAjH98ZxtsvLVlyKoPg1VN5w"
```
```
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 09:48:35 GMT
...
{
  "renewed": "true",
  "expires": "1710323345043"
}
```
```
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
...
{"tokens":[{"tokenId":"896fa357-2db4-42ec-b70a-8a63fecd3baa","issueTime":"2024-03-13T10:48:03.574+0100","expiration":"2024-03-13T10:49:05.043+0100","maxLifetime":"2024-03-13T10:50:03.574+0100","metadata":{"knoxSsoCookie":false,"customMetadataMap":{},"lastUsedAt":null,"createdBy":null,"enabled":true,"userName":"admin","comment":null},"issueTimeLong":1710323283574,"expirationLong":1710323345043,"maxLifetimeLong":1710323403574}]}
```
```
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 09:49:02 GMT
...
{
  "renewed": "true",
  "expires": "1710323372533"
}
```
```
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 400 Bad Request
Date: Wed, 13 Mar 2024 09:49:15 GMT
...
{
  "renewed": "false",
  "error": "The renewal limit for the token has been exceeded",
  "code": 30
}
```
```
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 09:49:35 GMT
...
{"tokens":[{"tokenId":"896fa357-2db4-42ec-b70a-8a63fecd3baa","issueTime":"2024-03-13T10:48:03.574+0100","expiration":"2024-03-13T10:49:32.533+0100","maxLifetime":"2024-03-13T10:50:03.574+0100","metadata":{"knoxSsoCookie":false,"customMetadataMap":{},"lastUsedAt":null,"createdBy":null,"enabled":true,"userName":"admin","comment":null},"issueTimeLong":1710323283574,"expirationLong":1710323372533,"maxLifetimeLong":1710323403574}]}$
```

As you can see, if maximum lifetime is configured, tokens cannot be renewed after they reach that time (minus a 30-second hardcoded buffer).

**2. Maximum lifetime set to -1**

````
<param>
  <name>knox.token.exp.max-lifetime</name>
  <value>-1</value>
</param>
<param>
  <name>knox.token.exp.renew-interval</name>
  <value>30000</value>
</param>
````
````
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:09:39 GMT
...
{"access_token":"eyJqa3UiOiJodH...-rp3MD-O0g","token_id":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","managed":"true",...}
````
````
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:09:50 GMT
...
{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:10:39.105+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324639105,"maxLifetimeLong":-1}]}
````
````
export KNOX_TOKEN="eyJqa3UiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2dhdGV3YXlcL3NhbmRib3hcL2tub3h0b2tlblwvYXBpXC92Mlwvandrcy5qc29uIiwia2lkIjoieUlFRFVtaEI3M2hxaG9vNmQ2LVRFMEtCTzVGNFYydzV6WU40MjZoMEZIbyIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZG1pbiIsImprdSI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6ODQ0M1wvZ2F0ZXdheVwvc2FuZGJveFwva25veHRva2VuXC9hcGlcL3YyXC9qd2tzLmpzb24iLCJraWQiOiJ5SUVEVW1oQjczaHFob282ZDYtVEUwS0JPNUY0VjJ3NXpZTjQyNmgwRkhvIiwiaXNzIjoiS05PWFNTTyIsImV4cCI6MTcxMDMyNDYzOSwibWFuYWdlZC50b2tlbiI6InRydWUiLCJrbm94LmlkIjoiMTlmMDA3NWUtOTNlZC00ZGJjLWEyZTYtZWU2YTgzMWQwMjVlIn0.CBiaq_8Z08zNKFgqMCdtbgJkwTBEzVoa73V1M6CisDKVnQwMv-PjnlMMHtikQshoBjH5vZqsPyOYw4YJRPGPli0oBoG06cBGxVEuJGrTUogr1Jhb9F5k6vjnPAuTWZHbJKw47kI9lr-7YHqfMAginFXEhT4WgEnHT_vUgDJBlP5ljZe6_mgKn91AE1U_Jf3QdTKCd2ZMO-ptpRbEbvc4hqcdMagb7Qc_gx6peetteFqJdGGN5ErqDHAuWHNbwod7wHg2P0iZw6CuDdZoRyuwiHSKTV0Y0GtH3azA7Uv3W97xCer28cq4Kp3fKMDUUUzW-77QpWzqbPpY-rp3MD-O0g"
````
````
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:10:14 GMT
...
{
  "renewed": "true",
  "expires": "1710324644107"
}
````
````
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:10:19 GMT
...
{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:10:44.107+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324644107,"maxLifetimeLong":-1}]}
````
````
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:10:28 GMT
...
{
  "renewed": "true",
  "expires": "1710324658434"
}
````
````
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:10:32 GMT
...
{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:10:58.434+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324658434,"maxLifetimeLong":-1}]}
````
````
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:10:41 GMT
...
{
  "renewed": "true",
  "expires": "1710324671849"
}
````
````
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:10:49 GMT
...
{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:11:11.849+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324671849,"maxLifetimeLong":-1}]}
````
````
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:10:55 GMT
...
{
  "renewed": "true",
  "expires": "1710324685194"
}
````
````
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:11:02 GMT
...
{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:11:25.194+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324685194,"maxLifetimeLong":-1}]}
````
````
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:11:15 GMT
...
{
  "renewed": "true",
  "expires": "1710324705093"
}
````
````
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:11:17 GMT
...
{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:11:45.093+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324705093,"maxLifetimeLong":-1}]}
````
````
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:11:28 GMT
...
{
  "renewed": "true",
  "expires": "1710324718352"
}
````
````
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:11:31 GMT
...
{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:11:58.352+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324718352,"maxLifetimeLong":-1}]}
````
````
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:11:46 GMT
...
{
  "renewed": "true",
  "expires": "1710324736987"
}
````
````
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:11:50 GMT
...
{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:12:16.987+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324736987,"maxLifetimeLong":-1}]}
````
````
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:12:03 GMT
...
{
  "renewed": "true",
  "expires": "1710324753051"
}
````
````
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:12:06 GMT
...
{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:12:33.051+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324753051,"maxLifetimeLong":-1}]}
````
````
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:12:20 GMT
...
{
  "renewed": "true",
  "expires": "1710324770295"
}
````
````
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:12:23 GMT
...
{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:12:50.295+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324770295,"maxLifetimeLong":-1}]}
````
````
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 400 Bad Request
Date: Wed, 13 Mar 2024 10:12:56 GMT
...
{
  "renewed": "false",
  "error": "Expired tokens must not be renewed.",
  "code": 90
}
````
````
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:13:02 GMT
...
{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:12:50.295+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324770295,"maxLifetimeLong":-1}]}
````

As this test proves, setting the maximum lifetime allows token renewal operations as many times as one needs as long as the token has not expired. The original token expiration was `2024-03-13T11:10:39`, and I could extend that up until `2024-03-13T11:12:50` (more than 2 minutes) easily.
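
An added example, not part of the pull request or of Knox's code: a small model of the renewal rules described above, replayed against the `issueTimeLong`/`expirationLong` values and the `Date` headers of the renew calls from both test rounds. The exact comparison against the max-lifetime limit, and the names `renew`, `replay`, `ROUND1` and `ROUND2`, are assumptions chosen to reproduce the transcripts.

```python
# Added model of the renewal rules in this pull request; not Apache Knox source code.
RENEW_INTERVAL_MS = 30_000   # knox.token.exp.renew-interval used in both test rounds
BUFFER_MS = 30_000           # the "30-second hardcoded buffer" from the description


def renew(now_ms, issue_ms, expiration_ms, max_lifetime_ms):
    """Return (expiration_ms, error_code); error_code is None when renewed.

    max_lifetime_ms mirrors knox.token.exp.max-lifetime: negative means unbounded.
    The comparison below is an assumption that reproduces the transcripts.
    """
    if now_ms >= expiration_ms:
        return expiration_ms, 90      # "Expired tokens must not be renewed."
    new_expiration = now_ms + RENEW_INTERVAL_MS
    limit = issue_ms + max_lifetime_ms - BUFFER_MS
    if max_lifetime_ms >= 0 and new_expiration > limit:
        return expiration_ms, 30      # "The renewal limit for the token has been exceeded"
    return new_expiration, None


def replay(issue_ms, expiration_ms, max_lifetime_ms, attempts_s):
    """Apply renew attempts (epoch seconds) in order; return (codes, final expiry)."""
    codes = []
    for t in attempts_s:
        expiration_ms, code = renew(t * 1000, issue_ms, expiration_ms, max_lifetime_ms)
        codes.append(code)
    return codes, expiration_ms


# Round 1: issueTimeLong, first expirationLong, Date headers of the three renew calls.
ROUND1 = (1710323283574, 1710323343445, [1710323315, 1710323342, 1710323355])
# Round 2: same fields, with the ten renew calls from 10:10:14 to 10:12:56 GMT.
ROUND2 = (1710324579109, 1710324639105,
          [1710324614, 1710324628, 1710324641, 1710324655, 1710324675,
           1710324688, 1710324706, 1710324723, 1710324740, 1710324776])

if __name__ == "__main__":
    print("round 1, max-lifetime=120000:", replay(ROUND1[0], ROUND1[1], 120_000, ROUND1[2]))
    print("round 2, max-lifetime=-1:    ", replay(ROUND2[0], ROUND2[1], -1, ROUND2[2]))
    print("round 2 calls, bounded:      ", replay(ROUND2[0], ROUND2[1], 120_000, ROUND2[2]))
```

The third call replays the round 2 schedule with a 120-second bound, a combination the description did not test: under this model the renewals stop with code 30 and the token then runs into code 90.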