Posted to commits@knox.apache.org by sm...@apache.org on 2024/03/12 11:20:48 UTC
(knox) branch master updated: KNOX-3018 - Tokens that never expire should not be evicted automatically and their expiration should be displayed properly (#878)
This is an automated email from the ASF dual-hosted git repository.
smolnar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push:
new 37dc8a736 KNOX-3018 - Tokens that never expire should not be evicted automatically and their expiration should be displayed properly (#878)
37dc8a736 is described below
commit 37dc8a736507ecbd39eacfd206f8c05aa15e1745
Author: Sandor Molnar <sm...@apache.org>
AuthorDate: Tue Mar 12 12:20:43 2024 +0100
KNOX-3018 - Tokens that never expire should not be evicted automatically and their expiration should be displayed properly (#878)
---
.../gateway/services/token/impl/DefaultTokenStateService.java | 5 +++--
.../knox/gateway/services/token/impl/TokenStateDatabase.java | 4 ++--
.../gateway/services/token/impl/JDBCTokenStateServiceTest.java | 8 ++++++--
.../apache/knox/gateway/services/security/token/KnoxToken.java | 2 +-
.../token-generation/app/token-generation.service.ts | 2 +-
.../token-management/app/token.management.component.ts | 4 ++--
6 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
index 1676e14fa..18c7ea24f 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
@@ -392,9 +392,10 @@ public class DefaultTokenStateService implements TokenStateService {
* @return true, if the associated token state can be evicted; Otherwise, false.
*/
protected boolean needsEviction(final String tokenId) throws UnknownTokenException {
+ final long tokenExpiration = getTokenExpiration(tokenId, false);
// If the expiration time(+ grace period) has already passed, it should be considered expired
- long expirationWithGrace = getTokenExpiration(tokenId, false) + TimeUnit.SECONDS.toMillis(tokenEvictionGracePeriod);
- return (expirationWithGrace <= System.currentTimeMillis());
+ long expirationWithGrace = tokenExpiration + TimeUnit.SECONDS.toMillis(tokenEvictionGracePeriod);
+ return tokenExpiration > 0 && (expirationWithGrace <= System.currentTimeMillis());
}
/**
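Review bot: The never-expires guard in `needsEviction` is `tokenExpiration > 0`, while `KnoxToken.getExpiration()` and both UI checks in this commit test `< 0`, so a stored expiration of exactly 0 is exempt from eviction (here and in `GET_EXPIRED_TOKENS_SQL` / `REMOVE_EXPIRED_TOKENS_SQL` in `TokenStateDatabase`) yet is rendered as an epoch date and reported as expired by the UI. If -1 is the only intended sentinel, as the test's `addToken(..., 1, -1, 1)` suggests, the guard would be `tokenExpiration >= 0 && (expirationWithGrace <= System.currentTimeMillis())` and the SQL `expiration >= 0`; otherwise the display side should move to `<= 0`. A single named constant for the sentinel would keep all of these sites in step. The inline comment above the computation should also state that a non-positive expiration means the token is never evicted automatically.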
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/TokenStateDatabase.java b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/TokenStateDatabase.java
index a461171b4..b17b7c93b 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/TokenStateDatabase.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/TokenStateDatabase.java
@@ -43,8 +43,8 @@ public class TokenStateDatabase {
static final String TOKEN_METADATA_TABLE_NAME = "KNOX_TOKEN_METADATA";
private static final String ADD_TOKEN_SQL = "INSERT INTO " + TOKENS_TABLE_NAME + "(token_id, issue_time, expiration, max_lifetime) VALUES(?, ?, ?, ?)";
private static final String REMOVE_TOKEN_SQL = "DELETE FROM " + TOKENS_TABLE_NAME + " WHERE token_id = ?";
- private static final String GET_EXPIRED_TOKENS_SQL = "SELECT token_id FROM " + TOKENS_TABLE_NAME + " WHERE expiration < ?";
- private static final String REMOVE_EXPIRED_TOKENS_SQL = "DELETE FROM " + TOKENS_TABLE_NAME + " WHERE expiration < ?";
+ private static final String GET_EXPIRED_TOKENS_SQL = "SELECT token_id FROM " + TOKENS_TABLE_NAME + " WHERE expiration < ? AND expiration > 0";
+ private static final String REMOVE_EXPIRED_TOKENS_SQL = "DELETE FROM " + TOKENS_TABLE_NAME + " WHERE expiration < ? AND expiration > 0";
static final String GET_TOKEN_ISSUE_TIME_SQL = "SELECT issue_time FROM " + TOKENS_TABLE_NAME + " WHERE token_id = ?";
static final String GET_TOKEN_EXPIRATION_SQL = "SELECT expiration FROM " + TOKENS_TABLE_NAME + " WHERE token_id = ?";
private static final String UPDATE_TOKEN_EXPIRATION_SQL = "UPDATE " + TOKENS_TABLE_NAME + " SET expiration = ? WHERE token_id = ?";
diff --git a/gateway-server/src/test/java/org/apache/knox/gateway/services/token/impl/JDBCTokenStateServiceTest.java b/gateway-server/src/test/java/org/apache/knox/gateway/services/token/impl/JDBCTokenStateServiceTest.java
index 205c59191..c30b53545 100644
--- a/gateway-server/src/test/java/org/apache/knox/gateway/services/token/impl/JDBCTokenStateServiceTest.java
+++ b/gateway-server/src/test/java/org/apache/knox/gateway/services/token/impl/JDBCTokenStateServiceTest.java
@@ -260,9 +260,13 @@ public class JDBCTokenStateServiceTest {
final String tokenId = UUID.randomUUID().toString();
jdbcTokenStateService.addToken(tokenId, 1, 1, 1);
}
- assertEquals(tokenCount, getLongTokenAttributeFromDatabase(null, GET_TOKENS_COUNT_SQL));
+
+ //add another token that never expires
+ jdbcTokenStateService.addToken(UUID.randomUUID().toString(), 1, -1, 1);
+
+ assertEquals(tokenCount + 1, getLongTokenAttributeFromDatabase(null, GET_TOKENS_COUNT_SQL));
jdbcTokenStateService.evictExpiredTokens();
- assertEquals(0, getLongTokenAttributeFromDatabase(null, GET_TOKENS_COUNT_SQL));
+ assertEquals(1, getLongTokenAttributeFromDatabase(null, GET_TOKENS_COUNT_SQL)); //the one that never expires should remain
}
private long getLongTokenAttributeFromDatabase(String tokenId, String sql) throws SQLException {
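Review bot: The final assertion only checks that one row is left, not that the surviving row is the never-expiring token, and the boundary value 0 that the new `expiration > 0` predicate also exempts is not exercised. Keep the id in a local, e.g. `final String neverExpiringId = UUID.randomUUID().toString();`, and after `evictExpiredTokens()` assert on it with `assertEquals(-1L, getLongTokenAttributeFromDatabase(neverExpiringId, GET_TOKEN_EXPIRATION_SQL));`, assuming the helper binds the id into that query (its body is outside the hunk) and the constant from `TokenStateDatabase` is imported. The test method itself begins before the hunk.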
diff --git a/gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/KnoxToken.java b/gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/KnoxToken.java
index b34397be0..21359ca88 100644
--- a/gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/KnoxToken.java
+++ b/gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/KnoxToken.java
@@ -60,7 +60,7 @@ public class KnoxToken implements Comparable<KnoxToken>{
}
public String getExpiration() {
- return KNOX_TOKEN_TS_FORMAT.get().format(new Date(expiration));
+ return expiration < 0 ? "Never" : KNOX_TOKEN_TS_FORMAT.get().format(new Date(expiration));
}
public long getExpirationLong() {
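Review bot: `getExpiration()` now returns the literal `"Never"` for negative values, so its result is no longer always a timestamp in `KNOX_TOKEN_TS_FORMAT`, and nothing on the method says so. A Javadoc line such as `Returns the formatted expiration time, or "Never" when the stored expiration is negative (the token does not expire).` would tell callers that parse or compare this string to use `getExpirationLong()` instead. The rest of the class is outside the hunk, so whether such callers exist cannot be confirmed from here.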
diff --git a/knox-token-generation-ui/token-generation/app/token-generation.service.ts b/knox-token-generation-ui/token-generation/app/token-generation.service.ts
index 4c74cab68..f315988f7 100644
--- a/knox-token-generation-ui/token-generation/app/token-generation.service.ts
+++ b/knox-token-generation-ui/token-generation/app/token-generation.service.ts
@@ -114,7 +114,7 @@ export class TokenGenService {
accessToken: tokenData.access_token,
user: jwtJson.sub,
accessPasscode: tokenData.passcode,
- expiry: new Date(tokenData.expires_in).toLocaleString(),
+ expiry: tokenData.expires_in < 0 ? 'Never expires' : new Date(tokenData.expires_in).toLocaleString(),
homepageURL: this.baseURL + tokenData.homepage_url,
targetURL: window.location.protocol + '//' + window.location.host + this.baseURL + tokenData.target_url
};
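Review bot: The label on the `expiry` line is `'Never expires'`, while `KnoxToken.getExpiration()` and `formatDateTime` in the token management UI use `'Never'`; one wording across the three would be easier to recognise and to assert on in tests. Separately, a missing `expires_in` still falls through to `new Date(undefined)` because `undefined < 0` is false; if the field can be absent from the response, that case deserves its own branch. The enclosing object literal and method start outside the hunk.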
diff --git a/knox-token-management-ui/token-management/app/token.management.component.ts b/knox-token-management-ui/token-management/app/token.management.component.ts
index 7ed486c1c..7d83409ce 100644
--- a/knox-token-management-ui/token-management/app/token.management.component.ts
+++ b/knox-token-management-ui/token-management/app/token.management.component.ts
@@ -196,11 +196,11 @@ export class TokenManagementComponent implements OnInit {
}
formatDateTime(dateTime: number) {
- return new Date(dateTime).toLocaleString();
+ return dateTime < 0 ? 'Never' : new Date(dateTime).toLocaleString();
}
isTokenExpired(expiration: number): boolean {
- return Date.now() > expiration;
+ return expiration < 0 ? false : Date.now() > expiration;
}
getExpirationColor(expiration: number): string {
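Review bot: `getExpirationColor(expiration)` begins on the last line of this hunk and, going by the diffstat for this file, is not changed by the commit, so whether it handles a negative expiration is not visible here. If it compares `expiration` with `Date.now()` directly rather than going through `isTokenExpired`, a never-expiring token would be coloured as expired; worth checking and adding the same guard there if needed. As a style point, `isTokenExpired` reads more directly as `return expiration >= 0 && Date.now() > expiration;`.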