Posted to dev@knox.apache.org by "Sandor Molnar (Jira)" <ji...@apache.org> on 2021/09/23 12:27:00 UTC

[jira] [Updated] (KNOX-2670) AliasBasedTokenStateService does not throw UnknownTokenException at revocation time

     [ https://issues.apache.org/jira/browse/KNOX-2670?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sandor Molnar updated KNOX-2670:
--------------------------------
    Description: 
*Steps to reproduce*
 # Configure Knox to use the AliasBasedTokenStateService implementation
 # Generate a token with a 1 min lifespan on the token generation UI
 # Revoke the token on the token management page
 # Use the Knox token API to revoke the already revoked token again

The result is:
{noformat}
{ "revoked": "true" }{noformat}
 

*Root cause analysis*

{{AliasBasedTokenStateService.removeToken(String tokenId)}} claims it throws {{UnknownTokenException}}, but this is not true since it's missing the {{validateToken(String)}} call. In fact, we would not even need that method: if we remove it, then {{DefaultTokenStateService.removeToken(String)}} will be invoked, which has the required check.

The good news is that the token is not maintained in memory or in the underlying keystore, because {{AliasBasedTokenStateService.removeToken(Set<String> tokenIds)}} silently tries to remove the token from the keystore and from memory, and those implementations tolerate a delete invoked with a non-existing alias.

That means the token was removed perfectly the first time.

  was:
*Steps to reproduce*
 # *Configure Knox to use the AliasBasedTokenStateService implementation*
 # *Generate a token with a 1 min lifespan on the token generation UI*
 # *Revoke the token on the token management page*
 # *Use the Knox token API to revoke the already revoked token again*

The result is:
{noformat}
{ "revoked": "true" }{noformat}
 

*Root cause analysis*

{{AliasBasedTokenStateService.removeToken(String tokenId)}} claims it throws {{UnknownTokenException}}, but this is not true since it's missing the {{validateToken(String)}} call. In fact, we would not even need that method: if we remove it, then {{DefaultTokenStateService.removeToken(String)}} will be invoked, which has the required check.

The good news is that the token is not maintained in memory or in the underlying keystore, because {{AliasBasedTokenStateService.removeToken(Set<String> tokenIds)}} silently tries to remove the token from the keystore and from memory, and those implementations tolerate a delete invoked with a non-existing alias.

That means the token was removed perfectly the first time.


> AliasBasedTokenStateService does not throw UnknownTokenException at revocation time
> -----------------------------------------------------------------------------------
>
>                 Key: KNOX-2670
>                 URL: https://issues.apache.org/jira/browse/KNOX-2670
>             Project: Apache Knox
>          Issue Type: Bug
>    Affects Versions: 1.6.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>
> *Steps to reproduce*
>  # Configure Knox to use the AliasBasedTokenStateService implementation
>  # Generate a token with a 1 min lifespan on the token generation UI
>  # Revoke the token on the token management page
>  # Use the Knox token API to revoke the already revoked token again
> The result is:
> {noformat}
> { "revoked": "true" }{noformat}
>  
> *Root cause analysis*
> {{AliasBasedTokenStateService.removeToken(String tokenId)}} claims it throws {{UnknownTokenException}}, but this is not true since it's missing the {{validateToken(String)}} call. In fact, we would not even need that method: if we remove it, then {{DefaultTokenStateService.removeToken(String)}} will be invoked, which has the required check.
> The good news is that the token is not maintained in memory or in the underlying keystore, because {{AliasBasedTokenStateService.removeToken(Set<String> tokenIds)}} silently tries to remove the token from the keystore and from memory, and those implementations tolerate a delete invoked with a non-existing alias.
> That means the token was removed perfectly the first time.
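
The root cause described in the issue, reduced to a stand-alone model. This is an added example, not Knox source code: {{BaseStore}}, {{BuggyStore}}, {{FixedStore}} and {{revokeTwice}} are hypothetical stand-ins for the services named above, and the in-memory set stands in for the keystore.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public class RevocationCheckDemo {
    static class UnknownTokenException extends Exception {
        UnknownTokenException(String id) { super("Unknown token: " + id); }
    }

    // Hypothetical stand-in for the default service: single-token removal validates first.
    static class BaseStore {
        protected final Set<String> tokens = new HashSet<>();
        void addToken(String id) { tokens.add(id); }
        protected void validateToken(String id) throws UnknownTokenException {
            if (!tokens.contains(id)) throw new UnknownTokenException(id);
        }
        void removeToken(String id) throws UnknownTokenException {
            validateToken(id);
            removeTokens(Collections.singleton(id));
        }
        // Bulk removal tolerates ids that are already gone, like the keystore delete.
        void removeTokens(Set<String> ids) { tokens.removeAll(ids); }
    }

    // Models the bug: the override declares the exception but never validates.
    static class BuggyStore extends BaseStore {
        @Override
        void removeToken(String id) throws UnknownTokenException {
            removeTokens(Collections.singleton(id));
        }
    }

    // Models the fix suggested in the issue: no override, so the inherited check runs.
    static class FixedStore extends BaseStore { }

    static String revokeTwice(BaseStore store) {
        store.addToken("t1"); // constructed sample token id
        try {
            store.removeToken("t1");
            store.removeToken("t1"); // second revocation of the same token
            return "second revocation reported success";
        } catch (UnknownTokenException e) {
            return "second revocation rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("buggy: " + revokeTwice(new BuggyStore()));
        System.out.println("fixed: " + revokeTwice(new FixedStore()));
    }
}
```

A regression test for this class of bug revokes the same token twice and asserts that the second call fails, since the tolerant delete hides the missing check from any test that only inspects the store's contents.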


