You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@knox.apache.org by pz...@apache.org on 2021/04/08 01:23:54 UTC
[knox] branch master updated: KNOX-2572 - Unique token identifiers
still being logged in entirety (#432)
This is an automated email from the ASF dual-hosted git repository.
pzampino pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push:
new 0ce10e3 KNOX-2572 - Unique token identifiers still being logged in entirety (#432)
0ce10e3 is described below
commit 0ce10e34a4f58002b590d40070855259ecee14b1
Author: Phil Zampino <pz...@apache.org>
AuthorDate: Wed Apr 7 21:23:46 2021 -0400
KNOX-2572 - Unique token identifiers still being logged in entirety (#432)
---
.../token/impl/AliasBasedTokenStateService.java | 28 ++++++++--------
.../token/impl/DefaultTokenStateService.java | 19 ++++++-----
.../token/impl/JournalBasedTokenStateService.java | 9 ++---
.../token/impl/ZookeeperTokenStateService.java | 21 ++++++++----
.../impl/state/MultiFileTokenStateJournal.java | 33 +++++++++++++-----
.../token/impl/ZookeeperTokenStateServiceTest.java | 35 +++++++++++++++++--
.../impl/state/MultiFileTokenStateJournalTest.java | 39 ++++++++++++++++++++++
.../java/org/apache/knox/gateway/util/Tokens.java | 10 ++++++
.../org/apache/knox/gateway/util/TokensTest.java | 18 ++++++++++
9 files changed, 169 insertions(+), 43 deletions(-)
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
index 63431dd..9c38303 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
@@ -49,14 +49,16 @@ import org.apache.knox.gateway.services.token.impl.state.TokenStateJournalFactor
import org.apache.knox.gateway.services.token.state.JournalEntry;
import org.apache.knox.gateway.services.token.state.TokenStateJournal;
import org.apache.knox.gateway.util.ExecutorServiceUtils;
+import org.apache.knox.gateway.util.Tokens;
/**
* A TokenStateService implementation based on the AliasService.
*/
public class AliasBasedTokenStateService extends DefaultTokenStateService implements TokenStatePeristerMonitorListener {
- static final String TOKEN_MAX_LIFETIME_POSTFIX = "--max";
- static final String TOKEN_META_POSTFIX = "--meta";
+ static final String TOKEN_ALIAS_SUFFIX_DELIM = "--";
+ static final String TOKEN_MAX_LIFETIME_POSTFIX = TOKEN_ALIAS_SUFFIX_DELIM + "max";
+ static final String TOKEN_META_POSTFIX = TOKEN_ALIAS_SUFFIX_DELIM + "meta";
protected AliasService aliasService;
@@ -105,7 +107,7 @@ public class AliasBasedTokenStateService extends DefaultTokenStateService implem
unpersistedState.add(new TokenExpiration(id, expiration));
}
} catch (Exception e) {
- log.failedToLoadJournalEntry(id, e);
+ log.failedToLoadJournalEntry(Tokens.getTokenIDDisplayText(id), e);
}
}
} catch (IOException e) {
@@ -227,7 +229,7 @@ public class AliasBasedTokenStateService extends DefaultTokenStateService implem
}
for (String tokenId: tokenIds) {
- log.creatingTokenStateAliases(tokenId);
+ log.creatingTokenStateAliases(Tokens.getTokenIDDisplayText(tokenId));
}
// Write aliases in a batch
@@ -241,12 +243,12 @@ public class AliasBasedTokenStateService extends DefaultTokenStateService implem
tokenStateServiceStatistics.setGatewayCredentialsFileSize(this.gatewayCredentialsFilePath.toFile().length());
}
for (String tokenId : tokenIds) {
- log.createdTokenStateAliases(tokenId);
+ log.createdTokenStateAliases(Tokens.getTokenIDDisplayText(tokenId));
// After the aliases have been successfully persisted, remove their associated state from the journal
try {
journal.remove(tokenId);
} catch (IOException e) {
- log.failedToRemoveJournalEntry(tokenId, e);
+ log.failedToRemoveJournalEntry(Tokens.getTokenIDDisplayText(tokenId), e);
}
}
} catch (AliasServiceException e) {
@@ -272,7 +274,7 @@ public class AliasBasedTokenStateService extends DefaultTokenStateService implem
try {
journal.add(tokenId, issueTime, expiration, maxLifetimeDuration, null);
} catch (IOException e) {
- log.failedToAddJournalEntry(tokenId, e);
+ log.failedToAddJournalEntry(Tokens.getTokenIDDisplayText(tokenId), e);
}
}
@@ -296,7 +298,7 @@ public class AliasBasedTokenStateService extends DefaultTokenStateService implem
result = convertCharArrayToLong(maxLifetimeStr);
}
} catch (AliasServiceException e) {
- log.errorAccessingTokenState(tokenId, e);
+ log.errorAccessingTokenState(Tokens.getTokenIDDisplayText(tokenId), e);
}
}
return result;
@@ -342,7 +344,7 @@ public class AliasBasedTokenStateService extends DefaultTokenStateService implem
} catch (UnknownTokenException e) {
throw e;
} catch (Exception e) {
- log.errorAccessingTokenState(tokenId, e);
+ log.errorAccessingTokenState(Tokens.getTokenIDDisplayText(tokenId), e);
}
return expiration;
@@ -357,7 +359,7 @@ public class AliasBasedTokenStateService extends DefaultTokenStateService implem
try {
isUnknown = (getPasswordUsingAliasService(tokenId) == null);
} catch (AliasServiceException e) {
- log.errorAccessingTokenState(tokenId, e);
+ log.errorAccessingTokenState(Tokens.getTokenIDDisplayText(tokenId), e);
}
}
return isUnknown;
@@ -396,7 +398,7 @@ public class AliasBasedTokenStateService extends DefaultTokenStateService implem
tokenStateServiceStatistics.interactKeystore(TokenStateServiceStatistics.KeystoreInteraction.REMOVE_ALIAS);
tokenStateServiceStatistics.setGatewayCredentialsFileSize(this.gatewayCredentialsFilePath.toFile().length());
}
- log.removedTokenStateAliases(String.join(", ", tokenIds));
+ log.removedTokenStateAliases(String.join(", ", Tokens.getDisplayableTokenIDsText(tokenIds)));
} catch (AliasServiceException e) {
log.failedToRemoveTokenStateAliases(e);
}
@@ -433,7 +435,7 @@ public class AliasBasedTokenStateService extends DefaultTokenStateService implem
journal.add(entry.getTokenId(), Long.parseLong(entry.getIssueTime()), Long.parseLong(entry.getExpiration()), Long.parseLong(entry.getMaxLifetime()), metadata);
}
} catch (IOException e) {
- log.failedToAddJournalEntry(tokenId, e);
+ log.failedToAddJournalEntry(Tokens.getTokenIDDisplayText(tokenId), e);
}
synchronized (unpersistedState) {
@@ -464,7 +466,7 @@ public class AliasBasedTokenStateService extends DefaultTokenStateService implem
throw new UnknownTokenException(tokenId);
}
} catch (AliasServiceException e) {
- log.errorAccessingTokenState(tokenId, e);
+ log.errorAccessingTokenState(Tokens.getTokenIDDisplayText(tokenId), e);
}
}
return tokenMetadata;
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
index b90a295..8ffc0dc 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
@@ -45,6 +45,7 @@ import org.apache.knox.gateway.services.security.token.UnknownTokenException;
import org.apache.knox.gateway.services.security.token.impl.JWT;
import org.apache.knox.gateway.services.security.token.impl.JWTToken;
import org.apache.knox.gateway.services.token.TokenStateServiceStatistics;
+import org.apache.knox.gateway.util.Tokens;
/**
* In-Memory authentication token state management implementation.
@@ -140,7 +141,7 @@ public class DefaultTokenStateService implements TokenStateService {
validateTokenIdentifier(tokenId);
tokenExpirations.put(tokenId, expiration);
setMaxLifetime(tokenId, issueTime, maxLifetimeDuration);
- log.addedToken(tokenId, getTimestampDisplay(expiration));
+ log.addedToken(Tokens.getTokenIDDisplayText(tokenId), getTimestampDisplay(expiration));
if (tokenStateServiceStatistics != null) {
tokenStateServiceStatistics.addToken();
}
@@ -156,7 +157,7 @@ public class DefaultTokenStateService implements TokenStateService {
if (permissiveValidationEnabled) {
String exp = token.getExpires();
if (exp != null) {
- log.permissiveTokenHandling(TokenUtils.getTokenId(token), e.getMessage());
+ log.permissiveTokenHandling(Tokens.getTokenIDDisplayText(TokenUtils.getTokenId(token)), e.getMessage());
expiration = Long.parseLong(exp);
}
}
@@ -215,12 +216,12 @@ public class DefaultTokenStateService implements TokenStateService {
if (hasRemainingRenewals(tokenId, renewInterval)) {
expiration = System.currentTimeMillis() + renewInterval;
updateExpiration(tokenId, expiration);
- log.renewedToken(tokenId, getTimestampDisplay(expiration));
+ log.renewedToken(Tokens.getTokenIDDisplayText(tokenId), getTimestampDisplay(expiration));
if (tokenStateServiceStatistics != null) {
tokenStateServiceStatistics.renewToken();
}
} else {
- log.renewalLimitExceeded(tokenId);
+ log.renewalLimitExceeded(Tokens.getTokenIDDisplayText(tokenId));
throw new IllegalArgumentException("The renewal limit for the token has been exceeded");
}
@@ -240,7 +241,7 @@ public class DefaultTokenStateService implements TokenStateService {
public void revokeToken(final String tokenId) throws UnknownTokenException {
/* no reason to keep revoked tokens around */
removeToken(tokenId);
- log.revokedToken(tokenId);
+ log.revokedToken(Tokens.getTokenIDDisplayText(tokenId));
}
@Override
@@ -286,7 +287,7 @@ public class DefaultTokenStateService implements TokenStateService {
tokenExpirations.keySet().removeAll(tokenIds);
maxTokenLifetimes.keySet().removeAll(tokenIds);
metadataMap.keySet().removeAll(tokenIds);
- log.removedTokenState(String.join(", ", tokenIds));
+ log.removedTokenState(String.join(", ", Tokens.getDisplayableTokenIDsText(tokenIds)));
}
protected boolean hasRemainingRenewals(final String tokenId, long renewInterval) {
@@ -317,7 +318,7 @@ public class DefaultTokenStateService implements TokenStateService {
// First, make sure the token is one we know about
if (isUnknown(tokenId)) {
- log.unknownToken(tokenId);
+ log.unknownToken(Tokens.getTokenIDDisplayText(tokenId));
throw new UnknownTokenException(tokenId);
}
}
@@ -336,11 +337,11 @@ public class DefaultTokenStateService implements TokenStateService {
for (final String tokenId : getTokenIds()) {
try {
if (needsEviction(tokenId)) {
- log.evictToken(tokenId);
+ log.evictToken(Tokens.getTokenIDDisplayText(tokenId));
tokensToEvict.add(tokenId); // Add the token to the set of tokens to evict
}
} catch (final Exception e) {
- log.failedExpiredTokenEviction(tokenId, e);
+ log.failedExpiredTokenEviction(Tokens.getTokenIDDisplayText(tokenId), e);
}
}
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/JournalBasedTokenStateService.java b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/JournalBasedTokenStateService.java
index 25597e2..5a5c1dd 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/JournalBasedTokenStateService.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/JournalBasedTokenStateService.java
@@ -25,6 +25,7 @@ import org.apache.knox.gateway.services.security.token.UnknownTokenException;
import org.apache.knox.gateway.services.token.impl.state.TokenStateJournalFactory;
import org.apache.knox.gateway.services.token.state.JournalEntry;
import org.apache.knox.gateway.services.token.state.TokenStateJournal;
+import org.apache.knox.gateway.util.Tokens;
import java.io.IOException;
import java.util.List;
@@ -56,7 +57,7 @@ public class JournalBasedTokenStateService extends DefaultTokenStateService {
super.addToken(id, issueTime, expiration, maxLifetime);
} catch (Exception e) {
- log.failedToLoadJournalEntry(id, e);
+ log.failedToLoadJournalEntry(Tokens.getTokenIDDisplayText(id), e);
}
}
} catch (IOException e) {
@@ -71,7 +72,7 @@ public class JournalBasedTokenStateService extends DefaultTokenStateService {
try {
journal.add(tokenId, issueTime, expiration, maxLifetimeDuration, null);
} catch (IOException e) {
- log.failedToAddJournalEntry(tokenId, e);
+ log.failedToAddJournalEntry(Tokens.getTokenIDDisplayText(tokenId), e);
}
}
@@ -146,7 +147,7 @@ public class JournalBasedTokenStateService extends DefaultTokenStateService {
try {
JournalEntry entry = journal.get(tokenId);
if (entry == null) {
- log.journalEntryNotFound(tokenId);
+ log.journalEntryNotFound(Tokens.getTokenIDDisplayText(tokenId));
} else {
// Adding will overwrite the existing journal entry, thus updating it with the new expiration
journal.add(entry.getTokenId(),
@@ -178,7 +179,7 @@ public class JournalBasedTokenStateService extends DefaultTokenStateService {
try {
JournalEntry entry = journal.get(tokenId);
if (entry == null) {
- log.journalEntryNotFound(tokenId);
+ log.journalEntryNotFound(Tokens.getTokenIDDisplayText(tokenId));
} else {
journal.add(entry.getTokenId(), Long.parseLong(entry.getIssueTime()), Long.parseLong(entry.getExpiration()), Long.parseLong(entry.getMaxLifetime()), metadata);
}
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/ZookeeperTokenStateService.java b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/ZookeeperTokenStateService.java
index 60d0300..f5450a7 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/ZookeeperTokenStateService.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/ZookeeperTokenStateService.java
@@ -32,6 +32,7 @@ import org.apache.knox.gateway.services.security.AliasServiceException;
import org.apache.knox.gateway.services.security.impl.ZookeeperRemoteAliasService;
import org.apache.knox.gateway.services.security.token.TokenMetadata;
import org.apache.knox.gateway.services.token.RemoteTokenStateChangeListener;
+import org.apache.knox.gateway.util.Tokens;
/**
* A Zookeeper Token State Service is actually an Alias based TSS where the 'alias service' happens to be the 'zookeeper' implementation.
@@ -105,10 +106,10 @@ public class ZookeeperTokenStateService extends AliasBasedTokenStateService impl
while (password == null && timeLimit.isAfter(Instant.now())) {
try {
TimeUnit.SECONDS.sleep(1);
- log.retryZkFetchAlias(alias);
+ log.retryZkFetchAlias(getDisplayableAliasText(alias));
password = super.getPasswordUsingAliasService(alias);
} catch (InterruptedException e) {
- log.failedRetryZkFetchAlias(alias, e.getMessage(), e);
+ log.failedRetryZkFetchAlias(getDisplayableAliasText(alias), e.getMessage(), e);
}
}
return password;
@@ -117,14 +118,14 @@ public class ZookeeperTokenStateService extends AliasBasedTokenStateService impl
@Override
public void onChanged(String alias, String updatedState) {
processAlias(alias, updatedState);
- log.onRemoteTokenStateChanged(alias);
+ log.onRemoteTokenStateChanged(getDisplayableAliasText(alias));
}
@Override
public void onRemoved(String alias) {
final String tokenId = getTokenIdFromAlias(alias);
removeTokensFromMemory(Collections.singleton(tokenId));
- log.onRemoteTokenStateRemoval(alias);
+ log.onRemoteTokenStateRemoval(getDisplayableAliasText(alias));
}
private void processAlias(String alias, String value) {
@@ -141,12 +142,18 @@ public class ZookeeperTokenStateService extends AliasBasedTokenStateService impl
updateExpirationInMemory(tokenId, expiration);
}
} catch (Throwable e) {
- log.errorWhileProcessingTokenAlias(alias, e.getMessage(), e);
+ log.errorWhileProcessingTokenAlias(getDisplayableAliasText(alias), e.getMessage(), e);
}
}
}
- private String getTokenIdFromAlias(String alias) {
- return alias.indexOf("--") == -1 ? alias : alias.substring(0, alias.indexOf("--")); // both --max and --unused starts with '--';
+ private String getTokenIdFromAlias(final String alias) {
+ return alias.contains(TOKEN_ALIAS_SUFFIX_DELIM) ? alias.substring(0, alias.indexOf(TOKEN_ALIAS_SUFFIX_DELIM)) : alias;
+ }
+
+ private String getDisplayableAliasText(final String alias) {
+ String tokenId = getTokenIdFromAlias(alias);
+ String suffix = alias.length() > tokenId.length() ? alias.substring(tokenId.length()) : "";
+ return Tokens.getTokenIDDisplayText(tokenId) + suffix;
}
}
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/state/MultiFileTokenStateJournal.java b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/state/MultiFileTokenStateJournal.java
index 6fccd60..6094670 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/state/MultiFileTokenStateJournal.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/state/MultiFileTokenStateJournal.java
@@ -21,6 +21,7 @@ package org.apache.knox.gateway.services.token.impl.state;
import org.apache.knox.gateway.config.GatewayConfig;
import org.apache.knox.gateway.services.security.token.TokenMetadata;
import org.apache.knox.gateway.services.token.state.JournalEntry;
+import org.apache.knox.gateway.util.Tokens;
import java.io.BufferedWriter;
import java.io.IOException;
@@ -63,7 +64,7 @@ class MultiFileTokenStateJournal extends FileTokenStateJournal {
// Persist each journal entry as an individual file in the journal directory
for (JournalEntry entry : entries) {
final Path entryFile = journalDir.resolve(entry.getTokenId() + ENTRY_FILE_EXT);
- log.persistingJournalEntry(entryFile.toString());
+ log.persistingJournalEntry(getDisplayableJournalFilepath(entry.getTokenId(), entryFile.toString()));
try (FileChannel fileChannel = FileChannel.open(entryFile, StandardOpenOption.WRITE,
StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING)) {
fileChannel.lock();
@@ -73,9 +74,9 @@ class MultiFileTokenStateJournal extends FileTokenStateJournal {
writer.newLine();
writer.flush();
}
- log.addedJournalEntry(entry.getTokenId());
+ log.addedJournalEntry(Tokens.getTokenIDDisplayText(entry.getTokenId()));
} catch (IOException e){
- log.failedToPersistJournalEntry(entry.getTokenId(), e);
+ log.failedToPersistJournalEntry(Tokens.getTokenIDDisplayText(entry.getTokenId()), e);
throw e;
}
}
@@ -91,13 +92,13 @@ class MultiFileTokenStateJournal extends FileTokenStateJournal {
fileChannel.lock(0L, Long.MAX_VALUE, true);
List<FileJournalEntry> entries = loadJournal(fileChannel);
if (entries.isEmpty()) {
- log.journalEntryNotFound(tokenId);
+ log.journalEntryNotFound(Tokens.getTokenIDDisplayText(tokenId));
} else {
result = entries.get(0);
}
}
} else {
- log.journalEntryNotFound(tokenId);
+ log.journalEntryNotFound(Tokens.getTokenIDDisplayText(tokenId));
}
return result;
@@ -110,7 +111,7 @@ class MultiFileTokenStateJournal extends FileTokenStateJournal {
Path entryFilePath = journalDir.resolve(tokenId + ENTRY_FILE_EXT);
if (Files.exists(entryFilePath)) {
Files.delete(entryFilePath);
- log.removedJournalEntry(tokenId);
+ log.removedJournalEntry(Tokens.getTokenIDDisplayText(tokenId));
}
}
}
@@ -128,10 +129,10 @@ class MultiFileTokenStateJournal extends FileTokenStateJournal {
fileChannel.lock(0L, Long.MAX_VALUE, true);
entries.addAll(loadJournal(fileChannel));
if (entries.isEmpty()) {
- log.emptyJournalEntry(entryFilePath.toString());
+ log.emptyJournalEntry(getDisplayableJournalFilepath(entryFilePath.toString()));
} else {
// Should only be a single entry for this implementation
- log.loadedPersistedJournalEntry(entries.get(0).getTokenId());
+ log.loadedPersistedJournalEntry(Tokens.getTokenIDDisplayText(entries.get(0).getTokenId()));
}
}
}
@@ -140,4 +141,20 @@ class MultiFileTokenStateJournal extends FileTokenStateJournal {
return entries;
}
+
+ private String getDisplayableJournalFilepath(final String tokenId, final String path) {
+ int idIndex = path.indexOf(tokenId);
+ return getDisplayableJournalFilepath(path, idIndex);
+ }
+
+ private String getDisplayableJournalFilepath(final String path) {
+ int extIndex = path.indexOf(ENTRY_FILE_EXT);
+ int idIndex = extIndex - 36; // 36 = UUID length
+ return getDisplayableJournalFilepath(path, idIndex);
+ }
+
+ private String getDisplayableJournalFilepath(final String path, int idIndex) {
+ String displayableTokenId = Tokens.getTokenIDDisplayText(path.substring(idIndex, path.indexOf(ENTRY_FILE_EXT)));
+ return path.substring(0, idIndex) + displayableTokenId + ENTRY_FILE_EXT;
+ }
}
diff --git a/gateway-server/src/test/java/org/apache/knox/gateway/services/token/impl/ZookeeperTokenStateServiceTest.java b/gateway-server/src/test/java/org/apache/knox/gateway/services/token/impl/ZookeeperTokenStateServiceTest.java
index 0e99013..b446651 100644
--- a/gateway-server/src/test/java/org/apache/knox/gateway/services/token/impl/ZookeeperTokenStateServiceTest.java
+++ b/gateway-server/src/test/java/org/apache/knox/gateway/services/token/impl/ZookeeperTokenStateServiceTest.java
@@ -26,6 +26,7 @@ import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import java.io.IOException;
+import java.lang.reflect.Method;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
@@ -98,7 +99,7 @@ public class ZookeeperTokenStateServiceTest {
final ZookeeperTokenStateService zktokenStateService = setupZkTokenStateService(SHORT_TOKEN_STATE_ALIAS_PERSISTENCE_INTERVAL);
assertFalse(zkNodeExists("/knox/security/topology/__gateway/tokens/a0/a0-token1"));
- assertFalse(zkNodeExists("/knox/security/topology/__gateway/tokens/a0/a0-token1--max"));
+ assertFalse(zkNodeExists("/knox/security/topology/__gateway/tokens/a0/a0-token1" + AliasBasedTokenStateService.TOKEN_MAX_LIFETIME_POSTFIX));
zktokenStateService.addToken("a0-token1", 1L, 2L);
@@ -106,7 +107,7 @@ public class ZookeeperTokenStateServiceTest {
Thread.sleep(2 * SHORT_TOKEN_STATE_ALIAS_PERSISTENCE_INTERVAL * 1000);
assertTrue(zkNodeExists("/knox/security/topology/__gateway/tokens/a0/a0-token1"));
- assertTrue(zkNodeExists("/knox/security/topology/__gateway/tokens/a0/a0-token1--max"));
+ assertTrue(zkNodeExists("/knox/security/topology/__gateway/tokens/a0/a0-token1" + AliasBasedTokenStateService.TOKEN_MAX_LIFETIME_POSTFIX));
}
@Test
@@ -146,6 +147,36 @@ public class ZookeeperTokenStateServiceTest {
assertEquals(zktokenStateServiceNode1.getTokenExpiration(tokenId), zktokenStateServiceNode2.getTokenExpiration(tokenId));
}
+ @Test
+ public void testTokenIDDisplayText() throws Exception {
+ ZookeeperTokenStateService tss = setupZkTokenStateService(SHORT_TOKEN_STATE_ALIAS_PERSISTENCE_INTERVAL);
+ Method m = tss.getClass().getDeclaredMethod("getDisplayableAliasText", String.class);
+ m.setAccessible(true);
+ final String uuid = UUID.randomUUID().toString();
+ final String maxAlias = uuid + ZookeeperTokenStateService.TOKEN_MAX_LIFETIME_POSTFIX;
+ final String metaAlias = uuid + ZookeeperTokenStateService.TOKEN_META_POSTFIX;
+
+ // Check an expiration alias
+ String displayableUUID = (String) m.invoke(tss, uuid);
+ assertTrue(displayableUUID.length() < uuid.length());
+ assertEquals(8, displayableUUID.indexOf("..."));
+
+ // Check a max lifetime alias
+ String displayableMaxAlias = (String) m.invoke(tss, maxAlias);
+ assertFalse(displayableMaxAlias.contains(uuid));
+ assertTrue(displayableMaxAlias.length() < maxAlias.length());
+ assertEquals(8, displayableMaxAlias.indexOf("..."));
+ assertTrue(displayableMaxAlias.endsWith(ZookeeperTokenStateService.TOKEN_MAX_LIFETIME_POSTFIX));
+
+ // Check a metadata alias
+ String displayableMetaAlias = (String) m.invoke(tss, metaAlias);
+ assertFalse(displayableMetaAlias.contains(uuid));
+ assertTrue(displayableMetaAlias.length() < metaAlias.length());
+ assertEquals(8, displayableMetaAlias.indexOf("..."));
+ assertTrue(displayableMetaAlias.endsWith(ZookeeperTokenStateService.TOKEN_META_POSTFIX));
+
+ }
+
private ZookeeperTokenStateService setupZkTokenStateService(long persistenceInterval) throws IOException, KeystoreServiceException, ServiceLifecycleException {
// mocking GatewayConfig
final GatewayConfig gc = EasyMock.createNiceMock(GatewayConfig.class);
diff --git a/gateway-server/src/test/java/org/apache/knox/gateway/services/token/impl/state/MultiFileTokenStateJournalTest.java b/gateway-server/src/test/java/org/apache/knox/gateway/services/token/impl/state/MultiFileTokenStateJournalTest.java
index 938a7e4..a2466e8 100644
--- a/gateway-server/src/test/java/org/apache/knox/gateway/services/token/impl/state/MultiFileTokenStateJournalTest.java
+++ b/gateway-server/src/test/java/org/apache/knox/gateway/services/token/impl/state/MultiFileTokenStateJournalTest.java
@@ -20,8 +20,15 @@ package org.apache.knox.gateway.services.token.impl.state;
import org.apache.knox.gateway.config.GatewayConfig;
import org.apache.knox.gateway.services.token.state.TokenStateJournal;
+import org.junit.Test;
import java.io.IOException;
+import java.lang.reflect.Method;
+import java.util.UUID;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
public class MultiFileTokenStateJournalTest extends AbstractFileTokenStateJournalTest {
@@ -30,4 +37,36 @@ public class MultiFileTokenStateJournalTest extends AbstractFileTokenStateJourna
return new MultiFileTokenStateJournal(config);
}
+ @Test
+ public void testGetDisplayableJournalFilepathWithoutID() throws Exception {
+ final String dirPath = "/tmp/test/tokens/journal/";
+ final String tokenId = UUID.randomUUID().toString();
+ final String entryFilePath = dirPath + tokenId + MultiFileTokenStateJournal.ENTRY_FILE_EXT;
+ MultiFileTokenStateJournal journal = (MultiFileTokenStateJournal) createTokenStateJournal(getGatewayConfig());
+ Method m = MultiFileTokenStateJournal.class.getDeclaredMethod("getDisplayableJournalFilepath", String.class);
+ assertNotNull(m);
+ m.setAccessible(true);
+ String displayablePath = (String) m.invoke(journal, entryFilePath);
+ assertNotNull(displayablePath);
+ assertTrue(displayablePath.length() < entryFilePath.length());
+ assertFalse(displayablePath.contains(tokenId));
+ }
+
+ @Test
+ public void testGetDisplayableJournalFilepathWithID() throws Exception {
+ final String dirPath = "/tmp/test/tokens/journal/";
+ final String tokenId = UUID.randomUUID().toString();
+ final String entryFilePath = dirPath + tokenId + MultiFileTokenStateJournal.ENTRY_FILE_EXT;
+ MultiFileTokenStateJournal journal = (MultiFileTokenStateJournal) createTokenStateJournal(getGatewayConfig());
+ Method m = MultiFileTokenStateJournal.class.getDeclaredMethod("getDisplayableJournalFilepath",
+ String.class,
+ String.class);
+ assertNotNull(m);
+ m.setAccessible(true);
+ String displayablePath = (String) m.invoke(journal, tokenId, entryFilePath);
+ assertNotNull(displayablePath);
+ assertTrue(displayablePath.length() < entryFilePath.length());
+ assertFalse(displayablePath.contains(tokenId));
+ }
+
}
diff --git a/gateway-util-common/src/main/java/org/apache/knox/gateway/util/Tokens.java b/gateway-util-common/src/main/java/org/apache/knox/gateway/util/Tokens.java
index 52b7a35..57235d5 100644
--- a/gateway-util-common/src/main/java/org/apache/knox/gateway/util/Tokens.java
+++ b/gateway-util-common/src/main/java/org/apache/knox/gateway/util/Tokens.java
@@ -16,7 +16,9 @@
*/
package org.apache.knox.gateway.util;
+import java.util.HashSet;
import java.util.Locale;
+import java.util.Set;
public class Tokens {
@@ -58,4 +60,12 @@ public class Tokens {
return displayText;
}
+ public static Set<String> getDisplayableTokenIDsText(final Set<String> tokenIds) {
+ Set<String> displayableTokenIds = new HashSet<>();
+ for (String tokenId : tokenIds) {
+ displayableTokenIds.add(Tokens.getTokenIDDisplayText(tokenId));
+ }
+ return displayableTokenIds;
+ }
+
}
diff --git a/gateway-util-common/src/test/java/org/apache/knox/gateway/util/TokensTest.java b/gateway-util-common/src/test/java/org/apache/knox/gateway/util/TokensTest.java
index 0d54375..afabc64 100644
--- a/gateway-util-common/src/test/java/org/apache/knox/gateway/util/TokensTest.java
+++ b/gateway-util-common/src/test/java/org/apache/knox/gateway/util/TokensTest.java
@@ -20,6 +20,8 @@ package org.apache.knox.gateway.util;
import org.junit.Test;
+import java.util.HashSet;
+import java.util.Set;
import java.util.UUID;
import static org.junit.Assert.assertEquals;
@@ -66,6 +68,21 @@ public class TokensTest {
doTestTokenDisplay(new String(invalid), true);
}
+ @Test
+ public void testDisplayableTokenIDSet() throws Exception {
+ final Set<String> tokenIDs = new HashSet<>();
+ for (int i=0 ; i < 5; i++) {
+ tokenIDs.add(UUID.randomUUID().toString());
+ }
+
+ Set<String> displayableTokenIDs = Tokens.getDisplayableTokenIDsText(tokenIDs);
+
+ for (String displayable : displayableTokenIDs) {
+ assertTrue(displayable.length() < 36);
+ assertTrue(displayable.contains("..."));
+ }
+ }
+
private void doTestTokenDisplay(final String tokenId) {
doTestTokenDisplay(tokenId, false);
}
@@ -82,4 +99,5 @@ public class TokensTest {
displayableTokenId);
}
}
+
}