Posted to commits@knox.apache.org by sm...@apache.org on 2021/09/15 19:22:05 UTC

[knox] branch master updated: KNOX-2664 - Let end-users revoke their own tokens (#495)

This is an automated email from the ASF dual-hosted git repository.

smolnar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git


The following commit(s) were added to refs/heads/master by this push:
     new 2a0a416  KNOX-2664 - Let end-users revoke their own tokens (#495)
2a0a416 is described below

commit 2a0a41637ff79a31062065456527b2a755dcfe9d
Author: Sandor Molnar <sm...@apache.org>
AuthorDate: Wed Sep 15 21:22:01 2021 +0200

    KNOX-2664 - Let end-users revoke their own tokens (#495)
---
 .../gateway/service/knoxtoken/TokenResource.java   | 46 ++++++++++++----------
 .../knoxtoken/TokenServiceResourceTest.java        |  6 +++
 2 files changed, 32 insertions(+), 20 deletions(-)

diff --git a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
index f204720..c93f31c 100644
--- a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
+++ b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
@@ -489,27 +489,27 @@ public class TokenResource {
       error = "Token revocation support is not configured";
       errorCode = ErrorCode.CONFIGURATION_ERROR;
     } else {
-      String renewer = SubjectUtils.getCurrentEffectivePrincipalName();
-      if (allowedRenewers.contains(renewer)) {
-        try {
-          final String tokenId = getTokenId(token);
-          tokenStateService.revokeToken(tokenId);
-          log.revokedToken(getTopologyName(),
-                           Tokens.getTokenDisplayText(token),
-                           Tokens.getTokenIDDisplayText(tokenId),
-                           renewer);
-        } catch (ParseException e) {
-          log.invalidToken(getTopologyName(), Tokens.getTokenDisplayText(token), e);
-          error = safeGetMessage(e);
-          errorCode = ErrorCode.INVALID_TOKEN;
-        } catch (UnknownTokenException e) {
-          error = safeGetMessage(e);
-          errorCode = ErrorCode.UNKNOWN_TOKEN;
+      try {
+        final String revoker = SubjectUtils.getCurrentEffectivePrincipalName();
+        final String tokenId = getTokenId(token);
+        if (triesToRevokeOwnToken(tokenId, revoker) || allowedRenewers.contains(revoker)) {
+            tokenStateService.revokeToken(tokenId);
+            log.revokedToken(getTopologyName(),
+                Tokens.getTokenDisplayText(token),
+                Tokens.getTokenIDDisplayText(tokenId),
+                revoker);
+        } else {
+          errorStatus = Response.Status.FORBIDDEN;
+          error = "Caller (" + revoker + ") not authorized to revoke tokens.";
+          errorCode = ErrorCode.UNAUTHORIZED;
         }
-      } else {
-        errorStatus = Response.Status.FORBIDDEN;
-        error = "Caller (" + renewer + ") not authorized to revoke tokens.";
-        errorCode = ErrorCode.UNAUTHORIZED;
+      } catch (ParseException e) {
+        log.invalidToken(getTopologyName(), Tokens.getTokenDisplayText(token), e);
+        error = safeGetMessage(e);
+        errorCode = ErrorCode.INVALID_TOKEN;
+      } catch (UnknownTokenException e) {
+        error = safeGetMessage(e);
+        errorCode = ErrorCode.UNKNOWN_TOKEN;
       }
     }
 
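Review bot: The authorization decision on the `if` at the new side's `triesToRevokeOwnToken(tokenId, revoker) || allowedRenewers.contains(revoker)` line is now taken only after `getTokenId(token)` and the metadata lookup inside `triesToRevokeOwnToken` have run, so a caller outside `allowedRenewers`, who previously always got FORBIDDEN, now receives INVALID_TOKEN or UNKNOWN_TOKEN for malformed or unknown tokens and FORBIDDEN only for tokens that actually exist — a token-existence oracle for any authenticated user, admittedly narrow since IDs are UUIDs per the comment at the end of the next hunk. Hoisting `revoker` above the `try`, evaluating `allowedRenewers.contains(revoker)` once and first (which also spares admins the extra metadata lookup), and returning the same FORBIDDEN/UNAUTHORIZED response from the `UnknownTokenException` handler when the caller is not an allowed renewer closes the gap; the `ParseException` path reveals only that the input was malformed, not anything about the token store, so it can stay as is. The enclosing revoke method, including the declarations of `errorStatus`, `error` and `errorCode`, starts before this hunk.
```java
      final String revoker = SubjectUtils.getCurrentEffectivePrincipalName();
      final boolean allowedRenewer = allowedRenewers.contains(revoker);
      try {
        final String tokenId = getTokenId(token);
        if (allowedRenewer || triesToRevokeOwnToken(tokenId, revoker)) {
          // … unchanged: revokeToken + revokedToken log …
        } else {
          // … unchanged: FORBIDDEN / UNAUTHORIZED response …
        }
      } catch (ParseException e) {
        // … unchanged: INVALID_TOKEN handling …
      } catch (UnknownTokenException e) {
        if (allowedRenewer) {
          error = safeGetMessage(e);
          errorCode = ErrorCode.UNKNOWN_TOKEN;
        } else {
          // do not let non-renewers distinguish unknown tokens from other users' tokens
          errorStatus = Response.Status.FORBIDDEN;
          error = "Caller (" + revoker + ") not authorized to revoke tokens.";
          errorCode = ErrorCode.UNAUTHORIZED;
        }
      }
```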
@@ -527,6 +527,12 @@ public class TokenResource {
     return resp;
   }
 
+  private boolean triesToRevokeOwnToken(String tokenId, String revoker) throws UnknownTokenException {
+    final TokenMetadata metadata = tokenStateService.getTokenMetadata(tokenId);
+    final String tokenUserName = metadata == null ? "" : metadata.getUserName();
+    return StringUtils.isNotBlank(revoker) && revoker.equals(tokenUserName);
+  }
+
   /*
    * If the supplied 'token' conforms the UUID string representation, we consider
    * that as the token ID; otherwise we expect that 'token' is the entire JWT and
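Review bot: `triesToRevokeOwnToken` has no Javadoc, and its decision rests on two facts worth recording next to the method: a token with no metadata in the state service (the `metadata == null` branch) is never treated as the caller's own and silently falls back to the allowed-renewer check, and ownership is an exact, case-sensitive `equals` between the effective principal name and the user name stored in the token metadata. If any principal mapping or case normalization is applied between issuance and revocation the two names would differ and a user could not revoke their own token — hedged, since the issuance path is outside this hunk. Suggested Javadoc: `/** True iff the token's recorded user name equals the caller's effective principal name exactly; tokens without metadata are never considered owned and fall back to the allowed-renewer check. Throws UnknownTokenException if the state service has no such token. */`. A null `metadata.getUserName()` is safe here because `revoker.equals(null)` is simply false, and a blank `revoker` is rejected up front by `StringUtils.isNotBlank`.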
diff --git a/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java b/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
index 301b46f..84f1efd 100644
--- a/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
+++ b/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
@@ -822,6 +822,12 @@ public class TokenServiceResourceTest {
   }
 
   @Test
+  public void testTokenRevocation_Enabled_RevokeOwnToken() throws Exception {
+    final Response renewalResponse = doTestTokenRevocation(true, null, createTestSubject(USER_NAME));
+    validateSuccessfulRevocationResponse(renewalResponse);
+  }
+
+  @Test
   public void testKidJkuClaims() throws Exception {
     final Map<String, String> contextExpectations = new HashMap<>();
     contextExpectations.put("knox.token.ttl", "60000");
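Review bot: The new test covers only the positive path; there is no test that a principal other than the token's owner, and not in the allowed-renewer list, is still refused, which is exactly the boundary this change moves. A sibling `testTokenRevocation_Enabled_RevokeOtherUsersToken` that runs the same helper under `createTestSubject("otherUser")` and asserts a FORBIDDEN status would pin that — the helper presumably issues the token for `USER_NAME`, and the project's own response-validation helpers are not visible in this hunk, so the assertion below uses the plain status code. Also, the local on the first added line is named `renewalResponse` though it holds a revocation response; `final Response revocationResponse = doTestTokenRevocation(true, null, createTestSubject(USER_NAME));` reads correctly.
```java
  @Test
  public void testTokenRevocation_Enabled_RevokeOtherUsersToken() throws Exception {
    // assumes the helper issues the token for USER_NAME — confirm against doTestTokenRevocation
    final Response response = doTestTokenRevocation(true, null, createTestSubject("otherUser"));
    assertEquals(Response.Status.FORBIDDEN.getStatusCode(), response.getStatus());
  }
```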