Posted to commits@knox.apache.org by sm...@apache.org on 2021/09/15 19:22:05 UTC
[knox] branch master updated: KNOX-2664 - Let end-users revoke
their own tokens (#495)
This is an automated email from the ASF dual-hosted git repository.
smolnar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push:
new 2a0a416 KNOX-2664 - Let end-users revoke their own tokens (#495)
2a0a416 is described below
commit 2a0a41637ff79a31062065456527b2a755dcfe9d
Author: Sandor Molnar <sm...@apache.org>
AuthorDate: Wed Sep 15 21:22:01 2021 +0200
KNOX-2664 - Let end-users revoke their own tokens (#495)
---
.../gateway/service/knoxtoken/TokenResource.java | 46 ++++++++++++----------
.../knoxtoken/TokenServiceResourceTest.java | 6 +++
2 files changed, 32 insertions(+), 20 deletions(-)
diff --git a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
index f204720..c93f31c 100644
--- a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
+++ b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
@@ -489,27 +489,27 @@ public class TokenResource {
error = "Token revocation support is not configured";
errorCode = ErrorCode.CONFIGURATION_ERROR;
} else {
- String renewer = SubjectUtils.getCurrentEffectivePrincipalName();
- if (allowedRenewers.contains(renewer)) {
- try {
- final String tokenId = getTokenId(token);
- tokenStateService.revokeToken(tokenId);
- log.revokedToken(getTopologyName(),
- Tokens.getTokenDisplayText(token),
- Tokens.getTokenIDDisplayText(tokenId),
- renewer);
- } catch (ParseException e) {
- log.invalidToken(getTopologyName(), Tokens.getTokenDisplayText(token), e);
- error = safeGetMessage(e);
- errorCode = ErrorCode.INVALID_TOKEN;
- } catch (UnknownTokenException e) {
- error = safeGetMessage(e);
- errorCode = ErrorCode.UNKNOWN_TOKEN;
+ try {
+ final String revoker = SubjectUtils.getCurrentEffectivePrincipalName();
+ final String tokenId = getTokenId(token);
+ if (triesToRevokeOwnToken(tokenId, revoker) || allowedRenewers.contains(revoker)) {
+ tokenStateService.revokeToken(tokenId);
+ log.revokedToken(getTopologyName(),
+ Tokens.getTokenDisplayText(token),
+ Tokens.getTokenIDDisplayText(tokenId),
+ revoker);
+ } else {
+ errorStatus = Response.Status.FORBIDDEN;
+ error = "Caller (" + revoker + ") not authorized to revoke tokens.";
+ errorCode = ErrorCode.UNAUTHORIZED;
}
- } else {
- errorStatus = Response.Status.FORBIDDEN;
- error = "Caller (" + renewer + ") not authorized to revoke tokens.";
- errorCode = ErrorCode.UNAUTHORIZED;
+ } catch (ParseException e) {
+ log.invalidToken(getTopologyName(), Tokens.getTokenDisplayText(token), e);
+ error = safeGetMessage(e);
+ errorCode = ErrorCode.INVALID_TOKEN;
+ } catch (UnknownTokenException e) {
+ error = safeGetMessage(e);
+ errorCode = ErrorCode.UNKNOWN_TOKEN;
}
}
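Review bot: The authorization decision in the new `if (triesToRevokeOwnToken(tokenId, revoker) || allowedRenewers.contains(revoker))` now runs after `getTokenId(token)` and after the metadata lookup inside the helper, so a caller who is neither an allowed renewer nor the token's owner receives INVALID_TOKEN or UNKNOWN_TOKEN where the removed code answered FORBIDDEN without inspecting the token; any authenticated principal can therefore probe whether a given token ID is known to the token state service, and malformed tokens from such callers are now recorded through `log.invalidToken`. The smallest change that restores the previous answer for non-owners is to have the helper added in the second hunk treat an unknown token as "not the caller's own" instead of propagating `UnknownTokenException`; an allowed renewer would still get UNKNOWN_TOKEN from `tokenStateService.revokeToken(tokenId)` as before, assuming that call throws for unknown IDs as the existing catch clause suggests. The ParseException path would still differ for callers outside `allowedRenewers`; closing that would mean mapping parse failures to FORBIDDEN for those callers. The enclosing method starts before and ends after this hunk.
```java
private boolean triesToRevokeOwnToken(String tokenId, String revoker) {
  try {
    final TokenMetadata metadata = tokenStateService.getTokenMetadata(tokenId);
    final String tokenUserName = metadata == null ? "" : metadata.getUserName();
    return StringUtils.isNotBlank(revoker) && revoker.equals(tokenUserName);
  } catch (UnknownTokenException e) {
    // An unknown token is never the caller's own; the caller's own authorization decides the response.
    return false;
  }
}
```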
@@ -527,6 +527,12 @@ public class TokenResource {
return resp;
}
+ private boolean triesToRevokeOwnToken(String tokenId, String revoker) throws UnknownTokenException {
+ final TokenMetadata metadata = tokenStateService.getTokenMetadata(tokenId);
+ final String tokenUserName = metadata == null ? "" : metadata.getUserName();
+ return StringUtils.isNotBlank(revoker) && revoker.equals(tokenUserName);
+ }
+
/*
* If the supplied 'token' conforms the UUID string representation, we consider
* that as the token ID; otherwise we expect that 'token' is the entire JWT and
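Review bot: `triesToRevokeOwnToken` has no Javadoc although it is part of an authorization decision; it should state that it returns true only when `revoker` is non-blank and exactly equals the user name recorded in the token's metadata, that a token with null metadata is never treated as the caller's own, and carry `@throws UnknownTokenException if the token state service does not know {@code tokenId}`. The `equals` comparison is case-sensitive; whether `SubjectUtils.getCurrentEffectivePrincipalName()` and `TokenMetadata.getUserName()` apply the same normalization cannot be seen here, and a short comment such as `// principal name and stored user name are compared verbatim (case-sensitive)` would make that assumption explicit for the next reader.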
diff --git a/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java b/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
index 301b46f..84f1efd 100644
--- a/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
+++ b/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
@@ -822,6 +822,12 @@ public class TokenServiceResourceTest {
}
@Test
+ public void testTokenRevocation_Enabled_RevokeOwnToken() throws Exception {
+ final Response renewalResponse = doTestTokenRevocation(true, null, createTestSubject(USER_NAME));
+ validateSuccessfulRevocationResponse(renewalResponse);
+ }
+
+ @Test
public void testKidJkuClaims() throws Exception {
final Map<String, String> contextExpectations = new HashMap<>();
contextExpectations.put("knox.token.ttl", "60000");
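Review bot: In `testTokenRevocation_Enabled_RevokeOwnToken` the response local is named `renewalResponse` although the test exercises revocation; `final Response revocationResponse = doTestTokenRevocation(true, null, createTestSubject(USER_NAME));` reads correctly and avoids confusion with the renewal tests nearby. The new test only covers the positive case; unless the existing suite already has one (not visible here), a companion test in which a subject outside the allowed renewers revokes a token issued to a different user and expects FORBIDDEN would pin the authorization boundary this commit introduces. `testKidJkuClaims` continues past the end of the hunk.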