Posted to commits@knox.apache.org by pz...@apache.org on 2020/02/04 18:55:53 UTC

[knox] branch master updated: KNOX-2215 - Token service should return a 403 response when the renewer is not white-listed (#251)

This is an automated email from the ASF dual-hosted git repository.

pzampino pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git


The following commit(s) were added to refs/heads/master by this push:
     new d2ee4dc  KNOX-2215 - Token service should return a 403 response when the renewer is not white-listed (#251)
d2ee4dc is described below

commit d2ee4dcb75ac41a0f5664bff1199e22eea72d506
Author: Phil Zampino <pz...@apache.org>
AuthorDate: Tue Feb 4 13:55:43 2020 -0500

    KNOX-2215 - Token service should return a 403 response when the renewer is not white-listed (#251)
---
 .../gateway/service/knoxtoken/TokenResource.java    | 21 +++++++++++++++------
 .../service/knoxtoken/TokenServiceResourceTest.java | 16 ++++++++--------
 2 files changed, 23 insertions(+), 14 deletions(-)

diff --git a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
index d6c93c1..10c62e0 100644
--- a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
+++ b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
@@ -215,7 +215,9 @@ public class TokenResource {
     Response resp;
 
     long expiration = 0;
-    String  error   = "";
+
+    String          error       = "";
+    Response.Status errorStatus = Response.Status.BAD_REQUEST;
 
     if (tokenStateService == null) {
       error = "Token renewal support is not configured";
@@ -230,6 +232,7 @@ public class TokenResource {
           error = e.getMessage();
         }
       } else {
+        errorStatus = Response.Status.FORBIDDEN;
         error = "Caller (" + renewer + ") not authorized to renew tokens.";
       }
     }
@@ -240,7 +243,7 @@ public class TokenResource {
                       .build();
     } else {
       log.badRenewalRequest(getTopologyName(), error);
-      resp = Response.status(Response.Status.BAD_REQUEST)
+      resp = Response.status(errorStatus)
                      .entity("{\n  \"renewed\": \"false\",\n  \"error\": \"" + error + "\"\n}\n")
                      .build();
     }
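Review bot: The `error` text is still concatenated into the JSON entity on the line after the new `Response.status(errorStatus)` without any escaping, and in the FORBIDDEN branch it now carries the `renewer` value (and in the exception branch `e.getMessage()`), so a quote or backslash in either produces a malformed 403/400 body; the revoke hunk that builds `"revoked": "false"` has the same shape. Building the entity with a JSON serializer, or at minimum escaping `error` (`"` to `\"`, `\` to `\\`) before interpolation, would keep the payload well-formed regardless of what the caller or exception message contains. Whether `renewer` can ever hold such characters depends on where it is derived, which is outside this hunk, but the exception-message path needs the escaping either way. The enclosing `renew` method starts and ends outside the hunk.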
@@ -254,7 +257,8 @@ public class TokenResource {
   public Response revoke(String token) {
     Response resp;
 
-    String error = "";
+    String          error       = "";
+    Response.Status errorStatus = Response.Status.BAD_REQUEST;
 
     if (tokenStateService == null) {
       error = "Token revocation support is not configured";
@@ -267,6 +271,7 @@ public class TokenResource {
           error = e.getMessage();
         }
       } else {
+        errorStatus = Response.Status.FORBIDDEN;
         error = "Caller (" + renewer + ") not authorized to revoke tokens.";
       }
     }
@@ -277,7 +282,7 @@ public class TokenResource {
                       .build();
     } else {
       log.badRevocationRequest(getTopologyName(), error);
-      resp = Response.status(Response.Status.BAD_REQUEST)
+      resp = Response.status(errorStatus)
                      .entity("{\n  \"revoked\": \"false\",\n  \"error\": \"" + error + "\"\n}\n")
                      .build();
     }
@@ -298,10 +303,14 @@ public class TokenResource {
       X509Certificate cert = extractCertificate(request);
       if (cert != null) {
         if (!allowedDNs.contains(cert.getSubjectDN().getName().replaceAll("\\s+", ""))) {
-          return Response.status(403).entity("{ \"Unable to get token - untrusted client cert.\" }").build();
+          return Response.status(Response.Status.FORBIDDEN)
+                         .entity("{ \"Unable to get token - untrusted client cert.\" }")
+                         .build();
         }
       } else {
-        return Response.status(403).entity("{ \"Unable to get token - client cert required.\" }").build();
+        return Response.status(Response.Status.FORBIDDEN)
+                       .entity("{ \"Unable to get token - client cert required.\" }")
+                       .build();
       }
     }
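Review bot: The two rewritten `.entity(...)` bodies are not valid JSON — `{ "Unable to get token - untrusted client cert." }` is a bare string inside braces with no key — so a client that parses the 403 body fails, and the shape differs from the `{ "error": "..." }` payload the renew and revoke paths return. Since these lines are already being reformatted, aligning them, e.g. `.entity("{ \"error\": \"Unable to get token - untrusted client cert.\" }")` and likewise for the client-cert-required case, would make the service's 403 responses consistent. The surrounding `cert.getSubjectDN().getName().replaceAll("\\s+", "")` comparison is unchanged context, but note that `getSubjectDN()` is denigrated in favour of `getSubjectX500Principal()` and whitespace-stripped string comparison of DNs is fragile; that is worth a follow-up rather than this commit. The enclosing method starts before and ends after this hunk.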
     GatewayServices services = (GatewayServices) request.getServletContext()
diff --git a/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java b/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
index bbe6fdd..9ccee4d 100644
--- a/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
+++ b/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
@@ -640,7 +640,7 @@ public class TokenServiceResourceTest {
   @Test
   public void testTokenRenewal_Enabled_NoRenewersNoSubject() throws Exception {
     Response renewalResponse = doTestTokenRenewal(true, null, null);
-    validateRenewalResponse(renewalResponse, 400, false, "Caller (null) not authorized to renew tokens.");
+    validateRenewalResponse(renewalResponse, 403, false, "Caller (null) not authorized to renew tokens.");
   }
 
   @Test
@@ -648,7 +648,7 @@ public class TokenServiceResourceTest {
     final String caller = "yarn";
     Response renewalResponse = doTestTokenRenewal(true, null, createTestSubject(caller));
     validateRenewalResponse(renewalResponse,
-                            400,
+                            403,
                             false,
                             "Caller (" + caller + ") not authorized to renew tokens.");
   }
@@ -657,7 +657,7 @@ public class TokenServiceResourceTest {
   public void testTokenRenewal_Enabled_WithRenewersNoSubject() throws Exception {
     Response renewalResponse = doTestTokenRenewal(true, "larry, moe,  curly ", null);
     validateRenewalResponse(renewalResponse,
-                            400,
+                            403,
                             false,
                             "Caller (null) not authorized to renew tokens.");
   }
@@ -667,7 +667,7 @@ public class TokenServiceResourceTest {
     final String caller = "shemp";
     Response renewalResponse = doTestTokenRenewal(true, "larry, moe,  curly ", createTestSubject(caller));
     validateRenewalResponse(renewalResponse,
-                            400,
+                            403,
                             false,
                             "Caller (" + caller + ") not authorized to renew tokens.");
   }
@@ -736,7 +736,7 @@ public class TokenServiceResourceTest {
   public void testTokenRevocation_Enabled_NoRenewersNoSubject() throws Exception {
     Response renewalResponse = doTestTokenRevocation(true, null, null);
     validateRevocationResponse(renewalResponse,
-                               400,
+                               403,
                                false,
                                "Caller (null) not authorized to revoke tokens.");
   }
@@ -746,7 +746,7 @@ public class TokenServiceResourceTest {
     final String caller = "yarn";
     Response renewalResponse = doTestTokenRevocation(true, null, createTestSubject(caller));
     validateRevocationResponse(renewalResponse,
-                               400,
+                               403,
                                false,
                                "Caller (" + caller + ") not authorized to revoke tokens.");
   }
@@ -755,7 +755,7 @@ public class TokenServiceResourceTest {
   public void testTokenRevocation_Enabled_WithRenewersNoSubject() throws Exception {
     Response renewalResponse = doTestTokenRevocation(true, "larry, moe,  curly ", null);
     validateRevocationResponse(renewalResponse,
-                               400,
+                               403,
                                false,
                                "Caller (null) not authorized to revoke tokens.");
   }
@@ -765,7 +765,7 @@ public class TokenServiceResourceTest {
     final String caller = "shemp";
     Response renewalResponse = doTestTokenRevocation(true, "larry, moe,  curly ", createTestSubject(caller));
     validateRevocationResponse(renewalResponse,
-                               400,
+                               403,
                                false,
                                "Caller (" + caller + ") not authorized to revoke tokens.");
   }