Posted to commits@knox.apache.org by sm...@apache.org on 2024/03/14 13:53:40 UTC
(knox) branch master updated: KNOX-3020 - Introducing the 'type' metadata for Knox Tokens (#881)
This is an automated email from the ASF dual-hosted git repository.
smolnar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push:
new 67ebe9ae9 KNOX-3020 - Introducing the 'type' metadata for Knox Tokens (#881)
67ebe9ae9 is described below
commit 67ebe9ae9fffe73ca13c335b1aaa14446b343aa3
Author: Sandor Molnar <sm...@apache.org>
AuthorDate: Thu Mar 14 14:53:34 2024 +0100
KNOX-3020 - Introducing the 'type' metadata for Knox Tokens (#881)
---
.../federation/jwt/filter/AbstractJWTFilter.java | 12 ++-----
.../gateway/service/knoxsso/WebSSOResource.java | 2 +-
.../knoxtoken/TokenServiceResourceTest.java | 2 +-
.../services/security/token/TokenMetadata.java | 35 +++++++++++++++------
.../services/security/token/TokenMetadataType.java | 23 ++++++++++++++
.../token-management/app/metadata.ts | 2 +-
.../app/token.management.component.html | 7 ++---
.../app/token.management.component.ts | 8 ++---
.../token-management/assets/CLIENT_ID.png | Bin 0 -> 9938 bytes
.../token-management/assets/JWT.png | Bin 0 -> 26880 bytes
.../token-management/assets/KNOXSSO_COOKIE.png | Bin 0 -> 39938 bytes
11 files changed, 60 insertions(+), 31 deletions(-)
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
index 90fd117b9..b58ad5e42 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
@@ -96,8 +96,6 @@ public abstract class AbstractJWTFilter implements Filter {
*/
public static final String JWT_EXPECTED_SIGALG = "jwt.expected.sigalg";
public static final String JWT_DEFAULT_SIGALG = "RS256";
- public static final String TYPE = "type";
- public static final String CLIENT_ID = "CLIENT_ID";
static JWTMessages log = MessagesFactory.get( JWTMessages.class );
@@ -302,9 +300,7 @@ public abstract class AbstractJWTFilter implements Filter {
public Subject createSubjectFromTokenIdentifier(final String tokenId) throws UnknownTokenException {
TokenMetadata metadata = tokenStateService.getTokenMetadata(tokenId);
- String username = null;
if (metadata != null) {
- String type = metadata.getMetadata(TYPE);
// using tokenID and passcode as CLIENT_ID and CLIENT_SECRET will
// result in a metadata item called "type". If the value is set
// to CLIENT_ID then it will be assumed to be a CLIENT_ID and we
@@ -312,12 +308,8 @@ public abstract class AbstractJWTFilter implements Filter {
// token id until it is created, the username is always the same
// in the record. Using the token id makes it a unique username for
// audit and the like.
- if (CLIENT_ID.equalsIgnoreCase(type)) {
- username = tokenId;
- }
- else {
- username = metadata.getUserName();
- }
+ final String username = metadata.isClientId() ? tokenId : metadata.getUserName();
+
return createSubjectFromTokenData(username, null);
}
return null;
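Review bot: The new one-line username selection relies on `metadata.isClientId()`, which in this same patch parses the stored `type` with `TokenMetadataType.valueOf`, so a token record whose `type` is not an exact enum name now surfaces here as an IllegalArgumentException, where the removed lines performed a case-insensitive comparison that could not throw. That exception is unchecked and is not the `UnknownTokenException` this method declares, so a caller that treats the declared type as the authentication-failure signal would let a malformed or legacy record propagate out of the filter instead of being rejected cleanly. Either make the predicate in TokenMetadata tolerant, or guard the call here, e.g. `if (!(metadata.isClientId() || metadata.getUserName() != null)) ...` is not enough — wrap it: `try { ... } catch (IllegalArgumentException e) { throw new UnknownTokenException(tokenId); }`, with the UnknownTokenException constructor to be confirmed since it is not visible here. The closing brace of createSubjectFromTokenIdentifier lies outside this hunk.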
diff --git a/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java b/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java
index 56e72b317..641e15a7d 100644
--- a/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java
+++ b/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java
@@ -449,7 +449,7 @@ public class WebSSOResource {
final long issueTime = System.currentTimeMillis();
tokenStateService.addToken(tokenId, issueTime, token.getExpiresDate().getTime(), tokenStateService.getDefaultMaxLifetimeDuration());
final TokenMetadata tokenMetadata = new TokenMetadata(token.getSubject());
- tokenMetadata.setKnoxSsoCookie(true);
+ tokenMetadata.markKnoxSsoCookie();
tokenMetadata.useTokenNow();
tokenStateService.addMetadata(tokenId, tokenMetadata);
LOGGER.storedToken(getTopologyName(), Tokens.getTokenDisplayText(token.toString()), Tokens.getTokenIDDisplayText(tokenId));
diff --git a/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java b/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
index 5dec1162b..169650e02 100644
--- a/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
+++ b/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
@@ -1130,7 +1130,7 @@ public class TokenServiceResourceTest {
final String tokenId = getTagValue(tokenResponse.getEntity().toString(), "token_id");
assertNotNull(tokenId);
final TokenMetadata tokenMetadata = new TokenMetadata(USER_NAME);
- tokenMetadata.setKnoxSsoCookie(true);
+ tokenMetadata.markKnoxSsoCookie();
tss.addMetadata(tokenId, tokenMetadata);
}
diff --git a/gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/TokenMetadata.java b/gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/TokenMetadata.java
index a48d38d05..cb4ee25ac 100644
--- a/gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/TokenMetadata.java
+++ b/gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/TokenMetadata.java
@@ -37,9 +37,9 @@ public class TokenMetadata {
public static final String ENABLED = "enabled";
public static final String PASSCODE = "passcode";
public static final String CREATED_BY = "createdBy";
- public static final String KNOX_SSO_COOKIE = "knoxSSOCookie";
public static final String LAST_USED_AT = "lastUsedAt";
- private static final List<String> KNOWN_MD_NAMES = Arrays.asList(USER_NAME, COMMENT, ENABLED, PASSCODE, CREATED_BY, KNOX_SSO_COOKIE, LAST_USED_AT);
+ public static final String TYPE = "type";
+ private static final List<String> KNOWN_MD_NAMES = Arrays.asList(USER_NAME, COMMENT, ENABLED, PASSCODE, CREATED_BY, LAST_USED_AT, TYPE);
private final Map<String, String> metadataMap = new HashMap<>();
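Review bot: Dropping `knoxSSOCookie` from KNOWN_MD_NAMES leaves records persisted before this change unrecognised: such a record carries `knoxSSOCookie=true` and no `type`, the replacement `isKnoxSsoCookie()` in this patch reads only `type`, and the old key now falls outside the known-name list (presumably surfacing as custom metadata, depending on how KNOWN_MD_NAMES is consumed elsewhere). An existing KnoxSSO cookie token would therefore lose its cookie-specific handling in the filter and the UI until it is reissued. Unless a store migration ships with this change, keep a legacy constant and fall back to it, e.g. `private static final String LEGACY_KNOX_SSO_COOKIE = "knoxSSOCookie";` and in `isKnoxSsoCookie()` append `|| Boolean.parseBoolean(getMetadata(LEGACY_KNOX_SSO_COOKIE))`. The TokenMetadata class continues outside this hunk.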
@@ -59,6 +59,7 @@ public class TokenMetadata {
saveMetadata(USER_NAME, userName);
saveMetadata(COMMENT, comment);
setEnabled(enabled);
+ setType(TokenMetadataType.JWT);
}
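Review bot: The constructor now stamps every record as JWT, but nothing at this line says that this is a default or where it gets overridden (markKnoxSsoCookie()/setType() elsewhere in this patch), and the hunk shows neither the constructor signature nor its callers. A one-line comment would save the next reader a search: `// Default type for every record; overridden via setType()/markKnoxSsoCookie() for non-JWT credentials.` The constructor starts before this hunk.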
private void saveMetadata(String key, String value) {
@@ -125,14 +126,6 @@ public class TokenMetadata {
return getMetadata(CREATED_BY);
}
- public void setKnoxSsoCookie(boolean knoxSsoCookie) {
- saveMetadata(KNOX_SSO_COOKIE, String.valueOf(knoxSsoCookie));
- }
-
- public boolean isKnoxSsoCookie() {
- return Boolean.parseBoolean(getMetadata(KNOX_SSO_COOKIE));
- }
-
public void useTokenNow() {
saveMetadata(LAST_USED_AT, Instant.now().toString());
}
@@ -142,6 +135,28 @@ public class TokenMetadata {
return lastUsedAt == null ? null : Instant.parse(lastUsedAt);
}
+ public void setType(TokenMetadataType type) {
+ saveMetadata(TYPE, type.name());
+ }
+
+ public void markKnoxSsoCookie() {
+ setType(TokenMetadataType.KNOXSSO_COOKIE);
+ }
+
+ @JsonIgnore
+ public boolean isKnoxSsoCookie() {
+ return getType() == null ? false : TokenMetadataType.KNOXSSO_COOKIE == TokenMetadataType.valueOf(getType());
+ }
+
+ @JsonIgnore
+ public boolean isClientId() {
+ return getType() == null ? false : TokenMetadataType.CLIENT_ID == TokenMetadataType.valueOf(getType());
+ }
+
+ public String getType() {
+ return getMetadata(TYPE);
+ }
+
public String toJSON() {
return JsonUtils.renderAsJsonString(metadataMap);
}
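Review bot: `isKnoxSsoCookie()` and `isClientId()` call `TokenMetadataType.valueOf(getType())`, which throws IllegalArgumentException for any stored value that is not an exact, case-sensitive enum name; the check this replaces in AbstractJWTFilter was `equalsIgnoreCase` and could not throw. Token metadata is persisted state, and `type` was already a metadata key before this commit per the comment left in AbstractJWTFilter, so a record written with different casing, or a value introduced by a later version, would now throw from a boolean predicate during authentication and in the UI listing. Compare against the name instead of parsing: `return TokenMetadataType.KNOXSSO_COOKIE.name().equalsIgnoreCase(getType());` and `return TokenMetadataType.CLIENT_ID.name().equalsIgnoreCase(getType());` — both are null-safe, so the `getType() == null ? false :` prefix can go. If a typed accessor is wanted, add one method that catches the IllegalArgumentException once and returns null rather than repeating the parse in each predicate.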
diff --git a/gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/TokenMetadataType.java b/gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/TokenMetadataType.java
new file mode 100644
index 000000000..a4c27140b
--- /dev/null
+++ b/gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/TokenMetadataType.java
@@ -0,0 +1,23 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.knox.gateway.services.security.token;
+
+public enum TokenMetadataType {
+
+ JWT, KNOXSSO_COOKIE, CLIENT_ID;
+
+}
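Review bot: The new enum has no documentation, and its constant names are what `TokenMetadata.setType()` persists (via `name()`), so renaming one would silently orphan every stored record. Add a class Javadoc that states both the meaning of the three values (a plain Knox JWT, a KnoxSSO cookie-backed token, and a token id/passcode pair used as CLIENT_ID/CLIENT_SECRET, as the comment in AbstractJWTFilter describes) and that the names are a persisted format, e.g. `/** Kind of credential a token metadata record describes. Constant names are stored verbatim in the token state store; do not rename. */`.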
diff --git a/knox-token-management-ui/token-management/app/metadata.ts b/knox-token-management-ui/token-management/app/metadata.ts
index e2ba28fa9..4560309fb 100644
--- a/knox-token-management-ui/token-management/app/metadata.ts
+++ b/knox-token-management-ui/token-management/app/metadata.ts
@@ -19,7 +19,7 @@ export class Metadata {
enabled: boolean;
userName: string;
createdBy: string;
- knoxSsoCookie: boolean;
+ type: string;
comment: string;
customMetadataMap: Map<string, string>;
}
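Review bot: `type: string` accepts any value, while the component compares it against the literal 'KNOXSSO_COOKIE' and the template turns it into an asset path; a string-literal union keeps those places in step with the Java enum and lets the compiler catch a typo in the comparison: `type: 'JWT' | 'KNOXSSO_COOKIE' | 'CLIENT_ID';`. Records written before this field existed presumably arrive without `type`, so consumers should still treat the value as possibly undefined.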
diff --git a/knox-token-management-ui/token-management/app/token.management.component.html b/knox-token-management-ui/token-management/app/token.management.component.html
index 8751d1e5f..be371c4e9 100644
--- a/knox-token-management-ui/token-management/app/token.management.component.html
+++ b/knox-token-management-ui/token-management/app/token.management.component.html
@@ -91,11 +91,10 @@
</mat-cell>
</ng-container>
- <ng-container matColumnDef="knoxSso">
- <mat-header-cell *matHeaderCellDef mat-sort-header="knoxSso" style="text-align: center; justify-content: center;">KnoxSSO</mat-header-cell>
+ <ng-container matColumnDef="type">
+ <mat-header-cell *matHeaderCellDef mat-sort-header="type" style="text-align: center; justify-content: center;">Type</mat-header-cell>
<mat-cell *matCellDef="let knoxToken" style="text-align: center; justify-content: center;">
- <img *ngIf="isKnoxSsoCookie(knoxToken)" src="assets/green_checkmark.svg" style="height:20px; width:auto" />
- <img *ngIf="!isKnoxSsoCookie(knoxToken)" src="assets/red_cross_circle.svg" style="height:20px; width:auto" />
+ <img src="assets/{{knoxToken.metadata.type}}.png" style="height:30px; width:auto" />
</mat-cell>
</ng-container>
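Review bot: The replacement `<img>` interpolates a server-supplied metadata value straight into the asset path, and the `*ngIf` guards of the old checkmark/cross are gone, so a token whose `type` is absent (a record persisted before this field existed) or unrecognised requests `assets/undefined.png` and renders a broken image with no text fallback. Angular should apply URL sanitisation to an interpolated `src`, so this reads as a robustness and accessibility point rather than an injection one, but the icon also lost the `alt`/`title` a screen reader or a hover needs to tell the three types apart. Guard it and label it: `<img *ngIf="knoxToken.metadata.type" src="assets/{{knoxToken.metadata.type}}.png" [alt]="knoxToken.metadata.type" [title]="knoxToken.metadata.type" style="height:30px; width:auto" />`, ideally with the path derived from an explicit allowlist in the component rather than the raw value.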
diff --git a/knox-token-management-ui/token-management/app/token.management.component.ts b/knox-token-management-ui/token-management/app/token.management.component.ts
index 7d83409ce..903ecd5d0 100644
--- a/knox-token-management-ui/token-management/app/token.management.component.ts
+++ b/knox-token-management-ui/token-management/app/token.management.component.ts
@@ -43,7 +43,7 @@ export class TokenManagementComponent implements OnInit {
selection = new SelectionModel<KnoxToken>(true, []);
allKnoxTokens: KnoxToken[];
- displayedColumns = ['select', 'tokenId', 'issued', 'expires', 'userName', 'impersonated', 'knoxSso', 'comment', 'metadata', 'actions'];
+ displayedColumns = ['select', 'tokenId', 'issued', 'expires', 'userName', 'impersonated', 'type', 'comment', 'metadata', 'actions'];
@ViewChild('knoxTokensPaginator') paginator: MatPaginator;
@ViewChild('knoxTokensSort') sort: MatSort = new MatSort();
@@ -130,7 +130,7 @@ export class TokenManagementComponent implements OnInit {
}
private isDisabledKnoxSsoCookie(token: KnoxToken): boolean {
- return token.metadata.knoxSsoCookie && !token.metadata.enabled;
+ return this.isKnoxSsoCookie(token) && !token.metadata.enabled;
}
private updateTokens(tokens: KnoxToken[]): void {
@@ -217,7 +217,7 @@ export class TokenManagementComponent implements OnInit {
}
isKnoxSsoCookie(knoxToken: KnoxToken): boolean {
- return knoxToken.metadata.knoxSsoCookie;
+ return 'KNOXSSO_COOKIE' === knoxToken.metadata.type;
}
isDisabledKnoxSSoCookie(knoxToken: KnoxToken): boolean {
@@ -269,7 +269,7 @@ export class TokenManagementComponent implements OnInit {
}
private selectionHasZeroKnoxSsoCookie(): boolean {
- return this.selection.selected.every(token => !token.metadata.knoxSsoCookie);
+ return this.selection.selected.every(token => !this.isKnoxSsoCookie(token));
}
private selectionHasZeroExpiredToken(): boolean {
diff --git a/knox-token-management-ui/token-management/assets/CLIENT_ID.png b/knox-token-management-ui/token-management/assets/CLIENT_ID.png
new file mode 100644
index 000000000..e86f6056d
Binary files /dev/null and b/knox-token-management-ui/token-management/assets/CLIENT_ID.png differ
diff --git a/knox-token-management-ui/token-management/assets/JWT.png b/knox-token-management-ui/token-management/assets/JWT.png
new file mode 100644
index 000000000..c62db0fea
Binary files /dev/null and b/knox-token-management-ui/token-management/assets/JWT.png differ
diff --git a/knox-token-management-ui/token-management/assets/KNOXSSO_COOKIE.png b/knox-token-management-ui/token-management/assets/KNOXSSO_COOKIE.png
new file mode 100644
index 000000000..0fbe3146a
Binary files /dev/null and b/knox-token-management-ui/token-management/assets/KNOXSSO_COOKIE.png differ