Posted to dev@knox.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/03/04 09:15:00 UTC

[jira] [Work logged] (KNOX-2712) Adding arbitrary metadata to a Knox Token

     [ https://issues.apache.org/jira/browse/KNOX-2712?focusedWorklogId=736538&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-736538 ]

ASF GitHub Bot logged work on KNOX-2712:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 04/Mar/22 09:14
            Start Date: 04/Mar/22 09:14
    Worklog Time Spent: 10m 
      Work Description: smolnar82 opened a new pull request #542:
URL: https://github.com/apache/knox/pull/542


   ## What changes were proposed in this pull request?
   
   The following enhancements were added by this change:
   - the simple `GET` API is extended to handle custom metadata information
   - the `getUserTokens` API  endpoint is extended to filter tokens by metadata name/value
   - additional metadata information is displayed on the Knox Token Management page
   
   ## How was this patch tested?
   
   Adjusted and ran JUnit tests:
   ```
   $ mvn clean -Dshellcheck=true verify -Prelease,package -am -pl gateway-service-knoxtoken
   ...
   [INFO] ------------------------------------------------------------------------
   [INFO] BUILD SUCCESS
   [INFO] ------------------------------------------------------------------------
   [INFO] Total time:  06:01 min
   [INFO] Finished at: 2022-03-04T09:32:59+01:00
   [INFO] ------------------------------------------------------------------------
   ```
   
   Additionally, I tested the API changes with the following `curl` commands:
   ```
   curl -iku admin:admin-password -X GET 'https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token?md_notebookName=accountantKnoxToken&md_souldBeRemovedBy=31March2022&md_otherMeaningfuMetadata=KnoxIsCool'
   
   curl -iku admin:admin-password "https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token?lifespan=P0DT1H0M&md_notebookName=DROP%20TABLE%20knox_token_metadata"
   
   curl -iku admin:admin-password "https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token?lifespan=P0DT1H0M&md_notebookName=%3Cscript%3Ealert%28%27smolnar%27%29%3B%3C%2Fscript%3E"
   
   curl -iku admin:admin-password "https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token?lifespan=P0DT1H0M&md_notebookName=<script>alert(\"smolnar\")</script>&md_otherMetadata=MyOtherMetadata"
   
   curl -iku admin:admin-password "https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token?lifespan=P0DT1H0M&md_notebookName=%3Ca%20href%3D%22%23%22%20onClick%3D%22alert%28%27Hello%20World%21%27%29%22%3E%3Cimg%20title%3D%22The%20Link%22%20%2F%3E%3C%2Fa%3E"
   
   curl -iku admin:admin-password "https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token?lifespan=P0DT1H0M&md_smolnarMd=dummyMd"
   ```
   ![Screenshot 2022-03-04 at 10 08 01](https://user-images.githubusercontent.com/34065904/156733578-cae30c84-5533-4772-8aec-50d663ebb782.png)
   
   As you can see, I tried to challenge the `GET` API with
   - SQL commands to make sure SQL injection is not an issue (in `TokenStateDatabase` we use `PreparedStatement` objects to communicate with the DB, so we are safe)
   - different HTML scripts to make sure XSS attacks are not an issue. The prevention of XSS comes OOTB with Angular as we only use interpolated values in curly brackets that [are escaped in Angular](https://angular.io/guide/security#sanitization-example).
   
   I also tested the updated `getUserTokens` API:
   
   ```
   $ curl -iku admin:admin-password "https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token/getUserTokens?userName=admin&mdName=smolnarMd"
   HTTP/1.1 200 OK
   ...
   
   {
   	"tokens": [{
   		"tokenId": "97de921a-aa54-4308-803c-6c20cebcc1f9",
   		"issueTime": "2022-03-04T10:07:49.093+0100",
   		"expiration": "2022-03-04T11:07:48.928+0100",
   		"maxLifetime": "2022-03-11T10:07:49.093+0100",
   		"metadata": {
   			"customMetadataMap": {
   				"smolnarMd": "dummyMd"
   			},
   			"comment": null,
   			"enabled": true,
   			"userName": "admin"
   		},
   		"issueTimeLong": 1646384869093,
   		"expirationLong": 1646388468928,
   		"maxLifetimeLong": 1646989669093
   	}]
   }
   ```
   
   ```
   $ curl -iku admin:admin-password "https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token/getUserTokens?userName=admin&mdName=otherMetadata"
   HTTP/1.1 200 OK
   ....
   
   {
   	"tokens": [{
   		"tokenId": "e8e578ca-a782-4cd7-8fa1-3580b7a79541",
   		"issueTime": "2022-03-04T10:00:31.655+0100",
   		"expiration": "2022-03-04T11:00:31.645+0100",
   		"maxLifetime": "2022-03-11T10:00:31.655+0100",
   		"metadata": {
   			"customMetadataMap": {
   				"notebookName": "<script>alert(\"smolnar\")</script>",
   				"otherMetadata": "MyOtherMetadata"
   			},
   			"comment": null,
   			"enabled": true,
   			"userName": "admin"
   		},
   		"issueTimeLong": 1646384431655,
   		"expirationLong": 1646388031645,
   		"maxLifetimeLong": 1646989231655
   	}]
   }
   ```
   
   ```
   $ curl -iku admin:admin-password "https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token/getUserTokens?userName=admin&mdName=notebookName&mdValue=accountantKnoxToken"
   HTTP/1.1 200 OK
   ...
   {
   	"tokens": [{
   		"tokenId": "1487647b-b986-4b73-a250-854843aade9b",
   		"issueTime": "2022-03-04T09:58:03.155+0100",
   		"expiration": "2022-07-02T10:58:02.979+0200",
   		"maxLifetime": "2022-03-11T09:58:03.155+0100",
   		"metadata": {
   			"customMetadataMap": {
   				"souldBeRemovedBy": "31March2022",
   				"notebookName": "accountantKnoxToken",
   				"otherMeaningfuMetadata": "KnoxIsCool"
   			},
   			"comment": null,
   			"enabled": true,
   			"userName": "admin"
   		},
   		"issueTimeLong": 1646384283155,
   		"expirationLong": 1656752282979,
   		"maxLifetimeLong": 1646989083155
   	}]
   }
   ```




Issue Time Tracking
-------------------

            Worklog Id:     (was: 736538)
    Remaining Estimate: 0h
            Time Spent: 10m

> Adding arbitrary metadata to a Knox Token
> -----------------------------------------
>
>                 Key: KNOX-2712
>                 URL: https://issues.apache.org/jira/browse/KNOX-2712
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 1.6.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Critical
>             Fix For: 2.0.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> We would need to enhance our GET API to accept an arbitrary list of key/value pairs as Knox token metadata. At the time this Jira is being created, the following hard-coded metadata exists for a Knox Token:
>  * userName
>  * comment
>  * enabled
>  * passcode
> The plan is to modify our TokenResource to accept query parameters starting with the {{md_}} prefix and treat them as Knox Token Metadata. For instance:
> {noformat}
> curl -iku admin:admin-password -X GET 'https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token?md_notebookName=accountantKnoxToken&md_souldBeRemovedBy=31March2022&md_otherMeaningfuMetadata=KnoxIsCool'{noformat}
> When such a token is created by Knox, we should save the following metadata too:
>  * {{notebookName=accountantKnoxToken}}
>  * {{shouldBeRemovedBy=31March2022}}
>  * {{otherMeaningfulMetadata=KnoxIsCool}}
> Not only will Knox be able to save this metadata, but we also have to update our existing {{getUserTokens}} API endpoint to be able to fetch basic token information (see {{org.apache.knox.gateway.services.security.token.KnoxToken}}) using the supplied metadata name besides the user name information.
> For instance:
> {noformat}
> curl -iku admin:admin-password -X GET 'https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token/getUserTokens?userName=admin&mdName=notebookName&mdValue=accountantKnoxToken'{noformat}
> will return all Knox tokens where metadata with _‘notebookName’_ exists and equals _‘accountantKnoxToken’_.
> Finally, the Token Management page should display metadata too.
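
The two mechanisms described above (the Jira request for `md_`-prefixed query parameters, and the PR's claim that the `PreparedStatement`-based `TokenStateDatabase` makes the `DROP TABLE knox_token_metadata` probe harmless) can be exercised together in a small stand-alone model. The following is an added example written for this page in Python against an in-memory SQLite database; it is not Knox's Java code and does not use Knox's real schema. The table and column names, the `TokenMetadataStore` class and the `token-1`/`token-2`/`token-3` ids are assumptions; the query strings are the ones from the PR description. It shows the prefix stripping, the parameterized `getUserTokens` filter by metadata name and optional value, and that the injection-shaped value is stored as a literal string while the table survives.

```python
"""Added example (not Knox's own code): md_ query-parameter parsing and
parameterized metadata filtering, modelled on the KNOX-2712 API."""
import sqlite3
from urllib.parse import parse_qsl

MD_PREFIX = "md_"  # prefix from the Jira description


def extract_metadata(query_string):
    """Return {name: value} for every parameter whose name starts with md_.

    The prefix is stripped; everything else (lifespan, ...) is ignored.
    parse_qsl percent-decodes, so the stored value is the raw text.
    """
    metadata = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if name.startswith(MD_PREFIX) and len(name) > len(MD_PREFIX):
            metadata[name[len(MD_PREFIX):]] = value
    return metadata


class TokenMetadataStore:
    """Stand-in for Knox's TokenStateDatabase (schema is an assumption)."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE knox_tokens (token_id TEXT PRIMARY KEY, user_name TEXT)")
        self.conn.execute(
            "CREATE TABLE knox_token_metadata (token_id TEXT, md_name TEXT, md_value TEXT)")

    def add_token(self, token_id, user_name, metadata):
        # Every user-controlled value is bound with '?', never concatenated into SQL.
        with self.conn:
            self.conn.execute(
                "INSERT INTO knox_tokens VALUES (?, ?)", (token_id, user_name))
            self.conn.executemany(
                "INSERT INTO knox_token_metadata VALUES (?, ?, ?)",
                [(token_id, name, value) for name, value in metadata.items()])

    def get_user_tokens(self, user_name, md_name=None, md_value=None):
        """Mirror of getUserTokens?userName=..&mdName=..&mdValue=.. (ids only)."""
        sql = "SELECT DISTINCT t.token_id FROM knox_tokens t"
        where = ["t.user_name = ?"]
        params = [user_name]
        if md_name is not None:
            sql += " JOIN knox_token_metadata m ON m.token_id = t.token_id"
            where.append("m.md_name = ?")
            params.append(md_name)
            if md_value is not None:
                where.append("m.md_value = ?")
                params.append(md_value)
        sql += " WHERE " + " AND ".join(where) + " ORDER BY t.token_id"
        return [row[0] for row in self.conn.execute(sql, params)]

    def metadata_for(self, token_id):
        """The customMetadataMap of one token, as the JSON response shows it."""
        rows = self.conn.execute(
            "SELECT md_name, md_value FROM knox_token_metadata "
            "WHERE token_id = ? ORDER BY md_name", (token_id,))
        return dict(rows)

    def table_exists(self, name):
        row = self.conn.execute(
            "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
            (name,)).fetchone()
        return row[0] == 1


def replay_pr_requests():
    """Store tokens for the query strings used in the PR's curl tests.

    Token ids are constructed for this example.
    """
    store = TokenMetadataStore()
    requests = {
        "token-1": "md_notebookName=accountantKnoxToken&md_souldBeRemovedBy=31March2022"
                   "&md_otherMeaningfuMetadata=KnoxIsCool",
        "token-2": "lifespan=P0DT1H0M&md_notebookName=DROP%20TABLE%20knox_token_metadata",
        "token-3": "lifespan=P0DT1H0M&md_notebookName="
                   "%3Cscript%3Ealert%28%27smolnar%27%29%3B%3C%2Fscript%3E"
                   "&md_otherMetadata=MyOtherMetadata",
    }
    for token_id, query in requests.items():
        store.add_token(token_id, "admin", extract_metadata(query))
    return store


if __name__ == "__main__":
    store = replay_pr_requests()
    print(store.get_user_tokens("admin", "notebookName", "accountantKnoxToken"))
    print(store.metadata_for("token-2"), store.table_exists("knox_token_metadata"))
```

The filter builds its SQL from fixed fragments and binds every request-supplied value as a parameter, which is the property the PR relies on: `DROP TABLE knox_token_metadata` and the `<script>` payload end up as ordinary string values in `customMetadataMap`, and the rendering layer (Angular interpolation in the Token Management page) is what keeps the latter inert when displayed.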


