knox-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From pzamp...@apache.org
Subject [knox] branch master updated: KNOX-2215 - Token service should return a 403 response when the renewer is not white-listed (#251)
Date Tue, 04 Feb 2020 18:55:53 GMT
This is an automated email from the ASF dual-hosted git repository.

pzampino pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git


The following commit(s) were added to refs/heads/master by this push:
     new d2ee4dc  KNOX-2215 - Token service should return a 403 response when the renewer
is not white-listed (#251)
d2ee4dc is described below

commit d2ee4dcb75ac41a0f5664bff1199e22eea72d506
Author: Phil Zampino <pzampino@apache.org>
AuthorDate: Tue Feb 4 13:55:43 2020 -0500

    KNOX-2215 - Token service should return a 403 response when the renewer is not white-listed
(#251)
---
 .../gateway/service/knoxtoken/TokenResource.java    | 21 +++++++++++++++------
 .../service/knoxtoken/TokenServiceResourceTest.java | 16 ++++++++--------
 2 files changed, 23 insertions(+), 14 deletions(-)

diff --git a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
index d6c93c1..10c62e0 100644
--- a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
+++ b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
@@ -215,7 +215,9 @@ public class TokenResource {
     Response resp;
 
     long expiration = 0;
-    String  error   = "";
+
+    String          error       = "";
+    Response.Status errorStatus = Response.Status.BAD_REQUEST;
 
     if (tokenStateService == null) {
       error = "Token renewal support is not configured";
@@ -230,6 +232,7 @@ public class TokenResource {
           error = e.getMessage();
         }
       } else {
+        errorStatus = Response.Status.FORBIDDEN;
         error = "Caller (" + renewer + ") not authorized to renew tokens.";
       }
     }
@@ -240,7 +243,7 @@ public class TokenResource {
                       .build();
     } else {
       log.badRenewalRequest(getTopologyName(), error);
-      resp = Response.status(Response.Status.BAD_REQUEST)
+      resp = Response.status(errorStatus)
                      .entity("{\n  \"renewed\": \"false\",\n  \"error\": \"" + error + "\"\n}\n")
                      .build();
     }
@@ -254,7 +257,8 @@ public class TokenResource {
   public Response revoke(String token) {
     Response resp;
 
-    String error = "";
+    String          error       = "";
+    Response.Status errorStatus = Response.Status.BAD_REQUEST;
 
     if (tokenStateService == null) {
       error = "Token revocation support is not configured";
@@ -267,6 +271,7 @@ public class TokenResource {
           error = e.getMessage();
         }
       } else {
+        errorStatus = Response.Status.FORBIDDEN;
         error = "Caller (" + renewer + ") not authorized to revoke tokens.";
       }
     }
@@ -277,7 +282,7 @@ public class TokenResource {
                       .build();
     } else {
       log.badRevocationRequest(getTopologyName(), error);
-      resp = Response.status(Response.Status.BAD_REQUEST)
+      resp = Response.status(errorStatus)
                      .entity("{\n  \"revoked\": \"false\",\n  \"error\": \"" + error + "\"\n}\n")
                      .build();
     }
@@ -298,10 +303,14 @@ public class TokenResource {
       X509Certificate cert = extractCertificate(request);
       if (cert != null) {
         if (!allowedDNs.contains(cert.getSubjectDN().getName().replaceAll("\\s+", ""))) {
-          return Response.status(403).entity("{ \"Unable to get token - untrusted client
cert.\" }").build();
+          return Response.status(Response.Status.FORBIDDEN)
+                         .entity("{ \"Unable to get token - untrusted client cert.\" }")
+                         .build();
         }
       } else {
-        return Response.status(403).entity("{ \"Unable to get token - client cert required.\"
}").build();
+        return Response.status(Response.Status.FORBIDDEN)
+                       .entity("{ \"Unable to get token - client cert required.\" }")
+                       .build();
       }
     }
     GatewayServices services = (GatewayServices) request.getServletContext()
diff --git a/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
b/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
index bbe6fdd..9ccee4d 100644
--- a/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
+++ b/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
@@ -640,7 +640,7 @@ public class TokenServiceResourceTest {
   @Test
   public void testTokenRenewal_Enabled_NoRenewersNoSubject() throws Exception {
     Response renewalResponse = doTestTokenRenewal(true, null, null);
-    validateRenewalResponse(renewalResponse, 400, false, "Caller (null) not authorized to
renew tokens.");
+    validateRenewalResponse(renewalResponse, 403, false, "Caller (null) not authorized to
renew tokens.");
   }
 
   @Test
@@ -648,7 +648,7 @@ public class TokenServiceResourceTest {
     final String caller = "yarn";
     Response renewalResponse = doTestTokenRenewal(true, null, createTestSubject(caller));
     validateRenewalResponse(renewalResponse,
-                            400,
+                            403,
                             false,
                             "Caller (" + caller + ") not authorized to renew tokens.");
   }
@@ -657,7 +657,7 @@ public class TokenServiceResourceTest {
   public void testTokenRenewal_Enabled_WithRenewersNoSubject() throws Exception {
     Response renewalResponse = doTestTokenRenewal(true, "larry, moe,  curly ", null);
     validateRenewalResponse(renewalResponse,
-                            400,
+                            403,
                             false,
                             "Caller (null) not authorized to renew tokens.");
   }
@@ -667,7 +667,7 @@ public class TokenServiceResourceTest {
     final String caller = "shemp";
     Response renewalResponse = doTestTokenRenewal(true, "larry, moe,  curly ", createTestSubject(caller));
     validateRenewalResponse(renewalResponse,
-                            400,
+                            403,
                             false,
                             "Caller (" + caller + ") not authorized to renew tokens.");
   }
@@ -736,7 +736,7 @@ public class TokenServiceResourceTest {
   public void testTokenRevocation_Enabled_NoRenewersNoSubject() throws Exception {
     Response renewalResponse = doTestTokenRevocation(true, null, null);
     validateRevocationResponse(renewalResponse,
-                               400,
+                               403,
                                false,
                                "Caller (null) not authorized to revoke tokens.");
   }
@@ -746,7 +746,7 @@ public class TokenServiceResourceTest {
     final String caller = "yarn";
     Response renewalResponse = doTestTokenRevocation(true, null, createTestSubject(caller));
     validateRevocationResponse(renewalResponse,
-                               400,
+                               403,
                                false,
                                "Caller (" + caller + ") not authorized to revoke tokens.");
   }
@@ -755,7 +755,7 @@ public class TokenServiceResourceTest {
   public void testTokenRevocation_Enabled_WithRenewersNoSubject() throws Exception {
     Response renewalResponse = doTestTokenRevocation(true, "larry, moe,  curly ", null);
     validateRevocationResponse(renewalResponse,
-                               400,
+                               403,
                                false,
                                "Caller (null) not authorized to revoke tokens.");
   }
@@ -765,7 +765,7 @@ public class TokenServiceResourceTest {
     final String caller = "shemp";
     Response renewalResponse = doTestTokenRevocation(true, "larry, moe,  curly ", createTestSubject(caller));
     validateRevocationResponse(renewalResponse,
-                               400,
+                               403,
                                false,
                                "Caller (" + caller + ") not authorized to revoke tokens.");
   }


Mime
View raw message