knox-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From m...@apache.org
Subject [knox] branch master updated: KNOX-2207 - TokenStateService revocation should remove persisted token state (#252)
Date Wed, 05 Feb 2020 20:14:09 GMT
This is an automated email from the ASF dual-hosted git repository.

more pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git


The following commit(s) were added to refs/heads/master by this push:
     new 98e547f  KNOX-2207 - TokenStateService revocation should remove persisted token state
(#252)
98e547f is described below

commit 98e547f2d7f850994d880a97b07380eeb84b649f
Author: Sandeep Moré <moresandeep@gmail.com>
AuthorDate: Wed Feb 5 15:14:00 2020 -0500

    KNOX-2207 - TokenStateService revocation should remove persisted token state (#252)
---
 .../token/impl/AliasBasedTokenStateService.java    | 22 ++++++++++-----
 .../token/impl/DefaultTokenStateService.java       | 33 +++++++++-------------
 2 files changed, 29 insertions(+), 26 deletions(-)

diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
index b5b1010..6d29cae 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
@@ -104,17 +104,12 @@ public class AliasBasedTokenStateService extends DefaultTokenStateService
{
 
   @Override
   public void revokeToken(final String token) {
-    // Record the revocation by setting the expiration to -1
-    updateExpiration(token, -1L);
+    /* no reason to keep revoked tokens around */
+    removeToken(token);
     log.revokedToken(getTokenDisplayText(token));
   }
 
   @Override
-  protected boolean isRevoked(final String token) {
-    return (getTokenExpiration(token) < 0);
-  }
-
-  @Override
   protected boolean isUnknown(final String token) {
     boolean isUnknown = false;
     try {
@@ -126,6 +121,19 @@ public class AliasBasedTokenStateService extends DefaultTokenStateService
{
   }
 
   @Override
+  protected void removeToken(final String token) {
+    validateToken(token);
+
+    try {
+      aliasService.removeAliasForCluster(AliasService.NO_CLUSTER_NAME, token);
+      aliasService.removeAliasForCluster(AliasService.NO_CLUSTER_NAME,token + "--max");
+    } catch (AliasServiceException e) {
+      log.failedToUpdateTokenExpiration(e);
+    }
+
+  }
+
+  @Override
   protected void updateExpiration(final String token, long expiration) {
     if (isUnknown(token)) {
       log.unknownToken(getTokenDisplayText(token));
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
index 77ab5a4..e158154 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
@@ -23,10 +23,8 @@ import org.apache.knox.gateway.services.security.token.TokenStateService;
 import org.apache.knox.gateway.services.security.token.impl.JWTToken;
 
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.Locale;
 import java.util.Map;
-import java.util.Set;
 
 /**
  * In-Memory authentication token state management implementation.
@@ -43,8 +41,6 @@ public class DefaultTokenStateService implements TokenStateService {
 
   private final Map<String, Long> tokenExpirations = new HashMap<>();
 
-  private final Set<String> revokedTokens = new HashSet<>();
-
   private final Map<String, Long> maxTokenLifetimes = new HashMap<>();
 
 
@@ -159,8 +155,8 @@ public class DefaultTokenStateService implements TokenStateService {
 
   @Override
   public void revokeToken(final String token) {
-    validateToken(token);
-    revokedTokens.add(token);
+    /* no reason to keep revoked tokens around */
+    removeToken(token);
     log.revokedToken(getTokenDisplayText(token));
   }
 
@@ -172,13 +168,11 @@ public class DefaultTokenStateService implements TokenStateService {
   @Override
   public boolean isExpired(final String token) {
     boolean isExpired;
-
-    isExpired = isRevoked(token); // Check if it has been revoked first
+    isExpired = isUnknown(token); // Check if the token exist
     if (!isExpired) {
-      // If it has not been revoked, check its expiration
+      // If it not unknown, check its expiration
       isExpired = (getTokenExpiration(token) <= System.currentTimeMillis());
     }
-
     return isExpired;
   }
 
@@ -208,6 +202,16 @@ public class DefaultTokenStateService implements TokenStateService {
     }
   }
 
+  protected void removeToken(final String token) {
+    validateToken(token);
+    synchronized (tokenExpirations) {
+        tokenExpirations.remove(token);
+    }
+    synchronized (maxTokenLifetimes) {
+      maxTokenLifetimes.remove(token);
+    }
+  }
+
   protected boolean hasRemainingRenewals(final String token, long renewInterval) {
     // Is the current time + 30-second buffer + the renewal interval is less than the max
lifetime for the token?
     return ((System.currentTimeMillis() + 30000 + renewInterval) < getMaxLifetime(token));
@@ -221,10 +225,6 @@ public class DefaultTokenStateService implements TokenStateService {
     return result;
   }
 
-  protected boolean isRevoked(final String token) {
-    return revokedTokens.contains(token);
-  }
-
   protected boolean isValidIdentifier(final String token) {
     return token != null && !token.isEmpty();
   }
@@ -258,11 +258,6 @@ public class DefaultTokenStateService implements TokenStateService {
       log.unknownToken(getTokenDisplayText(token));
       throw new IllegalArgumentException("Unknown token");
     }
-
-    // Then, make sure it has not been revoked
-    if (includeRevocation && isRevoked(token)) {
-      throw new IllegalArgumentException("The specified token has been revoked");
-    }
   }
 
   protected String getTokenDisplayText(final String token) {


Mime
View raw message