This is an automated email from the ASF dual-hosted git repository. more pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push: new 98e547f KNOX-2207 - TokenStateService revocation should remove persisted token state (#252) 98e547f is described below commit 98e547f2d7f850994d880a97b07380eeb84b649f Author: Sandeep Moré <moresand...@gmail.com> AuthorDate: Wed Feb 5 15:14:00 2020 -0500 KNOX-2207 - TokenStateService revocation should remove persisted token state (#252)
---
 .../token/impl/AliasBasedTokenStateService.java | 22 ++++++++++-----
 .../token/impl/DefaultTokenStateService.java | 33 +++++++++-------------
 2 files changed, 29 insertions(+), 26 deletions(-)
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
index b5b1010..6d29cae 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
@@ -104,17 +104,12 @@ public class AliasBasedTokenStateService extends DefaultTokenStateService {
 @Override
 public void revokeToken(final String token) {
- // Record the revocation by setting the expiration to -1
- updateExpiration(token, -1L);
+ /* no reason to keep revoked tokens around */
+ removeToken(token);
 log.revokedToken(getTokenDisplayText(token));
 }
 @Override
- protected boolean isRevoked(final String token) {
- return (getTokenExpiration(token) < 0);
- }
-
- @Override
 protected boolean isUnknown(final String token) {
 boolean isUnknown = false;
 try {
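Review bot: With the `isRevoked` override deleted and `revokeToken` now delegating to `removeToken(token)`, a revoked token becomes indistinguishable from one that was never issued, which drops a useful detection signal: a later attempt to present a revoked token surfaces as `unknownToken` rather than as a revocation hit. The old `-1` sentinel made that distinction, so the trade-off should be recorded where the next maintainer will look rather than only in the commit message. I would replace the one-line comment with `/* Drop the persisted state; a revoked token is afterwards reported as unknown, not as revoked */`. The same applies to `DefaultTokenStateService.revokeToken` in the `@@ -159` hunk.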
@@ -126,6 +121,19 @@ public class AliasBasedTokenStateService extends DefaultTokenStateService {
 }
 @Override
+ protected void removeToken(final String token) {
+ validateToken(token);
+
+ try {
+ aliasService.removeAliasForCluster(AliasService.NO_CLUSTER_NAME, token);
+ aliasService.removeAliasForCluster(AliasService.NO_CLUSTER_NAME,token + "--max");
+ } catch (AliasServiceException e) {
+ log.failedToUpdateTokenExpiration(e);
+ }
+
+ }
+
+ @Override
 protected void updateExpiration(final String token, long expiration) {
 if (isUnknown(token)) {
 log.unknownToken(getTokenDisplayText(token));
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
index 77ab5a4..e158154 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
@@ -23,10 +23,8 @@ import org.apache.knox.gateway.services.security.token.TokenStateService;
 import org.apache.knox.gateway.services.security.token.impl.JWTToken;
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.Locale;
 import java.util.Map;
-import java.util.Set;
 /**
 * In-Memory authentication token state management implementation.
@@ -43,8 +41,6 @@ public class DefaultTokenStateService implements TokenStateService {
 private final Map<String, Long> tokenExpirations = new HashMap<>();
- private final Set<String> revokedTokens = new HashSet<>();
-
 private final Map<String, Long> maxTokenLifetimes = new HashMap<>();
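Review bot: In the new `removeToken`, the `catch (AliasServiceException e)` only logs and returns, so when the alias removal fails the persisted token state stays in place while `revokeToken` still goes on to log `revokedToken`; the caller and the audit trail both see a successful revocation of a token that remains usable. The failure should propagate, e.g. `throw new IllegalStateException("Failed to remove token state for " + getTokenDisplayText(token), e);` after the log call, and the reused `failedToUpdateTokenExpiration` message misdescribes what actually failed. Also, if the first `removeAliasForCluster` throws, the `token + "--max"` alias is never attempted and an orphaned max-lifetime entry is left behind; attempting both removals independently before deciding the outcome avoids that.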
@@ -159,8 +155,8 @@ public class DefaultTokenStateService implements TokenStateService {
 @Override
 public void revokeToken(final String token) {
- validateToken(token);
- revokedTokens.add(token);
+ /* no reason to keep revoked tokens around */
+ removeToken(token);
 log.revokedToken(getTokenDisplayText(token));
 }
@@ -172,13 +168,11 @@ public class DefaultTokenStateService implements TokenStateService {
 @Override
 public boolean isExpired(final String token) {
 boolean isExpired;
-
- isExpired = isRevoked(token); // Check if it has been revoked first
+ isExpired = isUnknown(token); // Check if the token exist
 if (!isExpired) {
- // If it has not been revoked, check its expiration
+ // If it not unknown, check its expiration
 isExpired = (getTokenExpiration(token) <= System.currentTimeMillis());
 }
-
 return isExpired;
 }
@@ -208,6 +202,16 @@ public class DefaultTokenStateService implements TokenStateService {
 }
 }
+ protected void removeToken(final String token) {
+ validateToken(token);
+ synchronized (tokenExpirations) {
+ tokenExpirations.remove(token);
+ }
+ synchronized (maxTokenLifetimes) {
+ maxTokenLifetimes.remove(token);
+ }
+ }
+
 protected boolean hasRemainingRenewals(final String token, long renewInterval) {
 // Is the current time + 30-second buffer + the renewal interval is less than the max lifetime for the token?
 return ((System.currentTimeMillis() + 30000 + renewInterval) < getMaxLifetime(token));
@@ -221,10 +225,6 @@ public class DefaultTokenStateService implements TokenStateService {
 return result;
 }
- protected boolean isRevoked(final String token) {
- return revokedTokens.contains(token);
- }
-
 protected boolean isValidIdentifier(final String token) {
 return token != null && !token.isEmpty();
 }
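Review bot: The two new comments in `isExpired` (the `@@ -172` hunk) read awkwardly: `// Check if the token exist` and `// If it not unknown, check its expiration` should be `// Check whether the token is known` and `// If it is known, check its expiration`. Since revocation now removes state, an unknown token and a revoked token both come back as expired from this method, so callers cannot tell the two cases apart here; if the interface is meant to preserve that distinction somewhere else, a sentence in the method's Javadoc saying so would help.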
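Review bot: The `removeToken` added in the `@@ -208` hunk has no Javadoc, although it is now the revocation primitive for both implementations. It should state that `validateToken(token)` presumably makes it throw `IllegalArgumentException` for an unknown (and therefore also for an already revoked) token, so revoking twice is not idempotent, and that the two `synchronized` blocks lock each map separately, so a concurrent reader may briefly see the token gone from `tokenExpirations` but still present in `maxTokenLifetimes`. Whether that window matters depends on the readers, which are outside this hunk.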
@@ -258,11 +258,6 @@ public class DefaultTokenStateService implements TokenStateService {
 log.unknownToken(getTokenDisplayText(token));
 throw new IllegalArgumentException("Unknown token");
 }
-
- // Then, make sure it has not been revoked
- if (includeRevocation && isRevoked(token)) {
- throw new IllegalArgumentException("The specified token has been revoked");
- }
 }
 protected String getTokenDisplayText(final String token) {
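Review bot: With the revocation check removed, `includeRevocation` no longer has any effect inside this method; its signature is outside the hunk, so if nothing else reads the flag it is now a dead parameter that should either be dropped or have its Javadoc updated to say it is ignored. The distinct `"The specified token has been revoked"` failure is also gone, so a revoked token presented later fails with `"Unknown token"`; that is a reasonable outcome, but the method's Javadoc should say so explicitly, otherwise operators triaging those errors will look for a storage problem rather than a revocation. The enclosing `validateToken` starts outside the hunk.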