This is an automated email from the ASF dual-hosted git repository.

more pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git


The following commit(s) were added to refs/heads/master by this push:
     new 98e547f  KNOX-2207 - TokenStateService revocation should remove 
persisted token state (#252)
98e547f is described below

commit 98e547f2d7f850994d880a97b07380eeb84b649f
Author: Sandeep Moré <moresand...@gmail.com>
AuthorDate: Wed Feb 5 15:14:00 2020 -0500

    KNOX-2207 - TokenStateService revocation should remove persisted token 
state (#252)
---
 .../token/impl/AliasBasedTokenStateService.java    | 22 ++++++++++-----
 .../token/impl/DefaultTokenStateService.java       | 33 +++++++++-------------
 2 files changed, 29 insertions(+), 26 deletions(-)

diff --git 
a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
 
b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
index b5b1010..6d29cae 100644
--- 
a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
+++ 
b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
@@ -104,17 +104,12 @@ public class AliasBasedTokenStateService extends 
DefaultTokenStateService {
 
   @Override
   public void revokeToken(final String token) {
-    // Record the revocation by setting the expiration to -1
-    updateExpiration(token, -1L);
+    /* no reason to keep revoked tokens around */
+    removeToken(token);
     log.revokedToken(getTokenDisplayText(token));
   }
 
   @Override
-  protected boolean isRevoked(final String token) {
-    return (getTokenExpiration(token) < 0);
-  }
-
-  @Override
   protected boolean isUnknown(final String token) {
     boolean isUnknown = false;
     try {
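Review bot: The replacement comment in `revokeToken`, `/* no reason to keep revoked tokens around */`, understates what changed: with the `isRevoked` override gone, a revoked token is indistinguishable from one that was never issued, so revocation holds only as long as nothing re-registers state for the same token string. I would state that invariant in the comment, e.g. `// Revocation == removal: a revoked token must be reported as unknown from here on and must never be re-added`. The same comment and the same concern apply to `DefaultTokenStateService.revokeToken` in the second file. Whether any caller relied on telling "revoked" apart from "unknown" cannot be seen from this diff. The hunk ends inside `isUnknown`, whose body continues outside it.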
@@ -126,6 +121,19 @@ public class AliasBasedTokenStateService extends 
DefaultTokenStateService {
   }
 
   @Override
+  protected void removeToken(final String token) {
+    validateToken(token);
+
+    try {
+      aliasService.removeAliasForCluster(AliasService.NO_CLUSTER_NAME, token);
+      aliasService.removeAliasForCluster(AliasService.NO_CLUSTER_NAME,token + 
"--max");
+    } catch (AliasServiceException e) {
+      log.failedToUpdateTokenExpiration(e);
+    }
+
+  }
+
+  @Override
   protected void updateExpiration(final String token, long expiration) {
     if (isUnknown(token)) {
       log.unknownToken(getTokenDisplayText(token));
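Review bot: The `catch (AliasServiceException e)` in the new `removeToken` logs and returns normally, so `revokeToken` in the previous hunk still logs `revokedToken` even though the aliases may remain and the token may keep being accepted. Since removal is now the only record of revocation, the failure should reach the caller, for example `throw new IllegalStateException("Failed to remove token state", e);` after the log call. The message used, `failedToUpdateTokenExpiration`, also describes a different operation, and a failure on the first `removeAliasForCluster` call skips the `--max` alias. A dedicated log message and one try block per alias would make both cases visible. The hunk ends inside `updateExpiration`, whose body continues outside it.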
diff --git 
a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
 
b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
index 77ab5a4..e158154 100644
--- 
a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
+++ 
b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
@@ -23,10 +23,8 @@ import 
org.apache.knox.gateway.services.security.token.TokenStateService;
 import org.apache.knox.gateway.services.security.token.impl.JWTToken;
 
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.Locale;
 import java.util.Map;
-import java.util.Set;
 
 /**
  * In-Memory authentication token state management implementation.
@@ -43,8 +41,6 @@ public class DefaultTokenStateService implements 
TokenStateService {
 
   private final Map<String, Long> tokenExpirations = new HashMap<>();
 
-  private final Set<String> revokedTokens = new HashSet<>();
-
   private final Map<String, Long> maxTokenLifetimes = new HashMap<>();
 
 
@@ -159,8 +155,8 @@ public class DefaultTokenStateService implements 
TokenStateService {
 
   @Override
   public void revokeToken(final String token) {
-    validateToken(token);
-    revokedTokens.add(token);
+    /* no reason to keep revoked tokens around */
+    removeToken(token);
     log.revokedToken(getTokenDisplayText(token));
   }
 
@@ -172,13 +168,11 @@ public class DefaultTokenStateService implements 
TokenStateService {
   @Override
   public boolean isExpired(final String token) {
     boolean isExpired;
-
-    isExpired = isRevoked(token); // Check if it has been revoked first
+    isExpired = isUnknown(token); // Check if the token exist
     if (!isExpired) {
-      // If it has not been revoked, check its expiration
+      // If it not unknown, check its expiration
       isExpired = (getTokenExpiration(token) <= System.currentTimeMillis());
     }
-
     return isExpired;
   }
 
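Review bot: The two new comments in `isExpired` have typos and do not say why "unknown" is checked: after this commit a revoked token has no state left, so "unknown" is the only way revocation shows up here. Suggested wording: `// Unknown covers revoked tokens (their state is removed); treat as expired` and `// If it is not unknown, check its expiration`. The `isUnknown` check and the `getTokenExpiration` read are separate calls, so the outcome of a revocation landing between them depends on what `getTokenExpiration` does for a missing entry, which is not shown in this diff.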
@@ -208,6 +202,16 @@ public class DefaultTokenStateService implements 
TokenStateService {
     }
   }
 
+  protected void removeToken(final String token) {
+    validateToken(token);
+    synchronized (tokenExpirations) {
+        tokenExpirations.remove(token);
+    }
+    synchronized (maxTokenLifetimes) {
+      maxTokenLifetimes.remove(token);
+    }
+  }
+
   protected boolean hasRemainingRenewals(final String token, long 
renewInterval) {
     // Is the current time + 30-second buffer + the renewal interval is less 
than the max lifetime for the token?
     return ((System.currentTimeMillis() + 30000 + renewInterval) < 
getMaxLifetime(token));
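Review bot: `removeToken` starts with `validateToken(token)`, and the last hunk of this file shows the two-argument overload throwing `IllegalArgumentException("Unknown token")` for unknown tokens; if the one-argument form delegates to it (not visible here), revoking an already revoked token now throws instead of being a no-op. If repeated revocation should be harmless, return early with `if (isUnknown(token)) { return; }` after an `isValidIdentifier` check, or document the exception on `revokeToken`. As a protected method that `AliasBasedTokenStateService` overrides, it would also benefit from a Javadoc line stating that implementations must delete every piece of state held for the token. As a style point, `tokenExpirations.remove(token);` is indented two spaces deeper than the matching line in the second `synchronized` block. The hunk ends inside `hasRemainingRenewals`.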
@@ -221,10 +225,6 @@ public class DefaultTokenStateService implements 
TokenStateService {
     return result;
   }
 
-  protected boolean isRevoked(final String token) {
-    return revokedTokens.contains(token);
-  }
-
   protected boolean isValidIdentifier(final String token) {
     return token != null && !token.isEmpty();
   }
@@ -258,11 +258,6 @@ public class DefaultTokenStateService implements 
TokenStateService {
       log.unknownToken(getTokenDisplayText(token));
       throw new IllegalArgumentException("Unknown token");
     }
-
-    // Then, make sure it has not been revoked
-    if (includeRevocation && isRevoked(token)) {
-      throw new IllegalArgumentException("The specified token has been 
revoked");
-    }
   }
 
   protected String getTokenDisplayText(final String token) {
