[jira] [Work logged] (KNOX-3005) Implement Knox idle session time

ASF GitHub Bot (Jira) Thu, 01 Feb 2024 08:58:11 -0800


     [ 
https://issues.apache.org/jira/browse/KNOX-3005?focusedWorklogId=903129&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-903129
 ]


ASF GitHub Bot logged work on KNOX-3005:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 01/Feb/24 16:55
            Start Date: 01/Feb/24 16:55
    Worklog Time Spent: 10m 
      Work Description: pzampino commented on code in PR #839:
URL: https://github.com/apache/knox/pull/839#discussion_r1474771285


##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java:
##########
@@ -381,11 +390,29 @@ protected boolean validateToken(final HttpServletRequest 
request, final HttpServ
     return false;
   }
 
-  private boolean isTokenEnabled(String tokenId) throws UnknownTokenException {
-    final TokenMetadata tokenMetadata = tokenStateService == null ? null : 
tokenStateService.getTokenMetadata(tokenId);
+  private boolean isTokenEnabled(TokenMetadata tokenMetadata) throws 
UnknownTokenException {
     return tokenMetadata == null ? true : tokenMetadata.isEnabled();
   }
 
+  private boolean isNotIdle(TokenMetadata tokenMetadata) throws 
UnknownTokenException {

Review Comment:
   I think isNotIdleLimitExceeded(tokenMetadata) (or something similar) might 
be a more accurate method name. If we're getting a request, the client is not 
currently idle. Actually, I would prefer to avoid the negative perspective, 
using hasIdleLimitExpired(tokenMetadata) and then 
!hasIdleLimitExpired(tokenMetadata) in it use. This is all a rather small point 
though, and perhaps not worth worrying about.



##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java:
##########
@@ -381,11 +390,29 @@ protected boolean validateToken(final HttpServletRequest 
request, final HttpServ
     return false;
   }
 
-  private boolean isTokenEnabled(String tokenId) throws UnknownTokenException {
-    final TokenMetadata tokenMetadata = tokenStateService == null ? null : 
tokenStateService.getTokenMetadata(tokenId);
+  private boolean isTokenEnabled(TokenMetadata tokenMetadata) throws 
UnknownTokenException {
     return tokenMetadata == null ? true : tokenMetadata.isEnabled();
   }
 
+  private boolean isNotIdle(TokenMetadata tokenMetadata) throws 
UnknownTokenException {
+    if (idleTimeoutSeconds > 0) {
+      final Instant lastUsedAt = tokenMetadata == null ? null : 
tokenMetadata.getLastUsedAt();
+      final Instant idleTimeoutLimit = lastUsedAt == null ? null : 
lastUsedAt.plusSeconds(idleTimeoutSeconds);
+      return idleTimeoutLimit == null ? true : 
(tokenMetadata.isKnoxSsoCookie() && idleTimeoutLimit.isAfter(Instant.now()));
+    }
+    return true; // no idle timeout is configured -> ignore idleness check
+  }
+
+  private void markLastUsedAt(String tokenId, TokenMetadata tokenMetadata) 
throws UnknownTokenException {
+    if (tokenMetadata != null && tokenMetadata.isKnoxSsoCookie()) {
+      // to avoid updating every single metadata value, we create a new token 
metadata
+      // instance only with the updated "LAST_USED_AT" information
+      final TokenMetadata updatedTokenMetadata = new TokenMetadata();
+      updatedTokenMetadata.useTokenNow();
+      tokenStateService.addMetadata(tokenId, updatedTokenMetadata);

Review Comment:
   Does this mean there are multiple metadata entries for the same token in the 
state store?



##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/JWTMessages.java:
##########
@@ -104,4 +104,11 @@ public interface JWTMessages {
 
   @Message( level = MessageLevel.WARN, text = "Invalid SSO cookie found! 
Cleaning up..." )
   void invalidSsoCookie();
+
+  @Message( level = MessageLevel.WARN, text = "User with SSO token {0} 
exceeded the configured idle timeout of {1} seconds." )

Review Comment:
   Is it possible to include the principal name here for easier correlation to 
the user?





Issue Time Tracking
-------------------

    Worklog Id:     (was: 903129)
    Time Spent: 20m  (was: 10m)

> Implement Knox idle session time
> --------------------------------
>
>                 Key: KNOX-3005
>                 URL: https://issues.apache.org/jira/browse/KNOX-3005
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: KnoxSSO
>    Affects Versions: 2.1.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Critical
>             Fix For: 2.1.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> With the recent work of KNOX-2961, the new SSO token invalidation 
> functionality, Knox could provide idle session timeout behavior for UIs.
> It will likely not include the usual UI pop-up approach (like when the 
> end-user is informed about being idle too long), but it would effectively 
> terminate idle SSO sessions and force an explicit login.
> It's also worth mentioning the idleness measurement solely depends on backend 
> activities through the KnoxSSO Cookie federation filter. and will not take 
> any client-side action (such as scrolling on the page, client-side 
> pagination, etc..) into account.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Work logged] (KNOX-3005) Implement Knox idle session time

Reply via email to