Re: [PR] KNOX-3005 - Implemented KnoxSSO idle timeout [knox]

Thu, 01 Feb 2024 23:26:55 -0800 


smolnar82 commented on code in PR #839:
URL: https://github.com/apache/knox/pull/839#discussion_r1475663053


##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java:
##########
@@ -381,11 +390,29 @@ protected boolean validateToken(final HttpServletRequest 
request, final HttpServ
     return false;
   }
 
-  private boolean isTokenEnabled(String tokenId) throws UnknownTokenException {
-    final TokenMetadata tokenMetadata = tokenStateService == null ? null : 
tokenStateService.getTokenMetadata(tokenId);
+  private boolean isTokenEnabled(TokenMetadata tokenMetadata) throws 
UnknownTokenException {
     return tokenMetadata == null ? true : tokenMetadata.isEnabled();
   }
 
+  private boolean isNotIdle(TokenMetadata tokenMetadata) throws 
UnknownTokenException {
+    if (idleTimeoutSeconds > 0) {
+      final Instant lastUsedAt = tokenMetadata == null ? null : 
tokenMetadata.getLastUsedAt();
+      final Instant idleTimeoutLimit = lastUsedAt == null ? null : 
lastUsedAt.plusSeconds(idleTimeoutSeconds);
+      return idleTimeoutLimit == null ? true : 
(tokenMetadata.isKnoxSsoCookie() && idleTimeoutLimit.isAfter(Instant.now()));
+    }
+    return true; // no idle timeout is configured -> ignore idleness check
+  }
+
+  private void markLastUsedAt(String tokenId, TokenMetadata tokenMetadata) 
throws UnknownTokenException {
+    if (tokenMetadata != null && tokenMetadata.isKnoxSsoCookie()) {
+      // to avoid updating every single metadata value, we create a new token 
metadata
+      // instance only with the updated "LAST_USED_AT" information
+      final TokenMetadata updatedTokenMetadata = new TokenMetadata();
+      updatedTokenMetadata.useTokenNow();
+      tokenStateService.addMetadata(tokenId, updatedTokenMetadata);

Review Comment:
   Yes, that was the design decision back in time when I added the 
`knox_token_metadata` table (see #447 ):
   ```
   CREATE TABLE IF NOT EXISTS KNOX_TOKEN_METADATA ( -- IF NOT EXISTS syntax is 
not supported by Derby
      token_id varchar(128) NOT NULL,
      md_name varchar(32) NOT NULL,
      md_value varchar(256) NOT NULL,
      PRIMARY KEY (token_id, md_name),
      CONSTRAINT fk_token_id FOREIGN KEY(token_id) REFERENCES 
KNOX_TOKENS(token_id) ON DELETE CASCADE
   )
   ```
   This is why we do not need to worry about schema changes between versions.
   
   Currently, the following metadata is known: `userName`, `comment`, 
`enabled`, `passcode`, `createdBy`, `knoxSSOCookie`, and now `lastUsedAt`. But 
these are only what is known to Knox.
   Please note that end-users [may add arbitrary 
metadata](https://issues.apache.org/jira/browse/KNOX-2712) using the KNOXTOKEN 
API.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to