Re: [PR] KNOX-3005 - Implemented KnoxSSO idle timeout [knox]

Fri, 02 Feb 2024 06:11:07 -0800 


zeroflag commented on code in PR #839:
URL: https://github.com/apache/knox/pull/839#discussion_r1476107686


##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java:
##########
@@ -381,11 +390,29 @@ protected boolean validateToken(final HttpServletRequest 
request, final HttpServ
     return false;
   }
 
-  private boolean isTokenEnabled(String tokenId) throws UnknownTokenException {
-    final TokenMetadata tokenMetadata = tokenStateService == null ? null : 
tokenStateService.getTokenMetadata(tokenId);
+  private boolean isTokenEnabled(TokenMetadata tokenMetadata) throws 
UnknownTokenException {
     return tokenMetadata == null ? true : tokenMetadata.isEnabled();
   }
 
+  private boolean isNotIdle(TokenMetadata tokenMetadata) throws 
UnknownTokenException {
+    if (idleTimeoutSeconds > 0) {
+      final Instant lastUsedAt = tokenMetadata == null ? null : 
tokenMetadata.getLastUsedAt();
+      final Instant idleTimeoutLimit = lastUsedAt == null ? null : 
lastUsedAt.plusSeconds(idleTimeoutSeconds);
+      return idleTimeoutLimit == null ? true : 
(tokenMetadata.isKnoxSsoCookie() && idleTimeoutLimit.isAfter(Instant.now()));
+    }
+    return true; // no idle timeout is configured -> ignore idleness check
+  }
+
+  private void markLastUsedAt(String tokenId, TokenMetadata tokenMetadata) 
throws UnknownTokenException {
+    if (tokenMetadata != null && tokenMetadata.isKnoxSsoCookie()) {
+      // to avoid updating every single metadata value, we create a new token 
metadata
+      // instance only with the updated "LAST_USED_AT" information
+      final TokenMetadata updatedTokenMetadata = new TokenMetadata();
+      updatedTokenMetadata.useTokenNow();
+      tokenStateService.addMetadata(tokenId, updatedTokenMetadata);

Review Comment:
   I see, thanks, that was exactly what I was curious about.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to