[ https://issues.apache.org/jira/browse/KNOX-3032?focusedWorklogId=917005&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-917005 ]
ASF GitHub Bot logged work on KNOX-3032:
----------------------------------------
                Author: ASF GitHub Bot
            Created on: 30/Apr/24 12:44
            Start Date: 30/Apr/24 12:44
    Worklog Time Spent: 10m 
      Work Description: 
lmccay commented on code in PR #902:
URL: https://github.com/apache/knox/pull/902#discussion_r1584746910

##########
gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/JWTFederationFilterTest.java:
##########
@@ -98,6 +104,61 @@ public void testCookieAuthSupportCustomCookieName() throws Exception { testCookieAuthSupport(true, "customCookie"); } + @Test + public void testVerifyPasscodeTokens() throws Exception { + testVerifyPasscodeTokens(true); + } + + @Test + public void testVerifyPasscodeTokensTssDisabled() throws Exception { + testVerifyPasscodeTokens(false); + } + + private void testVerifyPasscodeTokens(boolean tssEnabled) throws Exception { + final String topologyName = "jwt-topology"; + final String tokenId = "4e0c548b-6568-4061-a3dc-62908087650a"; + final String passcode = "0138aaed-ca2a-47f1-8ed8-e0c397596f95"; + final String passcodeToken = "UGFzc2NvZGU6VGtkVmQxbDZWVEJQUjBsMFRtcFZNazlETURCTlJGbDRURmRGZWxwSFRYUk9ha2sxVFVSbmQwOUVZekpPVkVKb09qcE5SRVY2VDBkR2FGcFhVWFJaTWtWNVdWTXdNRTR5V1hoTVZHaHNXa1JuZEZwVVFtcE5lbXN6VGxSck1scHFhekU9"; + + final TokenStateService tokenStateService = EasyMock.createNiceMock(TokenStateService.class); + EasyMock.expect(tokenStateService.getTokenExpiration(tokenId)).andReturn(Long.MAX_VALUE).anyTimes(); + + final TokenMetadata tokenMetadata = EasyMock.createNiceMock(TokenMetadata.class); + EasyMock.expect(tokenMetadata.isEnabled()).andReturn(true).anyTimes(); + EasyMock.expect(tokenMetadata.getPasscode()).andReturn(passcodeToken).anyTimes(); + EasyMock.expect(tokenStateService.getTokenMetadata(EasyMock.anyString())).andReturn(tokenMetadata).anyTimes(); + + final Properties filterConfigProps = getProperties(); + filterConfigProps.put(TokenStateService.CONFIG_SERVER_MANAGED, Boolean.toString(tssEnabled)); + filterConfigProps.put(TestFilterConfig.TOPOLOGY_NAME_PROP, topologyName); + final FilterConfig filterConfig = new TestFilterConfig(filterConfigProps, tokenStateService); + handler.init(filterConfig); + + final HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class); + EasyMock.expect(request.getRequestURL()).andReturn(new StringBuffer(SERVICE_URL)).anyTimes(); + 
EasyMock.expect(request.getHeader("Authorization")).andReturn("Basic " + passcodeToken); + + final HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class); + if (!tssEnabled) { + response.sendError(HttpServletResponse.SC_UNAUTHORIZED, AbstractJWTFilter.TOKEN_STATE_SERVICE_DISABLED_ERROR); + EasyMock.expectLastCall().once(); + } + EasyMock.replay(tokenStateService, tokenMetadata, request, response); + + SignatureVerificationCache.getInstance(topologyName, filterConfig).recordSignatureVerification(passcode); + + final TestFilterChain chain = new TestFilterChain(); + handler.doFilter(request, response, chain); + + EasyMock.verify(response); + if (tssEnabled) { + Assert.assertTrue(chain.doFilterCalled); + Assert.assertNotNull(chain.subject); + } else { + Assert.assertFalse(chain.doFilterCalled); + } Review Comment: Shouldn't we also test that it is a 401 rather than the current 200? Granted it will only be coming from the mock but seems like we should test it anyway to at least show expectations. Current behavior returns a 200 but does the filter chain continue anyway or was it already being terminated? Issue Time Tracking ------------------- Worklog Id: (was: 917005) Time Spent: 20m (was: 10m) > Passcode token verification doesn't return error when TSS is disabled > --------------------------------------------------------------------- > > Key: KNOX-3032 > URL: https://issues.apache.org/jira/browse/KNOX-3032 > Project: Apache Knox > Issue Type: Bug > Components: Server > Affects Versions: 2.0.0 > Reporter: Sandor Molnar > Assignee: Sandor Molnar > Priority: Major > Fix For: 2.1.0 > > Attachments: proxy-token.xml > > Time Spent: 20m > Remaining Estimate: 0h > > *Steps to reproduce:* > * configure a new topology (e.g. 
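Review bot: in the `tssEnabled` branch of `testVerifyPasscodeTokens` nothing rules out an error status being sent, because `response` is created with `createNiceMock`, which silently accepts an unexpected `sendError(...)` call, so `EasyMock.verify(response)` would still pass if the filter answered 401 there; creating `response` with `createMock`/`createStrictMock`, or adding an explicit expectation that `sendError` is never called when `tssEnabled` is true, would make the 200-vs-401 expectation lmccay asks about enforced in both branches. Two smaller points on the same hunk: `request.getHeader("Authorization")` is stubbed without `.anyTimes()`, so a second read of the header by the filter fails the test for a reason unrelated to passcode handling, and `getTokenMetadata(EasyMock.anyString())` does not confirm that the lookup is made with `tokenId`. Since both test methods share `topologyName`, the passcode recorded through `SignatureVerificationCache.getInstance(...)` in one run also remains visible to the other unless the cache is cleared between them.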
> proxy-token) with {{JWTProvider}} where
> {{knox.token.exp.server-managed}} is set to {{false}} (see an example in the
> attachment)
> * acquire a Knox Token using the Token Generation UI
> * use the {{Passcode}} field in a {{curl}} request against a service
> endpoint in the new topology
> *Current results:*
> Knox returns an HTTP response with 200 status code
> {noformat}
> $ curl -iku
> Passcode:TkdVd1l6VTBPR0l0TmpVMk9DMDBNRFl4TFdFelpHTXROakk1TURnd09EYzJOVEJoOjpNREV6T0dGaFpXUXRZMkV5WVMwME4yWXhMVGhsWkRndFpUQmpNemszTlRrMlpqazE=
> https://localhost:8443/gateway/proxy-token/health/v1/gateway-status
> HTTP/1.1 200 OK
> Date: Mon, 29 Apr 2024 08:33:06 GMT
> Content-Length: 0
> {noformat}
> *Expected results:*
> An HTTP response should have been received with 401 and the proper error
> message.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
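The behaviour the report describes, as an added illustration that is not Knox's code and not the PR's test: a passcode token is unpacked from the Basic header and either checked against stored token state or, when server-managed token state is disabled, rejected with 401 instead of being passed down the chain. The `PasscodeStore` interface is a hypothetical stand-in for the TokenStateService lookup; the header layout is what the sample values on this page decode to.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Optional;

// Added illustration, not Knox's own code: the decision a JWT filter has to make for a passcode token.
public final class PasscodeTokenCheck {
    static final int SC_OK = 200;            // continue the filter chain
    static final int SC_UNAUTHORIZED = 401;  // stop the chain with an error
    // Stand-in for the TokenStateService metadata lookup (hypothetical interface).
    interface PasscodeStore { Optional<String> passcodeFor(String tokenId); }
    // Decodes "Basic <base64('Passcode:' + T)>" with T = base64(base64(id) + "::" + base64(passcode)),
    // which is how the sample values on this page decode. Returns {id, passcode} or null.
    static String[] parsePasscodeHeader(String authorization) {
        if (authorization == null || !authorization.startsWith("Basic ")) return null;
        String userPass = decode(authorization.substring("Basic ".length()));
        if (userPass == null || !userPass.startsWith("Passcode:")) return null;
        String inner = decode(userPass.substring("Passcode:".length()));
        String[] parts = inner == null ? new String[0] : inner.split("::", -1);
        if (parts.length != 2) return null;
        String id = decode(parts[0]), passcode = decode(parts[1]);
        return (id == null || passcode == null) ? null : new String[] {id, passcode};
    }
    private static String decode(String b64) {
        try {
            return new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // malformed base64 is treated as an absent credential, not a crash
        }
    }
    // Returns the status the filter should produce. With TSS disabled there is no stored passcode to
    // verify against, so the request must get 401 (AbstractJWTFilter.TOKEN_STATE_SERVICE_DISABLED_ERROR in Knox).
    static int verify(String authorization, boolean tssEnabled, PasscodeStore store) {
        String[] cred = parsePasscodeHeader(authorization);
        if (cred == null || !tssEnabled) return SC_UNAUTHORIZED; // the !tssEnabled check is the KNOX-3032 fix
        Optional<String> stored = store.passcodeFor(cred[0]);
        byte[] expected = stored.orElse("").getBytes(StandardCharsets.UTF_8);
        byte[] presented = cred[1].getBytes(StandardCharsets.UTF_8);
        return stored.isPresent() && MessageDigest.isEqual(expected, presented) ? SC_OK : SC_UNAUTHORIZED;
    }
    public static void main(String[] args) {
        // Passcode value from the Jira report; it decodes to the tokenId/passcode pair used in the PR test.
        String token = "TkdVd1l6VTBPR0l0TmpVMk9DMDBNRFl4TFdFelpHTXROakk1TURnd09EYzJOVEJoOjpNREV6T0dGaFpXUXRZMkV5WVMwME4yWXhMVGhsWkRndFpUQmpNemszTlRrMlpqazE=";
        String header = "Basic " + Base64.getEncoder().encodeToString(("Passcode:" + token).getBytes(StandardCharsets.UTF_8));
        PasscodeStore store = id -> "4e0c548b-6568-4061-a3dc-62908087650a".equals(id)
                ? Optional.of("0138aaed-ca2a-47f1-8ed8-e0c397596f95") : Optional.<String>empty();
        System.out.println("TSS enabled:  " + verify(header, true, store));
        System.out.println("TSS disabled: " + verify(header, false, store));
    }
}
```

Compile and run with a plain JDK (`javac PasscodeTokenCheck.java && java PasscodeTokenCheck`); the same header yields 200 with TSS enabled and 401 with it disabled, which is the contrast the PR test asserts through the mocked `sendError` call.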