[ https://issues.apache.org/jira/browse/KNOX-3032?focusedWorklogId=917026&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-917026 ]
ASF GitHub Bot logged work on KNOX-3032: ---------------------------------------- Author: ASF GitHub Bot Created on: 30/Apr/24 13:23 Start Date: 30/Apr/24 13:23 Worklog Time Spent: 10m Work Description: smolnar82 commented on code in PR #902: URL: https://github.com/apache/knox/pull/902#discussion_r1584815961 ########## gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/JWTFederationFilterTest.java: ########## 
@@ -98,6 +104,61 @@ public void testCookieAuthSupportCustomCookieName() throws Exception { testCookieAuthSupport(true, "customCookie"); } + @Test + public void testVerifyPasscodeTokens() throws Exception { + testVerifyPasscodeTokens(true); + } + + @Test + public void testVerifyPasscodeTokensTssDisabled() throws Exception { + testVerifyPasscodeTokens(false); + } + + private void testVerifyPasscodeTokens(boolean tssEnabled) throws Exception { + final String topologyName = "jwt-topology"; + final String tokenId = "4e0c548b-6568-4061-a3dc-62908087650a"; + final String passcode = "0138aaed-ca2a-47f1-8ed8-e0c397596f95"; + final String passcodeToken = "UGFzc2NvZGU6VGtkVmQxbDZWVEJQUjBsMFRtcFZNazlETURCTlJGbDRURmRGZWxwSFRYUk9ha2sxVFVSbmQwOUVZekpPVkVKb09qcE5SRVY2VDBkR2FGcFhVWFJaTWtWNVdWTXdNRTR5V1hoTVZHaHNXa1JuZEZwVVFtcE5lbXN6VGxSck1scHFhekU9"; + + final TokenStateService tokenStateService = EasyMock.createNiceMock(TokenStateService.class); + EasyMock.expect(tokenStateService.getTokenExpiration(tokenId)).andReturn(Long.MAX_VALUE).anyTimes(); + + final TokenMetadata tokenMetadata = EasyMock.createNiceMock(TokenMetadata.class); + EasyMock.expect(tokenMetadata.isEnabled()).andReturn(true).anyTimes(); + EasyMock.expect(tokenMetadata.getPasscode()).andReturn(passcodeToken).anyTimes(); + EasyMock.expect(tokenStateService.getTokenMetadata(EasyMock.anyString())).andReturn(tokenMetadata).anyTimes(); + + final Properties filterConfigProps = getProperties(); + filterConfigProps.put(TokenStateService.CONFIG_SERVER_MANAGED, Boolean.toString(tssEnabled)); + filterConfigProps.put(TestFilterConfig.TOPOLOGY_NAME_PROP, topologyName); + final FilterConfig filterConfig = new TestFilterConfig(filterConfigProps, tokenStateService); + handler.init(filterConfig); + + final HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class); + EasyMock.expect(request.getRequestURL()).andReturn(new StringBuffer(SERVICE_URL)).anyTimes(); + 
EasyMock.expect(request.getHeader("Authorization")).andReturn("Basic " + passcodeToken); + + final HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class); + if (!tssEnabled) { + response.sendError(HttpServletResponse.SC_UNAUTHORIZED, AbstractJWTFilter.TOKEN_STATE_SERVICE_DISABLED_ERROR); + EasyMock.expectLastCall().once(); + } + EasyMock.replay(tokenStateService, tokenMetadata, request, response); + + SignatureVerificationCache.getInstance(topologyName, filterConfig).recordSignatureVerification(passcode); + + final TestFilterChain chain = new TestFilterChain(); + handler.doFilter(request, response, chain); + + EasyMock.verify(response); + if (tssEnabled) { + Assert.assertTrue(chain.doFilterCalled); + Assert.assertNotNull(chain.subject); + } else { + Assert.assertFalse(chain.doFilterCalled); + } Review Comment: Even with what we had in 2.0.0 and before, the filter chain is not invoked if the token state service was disabled. See the relevant code in JWTProvider: ``` if (validateToken((HttpServletRequest) request, (HttpServletResponse) response, chain, tokenId, passcode)) { try { Subject subject = createSubjectFromTokenIdentifier(tokenId); continueWithEstablishedSecurityContext(subject, (HttpServletRequest) request, (HttpServletResponse) response, chain); } catch (UnknownTokenException e) { ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED); } } ``` If TSS was disabled, the `validateToken` returned `false` -> we did not continue processing the request. Moreover, we **_do test_** for 401. See the expectation a [couple more lines above](https://github.com/apache/knox/pull/902/files#diff-5d4c0de65c3e71a37e2cd6836a5eef836a4f9d708240052afec57da23d62ba8eR142-R145). If TSS is disabled, it's expected that `sendError` is invoked on `response` with the proper params (401 and the error message). 
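Review bot: In the tssEnabled branch the test cannot detect a regression where the filter sends an error and still continues the chain, because `response` is created with `EasyMock.createNiceMock`, which silently accepts calls that were never expected, so `EasyMock.verify(response)` passes even if `sendError` was invoked. Consider `EasyMock.createMock(HttpServletResponse.class)` (a default mock fails on unexpected calls) so that the enabled case proves no 401 was written, mirroring how the disabled case proves one was. Two smaller points on the same hunk: `EasyMock.expect(tokenStateService.getTokenMetadata(EasyMock.anyString()))` would be tighter as `getTokenMetadata(tokenId)`, so the test also checks that the filter extracted the right token id from the passcode; and the hard-coded `passcodeToken` base64 literal carries no comment tying it to `tokenId` and `passcode`, so a short comment (or deriving it with the same encoding the production code uses) would keep the three fixtures from drifting apart when one of them is edited.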
Issue Time Tracking
-------------------

    Worklog Id:     (was: 917026)
    Time Spent: 0.5h  (was: 20m)

> Passcode token verification doesn't return error when TSS is disabled
> ---------------------------------------------------------------------
>
>                 Key: KNOX-3032
>                 URL: https://issues.apache.org/jira/browse/KNOX-3032
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 2.0.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 2.1.0
>
>         Attachments: proxy-token.xml
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> *Steps to reproduce:*
>  * configure a new topology (e.g. proxy-token) with {{JWTProvider}} where {{knox.token.exp.server-managed}} is set to {{false}} (see an example in the attachment)
>  * acquire a Knox Token using the Token Generation UI
>  * use the {{Passcode}} field in a {{curl}} request against a service endpoint in the new topology
>
> *Current results:*
> Knox returns an HTTP response with 200 status code
> {noformat}
> $ curl -iku Passcode:TkdVd1l6VTBPR0l0TmpVMk9DMDBNRFl4TFdFelpHTXROakk1TURnd09EYzJOVEJoOjpNREV6T0dGaFpXUXRZMkV5WVMwME4yWXhMVGhsWkRndFpUQmpNemszTlRrMlpqazE= https://localhost:8443/gateway/proxy-token/health/v1/gateway-status
> HTTP/1.1 200 OK
> Date: Mon, 29 Apr 2024 08:33:06 GMT
> Content-Length: 0
> {noformat}
>
> *Expected results:*
> An HTTP response should have been received with 401 and the proper error message.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)