smolnar82 commented on code in PR #902: URL: https://github.com/apache/knox/pull/902#discussion_r1584815961
########## gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/JWTFederationFilterTest.java: ########## @@ -98,6 +104,61 @@ public void testCookieAuthSupportCustomCookieName() throws Exception { testCookieAuthSupport(true, "customCookie"); } + @Test + public void testVerifyPasscodeTokens() throws Exception { + testVerifyPasscodeTokens(true); + } + + @Test + public void testVerifyPasscodeTokensTssDisabled() throws Exception { + testVerifyPasscodeTokens(false); + } + + private void testVerifyPasscodeTokens(boolean tssEnabled) throws Exception { + final String topologyName = "jwt-topology"; + final String tokenId = "4e0c548b-6568-4061-a3dc-62908087650a"; + final String passcode = "0138aaed-ca2a-47f1-8ed8-e0c397596f95"; + final String passcodeToken = "UGFzc2NvZGU6VGtkVmQxbDZWVEJQUjBsMFRtcFZNazlETURCTlJGbDRURmRGZWxwSFRYUk9ha2sxVFVSbmQwOUVZekpPVkVKb09qcE5SRVY2VDBkR2FGcFhVWFJaTWtWNVdWTXdNRTR5V1hoTVZHaHNXa1JuZEZwVVFtcE5lbXN6VGxSck1scHFhekU9"; + + final TokenStateService tokenStateService = EasyMock.createNiceMock(TokenStateService.class); + EasyMock.expect(tokenStateService.getTokenExpiration(tokenId)).andReturn(Long.MAX_VALUE).anyTimes(); + + final TokenMetadata tokenMetadata = EasyMock.createNiceMock(TokenMetadata.class); + EasyMock.expect(tokenMetadata.isEnabled()).andReturn(true).anyTimes(); + EasyMock.expect(tokenMetadata.getPasscode()).andReturn(passcodeToken).anyTimes(); + EasyMock.expect(tokenStateService.getTokenMetadata(EasyMock.anyString())).andReturn(tokenMetadata).anyTimes(); + + final Properties filterConfigProps = getProperties(); + filterConfigProps.put(TokenStateService.CONFIG_SERVER_MANAGED, Boolean.toString(tssEnabled)); + filterConfigProps.put(TestFilterConfig.TOPOLOGY_NAME_PROP, topologyName); + final FilterConfig filterConfig = new TestFilterConfig(filterConfigProps, tokenStateService); + handler.init(filterConfig); + + final HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class); + EasyMock.expect(request.getRequestURL()).andReturn(new StringBuffer(SERVICE_URL)).anyTimes(); + EasyMock.expect(request.getHeader("Authorization")).andReturn("Basic " + passcodeToken); + + final HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class); + if (!tssEnabled) { + response.sendError(HttpServletResponse.SC_UNAUTHORIZED, AbstractJWTFilter.TOKEN_STATE_SERVICE_DISABLED_ERROR); + EasyMock.expectLastCall().once(); + } + EasyMock.replay(tokenStateService, tokenMetadata, request, response); + + SignatureVerificationCache.getInstance(topologyName, filterConfig).recordSignatureVerification(passcode); + + final TestFilterChain chain = new TestFilterChain(); + handler.doFilter(request, response, chain); + + EasyMock.verify(response); + if (tssEnabled) { + Assert.assertTrue(chain.doFilterCalled); + Assert.assertNotNull(chain.subject); + } else { + Assert.assertFalse(chain.doFilterCalled); + } Review Comment: Even with what we had in 2.0.0 and before, the filter chain is not invoked if the token state service was disabled. See the relevant code in JWTProvider: ``` if (validateToken((HttpServletRequest) request, (HttpServletResponse) response, chain, tokenId, passcode)) { try { Subject subject = createSubjectFromTokenIdentifier(tokenId); continueWithEstablishedSecurityContext(subject, (HttpServletRequest) request, (HttpServletResponse) response, chain); } catch (UnknownTokenException e) { ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED); } } ``` If TSS was disabled, the `validateToken` returned `false` -> we did not continue processing the request. Moreover, we **_do test_** for 401. See the expectation a [couple more lines above](https://github.com/apache/knox/pull/902/files#diff-5d4c0de65c3e71a37e2cd6836a5eef836a4f9d708240052afec57da23d62ba8eR142-R145). If TSS is disabled, it's expected that `sendError` is invoked on `response` with the proper params (401 and the error message). Verification of that expectation happens [here](https://github.com/apache/knox/pull/902/files#diff-5d4c0de65c3e71a37e2cd6836a5eef836a4f9d708240052afec57da23d62ba8eR153). -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org