Re: [PR] KNOX-3032 - Passcode use without token state service returns 401 [knox]

Tue, 30 Apr 2024 06:24:16 -0700 


smolnar82 commented on code in PR #902:
URL: https://github.com/apache/knox/pull/902#discussion_r1584815961


##########
gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/JWTFederationFilterTest.java:
##########
@@ -98,6 +104,61 @@ public void testCookieAuthSupportCustomCookieName() throws 
Exception {
     testCookieAuthSupport(true, "customCookie");
   }
 
+  @Test
+  public void testVerifyPasscodeTokens() throws Exception {
+    testVerifyPasscodeTokens(true);
+  }
+
+  @Test
+  public void testVerifyPasscodeTokensTssDisabled() throws Exception {
+    testVerifyPasscodeTokens(false);
+  }
+
+  private void testVerifyPasscodeTokens(boolean tssEnabled) throws Exception {
+    final String topologyName = "jwt-topology";
+    final String tokenId = "4e0c548b-6568-4061-a3dc-62908087650a";
+    final String passcode = "0138aaed-ca2a-47f1-8ed8-e0c397596f95";
+    final String passcodeToken = 
"UGFzc2NvZGU6VGtkVmQxbDZWVEJQUjBsMFRtcFZNazlETURCTlJGbDRURmRGZWxwSFRYUk9ha2sxVFVSbmQwOUVZekpPVkVKb09qcE5SRVY2VDBkR2FGcFhVWFJaTWtWNVdWTXdNRTR5V1hoTVZHaHNXa1JuZEZwVVFtcE5lbXN6VGxSck1scHFhekU9";
+
+    final TokenStateService tokenStateService = 
EasyMock.createNiceMock(TokenStateService.class);
+    
EasyMock.expect(tokenStateService.getTokenExpiration(tokenId)).andReturn(Long.MAX_VALUE).anyTimes();
+
+    final TokenMetadata tokenMetadata = 
EasyMock.createNiceMock(TokenMetadata.class);
+    EasyMock.expect(tokenMetadata.isEnabled()).andReturn(true).anyTimes();
+    
EasyMock.expect(tokenMetadata.getPasscode()).andReturn(passcodeToken).anyTimes();
+    
EasyMock.expect(tokenStateService.getTokenMetadata(EasyMock.anyString())).andReturn(tokenMetadata).anyTimes();
+
+    final Properties filterConfigProps = getProperties();
+    filterConfigProps.put(TokenStateService.CONFIG_SERVER_MANAGED, 
Boolean.toString(tssEnabled));
+    filterConfigProps.put(TestFilterConfig.TOPOLOGY_NAME_PROP, topologyName);
+    final FilterConfig filterConfig = new TestFilterConfig(filterConfigProps, 
tokenStateService);
+    handler.init(filterConfig);
+
+    final HttpServletRequest request = 
EasyMock.createNiceMock(HttpServletRequest.class);
+    EasyMock.expect(request.getRequestURL()).andReturn(new 
StringBuffer(SERVICE_URL)).anyTimes();
+    EasyMock.expect(request.getHeader("Authorization")).andReturn("Basic " + 
passcodeToken);
+
+    final HttpServletResponse response = 
EasyMock.createNiceMock(HttpServletResponse.class);
+    if (!tssEnabled) {
+      response.sendError(HttpServletResponse.SC_UNAUTHORIZED, 
AbstractJWTFilter.TOKEN_STATE_SERVICE_DISABLED_ERROR);
+      EasyMock.expectLastCall().once();
+    }
+    EasyMock.replay(tokenStateService, tokenMetadata, request, response);
+
+    SignatureVerificationCache.getInstance(topologyName, 
filterConfig).recordSignatureVerification(passcode);
+
+    final TestFilterChain chain = new TestFilterChain();
+    handler.doFilter(request, response, chain);
+
+    EasyMock.verify(response);
+    if (tssEnabled) {
+      Assert.assertTrue(chain.doFilterCalled);
+      Assert.assertNotNull(chain.subject);
+    } else {
+      Assert.assertFalse(chain.doFilterCalled);
+    }

Review Comment:
   Even with what we had in 2.0.0 and before, the filter chain is not invoked 
if the token state service was disabled. See the relevant code in JWTProvider:
   ```
           if (validateToken((HttpServletRequest) request, 
(HttpServletResponse) response, chain, tokenId, passcode)) {
             try {
               Subject subject = createSubjectFromTokenIdentifier(tokenId);
               continueWithEstablishedSecurityContext(subject, 
(HttpServletRequest) request, (HttpServletResponse) response, chain);
             } catch (UnknownTokenException e) {
               ((HttpServletResponse) 
response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
             }
           }
   ```
   If TSS was disabled, the `validateToken` returned `false` -> we did not 
continue processing the request.
   
   Moreover, we **_do test_** for 401. See the expectation a [couple more lines 
above](https://github.com/apache/knox/pull/902/files#diff-5d4c0de65c3e71a37e2cd6836a5eef836a4f9d708240052afec57da23d62ba8eR142-R145).
 If TSS is disabled, it's expected that `sendError` is invoked on `response` 
with the proper params (401 and the error message). Verification of that 
expectation happens 
[here](https://github.com/apache/knox/pull/902/files#diff-5d4c0de65c3e71a37e2cd6836a5eef836a4f9d708240052afec57da23d62ba8eR153).



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to