[31/37] knox git commit: KNOX-1082 - Add support to validate the "nbf" claim for JWTs

2017-10-26 Thread lmccay
KNOX-1082 - Add support to validate the "nbf" claim for JWTs


Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/bb467b8c
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/bb467b8c
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/bb467b8c

Branch: refs/heads/KNOX-1049
Commit: bb467b8c4ecd87fc83ec1cf2863767b0330f171e
Parents: 9c7aa7e
Author: Colm O hEigeartaigh 
Authored: Tue Oct 17 12:49:04 2017 +0100
Committer: Colm O hEigeartaigh 
Committed: Tue Oct 17 12:49:04 2017 +0100

--
 .../provider/federation/jwt/JWTMessages.java|  3 ++
 .../jwt/filter/AbstractJWTFilter.java   |  9 -
 .../federation/AbstractJWTFilterTest.java   | 40 ++--
 .../services/security/token/impl/JWT.java   |  3 ++
 .../services/security/token/impl/JWTToken.java  | 11 ++
 5 files changed, 61 insertions(+), 5 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/knox/blob/bb467b8c/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java
--
diff --git 
a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java
 
b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java
index f6969c6..f38d13b 100644
--- 
a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java
+++ 
b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java
@@ -34,6 +34,9 @@ public interface JWTMessages {
   @Message( level = MessageLevel.INFO, text = "Access token has expired; a new 
one must be acquired." )
   void tokenHasExpired();
 
+  @Message( level = MessageLevel.INFO, text = "The NotBefore check failed." )
+  void notBeforeCheckFailed();
+
   @Message( level = MessageLevel.WARN, text = "Expected Bearer token is 
missing." )
   void missingBearerToken();
 

http://git-wip-us.apache.org/repos/asf/knox/blob/bb467b8c/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
--
diff --git 
a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
 
b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
index deb3d5b..0d8ecb8 100644
--- 
a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
+++ 
b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
@@ -275,7 +275,14 @@ public abstract class AbstractJWTFilter implements Filter {
 if (tokenIsStillValid(token)) {
   boolean audValid = validateAudiences(token);
   if (audValid) {
-return true;
+  Date nbf = token.getNotBeforeDate();
+  if (nbf == null || new Date().after(nbf)) {
+return true;
+  } else {
+log.notBeforeCheckFailed();
+handleValidationError(request, response, 
HttpServletResponse.SC_BAD_REQUEST,
+  "Bad request: the NotBefore check 
failed");
+  }
   }
   else {
 log.failedToValidateAudience();
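Review bot: The comparison `new Date().after(nbf)` is strict, so a token whose nbf equals the current instant is rejected, whereas RFC 7519 (section 4.1.5) accepts a token when the current time is after or equal to nbf; `if (nbf == null || !new Date().before(nbf)) {` keeps the null handling and admits the boundary. There is also no allowance for clock skew between issuer and gateway, so a freshly issued token from an issuer whose clock runs slightly ahead would be answered with SC_BAD_REQUEST; a small configurable leeway would avoid that, and the expiry check (tokenIsStillValid, not visible here) may want the same treatment. The test hunk in this commit appears to pass `new Date()` as the nbf value just before validation, which could make that test sensitive to the strict comparison on a fast machine. The enclosing method starts and ends outside the hunk, and the identical hunk is repeated in the two later copies of this commit mail on the page.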

http://git-wip-us.apache.org/repos/asf/knox/blob/bb467b8c/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/AbstractJWTFilterTest.java
--
diff --git 
a/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/AbstractJWTFilterTest.java
 
b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/AbstractJWTFilterTest.java
index b261081..54c596b 100644
--- 
a/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/AbstractJWTFilterTest.java
+++ 
b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/AbstractJWTFilterTest.java
@@ -505,7 +505,7 @@ public abstract class AbstractJWTFilterTest  {
   handler.init(new TestFilterConfig(props));
 
   SignedJWT jwt = getJWT(AbstractJWTFilter.JWT_DEFAULT_ISSUER, "alice", 
new Date(new Date().getTime() + 5000),
- privateKey, JWSAlgorithm.RS512.getName());
+ new Date(), privateKey, 
JWSAlgorithm.RS512.getName());
 
   HttpServletRequest request = 
EasyMock.createNiceMock(HttpServletRequ

[03/17] knox git commit: KNOX-1082 - Add support to validate the "nbf" claim for JWTs

2017-10-25 Thread more
KNOX-1082 - Add support to validate the "nbf" claim for JWTs


Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/bb467b8c
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/bb467b8c
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/bb467b8c

Branch: refs/heads/KNOX-998-Package_Restructuring
Commit: bb467b8c4ecd87fc83ec1cf2863767b0330f171e
Parents: 9c7aa7e
Author: Colm O hEigeartaigh 
Authored: Tue Oct 17 12:49:04 2017 +0100
Committer: Colm O hEigeartaigh 
Committed: Tue Oct 17 12:49:04 2017 +0100

--
 .../provider/federation/jwt/JWTMessages.java|  3 ++
 .../jwt/filter/AbstractJWTFilter.java   |  9 -
 .../federation/AbstractJWTFilterTest.java   | 40 ++--
 .../services/security/token/impl/JWT.java   |  3 ++
 .../services/security/token/impl/JWTToken.java  | 11 ++
 5 files changed, 61 insertions(+), 5 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/knox/blob/bb467b8c/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java
--
diff --git 
a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java
 
b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java
index f6969c6..f38d13b 100644
--- 
a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java
+++ 
b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java
@@ -34,6 +34,9 @@ public interface JWTMessages {
   @Message( level = MessageLevel.INFO, text = "Access token has expired; a new 
one must be acquired." )
   void tokenHasExpired();
 
+  @Message( level = MessageLevel.INFO, text = "The NotBefore check failed." )
+  void notBeforeCheckFailed();
+
   @Message( level = MessageLevel.WARN, text = "Expected Bearer token is 
missing." )
   void missingBearerToken();
 

http://git-wip-us.apache.org/repos/asf/knox/blob/bb467b8c/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
--
diff --git 
a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
 
b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
index deb3d5b..0d8ecb8 100644
--- 
a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
+++ 
b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
@@ -275,7 +275,14 @@ public abstract class AbstractJWTFilter implements Filter {
 if (tokenIsStillValid(token)) {
   boolean audValid = validateAudiences(token);
   if (audValid) {
-return true;
+  Date nbf = token.getNotBeforeDate();
+  if (nbf == null || new Date().after(nbf)) {
+return true;
+  } else {
+log.notBeforeCheckFailed();
+handleValidationError(request, response, 
HttpServletResponse.SC_BAD_REQUEST,
+  "Bad request: the NotBefore check 
failed");
+  }
   }
   else {
 log.failedToValidateAudience();

http://git-wip-us.apache.org/repos/asf/knox/blob/bb467b8c/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/AbstractJWTFilterTest.java
--
diff --git 
a/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/AbstractJWTFilterTest.java
 
b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/AbstractJWTFilterTest.java
index b261081..54c596b 100644
--- 
a/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/AbstractJWTFilterTest.java
+++ 
b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/AbstractJWTFilterTest.java
@@ -505,7 +505,7 @@ public abstract class AbstractJWTFilterTest  {
   handler.init(new TestFilterConfig(props));
 
   SignedJWT jwt = getJWT(AbstractJWTFilter.JWT_DEFAULT_ISSUER, "alice", 
new Date(new Date().getTime() + 5000),
- privateKey, JWSAlgorithm.RS512.getName());
+ new Date(), privateKey, 
JWSAlgorithm.RS512.getName());
 
   HttpServletRequest request = 
EasyMock.createNic

knox git commit: KNOX-1082 - Add support to validate the "nbf" claim for JWTs

2017-10-17 Thread coheigea
Repository: knox
Updated Branches:
  refs/heads/master 9c7aa7e1c -> bb467b8c4


KNOX-1082 - Add support to validate the "nbf" claim for JWTs


Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/bb467b8c
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/bb467b8c
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/bb467b8c

Branch: refs/heads/master
Commit: bb467b8c4ecd87fc83ec1cf2863767b0330f171e
Parents: 9c7aa7e
Author: Colm O hEigeartaigh 
Authored: Tue Oct 17 12:49:04 2017 +0100
Committer: Colm O hEigeartaigh 
Committed: Tue Oct 17 12:49:04 2017 +0100

--
 .../provider/federation/jwt/JWTMessages.java|  3 ++
 .../jwt/filter/AbstractJWTFilter.java   |  9 -
 .../federation/AbstractJWTFilterTest.java   | 40 ++--
 .../services/security/token/impl/JWT.java   |  3 ++
 .../services/security/token/impl/JWTToken.java  | 11 ++
 5 files changed, 61 insertions(+), 5 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/knox/blob/bb467b8c/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java
--
diff --git 
a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java
 
b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java
index f6969c6..f38d13b 100644
--- 
a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java
+++ 
b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java
@@ -34,6 +34,9 @@ public interface JWTMessages {
   @Message( level = MessageLevel.INFO, text = "Access token has expired; a new 
one must be acquired." )
   void tokenHasExpired();
 
+  @Message( level = MessageLevel.INFO, text = "The NotBefore check failed." )
+  void notBeforeCheckFailed();
+
   @Message( level = MessageLevel.WARN, text = "Expected Bearer token is 
missing." )
   void missingBearerToken();
 

http://git-wip-us.apache.org/repos/asf/knox/blob/bb467b8c/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
--
diff --git 
a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
 
b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
index deb3d5b..0d8ecb8 100644
--- 
a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
+++ 
b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
@@ -275,7 +275,14 @@ public abstract class AbstractJWTFilter implements Filter {
 if (tokenIsStillValid(token)) {
   boolean audValid = validateAudiences(token);
   if (audValid) {
-return true;
+  Date nbf = token.getNotBeforeDate();
+  if (nbf == null || new Date().after(nbf)) {
+return true;
+  } else {
+log.notBeforeCheckFailed();
+handleValidationError(request, response, 
HttpServletResponse.SC_BAD_REQUEST,
+  "Bad request: the NotBefore check 
failed");
+  }
   }
   else {
 log.failedToValidateAudience();

http://git-wip-us.apache.org/repos/asf/knox/blob/bb467b8c/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/AbstractJWTFilterTest.java
--
diff --git 
a/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/AbstractJWTFilterTest.java
 
b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/AbstractJWTFilterTest.java
index b261081..54c596b 100644
--- 
a/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/AbstractJWTFilterTest.java
+++ 
b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/AbstractJWTFilterTest.java
@@ -505,7 +505,7 @@ public abstract class AbstractJWTFilterTest  {
   handler.init(new TestFilterConfig(props));
 
   SignedJWT jwt = getJWT(AbstractJWTFilter.JWT_DEFAULT_ISSUER, "alice", 
new Date(new Date().getTime() + 5000),
- privateKey, JWSAlgorithm.RS512.getName());
+ new Date(), privateKey, 
JWSAlgorithm.RS512.getName());