lmccay commented on code in PR #900:
URL: https://github.com/apache/knox/pull/900#discussion_r1564244621
##########
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java:
##########
@@ -853,105 +917,148 @@ private Response getAuthenticationToken() {
if (userTokens.size() >= tokenLimitPerUser) {
log.tokenLimitExceeded(userName);
if (UserLimitExceededAction.RETURN_ERROR == userLimitExceededAction)
{
- return Response.status(Response.Status.FORBIDDEN).entity("{
\"Unable to get token - token limit exceeded.\" }").build();
+ response = Response.status(Response.Status.FORBIDDEN).entity("{
\"Unable to get token - token limit exceeded.\" }").build();
} else {
// userTokens is an ordered collection (by issue time) -> the
first element is the oldest one
final String oldestTokenId =
userTokens.iterator().next().getTokenId();
log.generalInfoMessage(String.format(Locale.getDefault(),
"Revoking %s's oldest token %s ...", userName,
Tokens.getTokenIDDisplayText(oldestTokenId)));
final Response revocationResponse = revoke(oldestTokenId);
if (Response.Status.OK.getStatusCode() !=
revocationResponse.getStatus()) {
- return
Response.status(Response.Status.fromStatusCode(revocationResponse.getStatus()))
+ response =
Response.status(Response.Status.fromStatusCode(revocationResponse.getStatus()))
.entity("{\n \"error\": \"An error occurred during the
oldest token revocation of " + userName + " \"\n}\n").build();
}
}
}
}
}
+ return response;
+ }
- try {
- final boolean managedToken = tokenStateService != null;
- JWT token;
- JWTokenAttributes jwtAttributes;
- final JWTokenAttributesBuilder jwtAttributesBuilder = new
JWTokenAttributesBuilder();
- jwtAttributesBuilder
- .setIssuer(tokenIssuer)
- .setUserName(userName)
- .setAlgorithm(signatureAlgorithm)
- .setExpires(expires)
- .setManaged(managedToken)
- .setJku(jku)
- .setType(tokenType);
- if (!targetAudiences.isEmpty()) {
- jwtAttributesBuilder.setAudiences(targetAudiences);
+ protected void setupPublicCertPEM() {
+ GatewayServices services = getGatewayServices();
+ if (endpointPublicCert == null) {
+ // acquire PEM for gateway identity of this gateway instance
+ KeystoreService ks = services.getService(ServiceType.KEYSTORE_SERVICE);
+ if (ks != null) {
+ try {
+ Certificate cert = ks.getCertificateForGateway();
+ byte[] bytes = cert.getEncoded();
+ endpointPublicCert = Base64.encodeBase64String(bytes);
+ } catch (KeyStoreException | KeystoreServiceException |
CertificateEncodingException e) {
+ // assuming that certs will be properly provisioned across all
clients
+ log.unableToAcquireCertForEndpointClients(e);
+ }
}
- if (shouldIncludeGroups()) {
- if (includeGroupsInTokenAllowed) {
- jwtAttributesBuilder.setGroups(groups());
- } else {
- return Response
- .status(Response.Status.BAD_REQUEST)
- .entity("{\n \"error\": \"Including group information in
tokens is disabled\"\n}\n")
- .build();
+ }
+ }
+
+ protected Response enforceClientCertIfRequired() {
+ Response response = null;
+ if (clientCertRequired) {
+ X509Certificate cert = extractCertificate(request);
+ if (cert != null) {
+ if
(!allowedDNs.contains(cert.getSubjectDN().getName().replaceAll("\\s+", ""))) {
+ response = Response.status(Response.Status.FORBIDDEN)
+ .entity("{ \"Unable to get token - untrusted client
cert.\" }")
+ .build();
}
+ } else {
+ response = Response.status(Response.Status.FORBIDDEN)
+ .entity("{ \"Unable to get token - client cert
required.\" }")
+ .build();
}
+ }
+ return response;
+ }
- jwtAttributes = jwtAttributesBuilder.build();
- token = ts.issueToken(jwtAttributes);
+ protected void persistTokenDetails(ResponseMap result, long expires, String
userName, String createdBy) {
+ // Optional token store service persistence
+ if (tokenStateService != null) {
+ final long issueTime = System.currentTimeMillis();
+ tokenStateService.addToken(result.tokenId,
+ issueTime,
+ expires,
+
maxTokenLifetime.orElse(tokenStateService.getDefaultMaxLifetimeDuration()));
+ final String comment = request.getParameter(COMMENT);
+ final TokenMetadata tokenMetadata = new TokenMetadata(userName,
StringUtils.isBlank(comment) ? null : comment);
+ tokenMetadata.setPasscode(tokenMAC.hash(result.tokenId, issueTime,
userName, result.passcode));
+ addArbitraryTokenMetadata(tokenMetadata);
+ if (createdBy != null) {
+ tokenMetadata.setCreatedBy(createdBy);
+ }
+ tokenStateService.addMetadata(result.tokenId, tokenMetadata);
+ log.storedToken(getTopologyName(),
Tokens.getTokenDisplayText(result.accessToken),
Tokens.getTokenIDDisplayText(result.tokenId));
+ }
+ }
- if (token != null) {
- String accessToken = token.toString();
- String tokenId = TokenUtils.getTokenId(token);
- log.issuedToken(getTopologyName(),
Tokens.getTokenDisplayText(accessToken), Tokens.getTokenIDDisplayText(tokenId));
-
- final HashMap<String, Object> map = new HashMap<>();
- map.put(ACCESS_TOKEN, accessToken);
- map.put(TOKEN_ID, tokenId);
- map.put(MANAGED_TOKEN, String.valueOf(managedToken));
- map.put(TOKEN_TYPE, BEARER);
- map.put(EXPIRES_IN, expires);
- if (tokenTargetUrl != null) {
- map.put(TARGET_URL, tokenTargetUrl);
- }
- if (tokenClientDataMap != null) {
- map.putAll(tokenClientDataMap);
- }
- if (endpointPublicCert != null) {
- map.put(ENDPOINT_PUBLIC_CERT, endpointPublicCert);
- }
+ protected ResponseMap buildResponseMap(JWT token, long expires) {
+ String accessToken = token.toString();
+ String tokenId = TokenUtils.getTokenId(token);
+ final boolean managedToken = tokenStateService != null;
+
+ log.issuedToken(getTopologyName(),
Tokens.getTokenDisplayText(accessToken), Tokens.getTokenIDDisplayText(tokenId));
+
+ final HashMap<String, Object> map = new HashMap<>();
Review Comment:
Missed that one. The intellij refactoring seems to have done that in a few
places. PMD caught two or three others which I already changed. I'll do this
one too.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
