KNOX-3018 - Tokens that never expire should not be evicted automatica…
…lly and their expiration should be displayed properly
smolnar82 committed Mar 11, 2024
1 parent c594fe7 commit 1459964
Showing 6 changed files with 15 additions and 10 deletions.
Expand Up @@ -392,9 +392,10 @@ protected Set<String> getExpiredTokens() {
* @return true, if the associated token state can be evicted; Otherwise, false.
*/
protected boolean needsEviction(final String tokenId) throws UnknownTokenException {
final long tokenExpiration = getTokenExpiration(tokenId, false);
// If the expiration time(+ grace period) has already passed, it should be considered expired
long expirationWithGrace = getTokenExpiration(tokenId, false) + TimeUnit.SECONDS.toMillis(tokenEvictionGracePeriod);
return (expirationWithGrace <= System.currentTimeMillis());
long expirationWithGrace = tokenExpiration + TimeUnit.SECONDS.toMillis(tokenEvictionGracePeriod);
return tokenExpiration > 0 && (expirationWithGrace <= System.currentTimeMillis());
}

/**
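Review bot: The never-expires check in `needsEviction` is `tokenExpiration > 0`, while the display code in this same commit (`getExpiration`, `formatDateTime`, `isTokenExpired`) treats only `< 0` as never expiring, so a token stored with expiration 0 would be kept forever by eviction yet shown as expired. The same `expiration > 0` condition appears in `GET_EXPIRED_TOKENS_SQL` and `REMOVE_EXPIRED_TOKENS_SQL`. Whether 0 can actually be stored is not visible here; if -1 is the only intended marker, `return tokenExpiration >= 0 && (expirationWithGrace <= System.currentTimeMillis());` and `expiration >= 0` in the two queries would make all the checks agree. The inline comment should also state that a negative expiration marks a token that never expires and is deliberately skipped, since such tokens presumably now leave the store only through explicit revocation.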
Expand Up @@ -43,8 +43,8 @@ public class TokenStateDatabase {
static final String TOKEN_METADATA_TABLE_NAME = "KNOX_TOKEN_METADATA";
private static final String ADD_TOKEN_SQL = "INSERT INTO " + TOKENS_TABLE_NAME + "(token_id, issue_time, expiration, max_lifetime) VALUES(?, ?, ?, ?)";
private static final String REMOVE_TOKEN_SQL = "DELETE FROM " + TOKENS_TABLE_NAME + " WHERE token_id = ?";
private static final String GET_EXPIRED_TOKENS_SQL = "SELECT token_id FROM " + TOKENS_TABLE_NAME + " WHERE expiration < ?";
private static final String REMOVE_EXPIRED_TOKENS_SQL = "DELETE FROM " + TOKENS_TABLE_NAME + " WHERE expiration < ?";
private static final String GET_EXPIRED_TOKENS_SQL = "SELECT token_id FROM " + TOKENS_TABLE_NAME + " WHERE expiration < ? AND expiration > 0";
private static final String REMOVE_EXPIRED_TOKENS_SQL = "DELETE FROM " + TOKENS_TABLE_NAME + " WHERE expiration < ? AND expiration > 0";
static final String GET_TOKEN_ISSUE_TIME_SQL = "SELECT issue_time FROM " + TOKENS_TABLE_NAME + " WHERE token_id = ?";
static final String GET_TOKEN_EXPIRATION_SQL = "SELECT expiration FROM " + TOKENS_TABLE_NAME + " WHERE token_id = ?";
private static final String UPDATE_TOKEN_EXPIRATION_SQL = "UPDATE " + TOKENS_TABLE_NAME + " SET expiration = ? WHERE token_id = ?";
Expand Up @@ -260,9 +260,13 @@ public void testEvictExpiredTokens() throws Exception {
final String tokenId = UUID.randomUUID().toString();
jdbcTokenStateService.addToken(tokenId, 1, 1, 1);
}
assertEquals(tokenCount, getLongTokenAttributeFromDatabase(null, GET_TOKENS_COUNT_SQL));

//add another token that never expires
jdbcTokenStateService.addToken(UUID.randomUUID().toString(), 1, -1, 1);

assertEquals(tokenCount + 1, getLongTokenAttributeFromDatabase(null, GET_TOKENS_COUNT_SQL));
jdbcTokenStateService.evictExpiredTokens();
assertEquals(0, getLongTokenAttributeFromDatabase(null, GET_TOKENS_COUNT_SQL));
assertEquals(1, getLongTokenAttributeFromDatabase(null, GET_TOKENS_COUNT_SQL)); //the one that never expires should remain
}

private long getLongTokenAttributeFromDatabase(String tokenId, String sql) throws SQLException {
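Review bot: The final assertion checks only that one row is left, not which one, so it would still pass if eviction dropped the never-expiring token and left an expired one behind. Keeping the id in a local (`final String neverExpiringTokenId = UUID.randomUUID().toString();`) and adding `assertEquals(-1, getLongTokenAttributeFromDatabase(neverExpiringTokenId, GET_TOKEN_EXPIRATION_SQL));` after the eviction call would pin the identity. This assumes `GET_TOKEN_EXPIRATION_SQL` is in scope in the test the way `GET_TOKENS_COUNT_SQL` appears to be, and that the helper binds a non-null tokenId; its body is not shown. A token with expiration 0 is also retained by the new `expiration > 0` filter and has no test. The start of `testEvictExpiredTokens` is outside the hunk.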
Expand Up @@ -60,7 +60,7 @@ public long getIssueTimeLong() {
}

public String getExpiration() {
return KNOX_TOKEN_TS_FORMAT.get().format(new Date(expiration));
return expiration < 0 ? "Never" : KNOX_TOKEN_TS_FORMAT.get().format(new Date(expiration));
}

public long getExpirationLong() {
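Review bot: `getExpiration()` now returns the literal `"Never"` from a getter that otherwise always yields a `KNOX_TOKEN_TS_FORMAT` timestamp, and nothing documents the new value. Any caller that parses the string back into a date would fail on it (no such caller is visible in this hunk), so the getter should carry a Javadoc such as `/** Formatted expiration time, or "Never" when the stored expiration is negative; use getExpirationLong() for the raw value. */`. Hoisting the literal into a named constant would also make it easier to keep in step with the UI labels.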
Expand Up @@ -113,7 +113,7 @@ export class TokenGenService {
accessToken: tokenData.access_token,
user: jwtJson.sub,
accessPasscode: tokenData.passcode,
expiry: new Date(tokenData.expires_in).toLocaleString(),
expiry: tokenData.expires_in < 0 ? 'Never expires' : new Date(tokenData.expires_in).toLocaleString(),
homepageURL: this.baseURL + tokenData.homepage_url,
targetURL: window.location.protocol + '//' + window.location.host + this.baseURL + tokenData.target_url
};
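Review bot: The label here is `'Never expires'`, while `formatDateTime` in the token management component and the Java `getExpiration()` both use `'Never'` for the same condition. One shared wording would be better, for example `expiry: tokenData.expires_in < 0 ? 'Never' : new Date(tokenData.expires_in).toLocaleString(),`, ideally taken from a single exported constant. The enclosing object literal starts outside the hunk.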
Expand Up @@ -196,11 +196,11 @@ export class TokenManagementComponent implements OnInit {
}

formatDateTime(dateTime: number) {
return new Date(dateTime).toLocaleString();
return dateTime < 0 ? 'Never' : new Date(dateTime).toLocaleString();
}

isTokenExpired(expiration: number): boolean {
return Date.now() > expiration;
return expiration < 0 ? false : Date.now() > expiration;
}

getExpirationColor(expiration: number): string {
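Review bot: `formatDateTime` is a general date formatter, so returning `'Never'` for every negative input also affects any non-expiration timestamp passed to it (its other call sites are not visible here). A doc comment stating that negative values are the never-expires marker would make that contract explicit. In `isTokenExpired` the ternary can be written as `return expiration >= 0 && Date.now() > expiration;`. `getExpirationColor` continues outside the hunk, so whether it handles negative expirations on its own cannot be checked here.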