KNOX-2969 - KnoxSSO Cookies should be ignored while calculating token…
… limit per user (#805)
smolnar82 authored Oct 18, 2023
1 parent 01a422e commit eef24f4
Showing 2 changed files with 31 additions and 6 deletions.
Expand Up @@ -33,6 +33,7 @@
import java.util.Map;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
Expand Down Expand Up @@ -821,7 +822,13 @@ private Response getAuthenticationToken() {

if (tokenStateService != null) {
if (tokenLimitPerUser != -1) { // if -1 => unlimited tokens for all users
final Collection<KnoxToken> userTokens = tokenStateService.getTokens(userName);
final Collection<KnoxToken> allUserTokens = tokenStateService.getTokens(userName);
final Collection<KnoxToken> userTokens = new LinkedList<>();
allUserTokens.stream().forEach(token -> {
if(!token.getMetadata().isKnoxSsoCookie()) {
userTokens.add(token);
}
});
if (userTokens.size() >= tokenLimitPerUser) {
log.tokenLimitExceeded(userName);
if (UserLimitExceededAction.RETURN_ERROR == userLimitExceededAction) {
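Review bot: The new filter calls `token.getMetadata().isKnoxSsoCookie()` without a null check, so if `getTokens(userName)` can return a token whose metadata is missing, the lambda throws and that user can no longer obtain any token. Whether metadata can be null is not visible here, but a guard that keeps such tokens in the count fails closed: `if (token.getMetadata() == null || !token.getMetadata().isKnoxSsoCookie()) {`. Because the per-user limit now depends on this flag, it is worth confirming that only the KnoxSSO cookie issuance path can set it; otherwise flagged tokens would sit outside the limit. `getAuthenticationToken()` starts and ends outside the hunk, so the branch that consumes `userTokens` after the limit check is not reviewed here.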
Expand Up @@ -1102,16 +1102,34 @@ private void testLimitingTokensPerUser(int configuredLimit, int numberOfTokens,
tr.context = context;
tr.init();

// add some KnoxSSO Cookie, they should not be considered during token limit
// calculation
final int numberOfKnoxSsoCookies = 5;
for (int i = 0; i < numberOfKnoxSsoCookies; i++) {
final Response tokenResponse = acquireToken(tr);

final String tokenId = getTagValue(tokenResponse.getEntity().toString(), "token_id");
assertNotNull(tokenId);
final TokenMetadata tokenMetadata = new TokenMetadata(USER_NAME);
tokenMetadata.setKnoxSsoCookie(true);
tss.addMetadata(tokenId, tokenMetadata);
}

for (int i = 0; i < numberOfTokens; i++) {
final Response getTokenResponse = Subject.doAs(createTestSubject(USER_NAME), (PrivilegedAction<Response>) () -> tr.doGet());
if (getTokenResponse.getStatus() != Response.Status.OK.getStatusCode()) {
throw new Exception(getTokenResponse.getEntity().toString());
}
acquireToken(tr);
}
final Response getKnoxTokensResponse = getUserTokensResponse(tr);
final Collection<String> tokens = ((Map<String, Collection<String>>) JsonUtils.getObjectFromJsonString(getKnoxTokensResponse.getEntity().toString()))
.get("tokens");
assertEquals(tokens.size(), revokeOldestToken ? configuredLimit : numberOfTokens);
assertEquals(tokens.size(), revokeOldestToken ? configuredLimit + numberOfKnoxSsoCookies : numberOfTokens + numberOfKnoxSsoCookies);
}

private Response acquireToken(TokenResource tokenResource) throws Exception {
final Response getTokenResponse = Subject.doAs(createTestSubject(USER_NAME), (PrivilegedAction<Response>) () -> tokenResource.doGet());
if (getTokenResponse.getStatus() != Response.Status.OK.getStatusCode()) {
throw new Exception(getTokenResponse.getEntity().toString());
}
return getTokenResponse;
}

@Test
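Review bot: The final assertion checks only the total number of tokens, so in the revoke-oldest case it would still pass if a KnoxSSO-flagged token were revoked in place of an ordinary one, because the count comes out the same. Keeping the `tokenId` values collected in the first loop and asserting after the second loop that each of them is still present would pin the behaviour this commit is about. The arguments also appear to be in (actual, expected) order; if this is JUnit's `assertEquals(expected, actual)`, a failure message will report them reversed, so `tokens.size()` should go second. `testLimitingTokensPerUser` begins outside the hunk.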
