
KNOX-3019 - Allow token renewal without upper bound for non-expired tokens #880

Merged: 1 commit from KNOX-3019 into apache:master on Mar 13, 2024

Conversation

smolnar82
Contributor

What changes were proposed in this pull request?

Implemented what's described in KNOX-3019:

  • if knox.token.exp.max-lifetime is set to a negative value, tokens can be renewed without a maximum lifetime check
  • only non-expired tokens can be renewed

How was this patch tested?

Updated current and added new JUnit tests.

Conducted manual testing. In both test rounds, the token TTL was set to 60 seconds and the token renewal interval to 30 seconds.

1. Maximum lifetime set to 120 seconds

<param>
  <name>knox.token.exp.max-lifetime</name>
  <value>120000</value>
</param>
<param>
  <name>knox.token.exp.renew-interval</name>
  <value>30000</value>
</param>
curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 09:48:02 GMT
...

{"access_token":"eyJqa3UiOiJo...cd3baa","managed":"true",...}
curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 09:48:17 GMT
...

{"tokens":[{"tokenId":"896fa357-2db4-42ec-b70a-8a63fecd3baa","issueTime":"2024-03-13T10:48:03.574+0100","expiration":"2024-03-13T10:49:03.445+0100","maxLifetime":"2024-03-13T10:50:03.574+0100","metadata":{"knoxSsoCookie":false,"customMetadataMap":{},"lastUsedAt":null,"createdBy":null,"enabled":true,"userName":"admin","comment":null},"issueTimeLong":1710323283574,"expirationLong":1710323343445,"maxLifetimeLong":1710323403574}]}
export KNOX_TOKEN="eyJqa3UiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2dhdGV3YXlcL3NhbmRib3hcL2tub3h0b2tlblwvYXBpXC92Mlwvandrcy5qc29uIiwia2lkIjoiaEZLVjIwMFRvUlpvZ3h2STZGVnZrODgxY3dsbzhUZHV2NlV4OTZZbmVhRSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZG1pbiIsImprdSI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6ODQ0M1wvZ2F0ZXdheVwvc2FuZGJveFwva25veHRva2VuXC9hcGlcL3YyXC9qd2tzLmpzb24iLCJraWQiOiJoRktWMjAwVG9SWm9neHZJNkZWdms4ODFjd2xvOFRkdXY2VXg5NlluZWFFIiwiaXNzIjoiS05PWFNTTyIsImV4cCI6MTcxMDMyMzM0MywibWFuYWdlZC50b2tlbiI6InRydWUiLCJrbm94LmlkIjoiODk2ZmEzNTctMmRiNC00MmVjLWI3MGEtOGE2M2ZlY2QzYmFhIn0.B83Nk8tdo_rsOWTJNHjYqYTkJ89vCaTqb1ICc_4stNl-lI2qd7WHA6vJ_5r-8VJ3m-DnnM4eYobiiCM7cYcX8pOdTcKKJtdxf71qTjHaAcLLEfsZrPTNqjRaOyyXYSMc4FhAHgZST_tzalqCZlRkEXmjb8ujKiSy4mjKsTp0kBr-YuzX7pFXYmTm-MHhJMtsgUkRMUJJ1U_f8idX1ey75JKiQHpo6pq3f05hdUxE0Sf3cIgdu26i61Fz2LP4HiLdyEC2D8AsgshG0gcJ3iO9219G5JE7L7wBk2srmF5FSifw5r6ame9mbPC6jf38ILnAjH98ZxtsvLVlyKoPg1VN5w"
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 09:48:35 GMT
...

{
  "renewed": "true",
  "expires": "1710323345043"
}
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
...

{"tokens":[{"tokenId":"896fa357-2db4-42ec-b70a-8a63fecd3baa","issueTime":"2024-03-13T10:48:03.574+0100","expiration":"2024-03-13T10:49:05.043+0100","maxLifetime":"2024-03-13T10:50:03.574+0100","metadata":{"knoxSsoCookie":false,"customMetadataMap":{},"lastUsedAt":null,"createdBy":null,"enabled":true,"userName":"admin","comment":null},"issueTimeLong":1710323283574,"expirationLong":1710323345043,"maxLifetimeLong":1710323403574}]}
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 09:49:02 GMT
...

{
  "renewed": "true",
  "expires": "1710323372533"
}
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 400 Bad Request
Date: Wed, 13 Mar 2024 09:49:15 GMT
...

{
  "renewed": "false",
  "error": "The renewal limit for the token has been exceeded",
  "code": 30
}
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 09:49:35 GMT
...

{"tokens":[{"tokenId":"896fa357-2db4-42ec-b70a-8a63fecd3baa","issueTime":"2024-03-13T10:48:03.574+0100","expiration":"2024-03-13T10:49:32.533+0100","maxLifetime":"2024-03-13T10:50:03.574+0100","metadata":{"knoxSsoCookie":false,"customMetadataMap":{},"lastUsedAt":null,"createdBy":null,"enabled":true,"userName":"admin","comment":null},"issueTimeLong":1710323283574,"expirationLong":1710323372533,"maxLifetimeLong":1710323403574}]}

As you can see, if a maximum lifetime is configured, tokens cannot be renewed after they reach that time (minus a hard-coded 30-second buffer).

2. Maximum lifetime set to -1

<param>
  <name>knox.token.exp.max-lifetime</name>
  <value>-1</value>
</param>
<param>
  <name>knox.token.exp.renew-interval</name>
  <value>30000</value>
</param>
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:09:39 GMT
...

{"access_token":"eyJqa3UiOiJodH...-rp3MD-O0g","token_id":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","managed":"true",...}
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:09:50 GMT
...

{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:10:39.105+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324639105,"maxLifetimeLong":-1}]}
export KNOX_TOKEN="eyJqa3UiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2dhdGV3YXlcL3NhbmRib3hcL2tub3h0b2tlblwvYXBpXC92Mlwvandrcy5qc29uIiwia2lkIjoieUlFRFVtaEI3M2hxaG9vNmQ2LVRFMEtCTzVGNFYydzV6WU40MjZoMEZIbyIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZG1pbiIsImprdSI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6ODQ0M1wvZ2F0ZXdheVwvc2FuZGJveFwva25veHRva2VuXC9hcGlcL3YyXC9qd2tzLmpzb24iLCJraWQiOiJ5SUVEVW1oQjczaHFob282ZDYtVEUwS0JPNUY0VjJ3NXpZTjQyNmgwRkhvIiwiaXNzIjoiS05PWFNTTyIsImV4cCI6MTcxMDMyNDYzOSwibWFuYWdlZC50b2tlbiI6InRydWUiLCJrbm94LmlkIjoiMTlmMDA3NWUtOTNlZC00ZGJjLWEyZTYtZWU2YTgzMWQwMjVlIn0.CBiaq_8Z08zNKFgqMCdtbgJkwTBEzVoa73V1M6CisDKVnQwMv-PjnlMMHtikQshoBjH5vZqsPyOYw4YJRPGPli0oBoG06cBGxVEuJGrTUogr1Jhb9F5k6vjnPAuTWZHbJKw47kI9lr-7YHqfMAginFXEhT4WgEnHT_vUgDJBlP5ljZe6_mgKn91AE1U_Jf3QdTKCd2ZMO-ptpRbEbvc4hqcdMagb7Qc_gx6peetteFqJdGGN5ErqDHAuWHNbwod7wHg2P0iZw6CuDdZoRyuwiHSKTV0Y0GtH3azA7Uv3W97xCer28cq4Kp3fKMDUUUzW-77QpWzqbPpY-rp3MD-O0g"
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:10:14 GMT
...

{
  "renewed": "true",
  "expires": "1710324644107"
}
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:10:19 GMT
...

{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:10:44.107+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324644107,"maxLifetimeLong":-1}]}
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:10:28 GMT
...

{
  "renewed": "true",
  "expires": "1710324658434"
}
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:10:32 GMT
...

{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:10:58.434+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324658434,"maxLifetimeLong":-1}]}
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:10:41 GMT
...

{
  "renewed": "true",
  "expires": "1710324671849"
}
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:10:49 GMT
...

{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:11:11.849+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324671849,"maxLifetimeLong":-1}]}
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:10:55 GMT
...

{
  "renewed": "true",
  "expires": "1710324685194"
}
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:11:02 GMT
...

{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:11:25.194+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324685194,"maxLifetimeLong":-1}]}
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:11:15 GMT
...

{
  "renewed": "true",
  "expires": "1710324705093"
}
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:11:17 GMT
...

{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:11:45.093+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324705093,"maxLifetimeLong":-1}]}
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:11:28 GMT
...

{
  "renewed": "true",
  "expires": "1710324718352"
}
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:11:31 GMT
...

{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:11:58.352+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324718352,"maxLifetimeLong":-1}]}
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:11:46 GMT
...

{
  "renewed": "true",
  "expires": "1710324736987"
}
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:11:50 GMT
...

{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:12:16.987+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324736987,"maxLifetimeLong":-1}]}
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:12:03 GMT
...

{
  "renewed": "true",
  "expires": "1710324753051"
}
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:12:06 GMT
...

{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:12:33.051+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324753051,"maxLifetimeLong":-1}]}
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:12:20 GMT
...

{
  "renewed": "true",
  "expires": "1710324770295"
}
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:12:23 GMT
...

{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:12:50.295+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324770295,"maxLifetimeLong":-1}]}
$ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
HTTP/1.1 400 Bad Request
Date: Wed, 13 Mar 2024 10:12:56 GMT
...

{
  "renewed": "false",
  "error": "Expired tokens must not be renewed.",
  "code": 90
}
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 10:13:02 GMT
...

{"tokens":[{"tokenId":"19f0075e-93ed-4dbc-a2e6-ee6a831d025e","issueTime":"2024-03-13T11:09:39.109+0100","expiration":"2024-03-13T11:12:50.295+0100","maxLifetime":"Unbounded","metadata":{"userName":"admin","enabled":true,"createdBy":null,"customMetadataMap":{},"knoxSsoCookie":false,"lastUsedAt":null,"comment":null},"issueTimeLong":1710324579109,"expirationLong":1710324770295,"maxLifetimeLong":-1}]}

As this test proves, setting the maximum lifetime allows token renewal operations as many times as one needs, as long as the token has not expired. The original token expiration was 2024-03-13T11:10:39, and I could extend that up until 2024-03-13T11:12:50 (more than 2 minutes) easily.
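
The following is an added example (Python), not code from the Apache Knox project or from this PR. It models the renewal decision the description and both manual test rounds illustrate, replays the timestamps from the transcript above against a copy of the server-side token record, and decodes the round-1 `$KNOX_TOKEN` to show that renewal moves `expirationLong` in the server-side record while the JWT the client keeps sending (and its `exp` claim) never changes. Several details are inferred from the transcript rather than taken from Knox source and are assumptions: that a renewal sets the new expiration to `now + renew-interval`, that the expiry check runs before the max-lifetime check, that the buffer comparison is exactly `new expiration + 30 000 ms > maxLifetimeLong`, and the third round-1 attempt time (only the second-resolution `Date` header is on the page). Error codes and messages are the ones shown in the 400 responses.

```python
"""Model of the Knox token-renewal decision described in KNOX-3019.

Added example, not Apache Knox code. Assumptions inferred from the PR
transcript (not from Knox source):
  * a renewal sets expiration = now + renew-interval,
  * the expiry check runs before the max-lifetime check,
  * with a bound, new expiration + 30 000 ms buffer must not exceed
    maxLifetimeLong; a negative maxLifetimeLong disables that check.
"""
import base64
import json

RENEW_BUFFER_MS = 30_000      # the "30-second hardcoded buffer" named in the PR text
RENEW_INTERVAL_MS = 30_000    # knox.token.exp.renew-interval used in both test rounds

ERR_LIMIT = (30, "The renewal limit for the token has been exceeded")
ERR_EXPIRED = (90, "Expired tokens must not be renewed.")


def evaluate_renewal(now_ms, expiration_ms, max_lifetime_ms, renew_interval_ms=RENEW_INTERVAL_MS):
    """Decide one renewal request; the dict mirrors the JSON of /token/renew responses."""
    if now_ms > expiration_ms:                      # only non-expired tokens can be renewed
        return {"renewed": False, "code": ERR_EXPIRED[0], "error": ERR_EXPIRED[1]}
    new_expiration = now_ms + renew_interval_ms
    if max_lifetime_ms >= 0 and new_expiration + RENEW_BUFFER_MS > max_lifetime_ms:
        return {"renewed": False, "code": ERR_LIMIT[0], "error": ERR_LIMIT[1]}
    return {"renewed": True, "expires": new_expiration}


def replay(record, attempts_ms):
    """Apply successive renewal attempts to a copy of a server-side token record.

    `record` uses the getUserTokens field names (expirationLong, maxLifetimeLong).
    Only the server-side record changes; the JWT the client PUTs stays the same.
    """
    state = dict(record)
    results = []
    for now_ms in attempts_ms:
        outcome = evaluate_renewal(now_ms, state["expirationLong"], state["maxLifetimeLong"])
        if outcome["renewed"]:
            state["expirationLong"] = outcome["expires"]
        results.append(outcome)
    return results, state


# Round 1 of the transcript: max-lifetime 120 000 ms, token 896fa357-... (values from the page;
# the third attempt time is assumed from the 09:49:15 GMT Date header).
BOUNDED_RECORD = {"expirationLong": 1710323343445, "maxLifetimeLong": 1710323403574}
BOUNDED_ATTEMPTS = [1710323315043, 1710323342533, 1710323355000]

# Round 2: max-lifetime -1 ("Unbounded"), token 19f0075e-...; the last attempt (10:12:56 GMT,
# assumed to the second) comes after the token expired.
UNBOUNDED_RECORD = {"expirationLong": 1710324639105, "maxLifetimeLong": -1}
UNBOUNDED_ATTEMPTS = [
    1710324614107, 1710324628434, 1710324641849, 1710324655194, 1710324675093,
    1710324688352, 1710324706987, 1710324723051, 1710324740295, 1710324776000,
]


def jwt_claims(token):
    """Read the payload of a compact JWS without verifying it (inspection only, never trust)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)            # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


# The round-1 access token exactly as exported on the page ($KNOX_TOKEN).
PAGE_TOKEN = (
    "eyJqa3UiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2dhdGV3YXlcL3NhbmRib3hcL2tub3h0b2tlblwvYXBpXC92Mlwvandrcy5qc29uIiwia2lkIjoiaEZLVjIwMFRvUlpvZ3h2STZGVnZrODgxY3dsbzhUZHV2NlV4OTZZbmVhRSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0"
    "."
    "eyJzdWIiOiJhZG1pbiIsImprdSI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6ODQ0M1wvZ2F0ZXdheVwvc2FuZGJveFwva25veHRva2VuXC9hcGlcL3YyXC9qd2tzLmpzb24iLCJraWQiOiJoRktWMjAwVG9SWm9neHZJNkZWdms4ODFjd2xvOFRkdXY2VXg5NlluZWFFIiwiaXNzIjoiS05PWFNTTyIsImV4cCI6MTcxMDMyMzM0MywibWFuYWdlZC50b2tlbiI6InRydWUiLCJrbm94LmlkIjoiODk2ZmEzNTctMmRiNC00MmVjLWI3MGEtOGE2M2ZlY2QzYmFhIn0"
    "."
    "B83Nk8tdo_rsOWTJNHjYqYTkJ89vCaTqb1ICc_4stNl-lI2qd7WHA6vJ_5r-8VJ3m-DnnM4eYobiiCM7cYcX8pOdTcKKJtdxf71qTjHaAcLLEfsZrPTNqjRaOyyXYSMc4FhAHgZST_tzalqCZlRkEXmjb8ujKiSy4mjKsTp0kBr-YuzX7pFXYmTm-MHhJMtsgUkRMUJJ1U_f8idX1ey75JKiQHpo6pq3f05hdUxE0Sf3cIgdu26i61Fz2LP4HiLdyEC2D8AsgshG0gcJ3iO9219G5JE7L7wBk2srmF5FSifw5r6ame9mbPC6jf38ILnAjH98ZxtsvLVlyKoPg1VN5w"
)


def claim_vs_record(token, record_after_renewals):
    """Compare the JWT's own exp claim with the server-side expiration after renewals."""
    claims = jwt_claims(token)
    claim_exp_ms = claims["exp"] * 1000               # exp is in whole seconds
    return {
        "knox_id": claims["knox.id"],
        "claim_exp_ms": claim_exp_ms,
        "record_exp_ms": record_after_renewals["expirationLong"],
        "claim_is_stale": claim_exp_ms < record_after_renewals["expirationLong"],
    }


if __name__ == "__main__":
    for name, rec, att in (("bounded", BOUNDED_RECORD, BOUNDED_ATTEMPTS),
                           ("unbounded", UNBOUNDED_RECORD, UNBOUNDED_ATTEMPTS)):
        results, final = replay(rec, att)
        print(name, [r.get("expires", r.get("code")) for r in results], final["expirationLong"])
    _, final = replay(BOUNDED_RECORD, BOUNDED_ATTEMPTS)
    print(claim_vs_record(PAGE_TOKEN, final))
```

Replaying the bounded round yields the two 200 responses and the code-30 rejection at 09:49:15 GMT, because 09:49:45 plus the 30-second buffer would pass the 10:50:03.574 (+0100) max lifetime; the unbounded round yields nine renewals and then the code-90 rejection once the attempt comes after the last server-side expiration. The `claim_vs_record` result is the practical caveat: after renewal the server-side record says 10:49:32.533 while the JWT's `exp` still says 10:49:03, so any verifier that checks only the signed `exp` claim, and not the token state Knox manages, will disagree with the gateway about whether a renewed token is still valid.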

@smolnar82 smolnar82 merged commit c098afa into apache:master Mar 13, 2024
2 checks passed
@smolnar82 smolnar82 deleted the KNOX-3019 branch March 13, 2024 12:18