KNOX-2207 - TokenStateService revocation should remove persisted token state (#252)
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
index b5b1010..6d29cae 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
@@ -104,17 +104,12 @@
@Override
public void revokeToken(final String token) {
- // Record the revocation by setting the expiration to -1
- updateExpiration(token, -1L);
+ /* no reason to keep revoked tokens around */
+ removeToken(token);
log.revokedToken(getTokenDisplayText(token));
}
@Override
- protected boolean isRevoked(final String token) {
- return (getTokenExpiration(token) < 0);
- }
-
- @Override
protected boolean isUnknown(final String token) {
boolean isUnknown = false;
try {
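Review bot: `log.revokedToken(getTokenDisplayText(token))` still runs unconditionally after `removeToken(token)`, but the `removeToken` added in the next hunk of this file catches `AliasServiceException` and only logs it, so a revocation whose alias removal failed produces a "revoked" log entry while the persisted token state, and with it the token's usability, is untouched. Consider letting `removeToken` surface the failure (an unchecked exception, or a boolean result) so that `revokeToken` logs success only when state was actually removed. With `isRevoked` deleted here, a revoked token is from now on indistinguishable from one that was never issued, which is worth a sentence in the class Javadoc; `isUnknown`'s body continues past the end of this hunk.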
@@ -126,6 +121,19 @@
}
@Override
+ protected void removeToken(final String token) {
+ validateToken(token);
+
+ try {
+ aliasService.removeAliasForCluster(AliasService.NO_CLUSTER_NAME, token);
+ aliasService.removeAliasForCluster(AliasService.NO_CLUSTER_NAME,token + "--max");
+ } catch (AliasServiceException e) {
+ log.failedToUpdateTokenExpiration(e);
+ }
+
+ }
+
+ @Override
protected void updateExpiration(final String token, long expiration) {
if (isUnknown(token)) {
log.unknownToken(getTokenDisplayText(token));
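Review bot: Both alias removals sit in one `try`, so if removing `token` throws, the `token + "--max"` alias is never attempted and is left behind as an orphaned credential; the `catch` also reuses `log.failedToUpdateTokenExpiration(e)`, which misdescribes a removal as an expiration update. Removing each alias in its own `try` keeps one failure from skipping the other, as sketched below. The override does not call `super.removeToken(token)`; if this subclass also populates the in-memory maps that `DefaultTokenStateService.removeToken` clears, those entries would survive revocation — worth confirming. Minor style: a missing space after the comma in `removeAliasForCluster(AliasService.NO_CLUSTER_NAME,token + "--max")` and a stray blank line before the closing brace.
```java
protected void removeToken(final String token) {
  validateToken(token);

  // Remove each alias independently so a failure on one does not leave the other behind
  try {
    aliasService.removeAliasForCluster(AliasService.NO_CLUSTER_NAME, token);
  } catch (AliasServiceException e) {
    log.failedToUpdateTokenExpiration(e); // TODO: use a removal-specific log message
  }
  try {
    aliasService.removeAliasForCluster(AliasService.NO_CLUSTER_NAME, token + "--max");
  } catch (AliasServiceException e) {
    log.failedToUpdateTokenExpiration(e); // TODO: use a removal-specific log message
  }
}
```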
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
index 77ab5a4..e158154 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
@@ -23,10 +23,8 @@
import org.apache.knox.gateway.services.security.token.impl.JWTToken;
import java.util.HashMap;
-import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
-import java.util.Set;
/**
* In-Memory authentication token state management implementation.
@@ -43,8 +41,6 @@
private final Map<String, Long> tokenExpirations = new HashMap<>();
- private final Set<String> revokedTokens = new HashSet<>();
-
private final Map<String, Long> maxTokenLifetimes = new HashMap<>();
@@ -159,8 +155,8 @@
@Override
public void revokeToken(final String token) {
- validateToken(token);
- revokedTokens.add(token);
+ /* no reason to keep revoked tokens around */
+ removeToken(token);
log.revokedToken(getTokenDisplayText(token));
}
@@ -172,13 +168,11 @@
@Override
public boolean isExpired(final String token) {
boolean isExpired;
-
- isExpired = isRevoked(token); // Check if it has been revoked first
+ isExpired = isUnknown(token); // Check if the token exist
if (!isExpired) {
- // If it has not been revoked, check its expiration
+ // If it not unknown, check its expiration
isExpired = (getTokenExpiration(token) <= System.currentTimeMillis());
}
-
return isExpired;
}
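Review bot: The two new comments in `isExpired` have grammar slips that obscure the changed meaning: `// Check if the token exist` should read `// Check whether the token exists`, and `// If it not unknown, check its expiration` should read `// If the token is known, check its expiration`. Since an unknown token now reports as expired, and revocation in this commit makes tokens unknown, the method's Javadoc (outside this hunk) should state that unknown and revoked tokens are treated as expired, if it does not already.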
@@ -208,6 +202,16 @@
}
}
+ protected void removeToken(final String token) {
+ validateToken(token);
+ synchronized (tokenExpirations) {
+ tokenExpirations.remove(token);
+ }
+ synchronized (maxTokenLifetimes) {
+ maxTokenLifetimes.remove(token);
+ }
+ }
+
protected boolean hasRemainingRenewals(final String token, long renewInterval) {
// Is the current time + 30-second buffer + the renewal interval is less than the max lifetime for the token?
return ((System.currentTimeMillis() + 30000 + renewInterval) < getMaxLifetime(token));
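Review bot: The new `protected void removeToken(final String token)` is an extension point overridden in `AliasBasedTokenStateService` but has no Javadoc; a header such as `/** Discards every record held for {@code token}, so that the service no longer knows it. Subclasses that persist token state elsewhere must override this. */` would tell implementors what the contract is. The two maps are cleared under separate locks, so a concurrent reader could briefly see the expiration gone while the max lifetime is still present; that looks harmless given expiration is checked first, but it is worth confirming. If `validateToken(token)` rejects unknown tokens the way the variant at the bottom of this diff does, revoking an already-revoked token will now throw `IllegalArgumentException` rather than being idempotent, which callers of `revokeToken` may not expect.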
@@ -221,10 +225,6 @@
return result;
}
- protected boolean isRevoked(final String token) {
- return revokedTokens.contains(token);
- }
-
protected boolean isValidIdentifier(final String token) {
return token != null && !token.isEmpty();
}
@@ -258,11 +258,6 @@
log.unknownToken(getTokenDisplayText(token));
throw new IllegalArgumentException("Unknown token");
}
-
- // Then, make sure it has not been revoked
- if (includeRevocation && isRevoked(token)) {
- throw new IllegalArgumentException("The specified token has been revoked");
- }
}
protected String getTokenDisplayText(final String token) {