KNOX-2207 - TokenStateService revocation should remove persisted token state (#252)


diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
index b5b1010..6d29cae 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/AliasBasedTokenStateService.java
@@ -104,17 +104,12 @@
 
   @Override
   public void revokeToken(final String token) {
-    // Record the revocation by setting the expiration to -1
-    updateExpiration(token, -1L);
+    /* no reason to keep revoked tokens around */
+    removeToken(token);
     log.revokedToken(getTokenDisplayText(token));
   }
 
   @Override
-  protected boolean isRevoked(final String token) {
-    return (getTokenExpiration(token) < 0);
-  }
-
-  @Override
   protected boolean isUnknown(final String token) {
     boolean isUnknown = false;
     try {
@@ -126,6 +121,19 @@
   }
 
   @Override
+  protected void removeToken(final String token) {
+    validateToken(token);
+
+    try {
+      aliasService.removeAliasForCluster(AliasService.NO_CLUSTER_NAME, token);
+      aliasService.removeAliasForCluster(AliasService.NO_CLUSTER_NAME,token + "--max");
+    } catch (AliasServiceException e) {
+      log.failedToUpdateTokenExpiration(e);
+    }
+
+  }
+
+  @Override
   protected void updateExpiration(final String token, long expiration) {
     if (isUnknown(token)) {
       log.unknownToken(getTokenDisplayText(token));
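Review bot: The catch block in removeToken swallows AliasServiceException, so revokeToken (in the previous hunk) still logs `revokedToken` when the alias was not removed, and the token presumably remains persisted and accepted. The failure is also reported through `failedToUpdateTokenExpiration`, which describes a different operation; a removal-specific log message would make a failed revocation visible to whoever monitors the gateway. Because both removeAliasForCluster calls share one try, a failure on the first skips removal of the `--max` alias; consider attempting each removal independently and letting the failure reach revokeToken so it does not report success. Minor: add the missing space after the comma in `AliasService.NO_CLUSTER_NAME,token + "--max"`.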
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
index 77ab5a4..e158154 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
@@ -23,10 +23,8 @@
 import org.apache.knox.gateway.services.security.token.impl.JWTToken;
 
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.Locale;
 import java.util.Map;
-import java.util.Set;
 
 /**
  * In-Memory authentication token state management implementation.
@@ -43,8 +41,6 @@
 
   private final Map<String, Long> tokenExpirations = new HashMap<>();
 
-  private final Set<String> revokedTokens = new HashSet<>();
-
   private final Map<String, Long> maxTokenLifetimes = new HashMap<>();
 
 
@@ -159,8 +155,8 @@
 
   @Override
   public void revokeToken(final String token) {
-    validateToken(token);
-    revokedTokens.add(token);
+    /* no reason to keep revoked tokens around */
+    removeToken(token);
     log.revokedToken(getTokenDisplayText(token));
   }
 
@@ -172,13 +168,11 @@
   @Override
   public boolean isExpired(final String token) {
     boolean isExpired;
-
-    isExpired = isRevoked(token); // Check if it has been revoked first
+    isExpired = isUnknown(token); // Check if the token exist
     if (!isExpired) {
-      // If it has not been revoked, check its expiration
+      // If it not unknown, check its expiration
       isExpired = (getTokenExpiration(token) <= System.currentTimeMillis());
     }
-
     return isExpired;
   }
 
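Review bot: In isExpired the `isUnknown(token)` check and the later `getTokenExpiration(token)` call are separate steps, while the new removeToken drops the entry under its own lock, so a concurrent revocation can land between them. getTokenExpiration is outside this hunk; if it validates the token or unboxes a missing map value, a token revoked at that moment would surface as an exception instead of `true`, so it is worth confirming and, if so, treating that failure as expired. The two new comments would also read better as `// Check that the token is known` and `// If it is known, check its expiration`.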
@@ -208,6 +202,16 @@
     }
   }
 
+  protected void removeToken(final String token) {
+    validateToken(token);
+    synchronized (tokenExpirations) {
+        tokenExpirations.remove(token);
+    }
+    synchronized (maxTokenLifetimes) {
+      maxTokenLifetimes.remove(token);
+    }
+  }
+
   protected boolean hasRemainingRenewals(final String token, long renewInterval) {
     // Is the current time + 30-second buffer + the renewal interval is less than the max lifetime for the token?
     return ((System.currentTimeMillis() + 30000 + renewInterval) < getMaxLifetime(token));
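Review bot: removeToken has no Javadoc, and its contract is not obvious from the signature: it calls validateToken first, which (judging by the `Unknown token` branch later in this file) presumably throws IllegalArgumentException for a token that was already removed, so a second revocation of the same token would fail rather than be a no-op. A short comment such as `/** Removes all in-memory state for the token; the token must be known. */` would state that for subclasses that override it. The two maps are also cleared under separate locks, so another thread can briefly see a token with no expiration but a max lifetime still recorded. Minor: `tokenExpirations.remove(token);` is indented two spaces deeper than the matching line in the second synchronized block.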
@@ -221,10 +225,6 @@
     return result;
   }
 
-  protected boolean isRevoked(final String token) {
-    return revokedTokens.contains(token);
-  }
-
   protected boolean isValidIdentifier(final String token) {
     return token != null && !token.isEmpty();
   }
@@ -258,11 +258,6 @@
       log.unknownToken(getTokenDisplayText(token));
       throw new IllegalArgumentException("Unknown token");
     }
-
-    // Then, make sure it has not been revoked
-    if (includeRevocation && isRevoked(token)) {
-      throw new IllegalArgumentException("The specified token has been revoked");
-    }
   }
 
   protected String getTokenDisplayText(final String token) {