KNOX-2215 - Token service should return a 403 response when the renewer is not white-listed (#251)
diff --git a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
index d6c93c1..10c62e0 100644
--- a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
+++ b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
@@ -215,7 +215,9 @@
Response resp;
long expiration = 0;
- String error = "";
+
+ String error = "";
+ Response.Status errorStatus = Response.Status.BAD_REQUEST;
if (tokenStateService == null) {
error = "Token renewal support is not configured";
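Review bot: The new default `Response.Status errorStatus = Response.Status.BAD_REQUEST` on L12 also governs the `tokenStateService == null` branch on L13-L14, which describes a server-side configuration state rather than anything the caller did wrong. A 4xx there tells a client to change its request when nothing it sends will help; `Response.Status.SERVICE_UNAVAILABLE` (or 501) in that branch would let clients and operators distinguish misconfiguration from a malformed renewal, so something like `errorStatus = Response.Status.SERVICE_UNAVAILABLE;` next to that assignment is worth considering. If existing callers depend on 400 for this case, a short comment on L12 saying so would at least record the choice. The enclosing renewal method starts before this hunk, so the token-handling branch that presumably sits between L14 and the next hunk is not visible here.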
@@ -230,6 +232,7 @@
error = e.getMessage();
}
} else {
+ errorStatus = Response.Status.FORBIDDEN;
error = "Caller (" + renewer + ") not authorized to renew tokens.";
}
}
@@ -240,7 +243,7 @@
.build();
} else {
log.badRenewalRequest(getTopologyName(), error);
- resp = Response.status(Response.Status.BAD_REQUEST)
+ resp = Response.status(errorStatus)
.entity("{\n \"renewed\": \"false\",\n \"error\": \"" + error + "\"\n}\n")
.build();
}
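Review bot: The `error` text is concatenated straight into the JSON body on L29 with no escaping, and the values it can hold come from `e.getMessage()` (L16) and from the caller's principal name via `renewer` (L20); a double quote or backslash in either yields a body that is not valid JSON, so a client parsing the new 403/400 responses may fail on exactly the error it is trying to read. Escape at least `\` and `"` before interpolation, e.g. `String safe = error.replace("\\", "\\\\").replace("\"", "\\\"");` followed by `.entity("{\n \"renewed\": \"false\",\n \"error\": \"" + safe + "\"\n}\n")`, or build the body with a JSON library if the module already has one on its classpath. Returning a raw exception message to the caller is also worth a second look, since it may expose internal detail that the log line on L26 already captures; a fixed client-facing message with the detail kept server-side would be the conservative choice. The method this hunk belongs to starts and ends outside the hunk.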
@@ -254,7 +257,8 @@
public Response revoke(String token) {
Response resp;
- String error = "";
+ String error = "";
+ Response.Status errorStatus = Response.Status.BAD_REQUEST;
if (tokenStateService == null) {
error = "Token revocation support is not configured";
@@ -267,6 +271,7 @@
error = e.getMessage();
}
} else {
+ errorStatus = Response.Status.FORBIDDEN;
error = "Caller (" + renewer + ") not authorized to revoke tokens.";
}
}
@@ -277,7 +282,7 @@
.build();
} else {
log.badRevocationRequest(getTopologyName(), error);
- resp = Response.status(Response.Status.BAD_REQUEST)
+ resp = Response.status(errorStatus)
.entity("{\n \"revoked\": \"false\",\n \"error\": \"" + error + "\"\n}\n")
.build();
}
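Review bot: The revocation error-response builder on L53-L55 is now a byte-for-byte copy of the renewal one except for the `"revoked"` key, and the change had to be applied twice (`resp = Response.status(errorStatus)` in both); a small private helper such as `private Response errorResponse(Response.Status status, String resultKey, String error)` that produces the `{ "<key>": "false", "error": "..." }` body would keep the two paths from drifting apart the next time one of them is touched. That helper would also be the single place to JSON-escape `error`, which on L54 is interpolated unescaped although it may carry `e.getMessage()` (L41) or the caller's principal name (L45). The enclosing `revoke` method begins in an earlier hunk and ends after this one.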
@@ -298,10 +303,14 @@
X509Certificate cert = extractCertificate(request);
if (cert != null) {
if (!allowedDNs.contains(cert.getSubjectDN().getName().replaceAll("\\s+", ""))) {
- return Response.status(403).entity("{ \"Unable to get token - untrusted client cert.\" }").build();
+ return Response.status(Response.Status.FORBIDDEN)
+ .entity("{ \"Unable to get token - untrusted client cert.\" }")
+ .build();
}
} else {
- return Response.status(403).entity("{ \"Unable to get token - client cert required.\" }").build();
+ return Response.status(Response.Status.FORBIDDEN)
+ .entity("{ \"Unable to get token - client cert required.\" }")
+ .build();
}
}
GatewayServices services = (GatewayServices) request.getServletContext()
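Review bot: The rejection bodies on L63 and L69 are not valid JSON: `{ "Unable to get token - untrusted client cert." }` is a bare string inside an object with no key, so a client that parses the 403 body will fail even though the refactor to `Response.Status.FORBIDDEN` is otherwise fine. An `"error"`-keyed body would match the shape the renew/revoke paths use, e.g. `.entity("{ \"error\": \"Unable to get token - untrusted client cert.\" }")`. Separately, the allow-list comparison on L60 relies on `cert.getSubjectDN().getName()` with all whitespace stripped; `getSubjectDN()` is marked denigrated in the JDK in favour of `getSubjectX500Principal()`, and stripping whitespace also collapses spaces inside attribute values, so two distinct DNs can compare equal once normalized — `cert.getSubjectX500Principal().getName(X500Principal.RFC2253)` compared against RFC 2253-formatted entries in `allowedDNs` would be a more robust canonical form, assuming the configured list can be migrated. The enclosing method and the definition of `allowedDNs` and `extractCertificate` lie outside this hunk.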
diff --git a/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java b/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
index bbe6fdd..9ccee4d 100644
--- a/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
+++ b/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
@@ -640,7 +640,7 @@
@Test
public void testTokenRenewal_Enabled_NoRenewersNoSubject() throws Exception {
Response renewalResponse = doTestTokenRenewal(true, null, null);
- validateRenewalResponse(renewalResponse, 400, false, "Caller (null) not authorized to renew tokens.");
+ validateRenewalResponse(renewalResponse, 403, false, "Caller (null) not authorized to renew tokens.");
}
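Review bot: Every updated expectation in this file moves a not-authorized case from 400 to 403, but nothing visible here pins the cases that are meant to stay 400 (token state service not configured, a renewal that throws) or asserts that an authorized renewer still gets a success response with the new `errorStatus` plumbing in place; if the rest of `TokenServiceResourceTest` does not already cover those, a test such as `validateRenewalResponse(doTestTokenRenewal(false, null, null), 400, false, "Token renewal support is not configured");` would guard the default branch the production change relies on. The `validateRenewalResponse` helper and `doTestTokenRenewal` are defined outside this hunk, so their exact signatures are inferred from the calls shown.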
@Test
@@ -648,7 +648,7 @@
final String caller = "yarn";
Response renewalResponse = doTestTokenRenewal(true, null, createTestSubject(caller));
validateRenewalResponse(renewalResponse,
- 400,
+ 403,
false,
"Caller (" + caller + ") not authorized to renew tokens.");
}
@@ -657,7 +657,7 @@
public void testTokenRenewal_Enabled_WithRenewersNoSubject() throws Exception {
Response renewalResponse = doTestTokenRenewal(true, "larry, moe, curly ", null);
validateRenewalResponse(renewalResponse,
- 400,
+ 403,
false,
"Caller (null) not authorized to renew tokens.");
}
@@ -667,7 +667,7 @@
final String caller = "shemp";
Response renewalResponse = doTestTokenRenewal(true, "larry, moe, curly ", createTestSubject(caller));
validateRenewalResponse(renewalResponse,
- 400,
+ 403,
false,
"Caller (" + caller + ") not authorized to renew tokens.");
}
@@ -736,7 +736,7 @@
public void testTokenRevocation_Enabled_NoRenewersNoSubject() throws Exception {
Response renewalResponse = doTestTokenRevocation(true, null, null);
validateRevocationResponse(renewalResponse,
- 400,
+ 403,
false,
"Caller (null) not authorized to revoke tokens.");
}
@@ -746,7 +746,7 @@
final String caller = "yarn";
Response renewalResponse = doTestTokenRevocation(true, null, createTestSubject(caller));
validateRevocationResponse(renewalResponse,
- 400,
+ 403,
false,
"Caller (" + caller + ") not authorized to revoke tokens.");
}
@@ -755,7 +755,7 @@
public void testTokenRevocation_Enabled_WithRenewersNoSubject() throws Exception {
Response renewalResponse = doTestTokenRevocation(true, "larry, moe, curly ", null);
validateRevocationResponse(renewalResponse,
- 400,
+ 403,
false,
"Caller (null) not authorized to revoke tokens.");
}
@@ -765,7 +765,7 @@
final String caller = "shemp";
Response renewalResponse = doTestTokenRevocation(true, "larry, moe, curly ", createTestSubject(caller));
validateRevocationResponse(renewalResponse,
- 400,
+ 403,
false,
"Caller (" + caller + ") not authorized to revoke tokens.");
}