
Example 26 with TokenStateService

use of org.apache.knox.gateway.services.security.token.TokenStateService in project knox by apache.

the class DefaultTokenStateServiceTest method testTokenPermissiveness.

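/*
 * Verify that a token which was never registered with the TokenStateService still gets an expiration answer
 * equal to the expiry carried by the JWT itself. The service is initialised from createMockGatewayConfig(true);
 * presumably that flag enables the permissive mode named by this test (confirm against the helper).
 *
 * NOTE(review): what is asserted here is that an unknown token is answered from its own claim rather than
 * rejected. This test does not cover the non-permissive configuration.
 */
@Test
public void testTokenPermissiveness() throws Exception {
    final long expiry = System.currentTimeMillis() + TimeUnit.SECONDS.toMillis(300);
    final JWT token = getJWTToken(expiry);
    final TokenStateService tss = new DefaultTokenStateService();
    try {
        tss.init(createMockGatewayConfig(true), Collections.emptyMap());
    } catch (ServiceLifecycleException e) {
        // Still an assertion failure with the same message, but the original exception is kept as the cause
        // so the report shows where init() broke instead of only its message text.
        throw new AssertionError("Error creating TokenStateService: " + e.getMessage(), e);
    }
    // No addToken() call precedes this lookup, so the service holds no state for the token.
    // Both sides are truncated to whole seconds; presumably the JWT stores its expiry at second precision.
    assertEquals("Expected the JWT's own expiry for a token the service has no state for.",
                 TimeUnit.MILLISECONDS.toSeconds(expiry),
                 TimeUnit.MILLISECONDS.toSeconds(tss.getTokenExpiration(token)));
}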
Also used : JWT(org.apache.knox.gateway.services.security.token.impl.JWT) ServiceLifecycleException(org.apache.knox.gateway.services.ServiceLifecycleException) TokenStateService(org.apache.knox.gateway.services.security.token.TokenStateService) Test(org.junit.Test)

Example 27 with TokenStateService

use of org.apache.knox.gateway.services.security.token.TokenStateService in project knox by apache.

the class JournalBasedTokenStateServiceTest method testTokenEvictionIncludesPreviouslyPersistedJournalEntries.

/*
     * Verify that the token state reaper includes previously-persisted token state, so it's not left in the file
     * system forever.
     */
@Test
public void testTokenEvictionIncludesPreviouslyPersistedJournalEntries() throws Exception {
    // Scenario: one token's state is written to the journal before the service exists, then TOKEN_COUNT more
    // expired tokens are added at runtime. After one eviction pass, the in-memory maps and the journal must
    // all be empty.
    // NOTE(review): every token used here is already expired, so this test does not check that a still-valid
    // token survives the eviction pass.
    final int TOKEN_COUNT = 5;
    // evictionInterval only sizes the sleep below and maxTokenLifetime; assumes createTokenStateService()
    // configures the service with the same 3 s interval — not visible here, confirm.
    final long evictionInterval = TimeUnit.SECONDS.toMillis(3);
    final long maxTokenLifetime = evictionInterval * 3;
    final Set<JWTToken> testTokens = new HashSet<>();
    for (int i = 0; i < TOKEN_COUNT; i++) {
        // The argument is presumably the token's expiration time, i.e. 60 s in the past (see "expired tokens" below).
        testTokens.add(createMockToken(System.currentTimeMillis() - TimeUnit.SECONDS.toMillis(60)));
    }
    // Stand-alone journal handle built from a mock config. The size-1 assertions after service creation rely on
    // the service reading the same journal location — TODO confirm in createTokenStateService().
    TokenStateJournal testJournal = TokenStateJournalFactory.create(createMockGatewayConfig(false, getGatewaySecurityDir(), getTokenStatePersistenceInterval()));
    // Persist one journal entry before the TokenStateService is initialized, so it exists only in the journal
    final JWTToken uncachedToken = createMockToken(System.currentTimeMillis() - TimeUnit.SECONDS.toMillis(60));
    final String uncachedTokenId = uncachedToken.getClaim(JWTToken.KNOX_ID_CLAIM);
    // Trailing null: meaning not visible here, presumably optional per-token data — confirm against TokenStateJournal.add.
    testJournal.add(uncachedTokenId, System.currentTimeMillis(), uncachedToken.getExpiresDate().getTime(), maxTokenLifetime, null);
    assertEquals("Expected the uncached journal entry", 1, testJournal.get().size());
    // Create and initialize the TokenStateService, which is expected to load the entry persisted above
    TokenStateService tss = createTokenStateService();
    // Handles to the service's internal journal and maps (presumably obtained by reflection). The size
    // assertions below change over time on these same references, so they must be the live objects, not copies.
    TokenStateJournal journal = getJournalField(tss);
    Map<String, Long> tokenExpirations = getTokenExpirationsField(tss);
    Map<String, Long> maxTokenLifetimes = getMaxTokenLifetimesField(tss);
    assertEquals("Expected the previously-persisted journal entry to have been loaded into the cache.", 1, tokenExpirations.size());
    assertEquals("Expected the previously-persisted journal entry to have been loaded into the cache.", 1, maxTokenLifetimes.size());
    try {
        tss.start();
        // Add the expired tokens through the service API, keyed by their Knox token ID claim
        for (JWTToken token : testTokens) {
            tss.addToken(token.getClaim(JWTToken.KNOX_ID_CLAIM), System.currentTimeMillis(), token.getExpiresDate().getTime(), maxTokenLifetime);
        }
        // TOKEN_COUNT + 1 = the tokens just added plus the entry that was persisted before the service existed
        assertEquals("Expected the tokens to have been added in the base class cache.", TOKEN_COUNT + 1, tokenExpirations.size());
        assertEquals("Expected the tokens lifetimes to have been added in the base class cache.", TOKEN_COUNT + 1, maxTokenLifetimes.size());
        assertEquals("Expected the uncached journal entry in addition to the cached tokens", TOKEN_COUNT + 1, journal.get().size());
        // Sleep 1.25 x the eviction interval: long enough for one eviction evaluation, short enough to avoid a second.
        // This is wall-clock dependent and can misfire on a heavily loaded build host.
        Thread.sleep(evictionInterval + (evictionInterval / 4));
    } finally {
        // Always stop the service so a failed assertion does not leave it running
        tss.stop();
    }
    // After the eviction pass nothing may remain, in memory or in the journal, including the pre-existing entry
    assertEquals("Expected the tokens to have been removed from the base class cache as a result of eviction.", 0, tokenExpirations.size());
    assertEquals("Expected the tokens lifetimes to have been removed from the base class cache as a result of eviction.", 0, maxTokenLifetimes.size());
    assertEquals("Expected the journal entries to have been removed as a result of the eviction", 0, journal.get().size());
}
Also used : TokenStateService(org.apache.knox.gateway.services.security.token.TokenStateService) JWTToken(org.apache.knox.gateway.services.security.token.impl.JWTToken) TokenStateJournal(org.apache.knox.gateway.services.token.state.TokenStateJournal) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 28 with TokenStateService

use of org.apache.knox.gateway.services.security.token.TokenStateService in project knox by apache.

the class JournalBasedTokenStateServiceTest method testUpdateExpirationUsesCache.

/*
 * Verify that getTokenExpiration() answers from the cached expiration: once updateExpiration() has changed
 * the cached value, that value is what comes back, with the validation flag set to either true or false.
 */
@Test
public void testUpdateExpirationUsesCache() throws Exception {
    final int tokenCount = 10;
    TokenStateService stateService = createTokenStateService();
    // Handle to the service's expiration map; the size assertion below relies on it reflecting later additions.
    Map<String, Long> cachedExpirations = getTokenExpirationsField(stateService);
    final long maxTokenLifetime = TimeUnit.SECONDS.toMillis(3) * 3;
    final long sixtySeconds = TimeUnit.SECONDS.toMillis(60);
    final Set<JWTToken> expiredTokens = new HashSet<>();
    for (int remaining = tokenCount; remaining > 0; remaining--) {
        expiredTokens.add(createMockToken(System.currentTimeMillis() - sixtySeconds));
    }
    try {
        stateService.start();
        // Register the expired tokens with the service
        for (JWTToken expired : expiredTokens) {
            stateService.addToken(expired.getClaim(JWTToken.KNOX_ID_CLAIM),
                                  System.currentTimeMillis(),
                                  expired.getExpiresDate().getTime(),
                                  maxTokenLifetime);
        }
        assertEquals("Expected the tokens expirations to have been added in the base class cache.",
                     tokenCount,
                     cachedExpirations.size());
        // Overwrite every cached expiration so it no longer matches the underlying journal entry
        final long updatedExpiration = System.currentTimeMillis();
        final JournalBasedTokenStateService journalService = (JournalBasedTokenStateService) stateService;
        for (String id : cachedExpirations.keySet()) {
            journalService.updateExpiration(id, updatedExpiration);
        }
        // Alternate the validation flag (true first); it must not matter when the value comes from the cache
        boolean validate = true;
        for (String id : cachedExpirations.keySet()) {
            assertEquals("Expected the cached expiration to have been updated.",
                         updatedExpiration,
                         stateService.getTokenExpiration(id, validate));
            validate = !validate;
        }
    } finally {
        stateService.stop();
    }
}
Also used : TokenStateService(org.apache.knox.gateway.services.security.token.TokenStateService) JWTToken(org.apache.knox.gateway.services.security.token.impl.JWTToken) HashSet(java.util.HashSet) Test(org.junit.Test)
