use of org.apache.knox.gateway.services.security.token.UnknownTokenException in project knox by apache.
the class HadoopAuthPostFilter method doFilter.
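/**
 * Asserts the identity established by the preceding Hadoop authentication step for the
 * remainder of the filter chain.
 *
 * <p>When {@code shouldUseJwtFilter} selects the JWT path, the subject is built from the
 * wire token (JWT or passcode) via {@code jwtFilter}; otherwise it is built from the
 * container's remote user and an audit context is attached. A resolved subject is audited
 * as a successful authentication and the chain continues under {@code doAs}; an unresolved
 * one is audited as a failed authentication and answered with {@code 403}.
 *
 * @param request  the incoming request (cast to {@link HttpServletRequest})
 * @param response the outgoing response (cast to {@link HttpServletResponse})
 * @param chain    the remaining filter chain
 * @throws IOException      propagated from {@code doAs} / {@code sendError}
 * @throws ServletException propagated from {@code doAs}
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    final HttpServletRequest httpRequest = (HttpServletRequest) request;
    final Subject subject = shouldUseJwtFilter(jwtFilter, httpRequest)
        ? subjectFromWireToken(request)
        : subjectFromRemoteUser(httpRequest);

    // Attribute reads have no side effects, so resolving the audited URI once is safe for both outcomes
    final String sourceUri = (String) request.getAttribute(AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME);
    if (subject != null) {
        log.hadoopAuthAssertedPrincipal(getPrincipalsAsString(subject));
        auditor.audit(Action.AUTHENTICATION, sourceUri, ResourceType.URI, ActionOutcome.SUCCESS);
        doAs(request, response, chain, subject);
    } else {
        // Record the rejection as well, so failed authentications are visible in the audit trail
        // and not only the successful ones. NOTE(review): if jwtFilter already audits its own
        // validation failures, this may produce a second entry for the JWT path — confirm.
        auditor.audit(Action.AUTHENTICATION, sourceUri, ResourceType.URI, ActionOutcome.FAILURE);
        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN, "User not authenticated");
    }
}

/**
 * Builds a subject from the JWT or passcode carried on the wire, or returns {@code null}
 * when the token is absent, of an unsupported type, unparseable or unknown.
 */
private Subject subjectFromWireToken(ServletRequest request) {
    try {
        final Pair<JWTFederationFilter.TokenType, String> wireToken = jwtFilter.getWireToken(request);
        final JWTFederationFilter.TokenType tokenType = wireToken.getLeft();
        final String token = wireToken.getRight();
        if (JWTFederationFilter.TokenType.JWT.equals(tokenType)) {
            return jwtFilter.createSubjectFromToken(token);
        }
        if (JWTFederationFilter.TokenType.Passcode.equals(tokenType)) {
            return jwtFilter.createSubjectFromTokenIdentifier(token);
        }
        return null;
    } catch (ParseException | UnknownTokenException e) {
        // Intentionally swallowed: either way the caller could not be authenticated,
        // and the null result is turned into a 403 by doFilter.
        return null;
    }
}

/**
 * Builds a subject from the container-established remote user and attaches an audit
 * context for it; returns {@code null} when no remote user is present.
 */
private Subject subjectFromRemoteUser(HttpServletRequest httpRequest) {
    final String principal = httpRequest.getRemoteUser();
    if (principal == null) {
        return null;
    }
    final Subject subject = new Subject();
    subject.getPrincipals().add(new PrimaryPrincipal(principal));
    final AuditContext context = auditService.getContext();
    context.setUsername(principal);
    auditService.attachContext(context);
    return subject;
}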
use of org.apache.knox.gateway.services.security.token.UnknownTokenException in project knox by apache.
the class DefaultTokenStateService method getTokens.
/**
 * Returns the tokens whose metadata belongs to the given user, ordered by the natural
 * ordering of {@code KnoxToken}.
 *
 * <p>Only the in-memory {@code metadataMap} is consulted. A token whose state has
 * disappeared between the metadata lookup and the state lookups (revoked/evicted in the
 * meantime) is skipped rather than reported.
 *
 * @param userName the user whose tokens are requested
 * @return the matching tokens; empty when the user has none
 */
@Override
public Collection<KnoxToken> getTokens(String userName) {
    final Collection<KnoxToken> userTokens = new TreeSet<>();
    metadataMap.forEach((tokenId, metadata) -> {
        if (!metadata.getUserName().equals(userName)) {
            return;
        }
        try {
            userTokens.add(new KnoxToken(tokenId,
                                         getTokenIssueTime(tokenId),
                                         getTokenExpiration(tokenId),
                                         getMaxLifetime(tokenId),
                                         metadata));
        } catch (UnknownTokenException ignored) {
            // The state lives in memory, so an unknown token here means it was removed or
            // revoked concurrently — and such a token must not be listed anyway.
        }
    });
    return userTokens;
}
use of org.apache.knox.gateway.services.security.token.UnknownTokenException in project knox by apache.
the class JournalBasedTokenStateService method getTokenIssueTime.
/**
 * Returns the issue time of the given token, consulting the in-memory state first and
 * falling back to the journal on disk.
 *
 * @param tokenId the token identifier
 * @return the issue time in milliseconds; {@code 0} when the journal could not be read
 * @throws UnknownTokenException when the token fails validation or has no journal entry
 */
@Override
public long getTokenIssueTime(String tokenId) throws UnknownTokenException {
    // Fast path: avoid file access whenever the in-memory state knows the token
    try {
        return super.getTokenIssueTime(tokenId);
    } catch (UnknownTokenException notInMemory) {
        // Not cached; fall through to the journal lookup below
    }

    validateToken(tokenId);
    try {
        final JournalEntry entry = journal.get(tokenId);
        if (entry == null) {
            throw new UnknownTokenException(tokenId);
        }
        return Long.parseLong(entry.getIssueTime());
    } catch (IOException e) {
        log.failedToLoadJournalEntry(e);
        // NOTE(review): a journal read failure is reported as issue time 0 rather than as an
        // error; callers computing lifetimes from this value should be aware — confirm intended.
        return 0;
    }
}
use of org.apache.knox.gateway.services.security.token.UnknownTokenException in project knox by apache.
the class DefaultTokenStateServiceTest method testTokenEviction.
/**
 * Verifies that an already-expired token is evicted by the background evaluation and that
 * renewing it afterwards fails with {@code UnknownTokenException}.
 *
 * <p>Timing-based: the test sleeps for one and a half eviction intervals before asserting.
 */
@Test
public void testTokenEviction() throws Exception {
    final long evictionInterval = TimeUnit.SECONDS.toMillis(3);
    final long maxTokenLifetime = 3 * evictionInterval;
    // Issued a minute ago, so it is expired from the service's point of view
    final JWTToken expiredToken = createMockToken(System.currentTimeMillis() - TimeUnit.SECONDS.toMillis(60));
    final TokenStateService service = createTokenStateService();

    try {
        service.start();

        final String tokenId = expiredToken.getClaim(JWTToken.KNOX_ID_CLAIM);
        addToken(service, tokenId, System.currentTimeMillis(), expiredToken.getExpiresDate().getTime(), maxTokenLifetime);
        assertTrue("Expected the token to have expired.", service.isExpired(expiredToken));

        // Give the eviction evaluation a chance to run
        Thread.sleep(evictionInterval + evictionInterval / 2);

        // The token should be gone, so renewal must be rejected as unknown
        final UnknownTokenException thrown =
            assertThrows(UnknownTokenException.class, () -> service.renewToken(expiredToken));
        final String expectedMessage =
            "Unknown token: " + Tokens.getTokenIDDisplayText(TokenUtils.getTokenId(expiredToken));
        assertEquals(expectedMessage, thrown.getMessage());
    } finally {
        service.stop();
    }
}
use of org.apache.knox.gateway.services.security.token.UnknownTokenException in project knox by apache.
the class TokenResource method revoke.
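/**
 * Revokes the given token on behalf of the current effective principal.
 *
 * <p>Revocation is permitted when the caller owns the token or is listed in
 * {@code allowedRenewers}. The outcome is reported as a small JSON document; on failure it
 * carries the error text, the {@code ErrorCode} and one of {@code 400} (bad/unknown token,
 * not configured) or {@code 403} (caller not authorized).
 *
 * @param token the token (JWT or passcode) to revoke, as sent by the client
 * @return the HTTP response describing the outcome
 */
@DELETE
@Path(REVOKE_PATH)
@Produces({ APPLICATION_JSON })
public Response revoke(String token) {
    String error = "";
    ErrorCode errorCode = ErrorCode.UNKNOWN;
    Response.Status errorStatus = Response.Status.BAD_REQUEST;

    if (tokenStateService == null) {
        error = "Token revocation support is not configured";
        errorCode = ErrorCode.CONFIGURATION_ERROR;
    } else {
        try {
            final String revoker = SubjectUtils.getCurrentEffectivePrincipalName();
            final String tokenId = getTokenId(token);
            if (triesToRevokeOwnToken(tokenId, revoker) || allowedRenewers.contains(revoker)) {
                tokenStateService.revokeToken(tokenId);
                log.revokedToken(getTopologyName(), Tokens.getTokenDisplayText(token), Tokens.getTokenIDDisplayText(tokenId), revoker);
            } else {
                errorStatus = Response.Status.FORBIDDEN;
                error = "Caller (" + revoker + ") not authorized to revoke tokens.";
                errorCode = ErrorCode.UNAUTHORIZED;
            }
        } catch (ParseException e) {
            log.invalidToken(getTopologyName(), Tokens.getTokenDisplayText(token), e);
            error = safeGetMessage(e);
            errorCode = ErrorCode.INVALID_TOKEN;
        } catch (UnknownTokenException e) {
            error = safeGetMessage(e);
            errorCode = ErrorCode.UNKNOWN_TOKEN;
        }
    }

    if (error.isEmpty()) {
        return Response.status(Response.Status.OK).entity("{\n \"revoked\": \"true\"\n}\n").build();
    }

    log.badRevocationRequest(getTopologyName(), Tokens.getTokenDisplayText(token), error);
    // The error text embeds caller-influenced data (the principal name, parser messages derived
    // from the submitted token), so it is escaped to keep the document well-formed JSON and to
    // prevent that data from injecting extra fields into the response.
    final String body = "{\n \"revoked\": \"false\",\n \"error\": \"" + escapeJsonString(error) + "\",\n \"code\": " + errorCode.toInt() + "\n}\n";
    return Response.status(errorStatus).entity(body).build();
}

/**
 * Escapes a string for use inside a double-quoted JSON string literal (RFC 8259 §7):
 * quote, backslash and control characters are escaped; everything else is passed through.
 *
 * @param value the raw text; must not be {@code null}
 * @return the escaped text, without surrounding quotes
 */
private static String escapeJsonString(String value) {
    final StringBuilder escaped = new StringBuilder(value.length() + 16);
    for (int i = 0; i < value.length(); i++) {
        final char c = value.charAt(i);
        switch (c) {
            case '"':
                escaped.append("\\\"");
                break;
            case '\\':
                escaped.append("\\\\");
                break;
            case '\n':
                escaped.append("\\n");
                break;
            case '\r':
                escaped.append("\\r");
                break;
            case '\t':
                escaped.append("\\t");
                break;
            default:
                if (c < 0x20) {
                    // Remaining control characters must be \\u-escaped in JSON
                    escaped.append(String.format("\\u%04x", (int) c));
                } else {
                    escaped.append(c);
                }
        }
    }
    return escaped.toString();
}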