From 24e12f5f525f9cb4fdb1e6e7fd082d9c3430803e Mon Sep 17 00:00:00 2001
From: Sandor Molnar
Date: Wed, 18 Oct 2023 13:46:33 +0200
Subject: [PATCH] KNOX-2969 - KnoxSSO Cookies should be ignored while calculating token limit per user
---
 .../service/knoxtoken/TokenResource.java | 9 +++++-
 .../knoxtoken/TokenServiceResourceTest.java | 28 +++++++++++++++----
 2 files changed, 31 insertions(+), 6 deletions(-)
diff --git a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
index 209fa66f3a..78d5d1d0c0 100644
--- a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
+++ b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
@@ -33,6 +33,7 @@ import java.util.Map;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.Locale;
 import java.util.Optional;
@@ -821,7 +822,13 @@ private Response getAuthenticationToken() {
 if (tokenStateService != null) {
 if (tokenLimitPerUser != -1) { // if -1 => unlimited tokens for all users
- final Collection userTokens = tokenStateService.getTokens(userName);
+ final Collection allUserTokens = tokenStateService.getTokens(userName);
+ final Collection userTokens = new LinkedList<>();
+ allUserTokens.stream().forEach(token -> {
+ if(!token.getMetadata().isKnoxSsoCookie()) {
+ userTokens.add(token);
+ }
+ });
 if (userTokens.size() >= tokenLimitPerUser) {
 log.tokenLimitExceeded(userName);
 if (UserLimitExceededAction.RETURN_ERROR == userLimitExceededAction) {
diff --git a/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java b/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
index 44c6f58e2c..332d2ce1e9 100644
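Review bot: In the second TokenResource.java hunk the lambda calls `token.getMetadata().isKnoxSsoCookie()` with no null check, so a stored token without metadata (whether that can occur is not visible here) would make the limit check throw and block token issuance for that user. Counting such a token toward the limit is the safer default, and a filter expresses it without the side-effecting `forEach`: `allUserTokens.stream().filter(t -> t.getMetadata() == null || !t.getMetadata().isKnoxSsoCookie()).collect(Collectors.toList())`, which needs `java.util.stream.Collectors` in scope and makes the new `LinkedList` import unnecessary. Because the limit now depends on the `isKnoxSsoCookie` flag, a comment above the filter such as `// KnoxSSO cookies are stored as tokens but must not count toward tokenLimitPerUser (KNOX-2969)` would help the next reader. The body of getAuthenticationToken() starts and ends outside the hunk.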
--- a/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
+++ b/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
@@ -1102,16 +1102,34 @@ private void testLimitingTokensPerUser(int configuredLimit, int numberOfTokens, tr.context = context; tr.init(); + // add some KnoxSSO Cookie, they should not be considered during token limit + // calculation + final int numberOfKnoxSsoCookies = 5; + for (int i = 0; i < numberOfKnoxSsoCookies; i++) { + final Response tokenResponse = acquireToken(tr); + + final String tokenId = getTagValue(tokenResponse.getEntity().toString(), "token_id"); + assertNotNull(tokenId); + final TokenMetadata tokenMetadata = new TokenMetadata(USER_NAME); + tokenMetadata.setKnoxSsoCookie(true); + tss.addMetadata(tokenId, tokenMetadata); + } + for (int i = 0; i < numberOfTokens; i++) { - final Response getTokenResponse = Subject.doAs(createTestSubject(USER_NAME), (PrivilegedAction) () -> tr.doGet()); - if (getTokenResponse.getStatus() != Response.Status.OK.getStatusCode()) { - throw new Exception(getTokenResponse.getEntity().toString()); - } + acquireToken(tr); } final Response getKnoxTokensResponse = getUserTokensResponse(tr); final Collection tokens = ((Map>) JsonUtils.getObjectFromJsonString(getKnoxTokensResponse.getEntity().toString())) .get("tokens"); - assertEquals(tokens.size(), revokeOldestToken ? configuredLimit : numberOfTokens); + assertEquals(tokens.size(), revokeOldestToken ? configuredLimit + numberOfKnoxSsoCookies : numberOfTokens + numberOfKnoxSsoCookies); + } + + private Response acquireToken(TokenResource tokenResource) throws Exception { + final Response getTokenResponse = Subject.doAs(createTestSubject(USER_NAME), (PrivilegedAction) () -> tokenResource.doGet()); + if (getTokenResponse.getStatus() != Response.Status.OK.getStatusCode()) { + throw new Exception(getTokenResponse.getEntity().toString()); + } + return getTokenResponse; } @Test
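Review bot: The changed assertion passes the actual value first, `assertEquals(tokens.size(), ...)`; assuming this is JUnit's `assertEquals(expected, actual)`, a failure would report the two numbers the wrong way round. Swapping the arguments and factoring out the common term reads more clearly: `assertEquals((revokeOldestToken ? configuredLimit : numberOfTokens) + numberOfKnoxSsoCookies, tokens.size());`. The setup loop flags each token as a cookie only after `acquireToken(tr)` has succeeded, so a one-line comment saying that those acquisitions still pass through the limit check as regular tokens would explain why the order of the two calls matters. testLimitingTokensPerUser begins outside the hunk.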