@Override
public int hashCode() {
  // Fold the principal, its groups and the validity window into one hash; callers presumably pair this
  // with an equals() over the same fields, which is not visible here.
  Object[] hashedFields = { getUsername(), getGroups(), getIssueTimestamp(), getExpireTimestamp() };
  return Objects.hashCode(hashedFields);
}
long expireTime = issueTime + tokenValidity; AccessTokenIdentifier tokenIdentifier = new AccessTokenIdentifier(username, userGroups, issueTime, expireTime); AccessToken token = tokenManager.signIdentifier(tokenIdentifier); LOG.debug("Issued token for user {}", username);
@Test
public void testKeyDistribution() throws Exception {
  // Two key managers backed by separate injectors; the boolean flag distinguishes their roles (see getKeyManager).
  DistributedKeyManager firstKeyManager = getKeyManager(injector1, true);
  DistributedKeyManager secondKeyManager = getKeyManager(injector2, false);
  TimeUnit.MILLISECONDS.sleep(1000);

  TestingTokenManager firstTokenManager =
    new TestingTokenManager(firstKeyManager, injector1.getInstance(AccessTokenIdentifierCodec.class));
  TestingTokenManager secondTokenManager =
    new TestingTokenManager(secondKeyManager, injector2.getInstance(AccessTokenIdentifierCodec.class));
  firstTokenManager.startAndWait();
  secondTokenManager.startAndWait();

  long issuedAt = System.currentTimeMillis();
  long validityMillis = TimeUnit.HOURS.toMillis(1);
  AccessTokenIdentifier identifier = new AccessTokenIdentifier(
    "testuser", Lists.newArrayList("users", "admins"), issuedAt, issuedAt + validityMillis);
  AccessToken signedByFirst = firstTokenManager.signIdentifier(identifier);

  // The second manager can only verify the MAC once it holds the key the first manager signed with.
  secondTokenManager.waitForKey(firstTokenManager.getCurrentKey().getKeyId(), 2000, TimeUnit.MILLISECONDS);
  secondTokenManager.validateSecret(signedByFirst);

  // Sign the same identifier from the second manager and check the first one accepts it as well.
  secondTokenManager.waitForCurrentKey(2000, TimeUnit.MILLISECONDS);
  AccessToken signedBySecond = secondTokenManager.signIdentifier(identifier);
  firstTokenManager.validateSecret(signedBySecond);

  assertEquals(signedByFirst.getIdentifier().getUsername(), signedBySecond.getIdentifier().getUsername());
  assertEquals(signedByFirst.getIdentifier().getGroups(), signedBySecond.getIdentifier().getGroups());
  assertEquals(signedByFirst, signedBySecond);

  firstTokenManager.stopAndWait();
  secondTokenManager.stopAndWait();
}
"CDAP-verified " + tokenPair.getAccessTokenIdentifierStr()); request.headers().set(Constants.Security.Headers.USER_ID, tokenPair.getAccessTokenIdentifierObj().getUsername()); String clientIP = Networks.getIP(channel.remoteAddress()); if (clientIP != null) {
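/**
 * Given an {@link AccessToken} instance, checks that the digest matches the expected value and that the token
 * has not yet expired. To validate the token digest, we recompute the digest value, based on the asserted identity
 * and our own view of the secret keys. The digest is verified before any field of the identifier is interpreted,
 * so nothing carried by an unauthenticated token (including its expiry timestamp) influences the outcome.
 *
 * @param token The token instance to validate.
 * @throws InvalidTokenException If the digest does not match the recomputed value (state {@code INVALID}),
 *                               the key needed to recompute it is unusable (state {@code INTERNAL}), or the
 *                               provided token instance is expired (state {@code EXPIRED}).
 */
public void validateSecret(AccessToken token) throws InvalidTokenException {
  // Authenticate first: until the MAC checks out, the identifier's claims cannot be trusted.
  try {
    keyManager.validateMAC(identifierCodec, token);
  } catch (InvalidDigestException ide) {
    // Preserve the cause so diagnostics keep the underlying reason without changing the message callers see.
    throw new InvalidTokenException(TokenState.INVALID, "Token signature is not valid!", ide);
  } catch (InvalidKeyException ike) {
    throw new InvalidTokenException(TokenState.INTERNAL, "Invalid key for token.", ike);
  }
  // Only a token with a valid signature reaches the expiry check.
  long now = System.currentTimeMillis();
  if (token.getIdentifier().getExpireTimestamp() < now) {
    throw new InvalidTokenException(TokenState.EXPIRED, "Token is expired.");
  }
}
}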
Assert.assertEquals(getAuthenticatedUserName(), token.getIdentifier().getUsername()); LOG.info("AccessToken got from ExternalAuthenticationServer is: " + encodedToken); } finally {
AccessTokenTransformer.AccessTokenIdentifierPair accessTokenIdentifierPair = accessTokenTransformer.transform(accessToken); logEntry.setUserName(accessTokenIdentifierPair.getAccessTokenIdentifierObj().getUsername()); msg.setHeader(HttpHeaders.Names.AUTHORIZATION, "CDAP-verified " + accessTokenIdentifierPair.getAccessTokenIdentifierStr());
long now = System.currentTimeMillis(); List<String> groups = Lists.newArrayList("users", "admins"); AccessTokenIdentifier identifier = new AccessTokenIdentifier(user, groups, now, now + TOKEN_DURATION);
Assert.assertEquals(getAuthenticatedUserName(), token.getIdentifier().getUsername()); LOG.info("AccessToken got from ExternalAuthenticationServer is: " + encodedToken); } finally {
@Test
public void testTokenSerialization() throws Exception {
  ImmutablePair<TokenManager, Codec<AccessToken>> managerAndCodec = getTokenManagerAndCodec();
  TokenManager manager = managerAndCodec.getFirst();
  Codec<AccessToken> codec = managerAndCodec.getSecond();
  manager.startAndWait();

  long issuedAt = System.currentTimeMillis();
  String user = "testuser";
  List<String> groups = Lists.newArrayList("users", "admins");
  AccessTokenIdentifier identifier = new AccessTokenIdentifier(user, groups, issuedAt, issuedAt + TOKEN_DURATION);
  AccessToken original = manager.signIdentifier(identifier);

  // Round-trip the signed token through the codec; the decoded copy must equal what we signed.
  AccessToken roundTripped = codec.decode(codec.encode(original));
  assertEquals(original, roundTripped);
  LOG.info("Deserialized token is: " + Bytes.toStringBinary(codec.encode(roundTripped)));

  // should be valid since we just signed it
  manager.validateSecret(roundTripped);
  manager.stopAndWait();
}
}
String user = "testuser"; List<String> groups = Lists.newArrayList("users", "admins"); AccessTokenIdentifier ident1 = new AccessTokenIdentifier(user, groups, now, now + TOKEN_DURATION); AccessToken token1 = tokenManager.signIdentifier(ident1); AccessTokenIdentifier expiredIdent = new AccessTokenIdentifier(user, groups, now - 1000, now - 1); AccessToken expiredToken = tokenManager.signIdentifier(expiredIdent); try {