/**
 * Decodes a Base64 access token taken from the HTTP {@code Authorization} header and re-serializes
 * only its identifier portion, so downstream code can work with the identity without the digest.
 *
 * @param accessToken Base64-encoded access token exactly as received in the Authorization header
 * @return the decoded identifier together with its Base64 serialized form
 * @throws IOException if the token or identifier codec reports an error
 */
public AccessTokenIdentifierPair transform(String accessToken) throws IOException {
  // Header value -> raw token bytes -> AccessToken object.
  AccessToken decodedToken = accessTokenCodec.decode(Base64.decodeBase64(accessToken));
  AccessTokenIdentifier identifier = decodedToken.getIdentifier();
  // Re-encode just the identifier. NOTE(review): trim() presumably guards against a trailing
  // line separator some Base64 encoders append — confirm before removing it.
  byte[] identifierBytes = accessTokenIdentifierCodec.encode(identifier);
  String serializedIdentifier = Base64.encodeBase64String(identifierBytes).trim();
  return new AccessTokenIdentifierPair(serializedIdentifier, identifier);
}
/**
 * Hashes the token by identifier, key id and digest content.
 * NOTE(review): must remain consistent with {@code equals} — confirm it compares the same three fields.
 */
@Override
public int hashCode() {
  // Hash the digest by content rather than array identity so equal tokens hash alike.
  int digestHash = Bytes.hashCode(getDigestBytes());
  return Objects.hashCode(getIdentifier(), getKeyId(), digestHash);
}
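/**
 * Given an {@link AccessToken} instance, checks that the token has not yet expired and that the digest matches
 * the expected value. To validate the token digest, we recompute the digest value, based on the asserted identity
 * and our own view of the secret keys.
 *
 * <p>Expiry is checked before the MAC, so the {@link TokenState} reported for an expired token does not depend on
 * whether its digest was valid.
 *
 * @param token The token instance to validate.
 * @throws InvalidTokenException If the provided token instance is expired ({@link TokenState#EXPIRED}), the digest
 *   does not match the recomputed value ({@link TokenState#INVALID}), or the key the token references cannot be
 *   used ({@link TokenState#INTERNAL}).
 */
public void validateSecret(AccessToken token) throws InvalidTokenException {
  long now = System.currentTimeMillis();
  if (token.getIdentifier().getExpireTimestamp() < now) {
    throw new InvalidTokenException(TokenState.EXPIRED, "Token is expired.");
  }
  try {
    keyManager.validateMAC(identifierCodec, token);
  } catch (InvalidDigestException ide) {
    // Preserve the cause (as the InvalidKeyException branch already does) so logs show why the
    // digest check failed; the client-facing message stays generic.
    throw new InvalidTokenException(TokenState.INVALID, "Token signature is not valid!", ide);
  } catch (InvalidKeyException ike) {
    throw new InvalidTokenException(TokenState.INTERNAL, "Invalid key for token.", ike);
  }
}
}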
Assert.assertEquals(getAuthenticatedUserName(), token.getIdentifier().getUsername()); LOG.info("AccessToken got from ExternalAuthenticationServer is: " + encodedToken); } finally {
Assert.assertEquals(getAuthenticatedUserName(), token.getIdentifier().getUsername()); LOG.info("AccessToken got from ExternalAuthenticationServer is: " + encodedToken); } finally {
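/**
 * Verifies that a key generated by one {@link DistributedKeyManager} instance reaches a second instance: tokens
 * signed by either manager validate on the other, and signing the same identifier on both yields equal tokens.
 *
 * <p>The token managers are stopped in a {@code finally} block so a failed assertion does not leak their threads
 * into later tests.
 *
 * @throws Exception if key distribution does not complete within the wait bounds or validation fails
 */
@Test
public void testKeyDistribution() throws Exception {
  // NOTE(review): the boolean passed to getKeyManager is not documented here — confirm its meaning.
  DistributedKeyManager manager1 = getKeyManager(injector1, true);
  DistributedKeyManager manager2 = getKeyManager(injector2, false);
  // NOTE(review): purpose of this fixed sleep is not documented; presumably lets both managers finish
  // starting up — confirm, or replace with an explicit wait.
  TimeUnit.MILLISECONDS.sleep(1000);
  TestingTokenManager tokenManager1 =
    new TestingTokenManager(manager1, injector1.getInstance(AccessTokenIdentifierCodec.class));
  TestingTokenManager tokenManager2 =
    new TestingTokenManager(manager2, injector2.getInstance(AccessTokenIdentifierCodec.class));
  tokenManager1.startAndWait();
  tokenManager2.startAndWait();
  try {
    long now = System.currentTimeMillis();
    AccessTokenIdentifier ident1 = new AccessTokenIdentifier(
      "testuser", Lists.newArrayList("users", "admins"), now, now + TimeUnit.HOURS.toMillis(1));
    AccessToken token1 = tokenManager1.signIdentifier(ident1);
    // make sure the second token manager has the secret key required to validate the signature
    tokenManager2.waitForKey(tokenManager1.getCurrentKey().getKeyId(), 2000, TimeUnit.MILLISECONDS);
    tokenManager2.validateSecret(token1);

    // Sign the same identifier on the second manager and check the first manager accepts it.
    tokenManager2.waitForCurrentKey(2000, TimeUnit.MILLISECONDS);
    AccessToken token2 = tokenManager2.signIdentifier(ident1);
    tokenManager1.validateSecret(token2);

    assertEquals(token1.getIdentifier().getUsername(), token2.getIdentifier().getUsername());
    assertEquals(token1.getIdentifier().getGroups(), token2.getIdentifier().getGroups());
    assertEquals(token1, token2);
  } finally {
    // Stop both managers even if the first stop throws.
    try {
      tokenManager1.stopAndWait();
    } finally {
      tokenManager2.stopAndWait();
    }
  }
}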
byte[] invalidDigest = token1.getDigestBytes(); random.nextBytes(invalidDigest); AccessToken invalidToken = new AccessToken(token1.getIdentifier(), token1.getKeyId(), invalidDigest); try { tokenManager.validateSecret(invalidToken); AccessToken invalidKeyToken = new AccessToken(token1.getIdentifier(), token1.getKeyId() + 1, token1.getDigestBytes()); try {