KNOX-2664 - Let end-users revoke their own tokens (apache#495)

spolavarpau1 · Sep 15, 2021 · 2a0a416 · 2a0a416
1 parent eb82cd9
commit 2a0a416
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 20 deletions.
diff --git a/...vice-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java b/...vice-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
@@ -489,27 +489,27 @@ public Response revoke(String token) {
       error = "Token revocation support is not configured";
       errorCode = ErrorCode.CONFIGURATION_ERROR;
     } else {
-      String renewer = SubjectUtils.getCurrentEffectivePrincipalName();
-      if (allowedRenewers.contains(renewer)) {
-        try {
-          final String tokenId = getTokenId(token);
-          tokenStateService.revokeToken(tokenId);
-          log.revokedToken(getTopologyName(),
-                           Tokens.getTokenDisplayText(token),
-                           Tokens.getTokenIDDisplayText(tokenId),
-                           renewer);
-        } catch (ParseException e) {
-          log.invalidToken(getTopologyName(), Tokens.getTokenDisplayText(token), e);
-          error = safeGetMessage(e);
-          errorCode = ErrorCode.INVALID_TOKEN;
-        } catch (UnknownTokenException e) {
-          error = safeGetMessage(e);
-          errorCode = ErrorCode.UNKNOWN_TOKEN;
+      try {
+        final String revoker = SubjectUtils.getCurrentEffectivePrincipalName();
+        final String tokenId = getTokenId(token);
+        if (triesToRevokeOwnToken(tokenId, revoker) || allowedRenewers.contains(revoker)) {
+            tokenStateService.revokeToken(tokenId);
+            log.revokedToken(getTopologyName(),
+                Tokens.getTokenDisplayText(token),
+                Tokens.getTokenIDDisplayText(tokenId),
+                revoker);
+        } else {
+          errorStatus = Response.Status.FORBIDDEN;
+          error = "Caller (" + revoker + ") not authorized to revoke tokens.";
+          errorCode = ErrorCode.UNAUTHORIZED;
         }
-      } else {
-        errorStatus = Response.Status.FORBIDDEN;
-        error = "Caller (" + renewer + ") not authorized to revoke tokens.";
-        errorCode = ErrorCode.UNAUTHORIZED;
+      } catch (ParseException e) {
+        log.invalidToken(getTopologyName(), Tokens.getTokenDisplayText(token), e);
+        error = safeGetMessage(e);
+        errorCode = ErrorCode.INVALID_TOKEN;
+      } catch (UnknownTokenException e) {
+        error = safeGetMessage(e);
+        errorCode = ErrorCode.UNKNOWN_TOKEN;
       }
     }
 
@@ -527,6 +527,12 @@ public Response revoke(String token) {
     return resp;
   }
 
+  private boolean triesToRevokeOwnToken(String tokenId, String revoker) throws UnknownTokenException {
+    final TokenMetadata metadata = tokenStateService.getTokenMetadata(tokenId);
+    final String tokenUserName = metadata == null ? "" : metadata.getUserName();
+    return StringUtils.isNotBlank(revoker) && revoker.equals(tokenUserName);
+  }
+
   /*
    * If the supplied 'token' conforms the UUID string representation, we consider
    * that as the token ID; otherwise we expect that 'token' is the entire JWT and

diff --git a/...ken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java b/...ken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
@@ -821,6 +821,12 @@ public void testTokenRevocation_Enabled_WithRenewersWithValidSubject() throws Ex
     validateSuccessfulRevocationResponse(renewalResponse);
   }
 
+  @Test
+  public void testTokenRevocation_Enabled_RevokeOwnToken() throws Exception {
+    final Response renewalResponse = doTestTokenRevocation(true, null, createTestSubject(USER_NAME));
+    validateSuccessfulRevocationResponse(renewalResponse);
+  }
+
   @Test
   public void testKidJkuClaims() throws Exception {
     final Map<String, String> contextExpectations = new HashMap<>();