
Support concurrent refresh of refresh tokens #39631

Merged
merged 24 commits into from Mar 4, 2019
70e620f
allow tokens to be reissued in a given time window
jkakavas Feb 4, 2019
318af42
Concludes work for supporting concurrent refreshes of access tokens i…
jkakavas Feb 4, 2019
541fc34
Merge remote-tracking branch 'origin/master' into support-concurrent-…
jkakavas Feb 4, 2019
55b7428
remove debug logging
jkakavas Feb 4, 2019
27324ab
fix merge woes
jkakavas Feb 5, 2019
f51a8f8
messing up while resolving merge conflicts is my super power
jkakavas Feb 5, 2019
44e0036
Merge remote-tracking branch 'origin/master' into support-concurrent-…
jkakavas Feb 5, 2019
7b70ca5
Handle/not handle deprecation warnings as needed
jkakavas Feb 5, 2019
2b54388
Handle deprecation header-AbstractUpgradeTestCase
jkakavas Feb 5, 2019
6a66302
Revert "Handle deprecation header-AbstractUpgradeTestCase"
jkakavas Feb 5, 2019
7337574
address feedback
jkakavas Feb 11, 2019
e655b0d
Fix versions for master. Will be changed back to V7_1_0 on backport
jkakavas Feb 11, 2019
0fa0f3c
add test with concurrent refreshes
jkakavas Feb 13, 2019
4d1e1dc
Implement suggested modifications
jkakavas Feb 26, 2019
d0971d1
Address feedback
jkakavas Feb 26, 2019
03475ac
Merge remote-tracking branch 'origin/master' into support-concurrent-…
jkakavas Feb 26, 2019
8f804c1
Fix TokenServiceTests
jkakavas Feb 27, 2019
309c8d1
address ffedback
jkakavas Feb 28, 2019
e13fd13
Merge remote-tracking branch 'origin/master' into support-concurrent-…
jkakavas Feb 28, 2019
35eb8ef
address feedback
jkakavas Feb 28, 2019
cbc626d
address feedback
jkakavas Mar 1, 2019
5b153e4
handle serializing/deserializing attemptCounter in the necessary vers…
jkakavas Mar 4, 2019
24a07c5
Revert "handle serializing/deserializing attemptCounter in the necess…
jkakavas Mar 4, 2019
7098ed4
Merge remote-tracking branch 'origin/master' into support-concurrent-…
jkakavas Mar 4, 2019
Expand Up @@ -7,6 +7,7 @@
package org.elasticsearch.xpack.core.security.authc.support;

import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.Version;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;
Expand All @@ -32,10 +33,9 @@ public class TokensInvalidationResult implements ToXContentObject, Writeable {
private final List<String> invalidatedTokens;
private final List<String> previouslyInvalidatedTokens;
private final List<ElasticsearchException> errors;
private final int attemptCount;

public TokensInvalidationResult(List<String> invalidatedTokens, List<String> previouslyInvalidatedTokens,
@Nullable List<ElasticsearchException> errors, int attemptCount) {
@Nullable List<ElasticsearchException> errors) {
Objects.requireNonNull(invalidatedTokens, "invalidated_tokens must be provided");
this.invalidatedTokens = invalidatedTokens;
Objects.requireNonNull(previouslyInvalidatedTokens, "previously_invalidated_tokens must be provided");
Expand All @@ -45,18 +45,19 @@ public TokensInvalidationResult(List<String> invalidatedTokens, List<String> pre
} else {
this.errors = Collections.emptyList();
}
this.attemptCount = attemptCount;
}

public TokensInvalidationResult(StreamInput in) throws IOException {
this.invalidatedTokens = in.readStringList();
this.previouslyInvalidatedTokens = in.readStringList();
this.errors = in.readList(StreamInput::readException);
this.attemptCount = in.readVInt();
if (in.getVersion().before(Version.V_8_0_0)) {
in.readVInt();
}
}

public static TokensInvalidationResult emptyResult() {
return new TokensInvalidationResult(Collections.emptyList(), Collections.emptyList(), Collections.emptyList(), 0);
return new TokensInvalidationResult(Collections.emptyList(), Collections.emptyList(), Collections.emptyList());
}


Expand All @@ -72,10 +73,6 @@ public List<ElasticsearchException> getErrors() {
return errors;
}

public int getAttemptCount() {
return attemptCount;
}

@Override
public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
builder.startObject()
Expand All @@ -100,6 +97,8 @@ public void writeTo(StreamOutput out) throws IOException {
out.writeStringCollection(invalidatedTokens);
out.writeStringCollection(previouslyInvalidatedTokens);
out.writeCollection(errors, StreamOutput::writeException);
out.writeVInt(attemptCount);
if (out.getVersion().before(Version.V_8_0_0)) {
out.writeVInt(5);
}
}
}
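Review bot: The placeholder `out.writeVInt(5);` in `writeTo` and the bare `in.readVInt();` in the `StreamInput` constructor are wire-compatibility shims for the removed `attemptCount` field, but nothing in the code says so and the `5` is an unexplained literal. I would add a comment on each, e.g. `// pre-8.0 nodes still read an attemptCount vInt here; the value is a placeholder` and `// discard the attemptCount vInt that pre-8.0 nodes still write`, and lift the literal into a named constant. How an older node acts on the received value is not visible in this section, so the choice of 5 rather than 0 deserves a sentence of justification next to the constant. `writeTo` begins above the last hunk.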
Expand Up @@ -199,6 +199,13 @@
"refreshed" : {
"type" : "boolean"
},
"refresh_time": {
"type": "date",
"format": "epoch_millis"
},
"superseded_by": {
"type": "keyword"
},
"invalidated" : {
"type" : "boolean"
},
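Review bot: The two added mapping entries are written `"refresh_time": {` and `"type": "date"` with no space before the colon, while the neighbouring entries use `"refreshed" : {` and `"type" : "boolean"`; matching the existing spacing keeps the template uniform. Separately, `superseded_by` is mapped as `keyword`, so whatever is stored there is indexed verbatim and readable by anyone who can query this index. The code that populates the field is not in this section, so it is worth confirming that it holds a document identifier rather than a usable token string.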
Expand Up @@ -29,8 +29,7 @@ public void testSerialization() throws IOException {
TokensInvalidationResult result = new TokensInvalidationResult(Arrays.asList(generateRandomStringArray(20, 15, false)),
Arrays.asList(generateRandomStringArray(20, 15, false)),
Arrays.asList(new ElasticsearchException("foo", new IllegalArgumentException("this is an error message")),
new ElasticsearchException("bar", new IllegalArgumentException("this is an error message2"))),
randomIntBetween(0, 5));
new ElasticsearchException("bar", new IllegalArgumentException("this is an error message2"))));
InvalidateTokenResponse response = new InvalidateTokenResponse(result);
try (BytesStreamOutput output = new BytesStreamOutput()) {
response.writeTo(output);
Expand All @@ -47,8 +46,7 @@ public void testSerialization() throws IOException {
}

result = new TokensInvalidationResult(Arrays.asList(generateRandomStringArray(20, 15, false)),
Arrays.asList(generateRandomStringArray(20, 15, false)),
Collections.emptyList(), randomIntBetween(0, 5));
Arrays.asList(generateRandomStringArray(20, 15, false)), Collections.emptyList());
response = new InvalidateTokenResponse(result);
try (BytesStreamOutput output = new BytesStreamOutput()) {
response.writeTo(output);
Expand All @@ -68,8 +66,7 @@ public void testToXContent() throws IOException {
List previouslyInvalidatedTokens = Arrays.asList(generateRandomStringArray(20, 15, false));
TokensInvalidationResult result = new TokensInvalidationResult(invalidatedTokens, previouslyInvalidatedTokens,
Arrays.asList(new ElasticsearchException("foo", new IllegalArgumentException("this is an error message")),
new ElasticsearchException("bar", new IllegalArgumentException("this is an error message2"))),
randomIntBetween(0, 5));
new ElasticsearchException("bar", new IllegalArgumentException("this is an error message2"))));
InvalidateTokenResponse response = new InvalidateTokenResponse(result);
XContentBuilder builder = XContentFactory.jsonBuilder();
response.toXContent(builder, ToXContent.EMPTY_PARAMS);
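Review bot: In the lines shown, `testSerialization` calls `response.writeTo(output)` on a fresh `BytesStreamOutput` without setting a stream version, so the branch in `TokensInvalidationResult` that writes and reads the placeholder vInt for streams before `Version.V_8_0_0` is not exercised here. A case that calls `output.setVersion(...)` and `input.setVersion(...)` with a pre-8.0 version would catch a mismatch between the two sides of that shim. The test bodies continue outside these hunks, so such a case may already exist further down.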
Expand Up @@ -63,7 +63,7 @@ protected void doExecute(Task task, SamlAuthenticateRequest request, ActionListe
final Map<String, Object> tokenMeta = (Map<String, Object>) result.getMetadata().get(SamlRealm.CONTEXT_TOKEN_DATA);
tokenService.createUserToken(authentication, originatingAuthentication,
ActionListener.wrap(tuple -> {
final String tokenString = tokenService.getUserTokenString(tuple.v1());
final String tokenString = tokenService.getAccessTokenAsString(tuple.v1());
final TimeValue expiresIn = tokenService.getExpirationDelay();
listener.onResponse(
new SamlAuthenticateResponse(authentication.getUser().principal(), tokenString, tuple.v2(), expiresIn));
Expand Up @@ -89,7 +89,7 @@ private void createToken(CreateTokenRequest request, Authentication authenticati
boolean includeRefreshToken, ActionListener<CreateTokenResponse> listener) {
try {
tokenService.createUserToken(authentication, originatingAuth, ActionListener.wrap(tuple -> {
final String tokenStr = tokenService.getUserTokenString(tuple.v1());
final String tokenStr = tokenService.getAccessTokenAsString(tuple.v1());
final String scope = getResponseScopeValue(request.getScope());

final CreateTokenResponse response =
Expand Up @@ -31,7 +31,7 @@ public TransportRefreshTokenAction(TransportService transportService, ActionFilt
@Override
protected void doExecute(Task task, CreateTokenRequest request, ActionListener<CreateTokenResponse> listener) {
tokenService.refreshToken(request.getRefreshToken(), ActionListener.wrap(tuple -> {
final String tokenStr = tokenService.getUserTokenString(tuple.v1());
final String tokenStr = tokenService.getAccessTokenAsString(tuple.v1());
final String scope = getResponseScopeValue(request.getScope());

final CreateTokenResponse response =