Skip to content

Remove bwc logic for token invalidation #36893

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Dec 28, 2018
Merged

Remove bwc logic for token invalidation #36893

merged 10 commits into from
Dec 28, 2018

Conversation

@jkakavas
Copy link
Contributor

@jkakavas jkakavas commented Dec 20, 2018

Removes bwc for token invalidation

  • Removes bwc invalidation logic from the TokenService
  • Removes bwc serialization for InvalidateTokenResponse objects as
    old nodes in supported mixed clusters during upgrade will be 6.7 and
    thus will know of the new format
  • Removes the created field from the TokensInvalidationResult and the
    InvalidateTokenResponse as it is no longer useful in > 7.0

Resolves: #36727

@jkakavas
Removes bwc for token invalidation
d0e072d 
- Removes bwc invalidation logic from the TokenService
- Removes bwc serialization for InvalidateTokenResponse objects as
olf nodes in supported mixed clusters during upgade will be 6.7 and
thus will know of the new format
- Removes the created field from the InvalidateTokenResponse as it
is no longer useful in > 7.0
@jkakavas
Do not check for invalidated token documents anymore
494a5fb
@jkakavas
Fix tests to mock Get requests for invalidation
1236d9e
@jkakavas
merge getAndValidateToken with decodeAndValidateToken
5ae8f86
@jkakavas
define document id
8e87a27
@jkakavas
fix test
9801f22
@jkakavas
Remove created field from rest tests
fed803f
@jkakavas jkakavas added >enhancement >breaking >breaking-java v7.0.0 :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) labels Dec 20, 2018
@jkakavas jkakavas requested review from jaymode and tvernum December 20, 2018 13:28
@elasticmachine
Copy link
Collaborator

elasticmachine commented Dec 20, 2018

Pinging @elastic/es-security

@jkakavas
Copy link
Contributor Author

jkakavas commented Dec 20, 2018

@elasticmachine run the gradle build tests 2 σε παρακαλώ πολύ

@kobelb kobelb mentioned this pull request Dec 20, 2018
Merged
jaymode
jaymode approved these changes Dec 20, 2018
View reviewed changes
Copy link
Member

@jaymode jaymode left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

tvernum
tvernum approved these changes Dec 28, 2018
View reviewed changes
Copy link
Contributor

@tvernum tvernum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

...lugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ExpiredTokenRemover.java Outdated
.should(QueryBuilders.rangeQuery("creation_time").lte(now.minus(24L, ChronoUnit.HOURS).toEpochMilli()))));
.filter(QueryBuilders.termsQuery("doc_type", "token"))
.filter(QueryBuilders.boolQuery()
.must(QueryBuilders.rangeQuery("creation_time").lte(now.minus(24L, ChronoUnit.HOURS).toEpochMilli()))));
Copy link
Contributor

@tvernum tvernum Dec 28, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need a bool here? Can't we just add the range directly to the filter?

@jkakavas jkakavas merged commit 0cae979 into elastic:master Dec 28, 2018
@jkakavas jkakavas deleted the remove-bwc-invalidate-tokens branch December 28, 2018 11:09
@tvernum tvernum mentioned this pull request Jan 2, 2019
Closed
@jkakavas jkakavas mentioned this pull request Jan 2, 2019
Closed
jkakavas added a commit that referenced this pull request Jan 9, 2019
@jkakavas
Ensure that ActionListener is called exactly once
2a79c46 
This bug was introduced in #36893 and had the effect that
execution would continue after calling onFailure on the the
listener in checkIfTokenIsValid in the case that the token is
expired. In a case of many consecutive requests this could lead to
the unwelcome side effect of an expired access token producing a
successful authentication response.
@jkakavas jkakavas mentioned this pull request Jan 16, 2019
Closed
@jimczi jimczi removed the v7.0.0 label Feb 7, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tvernum tvernum tvernum approved these changes

@jaymode jaymode jaymode approved these changes

Assignees

No one assigned

Labels

>breaking >breaking-java >enhancement :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) v7.0.0-beta1

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@jkakavas @elasticmachine @tvernum @jaymode @jimczi