[HWORKS-992] Remove obsolete code for renewing JWT tokens (#1491)

[HWORKS-992] Remove testing for renewal tokens

Author: kouzant

hopsworks-IT/src/test/ruby/spec/jwt_spec.rb

@@ -44,8 +44,6 @@
         expect_status_details(200)
         expect(headers["authorization"]).not_to be_nil
         expect(headers["authorization"]).not_to be_empty
-        renew_tokens = json_body[:renewTokens]
-        expect(renew_tokens.length).to eql(5)
       end
 
       describe "#logged in as service user" do
@@ -57,7 +55,6 @@
 
           post "#{ENV['HOPSWORKS_API']}/auth/service",
                URI.encode_www_form({ email: "agent@hops.io", password: "admin"}), { content_type: 'application/x-www-form-urlencoded'}
-          @renew_tokens = json_body[:renewTokens]
           @master_token = headers["authorization"].split[1].strip
         end
 

hopsworks-api/src/main/java/io/hops/hopsworks/api/user/AuthService.java

@@ -52,13 +52,11 @@
 import io.hops.hopsworks.common.user.AuthController;
 import io.hops.hopsworks.common.user.QrCode;
 import io.hops.hopsworks.common.user.UsersController;
-import io.hops.hopsworks.common.util.DateUtils;
 import io.hops.hopsworks.common.util.Settings;
 import io.hops.hopsworks.exceptions.HopsSecurityException;
 import io.hops.hopsworks.exceptions.UserException;
 import io.hops.hopsworks.jwt.Constants;
 import io.hops.hopsworks.jwt.JWTController;
-import io.hops.hopsworks.jwt.JsonWebToken;
 import io.hops.hopsworks.jwt.annotation.JWTRequired;
 import io.hops.hopsworks.jwt.exception.DuplicateSigningKeyException;
 import io.hops.hopsworks.jwt.exception.InvalidationException;
@@ -93,12 +91,6 @@
 import javax.ws.rs.core.SecurityContext;
 import java.security.GeneralSecurityException;
 import java.security.NoSuchAlgorithmException;
-import java.time.LocalDateTime;
-import java.time.temporal.ChronoUnit;
-import java.util.Collection;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
@@ -230,18 +222,14 @@ public Response serviceLogin(@FormParam("email") String email, @FormParam("passw
     if (!needLogin(request, null, user)) {
       return Response.ok().build();
     }
+
     if (!userController.isUserInRole(user, "AGENT")) {
       throw new HopsSecurityException(RESTCodes.SecurityErrorCode.REST_ACCESS_CONTROL, Level.FINE,
           "Users are not allowed to access this endpoint, use auth/login instead",
           "User " + user.getUsername() + " tried to login but they don't have AGENT role");
     }
     request.getSession();
 
-    Collection roles = user.getBbcGroupCollection();
-    if (roles == null || roles.isEmpty()) {
-      throw new UserException(RESTCodes.UserErrorCode.NO_ROLE_FOUND, Level.FINE);
-    }
-    
     statusValidator.checkStatus(user.getStatus());
     String saltedPassword = authController.preLoginCheck(user, password, null);
 
@@ -251,47 +239,9 @@ public Response serviceLogin(@FormParam("email") String email, @FormParam("passw
       authController.registerAuthenticationFailure(user);
       throw new UserException(RESTCodes.UserErrorCode.AUTHENTICATION_FAILURE, Level.FINE, null, ex.getMessage(), ex);
     }
-  
-    // First generate the one-time tokens for renewal of master token
-    String renewalKeyName = jwtController.getServiceOneTimeJWTSigningKeyname(user.getUsername(),
-        request.getRemoteHost());
-    LocalDateTime masterExpiration = DateUtils.getNow().plus(settings.getServiceJWTLifetimeMS(), ChronoUnit.MILLIS);
-    LocalDateTime notBefore = jwtController.computeNotBefore4ServiceRenewalTokens(masterExpiration);
-    LocalDateTime expiresAt = notBefore.plus(settings.getServiceJWTLifetimeMS(), ChronoUnit.MILLIS);
-    List<String> userRoles = userUtilities.getUserRoles(user);
-    
-    JsonWebToken renewalJWTSpec = new JsonWebToken();
-    renewalJWTSpec.setSubject(user.getUsername());
-    renewalJWTSpec.setIssuer(settings.getJWTIssuer());
-    renewalJWTSpec.setAudience(JWTHelper.SERVICE_RENEW_JWT_AUDIENCE);
-    renewalJWTSpec.setKeyId(renewalKeyName);
-    renewalJWTSpec.setNotBefore(DateUtils.localDateTime2Date(notBefore));
-    renewalJWTSpec.setExpiresAt(DateUtils.localDateTime2Date(expiresAt));
-    
-    Map<String, Object> claims = new HashMap<>(4);
-    claims.put(Constants.RENEWABLE, false);
-    claims.put(Constants.EXPIRY_LEEWAY, 3600);
-    claims.put(Constants.ROLES, userRoles.toArray(new String[1]));
-    
-    String[] oneTimeRenewalTokens = jwtController.generateOneTimeTokens4ServiceJWTRenewal(renewalJWTSpec, claims,
-        settings.getJWTSigningKeyName());
-  
-    // Then generate the master service token
-    try {
-      String signingKeyID = jwtController.getSignKeyID(oneTimeRenewalTokens[0]);
-      claims.clear();
-      // The rest of JWT claims will be added by JWTHelper
-      claims.put(Constants.RENEWABLE, false);
-      claims.put(Constants.SERVICE_JWT_RENEWAL_KEY_ID, signingKeyID);
-      String token = jWTHelper.createToken(user, settings.getJWTIssuer(), claims);
-      
-      ServiceJWTDTO renewTokensResponse = new ServiceJWTDTO();
-      renewTokensResponse.setRenewTokens(oneTimeRenewalTokens);
-      return Response.ok().header(AUTHORIZATION, Constants.BEARER + token).entity(renewTokensResponse).build();
-    } catch (Exception ex) {
-      jwtController.deleteSigningKey(renewalKeyName);
-      throw ex;
-    }
+
+    String token = jWTHelper.createToken(user, settings.getJWTIssuer(), null);
+    return Response.ok().header(AUTHORIZATION, Constants.BEARER + token).build();
   }
 
   @GET

hopsworks-api/src/main/java/io/hops/hopsworks/api/user/ServiceJWTDTO.java

@@ -22,8 +22,7 @@ public class Constants {
   public static final String EXPIRY_LEEWAY = "expLeeway";
   public static final String ROLES = "roles";
   public static final String WWW_AUTHENTICATE_VALUE="Bearer realm=\"Cauth Realm\"";
-  public static final String SERVICE_JWT_RENEWAL_KEY_ID = "renewal_key_id";
-  
+
   public static final int DEFAULT_EXPIRY_LEEWAY = 60; //60 secs for exp
   public static final boolean DEFAULT_RENEWABLE = false;
 

hopsworks-jwt/src/main/java/io/hops/hopsworks/jwt/Constants.java

@@ -37,9 +37,6 @@
 import javax.ejb.TransactionAttribute;
 import javax.ejb.TransactionAttributeType;
 import java.security.NoSuchAlgorithmException;
-import java.time.LocalDateTime;
-import java.time.ZoneId;
-import java.time.temporal.ChronoUnit;
 import java.util.Calendar;
 import java.util.Collection;
 import java.util.Date;
@@ -55,7 +52,6 @@
 import static io.hops.hopsworks.jwt.Constants.DEFAULT_EXPIRY_LEEWAY;
 import static io.hops.hopsworks.jwt.Constants.DEFAULT_RENEWABLE;
 import static io.hops.hopsworks.jwt.Constants.EXPIRY_LEEWAY;
-import static io.hops.hopsworks.jwt.Constants.ONE_TIME_JWT_SIGNING_KEY_NAME;
 import static io.hops.hopsworks.jwt.Constants.RENEWABLE;
 import static io.hops.hopsworks.jwt.Constants.ROLES;
 
@@ -463,70 +459,6 @@ public String renewToken(String token, Date newExp, Date notBefore, boolean inva
     return renewedToken;
   }
 
-  public String getSignKeyID(String token) {
-    DecodedJWT jwt = decodeToken(token);
-    return jwt.getKeyId();
-  }
-  
-  public String[] generateOneTimeTokens4ServiceJWTRenewal(JsonWebToken jwtSpecs, Map<String, Object> claims,
-      String defaultJWTSigningKeyName)
-    throws NoSuchAlgorithmException, SigningKeyNotFoundException {
-    String[] renewalTokens = new String[5];
-    SignatureAlgorithm algorithm = SignatureAlgorithm.valueOf(Constants.ONE_TIME_JWT_SIGNATURE_ALGORITHM);
-    String[] audienceArray = jwtSpecs.getAudience().toArray(new String[1]);
-    try {
-      renewalTokens[0] = createToken(jwtSpecs.getKeyId(), true, jwtSpecs.getIssuer(),
-          audienceArray, jwtSpecs.getExpiresAt(), jwtSpecs.getNotBefore(), jwtSpecs.getSubject(), claims,
-          algorithm);
-    } catch (DuplicateSigningKeyException ex) {
-      LOGGER.log(Level.FINE, "Signing key already exist for service JWT key " + jwtSpecs.getKeyId()
-          + ". Removing old one");
-      if (defaultJWTSigningKeyName != null) {
-        if (!defaultJWTSigningKeyName.equals(jwtSpecs.getKeyId())
-            && !ONE_TIME_JWT_SIGNING_KEY_NAME.equals(jwtSpecs.getKeyId())) {
-          deleteSigningKey(jwtSpecs.getKeyId());
-        }
-      }
-      try {
-        renewalTokens[0] = createToken(jwtSpecs.getKeyId(), true, jwtSpecs.getIssuer(),
-            audienceArray, jwtSpecs.getExpiresAt(), jwtSpecs.getNotBefore(), jwtSpecs.getSubject(), claims,
-            algorithm);
-      } catch (DuplicateSigningKeyException dskex) {
-        // This should never happen, we handle it above
-      }
-    }
-    for (int i = 1; i < renewalTokens.length; i++) {
-      try {
-        renewalTokens[i] = createToken(jwtSpecs.getKeyId(), false, jwtSpecs.getIssuer(),
-            audienceArray, jwtSpecs.getExpiresAt(), jwtSpecs.getNotBefore(), jwtSpecs.getSubject(), claims,
-            algorithm);
-      } catch (DuplicateSigningKeyException dskex) {
-        // This should never happen, we do not create new signing key here
-      }
-    }
-    return renewalTokens;
-  }
-  
-  private Date localDateTime2Date(LocalDateTime localDateTime) {
-    return Date.from(localDateTime.atZone(ZoneId.systemDefault()).toInstant());
-  }
-  
-  public LocalDateTime computeNotBefore4ServiceRenewalTokens(LocalDateTime masterExpiration) {
-    LocalDateTime notBefore = null;
-    if (masterExpiration.minus(3L, ChronoUnit.MINUTES).isBefore(LocalDateTime.now())) {
-      notBefore = masterExpiration.minus(3L, ChronoUnit.MILLIS);
-    } else {
-      notBefore = masterExpiration.minus(3L, ChronoUnit.MINUTES);
-    }
-    return notBefore;
-  }
-  
-  private static final String SERVICE_ONE_TIME_SIGNING_KEYNAME = "%s_%s__%d";
-  public String getServiceOneTimeJWTSigningKeyname(String username, String remoteHost) {
-    long now = System.currentTimeMillis();
-    return String.format(SERVICE_ONE_TIME_SIGNING_KEYNAME, username, remoteHost, now);
-  }
-  
   public Map<String, Object> addDefaultClaimsIfMissing(Map<String, Object> userClaims, boolean isRenewable, int leeway,
       String[] roles) {
     if (userClaims == null) {