deny access if STS token is found in revoked table

Author: Fabian Morgan

hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/exceptions/OMException.java

@@ -275,5 +275,7 @@ public enum ResultCodes {
     KEY_UNDER_LEASE_SOFT_LIMIT_PERIOD,
 
     TOO_MANY_SNAPSHOTS,
+
+    REVOKED_TOKEN,
   }
 }

hadoop-ozone/interface-client/src/main/proto/OmClientProtocol.proto

@@ -569,6 +569,8 @@ enum Status {
     KEY_UNDER_LEASE_SOFT_LIMIT_PERIOD = 97;
 
     TOO_MANY_SNAPSHOTS = 98;
+
+    REVOKED_TOKEN = 99;
 }
 
 /**

hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/S3SecurityUtil.java

@@ -18,14 +18,17 @@
 package org.apache.hadoop.ozone.security;
 
 import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.INVALID_TOKEN;
+import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.REVOKED_TOKEN;
 import static org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMTokenProto.Type.S3AUTHINFO;
 
 import com.google.protobuf.ServiceException;
 import java.time.Clock;
 import java.time.ZoneOffset;
 import org.apache.hadoop.hdds.annotation.InterfaceAudience;
 import org.apache.hadoop.hdds.annotation.InterfaceStability;
+import org.apache.hadoop.hdds.utils.db.Table;
 import org.apache.hadoop.io.Text;
+import org.apache.hadoop.ozone.om.OMMetadataManager;
 import org.apache.hadoop.ozone.om.OzoneManager;
 import org.apache.hadoop.ozone.om.exceptions.OMException;
 import org.apache.hadoop.ozone.om.exceptions.OMLeaderNotReadyException;
@@ -34,6 +37,8 @@
 import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.S3Authentication;
 import org.apache.hadoop.ozone.protocolPB.OzoneManagerProtocolServerSideTranslatorPB;
 import org.apache.hadoop.security.token.SecretManager;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * Utility class which holds methods required for parse/validation of
@@ -44,6 +49,7 @@
 public final class S3SecurityUtil {
 
   private static final Clock CLOCK = Clock.system(ZoneOffset.UTC);
+  private static final Logger LOG = LoggerFactory.getLogger(S3SecurityUtil.class);
 
   private S3SecurityUtil() {
   }
@@ -64,6 +70,13 @@ public static void validateS3Credential(OMRequest omRequest,
         if (!token.isEmpty()) {
           final STSTokenIdentifier stsTokenIdentifier = STSSecurityUtil.constructValidateAndDecryptSTSToken(
               token, ozoneManager.getSecretKeyClient(), CLOCK);
+
+          // Ensure the token is not revoked
+          if (isRevokedStsTempAccessKeyId(stsTokenIdentifier, ozoneManager)) {
+            LOG.info("Session token has been revoked: {}, {}", stsTokenIdentifier.getTempAccessKeyId(), token);
+            throw new OMException("STS token has been revoked", REVOKED_TOKEN);
+          }
+
           // HMAC signature and expiration were validated above.  Now validate AWS signature.
           validateSTSTokenAwsSignature(stsTokenIdentifier, omRequest);
           OzoneManager.setStsTokenIdentifier(stsTokenIdentifier);
@@ -124,4 +137,32 @@ private static void validateSTSTokenAwsSignature(STSTokenIdentifier stsTokenIden
     throw new OMException(
         "STS token validation failed for token: " + omRequest.getS3Authentication().getSessionToken(), INVALID_TOKEN);
   }
+
+  /**
+   * Returns true if the STS token's temporary access key ID is present in the revoked STS token table.
+   */
+  private static boolean isRevokedStsTempAccessKeyId(STSTokenIdentifier stsTokenIdentifier, OzoneManager ozoneManager) {
+    try {
+      final OMMetadataManager metadataManager = ozoneManager.getMetadataManager();
+      if (metadataManager == null) {
+        return false;
+      }
+
+      final Table<String, String> revokedStsTokenTable = metadataManager.getS3RevokedStsTokenTable();
+      if (revokedStsTokenTable == null) {
+        return false;
+      }
+
+      final String tempAccessKeyId = stsTokenIdentifier.getTempAccessKeyId();
+      if (tempAccessKeyId == null || tempAccessKeyId.isEmpty()) {
+        return false;
+      }
+
+      return revokedStsTokenTable.getIfExist(tempAccessKeyId) != null;
+    } catch (Exception e) {
+      // Any DB or codec problem is treated as best-effort failure.
+      LOG.warn("Failed to check STS token revocation state: {}", e.getMessage());
+      return false;
+    }
+  }
 }

hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestS3SecurityUtil.java

@@ -0,0 +1,190 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.security;
+
+import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.REVOKED_TOKEN;
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.CALLS_REAL_METHODS;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.mockStatic;
+import static org.mockito.Mockito.when;
+
+import java.io.IOException;
+import java.time.Clock;
+import java.time.Instant;
+import java.util.UUID;
+import java.util.concurrent.ThreadLocalRandom;
+import org.apache.hadoop.hdds.security.symmetric.SecretKeyClient;
+import org.apache.hadoop.hdds.utils.db.InMemoryTestTable;
+import org.apache.hadoop.hdds.utils.db.Table;
+import org.apache.hadoop.ozone.om.OMMetadataManager;
+import org.apache.hadoop.ozone.om.OzoneManager;
+import org.apache.hadoop.ozone.om.exceptions.OMException;
+import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMRequest;
+import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.S3Authentication;
+import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.Type;
+import org.junit.jupiter.api.Test;
+import org.mockito.MockedStatic;
+
+/**
+ * Tests for STS revocation handling in {@link S3SecurityUtil}.
+ */
+public class TestS3SecurityUtil {
+  private static final byte[] ENCRYPTION_KEY = new byte[5];
+
+  {
+    ThreadLocalRandom.current().nextBytes(ENCRYPTION_KEY);
+  }
+
+  @Test
+  public void testValidateS3CredentialFailsWhenTokenRevoked() throws Exception {
+    // If the revoked STS token table contains an entry for the temporary access key id extracted from the session
+    // token, validateS3Credential should reject the request with REVOKED_TOKEN
+    final String sessionToken = "session-token-a";
+    final String tempAccessKeyId = "ASIA123456789";
+
+    try (OzoneManager ozoneManager = mock(OzoneManager.class)) {
+      when(ozoneManager.isSecurityEnabled()).thenReturn(true);
+      when(ozoneManager.getSecretKeyClient()).thenReturn(mock(SecretKeyClient.class));
+
+      final OMMetadataManager metadataManager = mock(OMMetadataManager.class);
+      when(ozoneManager.getMetadataManager()).thenReturn(metadataManager);
+
+      final Table<String, String> revokedSTSTokenTable = new InMemoryTestTable<>();
+      when(metadataManager.getS3RevokedStsTokenTable()).thenReturn(revokedSTSTokenTable);
+
+      // Mock STSSecurityUtil to return a token whose tempAccessKeyId matches the one that's revoked.
+      final STSTokenIdentifier stsTokenIdentifier = new STSTokenIdentifier(
+          tempAccessKeyId, "original-access-key-id", "arn:aws:iam::123456789012:role/test-role",
+          Instant.now().plusSeconds(3600), "secret-access-key", "session-policy",
+          ENCRYPTION_KEY);
+
+      try (MockedStatic<STSSecurityUtil> stsSecurityUtilMock = mockStatic(STSSecurityUtil.class, CALLS_REAL_METHODS)) {
+        stsSecurityUtilMock.when(
+            () -> STSSecurityUtil.constructValidateAndDecryptSTSToken(
+                eq(sessionToken), any(SecretKeyClient.class), any(Clock.class)))
+            .thenReturn(stsTokenIdentifier);
+
+        // Revoke the tempAccessKeyId
+        revokedSTSTokenTable.put(tempAccessKeyId, sessionToken);
+
+        final OMRequest omRequest = createRequestWithSessionToken(sessionToken);
+        final OMException ex = assertThrows(
+            OMException.class, () -> S3SecurityUtil.validateS3Credential(omRequest, ozoneManager));
+        assertEquals(REVOKED_TOKEN, ex.getResult());
+      }
+    }
+  }
+
+  @Test
+  public void testValidateS3CredentialWhenMetadataUnavailable() {
+    // If the metadata manager is not available, the revocation check should not cause the request to be rejected.
+    final String sessionToken = "session-token-b";
+
+    try (OzoneManager ozoneManager = mock(OzoneManager.class)) {
+      when(ozoneManager.isSecurityEnabled()).thenReturn(true);
+      when(ozoneManager.getMetadataManager()).thenReturn(null);
+      when(ozoneManager.getSecretKeyClient()).thenReturn(mock(SecretKeyClient.class));
+
+      final OMRequest omRequest = createRequestWithSessionToken(sessionToken);
+
+      try (MockedStatic<STSSecurityUtil> stsSecurityUtilMock = mockStatic(STSSecurityUtil.class, CALLS_REAL_METHODS);
+           MockedStatic<AWSV4AuthValidator> awsV4AuthValidatorMock = mockStatic(
+               AWSV4AuthValidator.class, CALLS_REAL_METHODS)) {
+
+        final STSTokenIdentifier stsTokenIdentifier = new STSTokenIdentifier(
+            "temp-access-key-id", "original-access-key-id", "arn:aws:iam::123456789012:role/test-role",
+            Instant.now().plusSeconds(3600), "secret-access-key", "session-policy",
+            ENCRYPTION_KEY);
+
+        stsSecurityUtilMock.when(
+            () -> STSSecurityUtil.constructValidateAndDecryptSTSToken(
+                eq(sessionToken), any(SecretKeyClient.class), any(Clock.class)))
+            .thenReturn(stsTokenIdentifier);
+
+        // Mock AWS V4 signature validation
+        awsV4AuthValidatorMock.when(() -> AWSV4AuthValidator.validateRequest(anyString(), anyString(), anyString()))
+            .thenReturn(true);
+
+        assertDoesNotThrow(() -> S3SecurityUtil.validateS3Credential(omRequest, ozoneManager));
+      }
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  @Test
+  public void testValidateS3CredentialSuccessWhenNotRevoked() {
+    // Normal case: token is NOT revoked and request is accepted
+    final String sessionToken = "session-token-c";
+
+    try (OzoneManager ozoneManager = mock(OzoneManager.class)) {
+      when(ozoneManager.isSecurityEnabled()).thenReturn(true);
+      when(ozoneManager.getSecretKeyClient()).thenReturn(mock(SecretKeyClient.class));
+
+      final OMMetadataManager metadataManager = mock(OMMetadataManager.class);
+      when(ozoneManager.getMetadataManager()).thenReturn(metadataManager);
+
+      final Table<String, String> revokedSTSTokenTable = new InMemoryTestTable<>();
+      when(metadataManager.getS3RevokedStsTokenTable()).thenReturn(revokedSTSTokenTable);
+
+      // Not revoked -> getIfExist returns null by default in InMemoryTestTable
+      final OMRequest omRequest = createRequestWithSessionToken(sessionToken);
+      final STSTokenIdentifier stsTokenIdentifier = new STSTokenIdentifier(
+          "temp-access-key-id", "original-access-key-id", "arn:aws:iam::123456789012:role/test-role",
+          Instant.now().plusSeconds(3600), "secret-access-key", "session-policy",
+          ENCRYPTION_KEY);
+
+      try (MockedStatic<STSSecurityUtil> stsSecurityUtilMock = mockStatic(STSSecurityUtil.class, CALLS_REAL_METHODS);
+           MockedStatic<AWSV4AuthValidator> awsV4AuthValidatorMock = mockStatic(
+               AWSV4AuthValidator.class, CALLS_REAL_METHODS)) {
+
+        stsSecurityUtilMock.when(
+                () -> STSSecurityUtil.constructValidateAndDecryptSTSToken(
+                    eq(sessionToken), any(SecretKeyClient.class), any(Clock.class)))
+            .thenReturn(stsTokenIdentifier);
+        awsV4AuthValidatorMock.when(() -> AWSV4AuthValidator.validateRequest(anyString(), anyString(), anyString()))
+            .thenReturn(true);
+
+        assertDoesNotThrow(() -> S3SecurityUtil.validateS3Credential(omRequest, ozoneManager));
+      }
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  private static OMRequest createRequestWithSessionToken(String sessionToken) {
+    final S3Authentication s3Authentication = S3Authentication.newBuilder()
+        .setAccessId("accessKeyId")
+        .setStringToSign("string-to-sign")
+        .setSignature("signature")
+        .setSessionToken(sessionToken)
+        .build();
+
+    return OMRequest.newBuilder()
+        .setClientId(UUID.randomUUID().toString())
+        .setCmdType(Type.CreateVolume)
+        .setS3Authentication(s3Authentication)
+        .build();
+  }
+}

hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestSTSTokenIdentifier.java

@@ -28,6 +28,7 @@
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.UUID;
+import java.util.concurrent.ThreadLocalRandom;
 import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos.OMTokenProto;
 import org.junit.jupiter.api.Test;
 
@@ -39,7 +40,7 @@ public class TestSTSTokenIdentifier {
   private static final byte[] ENCRYPTION_KEY = new byte[5];
 
   {
-    new SecureRandom().nextBytes(ENCRYPTION_KEY);
+    ThreadLocalRandom.current().nextBytes(ENCRYPTION_KEY);
   }
 
   @Test