fix(gms): Change MessageDigest to be thread safe (#5405)

2025-08-22 08:08:01 +00:00 · 2022-07-15 11:58:59 +01:00 · 2022-07-15 11:58:59 +01:00 · 5b61bcc4e0
commit 5b61bcc4e0
parent fdea718e38
1 changed files with 7 additions and 26 deletions
--- a/metadata-service/auth-impl/src/main/java/com/datahub/authentication/token/StatefulTokenService.java
+++ b/metadata-service/auth-impl/src/main/java/com/datahub/authentication/token/StatefulTokenService.java
@ -16,13 +16,6 @@ import com.linkedin.metadata.resources.entity.AspectUtils;
 import com.linkedin.metadata.utils.AuditStampUtils;
 import com.linkedin.metadata.utils.GenericRecordUtils;
 import com.linkedin.mxe.MetadataChangeProposal;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang.ArrayUtils;
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.Base64;
 import java.util.Date;
 import java.util.HashMap;
@ -31,11 +24,13 @@ import java.util.Map;
 import java.util.Objects;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.codec.digest.DigestUtils;
 import org.apache.commons.lang.ArrayUtils;
-import static com.datahub.authentication.token.TokenClaims.ACTOR_ID_CLAIM_NAME;
+import static com.datahub.authentication.token.TokenClaims.*;
 import static com.datahub.authentication.token.TokenClaims.ACTOR_TYPE_CLAIM_NAME;
 import static com.datahub.authentication.token.TokenClaims.TOKEN_TYPE_CLAIM_NAME;
 import static com.datahub.authentication.token.TokenClaims.TOKEN_VERSION_CLAIM_NAME;
 /**
@ -48,7 +43,6 @@ public class StatefulTokenService extends StatelessTokenService {
  private final EntityService _entityService;
  private final LoadingCache<String, Boolean> _revokedTokenCache;
  private final String salt;
  private final MessageDigest sha256;
  public StatefulTokenService(@Nonnull final String signingKey, @Nonnull final String signingAlgorithm,
      @Nullable final String iss, @Nonnull final EntityService entityService, @Nonnull final String salt) {
@ -65,11 +59,6 @@ public class StatefulTokenService extends StatelessTokenService {
          }
        });
    this.salt = salt;
    try {
      this.sha256 = MessageDigest.getInstance("SHA-256");
    } catch (NoSuchAlgorithmException e) {
      throw new RuntimeException("Unable to get SHA-256 algorithm.");
    }
  }
  /**
@ -179,14 +168,6 @@ public class StatefulTokenService extends StatelessTokenService {
    throw new TokenException("Access token no longer exists");
  }
  public boolean isTokenRevoked(@Nonnull String hashToken) {
    try {
      return _revokedTokenCache.get(hashToken);
    } catch (ExecutionException e) {
      return false;
    }
  }
  /**
   * Hashes the input after salting it.
   */
@ -194,7 +175,7 @@ public class StatefulTokenService extends StatelessTokenService {
    final byte[] saltingKeyBytes = this.salt.getBytes();
    final byte[] inputBytes = input.getBytes();
    final byte[] concatBytes = ArrayUtils.addAll(inputBytes, saltingKeyBytes);
-    final byte[] bytes = sha256.digest(concatBytes);
+    final byte[] bytes = DigestUtils.sha256(concatBytes);
    return Base64.getEncoder().encodeToString(bytes);
  }
 }