From 6bf05babf76cedff6773e8b8956e9349748434ce Mon Sep 17 00:00:00 2001
From: "opensearch-trigger-bot[bot]" <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com>
Date: Fri, 6 Jan 2023 14:26:26 -0600
Subject: [PATCH 1/2] Update tool scripts to run in windows (#2371) (#2379)
(cherry picked from commit 8ccad5c7d2653fda12acabc1b94afe2b3d9a99dd)
Co-authored-by: Peter Nied
---
 tools/audit_config_migrater.bat | 13 ++++++++-----
 tools/hash.bat | 13 ++++++++-----
 tools/securityadmin.bat | 13 ++++++++-----
 3 files changed, 24 insertions(+), 15 deletions(-)
diff --git a/tools/audit_config_migrater.bat b/tools/audit_config_migrater.bat
index d33cd8c794..52ccd84915 100644
--- a/tools/audit_config_migrater.bat
+++ b/tools/audit_config_migrater.bat
@@ -1,16 +1,19 @@
 @echo off
-set SCRIPT_DIR=%~dp0
+set DIR=%~dp0
 echo "**************************************************************************"
 echo "** This tool will be deprecated in the next major release of OpenSearch **"
 echo "** https://github.com/opensearch-project/security/issues/1755 **"
 echo "**************************************************************************"
-rem comparing to empty string makes this equivalent to bash -v check on env var
-if not "%OPENSEARCH_JAVA_HOME%" == "" (
+if defined OPENSEARCH_JAVA_HOME (
 set BIN_PATH="%OPENSEARCH_JAVA_HOME%\bin\java.exe"
-) else (
+) else if defined JAVA_HOME (
 set BIN_PATH="%JAVA_HOME%\bin\java.exe"
+) else (
+ echo Unable to find java runtime
+ echo OPENSEARCH_JAVA_HOME or JAVA_HOME must be defined
+ exit /b 1
 )
-%BIN_PATH% -cp "%SCRIPT_DIR%\..\..\opendistro_security_ssl\*;%SCRIPT_DIR%\..\deps\*;%SCRIPT_DIR%\..\*;%SCRIPT_DIR%\..\..\..\lib\*" org.opensearch.security.tools.AuditConfigMigrater %*
+%BIN_PATH% -cp "%DIR%\..\*;%DIR%\..\..\..\lib\*;%DIR%\..\deps\*" org.opensearch.security.tools.AuditConfigMigrater %*
diff --git a/tools/hash.bat b/tools/hash.bat
index 182596fa8d..fe5f57b823 100644
--- a/tools/hash.bat
+++ b/tools/hash.bat
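Review bot: The new `if defined` chain confirms only that OPENSEARCH_JAVA_HOME or JAVA_HOME is set, not that `java.exe` actually exists under it, so a stale or mistyped path still falls through to the final `%BIN_PATH%` line and fails there with cmd's own error instead of the clear message this change introduces for the undefined case. A guard after the closing `)`, such as `if not exist %BIN_PATH% ( echo Java runtime not found at %BIN_PATH% & exit /b 1 )`, would cover that case in the same style (BIN_PATH already carries its own quotes). The two new error messages are also written to stdout; `echo ... 1>&2` would keep them out of any captured output of the tool itself. The identical blocks in tools/hash.bat and tools/securityadmin.bat have the same gap.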
@@ -1,17 +1,20 @@
 @echo off
-set SCRIPT_DIR=%~dp0
+set DIR=%~dp0
 echo "**************************************************************************"
 echo "** This tool will be deprecated in the next major release of OpenSearch **"
 echo "** https://github.com/opensearch-project/security/issues/1755 **"
 echo "**************************************************************************"
-rem comparing to empty string makes this equivalent to bash -v check on env var
-if not "%OPENSEARCH_JAVA_HOME%" == "" (
+if defined OPENSEARCH_JAVA_HOME (
 set BIN_PATH="%OPENSEARCH_JAVA_HOME%\bin\java.exe"
-) else (
+) else if defined JAVA_HOME (
 set BIN_PATH="%JAVA_HOME%\bin\java.exe"
+) else (
+ echo Unable to find java runtime
+ echo OPENSEARCH_JAVA_HOME or JAVA_HOME must be defined
+ exit /b 1
 )
-%BIN_PATH% -cp "%SCRIPT_DIR%\..\..\opendistro_security_ssl\*;%SCRIPT_DIR%\..\deps\*;%SCRIPT_DIR%\..\*;%SCRIPT_DIR%\..\..\..\lib\*" org.opensearch.security.tools.Hasher %*
+%BIN_PATH% -cp "%DIR%\..\*;%DIR%\..\..\..\lib\*;%DIR%\..\deps\*" org.opensearch.security.tools.Hasher %*
diff --git a/tools/securityadmin.bat b/tools/securityadmin.bat
index 359727c20a..d798f78bf0 100644
--- a/tools/securityadmin.bat
+++ b/tools/securityadmin.bat
@@ -1,16 +1,19 @@
 @echo off
-set SCRIPT_DIR=%~dp0
+set DIR=%~dp0
 echo "**************************************************************************"
 echo "** This tool will be deprecated in the next major release of OpenSearch **"
 echo "** https://github.com/opensearch-project/security/issues/1755 **"
 echo "**************************************************************************"
-rem comparing to empty string makes this equivalent to bash -v check on env var
-if not "%OPENSEARCH_JAVA_HOME%" == "" (
+if defined OPENSEARCH_JAVA_HOME (
 set BIN_PATH="%OPENSEARCH_JAVA_HOME%\bin\java.exe"
-) else (
+) else if defined JAVA_HOME (
 set BIN_PATH="%JAVA_HOME%\bin\java.exe"
+) else (
+ echo Unable to find java runtime
+ echo OPENSEARCH_JAVA_HOME or JAVA_HOME must be defined
+ exit /b 1
 )
-%BIN_PATH% -Dorg.apache.logging.log4j.simplelog.StatusLogger.level=OFF -cp "%SCRIPT_DIR%\..\..\opendistro_security-ssl\*;%SCRIPT_DIR%\..\deps\*;%SCRIPT_DIR%\..\*;%SCRIPT_DIR%\..\..\..\lib\*" org.opensearch.security.tools.SecurityAdmin %* 2> nul
+%BIN_PATH% -Dorg.apache.logging.log4j.simplelog.StatusLogger.level=OFF -cp "%DIR%\..\*;%DIR%\..\..\..\lib\*;%DIR%\..\deps\*" org.opensearch.security.tools.SecurityAdmin %* 2> nul
\ No newline at end of file
From 6a405845b82d97f985275fa2e28714dfc5e42c67 Mon Sep 17 00:00:00 2001
From: "opensearch-trigger-bot[bot]" <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com>
Date: Fri, 6 Jan 2023 14:27:09 -0600
Subject: [PATCH 2/2] Remove trimming of whitespace when extracting SAML backend roles (#2381) (#2383)
Signed-off-by: Craig Perkins
(cherry picked from commit 8ee28d18bb7f61b73c9540457ecd96442f3d29d4)
---
 .../jwt/AbstractHTTPJwtAuthenticator.java | 4 --
 .../http/saml/HTTPSamlAuthenticatorTest.java | 39 +++++++++++++++++++
 2 files changed, 39 insertions(+), 4 deletions(-)
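Review bot: The rewritten launch line keeps `2> nul`, so everything the JVM writes to stderr is discarded — including a startup failure such as the main class or a dependency not being found on the reordered classpath, which is exactly the kind of error this change could surface on a Windows install, leaving the operator with only a silent non-zero exit code. Since log4j status output is already silenced by `-Dorg.apache.logging.log4j.simplelog.StatusLogger.level=OFF`, consider dropping the redirect, or at least add `rem stderr is suppressed below; remove "2> nul" when troubleshooting startup or connection failures` above the line so the silence is deliberate and documented. Only securityadmin.bat has this redirect; hash.bat and audit_config_migrater.bat leave stderr visible.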
diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java
index d2e14d6145..e57b73f75c 100644
--- a/src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java
+++ b/src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java
@@ -216,10 +216,6 @@ public String[] extractRoles(JwtClaims claims) {
 roles = ((Collection) rolesObject).toArray(new String[0]);
 }
- for (int i = 0; i < roles.length; i++) {
- roles[i] = roles[i].trim();
- }
-
 return roles;
 }
diff --git a/src/test/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticatorTest.java b/src/test/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticatorTest.java
index b9f9952256..186539521b 100644
--- a/src/test/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticatorTest.java
+++ b/src/test/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticatorTest.java
@@ -314,6 +314,45 @@ public void shouldNotEscapeSamlEntities() throws Exception {
 Assert.assertEquals("ABC/Admin", samlAuthenticator.httpJwtAuthenticator.extractRoles(jwt.getClaims())[0]);
 }
+ @Test
+ public void shouldNotTrimWhitespaceInJwtRoles() throws Exception {
+ mockSamlIdpServer.setAuthenticateUser("ABC/User1");
+ mockSamlIdpServer.setEndpointQueryString(null);
+ mockSamlIdpServer.setSpSignatureCertificate(spSigningCertificate);
+ mockSamlIdpServer.setEncryptAssertion(true);
+ mockSamlIdpServer.setAuthenticateUserRoles(Arrays.asList(" ABC/Admin "));
+
+ Settings settings = Settings.builder().put(IDP_METADATA_URL, mockSamlIdpServer.getMetadataUri())
+ .put("kibana_url", "http://wherever").put("idp.entity_id", mockSamlIdpServer.getIdpEntityId())
+ .put("sp.signature_private_key", "-BEGIN PRIVATE KEY-\n" +
+ Base64.getEncoder().encodeToString(spSigningPrivateKey.getEncoded()) + "-END PRIVATE KEY-")
+ .put("exchange_key", "abc").put("roles_key", "roles").put("path.home", ".").build();
+
+ HTTPSamlAuthenticator samlAuthenticator = new HTTPSamlAuthenticator(settings, null);
+
+ AuthenticateHeaders authenticateHeaders = getAutenticateHeaders(samlAuthenticator);
+
+ String encodedSamlResponse = mockSamlIdpServer.handleSsoGetRequestURI(authenticateHeaders.location);
+
+ RestRequest tokenRestRequest = buildTokenExchangeRestRequest(encodedSamlResponse, authenticateHeaders);
+ TestRestChannel tokenRestChannel = new TestRestChannel(tokenRestRequest);
+
+ samlAuthenticator.reRequestAuthentication(tokenRestChannel, null);
+
+ String responseJson = new String(BytesReference.toBytes(tokenRestChannel.response.content()));
+ HashMap response = DefaultObjectMapper.objectMapper.readValue(responseJson,
+ new TypeReference>() {
+ });
+ String authorization = (String) response.get("authorization");
+
+ Assert.assertNotNull("Expected authorization attribute in JSON: " + responseJson, authorization);
+
+ JwsJwtCompactConsumer jwtConsumer = new 
JwsJwtCompactConsumer(authorization.replaceAll("\\s*bearer\\s*", "")); + JwtToken jwt = jwtConsumer.getJwtToken(); + + Assert.assertEquals("ABC/Admin", samlAuthenticator.httpJwtAuthenticator.extractRoles(jwt.getClaims())[0]); + } + @Test public void testMetadataBody() throws Exception { mockSamlIdpServer.setSignResponses(true);
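Review bot: The final assertion expects `"ABC/Admin"`, but the IdP is configured with `setAuthenticateUserRoles(Arrays.asList(" ABC/Admin "))`, so as written the test either cannot pass once the trim loop in AbstractHTTPJwtAuthenticator is gone, or the padding is being stripped somewhere between the mock IdP and the JWT claim — in which case the removed loop was not the only normalization point and the name shouldNotTrimWhitespaceInJwtRoles overstates what is verified. If the intent is to preserve the role verbatim, the expected value should be `Assert.assertEquals(" ABC/Admin ", samlAuthenticator.httpJwtAuthenticator.extractRoles(jwt.getClaims())[0]);`; otherwise a comment should name the layer that is expected to normalize it, so a future reader does not reintroduce trimming by accident. `new String(BytesReference.toBytes(...))` also decodes with the platform charset; `new String(..., StandardCharsets.UTF_8)` would pin the decoding regardless of the host. The method otherwise appears to mirror the preceding shouldNotEscapeSamlEntities test step for step; extracting the settings and token-exchange sequence into a helper would leave the role list as the only visible difference.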