From 9ce36dc690f60de97936dd7b646ae88b6795b758 Mon Sep 17 00:00:00 2001
From: Ryan Liang <jiallian@amazon.com>
Date: Tue, 22 Aug 2023 01:11:24 -0700
Subject: [PATCH] Refactor the OBO Authenticator part2

Signed-off-by: Ryan Liang <jiallian@amazon.com>
---
 .../http/OnBehalfOfAuthenticator.java         | 65 ++++++++++---------
 1 file changed, 36 insertions(+), 29 deletions(-)

diff --git a/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java b/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java
index f312ea2fc3..9deb262bec 100644
--- a/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java
+++ b/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java
@@ -16,7 +16,6 @@
 import java.util.Arrays;
 import java.util.List;
 import java.util.Map.Entry;
-import java.util.Objects;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
@@ -136,7 +135,7 @@ public AuthCredentials run() {
 
     private AuthCredentials extractCredentials0(final RestRequest request) {
         if (!oboEnabled) {
-            log.error("On-behalf-of authentication has been disabled");
+            log.error("On-behalf-of authentication is disabled");
             return null;
         }
 
@@ -145,53 +144,33 @@ private AuthCredentials extractCredentials0(final RestRequest request) {
             return null;
         }
 
-        String jwtToken = request.header(HttpHeaders.AUTHORIZATION);
-
-        if (jwtToken == null || jwtToken.length() == 0) {
-            if (log.isDebugEnabled()) {
-                log.debug("No JWT token found in '{}' header", HttpHeaders.AUTHORIZATION);
-            }
+        String jwtToken = extractJwtFromHeader(request);
+        if (jwtToken == null) {
             return null;
         }
 
-        if (!BEARER.matcher(jwtToken).matches()) {
-            jwtToken = null;
-        }
-
-        if (jwtToken != null && Pattern.compile(BEARER_PREFIX).matcher(jwtToken.toLowerCase()).find()) {
-            jwtToken = jwtToken.substring(jwtToken.toLowerCase().indexOf(BEARER_PREFIX) + BEARER_PREFIX.length());
-        } else {
-            if (log.isDebugEnabled()) {
-                log.debug("No Bearer scheme found in header");
-            }
-        }
-
-        if (jwtToken == null) {
+        if (!isAllowedRequest(request)) {
             return null;
         }
 
         try {
-            if (!isAllowedRequest(request)) {
-                return null;
-            }
-
             final Claims claims = jwtParser.parseClaimsJws(jwtToken).getBody();
 
             final String subject = claims.getSubject();
-            if (Objects.isNull(subject)) {
+            if (subject == null) {
                 log.error("Valid jwt on behalf of token with no subject");
                 return null;
             }
 
             final String audience = claims.getAudience();
-            if (Objects.isNull(audience)) {
+            if (audience == null) {
                 log.error("Valid jwt on behalf of token with no audience");
                 return null;
             }
 
             final String issuer = claims.getIssuer();
             if (!issuer.equals(clusterName)) {
-                log.error("This issuer of this OBO does not match the current cluster identifier");
+                log.error("The issuer of this OBO does not match the current cluster identifier");
                 return null;
             }
 
@@ -208,13 +187,41 @@ private AuthCredentials extractCredentials0(final RestRequest request) {
 
         } catch (WeakKeyException e) {
             log.error("Cannot authenticate user with JWT because of ", e);
-            return null;
         } catch (Exception e) {
             if (log.isDebugEnabled()) {
                 log.debug("Invalid or expired JWT token.", e);
             }
+        }
+
+        return null;
+    }
+
+    private String extractJwtFromHeader(RestRequest request) {
+        String jwtToken = request.header(HttpHeaders.AUTHORIZATION);
+
+        if (jwtToken == null || jwtToken.isEmpty()) {
+            logDebug("No JWT token found in '{}' header", HttpHeaders.AUTHORIZATION);
+            return null;
+        }
+
+        if (!BEARER.matcher(jwtToken).matches()) {
             return null;
         }
+
+        if (jwtToken.toLowerCase().contains(BEARER_PREFIX)) {
+            jwtToken = jwtToken.substring(jwtToken.toLowerCase().indexOf(BEARER_PREFIX) + BEARER_PREFIX.length());
+        } else {
+            logDebug("No Bearer scheme found in header");
+            return null;
+        }
+
+        return jwtToken;
+    }
+
+    private void logDebug(String message, Object... args) {
+        if (log.isDebugEnabled()) {
+            log.debug(message, args);
+        }
     }
 
     public Boolean isAllowedRequest(final RestRequest request) {