From bef85da1de64fd5f2c525c0e0eb7bf17af9704aa Mon Sep 17 00:00:00 2001 From: Ryan Liang Date: Wed, 16 Aug 2023 11:57:39 -0700 Subject: [PATCH] Remove the enforcing of token type for OBO auth Signed-off-by: Ryan Liang --- .../security/authtoken/jwt/JwtVendor.java | 3 -- .../http/OnBehalfOfAuthenticator.java | 10 +++--- .../security/authtoken/jwt/JwtVendorTest.java | 1 - .../http/OnBehalfOfAuthenticatorTest.java | 36 ++++--------------- 4 files changed, 11 insertions(+), 39 deletions(-) diff --git a/src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java b/src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java index 0b9154a09b..714293598a 100644 --- a/src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java +++ b/src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java @@ -113,7 +113,6 @@ public String createJwt( List roles, List backendRoles ) throws Exception { - String tokenIdentifier = "obo"; long timeMillis = timeProvider.getAsLong(); Instant now = Instant.ofEpochMilli(timeProvider.getAsLong()); @@ -121,8 +120,6 @@ public String createJwt( JwtClaims jwtClaims = new JwtClaims(); JwtToken jwt = new JwtToken(jwtClaims); - jwtClaims.setProperty("typ", tokenIdentifier); - jwtClaims.setIssuer(issuer); jwtClaims.setIssuedAt(timeMillis); diff --git a/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java b/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java index 23d3bb6d75..daf7ea659e 100644 --- a/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java +++ b/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java 
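Review bot: In the first JwtVendor hunk the two lines kept below the removed `tokenIdentifier` read the clock twice — `long timeMillis = timeProvider.getAsLong();` and `Instant now = Instant.ofEpochMilli(timeProvider.getAsLong());` — so `iat` (set from `timeMillis` in the next hunk) and whatever is later derived from `now`, presumably the expiry, can be based on different instants. Deriving both from one reading, `Instant now = Instant.ofEpochMilli(timeMillis);`, removes the skew and makes the token's lifetime exactly the configured span relative to its own `iat`. This predates the commit, but the hunk already touches this statement run, and createJwt continues past the end of the hunk.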
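Review bot: Dropping `jwtClaims.setProperty("typ", tokenIdentifier)` in the second JwtVendor hunk leaves the minted token with no type marker at all, which only matters if the signing key or issuer is ever shared with another kind of token, but that decision deserves a note where the claim used to be, e.g. `// Intentionally no token-type claim: the OBO authenticator no longer enforces one.` If explicit typing is wanted back later, RFC 8725 §3.11 recommends carrying it in the JOSE `typ` header rather than as a payload claim; whether this vendor exposes the JWS header is not visible in the hunk. createJwt begins and ends outside this hunk.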
@@ -204,11 +204,11 @@ private AuthCredentials extractCredentials0(final RestRequest request) { return null; } - final String tokenType = claims.get(TOKEN_TYPE_CLAIM).toString(); - if (!tokenType.equals(TOKEN_TYPE)) { - log.error("This toke is not verifying as an on-behalf-of token"); - return null; - } +// final String tokenType = claims.get(TOKEN_TYPE_CLAIM).toString(); +// if (!tokenType.equals(TOKEN_TYPE)) { +// log.error("This toke is not verifying as an on-behalf-of token"); +// return null; +// } final String issuer = claims.getIssuer(); final String clusterName = OpenSearchSecurityPlugin.getClusterName().getClusterName().value(); diff --git a/src/test/java/org/opensearch/security/authtoken/jwt/JwtVendorTest.java b/src/test/java/org/opensearch/security/authtoken/jwt/JwtVendorTest.java index 3477432462..ad3509a4e0 100644 --- a/src/test/java/org/opensearch/security/authtoken/jwt/JwtVendorTest.java +++ b/src/test/java/org/opensearch/security/authtoken/jwt/JwtVendorTest.java @@ -63,7 +63,6 @@ public void testCreateJwtWithRoles() throws Exception { JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(encodedJwt); JwtToken jwt = jwtConsumer.getJwtToken(); - Assert.assertEquals("obo", jwt.getClaim("typ")); Assert.assertEquals("cluster_0", jwt.getClaim("iss")); Assert.assertEquals("admin", jwt.getClaim("sub")); Assert.assertEquals("audience_0", jwt.getClaim("aud")); diff --git a/src/test/java/org/opensearch/security/http/OnBehalfOfAuthenticatorTest.java b/src/test/java/org/opensearch/security/http/OnBehalfOfAuthenticatorTest.java index b3b1ef1a81..d68130981b 100644 --- a/src/test/java/org/opensearch/security/http/OnBehalfOfAuthenticatorTest.java +++ b/src/test/java/org/opensearch/security/http/OnBehalfOfAuthenticatorTest.java 
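Review bot: The replacement lines keep the token-type check as commented-out code in extractCredentials0 instead of deleting it; either remove the five `//` lines together with `TOKEN_TYPE_CLAIM` and `TOKEN_TYPE` if nothing else references them, or, if the check may return, say so in the PR rather than leaving dead code behind. As far as this hunk shows, what remains to bind a presented JWT to on-behalf-of use is the signature plus the issuer/cluster-name comparison that follows, so any other token signed with the same key and carrying this cluster's name as `iss` is now accepted here too; that is only safe if the key is dedicated to OBO tokens, and a comment stating that assumption at this point would help the next reader, e.g. `// No token-type claim is enforced: any JWT signed with the OBO key and issued by this cluster is accepted.` Should a type check be reinstated, compare the JOSE `typ` header (RFC 8725 §3.11) with a null-safe equality rather than the `claims.get(TOKEN_TYPE_CLAIM).toString()` form of the removed lines, which threw on a token that simply lacked the claim. extractCredentials0 starts and ends outside this hunk.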
@@ -74,7 +74,7 @@ public void testNoKey() throws Exception { final AuthCredentials credentials = extractCredentialsFromJwtHeader( null, claimsEncryptionKey, - Jwts.builder().setIssuer(clusterNameString).claim("typ", "obo").setSubject("Leonard McCoy"), + Jwts.builder().setIssuer(clusterNameString).setSubject("Leonard McCoy"), false ); Assert.fail("Expected a RuntimeException"); @@ -90,7 +90,7 @@ public void testEmptyKey() throws Exception { final AuthCredentials credentials = extractCredentialsFromJwtHeader( null, claimsEncryptionKey, - Jwts.builder().setIssuer(clusterNameString).claim("typ", "obo").setSubject("Leonard McCoy"), + Jwts.builder().setIssuer(clusterNameString).setSubject("Leonard McCoy"), false ); Assert.fail("Expected a RuntimeException"); @@ -106,7 +106,7 @@ public void testBadKey() throws Exception { final AuthCredentials credentials = extractCredentialsFromJwtHeader( BaseEncoding.base64().encode(new byte[] { 1, 3, 3, 4, 3, 6, 7, 8, 3, 10 }), claimsEncryptionKey, - Jwts.builder().setIssuer(clusterNameString).claim("typ", "obo").setSubject("Leonard McCoy"), + Jwts.builder().setIssuer(clusterNameString).setSubject("Leonard McCoy"), false ); Assert.fail("Expected a WeakKeyException"); @@ -143,7 +143,6 @@ public void testInvalid() throws Exception { public void testDisabled() throws Exception { String jwsToken = Jwts.builder() .setIssuer(clusterNameString) - .claim("typ", "obo") .setSubject("Leonard McCoy") .setAudience("ext_0") .signWith(Keys.hmacShaKeyFor(Base64.getDecoder().decode(signingKeyB64Encoded)), SignatureAlgorithm.HS512) @@ -161,7 +160,6 @@ public void testDisabled() throws Exception { public void testNonSpecifyOBOSetting() throws Exception { String jwsToken = Jwts.builder() .setIssuer(clusterNameString) - .claim("typ", "obo") .setSubject("Leonard McCoy") .setAudience("ext_0") .signWith(Keys.hmacShaKeyFor(Base64.getDecoder().decode(signingKeyB64Encoded)), SignatureAlgorithm.HS512) 
@@ -180,7 +178,6 @@ public void testBearer() throws Exception { String jwsToken = Jwts.builder() .setIssuer(clusterNameString) - .claim("typ", "obo") .setSubject("Leonard McCoy") .setAudience("ext_0") .signWith(Keys.hmacShaKeyFor(Base64.getDecoder().decode(signingKeyB64Encoded)), SignatureAlgorithm.HS512) @@ -196,7 +193,7 @@ public void testBearer() throws Exception { Assert.assertEquals("Leonard McCoy", credentials.getUsername()); Assert.assertEquals(0, credentials.getSecurityRoles().size()); Assert.assertEquals(0, credentials.getBackendRoles().size()); - Assert.assertEquals(4, credentials.getAttributes().size()); + Assert.assertEquals(3, credentials.getAttributes().size()); } @Test @@ -204,7 +201,6 @@ public void testBearerWrongPosition() throws Exception { String jwsToken = Jwts.builder() .setIssuer(clusterNameString) - .claim("typ", "obo") .setSubject("Leonard McCoy") .setAudience("ext_0") .signWith(secretKey, SignatureAlgorithm.HS512) @@ -223,7 +219,6 @@ public void testBearerWrongPosition() throws Exception { public void testBasicAuthHeader() throws Exception { String jwsToken = Jwts.builder() .setIssuer(clusterNameString) - .claim("typ", "obo") .setSubject("Leonard McCoy") .setAudience("ext_0") .signWith(secretKey, SignatureAlgorithm.HS512) @@ -244,7 +239,6 @@ public void testRoles() throws Exception { claimsEncryptionKey, Jwts.builder() .setIssuer(clusterNameString) - .claim("typ", "obo") .setSubject("Leonard McCoy") .claim("dr", "role1,role2") .setAudience("svc1"), 
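Review bot: After this change no fixture in the file carries `.claim("typ", "obo")` any more, so nothing checks that a token minted by the previous JwtVendor, which did carry that claim, still authenticates; the `4` → `3` change in `Assert.assertEquals(3, credentials.getAttributes().size());` suggests the claim surfaced as an attribute, so one positive test, e.g. a copy of testBearer that keeps the claim, should assert that credentials are returned and, if attributes pass through unchanged, that the count is 4 there. That keeps already-issued tokens covered across the rollout of this commit. The testBearer method begins in the preceding hunk, outside the one that changes the count.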
@@ -257,19 +251,6 @@ public void testRoles() throws Exception { Assert.assertEquals(0, credentials.getBackendRoles().size()); } - @Test - public void testNoTokenType() throws Exception { - - final AuthCredentials credentials = extractCredentialsFromJwtHeader( - signingKeyB64Encoded, - claimsEncryptionKey, - Jwts.builder().setIssuer(clusterNameString).setSubject("Leonard McCoy").claim("dr", "role1,role2").setAudience("svc1"), - true - ); - - Assert.assertNull(credentials); - } - @Test public void testNullClaim() throws Exception { @@ -278,7 +259,6 @@ public void testNullClaim() throws Exception { claimsEncryptionKey, Jwts.builder() .setIssuer(clusterNameString) - .claim("typ", "obo") .setSubject("Leonard McCoy") .claim("dr", null) .setAudience("svc1"), @@ -298,7 +278,6 @@ public void testNonStringClaim() throws Exception { claimsEncryptionKey, Jwts.builder() .setIssuer(clusterNameString) - .claim("typ", "obo") .setSubject("Leonard McCoy") .claim("dr", 123L) .setAudience("svc1"), @@ -317,7 +296,7 @@ public void testRolesMissing() throws Exception { final AuthCredentials credentials = extractCredentialsFromJwtHeader( signingKeyB64Encoded, claimsEncryptionKey, - Jwts.builder().setIssuer(clusterNameString).claim("typ", "obo").setSubject("Leonard McCoy").setAudience("svc1"), + Jwts.builder().setIssuer(clusterNameString).setSubject("Leonard McCoy").setAudience("svc1"), false ); @@ -335,7 +314,6 @@ public void testWrongSubjectKey() throws Exception { claimsEncryptionKey, Jwts.builder() .setIssuer(clusterNameString) - .claim("typ", "obo") .claim("roles", "role1,role2") .claim("asub", "Dr. Who") .setAudience("svc1"), 
@@ -351,7 +329,7 @@ public void testExp() throws Exception { final AuthCredentials credentials = extractCredentialsFromJwtHeader( signingKeyB64Encoded, claimsEncryptionKey, - Jwts.builder().setIssuer(clusterNameString).claim("typ", "obo").setSubject("Expired").setExpiration(new Date(100)), + Jwts.builder().setIssuer(clusterNameString).setSubject("Expired").setExpiration(new Date(100)), false ); @@ -366,7 +344,6 @@ public void testNbf() throws Exception { claimsEncryptionKey, Jwts.builder() .setIssuer(clusterNameString) - .claim("typ", "obo") .setSubject("Expired") .setNotBefore(new Date(System.currentTimeMillis() + (1000 * 36000))), false @@ -404,7 +381,6 @@ public void testDifferentIssuer() throws Exception { String jwsToken = Jwts.builder() .setIssuer("Wrong Cluster Identifier") - .claim("typ", "obo") .setSubject("Leonard McCoy") .setAudience("ext_0") .signWith(Keys.hmacShaKeyFor(Base64.getDecoder().decode(signingKeyB64Encoded)), SignatureAlgorithm.HS512)