Skip to content

Commit

Permalink
Refactor the bwc mode into roleSecurityMode
Browse files Browse the repository at this point in the history
Signed-off-by: Ryan Liang <[email protected]>
  • Loading branch information
RyanL1997 committed Aug 23, 2023
1 parent c1a825b commit e1021c2
Show file tree
Hide file tree
Showing 5 changed files with 16 additions and 35 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -1119,23 +1119,6 @@ public Settings additionalSettings() {
}
return builder.build();
}
// CS-SUPPRESS-SINGLE: RegexpSingleline get Extensions Settings

@Override
public List<Setting<?>> getExtensionSettings() {
List<Setting<?>> extensionSettings = new ArrayList<Setting<?>>();

extensionSettings.add(
Setting.boolSetting(
ConfigConstants.EXTENSIONS_BWC_PLUGIN_MODE,
ConfigConstants.EXTENSIONS_BWC_PLUGIN_MODE_DEFAULT,
Property.ExtensionScope,
Property.Final
)
);
return extensionSettings;
}
// CS-ENFORCE-SINGLE:

@Override
public List<Setting<?>> getSettings() {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -135,6 +135,10 @@ public void accept(RestChannel channel) throws Exception {
.map(value -> Math.min(value, OBO_MAX_EXPIRY_SECONDS)) // Max duration seconds are 600
.orElse(OBO_DEFAULT_EXPIRY_SECONDS); // Fallback to default

final Boolean roleSecurityMode = Optional.ofNullable(requestBody.get("roleSecurityMode"))
.map(value -> (Boolean) value)
.orElse(false); // Default to false if null

final String service = (String) requestBody.getOrDefault("service", "self-issued");
final User user = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
Set<String> mappedRoles = mapRoles(user, /*Do not include host based mappings*/ null);
Expand All @@ -148,7 +152,8 @@ public void accept(RestChannel channel) throws Exception {
service,
tokenDuration,
mappedRoles.stream().collect(Collectors.toList()),
user.getRoles().stream().collect(Collectors.toList())
user.getRoles().stream().collect(Collectors.toList()),
roleSecurityMode
);
builder.field("authenticationToken", token);
builder.field("durationSeconds", tokenDuration);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -608,7 +608,7 @@ private User impersonate(final RestRequest request, final User originalUser) thr
for (final AuthDomain authDomain : restAuthDomains) {
final AuthenticationBackend authenticationBackend = authDomain.getBackend();

//Skip over the OnBehalfOfAuthenticator since it is not compatible for user impersonation
// Skip over the OnBehalfOfAuthenticator since it is not compatible for user impersonation
if (authDomain.getHttpAuthenticator() instanceof OnBehalfOfAuthenticator) {
continue;
}
Expand Down
13 changes: 3 additions & 10 deletions src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,6 @@

import org.opensearch.common.settings.Settings;
import org.opensearch.security.ssl.util.ExceptionUtils;
import org.opensearch.security.support.ConfigConstants;

public class JwtVendor {
private static final Logger logger = LogManager.getLogger(JwtVendor.class);
Expand All @@ -42,7 +41,6 @@ public class JwtVendor {
private final JsonWebKey signingKey;
private final JoseJwtProducer jwtProducer;
private final LongSupplier timeProvider;
private final Boolean bwcModeEnabled;
private final EncryptionDecryptionUtil encryptionDecryptionUtil;

public JwtVendor(final Settings settings, final Optional<LongSupplier> timeProvider) {
Expand All @@ -64,12 +62,6 @@ public JwtVendor(final Settings settings, final Optional<LongSupplier> timeProvi
} else {
this.timeProvider = () -> System.currentTimeMillis() / 1000;
}
// CS-SUPPRESS-SINGLE: RegexpSingleline get Extensions Settings
this.bwcModeEnabled = settings.getAsBoolean(
ConfigConstants.EXTENSIONS_BWC_PLUGIN_MODE,
ConfigConstants.EXTENSIONS_BWC_PLUGIN_MODE_DEFAULT
);
// CS-ENFORCE-SINGLE
}

/*
Expand Down Expand Up @@ -114,7 +106,8 @@ public String createJwt(
String audience,
Integer expirySeconds,
List<String> roles,
List<String> backendRoles
List<String> backendRoles,
Boolean roleSecruityMode
) throws Exception {
final long nowAsMillis = timeProvider.getAsLong();
final Instant nowAsInstant = Instant.ofEpochMilli(timeProvider.getAsLong());
Expand Down Expand Up @@ -147,7 +140,7 @@ public String createJwt(
throw new Exception("Roles cannot be null");
}

if (bwcModeEnabled && backendRoles != null) {
if (roleSecruityMode && backendRoles != null) {
String listOfBackendRoles = String.join(",", backendRoles);
jwtClaims.setProperty("br", listOfBackendRoles);
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ public void testCreateJwtWithRoles() throws Exception {
Long expectedExp = currentTime.getAsLong() + expirySeconds;

JwtVendor jwtVendor = new JwtVendor(settings, Optional.of(currentTime));
String encodedJwt = jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, backendRoles);
String encodedJwt = jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, backendRoles, false);

JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(encodedJwt);
JwtToken jwt = jwtConsumer.getJwtToken();
Expand All @@ -84,7 +84,7 @@ public void testCreateJwtWithRoles() throws Exception {
}

@Test
public void testCreateJwtWithBackwardsCompatibilityMode() throws Exception {
public void testCreateJwtWithRoleSecurityMode() throws Exception {
String issuer = "cluster_0";
String subject = "admin";
String audience = "audience_0";
Expand All @@ -104,7 +104,7 @@ public void testCreateJwtWithBackwardsCompatibilityMode() throws Exception {
Long expectedExp = currentTime.getAsLong() + expirySeconds;

JwtVendor jwtVendor = new JwtVendor(settings, Optional.of(currentTime));
String encodedJwt = jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, backendRoles);
String encodedJwt = jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, backendRoles, true);

JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(encodedJwt);
JwtToken jwt = jwtConsumer.getJwtToken();
Expand Down Expand Up @@ -134,7 +134,7 @@ public void testCreateJwtWithBadExpiry() {

Throwable exception = Assert.assertThrows(RuntimeException.class, () -> {
try {
jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, List.of());
jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, List.of(), false);
} catch (Exception e) {
throw new RuntimeException(e);
}
Expand All @@ -154,7 +154,7 @@ public void testCreateJwtWithBadEncryptionKey() {

Throwable exception = Assert.assertThrows(RuntimeException.class, () -> {
try {
new JwtVendor(settings, Optional.empty()).createJwt(issuer, subject, audience, expirySeconds, roles, List.of());
new JwtVendor(settings, Optional.empty()).createJwt(issuer, subject, audience, expirySeconds, roles, List.of(), false);
} catch (Exception e) {
throw new RuntimeException(e);
}
Expand All @@ -175,7 +175,7 @@ public void testCreateJwtWithBadRoles() {

Throwable exception = Assert.assertThrows(RuntimeException.class, () -> {
try {
jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, List.of());
jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, List.of(), false);
} catch (Exception e) {
throw new RuntimeException(e);
}
Expand Down

0 comments on commit e1021c2

Please sign in to comment.