diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index edd04862ea..6f906d2a5e 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -1119,23 +1119,6 @@ public Settings additionalSettings() {
         }
         return builder.build();
     }
-    // CS-SUPPRESS-SINGLE: RegexpSingleline get Extensions Settings
-
-    @Override
-    public List> getExtensionSettings() {
-        List> extensionSettings = new ArrayList>();
-
-        extensionSettings.add(
-            Setting.boolSetting(
-                ConfigConstants.EXTENSIONS_BWC_PLUGIN_MODE,
-                ConfigConstants.EXTENSIONS_BWC_PLUGIN_MODE_DEFAULT,
-                Property.ExtensionScope,
-                Property.Final
-            )
-        );
-        return extensionSettings;
-    }
-    // CS-ENFORCE-SINGLE:
 
     @Override
     public List> getSettings() {
diff --git a/src/main/java/org/opensearch/security/action/onbehalf/CreateOnBehalfOfTokenAction.java b/src/main/java/org/opensearch/security/action/onbehalf/CreateOnBehalfOfTokenAction.java
index 15936eb4b7..5ffdfa8552 100644
--- a/src/main/java/org/opensearch/security/action/onbehalf/CreateOnBehalfOfTokenAction.java
+++ b/src/main/java/org/opensearch/security/action/onbehalf/CreateOnBehalfOfTokenAction.java
@@ -135,6 +135,10 @@ public void accept(RestChannel channel) throws Exception {
             .map(value -> Math.min(value, OBO_MAX_EXPIRY_SECONDS)) // Max duration seconds are 600
             .orElse(OBO_DEFAULT_EXPIRY_SECONDS); // Fallback to default
 
+        final Boolean roleSecurityMode = Optional.ofNullable(requestBody.get("roleSecurityMode"))
+            .map(value -> (Boolean) value)
+            .orElse(false); // Default to false if null
+
         final String service = (String) requestBody.getOrDefault("service", "self-issued");
         final User user = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
         Set mappedRoles = mapRoles(user, /*Do not include host based mappings*/ null);
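Review bot: The new `roleSecurityMode` lookup in hunk @@ -135 applies an unchecked `(Boolean) value` cast to a value taken straight from the request body, so a client that sends the field as a string or number (e.g. `"roleSecurityMode": "true"`) raises a ClassCastException out of `accept` instead of receiving a bad-request response; the existing `(String)` cast for `service` two lines below has the same shape, but this hunk adds a second instance on a flag that decides whether backend roles are written into the issued token. Guard the type before casting, e.g. `.filter(Boolean.class::isInstance).map(Boolean.class::cast)`, or reject a present-but-non-boolean value explicitly with whatever error path `accept` already uses for malformed input (not visible in this hunk). Since `.orElse(false)` guarantees a non-null result, the local can be a primitive `boolean`, which also avoids boxing at the `createJwt` call in the next hunk. The `accept` method starts and ends outside this hunk.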
@@ -148,7 +152,8 @@ public void accept(RestChannel channel) throws Exception {
                 service,
                 tokenDuration,
                 mappedRoles.stream().collect(Collectors.toList()),
-                user.getRoles().stream().collect(Collectors.toList())
+                user.getRoles().stream().collect(Collectors.toList()),
+                roleSecurityMode
             );
             builder.field("authenticationToken", token);
             builder.field("durationSeconds", tokenDuration);
diff --git a/src/main/java/org/opensearch/security/auth/BackendRegistry.java b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
index 4de8d4da79..c16f90fb6a 100644
--- a/src/main/java/org/opensearch/security/auth/BackendRegistry.java
+++ b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
@@ -608,7 +608,7 @@ private User impersonate(final RestRequest request, final User originalUser) thr
         for (final AuthDomain authDomain : restAuthDomains) {
             final AuthenticationBackend authenticationBackend = authDomain.getBackend();
 
-            //Skip over the OnBehalfOfAuthenticator since it is not compatible for user impersonation
+            // Skip over the OnBehalfOfAuthenticator since it is not compatible for user impersonation
             if (authDomain.getHttpAuthenticator() instanceof OnBehalfOfAuthenticator) {
                 continue;
             }
diff --git a/src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java b/src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java
index c798386379..c87db61e1c 100644
--- a/src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java
+++ b/src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java
@@ -31,7 +31,6 @@
 
 import org.opensearch.common.settings.Settings;
 import org.opensearch.security.ssl.util.ExceptionUtils;
-import org.opensearch.security.support.ConfigConstants;
 
 public class JwtVendor {
     private static final Logger logger = LogManager.getLogger(JwtVendor.class);
@@ -42,7 +41,6 @@ public class JwtVendor {
     private final JsonWebKey signingKey;
     private final JoseJwtProducer jwtProducer;
     private final LongSupplier timeProvider;
-    private final Boolean bwcModeEnabled;
     private final EncryptionDecryptionUtil encryptionDecryptionUtil;
 
     public JwtVendor(final Settings settings, final Optional timeProvider) {
@@ -64,12 +62,6 @@ public JwtVendor(final Settings settings, final Optional timeProvi
         } else {
             this.timeProvider = () -> System.currentTimeMillis() / 1000;
         }
-        // CS-SUPPRESS-SINGLE: RegexpSingleline get Extensions Settings
-        this.bwcModeEnabled = settings.getAsBoolean(
-            ConfigConstants.EXTENSIONS_BWC_PLUGIN_MODE,
-            ConfigConstants.EXTENSIONS_BWC_PLUGIN_MODE_DEFAULT
-        );
-        // CS-ENFORCE-SINGLE
     }
 
     /*
@@ -114,7 +106,8 @@ public String createJwt(
         String audience,
         Integer expirySeconds,
         List roles,
-        List backendRoles
+        List backendRoles,
+        Boolean roleSecruityMode
     ) throws Exception {
         final long nowAsMillis = timeProvider.getAsLong();
         final Instant nowAsInstant = Instant.ofEpochMilli(timeProvider.getAsLong());
@@ -147,7 +140,7 @@ public String createJwt(
             throw new Exception("Roles cannot be null");
         }
 
-        if (bwcModeEnabled && backendRoles != null) {
+        if (roleSecruityMode && backendRoles != null) {
             String listOfBackendRoles = String.join(",", backendRoles);
             jwtClaims.setProperty("br", listOfBackendRoles);
         }
diff --git a/src/test/java/org/opensearch/security/authtoken/jwt/JwtVendorTest.java b/src/test/java/org/opensearch/security/authtoken/jwt/JwtVendorTest.java
index 006f6ebc8d..9e5d311c0b 100644
--- a/src/test/java/org/opensearch/security/authtoken/jwt/JwtVendorTest.java
+++ b/src/test/java/org/opensearch/security/authtoken/jwt/JwtVendorTest.java
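Review bot: The new parameter is spelled `roleSecruityMode` in both the signature (hunk @@ -114) and the condition (hunk @@ -147), while the caller and the tests use `roleSecurityMode`; rename it before the public signature is relied on elsewhere. It is also declared as the boxed `Boolean`, so a caller passing `null` fails with an unboxing NullPointerException at `if (roleSecruityMode && backendRoles != null)` rather than the explicit `Exception` the surrounding checks throw for missing roles; declaring it `boolean roleSecurityMode` closes that gap, or, if the boxed type is kept for the call site, add `if (roleSecurityMode == null) throw new Exception("roleSecurityMode cannot be null");` next to the roles check. The comment block above `createJwt` (outside the hunk) should state that when the flag is true the backend roles are serialized into the `br` claim of the issued token, since that is the only behaviour the flag controls here. `createJwt` starts and ends outside these hunks.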
@@ -67,7 +67,7 @@ public void testCreateJwtWithRoles() throws Exception {
         Long expectedExp = currentTime.getAsLong() + expirySeconds;
 
         JwtVendor jwtVendor = new JwtVendor(settings, Optional.of(currentTime));
-        String encodedJwt = jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, backendRoles);
+        String encodedJwt = jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, backendRoles, false);
         JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(encodedJwt);
         JwtToken jwt = jwtConsumer.getJwtToken();
@@ -84,7 +84,7 @@ public void testCreateJwtWithRoles() throws Exception {
     }
 
     @Test
-    public void testCreateJwtWithBackwardsCompatibilityMode() throws Exception {
+    public void testCreateJwtWithRoleSecurityMode() throws Exception {
         String issuer = "cluster_0";
         String subject = "admin";
         String audience = "audience_0";
@@ -104,7 +104,7 @@ public void testCreateJwtWithBackwardsCompatibilityMode() throws Exception {
         Long expectedExp = currentTime.getAsLong() + expirySeconds;
 
         JwtVendor jwtVendor = new JwtVendor(settings, Optional.of(currentTime));
-        String encodedJwt = jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, backendRoles);
+        String encodedJwt = jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, backendRoles, true);
         JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(encodedJwt);
         JwtToken jwt = jwtConsumer.getJwtToken();
@@ -134,7 +134,7 @@ public void testCreateJwtWithBadExpiry() {
 
         Throwable exception = Assert.assertThrows(RuntimeException.class, () -> {
             try {
-                jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, List.of());
+                jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, List.of(), false);
             } catch (Exception e) {
                 throw new RuntimeException(e);
             }
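Review bot: `testCreateJwtWithRoles` (hunk @@ -67) now passes `false` while still supplying a non-empty `backendRoles`, but nothing in the hunk asserts that the resulting token carries no `br` claim, which is exactly the behaviour the flag is supposed to switch off; if the assertions further down (outside the hunk) do not already check it, `Assert.assertNull(jwt.getClaim("br"));` would pin it, and the renamed `testCreateJwtWithRoleSecurityMode` (hunk @@ -104) should assert the complementary `Assert.assertNotNull(jwt.getClaim("br"));`. None of the updated call sites passes `null` for the new `Boolean` parameter, so the unboxing path in `createJwt` stays uncovered. Each test method starts and ends outside its hunk.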
@@ -154,7 +154,7 @@ public void testCreateJwtWithBadEncryptionKey() {
 
         Throwable exception = Assert.assertThrows(RuntimeException.class, () -> {
             try {
-                new JwtVendor(settings, Optional.empty()).createJwt(issuer, subject, audience, expirySeconds, roles, List.of());
+                new JwtVendor(settings, Optional.empty()).createJwt(issuer, subject, audience, expirySeconds, roles, List.of(), false);
             } catch (Exception e) {
                 throw new RuntimeException(e);
             }
@@ -175,7 +175,7 @@ public void testCreateJwtWithBadRoles() {
 
         Throwable exception = Assert.assertThrows(RuntimeException.class, () -> {
             try {
-                jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, List.of());
+                jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, List.of(), false);
             } catch (Exception e) {
                 throw new RuntimeException(e);
             }