Refactor the OBO Authenticator part2
Signed-off-by: Ryan Liang <jiallian@amazon.com>
RyanL1997 committed Aug 22, 2023
1 parent e52c5ce commit 9ce36dc
Showing 1 changed file with 36 additions and 29 deletions.
Expand Up @@ -16,7 +16,6 @@
import java.util.Arrays;
import java.util.List;
import java.util.Map.Entry;
import java.util.Objects;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
Expand Down Expand Up @@ -136,7 +135,7 @@ public AuthCredentials run() {

private AuthCredentials extractCredentials0(final RestRequest request) {
if (!oboEnabled) {
log.error("On-behalf-of authentication has been disabled");
log.error("On-behalf-of authentication is disabled");
return null;

}

Expand All @@ -145,53 +144,33 @@ private AuthCredentials extractCredentials0(final RestRequest request) {
return null;

}

String jwtToken = request.header(HttpHeaders.AUTHORIZATION);

if (jwtToken == null || jwtToken.length() == 0) {
if (log.isDebugEnabled()) {
log.debug("No JWT token found in '{}' header", HttpHeaders.AUTHORIZATION);
}
String jwtToken = extractJwtFromHeader(request);

if (jwtToken == null) {
return null;

}

if (!BEARER.matcher(jwtToken).matches()) {
jwtToken = null;
}

if (jwtToken != null && Pattern.compile(BEARER_PREFIX).matcher(jwtToken.toLowerCase()).find()) {
jwtToken = jwtToken.substring(jwtToken.toLowerCase().indexOf(BEARER_PREFIX) + BEARER_PREFIX.length());
} else {
if (log.isDebugEnabled()) {
log.debug("No Bearer scheme found in header");
}
}

if (jwtToken == null) {
if (!isAllowedRequest(request)) {
return null;

}

try {
if (!isAllowedRequest(request)) {
return null;
}

final Claims claims = jwtParser.parseClaimsJws(jwtToken).getBody();


final String subject = claims.getSubject();

if (Objects.isNull(subject)) {
if (subject == null) {
log.error("Valid jwt on behalf of token with no subject");
return null;

}

final String audience = claims.getAudience();

if (Objects.isNull(audience)) {
if (audience == null) {
log.error("Valid jwt on behalf of token with no audience");
return null;

}

final String issuer = claims.getIssuer();

if (!issuer.equals(clusterName)) {
log.error("This issuer of this OBO does not match the current cluster identifier");
log.error("The issuer of this OBO does not match the current cluster identifier");
return null;

}

Expand All @@ -208,13 +187,41 @@ private AuthCredentials extractCredentials0(final RestRequest request) {

} catch (WeakKeyException e) {
log.error("Cannot authenticate user with JWT because of ", e);
return null;
} catch (Exception e) {

if (log.isDebugEnabled()) {
log.debug("Invalid or expired JWT token.", e);

}
}


return null;

}

private String extractJwtFromHeader(RestRequest request) {
String jwtToken = request.header(HttpHeaders.AUTHORIZATION);


if (jwtToken == null || jwtToken.isEmpty()) {
logDebug("No JWT token found in '{}' header", HttpHeaders.AUTHORIZATION);
return null;

}

if (!BEARER.matcher(jwtToken).matches()) {
return null;

}

if (jwtToken.toLowerCase().contains(BEARER_PREFIX)) {
jwtToken = jwtToken.substring(jwtToken.toLowerCase().indexOf(BEARER_PREFIX) + BEARER_PREFIX.length());

} else {
logDebug("No Bearer scheme found in header");
return null;

}

return jwtToken;

}

private void logDebug(String message, Object... args) {
if (log.isDebugEnabled()) {
log.debug(message, args);

}
}


public Boolean isAllowedRequest(final RestRequest request) {
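Review bot: In extractJwtFromHeader, the scheme check `if (jwtToken.toLowerCase().contains(BEARER_PREFIX))` and the `indexOf`-based substring accept the prefix anywhere in the header value rather than only as the leading scheme, and they depend on the default-locale `toLowerCase()`; presumably the preceding `BEARER.matcher(jwtToken).matches()` already anchors the scheme at the start, but BEARER is defined outside this section so that cannot be confirmed here. An anchored, locale-independent check makes the intent explicit and drops the redundant scan: `if (!jwtToken.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) { logDebug("No Bearer scheme found in header"); return null; }` followed by `jwtToken = jwtToken.substring(BEARER_PREFIX.length());`. Separately, it is not clear from the rendered page whether `isAllowedRequest(request)` still runs when no bearer token is present — the removed lines consulted it in exactly that case, while the new flow returns null from extractCredentials0 as soon as extractJwtFromHeader yields null — and since isAllowedRequest's body lies outside this section, that ordering is worth confirming against the intended allow-list semantics. Finally, the generic `catch (Exception e)` records a rejected token (bad signature, expiry) only at debug level; a warn-level message that omits the token value would let operators see rejected OBO attempts without enabling debug logging.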
