Made LdapUser class unneccessary by introducing AuthenticationContext

Signed-off-by: Nils Bandener <[email protected]>

Author: nibix

src/main/java/com/amazon/dlic/auth/ldap/LdapUser.java

@@ -11,22 +11,7 @@
 
 package com.amazon.dlic.auth.ldap;
 
-import java.io.IOException;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.Map;
-
-import com.google.common.collect.ImmutableSet;
-
-import org.opensearch.core.common.io.stream.StreamInput;
-import org.opensearch.core.common.io.stream.StreamOutput;
-import org.opensearch.security.auth.ldap.util.Utils;
-import org.opensearch.security.support.WildcardMatcher;
-import org.opensearch.security.user.AuthCredentials;
-import org.opensearch.security.user.User;
-
-import org.ldaptive.LdapAttribute;
-import org.ldaptive.LdapEntry;
+import org.opensearch.security.user.serialized.User;
 
 /**
  * This class intentionally remains in the com.amazon.dlic.auth.ldap package
@@ -42,78 +27,10 @@
 public class LdapUser extends User {
 
     private static final long serialVersionUID = 1L;
-    private final transient LdapEntry userEntry;
     private final String originalUsername;
 
-    public LdapUser(
-        final String name,
-        String originalUsername,
-        final LdapEntry userEntry,
-        final AuthCredentials credentials,
-        int customAttrMaxValueLen,
-        WildcardMatcher allowlistedCustomLdapAttrMatcher
-    ) {
-        super(name, ImmutableSet.of(), credentials);
-        this.originalUsername = originalUsername;
-        this.userEntry = userEntry;
-        Map<String, String> attributes = getCustomAttributesMap();
-        // TODO
-        attributes.putAll(extractLdapAttributes(originalUsername, userEntry, customAttrMaxValueLen, allowlistedCustomLdapAttrMatcher));
-    }
-
-    public LdapUser(StreamInput in) throws IOException {
-        super(in);
-        userEntry = null;
-        originalUsername = in.readString();
-    }
-
-    /**
-     * May return null because ldapEntry is transient
-     *
-     * @return ldapEntry or null if object was deserialized
-     */
-    public LdapEntry getUserEntry() {
-        return userEntry;
-    }
-
-    public String getDn() {
-        return userEntry.getDn();
-    }
-
-    public String getOriginalUsername() {
-        return originalUsername;
-    }
-
-    public static Map<String, String> extractLdapAttributes(
-        String originalUsername,
-        final LdapEntry userEntry,
-        int customAttrMaxValueLen,
-        WildcardMatcher allowlistedCustomLdapAttrMatcher
-    ) {
-        Map<String, String> attributes = new HashMap<>();
-        attributes.put("ldap.original.username", originalUsername);
-        attributes.put("ldap.dn", userEntry.getDn());
-
-        if (customAttrMaxValueLen > 0) {
-            for (LdapAttribute attr : userEntry.getAttributes()) {
-                if (attr != null && !attr.isBinary() && !attr.getName().toLowerCase().contains("password")) {
-                    final String val = Utils.getSingleStringValue(attr);
-                    // only consider attributes which are not binary and where its value is not
-                    // longer than customAttrMaxValueLen characters
-                    if (val != null && val.length() > 0 && val.length() <= customAttrMaxValueLen) {
-                        if (allowlistedCustomLdapAttrMatcher.test(attr.getName())) {
-                            attributes.put("attr.ldap." + attr.getName(), val);
-                        }
-                    }
-                }
-            }
-        }
-        return Collections.unmodifiableMap(attributes);
-    }
-
-    @Override
-    public void writeTo(StreamOutput out) throws IOException {
-        super.writeTo(out);
-        out.writeString(originalUsername);
+    public LdapUser(org.opensearch.security.user.User user) {
+        super(user);
+        this.originalUsername = null;
     }
 }

src/main/java/org/opensearch/security/auth/AuthenticationBackend.java

@@ -59,11 +59,10 @@ public interface AuthenticationBackend {
      * <p/>
      * Results of this method are normally cached so that we not need to query the backend for every authentication attempt.
      * <p/>
-     * @param The credentials to be validated, never null
+     * @param context The context of this authentication; contains the auth credentials
      * @return the authenticated User, never null
      * @throws OpenSearchSecurityException in case an authentication failure
      * (when credentials are incorrect, the user does not exist or the backend is not reachable)
      */
-    User authenticate(AuthCredentials credentials) throws OpenSearchSecurityException;
-
+    User authenticate(AuthenticationContext context) throws OpenSearchSecurityException;
 }

src/main/java/org/opensearch/security/auth/AuthenticationContext.java

@@ -0,0 +1,48 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.security.auth;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Optional;
+
+import org.opensearch.security.user.AuthCredentials;
+
+/**
+ * This class allows HTTPAuthenticators and authentication backends to provide context data to authorization backends.
+ * This is especially useful for siblings of authentication backends and authorization backends (like LDAP authc and
+ * LDAP authz) to pass data which is specific to the auth type (like the LDAP user entry).
+ * <p>
+ * This allows to abolish specialized sub-classes of the User object (like LdapUser).
+ */
+public class AuthenticationContext {
+    private final AuthCredentials credentials;
+    private final Map<Class<?>, Object> contextData = new HashMap<>();
+
+    public AuthenticationContext(AuthCredentials credentials) {
+        this.credentials = credentials;
+    }
+
+    public <T> void addContextData(Class<T> contextDataType, T contextDataObject) {
+        this.contextData.put(contextDataType, contextDataObject);
+    }
+
+    public <T> Optional<T> getContextData(Class<T> contextDataType) {
+        @SuppressWarnings("unchecked")
+        T result = (T) this.contextData.get(contextDataType);
+        return Optional.ofNullable(result);
+    }
+
+    public AuthCredentials getCredentials() {
+        return credentials;
+    }
+}

src/main/java/org/opensearch/security/auth/AuthorizationBackend.java

@@ -27,7 +27,6 @@
 package org.opensearch.security.auth;
 
 import org.opensearch.OpenSearchSecurityException;
-import org.opensearch.security.user.AuthCredentials;
 import org.opensearch.security.user.User;
 
 /**
@@ -60,11 +59,11 @@ public interface AuthorizationBackend {
      * Add them by calling either {@code user.addRole()} or {@code user.addRoles()}
      * </P>
      * @param user The authenticated user to populate with backend roles, never null
-     * @param credentials Credentials to authenticate to the authorization backend, maybe null.
+     * @param context Context data specific to the request that is currently processed.
      * <em>This parameter is for future usage, currently always empty credentials are passed!</em>
      * @throws OpenSearchSecurityException in case when the authorization backend cannot be reached
      * or the {@code credentials} are insufficient to authenticate to the authorization backend.
      */
-    User addRoles(User user, AuthCredentials credentials) throws OpenSearchSecurityException;
+    User addRoles(User user, AuthenticationContext context) throws OpenSearchSecurityException;
 
 }

src/main/java/org/opensearch/security/auth/BackendRegistry.java

@@ -528,7 +528,9 @@ public User call() throws Exception {
 
                     Optional<User> impersonatedUser = impersonationBackend.impersonate(user);
                     if (impersonatedUser.isPresent()) {
-                        return authz(impersonatedUser.get(), null, authorizers); // no role cache because no miss here in case of noop
+                        AuthenticationContext context = new AuthenticationContext(new AuthCredentials(user.getName()));
+                        return authz(context, impersonatedUser.get(), null, authorizers); // no role cache because no miss here in case of
+                                                                                          // noop
                     }
 
                     if (isDebugEnabled) {
@@ -545,7 +547,12 @@ public User call() throws Exception {
         }
     }
 
-    private User authz(User authenticatedUser, Cache<User, Set<String>> roleCache, final Set<AuthorizationBackend> authorizers) {
+    private User authz(
+        AuthenticationContext context,
+        User authenticatedUser,
+        Cache<User, Set<String>> roleCache,
+        final Set<AuthorizationBackend> authorizers
+    ) {
 
         if (authenticatedUser == null) {
             return authenticatedUser;
@@ -575,7 +582,7 @@ private User authz(User authenticatedUser, Cache<User, Set<String>> roleCache, f
                     );
                 }
 
-                authenticatedUser = ab.addRoles(authenticatedUser, new AuthCredentials(authenticatedUser.getName()));
+                authenticatedUser = ab.addRoles(authenticatedUser, context);
             } catch (Exception e) {
                 log.error("Cannot retrieve roles for {} from {} due to {}", authenticatedUser, ab.getType(), e.toString(), e);
             }
@@ -603,13 +610,16 @@ private User authcz(
         if (ac == null) {
             return null;
         }
+
+        AuthenticationContext context = new AuthenticationContext(ac);
+
         try {
 
             // noop backend configured and no authorizers
             // that mean authc and authz was completely done via HTTP (like JWT or PKI)
             if (authBackend.getClass() == NoOpAuthenticationBackend.class && authorizers.isEmpty()) {
                 // no cache
-                return authBackend.authenticate(ac);
+                return authBackend.authenticate(context);
             }
 
             return cache.get(ac, new Callable<User>() {
@@ -622,8 +632,8 @@ public User call() throws Exception {
                             authBackend.getType()
                         );
                     }
-                    final User authenticatedUser = authBackend.authenticate(ac);
-                    return authz(authenticatedUser, roleCache, authorizers);
+                    final User authenticatedUser = authBackend.authenticate(context);
+                    return authz(context, authenticatedUser, roleCache, authorizers);
                 }
             });
         } catch (Exception e) {

src/main/java/org/opensearch/security/auth/internal/InternalAuthenticationBackend.java

@@ -39,6 +39,7 @@
 
 import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.security.auth.AuthenticationBackend;
+import org.opensearch.security.auth.AuthenticationContext;
 import org.opensearch.security.auth.AuthorizationBackend;
 import org.opensearch.security.auth.ImpersonationBackend;
 import org.opensearch.security.hasher.PasswordHasher;
@@ -98,7 +99,8 @@ public boolean passwordMatchesHash(String hash, char[] array) {
     }
 
     @Override
-    public User authenticate(final AuthCredentials credentials) {
+    public User authenticate(AuthenticationContext context) {
+        AuthCredentials credentials = context.getCredentials();
 
         boolean userExists;
 
@@ -159,7 +161,7 @@ public String getType() {
     }
 
     @Override
-    public User addRoles(User user, AuthCredentials credentials) throws OpenSearchSecurityException {
+    public User addRoles(User user, AuthenticationContext context) throws OpenSearchSecurityException {
         if (internalUsersModel == null) {
             throw new OpenSearchSecurityException(
                 "Internal authentication backend not configured. May be OpenSearch Security is not initialized."

src/main/java/org/opensearch/security/auth/internal/NoOpAuthenticationBackend.java

@@ -33,6 +33,7 @@
 
 import org.opensearch.common.settings.Settings;
 import org.opensearch.security.auth.AuthenticationBackend;
+import org.opensearch.security.auth.AuthenticationContext;
 import org.opensearch.security.user.AuthCredentials;
 import org.opensearch.security.user.User;
 
@@ -48,7 +49,8 @@ public String getType() {
     }
 
     @Override
-    public User authenticate(final AuthCredentials credentials) {
+    public User authenticate(AuthenticationContext context) {
+        AuthCredentials credentials = context.getCredentials();
         return new User(
             credentials.getUsername(),
             ImmutableSet.copyOf(credentials.getBackendRoles()),

src/main/java/org/opensearch/security/auth/internal/NoOpAuthorizationBackend.java

@@ -29,8 +29,8 @@
 import java.nio.file.Path;
 
 import org.opensearch.common.settings.Settings;
+import org.opensearch.security.auth.AuthenticationContext;
 import org.opensearch.security.auth.AuthorizationBackend;
-import org.opensearch.security.user.AuthCredentials;
 import org.opensearch.security.user.User;
 
 public class NoOpAuthorizationBackend implements AuthorizationBackend {
@@ -45,7 +45,7 @@ public String getType() {
     }
 
     @Override
-    public User addRoles(User user, AuthCredentials credentials) {
+    public User addRoles(User user, AuthenticationContext context) {
         return user;
     }
 }