Implements token handlers and tests #2787
Implements token handlers and tests #2787stephen-crawford wants to merge 3 commits intoopensearch-project:mainfrom
Conversation
stephen-crawford
requested review from
DarshitChanpura,
RyanL1997,
cliu123,
cwperks,
davidlago,
peternied and
reta
as code owners
RyanL1997
left a comment
RyanL1997
left a comment
There was a problem hiding this comment.
Hi @scrawfor99, thank you for putting this together. I just left some general questions and also some notes related to the part I built for future reference.
|
|
||
| @Test | ||
| public void testIssueTokenWithValidAccount() throws IOException { | ||
| when(userService.generateAuthToken("test")).thenReturn("Basic dGVzdDp0ZTpzdA=="); // test:te:st |
There was a problem hiding this comment.
Just for my understanding what is meaning of this comment? Is this like the ${username}:${password}?
There was a problem hiding this comment.
Oh nvm I think I saw that at the below lines. :D
|
|
||
| String jwsToken = Jwts.builder().setSubject("Leonard McCoy").signWith(secretKey, SignatureAlgorithm.HS512).compact(); | ||
|
|
||
| HTTPJwtAuthenticator jwtAuth = new HTTPJwtAuthenticator(settings, null); |
There was a problem hiding this comment.
This will be fixed on the next sync up with main branch. It should be change to the testing case of HTTPOnBehalfOfAuthenticator() for testing.
| @Test | ||
| public void testBasicAuthHeader() throws Exception { | ||
| Settings settings = Settings.builder().put("signing_key", BaseEncoding.base64().encode(secretKeyBytes)).build(); | ||
| HTTPJwtAuthenticator jwtAuth = new HTTPJwtAuthenticator(settings, null); |
| import org.junit.Assert; | ||
| import org.junit.Test; | ||
|
|
||
| import com.amazon.dlic.auth.http.jwt.HTTPJwtAuthenticator; |
There was a problem hiding this comment.
This was a mistake. And it will be fixed at the next sync with main branch.
| return SecurityAdmin.execute(commandLineArguments); | ||
| } | ||
|
|
||
| public int updateConfig(File configFile) throws Exception { |
There was a problem hiding this comment.
Just for my knowledge, why we need to modify the AdminLauncher?
| mismatchDescription | ||
| .appendText("Response contains settings of indices: ") | ||
| .appendValue(indexToSettings.keySet()); | ||
| .appendValue(indexToSettings.keySet().toArray()); |
|
|
||
| @Override | ||
| public Subject getSubject() { | ||
| return null; |
There was a problem hiding this comment.
should we return some form of NoOp subject here instead of null?
|
|
||
|
|
||
| saveAndUpdateConfigs(this.securityIndexName,client, CType.INTERNALUSERS, internalUsersConfiguration, new OnSucessActionListener<IndexResponse>(channel) { | ||
| saveAndUpdateConfigs(this.securityIndexName,client, CType.INTERNALUSERS, internalUsersConfiguration, new OnSucessActionListener<>(channel) { |
There was a problem hiding this comment.
why remove "IndexResponse" here?
| if (!checkAndAuthenticateRequest(request, channel, client)) { | ||
| User user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER); | ||
| if (userIsSuperAdmin(user, adminDNs) || (whitelistingSettings.checkRequestIsAllowed(request, channel, client) && allowlistingSettings.checkRequestIsAllowed(request, channel, client))) { | ||
| //TODO: If the request is going to the ext, issue a JWT for authenticated user. |
There was a problem hiding this comment.
if it helps, you can create a stub method like this:
if (original instanceOf RestSendToExtensionAction) {
stubbedMethodToIssueJwt();
}
src/main/java/org/opensearch/security/identity/SecurityTokenManager.java
Outdated
Show resolved
Hide resolved
| } | ||
|
|
||
|
|
||
| public static class OnBehalfOf { |
There was a problem hiding this comment.
Do we need the class to be public?
|
|
||
| } | ||
|
|
||
| public static class OnBehalfOf { |
There was a problem hiding this comment.
same as above, do we need the class to be public?
| * @return configuration loaded with given CType data | ||
| */ | ||
| protected static final SecurityDynamicConfiguration<?> load(final CType config, boolean logComplianceEvent) { | ||
| protected final SecurityDynamicConfiguration<?> load(final CType config, boolean logComplianceEvent) { |
There was a problem hiding this comment.
why remove static non-access modifier here?
There was a problem hiding this comment.
Are using the term service-account and internal user interchangeably?
| System.out.println("IAT is : " + iat); | ||
| System.out.println("EXP is : " + exp); | ||
| System.out.println("Current time is : " + System.currentTimeMillis()); | ||
| System.out.println("Exists in revoked is: " + revokedTokens.exists(bearerAuthToken.getCompleteToken())); |
There was a problem hiding this comment.
You can remove this sys outs and replace them with log.info if/as necessary.
|
This is waiting for the merge to main from the feature branch. |
stephen-crawford
force-pushed
the
extensions
branch
from
a3af495 to
cacb0bb
Compare
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
|
@davidlago should I make this mergable and go forward with this or a similar approach or is someone else taking care of these efforts? |
|
Closing this. Can be added to work @RyanL1997 is doing on the feature branch. |
4 participants
Description
[Describe what this change achieves]
First introduces the feature branch into the main branch.
This PR introduces both internalUser and Security User (JWT) token handlers inside the security plugin. These handlers are managed by an overlying SecurityTokenManager class which sorts the token interaction requests coming from core.
These three managers work in concert to provide the required functionality of the Identity Plugin in core for Extensions to be live.
NOTE: This requires opensearch-project/OpenSearch#7452 to pass.
Testing
Adds three new test files with mocked tests for all methods.
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.