[Feature/Extension] Extension token handler

[RyanL1997]

Description

This PR is the refactor/modification based on @scrawfor99's previous PR(#2787) against main branch for Extension token handler. However, the scope of this PR is only for OBO related changes.

• Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)
  New Feature

Issues Resolved

• Pre-requisite Implement on behalf of token passing for extensions OpenSearch#8679
• Relate [META] On-Behalf-Of Authentication #2573
• Resolve Determine how auth tokens are forwarded to Extensions #2764

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov]

Codecov Report

Merging #3034 (8e1f399) into feature/extensions (058f8ec) will decrease coverage by 56.92%.
The diff coverage is 0.00%.

❗ Current head 8e1f399 differs from pull request most recent head 03a7875. Consider uploading reports for the commit 03a7875 to get more accurate results

@@                   Coverage Diff                    @@
##             feature/extensions   #3034       +/-   ##
========================================================
- Coverage                 62.38%   5.47%   -56.92%     
+ Complexity                 3390     222     -3168     
========================================================
  Files                       259     275       +16     
  Lines                     20044   20198      +154     
  Branches                   3371    3392       +21     
========================================================
- Hits                      12505    1105    -11400     
- Misses                     5888   18913    +13025     
+ Partials                   1651     180     -1471     

Files Changed	Coverage Δ
.../opensearch/security/OpenSearchSecurityPlugin.java	10.87% <0.00%> (-73.55%)	⬇️
...y/action/onbehalf/CreateOnBehalfOfTokenAction.java	0.00% <ø> (-28.82%)	⬇️
...security/dlic/rest/api/InternalUsersApiAction.java	0.00% <0.00%> (-64.08%)	⬇️
...g/opensearch/security/dlic/rest/support/Utils.java	0.00% <0.00%> (-54.66%)	⬇️
...search/security/identity/SecurityTokenManager.java	0.00% <0.00%> (ø)
...g/opensearch/security/securityconf/impl/CType.java	0.00% <0.00%> (-100.00%)	⬇️
...search/security/user/InternalUserTokenHandler.java	0.00% <0.00%> (ø)
...java/org/opensearch/security/user/UserService.java	0.00% <0.00%> (-50.87%)	⬇️
...org/opensearch/security/user/UserTokenHandler.java	0.00% <0.00%> (ø)

... and 230 files with indirect coverage changes

[RyanL1997]

Moving some of the communication between me and @scrawfor99 over here

1. The scope of this PR should only focus on the interface of issueOnBehalfOfToken(), reference to here.
2. For the changes that got carried over from Implements token handlers and tests  #2787, if the team thinks it is not in the scope of this PR, it is ok to remove them. I'm leaving them here for now cuz I think it is easier to continue the service account work from here.

[RyanL1997]

Adding some additional context here:

[RyanL1997]

The reason I make this validation is that I think we do have different expectations for obo tokens than the other bearer auth tokens. For obo tokens, according to its feature of just-in-time, we do expect the payload of iat and nbf have the same value.

[RyanL1997]

This is the idea that can be also applied for the potential approach of handling the edge cases of OBO endpoint (see comments). By having a token type as the identifier, it will be easier for us to know if it is a obo token or not so that we can have different expectations.

If we decide to go with this design, I will also update the threat model documentation

[RyanL1997]

If we choose to split the validations between obo tokens and other bearer auth tokens in this way, then I don't think we need this line here, since the revocation is not in the scope of obo token. (At least for now)

[cwperks]

@RyanL1997 There looks to be a lot more on this PR than an implementation of issueOnBehalfOfToken. Is everything in this PR needed for the issuance of obo tokens? Can we narrow the PR to the issuance of obo tokens and have a subsequent PR address the issuance of service account tokens?

[cwperks]

Can this variable be called tokenType?

Sometimes JWTs include a claim called jti that is a unique identifier for a token. In my experience, systems use jti to invalidate tokens since this identifier uniquely identifies a token.

[cwperks]

This class looks like its doing too much. In the PR description it mentions that this PR is for issueOnBehalfOfToken. Are all of these methods being utilized in this class?

[DarshitChanpura]

this should be removed. Check this PR for more details: https://github.com/opensearch-project/security/pull/3066/files

[DarshitChanpura]

Why add this catch block to then throw RuntimeException?

[DarshitChanpura]

we should extract: dcm.getDynamicOnBehalfOfSettings() to a variable

[DarshitChanpura]

why make this change?

[DarshitChanpura]

Is this class different that InternalUserTokenHandler in the sense that this class deals with actual user vs the other one deals with service accounts?
If so why not combine them into 1 class?

[DarshitChanpura]

can write this as: Map.of(JwtConstants.CLAIM_AUDIENCE, "ext_0");