Skip to content

OnBehalfOf authenticator and token generator#3179

Merged
peternied merged 2 commits intoopensearch-project:mainfrom
RyanL1997:merg-to-main
Aug 25, 2023
Merged

OnBehalfOf authenticator and token generator#3179
peternied merged 2 commits intoopensearch-project:mainfrom
RyanL1997:merg-to-main

Conversation

@RyanL1997
Copy link
Collaborator

@RyanL1997 RyanL1997 commented Aug 15, 2023
edited
Loading

Description

Merge OBO Authentication into 'main' branch

  • Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)
    New Feature

Major Components:

  • JwtVendor: assemble the jwt based OBO token.
  • OnBehalfOfAuthenticator: the authentication backend for validate OBO Token
  • CreateOnBehalfOfTokenAction: the endpoint of creation of OBO Token

Major Testing Components:

  • JwtVendorTest: Unit tests for JwtVendor
  • OnBehalfOfAuthenticatorTest: Unit tests for OBO authentication backend
  • OnBehalfOfAuthenticationTest: Integration test for OBO issuing endpoints

Issues Resolved

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@codecov
Copy link

codecov bot commented Aug 15, 2023
edited
Loading

Codecov Report

Merging #3179 (887f9fe) into main (ed61646) will increase coverage by 0.00%.
Report is 1 commits behind head on main.
The diff coverage is 66.29%.

Impacted file tree graph

@@            Coverage Diff             @@
##               main    #3179    +/-   ##
==========================================
  Coverage     62.51%   62.51%            
- Complexity     3353     3402    +49     
==========================================
  Files           254      259     +5     
  Lines         19732    20055   +323     
  Branches       3334     3370    +36     
==========================================
+ Hits          12336    12538   +202     
- Misses         5767     5866    +99     
- Partials       1629     1651    +22
Files Changed Coverage Δ
.../org/opensearch/security/auth/BackendRegistry.java 59.72% <0.00%> (-0.42%) ⬇️
...arch/security/securityconf/DynamicConfigModel.java 100.00% <ø> (ø)
...ch/security/securityconf/DynamicConfigModelV6.java 0.00% <0.00%> (ø)
...search/security/securityconf/impl/v6/ConfigV6.java 55.14% <0.00%> (-9.00%) ⬇️
...g/opensearch/security/ssl/util/ExceptionUtils.java 47.82% <0.00%> (-7.18%) ⬇️
...g/opensearch/security/support/ConfigConstants.java 94.73% <ø> (ø)
...y/action/onbehalf/CreateOnBehalfOfTokenAction.java 32.25% <32.25%> (ø)
...nsearch/security/http/OnBehalfOfAuthenticator.java 67.64% <67.64%> (ø)
...g/opensearch/security/authtoken/jwt/JwtVendor.java 75.75% <75.75%> (ø)
...search/security/securityconf/impl/v7/ConfigV7.java 76.96% <81.25%> (+0.39%) ⬆️
... and 9 more

cwperks
cwperks reviewed Aug 15, 2023
View reviewed changes
Copy link
Member

@cwperks cwperks left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @RyanL1997. I took a first pass at the review and left a few comments.

DarshitChanpura
DarshitChanpura reviewed Aug 17, 2023
View reviewed changes
Copy link
Member

@DarshitChanpura DarshitChanpura left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for putting together this PR and adding this feature. Took a detailed look. One generic comment is to add javadoc to the methods that were introduced in this PR.
Also, I apologize if I missed some of these in your PRs to feature branch.

DarshitChanpura
DarshitChanpura reviewed Aug 22, 2023
View reviewed changes
Copy link
Member

@DarshitChanpura DarshitChanpura left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks really close. Just a few comments. Also there are some codecov comments that might need addressing

@RyanL1997
Copy link
Collaborator Author

RyanL1997 commented Aug 22, 2023
edited
Loading

hmm.. in that case can you throw a custom exception instead of runtime?

@DarshitChanpura, Yes, I have created an exception called createJwkCreationException in ExceptionUtils

DarshitChanpura
DarshitChanpura previously approved these changes Aug 22, 2023
View reviewed changes
Copy link
Member

@DarshitChanpura DarshitChanpura left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Could you please look into Codecov warnings.

cwperks
cwperks reviewed Aug 22, 2023
View reviewed changes
Copy link
Member

@cwperks cwperks left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Took another pass and left a few more comments. Thank you for adding tests that show the obo endpoint authorization!

peternied
peternied reviewed Aug 22, 2023
View reviewed changes
@peternied
Copy link
Member

peternied commented Aug 22, 2023

Thanks for putting this out @RyanL1997 - there might be debates such as around naming - I don't think we need perfect names, but lets try to be really solid on the customer facing interfaces and APIs. As long as we've got buy in from a couple folks lets try to iterate quickly.

@peternied peternied changed the title [Feature/Extension] Merge OBO Authentication into 'main' branch OnBehalfOf authenticator and token generator Aug 22, 2023
@RyanL1997 RyanL1997 mentioned this pull request Aug 24, 2023
Closed
3 tasks
@peternied peternied mentioned this pull request Aug 24, 2023
Closed
3 tasks
@cwperks cwperks mentioned this pull request Aug 24, 2023
Closed
6 tasks
@RyanL1997 RyanL1997 mentioned this pull request Aug 24, 2023
Closed
cwperks
cwperks reviewed Aug 24, 2023
View reviewed changes
cwperks
cwperks reviewed Aug 24, 2023
View reviewed changes
Copy link
Member

@cwperks cwperks left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I left a few more comments, but this looks ready to me. All comments left were nits. Thank you for filing a follow up issue to abstract the logic to determine if the obo configuration is valid.

@peternied
Copy link
Member

peternied commented Aug 25, 2023

@RyanL1997 Looks like you've got a DCO failure, can you resolve that?

@peternied
Copy link
Member

peternied commented Aug 25, 2023

@RyanL1997 Could you check over all the unresolved comments and make sure they are addressed and resolved? Once there are 0 unresolved comments (resolutions like won't fix, defer to an issue, or make a change), I'll be happy to approve.

DarshitChanpura
DarshitChanpura reviewed Aug 25, 2023
View reviewed changes
Copy link
Member

@DarshitChanpura DarshitChanpura left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks ready to me. Generic comment: There are multiple usages of Exception and RuntimeException being thrown. I would suggest using OpenSearchException in place of these.

None of these comments are blockers and can be followed up in a separate PR. Once all comments are resolved I'll approve the PR. Thank you @RyanL1997 for putting this feature together and for your patience working through the comments.

cwperks
cwperks reviewed Aug 25, 2023
View reviewed changes
@RyanL1997
Copy link
Collaborator Author

RyanL1997 commented Aug 25, 2023
edited
Loading

@RyanL1997 Looks like you've got a DCO failure, can you resolve that?

Commit sha: [c1d2127](https://github.com/opensearch-project/security/pull/3179/commits/c1d212722d503f723b412c016cb14b85b8990980), Author: Derek Ho, Committer: Ryan Liang; Can not find "Derek Ho [derek01778@gmail.com](mailto:derek01778@gmail.com)", in ["Derek Ho [dxho@amazon.com](mailto:dxho@amazon.com)", "Derek Ho [dxho@amazon.com](mailto:dxho@amazon.com)", "Derek Ho [dxho@amazon.com](mailto:dxho@amazon.com)", "Stephen Crawford [65832608+scrawfor99@users.noreply.github.com](mailto:65832608+scrawfor99@users.noreply.github.com)", "Derek Ho [dxho@amazon.com](mailto:dxho@amazon.com)", "Derek Ho [dxho@amazon.com](mailto:dxho@amazon.com)", "Stephen Crawford [65832608+scrawfor99@users.noreply.github.com](mailto:65832608+scrawfor99@users.noreply.github.com)"].
Commit sha: [df75a37](https://github.com/opensearch-project/security/pull/3179/commits/df75a377ba3bd26f7ba12001e18d478370624575), Author: MaciejMierzwa, Committer: GitHub; Expected "MaciejMierzwa [dev.maciej.mierzwa@gmail.com](mailto:dev.maciej.mierzwa@gmail.com)", but got "Maciej Mierzwa [dev.maciej.mierzwa@gmail.com](mailto:dev.maciej.mierzwa@gmail.com)".
Commit sha: [95efddd](https://github.com/opensearch-project/security/pull/3179/commits/95efddd472888b9342d4b4ce7b83e9b0e3be7ffc), Author: pawel-gudel-eliatra, Committer: Ryan Liang; Expected "pawel-gudel-eliatra [136344230+pawel-gudel-eliatra@users.noreply.github.com](mailto:136344230+pawel-gudel-eliatra@users.noreply.github.com)", but got "Pawel Gudel [pawel.gudel@eliatra.com](mailto:pawel.gudel@eliatra.com)".
Commit sha: [1681823](https://github.com/opensearch-project/security/pull/3179/commits/1681823c960233e7089258aba995c284a547190b), Author: Ryan Liang, Committer: GitHub; Expected "Ryan Liang [109499885+RyanL1997@users.noreply.github.com](mailto:109499885+RyanL1997@users.noreply.github.com)", but got "Ryan Liang [jiallian@amazon.com](mailto:jiallian@amazon.com)".
Commit sha: [73ab1fc](https://github.com/opensearch-project/security/pull/3179/commits/73ab1fc2f61b8dffc8c52505fd34a1cc1aa6c585), Author: Ryan Liang, Committer: GitHub; Expected "Ryan Liang [109499885+RyanL1997@users.noreply.github.com](mailto:109499885+RyanL1997@users.noreply.github.com)", but got "Ryan Liang [jiallian@amazon.com](mailto:jiallian@amazon.com)".
Commit sha: [95f9c77](https://github.com/opensearch-project/security/pull/3179/commits/95f9c77ea2cff30c60d783de041e3386bb43f634), Author: Ryan Liang, Committer: GitHub; Expected "Ryan Liang [109499885+RyanL1997@users.noreply.github.com](mailto:109499885+RyanL1997@users.noreply.github.com)", but got "Ryan Liang [jiallian@amazon.com](mailto:jiallian@amazon.com)".
Commit sha: [fa0fcc3](https://github.com/opensearch-project/security/pull/3179/commits/fa0fcc3be29f3c6c61c9d011508b0fb0b87c34a2), Author: Ryan Liang, Committer: GitHub; Expected "Ryan Liang [109499885+RyanL1997@users.noreply.github.com](mailto:109499885+RyanL1997@users.noreply.github.com)", but got "Ryan Liang [jiallian@amazon.com](mailto:jiallian@amazon.com)".
Commit sha: [748a711](https://github.com/opensearch-project/security/pull/3179/commits/748a71139695422eccf253112321a7a5f6b9b83d), Author: Ryan Liang, Committer: GitHub; Can not find "Ryan Liang [109499885+RyanL1997@users.noreply.github.com](mailto:109499885+RyanL1997@users.noreply.github.com)", in ["Bhavana Ramaram [rbhavna@amazon.com](mailto:rbhavna@amazon.com)", "Stephen Crawford [steecraw@amazon.com](mailto:steecraw@amazon.com)", "Andrey Pleskach [ples@aiven.io](mailto:ples@aiven.io)", "Peter Nied [petern@amazon.com](mailto:petern@amazon.com)", "Craig Perkins [cwperx@amazon.com](mailto:cwperx@amazon.com)", "Craig Perkins [cwperx@amazon.com](mailto:cwperx@amazon.com)", "Craig Perkins [cwperx@amazon.com](mailto:cwperx@amazon.com)", "Craig Perkins [cwperx@amazon.com](mailto:cwperx@amazon.com)", "Craig Perkins [cwperx@amazon.com](mailto:cwperx@amazon.com)", "Peter Nied [peternied@hotmail.com](mailto:peternied@hotmail.com)", "Peter Nied [peternied@hotmail.com](mailto:peternied@hotmail.com)", "Peter Nied [petern@amazon.com](mailto:petern@amazon.com)", "Peter Nied [peternied@hotmail.com](mailto:peternied@hotmail.com)", "Peter Nied [petern@amazon.com](mailto:petern@amazon.com)", "Andrey Pleskach [ples@aiven.io](mailto:ples@aiven.io)", "Stephen Crawford [steecraw@amazon.com](mailto:steecraw@amazon.com)", "Stephen Crawford [65832608+scrawfor99@users.noreply.github.com](mailto:65832608+scrawfor99@users.noreply.github.com)", "Derek Ho [dxho@amazon.com](mailto:dxho@amazon.com)", "Derek Ho [dxho@amazon.com](mailto:dxho@amazon.com)", "Derek Ho [dxho@amazon.com](mailto:dxho@amazon.com)", "Stephen Crawford [65832608+scrawfor99@users.noreply.github.com](mailto:65832608+scrawfor99@users.noreply.github.com)", "Derek Ho [dxho@amazon.com](mailto:dxho@amazon.com)", "Derek Ho [dxho@amazon.com](mailto:dxho@amazon.com)", "Stephen Crawford [65832608+scrawfor99@users.noreply.github.com](mailto:65832608+scrawfor99@users.noreply.github.com)", "Peter Nied [petern@amazon.com](mailto:petern@amazon.com)", "Pawel Gudel [pawel.gudel@eliatra.com](mailto:pawel.gudel@eliatra.com)", "Andrey Pleskach [ples@aiven.io](mailto:ples@aiven.io)", "Ryan Liang [jiallian@amazon.com](mailto:jiallian@amazon.com)", "Bhavana Ramaram [rbhavna@amazon.com](mailto:rbhavna@amazon.com)", "Stephen Crawford [steecraw@amazon.com](mailto:steecraw@amazon.com)", "Andrey Pleskach [ples@aiven.io](mailto:ples@aiven.io)", "Peter Nied [petern@amazon.com](mailto:petern@amazon.com)", "Craig Perkins [cwperx@amazon.com](mailto:cwperx@amazon.com)", "Peter Nied [peternied@hotmail.com](mailto:peternied@hotmail.com)", "Stephen Crawford [65832608+scrawfor99@users.noreply.github.com](mailto:65832608+scrawfor99@users.noreply.github.com)", "Derek Ho [dxho@amazon.com](mailto:dxho@amazon.com)", "Pawel Gudel [pawel.gudel@eliatra.com](mailto:pawel.gudel@eliatra.com)", "Ryan Liang [jiallian@amazon.com](mailto:jiallian@amazon.com)"].
Commit sha: [8ad24ad](https://github.com/opensearch-project/security/pull/3179/commits/8ad24ad794beaf5335591dbfc55c32c196a7ece6), Author: Ryan Liang, Committer: GitHub; The sign-off is missing.
Commit sha: [88f32e9](https://github.com/opensearch-project/security/pull/3179/commits/88f32e98304aa1aedfbcba6f471b74f6457262df), Author: Ryan Liang, Committer: GitHub; Can not find "Ryan Liang [109499885+RyanL1997@users.noreply.github.com](mailto:109499885+RyanL1997@users.noreply.github.com)", in ["Peter Nied [petern@amazon.com](mailto:petern@amazon.com)", "Ryan Liang [jiallian@amazon.com](mailto:jiallian@amazon.com)"].
Commit sha: [d634d60](https://github.com/opensearch-project/security/pull/3179/commits/d634d60d2c7aa85266d6d8de5d2b9737c4c3317d), Author: Ryan Liang, Committer: GitHub; Expected "Ryan Liang [109499885+RyanL1997@users.noreply.github.com](mailto:109499885+RyanL1997@users.noreply.github.com)", but got "Ryan Liang [jiallian@amazon.com](mailto:jiallian@amazon.com)".
Commit sha: [d643fb2](https://github.com/opensearch-project/security/pull/3179/commits/d643fb285fa7173357627f2756ec42fd56cb7145), Author: Ryan Liang, Committer: GitHub; Expected "Ryan Liang [109499885+RyanL1997@users.noreply.github.com](mailto:109499885+RyanL1997@users.noreply.github.com)", but got "Ryan Liang [jiallian@amazon.com](mailto:jiallian@amazon.com)".
Commit sha: [30cf5b1](https://github.com/opensearch-project/security/pull/3179/commits/30cf5b1138503c8af7b2818e6a478b58b6f17c23), Author: Ryan Liang, Committer: GitHub; Expected "Ryan Liang [109499885+RyanL1997@users.noreply.github.com](mailto:109499885+RyanL1997@users.noreply.github.com)", but got "Ryan Liang [jiallian@amazon.com](mailto:jiallian@amazon.com)".
Commit sha: [e42e4d3](https://github.com/opensearch-project/security/pull/3179/commits/e42e4d3568d25b00507f88a0fc533db7664bacfb), Author: Ryan Liang, Committer: GitHub; Expected "Ryan Liang [109499885+RyanL1997@users.noreply.github.com](mailto:109499885+RyanL1997@users.noreply.github.com)", but got "Ryan Liang [jiallian@amazon.com](mailto:jiallian@amazon.com)".
Commit sha: [8a96cab](https://github.com/opensearch-project/security/pull/3179/commits/8a96cab07cdffd754fb43a91dc1e17033703be77), Author: Sam, Committer: GitHub; Expected "Sam [128482925+samuelcostae@users.noreply.github.com](mailto:128482925+samuelcostae@users.noreply.github.com)", but got "Sam [samuel.costa@eliatra.com](mailto:samuel.costa@eliatra.com)".
Commit sha: [ef048a2](https://github.com/opensearch-project/security/pull/3179/commits/ef048a2bb26e0520d53717df334a0ee627aa7442), Author: Stephen Crawford, Committer: Ryan Liang; Expected "Stephen Crawford [65832608+scrawfor99@users.noreply.github.com](mailto:65832608+scrawfor99@users.noreply.github.com)", but got "Stephen Crawford [steecraw@amazon.com](mailto:steecraw@amazon.com)".
Commit sha: [ef6224c](https://github.com/opensearch-project/security/pull/3179/commits/ef6224c6bb9d0893b9dd8d186515e19698b1a28a), Author: Stephen Crawford, Committer: Ryan Liang; The sign-off is missing.

Hate to say, but I can't :(. First, according to the above log from DCO, instead of expecting my correct email, it expected my email to be 109499885+RyanL1997@users.noreply.github.com. Secondly, some of the signoff error is not coming from my commits. So I think I can only set the DCO to be passed manually.

@peternied
Copy link
Member

peternied commented Aug 25, 2023

@RyanL1997 IMO the fastest way to fix the DCO is like this, it will require a force-push to your branch, but its pretty straight forward

git fetch origin
git rev-parse HEAD   # Save this commit id
git checkout origin/main
git merge --squash {SAVED_COMMIT_ID}
git commit -s

@RyanL1997 RyanL1997 force-pushed the merg-to-main branch 2 times, most recently from ed4c0ff to fa0199d Compare August 25, 2023 19:58
@RyanL1997
OnBehalfOf authenticator and token generator
5e68d80 
Signed-off-by: Ryan Liang <jiallian@amazon.com>
cwperks
cwperks previously approved these changes Aug 25, 2023
View reviewed changes
@cwperks
Copy link
Member

cwperks commented Aug 25, 2023
edited
Loading

Thank you for the quick follow-up @RyanL1997 ! There's nothing left to address from me. Any follow-ups have already been captured in issues.

@RyanL1997
Fix the toString in V7 and V6
887f9fe 
Signed-off-by: Ryan Liang <jiallian@amazon.com>
DarshitChanpura
DarshitChanpura approved these changes Aug 25, 2023
View reviewed changes
Copy link
Member

@DarshitChanpura DarshitChanpura left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thank you @RyanL1997 . All my outstanding comments have been addressed.

@peternied peternied merged commit d7eabcf into opensearch-project:main Aug 25, 2023
@RyanL1997 RyanL1997 mentioned this pull request Oct 17, 2023
Closed
@RyanL1997 RyanL1997 mentioned this pull request Nov 2, 2023
Closed
35 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@willyborankin willyborankin willyborankin left review comments

@cwperks cwperks cwperks approved these changes

@DarshitChanpura DarshitChanpura DarshitChanpura approved these changes

@cliu123 cliu123 Awaiting requested review from cliu123

@davidlago davidlago Awaiting requested review from davidlago

@stephen-crawford stephen-crawford Awaiting requested review from stephen-crawford

@reta reta Awaiting requested review from reta reta is a code owner

+1 more reviewer

@peternied peternied peternied left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@RyanL1997 RyanL1997

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Feature/Extension] Add permission for access create OBO Token endpoint. [Spike] Work pending to merge Feature/Extensions into Main

5 participants

@RyanL1997 @peternied @cwperks @willyborankin @DarshitChanpura