From b64f7e1f2641a36fda2b1416f13a331cfb3dd0c3 Mon Sep 17 00:00:00 2001
From: Ryan Liang
Date: Wed, 16 Aug 2023 12:26:39 -0700
Subject: [PATCH] Encapsulate the logic for endpoints access checking into a method

Signed-off-by: Ryan Liang
---
 .../onbehalf/CreateOnBehalfOfTokenAction.java | 5 +++-
 .../http/OnBehalfOfAuthenticator.java | 19 ++++++++++-----
 .../http/OnBehalfOfAuthenticatorTest.java | 24 ++++----------------
 3 files changed, 21 insertions(+), 27 deletions(-)

diff --git a/src/main/java/org/opensearch/security/action/onbehalf/CreateOnBehalfOfTokenAction.java b/src/main/java/org/opensearch/security/action/onbehalf/CreateOnBehalfOfTokenAction.java
index 88d21c6794..c5862a1537 100644
--- a/src/main/java/org/opensearch/security/action/onbehalf/CreateOnBehalfOfTokenAction.java
+++ b/src/main/java/org/opensearch/security/action/onbehalf/CreateOnBehalfOfTokenAction.java
@@ -110,7 +110,10 @@ public void accept(RestChannel channel) throws Exception {
 try {
 if (vendor == null) {
 channel.sendResponse(
- new BytesRestResponse(RestStatus.SERVICE_UNAVAILABLE, "on_behalf_of is either disabled or the configuration is invalid")
+ new BytesRestResponse(
+ RestStatus.SERVICE_UNAVAILABLE,
+ "on_behalf_of is either disabled or the configuration is invalid"
+ )
 );
 return;
 }
diff --git a/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java b/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java
index 182bce0023..7a1815a695 100644
--- a/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java
+++ b/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java
@@ -181,12 +181,7 @@ private AuthCredentials extractCredentials0(final RestRequest request) { } try { - Matcher matcher = PATTERN_PATH_PREFIX.matcher(request.path()); - final String suffix = matcher.matches() ? matcher.group(2) : null; - if (request.method() == RestRequest.Method.POST && ON_BEHALF_OF_SUFFIX.equals(suffix) - || request.method() == RestRequest.Method.PUT && ACCOUNT_SUFFIX.equals(suffix)) { - final OpenSearchException exception = ExceptionUtils.invalidUsageOfOBOTokenException(); - log.error(exception.toString()); + if (!isAllowedRequest(request)) { return null; } @@ -234,6 +229,18 @@ private AuthCredentials extractCredentials0(final RestRequest request) { } } + public Boolean isAllowedRequest(final RestRequest request) { + Matcher matcher = PATTERN_PATH_PREFIX.matcher(request.path()); + final String suffix = matcher.matches() ? matcher.group(2) : null; + if (request.method() == RestRequest.Method.POST && ON_BEHALF_OF_SUFFIX.equals(suffix) + || request.method() == RestRequest.Method.PUT && ACCOUNT_SUFFIX.equals(suffix)) { + final OpenSearchException exception = ExceptionUtils.invalidUsageOfOBOTokenException(); + log.error(exception.toString()); + return false; + } + return true; + } + @Override public boolean reRequestAuthentication(final RestChannel channel, AuthCredentials creds) { return false; diff --git a/src/test/java/org/opensearch/security/http/OnBehalfOfAuthenticatorTest.java b/src/test/java/org/opensearch/security/http/OnBehalfOfAuthenticatorTest.java index d68130981b..bf8cb71a12 100644 --- a/src/test/java/org/opensearch/security/http/OnBehalfOfAuthenticatorTest.java +++ b/src/test/java/org/opensearch/security/http/OnBehalfOfAuthenticatorTest.java 
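Review bot: The new `isAllowedRequest` in the second hunk returns the boxed `Boolean` where a primitive would do, and as a newly `public` method it carries no Javadoc, so a caller cannot tell that it is a deny-list of exactly two routes (POST to `ON_BEHALF_OF_SUFFIX` and PUT to `ACCOUNT_SUFFIX`) rather than a general authorization check; change the signature to `public boolean isAllowedRequest(final RestRequest request)` and add a Javadoc stating that every other path and verb is allowed by default, so any route added later that must not be reachable with an on-behalf-of token has to be listed here explicitly. Whether `request.path()` is normalized (trailing slash, case, percent-encoding) before `PATTERN_PATH_PREFIX` sees it is not visible in the hunk; if it is not, the suffix comparison could be sidestepped by a path variant, which is worth confirming against the pattern's definition outside the hunk. Separately, `ExceptionUtils.invalidUsageOfOBOTokenException()` builds an exception only to stringify it for `log.error`; logging directly, e.g. `log.error("On-behalf-of token may not be used for {} {}", request.method(), request.path());`, avoids the throwaway allocation and records which request was rejected. The enclosing `extractCredentials0` body starts before and ends after the first hunk.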
@@ -237,11 +237,7 @@ public void testRoles() throws Exception { final AuthCredentials credentials = extractCredentialsFromJwtHeader( signingKeyB64Encoded, claimsEncryptionKey, - Jwts.builder() - .setIssuer(clusterNameString) - .setSubject("Leonard McCoy") - .claim("dr", "role1,role2") - .setAudience("svc1"), + Jwts.builder().setIssuer(clusterNameString).setSubject("Leonard McCoy").claim("dr", "role1,role2").setAudience("svc1"), true ); @@ -257,11 +253,7 @@ public void testNullClaim() throws Exception { final AuthCredentials credentials = extractCredentialsFromJwtHeader( signingKeyB64Encoded, claimsEncryptionKey, - Jwts.builder() - .setIssuer(clusterNameString) - .setSubject("Leonard McCoy") - .claim("dr", null) - .setAudience("svc1"), + Jwts.builder().setIssuer(clusterNameString).setSubject("Leonard McCoy").claim("dr", null).setAudience("svc1"), false ); @@ -276,11 +268,7 @@ public void testNonStringClaim() throws Exception { final AuthCredentials credentials = extractCredentialsFromJwtHeader( signingKeyB64Encoded, claimsEncryptionKey, - Jwts.builder() - .setIssuer(clusterNameString) - .setSubject("Leonard McCoy") - .claim("dr", 123L) - .setAudience("svc1"), + Jwts.builder().setIssuer(clusterNameString).setSubject("Leonard McCoy").claim("dr", 123L).setAudience("svc1"), true ); @@ -312,11 +300,7 @@ public void testWrongSubjectKey() throws Exception { final AuthCredentials credentials = extractCredentialsFromJwtHeader( signingKeyB64Encoded, claimsEncryptionKey, - Jwts.builder() - .setIssuer(clusterNameString) - .claim("roles", "role1,role2") - .claim("asub", "Dr. Who") - .setAudience("svc1"), + Jwts.builder().setIssuer(clusterNameString).claim("roles", "role1,role2").claim("asub", "Dr. Who").setAudience("svc1"), false );