opensearch-project · stephen-crawford · Oct 24, 2023 · Oct 19, 2023 · Oct 19, 2023
@@ -61,7 +61,6 @@
 import org.opensearch.security.filter.SecurityRequest;
 import org.opensearch.security.filter.SecurityRequestChannel;
 import org.opensearch.security.filter.SecurityResponse;
-import org.opensearch.security.http.OnBehalfOfAuthenticator;
 import org.opensearch.security.http.XFFResolver;
 import org.opensearch.security.securityconf.DynamicConfigModel;
 import org.opensearch.security.support.ConfigConstants;
@@ -619,8 +618,7 @@ private User impersonate(final SecurityRequest request, final User originalUser)
             for (final AuthDomain authDomain : restAuthDomains) {
                 final AuthenticationBackend authenticationBackend = authDomain.getBackend();
 
-                // Skip over the OnBehalfOfAuthenticator since it is not compatible for user impersonation
-                if (authDomain.getHttpAuthenticator() instanceof OnBehalfOfAuthenticator) {
+                if (!authDomain.getHttpAuthenticator().supportsImpersonation()) {
                     continue;
                 }
 

@@ -83,4 +83,13 @@ public interface HTTPAuthenticator {
      * @return Optional response if is not supported/necessary, response object otherwise.
      */
     Optional<SecurityResponse> reRequestAuthentication(final SecurityRequest request, AuthCredentials credentials);
+
+    /**
+     * Indicates whether this authenticator supports user impersonation.
+     *
+     * @return true if impersonation is supported, false otherwise.
+     */
+    default boolean supportsImpersonation() {
+        return true;
+    }
 }
@@ -67,8 +67,18 @@
         String oboEnabledSetting = settings.get("enabled", "true");
         oboEnabled = Boolean.parseBoolean(oboEnabledSetting);
         encryptionKey = settings.get("encryption_key");
-        JwtParserBuilder builder = initParserBuilder(settings.get("signing_key"));
-        jwtParser = builder.build();
+
+        final SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            sm.checkPermission(new SpecialPermission());
+        }
+        jwtParser = AccessController.doPrivileged(new PrivilegedAction<JwtParser>() {
+            @Override
+            public JwtParser run() {
+                JwtParserBuilder builder = initParserBuilder(settings.get("signing_key"));
+                return builder.build();
+            }
+        });
 
         this.clusterName = clusterName;
         this.encryptionUtil = new EncryptionDecryptionUtil(encryptionKey);
@@ -244,4 +254,8 @@
         return "onbehalfof_jwt";
     }
 
+    @Override
+    public boolean supportsImpersonation() {
+        return false;
+    }
 }
@@ -349,7 +349,7 @@ public void testSecurityManagerCheck() {
             System.setSecurityManager(null);
         }
 
-        verify(mockSecurityManager, times(2)).checkPermission(any(SpecialPermission.class));
+        verify(mockSecurityManager, times(3)).checkPermission(any(SpecialPermission.class));
     }
 
     @Test
-Original file line number
+Diff line change
@@ Expand Up / @@ -349,7 +349,7 @@ public void testSecurityManagerCheck() { @@
                 System.setSecurityManager(null);
             }
-            verify(mockSecurityManager, times(2)).checkPermission(any(SpecialPermission.class));
+            verify(mockSecurityManager, times(3)).checkPermission(any(SpecialPermission.class));
         }
         @Test
@@ Expand Down @@