diff --git a/src/integrationTest/java/org/opensearch/security/privileges/ActionPrivilegesTest.java b/src/integrationTest/java/org/opensearch/security/privileges/ActionPrivilegesTest.java index 2a60d236ba..1d517f6590 100644 --- a/src/integrationTest/java/org/opensearch/security/privileges/ActionPrivilegesTest.java +++ b/src/integrationTest/java/org/opensearch/security/privileges/ActionPrivilegesTest.java @@ -53,7 +53,6 @@ import org.mockito.Mockito; import static org.hamcrest.MatcherAssert.assertThat; -import static org.mockito.Mockito.mock; import static org.opensearch.security.privileges.PrivilegeEvaluatorResponseMatcher.isAllowed; import static org.opensearch.security.privileges.PrivilegeEvaluatorResponseMatcher.isForbidden; import static org.opensearch.security.privileges.PrivilegeEvaluatorResponseMatcher.isPartiallyOk; @@ -64,6 +63,7 @@ import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertNull; import static org.junit.Assert.assertTrue; +import static org.mockito.Mockito.mock; /** * Unit tests for ActionPrivileges. As the ActionPrivileges provides quite a few different code paths for checking @@ -1134,7 +1134,7 @@ static PrivilegesEvaluationContext ctxWithUserName(String userName, String... ro null, new IndexNameExpressionResolver(new ThreadContext(Settings.EMPTY)), null, - mock(ApiTokenRepository.class) + mock(ApiTokenRepository.class) ); } diff --git a/src/integrationTest/java/org/opensearch/security/privileges/IndexPatternTest.java b/src/integrationTest/java/org/opensearch/security/privileges/IndexPatternTest.java index c63a63af93..ce139934c8 100644 --- a/src/integrationTest/java/org/opensearch/security/privileges/IndexPatternTest.java +++ b/src/integrationTest/java/org/opensearch/security/privileges/IndexPatternTest.java 
@@ -27,12 +27,12 @@ import org.opensearch.security.support.WildcardMatcher; import org.opensearch.security.user.User; -import static org.mockito.Mockito.mock; import static org.opensearch.security.util.MockIndexMetadataBuilder.indices; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertNotEquals; import static org.junit.Assert.assertTrue; +import static org.mockito.Mockito.mock; public class IndexPatternTest { final static int CURRENT_YEAR = ZonedDateTime.now().get(ChronoField.YEAR); @@ -249,7 +249,7 @@ private static PrivilegesEvaluationContext ctx() { indexResolverReplacer, indexNameExpressionResolver, () -> CLUSTER_STATE, - mock(ApiTokenRepository.class) + mock(ApiTokenRepository.class) ); } } diff --git a/src/integrationTest/java/org/opensearch/security/privileges/RestEndpointPermissionTests.java b/src/integrationTest/java/org/opensearch/security/privileges/RestEndpointPermissionTests.java index 6755347f59..f5b1529f46 100644 --- a/src/integrationTest/java/org/opensearch/security/privileges/RestEndpointPermissionTests.java +++ b/src/integrationTest/java/org/opensearch/security/privileges/RestEndpointPermissionTests.java 
@@ -53,11 +53,11 @@ import org.opensearch.security.securityconf.impl.v7.RoleV7; import org.opensearch.security.user.User; -import static org.mockito.Mockito.mock; import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.CERTS_INFO_ACTION; import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.ENDPOINTS_WITH_PERMISSIONS; import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.RELOAD_CERTS_ACTION; import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.SECURITY_CONFIG_UPDATE; +import static org.mockito.Mockito.mock; /** * Moved from https://github.com/opensearch-project/security/blob/54361468f5c4b3a57f3ecffaf1bbe8dccee562be/src/test/java/org/opensearch/security/securityconf/SecurityRolesPermissionsTest.java @@ -253,7 +253,17 @@ static SecurityDynamicConfiguration createRolesConfig() throws IOExcepti } static PrivilegesEvaluationContext ctx(String... roles) { - return new PrivilegesEvaluationContext(new User("test_user"), ImmutableSet.copyOf(roles), null, null, null, null, null, null, mock(ApiTokenRepository.class)); + return new PrivilegesEvaluationContext( + new User("test_user"), + ImmutableSet.copyOf(roles), + null, + null, + null, + null, + null, + null, + mock(ApiTokenRepository.class) + ); } } diff --git a/src/integrationTest/java/org/opensearch/security/privileges/dlsfls/DlsFlsLegacyHeadersTest.java b/src/integrationTest/java/org/opensearch/security/privileges/dlsfls/DlsFlsLegacyHeadersTest.java index 1224c1bc23..398b08dcb9 100644 --- a/src/integrationTest/java/org/opensearch/security/privileges/dlsfls/DlsFlsLegacyHeadersTest.java +++ b/src/integrationTest/java/org/opensearch/security/privileges/dlsfls/DlsFlsLegacyHeadersTest.java 
@@ -48,7 +48,6 @@ import org.mockito.Mockito; -import static org.mockito.Mockito.mock; import static org.opensearch.security.Song.ARTIST_STRING; import static org.opensearch.security.Song.ARTIST_TWINS; import static org.opensearch.security.Song.FIELD_ARTIST; @@ -57,6 +56,7 @@ import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertNull; import static org.junit.Assert.assertTrue; +import static org.mockito.Mockito.mock; public class DlsFlsLegacyHeadersTest { static NamedXContentRegistry xContentRegistry = new NamedXContentRegistry( @@ -348,7 +348,7 @@ public void prepare_ccs() throws Exception { null, new IndexNameExpressionResolver(new ThreadContext(Settings.EMPTY)), () -> clusterState, - mock(ApiTokenRepository.class) + mock(ApiTokenRepository.class) ); DlsFlsLegacyHeaders.prepare(threadContext, ctx, dlsFlsProcessedConfig(exampleRolesConfig(), metadata), metadata, false); @@ -368,7 +368,7 @@ static PrivilegesEvaluationContext ctx(Metadata metadata, String... roles) { null, new IndexNameExpressionResolver(new ThreadContext(Settings.EMPTY)), () -> clusterState, - mock(ApiTokenRepository.class) + mock(ApiTokenRepository.class) ); } diff --git a/src/integrationTest/java/org/opensearch/security/privileges/dlsfls/DocumentPrivilegesTest.java b/src/integrationTest/java/org/opensearch/security/privileges/dlsfls/DocumentPrivilegesTest.java index 262498ff9e..3d7c67c922 100644 --- a/src/integrationTest/java/org/opensearch/security/privileges/dlsfls/DocumentPrivilegesTest.java +++ b/src/integrationTest/java/org/opensearch/security/privileges/dlsfls/DocumentPrivilegesTest.java @@ -62,7 +62,6 @@ import org.opensearch.test.framework.TestSecurityConfig; import static org.hamcrest.MatcherAssert.assertThat; -import static org.mockito.Mockito.mock; import static org.opensearch.security.util.MockIndexMetadataBuilder.dataStreams; import static org.opensearch.security.util.MockIndexMetadataBuilder.indices; import static org.junit.Assert.assertEquals; 
@@ -70,6 +69,7 @@ import static org.junit.Assert.assertNotEquals; import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; +import static org.mockito.Mockito.mock; /** * Unit tests for the DocumentPrivileges class and the underlying AbstractRuleBasedPrivileges class. As these classes @@ -529,7 +529,7 @@ public IndicesAndAliases_getRestriction( null, null, () -> CLUSTER_STATE, - mock(ApiTokenRepository.class) + mock(ApiTokenRepository.class) ); this.statefulness = statefulness; this.dfmEmptyOverridesAll = dfmEmptyOverridesAll == DfmEmptyOverridesAll.DFM_EMPTY_OVERRIDES_ALL_TRUE; @@ -845,7 +845,7 @@ public IndicesRequest indices(String... strings) { RESOLVER_REPLACER, INDEX_NAME_EXPRESSION_RESOLVER, () -> CLUSTER_STATE, - mock(ApiTokenRepository.class) + mock(ApiTokenRepository.class) ); this.statefulness = statefulness; this.dfmEmptyOverridesAll = dfmEmptyOverridesAll == DfmEmptyOverridesAll.DFM_EMPTY_OVERRIDES_ALL_TRUE; @@ -1131,7 +1131,7 @@ public DataStreams_getRestriction( null, null, () -> CLUSTER_STATE, - mock(ApiTokenRepository.class) + mock(ApiTokenRepository.class) ); this.statefulness = statefulness; this.dfmEmptyOverridesAll = dfmEmptyOverridesAll == DfmEmptyOverridesAll.DFM_EMPTY_OVERRIDES_ALL_TRUE; @@ -1151,7 +1151,19 @@ public void invalidQuery() throws Exception { @Test(expected = PrivilegesEvaluationException.class) public void invalidTemplatedQuery() throws Exception { DocumentPrivileges.DlsQuery.create("{\"invalid\": \"totally ${attr.foo}\"}", xContentRegistry) - .evaluate(new PrivilegesEvaluationContext(new User("test_user"), ImmutableSet.of(), null, null, null, null, null, null, mock(ApiTokenRepository.class))); + .evaluate( + new PrivilegesEvaluationContext( + new User("test_user"), + ImmutableSet.of(), + null, + null, + null, + null, + null, + null, + mock(ApiTokenRepository.class) + ) + ); } @Test 
diff --git a/src/integrationTest/java/org/opensearch/security/privileges/dlsfls/FieldMaskingTest.java b/src/integrationTest/java/org/opensearch/security/privileges/dlsfls/FieldMaskingTest.java index 9ee43263e1..ad40329679 100644 --- a/src/integrationTest/java/org/opensearch/security/privileges/dlsfls/FieldMaskingTest.java +++ b/src/integrationTest/java/org/opensearch/security/privileges/dlsfls/FieldMaskingTest.java @@ -31,12 +31,12 @@ import org.opensearch.security.user.User; import org.opensearch.test.framework.TestSecurityConfig; -import static org.mockito.Mockito.mock; import static org.opensearch.security.util.MockIndexMetadataBuilder.indices; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertNull; import static org.junit.Assert.assertTrue; +import static org.mockito.Mockito.mock; /** * Unit tests on the FieldMasking class - top-level functionality is tested in FieldMaskingTest.Basic. The inner classes FieldMasking.Field @@ -126,7 +126,7 @@ static PrivilegesEvaluationContext ctx(String... roles) { null, null, () -> CLUSTER_STATE, - mock(ApiTokenRepository.class) + mock(ApiTokenRepository.class) ); } } diff --git a/src/integrationTest/java/org/opensearch/security/privileges/dlsfls/FieldPrivilegesTest.java b/src/integrationTest/java/org/opensearch/security/privileges/dlsfls/FieldPrivilegesTest.java index 394296b7d3..a1386de521 100644 --- a/src/integrationTest/java/org/opensearch/security/privileges/dlsfls/FieldPrivilegesTest.java +++ b/src/integrationTest/java/org/opensearch/security/privileges/dlsfls/FieldPrivilegesTest.java 
@@ -30,11 +30,11 @@ import org.opensearch.security.user.User; import org.opensearch.test.framework.TestSecurityConfig; -import static org.mockito.Mockito.mock; import static org.opensearch.security.util.MockIndexMetadataBuilder.indices; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; +import static org.mockito.Mockito.mock; /** * Unit tests on the FieldMasking class - top-level functionality is tested in FieldMaskingTest.Basic. The inner classes FieldMasking.Field @@ -161,7 +161,7 @@ static PrivilegesEvaluationContext ctx(String... roles) { null, null, () -> CLUSTER_STATE, - mock(ApiTokenRepository.class) + mock(ApiTokenRepository.class) ); } } diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index 1c4b2602db..8c945de408 100644 --- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java @@ -1126,7 +1126,7 @@ public Collection createComponents( cih, irr, namedXContentRegistry.get(), - ar + ar ); dlsFlsBaseContext = new DlsFlsBaseContext(evaluator, threadPool.getThreadContext(), adminDns); diff --git a/src/main/java/org/opensearch/security/action/apitokens/ApiTokenAction.java b/src/main/java/org/opensearch/security/action/apitokens/ApiTokenAction.java index d690083ba1..26116714ac 100644 --- a/src/main/java/org/opensearch/security/action/apitokens/ApiTokenAction.java +++ b/src/main/java/org/opensearch/security/action/apitokens/ApiTokenAction.java 
@@ -23,9 +23,7 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.opensearch.client.Client; import org.opensearch.client.node.NodeClient; -import org.opensearch.cluster.service.ClusterService; import org.opensearch.common.inject.Inject; import org.opensearch.core.action.ActionListener; import org.opensearch.core.rest.RestStatus; @@ -35,7 +33,6 @@ import org.opensearch.rest.RestChannel; import org.opensearch.rest.RestHandler; import org.opensearch.rest.RestRequest; -import org.opensearch.security.identity.SecurityTokenManager; import static org.opensearch.rest.RestRequest.Method.DELETE; import static org.opensearch.rest.RestRequest.Method.GET; @@ -55,8 +52,6 @@ public class ApiTokenAction extends BaseRestHandler { private ApiTokenRepository apiTokenRepository; public Logger log = LogManager.getLogger(this.getClass()); - - private static final List ROUTES = addRoutesPrefix( ImmutableList.of( new RestHandler.Route(POST, "/apitokens"), @@ -68,7 +63,7 @@ public class ApiTokenAction extends BaseRestHandler { @Inject public ApiTokenAction(ApiTokenRepository apiTokenRepository) { this.apiTokenRepository = apiTokenRepository; -// this.apiTokenRepository = new ApiTokenRepository(client, clusterService, securityTokenManager); + // this.apiTokenRepository = new ApiTokenRepository(client, clusterService, securityTokenManager); } @Override diff --git a/src/main/java/org/opensearch/security/authtoken/jwt/ApiTokenJwtVendor.java b/src/main/java/org/opensearch/security/authtoken/jwt/ApiTokenJwtVendor.java index da07d6e087..87de477fe4 100644 --- a/src/main/java/org/opensearch/security/authtoken/jwt/ApiTokenJwtVendor.java +++ b/src/main/java/org/opensearch/security/authtoken/jwt/ApiTokenJwtVendor.java 
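Review bot: The re-indented line in the ApiTokenAction constructor is commented-out code, not a comment: `// this.apiTokenRepository = new ApiTokenRepository(client, clusterService, securityTokenManager);` refers to `client`, `clusterService` and `securityTokenManager`, whose imports (`Client`, `ClusterService`, `SecurityTokenManager`) this same commit removes from the file. Fixing its indentation keeps dead code that can no longer compile if uncommented; delete the line instead, since the history is preserved in version control. If the intent is to document that the repository is now injected rather than built here, a one-line `// Repository is supplied via Guice @Inject; see OpenSearchSecurityPlugin.createComponents` says that without stale code.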
@@ -14,16 +14,13 @@ import java.security.AccessController; import java.security.PrivilegedAction; import java.text.ParseException; -import java.util.Base64; import java.util.Date; -import java.util.List; import java.util.Optional; import java.util.function.LongSupplier; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.opensearch.OpenSearchException; import org.opensearch.common.collect.Tuple; import org.opensearch.common.settings.Settings; @@ -31,16 +28,11 @@ import com.nimbusds.jose.JWSAlgorithm; import com.nimbusds.jose.JWSHeader; import com.nimbusds.jose.JWSSigner; -import com.nimbusds.jose.KeyLengthException; -import com.nimbusds.jose.crypto.MACSigner; import com.nimbusds.jose.jwk.JWK; -import com.nimbusds.jose.jwk.KeyUse; -import com.nimbusds.jose.jwk.OctetSequenceKey; import com.nimbusds.jwt.JWTClaimsSet; import com.nimbusds.jwt.SignedJWT; import static org.opensearch.security.authtoken.jwt.JwtVendor.createJwkFromSettings; -import static org.opensearch.security.util.AuthTokenUtils.isKeyNull; public class ApiTokenJwtVendor extends JwtVendor { private static final Logger logger = LogManager.getLogger(ApiTokenJwtVendor.class); @@ -61,7 +53,7 @@ public ApiTokenJwtVendor(final Settings settings, final Optional t @Override @SuppressWarnings("removal") public ExpiringBearerAuthToken createJwt(final String issuer, final String subject, final String audience, final long expiration) - throws JOSEException, ParseException { + throws JOSEException, ParseException { final long currentTimeMs = timeProvider.getAsLong(); final Date now = new Date(currentTimeMs); 
@@ -77,13 +69,13 @@ public ExpiringBearerAuthToken createJwt(final String issuer, final String subje final JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.parse(signingKey.getAlgorithm().getName())).build(); final SignedJWT signedJwt = AccessController.doPrivileged( - (PrivilegedAction) () -> new SignedJWT(header, claimsBuilder.build()) + (PrivilegedAction) () -> new SignedJWT(header, claimsBuilder.build()) ); // Sign the JWT so it can be serialized signedJwt.sign(signer); if (logger.isDebugEnabled()) { logger.debug( - "Created JWT: " + signedJwt.serialize() + "\n" + signedJwt.getHeader().toJSONObject() + "\n" + signedJwt.getJWTClaimsSet() + "Created JWT: " + signedJwt.serialize() + "\n" + signedJwt.getHeader().toJSONObject() + "\n" + signedJwt.getJWTClaimsSet() ); } return new ExpiringBearerAuthToken(signedJwt.serialize(), subject, expiryTime); diff --git a/src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java b/src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java index c66fdd2254..32da3eadb7 100644 --- a/src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java +++ b/src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java @@ -11,6 +11,14 @@ package org.opensearch.security.authtoken.jwt; +import java.text.ParseException; +import java.util.Base64; +import java.util.List; + +import org.opensearch.OpenSearchException; +import org.opensearch.common.collect.Tuple; +import org.opensearch.common.settings.Settings; + import com.nimbusds.jose.JOSEException; import com.nimbusds.jose.JWSAlgorithm; import com.nimbusds.jose.JWSSigner; 
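Review bot: The debug statement that this hunk only re-indents still concatenates `signedJwt.serialize()`, i.e. the complete signed token, into the log message, so turning on DEBUG for ApiTokenJwtVendor writes usable bearer credentials into the log files. The header and claims are enough to diagnose token construction; the compact serialization should not be logged at all. Suggested replacement for the message: `logger.debug("Created JWT with header {} and claims {}", signedJwt.getHeader().toJSONObject(), signedJwt.getJWTClaimsSet());`, which also makes the `isDebugEnabled()` guard unnecessary since log4j2 defers argument formatting. The enclosing `createJwt` begins before this hunk, so the rest of the method was not reviewed here.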
@@ -19,32 +27,24 @@ import com.nimbusds.jose.jwk.JWK; import com.nimbusds.jose.jwk.KeyUse; import com.nimbusds.jose.jwk.OctetSequenceKey; -import org.opensearch.OpenSearchException; -import org.opensearch.common.collect.Tuple; -import org.opensearch.common.settings.Settings; - -import java.text.ParseException; -import java.util.Base64; -import java.util.List; import static org.opensearch.security.util.AuthTokenUtils.isKeyNull; public abstract class JwtVendor { public ExpiringBearerAuthToken createJwt( - final String issuer, - final String subject, - final String audience, - final long requestedExpirySeconds, - final List roles, - final List backendRoles, - final boolean includeBackendRoles + final String issuer, + final String subject, + final String audience, + final long requestedExpirySeconds, + final List roles, + final List backendRoles, + final boolean includeBackendRoles ) throws JOSEException, ParseException { throw new UnsupportedOperationException("createJwt with given params is not supported."); } - public ExpiringBearerAuthToken createJwt( - final String issuer, final String subject, final String audience, final long expiration - ) throws JOSEException, ParseException { + public ExpiringBearerAuthToken createJwt(final String issuer, final String subject, final String audience, final long expiration) + throws JOSEException, ParseException { throw new UnsupportedOperationException("createJwt with given params is not supported."); }; 
@@ -59,21 +59,21 @@ static Tuple createJwkFromSettings(final Settings settings) { if (!isKeyNull(settings, "signing_key")) { final String signingKey = settings.get("signing_key"); key = new OctetSequenceKey.Builder(Base64.getDecoder().decode(signingKey)).algorithm(JWSAlgorithm.HS512) - .keyUse(KeyUse.SIGNATURE) - .build(); + .keyUse(KeyUse.SIGNATURE) + .build(); } else { final Settings jwkSettings = settings.getAsSettings("jwt").getAsSettings("key"); if (jwkSettings.isEmpty()) { throw new OpenSearchException( - "Settings for signing key is missing. Please specify at least the option signing_key with a shared secret." + "Settings for signing key is missing. Please specify at least the option signing_key with a shared secret." ); } final String signingKey = jwkSettings.get("k"); key = new OctetSequenceKey.Builder(Base64.getDecoder().decode(signingKey)).algorithm(JWSAlgorithm.HS512) - .keyUse(KeyUse.SIGNATURE) - .build(); + .keyUse(KeyUse.SIGNATURE) + .build(); } try { diff --git a/src/main/java/org/opensearch/security/authtoken/jwt/OBOJwtVendor.java b/src/main/java/org/opensearch/security/authtoken/jwt/OBOJwtVendor.java index bde3d1980c..e5f7e65541 100644 --- a/src/main/java/org/opensearch/security/authtoken/jwt/OBOJwtVendor.java +++ b/src/main/java/org/opensearch/security/authtoken/jwt/OBOJwtVendor.java @@ -11,10 +11,7 @@ package org.opensearch.security.authtoken.jwt; -import java.security.AccessController; -import java.security.PrivilegedAction; import java.text.ParseException; -import java.util.Base64; import java.util.Date; import java.util.List; import java.util.Optional; @@ -23,7 +20,6 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.opensearch.OpenSearchException; import org.opensearch.common.collect.Tuple; import org.opensearch.common.settings.Settings; 
@@ -31,11 +27,7 @@ import com.nimbusds.jose.JWSAlgorithm; import com.nimbusds.jose.JWSHeader; import com.nimbusds.jose.JWSSigner; -import com.nimbusds.jose.KeyLengthException; -import com.nimbusds.jose.crypto.MACSigner; import com.nimbusds.jose.jwk.JWK; -import com.nimbusds.jose.jwk.KeyUse; -import com.nimbusds.jose.jwk.OctetSequenceKey; import com.nimbusds.jwt.JWTClaimsSet; import com.nimbusds.jwt.SignedJWT; diff --git a/src/main/java/org/opensearch/security/http/ApiTokenAuthenticator.java b/src/main/java/org/opensearch/security/http/ApiTokenAuthenticator.java index 9b6a5e0e34..88bd0c9ae6 100644 --- a/src/main/java/org/opensearch/security/http/ApiTokenAuthenticator.java +++ b/src/main/java/org/opensearch/security/http/ApiTokenAuthenticator.java @@ -25,7 +25,6 @@ import org.opensearch.OpenSearchException; import org.opensearch.OpenSearchSecurityException; import org.opensearch.SpecialPermission; -import org.opensearch.common.inject.Inject; import org.opensearch.common.settings.Settings; import org.opensearch.common.util.concurrent.ThreadContext; import org.opensearch.security.action.apitokens.ApiTokenRepository; diff --git a/src/main/java/org/opensearch/security/identity/SecurityTokenManager.java b/src/main/java/org/opensearch/security/identity/SecurityTokenManager.java index 3ff3c4e2d8..d8840df14b 100644 --- a/src/main/java/org/opensearch/security/identity/SecurityTokenManager.java +++ b/src/main/java/org/opensearch/security/identity/SecurityTokenManager.java @@ -100,7 +100,6 @@ ApiTokenJwtVendor createApiTokenJwtVendor(final Settings settings) { } } - public boolean issueOnBehalfOfTokenAllowed() { return oboJwtVendor != null && configModel != null; } diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluationContext.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluationContext.java index a1c7a041de..3314f3f99d 100644 --- a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluationContext.java 
+++ b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluationContext.java @@ -22,7 +22,6 @@ import org.opensearch.cluster.ClusterState; import org.opensearch.cluster.metadata.IndexAbstraction; import org.opensearch.cluster.metadata.IndexNameExpressionResolver; -import org.opensearch.common.inject.Inject; import org.opensearch.security.action.apitokens.ApiTokenRepository; import org.opensearch.security.action.apitokens.Permissions; import org.opensearch.security.resolver.IndexResolverReplacer; diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java index 185eb68b9d..1d9eb4f3c1 100644 --- a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java +++ b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java @@ -79,7 +79,6 @@ import org.opensearch.cluster.metadata.IndexNameExpressionResolver; import org.opensearch.cluster.metadata.Metadata; import org.opensearch.cluster.service.ClusterService; -import org.opensearch.common.inject.Inject; import org.opensearch.common.settings.Settings; import org.opensearch.common.util.concurrent.ThreadContext; import org.opensearch.core.common.Strings; @@ -304,7 +303,17 @@ public PrivilegesEvaluationContext createContext( TransportAddress caller = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS); ImmutableSet mappedRoles = ImmutableSet.copyOf((injectedRoles == null) ? mapRoles(user, caller) : injectedRoles); - return new PrivilegesEvaluationContext(user, mappedRoles, action0, request, task, irr, resolver, clusterStateSupplier, apiTokenRepository); + return new PrivilegesEvaluationContext( + user, + mappedRoles, + action0, + request, + task, + irr, + resolver, + clusterStateSupplier, + apiTokenRepository + ); } public PrivilegesEvaluatorResponse evaluate(PrivilegesEvaluationContext context) { 
diff --git a/src/test/java/org/opensearch/security/action/apitokens/ApiTokenActionTest.java b/src/test/java/org/opensearch/security/action/apitokens/ApiTokenActionTest.java index ef40d3c1bc..e7193710e1 100644 --- a/src/test/java/org/opensearch/security/action/apitokens/ApiTokenActionTest.java +++ b/src/test/java/org/opensearch/security/action/apitokens/ApiTokenActionTest.java @@ -19,8 +19,6 @@ import org.junit.Test; -import org.opensearch.cluster.service.ClusterService; - import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.empty; import static org.hamcrest.Matchers.is; diff --git a/src/test/java/org/opensearch/security/authtoken/jwt/OBOJwtVendorTest.java b/src/test/java/org/opensearch/security/authtoken/jwt/JwtVendorTest.java similarity index 86% rename from src/test/java/org/opensearch/security/authtoken/jwt/OBOJwtVendorTest.java rename to src/test/java/org/opensearch/security/authtoken/jwt/JwtVendorTest.java index a723c356a2..0c1258f831 100644 --- a/src/test/java/org/opensearch/security/authtoken/jwt/OBOJwtVendorTest.java +++ b/src/test/java/org/opensearch/security/authtoken/jwt/JwtVendorTest.java @@ -30,9 +30,6 @@ import org.opensearch.OpenSearchException; import org.opensearch.common.collect.Tuple; import org.opensearch.common.settings.Settings; -import org.opensearch.common.xcontent.XContentFactory; -import org.opensearch.core.xcontent.ToXContent; -import org.opensearch.security.action.apitokens.ApiToken; import org.opensearch.security.support.ConfigConstants; import com.nimbusds.jose.JWSSigner; @@ -54,7 +51,7 @@ import static org.mockito.Mockito.verify; import static org.mockito.Mockito.when; -public class OBOJwtVendorTest { +public class JwtVendorTest { private Appender mockAppender; private ArgumentCaptor logEventCaptor; 
@@ -104,7 +101,15 @@ public void testCreateJwtWithRoles() throws Exception { Settings settings = Settings.builder().put("signing_key", signingKeyB64Encoded).put("encryption_key", claimsEncryptionKey).build(); OBOJwtVendor OBOJwtVendor = new OBOJwtVendor(settings, Optional.of(currentTime)); - final ExpiringBearerAuthToken authToken = OBOJwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, backendRoles, false); + final ExpiringBearerAuthToken authToken = OBOJwtVendor.createJwt( + issuer, + subject, + audience, + expirySeconds, + roles, + backendRoles, + false + ); SignedJWT signedJWT = SignedJWT.parse(authToken.getCompleteToken()); @@ -141,7 +146,15 @@ public void testCreateJwtWithBackendRolesIncluded() throws Exception { // CS-ENFORCE-SINGLE .build(); final OBOJwtVendor OBOJwtVendor = new OBOJwtVendor(settings, Optional.of(currentTime)); - final ExpiringBearerAuthToken authToken = OBOJwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, backendRoles, true); + final ExpiringBearerAuthToken authToken = OBOJwtVendor.createJwt( + issuer, + subject, + audience, + expirySeconds, + roles, + backendRoles, + true + ); SignedJWT signedJWT = SignedJWT.parse(authToken.getCompleteToken()); 
@@ -191,7 +204,15 @@ public void testCreateJwtWithExceededExpiry() throws Exception { Settings settings = Settings.builder().put("signing_key", signingKeyB64Encoded).put("encryption_key", claimsEncryptionKey).build(); OBOJwtVendor OBOJwtVendor = new OBOJwtVendor(settings, Optional.of(currentTime)); - final ExpiringBearerAuthToken authToken = OBOJwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, backendRoles, true); + final ExpiringBearerAuthToken authToken = OBOJwtVendor.createJwt( + issuer, + subject, + audience, + expirySeconds, + roles, + backendRoles, + true + ); // Expiry is a hint, the max value is controlled by the JwtVendor and reduced as is seen fit. assertThat(authToken.getExpiresInSeconds(), not(equalTo(expirySeconds))); assertThat(authToken.getExpiresInSeconds(), equalTo(600L)); 
@@ -279,19 +300,12 @@ public void testCreateJwtForApiTokenSuccess() throws Exception { final String issuer = "cluster_0"; final String subject = "test-token"; final String audience = "test-token"; - final List clusterPermissions = List.of("cluster:admin/*"); - ApiToken.IndexPermission indexPermission = new ApiToken.IndexPermission(List.of("*"), List.of("read")); - final List indexPermissions = List.of(indexPermission); - final String expectedClusterPermissions = "cluster:admin/*"; - final String expectedIndexPermissions = "[" - + indexPermission.toXContent(XContentFactory.jsonBuilder(), ToXContent.EMPTY_PARAMS).toString() - + "]"; LongSupplier currentTime = () -> (long) 100; String claimsEncryptionKey = "1234567890123456"; Settings settings = Settings.builder().put("signing_key", signingKeyB64Encoded).put("encryption_key", claimsEncryptionKey).build(); - final OBOJwtVendor OBOJwtVendor = new OBOJwtVendor(settings, Optional.of(currentTime)); - final ExpiringBearerAuthToken authToken = OBOJwtVendor.createJwt(issuer, subject, audience, Long.MAX_VALUE); + final ApiTokenJwtVendor apiTokenJwtVendor = new ApiTokenJwtVendor(settings, Optional.of(currentTime)); + final ExpiringBearerAuthToken authToken = apiTokenJwtVendor.createJwt(issuer, subject, audience, Long.MAX_VALUE); SignedJWT signedJWT = SignedJWT.parse(authToken.getCompleteToken()); 
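Review bot: `testCreateJwtForApiTokenSuccess` now exercises `ApiTokenJwtVendor` instead of `OBOJwtVendor`, but the only expiration it passes is `Long.MAX_VALUE`, and the `exp` assertion in the following hunk's context checks that this sentinel is passed straight through. The OBO test at line ~204 documents that the vendor may reduce a requested expiry ("Expiry is a hint, the max value is controlled by the JwtVendor"), so whether the API token vendor applies any cap is currently untested. A second test method that passes a finite `expiration` and asserts the resulting `exp` claim (in whatever unit `createJwt` takes for that argument) would pin that behaviour down; its body would mirror this test with a different expiration value and expected claim. Removing the unused `clusterPermissions`/`indexPermissions` locals is fine, as nothing remaining in the test reads them.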
@@ -303,19 +317,6 @@ public void testCreateJwtForApiTokenSuccess() throws Exception { assertThat(((Date) signedJWT.getJWTClaimsSet().getClaims().get("exp")).getTime() / 1000, equalTo(Long.MAX_VALUE / 1000)); } - @Test - public void testEncryptJwtCorrectly() { - String claimsEncryptionKey = BaseEncoding.base64().encode("1234567890123456".getBytes(StandardCharsets.UTF_8)); - String token = - "eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJkZXJlayI6ImlzIGF3ZXNvbWUifQ.aPp9mSaBRBUzMJ8V_MYWUs8UoGYnJDNVriu3B9MRJpPNZtOhnIfATE0Ghmms2bGRNw9rmyRn1VIDQRmxSOTu3w"; - String expectedEncryptedToken = - "k3JQNRXR57Y4V4W1LNkpEP7FTJZos7fySJDJDGuBQXe7pi9aiEIGJ7JqjezssGRZ1AZGD/QTPQ0jjaV+rEICxBO9oyfTYWIoDdnAg5LijqPAzaULp48hi+/dqXXAAhi1zIlCSjqTDoZMTyjFxq4aRlPLjjQFuVxR3gIDMNnAUnvmFu5xh5AiVeKa1dwGy5X34Ou2i9pnQzmEDJDnf6mh7w2ODkDThJGh8JUlsUlfZEq6NwVN1XNyOr2IhPd3IZYUMgN3vWHyfjs6uwQNyHKHHcxIj4P8bJXLIGxJy3+LV5Y="; - Settings settings = Settings.builder().put("signing_key", signingKeyB64Encoded).put("encryption_key", claimsEncryptionKey).build(); - LongSupplier currentTime = () -> (long) 100; - OBOJwtVendor OBOJwtVendor = new OBOJwtVendor(settings, Optional.of(currentTime)); - assertThat(OBOJwtVendor.encryptString(token), equalTo(expectedEncryptedToken)); - } - @Test public void testKeyTooShortThrowsException() { String claimsEncryptionKey = RandomStringUtils.randomAlphanumeric(16); diff --git a/src/test/java/org/opensearch/security/identity/SecurityTokenManagerTest.java b/src/test/java/org/opensearch/security/identity/SecurityTokenManagerTest.java index 4c3efc4aab..fb553f8a11 100644 --- a/src/test/java/org/opensearch/security/identity/SecurityTokenManagerTest.java +++ b/src/test/java/org/opensearch/security/identity/SecurityTokenManagerTest.java 
@@ -28,6 +28,7 @@ import org.opensearch.identity.Subject; import org.opensearch.identity.tokens.AuthToken; import org.opensearch.identity.tokens.OnBehalfOfClaims; +import org.opensearch.security.authtoken.jwt.ApiTokenJwtVendor; import org.opensearch.security.authtoken.jwt.ExpiringBearerAuthToken; import org.opensearch.security.authtoken.jwt.OBOJwtVendor; import org.opensearch.security.securityconf.ConfigModel; @@ -61,7 +62,9 @@ public class SecurityTokenManagerTest { private SecurityTokenManager tokenManager; @Mock - private OBOJwtVendor OBOJwtVendor; + private OBOJwtVendor oboJwtVendor; + @Mock + private ApiTokenJwtVendor apiTokenJwtVendor; @Mock private ClusterService cs; @Mock @@ -113,7 +116,7 @@ public void onDynamicConfigModelChanged_JwtVendorDisabled() { assertThat(tokenManager.issueOnBehalfOfTokenAllowed(), equalTo(false)); verify(dcm).getDynamicOnBehalfOfSettings(); - verify(tokenManager, never()).createJwtVendor(any()); + verify(tokenManager, never()).createOboJwtVendor(any()); } /** Creates the jwt vendor and returns a mock for validation if needed */ @@ -122,7 +125,7 @@ private DynamicConfigModel createMockJwtVendorInTokenManager() { final DynamicConfigModel dcm = mock(DynamicConfigModel.class); when(dcm.getDynamicOnBehalfOfSettings()).thenReturn(settings); when(dcm.getDynamicApiTokenSettings()).thenReturn(settings); - doAnswer((invocation) -> OBOJwtVendor).when(tokenManager).createJwtVendor(settings); + doAnswer((invocation) -> oboJwtVendor).when(tokenManager).createOboJwtVendor(settings); tokenManager.onDynamicConfigModelChanged(dcm); return dcm; } 
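Review bot: The new `@Mock ApiTokenJwtVendor apiTokenJwtVendor` is declared but never injected into the manager: `createMockJwtVendorInTokenManager` stubs only `createOboJwtVendor(settings)` to return `oboJwtVendor`, while `SecurityTokenManager.createApiTokenJwtVendor(final Settings settings)` (visible as the hunk header of the SecurityTokenManager.java section above) is left to build a real vendor. As a result the `when(apiTokenJwtVendor.createJwt(...))` stub added in `issueApiToken_success` (next hunk) configures a mock that `tokenManager` never holds, unless the wiring happens in a part of the test class outside this hunk. Adding `doAnswer((invocation) -> apiTokenJwtVendor).when(tokenManager).createApiTokenJwtVendor(settings);` next to the existing `doAnswer` line in the helper would route it correctly.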
@@ -213,7 +216,7 @@ public void issueOnBehalfOfToken_jwtGenerationFailure() throws Exception { createMockJwtVendorInTokenManager(); - when(OBOJwtVendor.createJwt(any(), anyString(), anyString(), anyLong(), any(), any(), anyBoolean())).thenThrow( + when(oboJwtVendor.createJwt(any(), anyString(), anyString(), anyLong(), any(), any(), anyBoolean())).thenThrow( new RuntimeException("foobar") ); final OpenSearchSecurityException exception = assertThrows( @@ -240,7 +243,7 @@ public void issueOnBehalfOfToken_success() throws Exception { createMockJwtVendorInTokenManager(); final ExpiringBearerAuthToken authToken = mock(ExpiringBearerAuthToken.class); - when(OBOJwtVendor.createJwt(any(), anyString(), anyString(), anyLong(), any(), any(), anyBoolean())).thenReturn(authToken); + when(oboJwtVendor.createJwt(any(), anyString(), anyString(), anyLong(), any(), any(), anyBoolean())).thenReturn(authToken); final AuthToken returnedToken = tokenManager.issueOnBehalfOfToken(null, new OnBehalfOfClaims("elmo", 450L)); assertThat(returnedToken, equalTo(authToken)); @@ -261,7 +264,7 @@ public void issueApiToken_success() throws Exception { createMockJwtVendorInTokenManager(); final ExpiringBearerAuthToken authToken = mock(ExpiringBearerAuthToken.class); - when(OBOJwtVendor.createJwt(anyString(), anyString(), anyString(), anyLong())).thenReturn(authToken); + when(apiTokenJwtVendor.createJwt(anyString(), anyString(), anyString(), anyLong())).thenReturn(authToken); final AuthToken returnedToken = tokenManager.issueApiToken("elmo", Long.MAX_VALUE); assertThat(returnedToken, equalTo(authToken)); 
@@ -282,7 +285,7 @@ public void encryptCallsJwtEncrypt() throws Exception { createMockJwtVendorInTokenManager(); final ExpiringBearerAuthToken authToken = mock(ExpiringBearerAuthToken.class); - when(OBOJwtVendor.createJwt(anyString(), anyString(), anyString(), anyLong())).thenReturn(authToken); + when(oboJwtVendor.createJwt(anyString(), anyString(), anyString(), anyLong())).thenReturn(authToken); final AuthToken returnedToken = tokenManager.issueApiToken("elmo", Long.MAX_VALUE); assertThat(returnedToken, equalTo(authToken)); diff --git a/src/test/java/org/opensearch/security/privileges/RestLayerPrivilegesEvaluatorTest.java b/src/test/java/org/opensearch/security/privileges/RestLayerPrivilegesEvaluatorTest.java index da35226d62..9fdba2b407 100644 --- a/src/test/java/org/opensearch/security/privileges/RestLayerPrivilegesEvaluatorTest.java +++ b/src/test/java/org/opensearch/security/privileges/RestLayerPrivilegesEvaluatorTest.java @@ -31,6 +31,7 @@ import org.opensearch.cluster.service.ClusterService; import org.opensearch.common.settings.Settings; import org.opensearch.common.util.concurrent.ThreadContext; +import org.opensearch.security.action.apitokens.ApiTokenRepository; import org.opensearch.security.auditlog.NullAuditLog; import org.opensearch.security.securityconf.ConfigModel; import org.opensearch.security.securityconf.DynamicConfigModel; @@ -160,7 +161,8 @@ PrivilegesEvaluator createPrivilegesEvaluator(SecurityDynamicConfiguration
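Review bot: `encryptCallsJwtEncrypt` keeps stubbing the four-argument `createJwt` on `oboJwtVendor` while the call under test is `tokenManager.issueApiToken(...)`, whereas the sibling `issueApiToken_success` in the previous hunk was switched to `apiTokenJwtVendor` for the identical stub and call. The two tests now disagree about which vendor issues API tokens, and only one of them can be stubbing the object the manager actually uses. For consistency the line should read `when(apiTokenJwtVendor.createJwt(anyString(), anyString(), anyString(), anyLong())).thenReturn(authToken);`. The test name also no longer describes an encryption assertion as far as the visible lines show; if the method body beyond the hunk has no such assertion, renaming or folding it into `issueApiToken_success` would avoid a misleading test name.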