Refactor the bwc mode into roleSecurityMode

RyanL1997 · RyanL1997 · commit e1021c258b63 · 2023-08-23T13:36:05.000-07:00
Signed-off-by: Ryan Liang &lt;jiallian@amazon.com&gt;
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -1119,23 +1119,6 @@ public Settings additionalSettings() {
         }
         return builder.build();
     }
-    // CS-SUPPRESS-SINGLE: RegexpSingleline get Extensions Settings
-
-    @Override
-    public List<Setting<?>> getExtensionSettings() {
-        List<Setting<?>> extensionSettings = new ArrayList<Setting<?>>();
-
-        extensionSettings.add(
-            Setting.boolSetting(
-                ConfigConstants.EXTENSIONS_BWC_PLUGIN_MODE,
-                ConfigConstants.EXTENSIONS_BWC_PLUGIN_MODE_DEFAULT,
-                Property.ExtensionScope,
-                Property.Final
-            )
-        );
-        return extensionSettings;
-    }
-    // CS-ENFORCE-SINGLE:
 
     @Override
     public List<Setting<?>> getSettings() {
diff --git a/src/main/java/org/opensearch/security/action/onbehalf/CreateOnBehalfOfTokenAction.java b/src/main/java/org/opensearch/security/action/onbehalf/CreateOnBehalfOfTokenAction.java
@@ -135,6 +135,10 @@ public void accept(RestChannel channel) throws Exception {
                         .map(value -> Math.min(value, OBO_MAX_EXPIRY_SECONDS)) // Max duration seconds are 600
                         .orElse(OBO_DEFAULT_EXPIRY_SECONDS); // Fallback to default
 
+                    final Boolean roleSecurityMode = Optional.ofNullable(requestBody.get("roleSecurityMode"))
+                        .map(value -> (Boolean) value)
+                        .orElse(false); // Default to false if null
+
                     final String service = (String) requestBody.getOrDefault("service", "self-issued");
                     final User user = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
                     Set<String> mappedRoles = mapRoles(user, /*Do not include host based mappings*/ null);
@@ -148,7 +152,8 @@ public void accept(RestChannel channel) throws Exception {
                         service,
                         tokenDuration,
                         mappedRoles.stream().collect(Collectors.toList()),
-                        user.getRoles().stream().collect(Collectors.toList())
+                        user.getRoles().stream().collect(Collectors.toList()),
+                        roleSecurityMode
                     );
                     builder.field("authenticationToken", token);
                     builder.field("durationSeconds", tokenDuration);
diff --git a/src/main/java/org/opensearch/security/auth/BackendRegistry.java b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
@@ -608,7 +608,7 @@ private User impersonate(final RestRequest request, final User originalUser) thr
             for (final AuthDomain authDomain : restAuthDomains) {
                 final AuthenticationBackend authenticationBackend = authDomain.getBackend();
 
-                //Skip over the OnBehalfOfAuthenticator since it is not compatible for user impersonation
+                // Skip over the OnBehalfOfAuthenticator since it is not compatible for user impersonation
                 if (authDomain.getHttpAuthenticator() instanceof OnBehalfOfAuthenticator) {
                     continue;
                 }
diff --git a/src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java b/src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java
@@ -31,7 +31,6 @@
 
 import org.opensearch.common.settings.Settings;
 import org.opensearch.security.ssl.util.ExceptionUtils;
-import org.opensearch.security.support.ConfigConstants;
 
 public class JwtVendor {
     private static final Logger logger = LogManager.getLogger(JwtVendor.class);
@@ -42,7 +41,6 @@ public class JwtVendor {
     private final JsonWebKey signingKey;
     private final JoseJwtProducer jwtProducer;
     private final LongSupplier timeProvider;
-    private final Boolean bwcModeEnabled;
     private final EncryptionDecryptionUtil encryptionDecryptionUtil;
 
     public JwtVendor(final Settings settings, final Optional<LongSupplier> timeProvider) {
@@ -64,12 +62,6 @@ public JwtVendor(final Settings settings, final Optional<LongSupplier> timeProvi
         } else {
             this.timeProvider = () -> System.currentTimeMillis() / 1000;
         }
-        // CS-SUPPRESS-SINGLE: RegexpSingleline get Extensions Settings
-        this.bwcModeEnabled = settings.getAsBoolean(
-            ConfigConstants.EXTENSIONS_BWC_PLUGIN_MODE,
-            ConfigConstants.EXTENSIONS_BWC_PLUGIN_MODE_DEFAULT
-        );
-        // CS-ENFORCE-SINGLE
     }
 
     /*
@@ -114,7 +106,8 @@ public String createJwt(
         String audience,
         Integer expirySeconds,
         List<String> roles,
-        List<String> backendRoles
+        List<String> backendRoles,
+        Boolean roleSecruityMode
     ) throws Exception {
         final long nowAsMillis = timeProvider.getAsLong();
         final Instant nowAsInstant = Instant.ofEpochMilli(timeProvider.getAsLong());
@@ -147,7 +140,7 @@ public String createJwt(
             throw new Exception("Roles cannot be null");
         }
 
-        if (bwcModeEnabled && backendRoles != null) {
+        if (roleSecruityMode && backendRoles != null) {
             String listOfBackendRoles = String.join(",", backendRoles);
             jwtClaims.setProperty("br", listOfBackendRoles);
         }
diff --git a/src/test/java/org/opensearch/security/authtoken/jwt/JwtVendorTest.java b/src/test/java/org/opensearch/security/authtoken/jwt/JwtVendorTest.java
@@ -67,7 +67,7 @@ public void testCreateJwtWithRoles() throws Exception {
         Long expectedExp = currentTime.getAsLong() + expirySeconds;
 
         JwtVendor jwtVendor = new JwtVendor(settings, Optional.of(currentTime));
-        String encodedJwt = jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, backendRoles);
+        String encodedJwt = jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, backendRoles, false);
 
         JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(encodedJwt);
         JwtToken jwt = jwtConsumer.getJwtToken();
@@ -84,7 +84,7 @@ public void testCreateJwtWithRoles() throws Exception {
     }
 
     @Test
-    public void testCreateJwtWithBackwardsCompatibilityMode() throws Exception {
+    public void testCreateJwtWithRoleSecurityMode() throws Exception {
         String issuer = "cluster_0";
         String subject = "admin";
         String audience = "audience_0";
@@ -104,7 +104,7 @@ public void testCreateJwtWithBackwardsCompatibilityMode() throws Exception {
         Long expectedExp = currentTime.getAsLong() + expirySeconds;
 
         JwtVendor jwtVendor = new JwtVendor(settings, Optional.of(currentTime));
-        String encodedJwt = jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, backendRoles);
+        String encodedJwt = jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, backendRoles, true);
 
         JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(encodedJwt);
         JwtToken jwt = jwtConsumer.getJwtToken();
@@ -134,7 +134,7 @@ public void testCreateJwtWithBadExpiry() {
 
         Throwable exception = Assert.assertThrows(RuntimeException.class, () -> {
             try {
-                jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, List.of());
+                jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, List.of(), false);
             } catch (Exception e) {
                 throw new RuntimeException(e);
             }
@@ -154,7 +154,7 @@ public void testCreateJwtWithBadEncryptionKey() {
 
         Throwable exception = Assert.assertThrows(RuntimeException.class, () -> {
             try {
-                new JwtVendor(settings, Optional.empty()).createJwt(issuer, subject, audience, expirySeconds, roles, List.of());
+                new JwtVendor(settings, Optional.empty()).createJwt(issuer, subject, audience, expirySeconds, roles, List.of(), false);
             } catch (Exception e) {
                 throw new RuntimeException(e);
             }
@@ -175,7 +175,7 @@ public void testCreateJwtWithBadRoles() {
 
         Throwable exception = Assert.assertThrows(RuntimeException.class, () -> {
             try {
-                jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, List.of());
+                jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, List.of(), false);
             } catch (Exception e) {
                 throw new RuntimeException(e);
             }

Original file line number	Diff line number	Diff line change
`@@ -608,7 +608,7 @@ private User impersonate(final RestRequest request, final User originalUser) thr`
`608`	`608`	`for (final AuthDomain authDomain : restAuthDomains) {`
`609`	`609`	`final AuthenticationBackend authenticationBackend = authDomain.getBackend();`
`610`	`610`
`611`		`- //Skip over the OnBehalfOfAuthenticator since it is not compatible for user impersonation`
	`611`	`+ // Skip over the OnBehalfOfAuthenticator since it is not compatible for user impersonation`
`612`	`612`	`if (authDomain.getHttpAuthenticator() instanceof OnBehalfOfAuthenticator) {`
`613`	`613`	`continue;`
`614`	`614`	`}`