Encapsulate the logic for endpoints access checking into a method

RyanL1997 · RyanL1997 · commit e23d757a9328 · 2023-08-22T09:24:56.000-07:00
Signed-off-by: Ryan Liang &lt;jiallian@amazon.com&gt;
diff --git a/src/main/java/org/opensearch/security/action/onbehalf/CreateOnBehalfOfTokenAction.java b/src/main/java/org/opensearch/security/action/onbehalf/CreateOnBehalfOfTokenAction.java
@@ -110,7 +110,10 @@ public void accept(RestChannel channel) throws Exception {
                 try {
                     if (vendor == null) {
                         channel.sendResponse(
-                            new BytesRestResponse(RestStatus.SERVICE_UNAVAILABLE, "on_behalf_of is either disabled or the configuration is invalid")
+                            new BytesRestResponse(
+                                RestStatus.SERVICE_UNAVAILABLE,
+                                "on_behalf_of is either disabled or the configuration is invalid"
+                            )
                         );
                         return;
                     }
diff --git a/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java b/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java
@@ -181,12 +181,7 @@ private AuthCredentials extractCredentials0(final RestRequest request) {
         }
 
         try {
-            Matcher matcher = PATTERN_PATH_PREFIX.matcher(request.path());
-            final String suffix = matcher.matches() ? matcher.group(2) : null;
-            if (request.method() == RestRequest.Method.POST && ON_BEHALF_OF_SUFFIX.equals(suffix)
-                || request.method() == RestRequest.Method.PUT && ACCOUNT_SUFFIX.equals(suffix)) {
-                final OpenSearchException exception = ExceptionUtils.invalidUsageOfOBOTokenException();
-                log.error(exception.toString());
+            if (!isAllowedRequest(request)) {
                 return null;
             }
 
@@ -234,6 +229,18 @@ private AuthCredentials extractCredentials0(final RestRequest request) {
         }
     }
 
+    public Boolean isAllowedRequest(final RestRequest request) {
+        Matcher matcher = PATTERN_PATH_PREFIX.matcher(request.path());
+        final String suffix = matcher.matches() ? matcher.group(2) : null;
+        if (request.method() == RestRequest.Method.POST && ON_BEHALF_OF_SUFFIX.equals(suffix)
+            || request.method() == RestRequest.Method.PUT && ACCOUNT_SUFFIX.equals(suffix)) {
+            final OpenSearchException exception = ExceptionUtils.invalidUsageOfOBOTokenException();
+            log.error(exception.toString());
+            return false;
+        }
+        return true;
+    }
+
     @Override
     public boolean reRequestAuthentication(final RestChannel channel, AuthCredentials creds) {
         return false;
diff --git a/src/test/java/org/opensearch/security/http/OnBehalfOfAuthenticatorTest.java b/src/test/java/org/opensearch/security/http/OnBehalfOfAuthenticatorTest.java
@@ -237,11 +237,7 @@ public void testRoles() throws Exception {
         final AuthCredentials credentials = extractCredentialsFromJwtHeader(
             signingKeyB64Encoded,
             claimsEncryptionKey,
-            Jwts.builder()
-                .setIssuer(clusterNameString)
-                .setSubject("Leonard McCoy")
-                .claim("dr", "role1,role2")
-                .setAudience("svc1"),
+            Jwts.builder().setIssuer(clusterNameString).setSubject("Leonard McCoy").claim("dr", "role1,role2").setAudience("svc1"),
             true
         );
 
@@ -257,11 +253,7 @@ public void testNullClaim() throws Exception {
         final AuthCredentials credentials = extractCredentialsFromJwtHeader(
             signingKeyB64Encoded,
             claimsEncryptionKey,
-            Jwts.builder()
-                .setIssuer(clusterNameString)
-                .setSubject("Leonard McCoy")
-                .claim("dr", null)
-                .setAudience("svc1"),
+            Jwts.builder().setIssuer(clusterNameString).setSubject("Leonard McCoy").claim("dr", null).setAudience("svc1"),
             false
         );
 
@@ -276,11 +268,7 @@ public void testNonStringClaim() throws Exception {
         final AuthCredentials credentials = extractCredentialsFromJwtHeader(
             signingKeyB64Encoded,
             claimsEncryptionKey,
-            Jwts.builder()
-                .setIssuer(clusterNameString)
-                .setSubject("Leonard McCoy")
-                .claim("dr", 123L)
-                .setAudience("svc1"),
+            Jwts.builder().setIssuer(clusterNameString).setSubject("Leonard McCoy").claim("dr", 123L).setAudience("svc1"),
             true
         );
 
@@ -312,11 +300,7 @@ public void testWrongSubjectKey() throws Exception {
         final AuthCredentials credentials = extractCredentialsFromJwtHeader(
             signingKeyB64Encoded,
             claimsEncryptionKey,
-            Jwts.builder()
-                .setIssuer(clusterNameString)
-                .claim("roles", "role1,role2")
-                .claim("asub", "Dr. Who")
-                .setAudience("svc1"),
+            Jwts.builder().setIssuer(clusterNameString).claim("roles", "role1,role2").claim("asub", "Dr. Who").setAudience("svc1"),
             false
         );
 
