OBO edge cases commit 0

Signed-off-by: Ryan Liang <jiallian@amazon.com>

src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java

@@ -105,13 +105,16 @@ public String createJwt(
         List<String> roles,
         List<String> backendRoles
     ) throws Exception {
+        String tokenIdentifier = "OBO";
         long timeMillis = timeProvider.getAsLong();
         Instant now = Instant.ofEpochMilli(timeProvider.getAsLong());
 
         jwtProducer.setSignatureProvider(JwsUtils.getSignatureProvider(signingKey));
         JwtClaims jwtClaims = new JwtClaims();
         JwtToken jwt = new JwtToken(jwtClaims);
 
+        jwtClaims.setProperty("token_identifier", tokenIdentifier);
+
         jwtClaims.setIssuer(issuer);
 
         jwtClaims.setIssuedAt(timeMillis);

src/main/java/org/opensearch/security/filter/SecurityRestFilter.java

@@ -259,6 +259,17 @@ private boolean checkAndAuthenticateRequest(RestRequest request, RestChannel cha
             }
         }
 
+        if (HTTPHelper.containsOBOToken(request)) {
+            String OBO_ENDPOINT_PREFIX = "_plugins/_security/api/user/onbehalfof";
+            if (request.method() == Method.POST && OBO_ENDPOINT_PREFIX.equals(suffix)) {
+                final OpenSearchException exception = ExceptionUtils.invalidUsageOfOBOTokenException();
+                log.error(exception.toString());
+                auditLog.logBadHeaders(request);
+                channel.sendResponse(new BytesRestResponse(channel, RestStatus.FORBIDDEN, exception));
+                return true;
+            }
+        }
+
         return false;
     }
 

src/main/java/org/opensearch/security/ssl/util/ExceptionUtils.java

@@ -64,6 +64,10 @@ public static OpenSearchException createBadHeaderException() {
         );
     }
 
+    public static OpenSearchException invalidUsageOfOBOTokenException() {
+        return new OpenSearchException("On-Behalf-Token is not allowed to access this endopoint.");
+    }
+
     public static OpenSearchException createTransportClientNoLongerSupportedException() {
         return new OpenSearchException("Transport client authentication no longer supported.");
     }

src/main/java/org/opensearch/security/support/HTTPHelper.java

@@ -31,6 +31,9 @@
 import java.util.List;
 import java.util.Map;
 
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.Jws;
+import io.jsonwebtoken.Jwts;
 import org.apache.logging.log4j.Logger;
 
 import org.opensearch.rest.RestRequest;
@@ -100,4 +103,40 @@ public static boolean containsBadHeader(final RestRequest request) {
 
         return false;
     }
+
+    public static boolean containsOBOToken(final RestRequest request){
+        final Map<String, List<String>> headers;
+
+        if (request != null && (headers = request.getHeaders()) != null) {
+            List<String> authHeaders = headers.get("Authorization");
+            if (authHeaders != null && !authHeaders.isEmpty()) {
+                // Iterate through the list of 'Authorization' headers, checking each for the 'Bearer' prefix.
+                for (String authHeader : authHeaders) {
+                    if (authHeader != null && authHeader.startsWith("Bearer ")) {
+                        // Header found, extract the token to verify it's an OBO token.
+                        String token = authHeader.substring("Bearer ".length());
+                        if (isOBOToken(token)) {
+                            return true;
+                        }
+                    }
+                }
+            }
+        }
+
+        return false;
+    }
+
+    private static boolean isOBOToken(String token) {
+        String tokenIdentifierClaimKey = "token_identifier";
+        String tokenIdentifier = "OBO";
+
+        Jws<Claims> claimsJws = Jwts.parserBuilder().build().parseClaimsJws(token);
+        Claims claims = claimsJws.getBody();
+
+        if (claims.containsKey(tokenIdentifierClaimKey) && tokenIdentifier.equals(claims.get(tokenIdentifierClaimKey))) {
+            return true;
+        }
+        return false;
+    }
+
 }