Refactor the wrapper of security manager into keyutils and fix lint

Signed-off-by: Ryan Liang <jiallian@amazon.com>
RyanL1997 · Jul 25, 2023 · 12cf998 · 12cf998
1 parent 6d3a168
commit 12cf998
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 49 deletions.
diff --git a/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java b/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java
@@ -59,24 +59,12 @@ public OnBehalfOfAuthenticator(Settings settings) {
     }
 
     private JwtParser initParser(final String signingKey) {
-        final SecurityManager sm = System.getSecurityManager();
+        JwtParser _jwtParser = keyUtil.keyAlgorithmCheck(signingKey, log);
 
-        if (sm != null) {
-            sm.checkPermission(new SpecialPermission());
+        if (_jwtParser == null) {
+            throw new RuntimeException("Unable to find on behalf of authenticator signing key");
         }
 
-        JwtParser _jwtParser = AccessController.doPrivileged(new PrivilegedAction<JwtParser>() {
-            @Override
-            public JwtParser run() {
-                JwtParser parser = keyUtil.keyAlgorithmCheck(signingKey, log);
-                if (parser != null) {
-                    return parser;
-                } else {
-                    throw new RuntimeException("Unable to find on behalf of authenticator signing key");
-                }
-            }
-        });
-
         return _jwtParser;
     }
 

diff --git a/src/main/java/org/opensearch/security/util/keyUtil.java b/src/main/java/org/opensearch/security/util/keyUtil.java
@@ -14,10 +14,13 @@
 import io.jsonwebtoken.JwtParser;
 import io.jsonwebtoken.Jwts;
 import org.apache.logging.log4j.Logger;
+import org.opensearch.SpecialPermission;
 
+import java.security.AccessController;
 import java.security.Key;
 import java.security.KeyFactory;
 import java.security.NoSuchAlgorithmException;
+import java.security.PrivilegedAction;
 import java.security.PublicKey;
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.X509EncodedKeySpec;
@@ -27,40 +30,55 @@
 public class keyUtil {
 
     public static JwtParser keyAlgorithmCheck(final String signingKey, final Logger log) {
-        if (signingKey == null || signingKey.length() == 0) {
-            log.error("Unable to find signing key");
-            return null;
-        } else {
-            try {
-                Key key = null;
-
-                final String minimalKeyFormat = signingKey.replace("-----BEGIN PUBLIC KEY-----\n", "")
-                    .replace("-----END PUBLIC KEY-----", "");
-
-                final byte[] decoded = Base64.getDecoder().decode(minimalKeyFormat);
-
-                try {
-                    key = getPublicKey(decoded, "RSA");
-                } catch (Exception e) {
-                    log.debug("No public RSA key, try other algos ({})", e.toString());
-                }
+        final SecurityManager sm = System.getSecurityManager();
 
-                try {
-                    key = getPublicKey(decoded, "EC");
-                } catch (final Exception e) {
-                    log.debug("No public ECDSA key, try other algos ({})", e.toString());
-                }
+        JwtParser jwtParser = null;
 
-                if (Objects.nonNull(key)) {
-                    return Jwts.parserBuilder().setSigningKey(key).build();
-                }
+        if (sm != null) {
+            sm.checkPermission(new SpecialPermission());
+        }
+
+        jwtParser = AccessController.doPrivileged(new PrivilegedAction<JwtParser>() {
+            @Override
+            public JwtParser run() {
+                if (signingKey == null || signingKey.length() == 0) {
+                    log.error("Unable to find signing key");
+                    return null;
+                } else {
+                    try {
+                        Key key = null;
+
+                        final String minimalKeyFormat = signingKey.replace("-----BEGIN PUBLIC KEY-----\n", "")
+                            .replace("-----END PUBLIC KEY-----", "");
+
+                        final byte[] decoded = Base64.getDecoder().decode(minimalKeyFormat);
 
-                return Jwts.parserBuilder().setSigningKey(decoded).build();
-            } catch (Throwable e) {
-                log.error("Error while creating JWT authenticator", e);
-                throw new RuntimeException(e);
+                        try {
+                            key = getPublicKey(decoded, "RSA");
+                        } catch (Exception e) {
+                            log.debug("No public RSA key, try other algos ({})", e.toString());
+                        }
+
+                        try {
+                            key = getPublicKey(decoded, "EC");
+                        } catch (final Exception e) {
+                            log.debug("No public ECDSA key, try other algos ({})", e.toString());
+                        }
+
+                        if (Objects.nonNull(key)) {
+                            return Jwts.parserBuilder().setSigningKey(key).build();
+                        }
+
+                        return Jwts.parserBuilder().setSigningKey(decoded).build();
+                    } catch (Throwable e) {
+                        log.error("Error while creating JWT authenticator", e);
+                        throw new RuntimeException(e);
+                    }
+                }
             }
-        }
+        });
+
+        return jwtParser;
     }
 
     private static PublicKey getPublicKey(final byte[] keyBytes, final String algo) throws NoSuchAlgorithmException,

diff --git a/src/test/java/org/opensearch/security/http/OnBehalfOfAuthenticatorTest.java b/src/test/java/org/opensearch/security/http/OnBehalfOfAuthenticatorTest.java
@@ -136,10 +136,10 @@ public void testDisabled() throws Exception {
     @Test
     public void testNonSpecifyOBOSetting() throws Exception {
         String jwsToken = Jwts.builder()
-                .setSubject("Leonard McCoy")
-                .setAudience("ext_0")
-                .signWith(Keys.hmacShaKeyFor(Base64.getDecoder().decode(signingKeyB64Encoded)), SignatureAlgorithm.HS512)
-                .compact();
+            .setSubject("Leonard McCoy")
+            .setAudience("ext_0")
+            .signWith(Keys.hmacShaKeyFor(Base64.getDecoder().decode(signingKeyB64Encoded)), SignatureAlgorithm.HS512)
+            .compact();
 
         OnBehalfOfAuthenticator jwtAuth = new OnBehalfOfAuthenticator(nonSpecifyOBOSetting());
         Map<String, String> headers = new HashMap<String, String>();