From 12cf9981008e31c06be8b2c731070f54bc5957ab Mon Sep 17 00:00:00 2001 From: Ryan Liang Date: Mon, 24 Jul 2023 17:23:31 -0700 Subject: [PATCH] Refactor the wrapper of security manager into keyutils and fix lint Signed-off-by: Ryan Liang --- .../http/OnBehalfOfAuthenticator.java | 18 +---- .../org/opensearch/security/util/keyUtil.java | 78 ++++++++++++------- .../http/OnBehalfOfAuthenticatorTest.java | 8 +- 3 files changed, 55 insertions(+), 49 deletions(-) diff --git a/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java b/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java index d2defa7345..14b67c3571 100644 --- a/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java +++ b/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java @@ -59,24 +59,12 @@ public OnBehalfOfAuthenticator(Settings settings) { } private JwtParser initParser(final String signingKey) { - final SecurityManager sm = System.getSecurityManager(); + JwtParser _jwtParser = keyUtil.keyAlgorithmCheck(signingKey, log); - if (sm != null) { - sm.checkPermission(new SpecialPermission()); + if (_jwtParser == null) { + throw new RuntimeException("Unable to find on behalf of authenticator signing key"); } - JwtParser _jwtParser = AccessController.doPrivileged(new PrivilegedAction() { - @Override - public JwtParser run() { - JwtParser parser = keyUtil.keyAlgorithmCheck(signingKey, log); - if (parser != null) { - return parser; - } else { - throw new RuntimeException("Unable to find on behalf of authenticator signing key"); - } - } - }); - return _jwtParser; } diff --git a/src/main/java/org/opensearch/security/util/keyUtil.java b/src/main/java/org/opensearch/security/util/keyUtil.java index 2dc7d1e72b..6d35d2c395 100644 --- a/src/main/java/org/opensearch/security/util/keyUtil.java +++ b/src/main/java/org/opensearch/security/util/keyUtil.java 
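Review bot: The new initParser body keeps the leading-underscore local `_jwtParser`, which Java naming conventions avoid; the guard reads cleaner without it, e.g. `final JwtParser parser = keyUtil.keyAlgorithmCheck(signingKey, log);` then `if (parser == null) { throw new RuntimeException("Unable to find on behalf of authenticator signing key"); }` and `return parser;`. With the SecurityManager/doPrivileged block moved into keyUtil, `SpecialPermission`, `AccessController` and `PrivilegedAction` are no longer referenced in this hunk; the diffstat for this file shows two deletions beyond what the hunk contains, presumably import lines, so please confirm no unused import survives given the commit's lint goal. Since keyAlgorithmCheck now returns null only for a missing or empty key, a more specific type such as `IllegalStateException` would describe the failure better than a bare RuntimeException.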
@@ -14,10 +14,13 @@ import io.jsonwebtoken.JwtParser; import io.jsonwebtoken.Jwts; import org.apache.logging.log4j.Logger; +import org.opensearch.SpecialPermission; +import java.security.AccessController; import java.security.Key; import java.security.KeyFactory; import java.security.NoSuchAlgorithmException; +import java.security.PrivilegedAction; import java.security.PublicKey; import java.security.spec.InvalidKeySpecException; import java.security.spec.X509EncodedKeySpec; 
@@ -27,40 +30,55 @@ public class keyUtil { public static JwtParser keyAlgorithmCheck(final String signingKey, final Logger log) { - if (signingKey == null || signingKey.length() == 0) { - log.error("Unable to find signing key"); - return null; - } else { - try { - Key key = null; - - final String minimalKeyFormat = signingKey.replace("-----BEGIN PUBLIC KEY-----\n", "") - .replace("-----END PUBLIC KEY-----", ""); - - final byte[] decoded = Base64.getDecoder().decode(minimalKeyFormat); - - try { - key = getPublicKey(decoded, "RSA"); - } catch (Exception e) { - log.debug("No public RSA key, try other algos ({})", e.toString()); - } + final SecurityManager sm = System.getSecurityManager(); - try { - key = getPublicKey(decoded, "EC"); - } catch (final Exception e) { - log.debug("No public ECDSA key, try other algos ({})", e.toString()); - } + JwtParser jwtParser = null; - if (Objects.nonNull(key)) { - return Jwts.parserBuilder().setSigningKey(key).build(); - } + if (sm != null) { + sm.checkPermission(new SpecialPermission()); + } + + jwtParser = AccessController.doPrivileged(new PrivilegedAction() { + @Override + public JwtParser run() { + if (signingKey == null || signingKey.length() == 0) { + log.error("Unable to find signing key"); + return null; + } else { + try { + Key key = null; + + final String minimalKeyFormat = signingKey.replace("-----BEGIN PUBLIC KEY-----\n", "") + .replace("-----END PUBLIC KEY-----", ""); + + final byte[] decoded = Base64.getDecoder().decode(minimalKeyFormat); - return Jwts.parserBuilder().setSigningKey(decoded).build(); - } catch (Throwable e) { - log.error("Error while creating JWT authenticator", e); - throw new RuntimeException(e); + try { + key = getPublicKey(decoded, "RSA"); + } catch (Exception e) { + log.debug("No public RSA key, try other algos ({})", e.toString()); + } + + try { + key = getPublicKey(decoded, "EC"); + } catch (final Exception e) { + log.debug("No public ECDSA key, try other algos ({})", e.toString()); + } + + if 
(Objects.nonNull(key)) { + return Jwts.parserBuilder().setSigningKey(key).build(); + } + + return Jwts.parserBuilder().setSigningKey(decoded).build(); + } catch (Throwable e) { + log.error("Error while creating JWT authenticator", e); + throw new RuntimeException(e); + } + } } - } + }); + + return jwtParser; } private static PublicKey getPublicKey(final byte[] keyBytes, final String algo) throws NoSuchAlgorithmException, diff --git a/src/test/java/org/opensearch/security/http/OnBehalfOfAuthenticatorTest.java b/src/test/java/org/opensearch/security/http/OnBehalfOfAuthenticatorTest.java index 2b21de56ca..669245dac2 100644 --- a/src/test/java/org/opensearch/security/http/OnBehalfOfAuthenticatorTest.java +++ b/src/test/java/org/opensearch/security/http/OnBehalfOfAuthenticatorTest.java @@ -136,10 +136,10 @@ public void testDisabled() throws Exception { @Test public void testNonSpecifyOBOSetting() throws Exception { String jwsToken = Jwts.builder() - .setSubject("Leonard McCoy") - .setAudience("ext_0") - .signWith(Keys.hmacShaKeyFor(Base64.getDecoder().decode(signingKeyB64Encoded)), SignatureAlgorithm.HS512) - .compact(); + .setSubject("Leonard McCoy") + .setAudience("ext_0") + .signWith(Keys.hmacShaKeyFor(Base64.getDecoder().decode(signingKeyB64Encoded)), SignatureAlgorithm.HS512) + .compact(); OnBehalfOfAuthenticator jwtAuth = new OnBehalfOfAuthenticator(nonSpecifyOBOSetting()); Map headers = new HashMap();
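Review bot: The anonymous `new PrivilegedAction()` in keyAlgorithmCheck is a raw type; declare it as `new PrivilegedAction<JwtParser>()` so the compiler checks the return type of `run()` and the assignment to `jwtParser` involves no unchecked conversion (the code being replaced had the same raw type, so this is the moment to fix it). The privileged section now wraps the whole method body, including the null/empty check, the log calls and the Base64 decoding, none of which need elevated permissions; keeping the `doPrivileged` block to the KeyFactory and parser-building calls it exists for follows least privilege and makes it easier to audit what runs with the plugin's permissions — at minimum hoist the guard `if (signingKey == null || signingKey.isEmpty()) { log.error("Unable to find signing key"); return null; }` above `checkPermission`. The `JwtParser jwtParser = null;` initializer is dead because the variable is assigned unconditionally from doPrivileged; `final JwtParser jwtParser = AccessController.doPrivileged(...)` is clearer. Catching `Throwable` inside the action also converts JVM errors into a RuntimeException; `Exception` is the narrower choice. keyAlgorithmCheck starts in this hunk and the rest of the class (getPublicKey) continues beyond it.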