Add the check for token type and modify the test cases
Signed-off-by: Ryan Liang <jiallian@amazon.com>
RyanL1997 committed Jul 18, 2023
1 parent bd5b0ae commit 169a920
Showing 3 changed files with 35 additions and 12 deletions.
Expand Up @@ -45,7 +45,8 @@ public class OnBehalfOfAuthenticator implements HTTPAuthenticator {

private static final Pattern BEARER = Pattern.compile("^\\s*Bearer\\s.*", Pattern.CASE_INSENSITIVE);
private static final String BEARER_PREFIX = "bearer ";
private static final String SUBJECT_CLAIM = "sub";
private static final String TOKEN_TYPE_CLAIM = "typ";
private static final String TOKEN_TYPE = "obo";

private final JwtParser jwtParser;
private final String encryptionKey;
Expand Down Expand Up @@ -173,6 +174,12 @@ private AuthCredentials extractCredentials0(final RestRequest request) {
return null;
}

final String tokenType = claims.get(TOKEN_TYPE_CLAIM).toString();
if (tokenType != TOKEN_TYPE) {
log.error("This toke is not verifying as an on-behalf-of token");
return null;
}

List<String> roles = extractSecurityRolesFromClaims(claims);
String[] backendRoles = extractBackendRolesFromClaims(claims);

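Review bot: `if (tokenType != TOKEN_TYPE)` compares String references rather than contents, so a "obo" value parsed out of the token is rejected unless it happens to be the same interned instance as the constant; it should read `if (!TOKEN_TYPE.equals(tokenType))`. The line before it, `claims.get(TOKEN_TYPE_CLAIM).toString()`, throws NullPointerException when the claim is absent, so a token without "typ" is rejected by exception rather than by the intended `return null` unless an enclosing catch outside this hunk absorbs it; fetching the raw value and letting `equals` handle null covers both cases: `final Object tokenType = claims.get(TOKEN_TYPE_CLAIM);` followed by `if (!TOKEN_TYPE.equals(tokenType)) {`. The log message also has a typo, `"This toke is not verifying ..."`. Separately, "typ" is the name of a JOSE header parameter in RFC 7519, so carrying it as a payload claim may confuse readers; a comment on TOKEN_TYPE_CLAIM stating that this is a payload claim and not the header `typ` would help. extractCredentials0 begins and ends outside the hunk.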
Expand Up @@ -62,6 +62,7 @@ public void testCreateJwtWithRoles() throws Exception {
JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(encodedJwt);
JwtToken jwt = jwtConsumer.getJwtToken();

Assert.assertEquals("obo", jwt.getClaim("typ"));
Assert.assertEquals("cluster_0", jwt.getClaim("iss"));
Assert.assertEquals("admin", jwt.getClaim("sub"));
Assert.assertEquals("audience_0", jwt.getClaim("aud"));
Expand Up @@ -50,7 +50,7 @@ public void testNoKey() throws Exception {
final AuthCredentials credentials = extractCredentialsFromJwtHeader(
null,
claimsEncryptionKey,
Jwts.builder().setSubject("Leonard McCoy"),
Jwts.builder().claim("typ", "obo").setSubject("Leonard McCoy"),
false
);
Assert.fail("Expected a RuntimeException");
Expand All @@ -66,7 +66,7 @@ public void testEmptyKey() throws Exception {
final AuthCredentials credentials = extractCredentialsFromJwtHeader(
null,
claimsEncryptionKey,
Jwts.builder().setSubject("Leonard McCoy"),
Jwts.builder().claim("typ", "obo").setSubject("Leonard McCoy"),
false
);
Assert.fail("Expected a RuntimeException");
Expand Down Expand Up @@ -119,6 +119,7 @@ public void testInvalid() throws Exception {
public void testBearer() throws Exception {

String jwsToken = Jwts.builder()
.claim("typ", "obo")
.setSubject("Leonard McCoy")
.setAudience("ext_0")
.signWith(Keys.hmacShaKeyFor(Base64.getDecoder().decode(signingKeyB64Encoded)), SignatureAlgorithm.HS512)
Expand All @@ -141,6 +142,7 @@ public void testBearer() throws Exception {
public void testBearerWrongPosition() throws Exception {

String jwsToken = Jwts.builder()
.claim("typ", "obo")
.setSubject("Leonard McCoy")
.setAudience("ext_0")
.signWith(secretKey, SignatureAlgorithm.HS512)
Expand All @@ -158,6 +160,7 @@ public void testBearerWrongPosition() throws Exception {
@Test
public void testBasicAuthHeader() throws Exception {
String jwsToken = Jwts.builder()
.claim("typ", "obo")
.setSubject("Leonard McCoy")
.setAudience("ext_0")
.signWith(secretKey, SignatureAlgorithm.HS512)
Expand All @@ -173,11 +176,10 @@ public void testBasicAuthHeader() throws Exception {
@Test
public void testRoles() throws Exception {

List<String> roles = List.of("IT", "HR");
final AuthCredentials credentials = extractCredentialsFromJwtHeader(
signingKeyB64Encoded,
claimsEncryptionKey,
Jwts.builder().setSubject("Leonard McCoy").claim("dr", "role1,role2").setAudience("svc1"),
Jwts.builder().claim("typ", "obo").setSubject("Leonard McCoy").claim("dr", "role1,role2").setAudience("svc1"),
true
);

Expand All @@ -187,13 +189,26 @@ public void testRoles() throws Exception {
Assert.assertEquals(0, credentials.getBackendRoles().size());
}

@Test
public void testNoTokenType() throws Exception {

final AuthCredentials credentials = extractCredentialsFromJwtHeader(
signingKeyB64Encoded,
claimsEncryptionKey,
Jwts.builder().setSubject("Leonard McCoy").claim("dr", "role1,role2").setAudience("svc1"),
true
);

Assert.assertNull(credentials);
}

@Test
public void testNullClaim() throws Exception {

final AuthCredentials credentials = extractCredentialsFromJwtHeader(
signingKeyB64Encoded,
claimsEncryptionKey,
Jwts.builder().setSubject("Leonard McCoy").claim("dr", null).setAudience("svc1"),
Jwts.builder().claim("typ", "obo").setSubject("Leonard McCoy").claim("dr", null).setAudience("svc1"),
false
);

Expand All @@ -208,7 +223,7 @@ public void testNonStringClaim() throws Exception {
final AuthCredentials credentials = extractCredentialsFromJwtHeader(
signingKeyB64Encoded,
claimsEncryptionKey,
Jwts.builder().setSubject("Leonard McCoy").claim("dr", 123L).setAudience("svc1"),
Jwts.builder().claim("typ", "obo").setSubject("Leonard McCoy").claim("dr", 123L).setAudience("svc1"),
true
);

Expand All @@ -224,7 +239,7 @@ public void testRolesMissing() throws Exception {
final AuthCredentials credentials = extractCredentialsFromJwtHeader(
signingKeyB64Encoded,
claimsEncryptionKey,
Jwts.builder().setSubject("Leonard McCoy").setAudience("svc1"),
Jwts.builder().claim("typ", "obo").setSubject("Leonard McCoy").setAudience("svc1"),
false
);

Expand All @@ -240,7 +255,7 @@ public void testWrongSubjectKey() throws Exception {
final AuthCredentials credentials = extractCredentialsFromJwtHeader(
signingKeyB64Encoded,
claimsEncryptionKey,
Jwts.builder().claim("roles", "role1,role2").claim("asub", "Dr. Who").setAudience("svc1"),
Jwts.builder().claim("typ", "obo").claim("roles", "role1,role2").claim("asub", "Dr. Who").setAudience("svc1"),
false
);

Expand All @@ -253,7 +268,7 @@ public void testExp() throws Exception {
final AuthCredentials credentials = extractCredentialsFromJwtHeader(
signingKeyB64Encoded,
claimsEncryptionKey,
Jwts.builder().setSubject("Expired").setExpiration(new Date(100)),
Jwts.builder().claim("typ", "obo").setSubject("Expired").setExpiration(new Date(100)),
false
);

Expand All @@ -266,7 +281,7 @@ public void testNbf() throws Exception {
final AuthCredentials credentials = extractCredentialsFromJwtHeader(
signingKeyB64Encoded,
claimsEncryptionKey,
Jwts.builder().setSubject("Expired").setNotBefore(new Date(System.currentTimeMillis() + (1000 * 36000))),
Jwts.builder().claim("typ", "obo").setSubject("Expired").setNotBefore(new Date(System.currentTimeMillis() + (1000 * 36000))),
false
);

Expand All @@ -277,7 +292,7 @@ public void testNbf() throws Exception {
public void testRolesArray() throws Exception {

JwtBuilder builder = Jwts.builder()
.setPayload("{" + "\"sub\": \"Cluster_0\"," + "\"aud\": \"ext_0\"," + "\"dr\": \"a,b,3rd\"" + "}");
.setPayload("{" + "\"typ\": \"obo\"," + "\"sub\": \"Cluster_0\"," + "\"aud\": \"ext_0\"," + "\"dr\": \"a,b,3rd\"" + "}");

final AuthCredentials credentials = extractCredentialsFromJwtHeader(signingKeyB64Encoded, claimsEncryptionKey, builder, true);

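Review bot: The literals "typ" and "obo" are now repeated in every builder across this file; a private static final constant or a small helper such as `private static JwtBuilder oboBuilder() { return Jwts.builder().claim("typ", "obo"); }` would keep the tests aligned with the authenticator's TOKEN_TYPE_CLAIM and TOKEN_TYPE if those values change. testNoTokenType only covers a missing claim; a case with a present but wrong value, e.g. `Jwts.builder().claim("typ", "jwt").setSubject("Leonard McCoy")`, would exercise the rejection branch itself rather than the missing-claim path. Note that the production check dereferences the claim with `toString()` before comparing, so testNoTokenType presumably passes only because an enclosing catch turns the NullPointerException into a null return; that is worth confirming rather than relying on.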
