From c7082416fa0ecf946beb3c59253879d463f3e1fa Mon Sep 17 00:00:00 2001
From: Ryan Liang
Date: Wed, 11 Oct 2023 15:26:11 -0400
Subject: [PATCH] Add test for MissingBearerScheme
Signed-off-by: Ryan Liang
---
.../http/OnBehalfOfAuthenticator.java | 10 ++----
.../http/OnBehalfOfAuthenticatorTest.java | 31 +++++++++++++++++++
2 files changed, 34 insertions(+), 7 deletions(-)
diff --git a/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java b/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java
index 9ff082ba9b..56da7ade68 100644
--- a/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java
+++ b/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java
@@ -206,17 +206,13 @@ private String extractJwtFromHeader(SecurityRequest request) {
 return null;
 }
- if (!BEARER.matcher(jwtToken).matches()) {
- return null;
- }
-
- if (jwtToken.toLowerCase().contains(BEARER_PREFIX)) {
- jwtToken = jwtToken.substring(jwtToken.toLowerCase().indexOf(BEARER_PREFIX) + BEARER_PREFIX.length());
- } else {
+ if (!BEARER.matcher(jwtToken).matches() || !jwtToken.toLowerCase().contains(BEARER_PREFIX)) {
 logDebug("No Bearer scheme found in header");
 return null;
 }
+ jwtToken = jwtToken.substring(jwtToken.toLowerCase().indexOf(BEARER_PREFIX) + BEARER_PREFIX.length());
+
 return jwtToken;
 }
diff --git a/src/test/java/org/opensearch/security/http/OnBehalfOfAuthenticatorTest.java b/src/test/java/org/opensearch/security/http/OnBehalfOfAuthenticatorTest.java
index df1f38efad..57e8343882 100644
--- a/src/test/java/org/opensearch/security/http/OnBehalfOfAuthenticatorTest.java
+++ b/src/test/java/org/opensearch/security/http/OnBehalfOfAuthenticatorTest.java
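Review bot: The new combined condition still calls the locale-sensitive `toLowerCase()` twice, and the `substring` that follows applies an offset computed on the lowered copy to the original string; lowering once with `Locale.ROOT` makes the prefix search independent of the JVM default locale and keeps the offset consistent with the string it is used on. Suggested: `String lowered = jwtToken.toLowerCase(Locale.ROOT);` before the check, then `if (!BEARER.matcher(jwtToken).matches() || !lowered.contains(BEARER_PREFIX)) {` and `jwtToken = jwtToken.substring(lowered.indexOf(BEARER_PREFIX) + BEARER_PREFIX.length());`, importing `java.util.Locale` if the file does not already have it. Separately, nothing after the substring rejects a header that is only the scheme with no token; if the `BEARER` pattern admits that (its definition is not visible in this hunk), `return jwtToken;` hands an empty string to the JWT parser, and an `isBlank()` guard that logs the same debug message and returns null would keep that failure inside this method. `extractJwtFromHeader` begins above the hunk.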
@@ -321,6 +321,37 @@ public void testBasicAuthHeader() throws Exception { Assert.assertNull(credentials); } + @Test + public void testMissingBearerScheme() throws Exception { + Appender mockAppender = Mockito.mock(Appender.class); + ArgumentCaptor logEventCaptor = ArgumentCaptor.forClass(LogEvent.class); + Mockito.when(mockAppender.getName()).thenReturn("MockAppender"); + Mockito.when(mockAppender.isStarted()).thenReturn(true); + Logger logger = (Logger) LogManager.getLogger(OnBehalfOfAuthenticator.class); + logger.addAppender(mockAppender); + logger.setLevel(Level.DEBUG); + Mockito.doNothing().when(mockAppender).append(logEventCaptor.capture()); + + String craftedToken = "beaRerSomeActualToken"; // This token matches the BEARER pattern but doesn't contain the BEARER_PREFIX + + OnBehalfOfAuthenticator jwtAuth = new OnBehalfOfAuthenticator(defaultSettings(), clusterName); + Map headers = Collections.singletonMap(HttpHeaders.AUTHORIZATION, craftedToken); + + AuthCredentials credentials = jwtAuth.extractCredentials( + new FakeRestRequest(headers, Collections.emptyMap()).asSecurityRequest(), + null + ); + + Assert.assertNull(credentials); + + boolean foundLog = logEventCaptor.getAllValues() + .stream() + .anyMatch(event -> event.getMessage().getFormattedMessage().contains("No Bearer scheme found in header")); + Assert.assertTrue(foundLog); + + logger.removeAppender(mockAppender); + } + @Test public void testMissingBearerPrefixInAuthHeader() { String jwsToken = Jwts.builder()
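Review bot: `testMissingBearerScheme` mutates the shared `OnBehalfOfAuthenticator` logger (appender added, level forced to DEBUG) and only undoes the appender on the success path, so a failing assertion leaks the mock appender and the DEBUG level into every test that runs after it in the same JVM. Capture the previous level, move the cleanup into a `finally`, and restore the level there as well. The captor and header map are also raw types; `ArgumentCaptor<LogEvent> logEventCaptor = ArgumentCaptor.forClass(LogEvent.class);` and `Map<String, String> headers = Collections.singletonMap(HttpHeaders.AUTHORIZATION, craftedToken);` avoid the unchecked warnings. The rest of the method, and `testMissingBearerPrefixInAuthHeader` below it, are unchanged.
```java
Logger logger = (Logger) LogManager.getLogger(OnBehalfOfAuthenticator.class);
Level previousLevel = logger.getLevel();
logger.addAppender(mockAppender);
logger.setLevel(Level.DEBUG);
Mockito.doNothing().when(mockAppender).append(logEventCaptor.capture());
try {
    // … unchanged: craftedToken, jwtAuth, extractCredentials and both assertions …
} finally {
    logger.removeAppender(mockAppender);
    logger.setLevel(previousLevel);
}
```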