forked from opensearch-project/security
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Ryan Liang <jiallian@amazon.com>
- Loading branch information
Showing
7 changed files
with
511 additions
and
24 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
146 changes: 146 additions & 0 deletions
146
src/main/java/org/opensearch/security/identity/SecurityTokenManager.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,146 @@ | ||
| /* | ||
| * SPDX-License-Identifier: Apache-2.0 | ||
| * | ||
| * The OpenSearch Contributors require contributions made to | ||
| * this file be licensed under the Apache-2.0 license or a | ||
| * compatible open source license. | ||
| * | ||
| * Modifications Copyright OpenSearch Contributors. See | ||
| * GitHub history for details. | ||
| */ | ||
|
|
||
| package org.opensearch.security.identity; | ||
|
|
||
| import java.util.Collections; | ||
| import org.opensearch.client.Client; | ||
| import org.opensearch.cluster.service.ClusterService; | ||
| import org.opensearch.common.inject.Inject; | ||
| import org.opensearch.common.settings.Settings; | ||
| import org.opensearch.identity.tokens.AuthToken; | ||
| import org.opensearch.identity.tokens.BasicAuthToken; | ||
| import org.opensearch.identity.tokens.BearerAuthToken; | ||
| import org.opensearch.identity.tokens.TokenManager; | ||
| import org.opensearch.security.configuration.ConfigurationRepository; | ||
| import org.opensearch.security.securityconf.DynamicConfigFactory; | ||
| import org.opensearch.security.securityconf.impl.CType; | ||
| import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration; | ||
| import org.opensearch.security.user.InternalUserTokenHandler; | ||
| import org.opensearch.security.user.UserService; | ||
| import org.opensearch.security.user.UserServiceException; | ||
| import org.opensearch.security.user.UserTokenHandler; | ||
| import org.opensearch.threadpool.ThreadPool; | ||
|
|
||
| /** | ||
| * This class serves as a funneling implementation of the TokenManager interface. | ||
| * The class allows the Security Plugin to implement two separate types of token managers without requiring specific interfaces | ||
| * in the IdentityPlugin. | ||
| */ | ||
| public class SecurityTokenManager implements TokenManager { | ||
|
|
||
| Settings settings; | ||
|
|
||
| ThreadPool threadPool; | ||
|
|
||
| ClusterService clusterService; | ||
| Client client; | ||
| ConfigurationRepository configurationRepository; | ||
| UserService userService; | ||
| UserTokenHandler userTokenHandler; | ||
| InternalUserTokenHandler internalUserTokenHandler; | ||
|
|
||
| public final String TOKEN_NOT_SUPPORTED_MESSAGE = "The provided token type is not supported by the Security Plugin."; | ||
|
|
||
| @Inject | ||
| public SecurityTokenManager( | ||
| ThreadPool threadPool, | ||
| ClusterService clusterService, | ||
| ConfigurationRepository configurationRepository, | ||
| Client client, | ||
| Settings settings, | ||
| UserService userService | ||
| ) { | ||
| this.threadPool = threadPool; | ||
| this.clusterService = clusterService; | ||
| this.client = client; | ||
| this.configurationRepository = configurationRepository; | ||
| this.settings = settings; | ||
| this.userService = userService; | ||
| userTokenHandler = new UserTokenHandler(threadPool, clusterService, configurationRepository, client); | ||
| internalUserTokenHandler = new InternalUserTokenHandler(settings, userService); | ||
|
|
||
| } | ||
|
|
||
| @Override | ||
| public AuthToken issueToken(String account) { | ||
|
|
||
| AuthToken token; | ||
| final SecurityDynamicConfiguration<?> internalUsersConfiguration = load(UserService.getUserConfigName(), false); | ||
| if (internalUsersConfiguration.exists(account)) { | ||
| token = internalUserTokenHandler.issueToken(account); | ||
| } else { | ||
| token = userTokenHandler.issueToken(account); | ||
| } | ||
| return token; | ||
| } | ||
|
|
||
| public boolean validateToken(AuthToken authToken) { | ||
|
|
||
| if (authToken instanceof BearerAuthToken) { | ||
| return userTokenHandler.validateToken(authToken); | ||
| } | ||
| if (authToken instanceof BasicAuthToken) { | ||
| return internalUserTokenHandler.validateToken(authToken); | ||
| } | ||
| throw new UserServiceException(TOKEN_NOT_SUPPORTED_MESSAGE); | ||
| } | ||
|
|
||
| public String getTokenInfo(AuthToken authToken) { | ||
|
|
||
| if (authToken instanceof BearerAuthToken) { | ||
| return userTokenHandler.getTokenInfo(authToken); | ||
| } | ||
| if (authToken instanceof BasicAuthToken) { | ||
| return internalUserTokenHandler.getTokenInfo(authToken); | ||
| } | ||
| throw new UserServiceException(TOKEN_NOT_SUPPORTED_MESSAGE); | ||
| } | ||
|
|
||
| public void revokeToken(AuthToken authToken) { | ||
| if (authToken instanceof BearerAuthToken) { | ||
| userTokenHandler.revokeToken(authToken); | ||
| return; | ||
| } | ||
| if (authToken instanceof BasicAuthToken) { | ||
| internalUserTokenHandler.revokeToken(authToken); | ||
| return; | ||
| } | ||
| throw new UserServiceException(TOKEN_NOT_SUPPORTED_MESSAGE); | ||
| } | ||
|
|
||
| /** | ||
| * Only for testing | ||
| */ | ||
| public void setInternalUserTokenHandler(InternalUserTokenHandler handler) { | ||
| this.internalUserTokenHandler = handler; | ||
| } | ||
|
|
||
| /** | ||
| * Only for testing | ||
| */ | ||
| public void setUserTokenHandler(UserTokenHandler handler) { | ||
| this.userTokenHandler = handler; | ||
| } | ||
|
|
||
| /** | ||
| * Load data for a given CType | ||
| * @param config CType whose data is to be loaded in-memory | ||
| * @return configuration loaded with given CType data | ||
| */ | ||
| protected final SecurityDynamicConfiguration<?> load(final CType config, boolean logComplianceEvent) { | ||
| SecurityDynamicConfiguration<?> loaded = configurationRepository.getConfigurationsFromIndex( | ||
| Collections.singleton(config), | ||
| logComplianceEvent | ||
| ).get(config).deepClone(); | ||
| return DynamicConfigFactory.addStatics(loaded); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
100 changes: 100 additions & 0 deletions
100
src/main/java/org/opensearch/security/user/InternalUserTokenHandler.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,100 @@ | ||
| /* | ||
| * SPDX-License-Identifier: Apache-2.0 | ||
| * | ||
| * The OpenSearch Contributors require contributions made to | ||
| * this file be licensed under the Apache-2.0 license or a | ||
| * compatible open source license. | ||
| * | ||
| * Modifications Copyright OpenSearch Contributors. See | ||
| * GitHub history for details. | ||
| */ | ||
|
|
||
| package org.opensearch.security.user; | ||
|
|
||
| import org.opensearch.common.inject.Inject; | ||
| import org.opensearch.common.settings.Settings; | ||
| import org.opensearch.identity.tokens.AuthToken; | ||
| import org.opensearch.identity.tokens.BasicAuthToken; | ||
| import org.opensearch.identity.tokens.TokenManager; | ||
| import org.opensearch.security.securityconf.Hashed; | ||
| import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration; | ||
|
|
||
| import java.io.IOException; | ||
| import java.security.NoSuchAlgorithmException; | ||
|
|
||
| import static org.opensearch.security.dlic.rest.support.Utils.universalHash; | ||
|
|
||
| public class InternalUserTokenHandler implements TokenManager { | ||
|
|
||
| Settings settings; | ||
|
|
||
| UserService userService; | ||
|
|
||
| public SecurityDynamicConfiguration<?> internalUsersConfiguration; | ||
|
|
||
| @Inject | ||
| public InternalUserTokenHandler(final Settings settings, UserService userService) { | ||
| this.settings = settings; | ||
| this.userService = userService; | ||
| this.internalUsersConfiguration = userService.geInternalUsersConfigurationRepository(); | ||
| } | ||
|
|
||
| public AuthToken issueToken() { | ||
| throw new UserServiceException( | ||
| "The InternalUserTokenHandler is unable to issue generic auth tokens. Please specify a valid internal user." | ||
| ); | ||
| } | ||
|
|
||
| public AuthToken issueToken(String internalUser) { | ||
| String tokenAsString; | ||
| try { | ||
| tokenAsString = this.userService.generateAuthToken(internalUser); | ||
| } catch (IOException | UserServiceException ex) { | ||
| throw new UserServiceException("Failed to generate an auth token for " + internalUser); | ||
| } | ||
| return new BasicAuthToken(tokenAsString); | ||
| } | ||
|
|
||
| public boolean validateToken(AuthToken token) { | ||
| if (!(token instanceof BasicAuthToken)) { | ||
| throw new UserServiceException("The provided auth token is of an incorrect type. Please provide a BasicAuthToken object."); | ||
| } | ||
| BasicAuthToken basicToken = (BasicAuthToken) token; | ||
| String accountName = basicToken.getUser(); | ||
| String password = basicToken.getPassword(); | ||
| String hash; | ||
| try { | ||
| hash = universalHash(password); | ||
| } catch (NoSuchAlgorithmException e) { | ||
| throw new UserServiceException("The provided token could not be validated."); | ||
| } | ||
| return (internalUsersConfiguration.exists(accountName) | ||
| && hash.equals(((Hashed) internalUsersConfiguration.getCEntry(accountName)).getHash())); | ||
| } | ||
|
|
||
| public String getTokenInfo(AuthToken token) { | ||
| if (!(token instanceof BasicAuthToken)) { | ||
| throw new UserServiceException("The provided token is not a BasicAuthToken."); | ||
| } | ||
| BasicAuthToken basicAuthToken = (BasicAuthToken) token; | ||
| return "The provided token is a BasicAuthToken with content: " + basicAuthToken; | ||
| } | ||
|
|
||
| public void revokeToken(AuthToken token) { | ||
| if (validateToken(token)) { | ||
| BasicAuthToken basicToken = (BasicAuthToken) token; | ||
| String accountName = basicToken.getUser(); | ||
| try { | ||
| userService.clearHash(accountName); | ||
| return; | ||
| } catch (IOException e) { | ||
| throw new UserServiceException(e.getMessage()); | ||
| } | ||
| } | ||
| throw new UserServiceException("The token could not be revoked."); | ||
| } | ||
|
|
||
| public void resetToken(AuthToken token) { | ||
| throw new UserServiceException("The InternalUserTokenHandler is unable to reset auth tokens."); | ||
| } | ||
| } |
Oops, something went wrong.