Fix runtime exception in obo authenticator

Signed-off-by: Ryan Liang <jiallian@amazon.com>
RyanL1997 · Jul 24, 2023 · d58af05 · d58af05
1 parent 6a2f773
commit d58af05
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 8 deletions.
diff --git a/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java b/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java
@@ -54,13 +54,10 @@ public class OnBehalfOfAuthenticator implements HTTPAuthenticator {
     public OnBehalfOfAuthenticator(Settings settings) {
         oboEnabled = Boolean.valueOf(settings.get("on_behalf_of_enabled"));
         encryptionKey = settings.get("encryption_key");
-        jwtParser = initParser(settings.get("signing_key"), oboEnabled);
+        jwtParser = initParser(settings.get("signing_key"));
     }
 
-    private JwtParser initParser(final String signingKey, final Boolean oboEnabled) {
-        if (oboEnabled != true) {
-            throw new RuntimeException("On-behalf-of authentication has been disabled");
-        }
+    private JwtParser initParser(final String signingKey) {
         JwtParser _jwtParser = keyUtil.keyAlgorithmCheck(signingKey, log);
         if (_jwtParser != null) {
             return _jwtParser;
@@ -133,6 +130,11 @@ public AuthCredentials run() {
     }
 
     private AuthCredentials extractCredentials0(final RestRequest request) {
+        if (oboEnabled != true) {
+            log.error("On-behalf-of authentication has been disabled");
+            return null;
+        }
+
         if (jwtParser == null) {
             log.error("Missing Signing Key. JWT authentication will not work");
             return null;

diff --git a/src/main/java/org/opensearch/security/securityconf/impl/v7/ConfigV7.java b/src/main/java/org/opensearch/security/securityconf/impl/v7/ConfigV7.java
@@ -523,7 +523,13 @@ public void setEncryptionKey(String encryptionKey) {
 
         @Override
         public String toString() {
-            return "OnBehalfOf [ on_behalf_of=" + oboEnabled + ", signing_key=" + signingKey + ", encryption_key=" + encryptionKey + "]";
+            return "OnBehalfOf [ on_behalf_of_enabled="
+                + oboEnabled
+                + ", signing_key="
+                + signingKey
+                + ", encryption_key="
+                + encryptionKey
+                + "]";
         }
     }
 

diff --git a/src/main/java/org/opensearch/security/util/keyUtil.java b/src/main/java/org/opensearch/security/util/keyUtil.java
@@ -52,10 +52,10 @@ public static JwtParser keyAlgorithmCheck(final String signingKey, final Logger
                 }
 
                 if (Objects.nonNull(key)) {
-                    return Jwts.parser().setSigningKey(key);
+                    return Jwts.parserBuilder().setSigningKey(key).build();
                 }
 
-                return Jwts.parser().setSigningKey(decoded);
+                return Jwts.parserBuilder().setSigningKey(decoded).build();
             } catch (Throwable e) {
                 log.error("Error while creating JWT authenticator", e);
                 throw new RuntimeException(e);