initial changes

Signed-off-by: Sam <samuel.costa@eliatra.com>
samuelcostae · Jul 26, 2023 · 11d70ba · 11d70ba
1 parent a9451dd
commit 11d70ba
Show file tree

Hide file tree

Showing 3 changed files with 116 additions and 1 deletion.
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -100,12 +100,16 @@
 import org.opensearch.http.HttpServerTransport;
 import org.opensearch.http.HttpServerTransport.Dispatcher;
 import org.opensearch.core.index.Index;
+import org.opensearch.identity.Subject;
+import org.opensearch.identity.tokens.TokenManager;
 import org.opensearch.index.IndexModule;
 import org.opensearch.index.cache.query.QueryCache;
 import org.opensearch.indices.IndicesService;
 import org.opensearch.indices.SystemIndexDescriptor;
 import org.opensearch.indices.breaker.CircuitBreakerService;
 import org.opensearch.plugins.ClusterPlugin;
+import org.opensearch.plugins.ExtensionAwarePlugin;
+import org.opensearch.plugins.IdentityPlugin;
 import org.opensearch.plugins.MapperPlugin;
 import org.opensearch.repositories.RepositoriesService;
 import org.opensearch.rest.RestController;
@@ -128,6 +132,7 @@
 import org.opensearch.security.auditlog.config.AuditConfig.Filter.FilterEntries;
 import org.opensearch.security.auditlog.impl.AuditLogImpl;
 import org.opensearch.security.auth.BackendRegistry;
+import org.opensearch.security.auth.SecurityTokenManager;
 import org.opensearch.security.compliance.ComplianceIndexingOperationListener;
 import org.opensearch.security.compliance.ComplianceIndexingOperationListenerImpl;
 import org.opensearch.security.configuration.AdminDNs;
@@ -194,7 +199,12 @@
 import org.opensearch.watcher.ResourceWatcherService;
 // CS-ENFORCE-SINGLE
 
-public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin implements ClusterPlugin, MapperPlugin {
+    public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin
+        implements
+        ClusterPlugin,
+        MapperPlugin,
+        ExtensionAwarePlugin,
+        IdentityPlugin {
 
     private static final String KEYWORD = ".keyword";
     private static final Logger actionTrace = LogManager.getLogger("opendistro_security_action_trace");
@@ -1111,6 +1121,21 @@ public Settings additionalSettings() {
         return builder.build();
     }
 
+    @Override
+    public List<Setting<?>> getExtensionSettings() {
+        List<Setting<?>> extentionSettings = new ArrayList<Setting<?>>();
+
+        extentionSettings.add(
+            Setting.boolSetting(
+                ConfigConstants.EXTENSIONS_BWC_PLUGIN_MODE,
+                ConfigConstants.EXTENSIONS_BWC_PLUGIN_MODE_DEFAULT,
+                Property.ExtensionScope,
+                Property.Final
+            )
+        );
+        return extentionSettings;
+    }
+
     @Override
     public List<Setting<?>> getSettings() {
         List<Setting<?>> settings = new ArrayList<Setting<?>>();
@@ -1898,6 +1923,22 @@ public static void setLocalNode(DiscoveryNode node) {
         localNode = node;
     }
 
+
+        @Override
+        public Subject getSubject() {
+            return null;
+        }
+
+        @Override
+        public TokenManager getTokenManager() {
+            return new SecurityTokenManager(
+                    threadPool,
+                    new XFFResolver(threadPool),
+                    auditLog,
+                    settings
+            );
+        }
+
     public static class GuiceHolder implements LifecycleComponent {
 
         private static RepositoriesService repositoriesService;

diff --git a/src/main/java/org/opensearch/security/auth/SecurityTokenManager.java b/src/main/java/org/opensearch/security/auth/SecurityTokenManager.java
@@ -0,0 +1,70 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.security.auth;
+
+import org.greenrobot.eventbus.Subscribe;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.common.transport.TransportAddress;
+import org.opensearch.common.util.set.Sets;
+import org.opensearch.identity.tokens.AuthToken;
+import org.opensearch.identity.tokens.BasicAuthToken;
+import org.opensearch.identity.tokens.TokenManager;
+import org.opensearch.security.auditlog.AuditLog;
+import org.opensearch.security.http.XFFResolver;
+import org.opensearch.security.securityconf.ConfigModel;
+import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.security.user.User;
+import org.opensearch.threadpool.ThreadPool;
+
+import java.util.*;
+
+public class SecurityTokenManager implements TokenManager {
+
+    Boolean extensionBwcCompatMode;
+    User user;
+    ConfigModel configModel;
+    Set<String> mappedRoles;
+    UserInjector userInjector;
+
+    @Subscribe
+    public void onConfigModelChanged(ConfigModel configModel) {
+        this.configModel = configModel;
+    }
+
+    public SecurityTokenManager(
+            ThreadPool threadPool,
+            final XFFResolver xffResolver,
+            AuditLog auditLog,
+            Settings settings
+    ) {
+        this.userInjector = new UserInjector(settings, threadPool, auditLog, xffResolver);
+        this.extensionBwcCompatMode = settings.getAsBoolean(ConfigConstants.EXTENSIONS_BWC_PLUGIN_MODE, ConfigConstants.EXTENSIONS_BWC_PLUGIN_MODE_DEFAULT);
+        this.user = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
+        final TransportAddress caller = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS);
+
+        if (user == null) {
+            user = userInjector.getInjectedUser();
+        }
+        this.mappedRoles = configModel.mapSecurityRoles(user, caller);
+    }
+
+    @Override
+    public AuthToken issueToken(String audience) {
+        if (extensionBwcCompatMode) {
+            StringJoiner joiner = new StringJoiner("|");
+            joiner.add(user.getName());
+            joiner.add(String.join(",", user.getRoles()));
+            joiner.add(String.join(",", Sets.union(user.getSecurityRoles(), mappedRoles)));
+
+            return new BasicAuthToken(joiner.toString() + "This is the Token including the encrypted backend roles");
+        } else {
+            return new BasicAuthToken("This is standard Token without the roles");
+        }
+    }
+}
diff --git a/src/main/java/org/opensearch/security/support/ConfigConstants.java b/src/main/java/org/opensearch/security/support/ConfigConstants.java
@@ -320,6 +320,10 @@ public enum RolesMappingResolution {
     public static final String TENANCY_GLOBAL_TENANT_NAME = "global";
     public static final String TENANCY_GLOBAL_TENANT_DEFAULT_NAME = "";
 
+    public static final String EXTENSIONS_BWC_PLUGIN_MODE = "bwcPluginMode";
+    public static final boolean EXTENSIONS_BWC_PLUGIN_MODE_DEFAULT = false;
+
+
     public static Set<String> getSettingAsSet(
         final Settings settings,
         final String key,