Merge pull request #39 from peternied/basic-auth-via-internal-idp

Add token authentication flow
opensearch-project · Nov 1, 2022 · 529daab · 529daab
2 parents af1b10f + 5669965
commit 529daab
Show file tree

Hide file tree

Showing 7 changed files with 166 additions and 4 deletions.
diff --git a/sandbox/libs/authn/src/main/java/org/opensearch/authn/Subject.java b/sandbox/libs/authn/src/main/java/org/opensearch/authn/Subject.java
@@ -19,4 +19,9 @@ public interface Subject {
      * */
     Principal getPrincipal();
 
+
+    /**
+     * Logs the user in
+     */
+    void login(AuthenticationToken authenticationToken);
 }
diff --git a/...er/src/main/java/org/opensearch/identity/internal/noop/InternalAuthenticationManager.java b/...er/src/main/java/org/opensearch/identity/internal/noop/InternalAuthenticationManager.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch.identity.noop;
+
+import org.opensearch.identity.AccessTokenManager;
+import org.opensearch.identity.AuthenticationManager;
+import org.opensearch.identity.noop.InternalSubject;
+import org.opensearch.authn.Subject;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.mgt.DefaultSecurityManager;
+import org.apache.shiro.mgt.SecurityManager;
+
+/**
+ * Implementation of authentication manager that does not enforce authentication
+ *
+ * This class and related classes in this package will not return nulls or fail permissions checks
+ *
+ * @opensearch.internal
+ */
+public class InternalAuthenticationManager implements AuthenticationManager {
+
+    public InternalAuthenticationManager() {
+        final SecurityManager securityManager = new DefaultSecurityManager(InternalRealm.INSTANCE);
+        SecurityUtils.setSecurityManager(securityManager);
+    }
+
+    @Override
+    public Subject getSubject() {
+        return new InternalSubject(SecurityUtils.getSubject());
+    }
+
+    @Override
+    public AccessTokenManager getAccessTokenManager() {
+        return null;
+    }
+}
diff --git a/server/src/main/java/org/opensearch/identity/internal/noop/InternalSubject.java b/server/src/main/java/org/opensearch/identity/internal/noop/InternalSubject.java
@@ -0,0 +1,75 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch.identity.noop;
+
+import java.security.Principal;
+import java.util.Objects;
+
+import org.opensearch.authn.Subject;
+import org.opensearch.authn.Principals;
+import org.apache.shiro.authc.UsernamePasswordToken;
+
+/**
+ * Implementation of subject that is always authenticated
+ *
+ * This class and related classes in this package will not return nulls or fail permissions checks
+ *
+ * @opensearch.internal
+ */
+public class InternalSubject implements Subject {
+
+    private final org.apache.shiro.subject.Subject shiroSubject;
+
+    public InternalSubject(org.apache.shiro.subject.Subject subject) {
+        shiroSubject = subject;
+    }
+
+    @Override
+    public Principal getPrincipal() {
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj) return true;
+        if (obj == null || getClass() != obj.getClass()) return false;
+        Subject that = (Subject) obj;
+        return Objects.equals(getPrincipal(), that.getPrincipal());
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(getPrincipal());
+    }
+
+    @Override
+    public String toString() {
+        return "InternalSubject(principal=" + getPrincipal() + ")";
+    }
+
+    /**
+     * Logs the user in
+     */
+    void login(AuthenticationToken authenticationToken) {
+
+        AuthenticationToken authToken;
+
+        if (authenticationToken instanceof HttpHeaderToken) {
+            final HttpHeaderToken headerToken = (HttpHeaderToken) authenticationToken;
+
+            if (token.getHeaderValue().contains("Basic")) {
+                final byte[] decodedAuthHeader = Base64.getDecoder().decode(token.getHeaderValue().substring("Basic".length()).trim());
+                final String[] decodedUserNamePassword = decodedAuthHeader.toString().split(":");
+
+                authToken = new UsernamePasswordToken(decodedUserNamePassword[0], decodedUserNamePassword[1]);
+           }
+        }
+
+
+        shiroSubject.login(authToken);
+
+        return; // Do nothing we are already logged in to nothing
+    }
+}
diff --git a/server/src/main/java/org/opensearch/identity/internal/noop/NoopAccessTokenManager.java b/server/src/main/java/org/opensearch/identity/internal/noop/NoopAccessTokenManager.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package org.opensearch.identity.noop;
+
+import org.opensearch.authn.AccessToken;
+import org.opensearch.identity.AccessTokenManager;
+
+/**
+ * Implementation of access token manager that does not enforce authentication
+ *
+ * This class and related classes in this package will not return nulls or fail permissions checks
+ *
+ * @opensearch.internal
+ */
+public class NoopAccessTokenManager implements AccessTokenManager {
+
+    @Override
+    public void expireAllTokens() {
+        // Tokens cannot be expired
+    }
+
+    @Override
+    public AccessToken generate() {
+        return new AccessToken();
+    }
+
+    @Override
+    public AccessToken refresh(final AccessToken token) {
+        return new AccessToken();
+    }
+
+}
diff --git a/server/src/main/java/org/opensearch/identity/internal/noop/package-info.java b/server/src/main/java/org/opensearch/identity/internal/noop/package-info.java
@@ -0,0 +1,7 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/** Classes for the internal authentication in OpenSearch */
+package org.opensearch.identity.internal;
diff --git a/server/src/main/java/org/opensearch/identity/noop/NoopSubject.java b/server/src/main/java/org/opensearch/identity/noop/NoopSubject.java
@@ -43,4 +43,10 @@ public String toString() {
         return "NoopSubject(principal=" + getPrincipal() + ")";
     }
 
+    /**
+     * Logs the user in
+     */
+    void login(AuthenticationToken authenticationToken) {
+        return; // Do nothing we are already logged in to nothing
+    }
 }
diff --git a/server/src/main/java/org/opensearch/node/Node.java b/server/src/main/java/org/opensearch/node/Node.java
@@ -36,7 +36,6 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.lucene.util.Constants;
 import org.apache.lucene.util.SetOnce;
-import org.opensearch.authn.realm.InternalRealm;
 import org.opensearch.common.util.FeatureFlags;
 import org.opensearch.cluster.routing.allocation.AwarenessReplicaBalance;
 import org.opensearch.index.IndexingPressureService;
@@ -347,9 +346,6 @@ public static class DiscoverySettings {
     final NamedWriteableRegistry namedWriteableRegistry;
     private final AtomicReference<RunnableTaskExecutionListener> runnableTaskListener;
 
-    // TODO: Find out the correct realm instance to be used
-    public static final InternalRealm INTERNAL_REALM = InternalRealm.INSTANCE;
-
     public Node(Environment environment) {
         this(environment, Collections.emptyList(), true);
     }