From 5669965a3e1a1bed7b09ab75fc1a40fe1b83297c Mon Sep 17 00:00:00 2001
From: Peter Nied <petern@amazon.com>
Date: Tue, 18 Oct 2022 18:34:42 +0000
Subject: [PATCH] Add token authentication flow

Signed-off-by: Peter Nied <petern@amazon.com>
---
 .../java/org/opensearch/authn/Subject.java    |  5 ++
 .../noop/InternalAuthenticationManager.java   | 39 ++++++++++
 .../internal/noop/InternalSubject.java        | 75 +++++++++++++++++++
 .../internal/noop/NoopAccessTokenManager.java | 34 +++++++++
 .../identity/internal/noop/package-info.java  |  7 ++
 .../opensearch/identity/noop/NoopSubject.java |  6 ++
 .../main/java/org/opensearch/node/Node.java   |  4 -
 7 files changed, 166 insertions(+), 4 deletions(-)
 create mode 100644 server/src/main/java/org/opensearch/identity/internal/noop/InternalAuthenticationManager.java
 create mode 100644 server/src/main/java/org/opensearch/identity/internal/noop/InternalSubject.java
 create mode 100644 server/src/main/java/org/opensearch/identity/internal/noop/NoopAccessTokenManager.java
 create mode 100644 server/src/main/java/org/opensearch/identity/internal/noop/package-info.java

diff --git a/sandbox/libs/authn/src/main/java/org/opensearch/authn/Subject.java b/sandbox/libs/authn/src/main/java/org/opensearch/authn/Subject.java
index 9aeed127d6b52..e67ae7272567b 100644
--- a/sandbox/libs/authn/src/main/java/org/opensearch/authn/Subject.java
+++ b/sandbox/libs/authn/src/main/java/org/opensearch/authn/Subject.java
@@ -19,4 +19,9 @@ public interface Subject {
      * */
     Principal getPrincipal();
 
+
+    /**
+     * Logs the user in
+     */
+    void login(AuthenticationToken authenticationToken);
 }
diff --git a/server/src/main/java/org/opensearch/identity/internal/noop/InternalAuthenticationManager.java b/server/src/main/java/org/opensearch/identity/internal/noop/InternalAuthenticationManager.java
new file mode 100644
index 0000000000000..5efd2d5854bdd
--- /dev/null
+++ b/server/src/main/java/org/opensearch/identity/internal/noop/InternalAuthenticationManager.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch.identity.noop;
+
+import org.opensearch.identity.AccessTokenManager;
+import org.opensearch.identity.AuthenticationManager;
+import org.opensearch.identity.noop.InternalSubject;
+import org.opensearch.authn.Subject;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.mgt.DefaultSecurityManager;
+import org.apache.shiro.mgt.SecurityManager;
+
+/**
+ * Implementation of authentication manager that does not enforce authentication
+ *
+ * This class and related classes in this package will not return nulls or fail permissions checks
+ *
+ * @opensearch.internal
+ */
+public class InternalAuthenticationManager implements AuthenticationManager {
+
+    public InternalAuthenticationManager() {
+        final SecurityManager securityManager = new DefaultSecurityManager(InternalRealm.INSTANCE);
+        SecurityUtils.setSecurityManager(securityManager);
+    }
+
+    @Override
+    public Subject getSubject() {
+        return new InternalSubject(SecurityUtils.getSubject());
+    }
+
+    @Override
+    public AccessTokenManager getAccessTokenManager() {
+        return null;
+    }
+}
diff --git a/server/src/main/java/org/opensearch/identity/internal/noop/InternalSubject.java b/server/src/main/java/org/opensearch/identity/internal/noop/InternalSubject.java
new file mode 100644
index 0000000000000..ab7f7412874f1
--- /dev/null
+++ b/server/src/main/java/org/opensearch/identity/internal/noop/InternalSubject.java
@@ -0,0 +1,75 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch.identity.noop;
+
+import java.security.Principal;
+import java.util.Objects;
+
+import org.opensearch.authn.Subject;
+import org.opensearch.authn.Principals;
+import org.apache.shiro.authc.UsernamePasswordToken;
+
+/**
+ * Implementation of subject that is always authenticated
+ *
+ * This class and related classes in this package will not return nulls or fail permissions checks
+ *
+ * @opensearch.internal
+ */
+public class InternalSubject implements Subject {
+
+    private final org.apache.shiro.subject.Subject shiroSubject;
+
+    public InternalSubject(org.apache.shiro.subject.Subject subject) {
+        shiroSubject = subject;
+    }
+
+    @Override
+    public Principal getPrincipal() {
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj) return true;
+        if (obj == null || getClass() != obj.getClass()) return false;
+        Subject that = (Subject) obj;
+        return Objects.equals(getPrincipal(), that.getPrincipal());
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(getPrincipal());
+    }
+
+    @Override
+    public String toString() {
+        return "InternalSubject(principal=" + getPrincipal() + ")";
+    }
+
+    /**
+     * Logs the user in
+     */
+    void login(AuthenticationToken authenticationToken) {
+
+        AuthenticationToken authToken;
+
+        if (authenticationToken instanceof HttpHeaderToken) {
+            final HttpHeaderToken headerToken = (HttpHeaderToken) authenticationToken;
+
+            if (token.getHeaderValue().contains("Basic")) {
+                final byte[] decodedAuthHeader = Base64.getDecoder().decode(token.getHeaderValue().substring("Basic".length()).trim());
+                final String[] decodedUserNamePassword = decodedAuthHeader.toString().split(":");
+        
+                authToken = new UsernamePasswordToken(decodedUserNamePassword[0], decodedUserNamePassword[1]);
+           }
+        }
+
+
+        shiroSubject.login(authToken);
+
+        return; // Do nothing we are already logged in to nothing
+    }
+}
diff --git a/server/src/main/java/org/opensearch/identity/internal/noop/NoopAccessTokenManager.java b/server/src/main/java/org/opensearch/identity/internal/noop/NoopAccessTokenManager.java
new file mode 100644
index 0000000000000..f21e3ee249cbd
--- /dev/null
+++ b/server/src/main/java/org/opensearch/identity/internal/noop/NoopAccessTokenManager.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package org.opensearch.identity.noop;
+
+import org.opensearch.authn.AccessToken;
+import org.opensearch.identity.AccessTokenManager;
+
+/**
+ * Implementation of access token manager that does not enforce authentication
+ *
+ * This class and related classes in this package will not return nulls or fail permissions checks
+ *
+ * @opensearch.internal
+ */
+public class NoopAccessTokenManager implements AccessTokenManager {
+
+    @Override
+    public void expireAllTokens() {
+        // Tokens cannot be expired
+    }
+
+    @Override
+    public AccessToken generate() {
+        return new AccessToken();
+    }
+
+    @Override
+    public AccessToken refresh(final AccessToken token) {
+        return new AccessToken();
+    }
+
+}
diff --git a/server/src/main/java/org/opensearch/identity/internal/noop/package-info.java b/server/src/main/java/org/opensearch/identity/internal/noop/package-info.java
new file mode 100644
index 0000000000000..81f1a1ac79a37
--- /dev/null
+++ b/server/src/main/java/org/opensearch/identity/internal/noop/package-info.java
@@ -0,0 +1,7 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/** Classes for the internal authentication in OpenSearch */
+package org.opensearch.identity.internal;
diff --git a/server/src/main/java/org/opensearch/identity/noop/NoopSubject.java b/server/src/main/java/org/opensearch/identity/noop/NoopSubject.java
index c92cddf151ab2..0359b11b27e60 100644
--- a/server/src/main/java/org/opensearch/identity/noop/NoopSubject.java
+++ b/server/src/main/java/org/opensearch/identity/noop/NoopSubject.java
@@ -43,4 +43,10 @@ public String toString() {
         return "NoopSubject(principal=" + getPrincipal() + ")";
     }
 
+    /**
+     * Logs the user in
+     */
+    void login(AuthenticationToken authenticationToken) {
+        return; // Do nothing we are already logged in to nothing
+    }
 }
diff --git a/server/src/main/java/org/opensearch/node/Node.java b/server/src/main/java/org/opensearch/node/Node.java
index 27127f30827c2..a70cf7c33d17d 100644
--- a/server/src/main/java/org/opensearch/node/Node.java
+++ b/server/src/main/java/org/opensearch/node/Node.java
@@ -36,7 +36,6 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.lucene.util.Constants;
 import org.apache.lucene.util.SetOnce;
-import org.opensearch.authn.realm.InternalRealm;
 import org.opensearch.common.util.FeatureFlags;
 import org.opensearch.cluster.routing.allocation.AwarenessReplicaBalance;
 import org.opensearch.index.IndexingPressureService;
@@ -347,9 +346,6 @@ public static class DiscoverySettings {
     final NamedWriteableRegistry namedWriteableRegistry;
     private final AtomicReference<RunnableTaskExecutionListener> runnableTaskListener;
 
-    // TODO: Find out the correct realm instance to be used
-    public static final InternalRealm INTERNAL_REALM = InternalRealm.INSTANCE;
-
     public Node(Environment environment) {
         this(environment, Collections.emptyList(), true);
     }