Basic token passing

Signed-off-by: Stephen Crawford <steecraw@amazon.com>

plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroTokenManager.java

@@ -20,8 +20,10 @@
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.authc.AuthenticationToken;
 import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.authz.UnauthenticatedException;
 import org.opensearch.common.Randomness;
 import org.opensearch.identity.IdentityService;
+import org.opensearch.identity.Subject;
 import org.opensearch.identity.tokens.AuthToken;
 import org.opensearch.identity.tokens.BasicAuthToken;
 import org.opensearch.identity.tokens.TokenManager;
@@ -51,7 +53,6 @@ public Optional<AuthenticationToken> translateAuthToken(org.opensearch.identity.
             final BasicAuthToken basicAuthToken = (BasicAuthToken) authenticationToken;
             return Optional.of(new UsernamePasswordToken(basicAuthToken.getUser(), basicAuthToken.getPassword()));
         }
-
         return Optional.empty();
     }
 
@@ -68,6 +69,21 @@ public AuthToken issueToken(String audience) {
         return token;
     }
 
+    @Override
+    public Subject authenticateToken(AuthToken authToken) {
+        Optional<AuthenticationToken> translatedToken = null;
+        if (authToken instanceof BasicAuthToken) {
+            if (shiroTokenPasswordMap.containsKey(authToken)) {
+                translatedToken = translateAuthToken(authToken);
+            } else {
+                throw new UnauthenticatedException("Invalid token");
+            }
+        }
+        SecurityUtils.getSubject().login(translatedToken.get());
+        return new ShiroSubject(this, SecurityUtils.getSubject());
+    }
+
+
     public boolean validateToken(AuthToken token) {
         if (token instanceof BasicAuthToken) {
             final BasicAuthToken basicAuthToken = (BasicAuthToken) token;

server/src/main/java/org/opensearch/extensions/rest/RestSendToExtensionAction.java

@@ -242,15 +242,6 @@ public String executor() {
         };
 
         try {
-            // Will be replaced with ExtensionTokenProcessor and PrincipalIdentifierToken classes from feature/identity
-
-            final String extensionTokenProcessor = "placeholder_token_processor";
-
-            // Authenticate the token
-            // identityService.getTokenManager().authenticateToken();
-
-            // Resolve a principal to identify the token type required
-            // Subject requester = identityService.identifyRequester(identityService.toPrincipal(discoveryExtensionNode.getId()));
 
             Map<String, List<String>> filteredHeaders = filterHeaders(headers, allowList, denyList);
 

server/src/main/java/org/opensearch/identity/IdentityService.java

@@ -5,7 +5,6 @@
 
 package org.opensearch.identity;
 
-import java.security.Principal;
 import java.util.List;
 import java.util.stream.Collectors;
 import org.apache.logging.log4j.LogManager;
@@ -57,16 +56,4 @@ public Subject getSubject() {
     public TokenManager getTokenManager() {
         return identityPlugin.getTokenManager();
     }
-
-    /**
-     * Identifies the Subject associated with a request
-     */
-    public Subject identifyRequester(final Principal principal){
-
-        return identityPlugin.identifyRequester(principal);
-    }
-
-    public Principal toPrincipal(String principal) {
-        return identityPlugin.toPrincipal(principal);
-    }
 }

server/src/main/java/org/opensearch/identity/noop/NoopTokenManager.java

@@ -11,6 +11,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.opensearch.identity.IdentityService;
+import org.opensearch.identity.Subject;
 import org.opensearch.identity.tokens.AuthToken;
 import org.opensearch.identity.tokens.TokenManager;
 
@@ -30,4 +31,9 @@ public AuthToken issueToken(String audience) {
         return new AuthToken() {
         };
     }
+
+    @Override
+    public Subject authenticateToken(AuthToken authToken) {
+        return null;
+    }
 }

server/src/main/java/org/opensearch/identity/tokens/TokenManager.java

@@ -16,7 +16,9 @@
 public interface TokenManager {
 
     /**
-     * Create a new auth token
+     * Create a new auth token.
+     * If the audience is an application ? serviceAccountToken : OnBehalfOf token
+     *
      * @param audience: The audience for the token
      * @return A new auth token
      */

server/src/test/java/org/opensearch/extensions/rest/RestSendToExtensionActionTests.java

@@ -10,20 +10,14 @@
 
 import java.net.InetAddress;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
-import java.util.Set;
 import java.util.Map;
-import java.util.Arrays;
+import java.util.Set;
 import java.util.concurrent.TimeUnit;
 import java.util.stream.Collectors;
-
-import static java.util.Collections.emptyList;
-import static java.util.Collections.emptyMap;
-import static java.util.Collections.emptySet;
-import static org.mockito.Mockito.mock;
-
 import org.junit.After;
 import org.junit.Before;
 import org.opensearch.Version;
@@ -57,6 +51,10 @@
 import org.opensearch.transport.TransportService;
 import org.opensearch.transport.nio.MockNioTransport;
 import org.opensearch.usage.UsageService;
+import static java.util.Collections.emptyList;
+import static java.util.Collections.emptyMap;
+import static java.util.Collections.emptySet;
+import static org.mockito.Mockito.mock;
 
 public class RestSendToExtensionActionTests extends OpenSearchTestCase {
 
@@ -65,6 +63,7 @@ public class RestSendToExtensionActionTests extends OpenSearchTestCase {
     private DiscoveryExtensionNode discoveryExtensionNode;
     private ActionModule actionModule;
     private DynamicActionRegistry dynamicActionRegistry;
+    private IdentityService identityService;
     private final ThreadPool threadPool = new TestThreadPool(RestSendToExtensionActionTests.class.getSimpleName());
 
     @Before
@@ -121,6 +120,7 @@ public void setup() throws Exception {
             new IdentityService(Settings.EMPTY, new ArrayList<>()),
             new ExtensionsManager(Set.of())
         );
+        identityService = new IdentityService(Settings.EMPTY, new ArrayList<>());
         dynamicActionRegistry = actionModule.getDynamicActionRegistry();
     }
 
@@ -142,7 +142,8 @@ public void testRestSendToExtensionAction() throws Exception {
             registerRestActionRequest,
             discoveryExtensionNode,
             transportService,
-            dynamicActionRegistry
+            dynamicActionRegistry,
+            identityService
         );
 
         assertEquals("send_to_extension_action", restSendToExtensionAction.getName());
@@ -174,7 +175,8 @@ public void testRestSendToExtensionActionWithNamedRoute() throws Exception {
             registerRestActionRequest,
             discoveryExtensionNode,
             transportService,
-            dynamicActionRegistry
+            dynamicActionRegistry,
+            identityService
         );
 
         assertEquals("send_to_extension_action", restSendToExtensionAction.getName());
@@ -219,7 +221,8 @@ public void testRestSendToExtensionActionWithNamedRouteAndLegacyActionName() thr
             registerRestActionRequest,
             discoveryExtensionNode,
             transportService,
-            dynamicActionRegistry
+            dynamicActionRegistry,
+            identityService
         );
 
         assertEquals("send_to_extension_action", restSendToExtensionAction.getName());
@@ -271,7 +274,7 @@ public void testRestSendToExtensionActionWithoutUniqueNameShouldFail() {
         );
         expectThrows(
             IllegalArgumentException.class,
-            () -> new RestSendToExtensionAction(registerRestActionRequest, discoveryExtensionNode, transportService, dynamicActionRegistry)
+            () -> new RestSendToExtensionAction(registerRestActionRequest, discoveryExtensionNode, transportService, dynamicActionRegistry, identityService)
         );
     }
 
@@ -283,7 +286,7 @@ public void testRestSendToExtensionMultipleNamedRoutesWithSameName() throws Exce
         );
         expectThrows(
             IllegalArgumentException.class,
-            () -> new RestSendToExtensionAction(registerRestActionRequest, discoveryExtensionNode, transportService, dynamicActionRegistry)
+            () -> new RestSendToExtensionAction(registerRestActionRequest, discoveryExtensionNode, transportService, dynamicActionRegistry, identityService)
         );
     }
 
@@ -295,7 +298,7 @@ public void testRestSendToExtensionMultipleNamedRoutesWithSameLegacyActionName()
         );
         expectThrows(
             IllegalArgumentException.class,
-            () -> new RestSendToExtensionAction(registerRestActionRequest, discoveryExtensionNode, transportService, dynamicActionRegistry)
+            () -> new RestSendToExtensionAction(registerRestActionRequest, discoveryExtensionNode, transportService, dynamicActionRegistry, identityService)
         );
     }
 
@@ -307,7 +310,7 @@ public void testRestSendToExtensionMultipleRoutesWithSameMethodAndPath() throws
         );
         expectThrows(
             IllegalArgumentException.class,
-            () -> new RestSendToExtensionAction(registerRestActionRequest, discoveryExtensionNode, transportService, dynamicActionRegistry)
+            () -> new RestSendToExtensionAction(registerRestActionRequest, discoveryExtensionNode, transportService, dynamicActionRegistry, identityService)
         );
     }
 
@@ -319,7 +322,7 @@ public void testRestSendToExtensionMultipleRoutesWithSameMethodAndPathWithDiffer
         );
         expectThrows(
             IllegalArgumentException.class,
-            () -> new RestSendToExtensionAction(registerRestActionRequest, discoveryExtensionNode, transportService, dynamicActionRegistry)
+            () -> new RestSendToExtensionAction(registerRestActionRequest, discoveryExtensionNode, transportService, dynamicActionRegistry, identityService)
         );
     }
 
@@ -331,7 +334,7 @@ public void testRestSendToExtensionMultipleRoutesWithSameMethodAndPathWithPathPa
         );
 
         try {
-            new RestSendToExtensionAction(registerRestActionRequest, discoveryExtensionNode, transportService, dynamicActionRegistry);
+            new RestSendToExtensionAction(registerRestActionRequest, discoveryExtensionNode, transportService, dynamicActionRegistry, identityService);
         } catch (IllegalArgumentException e) {
             fail("IllegalArgumentException should not be thrown for different paths");
         }
@@ -353,7 +356,7 @@ public void testRestSendToExtensionWithNamedRouteCollidingWithDynamicTransportAc
 
         expectThrows(
             IllegalArgumentException.class,
-            () -> new RestSendToExtensionAction(registerRestActionRequest, discoveryExtensionNode, transportService, dynamicActionRegistry)
+            () -> new RestSendToExtensionAction(registerRestActionRequest, discoveryExtensionNode, transportService, dynamicActionRegistry, identityService)
         );
     }
 
@@ -367,7 +370,7 @@ public void testRestSendToExtensionWithNamedRouteCollidingWithNativeTransportAct
         );
         expectThrows(
             IllegalArgumentException.class,
-            () -> new RestSendToExtensionAction(registerRestActionRequest, discoveryExtensionNode, transportService, dynamicActionRegistry)
+            () -> new RestSendToExtensionAction(registerRestActionRequest, discoveryExtensionNode, transportService, dynamicActionRegistry, identityService)
         );
     }
 
@@ -381,7 +384,8 @@ public void testRestSendToExtensionActionFilterHeaders() throws Exception {
             registerRestActionRequest,
             discoveryExtensionNode,
             transportService,
-            dynamicActionRegistry
+            dynamicActionRegistry,
+            identityService
         );
 
         Map<String, List<String>> headers = new HashMap<>();
@@ -407,7 +411,7 @@ public void testRestSendToExtensionActionBadMethod() throws Exception {
         );
         expectThrows(
             IllegalArgumentException.class,
-            () -> new RestSendToExtensionAction(registerRestActionRequest, discoveryExtensionNode, transportService, dynamicActionRegistry)
+            () -> new RestSendToExtensionAction(registerRestActionRequest, discoveryExtensionNode, transportService, dynamicActionRegistry, identityService)
         );
     }
 
@@ -419,7 +423,7 @@ public void testRestSendToExtensionActionBadDeprecatedMethod() throws Exception
         );
         expectThrows(
             IllegalArgumentException.class,
-            () -> new RestSendToExtensionAction(registerRestActionRequest, discoveryExtensionNode, transportService, dynamicActionRegistry)
+            () -> new RestSendToExtensionAction(registerRestActionRequest, discoveryExtensionNode, transportService, dynamicActionRegistry, identityService)
         );
     }
 
@@ -431,7 +435,7 @@ public void testRestSendToExtensionActionMissingUri() throws Exception {
         );
         expectThrows(
             IllegalArgumentException.class,
-            () -> new RestSendToExtensionAction(registerRestActionRequest, discoveryExtensionNode, transportService, dynamicActionRegistry)
+            () -> new RestSendToExtensionAction(registerRestActionRequest, discoveryExtensionNode, transportService, dynamicActionRegistry, identityService)
         );
     }
 
@@ -443,7 +447,7 @@ public void testRestSendToExtensionActionMissingDeprecatedUri() throws Exception
         );
         expectThrows(
             IllegalArgumentException.class,
-            () -> new RestSendToExtensionAction(registerRestActionRequest, discoveryExtensionNode, transportService, dynamicActionRegistry)
+            () -> new RestSendToExtensionAction(registerRestActionRequest, discoveryExtensionNode, transportService, dynamicActionRegistry, identityService)
         );
     }
 }