From 4b33c599251db2475e09cd1c3582188aa830c3e2 Mon Sep 17 00:00:00 2001
From: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Date: Wed, 18 Oct 2023 09:39:08 -0400
Subject: [PATCH] OnBehalfOf claims take second duration (#10664)

OnBehalfOf claims take second duration

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Siddhant Deshmukh <deshsid@amazon.com>
---
 CHANGELOG.md                                  |  2 +-
 .../opensearch/identity/tokens/AuthToken.java |  1 +
 .../identity/tokens/OnBehalfOfClaims.java     | 55 +++----------------
 3 files changed, 9 insertions(+), 49 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2ef02fab00a96..42389ae394de7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,7 +10,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Allow mmap to use new JDK-19 preview APIs in Apache Lucene 9.4+ ([#5151](https://github.com/opensearch-project/OpenSearch/pull/5151))
 - Add events correlation engine plugin ([#6854](https://github.com/opensearch-project/OpenSearch/issues/6854))
 - Introduce new dynamic cluster setting to control slice computation for concurrent segment search ([#9107](https://github.com/opensearch-project/OpenSearch/pull/9107))
-- Implement on behalf of token passing for extensions ([#8679](https://github.com/opensearch-project/OpenSearch/pull/8679))
+- Implement on behalf of token passing for extensions ([#8679](https://github.com/opensearch-project/OpenSearch/pull/8679), [#10664](https://github.com/opensearch-project/OpenSearch/pull/10664))
 - Provide service accounts tokens to extensions ([#9618](https://github.com/opensearch-project/OpenSearch/pull/9618))
 - Configurable merge policy for index with an option to choose from LogByteSize and Tiered merge policy ([#9992](https://github.com/opensearch-project/OpenSearch/pull/9992))
 - Add search query categorizor ([#10255](https://github.com/opensearch-project/OpenSearch/pull/10255))
diff --git a/server/src/main/java/org/opensearch/identity/tokens/AuthToken.java b/server/src/main/java/org/opensearch/identity/tokens/AuthToken.java
index c929e7421b3d8..88bb855a6e70d 100644
--- a/server/src/main/java/org/opensearch/identity/tokens/AuthToken.java
+++ b/server/src/main/java/org/opensearch/identity/tokens/AuthToken.java
@@ -16,4 +16,5 @@
 public interface AuthToken {
 
     String asAuthHeaderValue();
+
 }
diff --git a/server/src/main/java/org/opensearch/identity/tokens/OnBehalfOfClaims.java b/server/src/main/java/org/opensearch/identity/tokens/OnBehalfOfClaims.java
index 3fef248ee6d3a..00e50a59e9486 100644
--- a/server/src/main/java/org/opensearch/identity/tokens/OnBehalfOfClaims.java
+++ b/server/src/main/java/org/opensearch/identity/tokens/OnBehalfOfClaims.java
@@ -14,46 +14,17 @@
 public class OnBehalfOfClaims {
 
     private final String audience;
-    private final String subject;
-    private final Long expiration;
-    private final Long not_before;
-    private final Long issued_at;
+    private final Long expiration_seconds;
 
     /**
      * Constructor for OnBehalfOfClaims
      * @param aud the Audience for the token
-     * @param subject the subject of the token
-     * @param expiration the expiration time in seconds for the token
-     * @param not_before the not_before time in seconds for the token
-     * @param issued_at the issued_at time in seconds for the token
-     */
-    public OnBehalfOfClaims(String aud, String subject, Long expiration, Long not_before, Long issued_at) {
-        this.audience = aud;
-        this.subject = subject;
-        this.expiration = expiration;
-        this.not_before = not_before;
-        this.issued_at = issued_at;
-    }
-
-    /**
-     * A constructor that sets a default issued at time of the current time
-     * @param aud the Audience for the token
-     * @param subject the subject of the token
-     * @param expiration the expiration time in seconds for the token
-     * @param not_before the not_before time in seconds for the token
-     */
-    public OnBehalfOfClaims(String aud, String subject, Long expiration, Long not_before) {
-        this(aud, subject, expiration, not_before, System.currentTimeMillis() / 1000);
-    }
+     * @param expiration_seconds the length of time in seconds the token is valid
 
-    /**
-     * A constructor which sets a default not before time of the current time
-     * @param aud the Audience for the token
-     * @param subject the subject of the token
-     * @param expiration the expiration time in seconds for the token
      */
-    public OnBehalfOfClaims(String aud, String subject, Long expiration) {
-        this(aud, subject, expiration, System.currentTimeMillis() / 1000);
+    public OnBehalfOfClaims(String aud, Long expiration_seconds) {
+        this.audience = aud;
+        this.expiration_seconds = expiration_seconds;
     }
 
     /**
@@ -62,26 +33,14 @@ public OnBehalfOfClaims(String aud, String subject, Long expiration) {
      * @param subject the subject of the token
      */
     public OnBehalfOfClaims(String aud, String subject) {
-        this(aud, subject, System.currentTimeMillis() / 1000 + 300);
+        this(aud, 300L);
     }
 
     public String getAudience() {
         return audience;
     }
 
-    public String getSubject() {
-        return subject;
-    }
-
     public Long getExpiration() {
-        return expiration;
-    }
-
-    public Long getNot_before() {
-        return not_before;
-    }
-
-    public Long getIssued_at() {
-        return issued_at;
+        return expiration_seconds;
     }
 }