diff --git a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
index c21b0d1230..9b06e15c5d 100644
--- a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
+++ b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
@@ -89,8 +89,6 @@ public class SecurityRestFilter {
 private static final String HEALTH_SUFFIX = "health";
 private static final String WHO_AM_I_SUFFIX = "whoami";
- private static final String ON_BEHALF_OF_SUFFIX = "onbehalfof";
-
 private static final String REGEX_PATH_PREFIX = "/(" + LEGACY_OPENDISTRO_PREFIX + "|" + PLUGINS_PREFIX + ")/" + "(.*)";
 private static final Pattern PATTERN_PATH_PREFIX = Pattern.compile(REGEX_PATH_PREFIX);
@@ -260,17 +258,6 @@ private boolean checkAndAuthenticateRequest(RestRequest request, RestChannel cha
 );
 }
 }
-
- if (HTTPHelper.containsOBOToken(request)) {
- if (request.method() == Method.POST && ON_BEHALF_OF_SUFFIX.equals(suffix)) {
- final OpenSearchException exception = ExceptionUtils.invalidUsageOfOBOTokenException();
- log.error(exception.toString());
- auditLog.logBadHeaders(request);
- channel.sendResponse(new BytesRestResponse(channel, RestStatus.FORBIDDEN, exception));
- return true;
- }
- }
-
 return false;
 }
diff --git a/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java b/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java
index c789dca6ab..e055c0a754 100644
--- a/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java
+++ b/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java
@@ -17,6 +17,7 @@
 import java.util.List;
 import java.util.Map.Entry;
 import java.util.Objects;
+import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
@@ -28,6 +29,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.opensearch.OpenSearchException;
 import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.SpecialPermission;
 import org.opensearch.common.settings.Settings;
@@ -36,11 +38,19 @@
 import org.opensearch.rest.RestRequest;
 import org.opensearch.security.auth.HTTPAuthenticator;
 import org.opensearch.security.authtoken.jwt.EncryptionDecryptionUtil;
+import org.opensearch.security.ssl.util.ExceptionUtils;
 import org.opensearch.security.user.AuthCredentials;
 import org.opensearch.security.util.keyUtil;
+import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
+import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
+
 public class OnBehalfOfAuthenticator implements HTTPAuthenticator {
+ private static final String REGEX_PATH_PREFIX = "/(" + LEGACY_OPENDISTRO_PREFIX + "|" + PLUGINS_PREFIX + ")/" + "(.*)";
+ private static final Pattern PATTERN_PATH_PREFIX = Pattern.compile(REGEX_PATH_PREFIX);
+ private static final String ON_BEHALF_OF_SUFFIX = "onbehalfof";
+
 protected final Logger log = LogManager.getLogger(this.getClass());
 private static final Pattern BEARER = Pattern.compile("^\\s*Bearer\\s.*", Pattern.CASE_INSENSITIVE);
@@ -194,6 +204,14 @@ private AuthCredentials extractCredentials0(final RestRequest request) {
 final AuthCredentials ac = new AuthCredentials(subject, roles, backendRoles).markComplete();
+ Matcher matcher = PATTERN_PATH_PREFIX.matcher(request.path());
+ final String suffix = matcher.matches() ? matcher.group(2) : null;
+ if (request.method() == RestRequest.Method.POST && ON_BEHALF_OF_SUFFIX.equals(suffix)) {
+ final OpenSearchException exception = ExceptionUtils.invalidUsageOfOBOTokenException();
+ log.error(exception.toString());
+ return null;
+ }
+
 for (Entry claim : claims.entrySet()) {
 ac.addAttribute("attr.jwt." + claim.getKey(), String.valueOf(claim.getValue()));
 }
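Review bot: `REGEX_PATH_PREFIX` and `PATTERN_PATH_PREFIX` are declared here verbatim while the identical pair stays in `SecurityRestFilter` (the first hunk of this diff keeps them there as context), so the two path regexes can drift apart silently and a future prefix change has to be made twice. Consider hoisting the prefix pattern to one shared constant, for example next to `PLUGINS_PREFIX` in `OpenSearchSecurityPlugin`, which this hunk already imports statically, and referencing it from both classes. A one-line comment above the new constants explaining why an authenticator matches request paths at all, `// Used to refuse an OBO token on the OBO-issuing route itself; see extractCredentials0`, would help a reader who expects route policy to live in the REST filter.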
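Review bot: The new POST-to-`onbehalfof` guard reports misuse by returning `null`, whereas the removed `SecurityRestFilter` check answered with a hard 403 plus `auditLog.logBadHeaders(request)`; the audit event is gone and the hunk only writes a `log.error`. Presumably a `null` here just means "this authenticator found no credentials" and the backend registry moves on to the remaining auth domains, so if any other configured domain can validate the same signed token the OBO token still reaches the OBO-issuing route, which is exactly what the guard exists to prevent — consider throwing instead, e.g. `throw new OpenSearchSecurityException(exception.getMessage(), RestStatus.FORBIDDEN);` (the class already imports `OpenSearchSecurityException`; confirm the constructor and whether the registry treats an exception from `extractCredentials` as terminal rather than as another "continue"), and restore the audit entry at whatever layer still holds the `auditLog`. The route test is an exact `equals` on everything after the prefix, so a route registered more than one segment below `PLUGINS_PREFIX`, or a trailing-slash variant if the router tolerates one, would never match — worth checking against the registered route rather than a string constant. A short comment above the guard, `// An OBO token must not be used to mint another OBO token; reject before claims are copied into attributes`, would document the intent. `extractCredentials0` begins and ends outside the hunk.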
diff --git a/src/main/java/org/opensearch/security/support/HTTPHelper.java b/src/main/java/org/opensearch/security/support/HTTPHelper.java
index b18bad83e6..c3b191f770 100644
--- a/src/main/java/org/opensearch/security/support/HTTPHelper.java
+++ b/src/main/java/org/opensearch/security/support/HTTPHelper.java
@@ -31,9 +31,6 @@
 import java.util.List;
 import java.util.Map;
-import io.jsonwebtoken.Claims;
-import io.jsonwebtoken.Jws;
-import io.jsonwebtoken.Jwts;
 import org.apache.logging.log4j.Logger;
 import org.opensearch.rest.RestRequest;
@@ -103,40 +100,4 @@ public static boolean containsBadHeader(final RestRequest request) {
 return false;
 }
-
- public static boolean containsOBOToken(final RestRequest request) {
- final Map> headers;
-
- if (request != null && (headers = request.getHeaders()) != null) {
- List authHeaders = headers.get("Authorization");
- if (authHeaders != null && !authHeaders.isEmpty()) {
- // Iterate through the list of 'Authorization' headers, checking each for the 'Bearer' prefix.
- for (String authHeader : authHeaders) {
- if (authHeader != null && authHeader.startsWith("Bearer ")) {
- // Header found, extract the token to verify it's an OBO token.
- String token = authHeader.substring("Bearer ".length());
- if (isOBOToken(token)) {
- return true;
- }
- }
- }
- }
- }
-
- return false;
- }
-
- private static boolean isOBOToken(String token) {
- String tokenIdentifierClaimKey = "typ";
- String tokenIdentifier = "obo";
-
- Jws claimsJws = Jwts.parserBuilder().build().parseClaimsJws(token);
- Claims claims = claimsJws.getBody();
-
- if (claims.containsKey(tokenIdentifierClaimKey) && tokenIdentifier.equals(claims.get(tokenIdentifierClaimKey))) {
- return true;
- }
- return false;
- }
-
 }