[Backport 2.x] Backport Service Accounts into 2.x

src/integrationTest/java/org/opensearch/security/DefaultConfigurationTests.java

@@ -68,7 +68,7 @@ public void shouldLoadDefaultConfiguration() {
             Awaitility.await().alias("Load default configuration").until(() -> client.getAuthInfo().getStatusCode(), equalTo(200));
         }
         try (TestRestClient client = cluster.getRestClient(ADMIN_USER_NAME, DEFAULT_PASSWORD)) {
-            client.assertCorrectCredentials(ADMIN_USER_NAME);
+            client.confirmCorrectCredentials(ADMIN_USER_NAME);
             HttpResponse response = client.get("/_plugins/_security/api/internalusers");
             response.assertStatusCode(200);
             Map<String, Object> users = response.getBodyAs(Map.class);

src/integrationTest/java/org/opensearch/security/SecurityConfigurationTests.java

@@ -97,10 +97,10 @@ public void shouldCreateUserViaRestApi_success() {
             assertThat(httpResponse.getStatusCode(), equalTo(201));
         }
         try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
-            client.assertCorrectCredentials(USER_ADMIN.getName());
+            client.confirmCorrectCredentials(USER_ADMIN.getName());
         }
         try (TestRestClient client = cluster.getRestClient(ADDITIONAL_USER_1, ADDITIONAL_PASSWORD_1)) {
-            client.assertCorrectCredentials(ADDITIONAL_USER_1);
+            client.confirmCorrectCredentials(ADDITIONAL_USER_1);
         }
     }
 
@@ -160,10 +160,10 @@ public void shouldCreateUserViaRestApiWhenAdminIsAuthenticatedViaCertificate_pos
             httpResponse.assertStatusCode(201);
         }
         try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
-            client.assertCorrectCredentials(USER_ADMIN.getName());
+            client.confirmCorrectCredentials(USER_ADMIN.getName());
         }
         try (TestRestClient client = cluster.getRestClient(ADDITIONAL_USER_2, ADDITIONAL_PASSWORD_2)) {
-            client.assertCorrectCredentials(ADDITIONAL_USER_2);
+            client.confirmCorrectCredentials(ADDITIONAL_USER_2);
         }
     }
 
@@ -189,10 +189,10 @@ public void shouldStillWorkAfterUpdateOfSecurityConfig() {
         cluster.updateUserConfiguration(users);
 
         try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) {
-            client.assertCorrectCredentials(USER_ADMIN.getName());
+            client.confirmCorrectCredentials(USER_ADMIN.getName());
         }
         try (TestRestClient client = cluster.getRestClient(newUser)) {
-            client.assertCorrectCredentials(newUser.getName());
+            client.confirmCorrectCredentials(newUser.getName());
         }
     }
 

src/integrationTest/java/org/opensearch/security/http/CertificateAuthenticationTest.java

@@ -89,7 +89,7 @@ public void shouldAuthenticateUserWithCertificate_positiveUserSpoke() {
         CertificateData userSpockCertificate = TEST_CERTIFICATES.issueUserCertificate(BACKEND_ROLE_BRIDGE, USER_SPOCK);
         try (TestRestClient client = cluster.getRestClient(userSpockCertificate)) {
 
-            client.assertCorrectCredentials(USER_SPOCK);
+            client.confirmCorrectCredentials(USER_SPOCK);
         }
     }
 
@@ -98,7 +98,7 @@ public void shouldAuthenticateUserWithCertificate_positiveUserKirk() {
         CertificateData userSpockCertificate = TEST_CERTIFICATES.issueUserCertificate(BACKEND_ROLE_BRIDGE, USER_KIRK);
         try (TestRestClient client = cluster.getRestClient(userSpockCertificate)) {
 
-            client.assertCorrectCredentials(USER_KIRK);
+            client.confirmCorrectCredentials(USER_KIRK);
         }
     }
 

src/integrationTest/java/org/opensearch/security/http/OnBehalfOfJwtAuthenticationTest.java

@@ -11,28 +11,27 @@
 
 package org.opensearch.security.http;
 
+import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
 import java.util.Base64;
-import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.stream.Collectors;
 
-import javax.crypto.SecretKey;
-
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Jwts;
 import org.apache.http.Header;
 import org.apache.http.HttpStatus;
 import org.apache.http.message.BasicHeader;
-import org.junit.Assert;
-import io.jsonwebtoken.security.Keys;
 
+import org.junit.Before;
 import org.junit.ClassRule;
 import org.junit.Test;
 import org.junit.runner.RunWith;
-
+import org.opensearch.common.xcontent.XContentFactory;
+import org.opensearch.core.xcontent.XContentBuilder;
 import org.opensearch.security.authtoken.jwt.EncryptionDecryptionUtil;
 import org.opensearch.test.framework.OnBehalfOfConfig;
 import org.opensearch.test.framework.RolesMapping;
@@ -42,12 +41,12 @@
 import org.opensearch.test.framework.cluster.TestRestClient;
 
 import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.aMapWithSize;
-import static org.hamcrest.Matchers.allOf;
 import static org.hamcrest.Matchers.equalTo;
-import static org.hamcrest.Matchers.hasKey;
-import static org.junit.Assert.assertTrue;
+import static org.hamcrest.Matchers.notNullValue;
+import static org.hamcrest.Matchers.not;
+import static org.hamcrest.Matchers.contains;
 import static org.opensearch.security.support.ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED;
 import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ROLES_ENABLED;
 import static org.opensearch.test.framework.TestSecurityConfig.AuthcDomain.AUTHC_HTTPBASIC_INTERNAL;
 import static org.opensearch.test.framework.TestSecurityConfig.Role.ALL_ACCESS;
@@ -60,13 +59,19 @@ public class OnBehalfOfJwtAuthenticationTest {
 
     static final TestSecurityConfig.User ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS);
 
+    private static final String CREATE_OBO_TOKEN_PATH = "_plugins/_security/api/generateonbehalfoftoken";
     private static Boolean oboEnabled = true;
     private static final String signingKey = Base64.getEncoder()
         .encodeToString(
             "jwt signing key for an on behalf of token authentication backend for testing of OBO authentication".getBytes(
                 StandardCharsets.UTF_8
             )
         );
+    private static final String alternativeSigningKey = Base64.getEncoder()
+        .encodeToString(
+            "alternativeSigningKeyalternativeSigningKeyalternativeSigningKeyalternativeSigningKey".getBytes(StandardCharsets.UTF_8)
+        );
+
     private static final String encryptionKey = Base64.getEncoder().encodeToString("encryptionKey".getBytes(StandardCharsets.UTF_8));
     public static final String ADMIN_USER_NAME = "admin";
     public static final String OBO_USER_NAME_WITH_PERM = "obo_user";
@@ -110,18 +115,36 @@ public class OnBehalfOfJwtAuthenticationTest {
     protected final static TestSecurityConfig.User HOST_MAPPING_OBO_USER = new TestSecurityConfig.User(OBO_USER_NAME_WITH_HOST_MAPPING)
         .roles(HOST_MAPPING_ROLE, ROLE_WITH_OBO_PERM);
 
+    private static OnBehalfOfConfig defaultOnBehalfOfConfig() {
+        return new OnBehalfOfConfig().oboEnabled(oboEnabled).signingKey(signingKey).encryptionKey(encryptionKey);
+    }
+
     @ClassRule
     public static final LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
         .anonymousAuth(false)
         .users(ADMIN_USER, OBO_USER, OBO_USER_NO_PERM, HOST_MAPPING_OBO_USER)
         .nodeSettings(
-            Map.of(SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, true, SECURITY_RESTAPI_ROLES_ENABLED, List.of("user_admin__all_access"))
+            Map.of(
+                SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX,
+                true,
+                SECURITY_RESTAPI_ROLES_ENABLED,
+                ADMIN_USER.getRoleNames(),
+                SECURITY_RESTAPI_ADMIN_ENABLED,
+                true,
+                "plugins.security.unsupported.restapi.allow_securityconfig_modification",
+                true
+            )
         )
         .authc(AUTHC_HTTPBASIC_INTERNAL)
         .rolesMapping(new RolesMapping(HOST_MAPPING_ROLE).hostIPs(HOST_MAPPING_IP))
-        .onBehalfOf(new OnBehalfOfConfig().oboEnabled(oboEnabled).signingKey(signingKey).encryptionKey(encryptionKey))
+        .onBehalfOf(defaultOnBehalfOfConfig())
         .build();
 
+    @Before
+    public void before() {
+        patchOnBehalfOfConfig(defaultOnBehalfOfConfig());
+    }
+
     @Test
     public void shouldAuthenticateWithOBOTokenEndPoint() {
         String oboToken = generateOboToken(ADMIN_USER_NAME, DEFAULT_PASSWORD);
@@ -143,7 +166,7 @@ public void shouldNotAuthenticateForUsingOBOTokenToAccessOBOEndpoint() {
         Header adminOboAuthHeader = new BasicHeader("Authorization", "Bearer " + oboToken);
 
         try (TestRestClient client = cluster.getRestClient(adminOboAuthHeader)) {
-            TestRestClient.HttpResponse response = client.getOnBehalfOfToken(OBO_DESCRIPTION, adminOboAuthHeader);
+            TestRestClient.HttpResponse response = client.postJson(CREATE_OBO_TOKEN_PATH, OBO_DESCRIPTION);
             response.assertStatusCode(HttpStatus.SC_UNAUTHORIZED);
         }
     }
@@ -154,7 +177,7 @@ public void shouldNotAuthenticateForUsingOBOTokenToAccessAccountEndpoint() {
         Header adminOboAuthHeader = new BasicHeader("Authorization", "Bearer " + oboToken);
 
         try (TestRestClient client = cluster.getRestClient(adminOboAuthHeader)) {
-            TestRestClient.HttpResponse response = client.changeInternalUserPassword(CURRENT_AND_NEW_PASSWORDS, adminOboAuthHeader);
+            TestRestClient.HttpResponse response = client.putJson("_plugins/_security/api/account", CURRENT_AND_NEW_PASSWORDS);
             response.assertStatusCode(HttpStatus.SC_UNAUTHORIZED);
         }
     }
@@ -177,54 +200,84 @@ public void shouldNotAuthenticateForNonAdminUserWithoutOBOPermission() {
     public void shouldNotIncludeRolesFromHostMappingInOBOToken() {
         String oboToken = generateOboToken(OBO_USER_NAME_WITH_HOST_MAPPING, DEFAULT_PASSWORD);
 
-        SecretKey key = Keys.hmacShaKeyFor(Base64.getDecoder().decode(signingKey));
-
-        Claims claims = Jwts.parser().verifyWith(key).build().parseSignedClaims(oboToken).getPayload();
+        Claims claims = Jwts.parser().setSigningKey(Base64.getDecoder().decode(signingKey)).build().parseClaimsJws(oboToken).getBody();
 
         Object er = claims.get("er");
         EncryptionDecryptionUtil encryptionDecryptionUtil = new EncryptionDecryptionUtil(encryptionKey);
         String rolesClaim = encryptionDecryptionUtil.decrypt(er.toString());
-        List<String> roles = Arrays.stream(rolesClaim.split(","))
-            .map(String::trim)
-            .filter(s -> !s.isEmpty())
-            .collect(Collectors.toUnmodifiableList());
+        Set<String> roles = Arrays.stream(rolesClaim.split(",")).map(String::trim).filter(s -> !s.isEmpty()).collect(Collectors.toSet());
 
-        Assert.assertFalse(roles.contains("host_mapping_role"));
+        assertThat(roles, equalTo(HOST_MAPPING_OBO_USER.getRoleNames()));
+        assertThat(roles, not(contains("host_mapping_role")));
     }
 
     @Test
     public void shouldNotAuthenticateWithInvalidDurationSeconds() {
         try (TestRestClient client = cluster.getRestClient(ADMIN_USER_NAME, DEFAULT_PASSWORD)) {
-            client.assertCorrectCredentials(ADMIN_USER_NAME);
+            client.confirmCorrectCredentials(ADMIN_USER_NAME);
             TestRestClient.HttpResponse response = client.postJson(OBO_ENDPOINT_PREFIX, OBO_DESCRIPTION_WITH_INVALID_DURATIONSECONDS);
             response.assertStatusCode(HttpStatus.SC_BAD_REQUEST);
-            Map<String, Object> oboEndPointResponse = (Map<String, Object>) response.getBodyAs(Map.class);
-            assertTrue(oboEndPointResponse.containsValue("durationSeconds must be an integer."));
+            assertThat(response.getTextFromJsonBody("/error"), equalTo("durationSeconds must be a number."));
         }
     }
 
     @Test
     public void shouldNotAuthenticateWithInvalidAPIParameter() {
         try (TestRestClient client = cluster.getRestClient(ADMIN_USER_NAME, DEFAULT_PASSWORD)) {
-            client.assertCorrectCredentials(ADMIN_USER_NAME);
+            client.confirmCorrectCredentials(ADMIN_USER_NAME);
             TestRestClient.HttpResponse response = client.postJson(OBO_ENDPOINT_PREFIX, OBO_DESCRIPTION_WITH_INVALID_PARAMETERS);
             response.assertStatusCode(HttpStatus.SC_BAD_REQUEST);
-            Map<String, Object> oboEndPointResponse = (Map<String, Object>) response.getBodyAs(Map.class);
-            assertTrue(oboEndPointResponse.containsValue("Unrecognized parameter: invalidParameter"));
+            assertThat(response.getTextFromJsonBody("/error"), equalTo("Unrecognized parameter: invalidParameter"));
         }
     }
 
+    @Test
+    public void shouldNotAllowTokenWhenOboIsDisabled() {
+        final String oboToken = generateOboToken(OBO_USER_NAME_WITH_PERM, DEFAULT_PASSWORD);
+        final Header oboHeader = new BasicHeader("Authorization", "Bearer " + oboToken);
+        authenticateWithOboToken(oboHeader, OBO_USER_NAME_WITH_PERM, HttpStatus.SC_OK);
+
+        // Disable OBO via config and see that the authenticator doesn't authorize
+        patchOnBehalfOfConfig(defaultOnBehalfOfConfig().oboEnabled(false));
+        authenticateWithOboToken(oboHeader, OBO_USER_NAME_WITH_PERM, HttpStatus.SC_UNAUTHORIZED);
+
+        // Reenable OBO via config and see that the authenticator is working again
+        patchOnBehalfOfConfig(defaultOnBehalfOfConfig().oboEnabled(true));
+        authenticateWithOboToken(oboHeader, OBO_USER_NAME_WITH_PERM, HttpStatus.SC_OK);
+    }
+
+    @Test
+    public void oboSigningCheckChangeIsDetected() {
+        final String oboTokenOrignalKey = generateOboToken(OBO_USER_NAME_WITH_PERM, DEFAULT_PASSWORD);
+        final Header oboHeaderOriginalKey = new BasicHeader("Authorization", "Bearer " + oboTokenOrignalKey);
+        authenticateWithOboToken(oboHeaderOriginalKey, OBO_USER_NAME_WITH_PERM, HttpStatus.SC_OK);
+
+        // Change the signing key
+        patchOnBehalfOfConfig(defaultOnBehalfOfConfig().signingKey(alternativeSigningKey));
+
+        // Original key should no longer work
+        authenticateWithOboToken(oboHeaderOriginalKey, OBO_USER_NAME_WITH_PERM, HttpStatus.SC_UNAUTHORIZED);
+
+        // Generate new key, check that it is valid
+        final String oboTokenOtherKey = generateOboToken(OBO_USER_NAME_WITH_PERM, DEFAULT_PASSWORD);
+        final Header oboHeaderOtherKey = new BasicHeader("Authorization", "Bearer " + oboTokenOtherKey);
+        authenticateWithOboToken(oboHeaderOtherKey, OBO_USER_NAME_WITH_PERM, HttpStatus.SC_OK);
+
+        // Change back to the original signing key and the original key still works, and the new key doesn't
+        patchOnBehalfOfConfig(defaultOnBehalfOfConfig());
+        authenticateWithOboToken(oboHeaderOriginalKey, OBO_USER_NAME_WITH_PERM, HttpStatus.SC_OK);
+        authenticateWithOboToken(oboHeaderOtherKey, OBO_USER_NAME_WITH_PERM, HttpStatus.SC_UNAUTHORIZED);
+    }
+
     private String generateOboToken(String username, String password) {
         try (TestRestClient client = cluster.getRestClient(username, password)) {
-            client.assertCorrectCredentials(username);
+            client.confirmCorrectCredentials(username);
             TestRestClient.HttpResponse response = client.postJson(OBO_ENDPOINT_PREFIX, OBO_TOKEN_REASON);
             response.assertStatusCode(HttpStatus.SC_OK);
-            Map<String, Object> oboEndPointResponse = (Map<String, Object>) response.getBodyAs(Map.class);
-            assertThat(
-                oboEndPointResponse,
-                allOf(aMapWithSize(3), hasKey("user"), hasKey("authenticationToken"), hasKey("durationSeconds"))
-            );
-            return oboEndPointResponse.get("authenticationToken").toString();
+            assertThat(response.getTextFromJsonBody("/user"), notNullValue());
+            assertThat(response.getTextFromJsonBody("/authenticationToken"), notNullValue());
+            assertThat(response.getTextFromJsonBody("/durationSeconds"), notNullValue());
+            return response.getTextFromJsonBody("/authenticationToken").toString();
         }
     }
 
@@ -239,4 +292,19 @@ private void authenticateWithOboToken(Header authHeader, String expectedUsername
             }
         }
     }
+
+    private void patchOnBehalfOfConfig(final OnBehalfOfConfig oboConfig) {
+        try (final TestRestClient adminClient = cluster.getRestClient(cluster.getAdminCertificate())) {
+            final XContentBuilder configBuilder = XContentFactory.jsonBuilder();
+            configBuilder.value(oboConfig);
+
+            final String patchBody = "[{ \"op\": \"replace\", \"path\": \"/config/dynamic/on_behalf_of\", \"value\":"
+                + configBuilder.toString()
+                + "}]";
+            final var response = adminClient.patch("_plugins/_security/api/securityconfig", patchBody);
+            response.assertStatusCode(HttpStatus.SC_OK);
+        } catch (final IOException ex) {
+            throw new RuntimeException(ex);
+        }
+    }
 }