Skip to content

Commit

Permalink
Refactor the OBO Authenticator part2
Browse files Browse the repository at this point in the history 
Signed-off-by: Ryan Liang <jiallian@amazon.com>
  • Loading branch information
@RyanL1997
RyanL1997 committed Aug 22, 2023
1 parent e52c5ce commit 9ce36dc
Showing 1 changed file with 36 additions and 29 deletions.
65 changes: 36 additions & 29 deletions src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,6 @@
import java.util.Arrays;
import java.util.List;
import java.util.Map.Entry;
import java.util.Objects;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
Expand Down Expand Up @@ -136,7 +135,7 @@ public AuthCredentials run() {

private AuthCredentials extractCredentials0(final RestRequest request) {
if (!oboEnabled) {
log.error("On-behalf-of authentication has been disabled");
log.error("On-behalf-of authentication is disabled");
return null;
}

Expand All @@ -145,53 +144,33 @@ private AuthCredentials extractCredentials0(final RestRequest request) {
return null;
}

String jwtToken = request.header(HttpHeaders.AUTHORIZATION);

if (jwtToken == null || jwtToken.length() == 0) {
if (log.isDebugEnabled()) {
log.debug("No JWT token found in '{}' header", HttpHeaders.AUTHORIZATION);
}
String jwtToken = extractJwtFromHeader(request);
if (jwtToken == null) {
return null;
}

if (!BEARER.matcher(jwtToken).matches()) {
jwtToken = null;
}

if (jwtToken != null && Pattern.compile(BEARER_PREFIX).matcher(jwtToken.toLowerCase()).find()) {
jwtToken = jwtToken.substring(jwtToken.toLowerCase().indexOf(BEARER_PREFIX) + BEARER_PREFIX.length());
} else {
if (log.isDebugEnabled()) {
log.debug("No Bearer scheme found in header");
}
}

if (jwtToken == null) {
if (!isAllowedRequest(request)) {
return null;
}

try {
if (!isAllowedRequest(request)) {
return null;
}

final Claims claims = jwtParser.parseClaimsJws(jwtToken).getBody();

final String subject = claims.getSubject();
if (Objects.isNull(subject)) {
if (subject == null) {
log.error("Valid jwt on behalf of token with no subject");
return null;
}

final String audience = claims.getAudience();
if (Objects.isNull(audience)) {
if (audience == null) {
log.error("Valid jwt on behalf of token with no audience");
return null;
}

final String issuer = claims.getIssuer();
if (!issuer.equals(clusterName)) {
log.error("This issuer of this OBO does not match the current cluster identifier");
log.error("The issuer of this OBO does not match the current cluster identifier");
return null;
}

Expand All @@ -208,13 +187,41 @@ private AuthCredentials extractCredentials0(final RestRequest request) {

} catch (WeakKeyException e) {
log.error("Cannot authenticate user with JWT because of ", e);
return null;
} catch (Exception e) {
if (log.isDebugEnabled()) {
log.debug("Invalid or expired JWT token.", e);
}
}

return null;
}

private String extractJwtFromHeader(RestRequest request) {
String jwtToken = request.header(HttpHeaders.AUTHORIZATION);

if (jwtToken == null || jwtToken.isEmpty()) {
logDebug("No JWT token found in '{}' header", HttpHeaders.AUTHORIZATION);
return null;
}

if (!BEARER.matcher(jwtToken).matches()) {
return null;
}

if (jwtToken.toLowerCase().contains(BEARER_PREFIX)) {
jwtToken = jwtToken.substring(jwtToken.toLowerCase().indexOf(BEARER_PREFIX) + BEARER_PREFIX.length());
} else {
logDebug("No Bearer scheme found in header");
return null;
}

return jwtToken;
}

private void logDebug(String message, Object... args) {
if (log.isDebugEnabled()) {
log.debug(message, args);
}
}

public Boolean isAllowedRequest(final RestRequest request) {
Expand Down

0 comments on commit 9ce36dc

Please sign in to comment.