

Separate UserSubject and PluginSubject
Signed-off-by: Craig Perkins <[email protected]>
cwperks committed Aug 16, 2024
1 parent 55834df commit 7374479
Showing 13 changed files with 51 additions and 46 deletions.
Expand Up @@ -22,7 +22,7 @@
import org.opensearch.env.Environment;
import org.opensearch.env.NodeEnvironment;
import org.opensearch.identity.PluginSubject;
import org.opensearch.identity.Subject;
import org.opensearch.identity.UserSubject;
import org.opensearch.identity.tokens.TokenManager;
import org.opensearch.plugins.IdentityPlugin;
import org.opensearch.plugins.Plugin;
Expand Down Expand Up @@ -86,7 +86,7 @@ public Collection<Object> createComponents(
* @return The current subject
*/
@Override
public Subject getSubject() {
public UserSubject getUserSubject() {
return new ShiroSubject(authTokenHandler, SecurityUtils.getSubject());
}

Expand Up @@ -9,6 +9,7 @@
package org.opensearch.identity.shiro;

import org.opensearch.identity.Subject;
import org.opensearch.identity.UserSubject;
import org.opensearch.identity.tokens.AuthToken;

import java.security.Principal;
Expand All @@ -19,7 +20,7 @@
*
* @opensearch.experimental
*/
public class ShiroSubject implements Subject {
public class ShiroSubject implements UserSubject {
private final ShiroTokenManager authTokenHandler;
private final org.apache.shiro.subject.Subject shiroSubject;

Expand Up @@ -249,7 +249,7 @@ public String executor() {
Map<String, List<String>> filteredHeaders = filterHeaders(headers, allowList, denyList);

TokenManager tokenManager = identityService.getTokenManager();
Subject subject = this.identityService.getSubject();
Subject subject = this.identityService.getUserSubject();
OnBehalfOfClaims claims = new OnBehalfOfClaims(discoveryExtensionNode.getId(), subject.getPrincipal().getName());

transportService.sendRequest(
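Review bot: The local at `Subject subject = this.identityService.getUserSubject();` is still typed as the base `Subject` even though the getter now returns `UserSubject`, and that subject's principal name is what feeds the on-behalf-of claims on the next line. Narrowing it to `UserSubject subject = this.identityService.getUserSubject();` lets the compiler enforce that on-behalf-of claims are minted from a user identity rather than from a `PluginSubject`, which after this commit is also a `Subject`. The enclosing method begins before and continues after this hunk.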
Expand Up @@ -48,10 +48,10 @@ public IdentityService(final Settings settings, final ThreadPool threadPool, fin
}

/**
* Gets the current Subject
* Gets the current UserSubject
*/
public Subject getSubject() {
return identityPlugin.getSubject();
public UserSubject getUserSubject() {
return identityPlugin.getUserSubject();
}

/**
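Review bot: The Javadoc on `getUserSubject()` was only re-titled and still has no `@return`, so the non-null contract stays implicit at this layer. Suggest adding `@return the {@link UserSubject} for the current context, as supplied by the configured identity plugin; never null (see {@link IdentityPlugin#getUserSubject()})`. The "never null" wording is taken from the IdentityPlugin Javadoc touched elsewhere in this commit.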
19 changes: 1 addition & 18 deletions server/src/main/java/org/opensearch/identity/PluginSubject.java
Expand Up @@ -10,27 +10,10 @@

import org.opensearch.common.annotation.ExperimentalApi;

import java.security.Principal;
import java.util.concurrent.Callable;

/**
* Similar to {@link Subject}, but represents a plugin executing actions
*
* @opensearch.experimental
*/
@ExperimentalApi
public interface PluginSubject {

/**
* Get the application-wide uniquely identifying principal
* */
Principal getPrincipal();

/**
* runAs allows the caller to run a callable function as this subject
*/
default <T> T runAs(Callable<T> callable) throws Exception {
callable.call();
return null;
};
}
public interface PluginSubject extends Subject {}
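Review bot: `PluginSubject` is now an empty marker interface, so nothing structural separates a plugin identity from a user identity; it inherits `getPrincipal()` and `runAs` from `Subject`, and any parameter typed `Subject` accepts either kind. The retained Javadoc only says "Similar to Subject, but represents a plugin executing actions"; it should spell out the intended distinction, e.g. add `A PluginSubject carries no credentials and cannot be authenticated; APIs that must act on a user's identity should take {@link UserSubject} rather than {@link Subject}.` Note also that the removed default `runAs` discarded the callable's result (`callable.call(); return null;`), so implementations now pick up Subject's `runAs` (whose body is outside this view) and callers may observe a different return value; that behavioural change is worth a line in the commit message.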
10 changes: 0 additions & 10 deletions server/src/main/java/org/opensearch/identity/Subject.java
Expand Up @@ -6,7 +6,6 @@
package org.opensearch.identity;

import org.opensearch.common.annotation.ExperimentalApi;
import org.opensearch.identity.tokens.AuthToken;

import java.security.Principal;
import java.util.concurrent.Callable;
Expand All @@ -24,15 +23,6 @@ public interface Subject {
* */
Principal getPrincipal();

/**
* Authenticate via an auth token
* throws UnsupportedAuthenticationMethod
* throws InvalidAuthenticationToken
* throws SubjectNotFound
* throws SubjectDisabled
*/
void authenticate(final AuthToken token);

/**
* runAs allows the caller to run a callable function as this subject
*/
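--- a/server/src/main/java/org/opensearch/identity/UserSubject.java
+++ b/server/src/main/java/org/opensearch/identity/UserSubject.java
@@ -0,0 +1,29 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity;
+
+import org.opensearch.common.annotation.ExperimentalApi;
+import org.opensearch.identity.tokens.AuthToken;
+
+/**
+ * An instance of a subject representing a User. UserSubjects must pass credentials for authentication.
+ *
+ * @opensearch.experimental
+ */
+@ExperimentalApi
+public interface UserSubject extends Subject {
+    /**
+     * Authenticate via an auth token
+     * throws UnsupportedAuthenticationMethod
+     * throws InvalidAuthenticationToken
+     * throws SubjectNotFound
+     * throws SubjectDisabled
+     */
+    void authenticate(final AuthToken token);
+}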
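Review bot: The `authenticate` Javadoc lists its failure modes as prose ("throws UnsupportedAuthenticationMethod ...") rather than `@throws` tags, and says nothing about what a successful return guarantees. That matters because the RestController caller in this commit treats any non-throwing return as a successful login ("Authentication did not fail so return true"), so every implementation must fail closed by throwing on an invalid, expired or unsupported token. Suggest rewriting the method Javadoc to state that on normal return the subject is authenticated and `getPrincipal()` reflects the token's identity, that `token` must not be null, and to give one `@throws` tag per listed exception with its condition. The type-level sentence "UserSubjects must pass credentials for authentication" could also say what a credential is here, i.e. an `{@link AuthToken}` passed to `{@link #authenticate(AuthToken)}`.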
Expand Up @@ -9,7 +9,7 @@
package org.opensearch.identity.noop;

import org.opensearch.identity.PluginSubject;
import org.opensearch.identity.Subject;
import org.opensearch.identity.UserSubject;
import org.opensearch.identity.tokens.TokenManager;
import org.opensearch.plugins.IdentityPlugin;
import org.opensearch.plugins.Plugin;
Expand All @@ -35,7 +35,7 @@ public NoopIdentityPlugin(ThreadPool threadPool) {
* @return Must never return null
*/
@Override
public Subject getSubject() {
public UserSubject getUserSubject() {
return new NoopSubject();
}

Expand Up @@ -10,6 +10,7 @@

import org.opensearch.identity.NamedPrincipal;
import org.opensearch.identity.Subject;
import org.opensearch.identity.UserSubject;
import org.opensearch.identity.tokens.AuthToken;

import java.security.Principal;
Expand All @@ -22,7 +23,7 @@
*
* @opensearch.internal
*/
public class NoopSubject implements Subject {
public class NoopSubject implements UserSubject {

@Override
public Principal getPrincipal() {
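Review bot: `NoopSubject` now satisfies `UserSubject`, which makes it the object on which RestController calls `authenticate(token)` whenever the noop identity plugin is the one configured; its `authenticate` body lies outside this hunk. If that body does not throw, every token is accepted as a successful login, because the caller treats a non-throwing return as success. The class Javadoc should say so plainly, e.g. `Authentication is not performed: {@link #authenticate(AuthToken)} accepts any token without validation, and the principal is always the "Unauthenticated" placeholder.` The principal name is taken from the IdentityService test in this commit; confirm it against the implementation before wording the comment.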
Expand Up @@ -10,7 +10,7 @@

import org.opensearch.common.annotation.ExperimentalApi;
import org.opensearch.identity.PluginSubject;
import org.opensearch.identity.Subject;
import org.opensearch.identity.UserSubject;
import org.opensearch.identity.tokens.TokenManager;

/**
Expand All @@ -22,10 +22,11 @@
public interface IdentityPlugin {

/**
* Get the current subject.
* Get the current user subject.
*
* @return Should never return null
* */
Subject getSubject();
UserSubject getUserSubject();

/**
* Get the Identity Plugin's token manager implementation
4 changes: 2 additions & 2 deletions server/src/main/java/org/opensearch/rest/RestController.java
Expand Up @@ -57,7 +57,7 @@
import org.opensearch.http.HttpChunk;
import org.opensearch.http.HttpServerTransport;
import org.opensearch.identity.IdentityService;
import org.opensearch.identity.Subject;
import org.opensearch.identity.UserSubject;
import org.opensearch.identity.tokens.AuthToken;
import org.opensearch.identity.tokens.RestTokenExtractor;
import org.opensearch.usage.UsageService;
Expand Down Expand Up @@ -593,7 +593,7 @@ private boolean handleAuthenticateUser(final RestRequest request, final RestChan
// Authentication did not fail so return true. Authorization is handled at the action level.
return true;
}
final Subject currentSubject = identityService.getSubject();
final UserSubject currentSubject = identityService.getUserSubject();
currentSubject.authenticate(token);
logger.debug("Logged in as user " + currentSubject);
} catch (final Exception e) {
Expand Up @@ -29,7 +29,7 @@ public void testSingleIdentityPluginSucceeds() {
IdentityPlugin identityPlugin1 = new NoopIdentityPlugin(threadPool);
List<IdentityPlugin> pluginList1 = List.of(identityPlugin1);
IdentityService identityService1 = new IdentityService(Settings.EMPTY, threadPool, pluginList1);
assertTrue(identityService1.getSubject().getPrincipal().getName().equalsIgnoreCase("Unauthenticated"));
assertTrue(identityService1.getUserSubject().getPrincipal().getName().equalsIgnoreCase("Unauthenticated"));
assertThat(identityService1.getTokenManager(), is(instanceOf(NoopTokenManager.class)));
}

Expand Up @@ -76,10 +76,10 @@ public void setUp() throws Exception {
extensionTokenProcessor = "placeholder_extension_token_processor";
identityService = new IdentityService(Settings.EMPTY, mock(ThreadPool.class), List.of());
TokenManager tokenManager = identityService.getTokenManager();
Subject subject = this.identityService.getSubject();
Subject subject = this.identityService.getUserSubject();
OnBehalfOfClaims claims = new OnBehalfOfClaims("testID", subject.getPrincipal().getName());
expectedRequestIssuerIdentity = identityService.getTokenManager()
.issueOnBehalfOfToken(identityService.getSubject(), claims)
.issueOnBehalfOfToken(identityService.getUserSubject(), claims)
.asAuthHeaderValue();
}

