From 808fe31f640a3543e358ff11365f3d76ae2385c1 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 8 Aug 2024 18:58:02 -0400 Subject: [PATCH 1/3] Fixes authtoken endpoint Signed-off-by: Darshit Chanpura --- .../InternalUsersRestApiIntegrationTest.java | 12 +++++++++++ .../dlic/rest/api/InternalUsersApiAction.java | 6 +++--- .../opensearch/security/user/UserService.java | 20 ++++++++----------- 3 files changed, 23 insertions(+), 15 deletions(-) diff --git a/src/integrationTest/java/org/opensearch/security/api/InternalUsersRestApiIntegrationTest.java b/src/integrationTest/java/org/opensearch/security/api/InternalUsersRestApiIntegrationTest.java index 1ea18c4363..18769949fe 100644 --- a/src/integrationTest/java/org/opensearch/security/api/InternalUsersRestApiIntegrationTest.java +++ b/src/integrationTest/java/org/opensearch/security/api/InternalUsersRestApiIntegrationTest.java @@ -440,6 +440,18 @@ void assertFilterByUsers(final HttpResponse response, final boolean hasServiceUs assertThat(response.getBody(), response.bodyAsJsonNode().has(NEW_USER), is(hasInternalUser)); } + @Test + public void verifyPOSTOnlyForAuthTokenEndpoint() throws Exception { + withUser(ADMIN_USER_NAME, client -> { + badRequest(() -> client.post(apiPath(ADMIN_USER_NAME, "authtoken"))); + ok(() -> client.post(apiPath(SERVICE_ACCOUNT_USER, "authtoken"))); + /* + should be notImplement but the call doesn't reach {@link org.opensearch.security.dlic.rest.api.InternalUsersApiAction#withAuthTokenPath(RestRequest)} + */ + methodNotAllowed(() -> client.post(apiPath("randomPath"))); + }); + } + @Test public void userApiWithDotsInName() throws Exception { withUser(ADMIN_USER_NAME, client -> { diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/InternalUsersApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/InternalUsersApiAction.java index 0f4330fb79..3a16028b54 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/InternalUsersApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/InternalUsersApiAction.java @@ -160,10 +160,10 @@ protected final UserFilterType filterParam(final RestRequest request) { ValidationResult withAuthTokenPath(final RestRequest request) throws IOException { return endpointValidator.withRequiredEntityName(nameParam(request)).map(username -> { // Handle auth token fetching - if (!(request.uri().contains("/internalusers/" + username + "/authtoken") && request.uri().endsWith("/authtoken"))) { - return ValidationResult.error(RestStatus.NOT_IMPLEMENTED, methodNotImplementedMessage(request.method())); + if (request.uri().contains("/internalusers/" + username + "/authtoken") && request.uri().endsWith("/authtoken")) { + return ValidationResult.success(username); } - return ValidationResult.success(username); + return ValidationResult.error(RestStatus.NOT_IMPLEMENTED, methodNotImplementedMessage(request.method())); }); } diff --git a/src/main/java/org/opensearch/security/user/UserService.java b/src/main/java/org/opensearch/security/user/UserService.java index 449c496c37..16e1433015 100644 --- a/src/main/java/org/opensearch/security/user/UserService.java +++ b/src/main/java/org/opensearch/security/user/UserService.java @@ -27,7 +27,6 @@ import com.google.common.collect.ImmutableList; import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.JsonNode; -import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.node.ObjectNode; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; @@ -243,13 +242,10 @@ public static String generatePassword() { CharacterRule lowercaseCharacterRule = new CharacterRule(EnglishCharacterData.LowerCase, 1); CharacterRule uppercaseCharacterRule = new CharacterRule(EnglishCharacterData.UpperCase, 1); CharacterRule numericCharacterRule = new CharacterRule(EnglishCharacterData.Digit, 1); - CharacterRule specialCharacterRule = new CharacterRule(EnglishCharacterData.Special, 1); + // CharacterRule specialCharacterRule = new CharacterRule(EnglishCharacterData.Special, 1); - List rules = Arrays.asList( - lowercaseCharacterRule, - uppercaseCharacterRule, - numericCharacterRule, - specialCharacterRule + List rules = Arrays.asList(lowercaseCharacterRule, uppercaseCharacterRule, numericCharacterRule + // specialCharacterRule ); PasswordGenerator passwordGenerator = new PasswordGenerator(); @@ -275,17 +271,17 @@ public AuthToken generateAuthToken(String accountName) throws IOException { String authToken = null; try { - final ObjectMapper mapper = DefaultObjectMapper.objectMapper; - JsonNode accountDetails = mapper.readTree(internalUsersConfiguration.getCEntry(accountName).toString()); + final var accountEntry = DefaultObjectMapper.writeValueAsString(internalUsersConfiguration.getCEntry(accountName), false); + JsonNode accountDetails = DefaultObjectMapper.readTree(accountEntry); final ObjectNode contentAsNode = (ObjectNode) accountDetails; SecurityJsonNode securityJsonNode = new SecurityJsonNode(contentAsNode); - Optional.ofNullable(securityJsonNode.get("service")) + Optional.ofNullable(securityJsonNode.get("attributes").get("service")) .map(SecurityJsonNode::asString) .filter("true"::equalsIgnoreCase) .orElseThrow(() -> new UserServiceException(AUTH_TOKEN_GENERATION_MESSAGE)); - Optional.ofNullable(securityJsonNode.get("enabled")) + Optional.ofNullable(securityJsonNode.get("attributes").get("enabled")) .map(SecurityJsonNode::asString) .filter("true"::equalsIgnoreCase) .orElseThrow(() -> new UserServiceException(AUTH_TOKEN_GENERATION_MESSAGE)); @@ -306,7 +302,7 @@ public AuthToken generateAuthToken(String accountName) throws IOException { saveAndUpdateConfigs(getUserConfigName().toString(), client, CType.INTERNALUSERS, internalUsersConfiguration); authToken = Base64.getUrlEncoder().encodeToString((accountName + ":" + plainTextPassword).getBytes(StandardCharsets.UTF_8)); - return new BasicAuthToken(authToken); + return new BasicAuthToken("Basic " + authToken); } catch (JsonProcessingException ex) { throw new UserServiceException(FAILED_ACCOUNT_RETRIEVAL_MESSAGE); From 5ab017a91281a430cc112dd79e5c4bfc08b6fb2c Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 8 Aug 2024 19:13:16 -0400 Subject: [PATCH 2/3] Removes commented code Signed-off-by: Darshit Chanpura --- src/main/java/org/opensearch/security/user/UserService.java | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/main/java/org/opensearch/security/user/UserService.java b/src/main/java/org/opensearch/security/user/UserService.java index 16e1433015..f380fdb328 100644 --- a/src/main/java/org/opensearch/security/user/UserService.java +++ b/src/main/java/org/opensearch/security/user/UserService.java @@ -242,11 +242,8 @@ public static String generatePassword() { CharacterRule lowercaseCharacterRule = new CharacterRule(EnglishCharacterData.LowerCase, 1); CharacterRule uppercaseCharacterRule = new CharacterRule(EnglishCharacterData.UpperCase, 1); CharacterRule numericCharacterRule = new CharacterRule(EnglishCharacterData.Digit, 1); - // CharacterRule specialCharacterRule = new CharacterRule(EnglishCharacterData.Special, 1); - List rules = Arrays.asList(lowercaseCharacterRule, uppercaseCharacterRule, numericCharacterRule - // specialCharacterRule - ); + List rules = Arrays.asList(lowercaseCharacterRule, uppercaseCharacterRule, numericCharacterRule); PasswordGenerator passwordGenerator = new PasswordGenerator(); Random random = Randomness.get(); From cc26b94ca84b562ae75ed8e2958a343831682042 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 8 Aug 2024 20:17:33 -0400 Subject: [PATCH 3/3] Fixes timeout param for certificates api and add tests Signed-off-by: Darshit Chanpura --- .../api/CertificatesRestApiIntegrationTest.java | 11 +++++++++++ .../security/dlic/rest/api/CertificatesApiAction.java | 1 + 2 files changed, 12 insertions(+) diff --git a/src/integrationTest/java/org/opensearch/security/api/CertificatesRestApiIntegrationTest.java b/src/integrationTest/java/org/opensearch/security/api/CertificatesRestApiIntegrationTest.java index ebac5b80a5..8a69406bff 100644 --- a/src/integrationTest/java/org/opensearch/security/api/CertificatesRestApiIntegrationTest.java +++ b/src/integrationTest/java/org/opensearch/security/api/CertificatesRestApiIntegrationTest.java @@ -90,6 +90,17 @@ public void availableForRestAdmin() throws Exception { withUser(REST_API_ADMIN_SSL_INFO, this::verifySSLCertsInfo); } + @Test + public void timeoutTest() throws Exception { + withUser(REST_ADMIN_USER, this::verifyTimeoutRequest); + } + + private void verifyTimeoutRequest(final TestRestClient client) throws Exception { + TestRestClient.HttpResponse response = ok(() -> client.get(sslCertsPath() + "?timeout=0")); + final var body = response.bodyAsJsonNode(); + assertThat(body.get("nodes").size(), is(0)); + } + private void verifySSLCertsInfo(final TestRestClient client) throws Exception { assertSSLCertsInfo( localCluster.nodes(), diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/CertificatesApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/CertificatesApiAction.java index ea045c3aef..e1cd51e95d 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/CertificatesApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/CertificatesApiAction.java @@ -71,6 +71,7 @@ protected CType getConfigType() { protected void consumeParameters(RestRequest request) { request.param("nodeId"); request.param("cert_type"); + request.param("timeout"); } private void securitySSLCertsRequestHandlers(RequestHandler.RequestHandlersBuilder requestHandlersBuilder) {