Basic permissions checking from Subject

Adds capability for subject to check if a permission is allowed or not and creates a mechanism for actions to describe the permissinos associated with them. Signed-off-by: Peter Nied <[email protected]>
opensearch-project · Nov 4, 2022 · 014adb4 · 014adb4
1 parent 1559e5e
commit 014adb4
Show file tree

Hide file tree

Showing 9 changed files with 98 additions and 1 deletion.
diff --git a/sandbox/libs/authn/src/main/java/org/opensearch/authn/Permission.java b/sandbox/libs/authn/src/main/java/org/opensearch/authn/Permission.java
@@ -0,0 +1,29 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch.authn;
+
+import java.io.IOException;
+import java.util.Objects;
+
+public class Permission {
+    private final String[] permissionChunks; 
+
+    public Permission(final String permission) {
+        this.permissionChunks = permission.split("\\.");
+    }
+
+    public boolean matches(final String permissionRequired) {
+        Objects.nonNull(permissionRequired);
+
+        final Permission required = new Permission(permissionRequired);
+        for(int i = 0; i < this.permissionChunks.length; i++) {
+            if (!this.permissionChunks[i].equals(required.permissionChunks[i])) {
+                return false;
+            }
+        }
+        return true;
+    }
+}
diff --git a/sandbox/libs/authn/src/main/java/org/opensearch/authn/Subject.java b/sandbox/libs/authn/src/main/java/org/opensearch/authn/Subject.java
@@ -6,6 +6,7 @@
 package org.opensearch.authn;
 
 import java.security.Principal;
+import java.util.List;
 
 /**
  * An individual, process, or device that causes information to flow among objects or change to the system state.
@@ -30,4 +31,10 @@ public interface Subject {
      */
     public void login(final AuthenticationToken token);
 
+    /**
+     * The subject will confirm if it has the permissions that are checked against, if it has those permissions it returns null, otherwise it returns the exception.
+     * Note; this method not throw the exception
+     * */
+    public UnauthorizedException checkPermission(List<String> permissions);
+
 }
diff --git a/sandbox/libs/authn/src/main/java/org/opensearch/authn/UnauthorizedException.java b/sandbox/libs/authn/src/main/java/org/opensearch/authn/UnauthorizedException.java
@@ -0,0 +1,18 @@
+package org.opensearch.authn;
+
+import org.opensearch.authn.Subject;
+import org.opensearch.authn.Permission;
+
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+public class UnauthorizedException extends RuntimeException {
+    public UnauthorizedException(final String message) {
+        super(message);
+    }
+}
diff --git a/server/src/main/java/org/opensearch/action/ActionRequest.java b/server/src/main/java/org/opensearch/action/ActionRequest.java
@@ -34,9 +34,11 @@
 
 import org.opensearch.common.io.stream.StreamInput;
 import org.opensearch.common.io.stream.StreamOutput;
+import org.opensearch.authn.Permission;
 import org.opensearch.transport.TransportRequest;
 
 import java.io.IOException;
+import java.util.List;
 
 /**
  * Base action request implemented by plugins.
@@ -65,6 +67,12 @@ public boolean getShouldStoreResult() {
         return false;
     }
 
+    /** What permissions are required for this request */
+    public List<String> requiredPermissions() {
+        // Default behavior is not to require any permissions
+        return List.of();
+    }
+
     @Override
     public void writeTo(StreamOutput out) throws IOException {
         super.writeTo(out);

diff --git a/server/src/main/java/org/opensearch/action/ActionType.java b/server/src/main/java/org/opensearch/action/ActionType.java
@@ -32,6 +32,8 @@
 
 package org.opensearch.action;
 
+import java.util.List;
+
 import org.opensearch.common.io.stream.Writeable;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.transport.TransportRequestOptions;

diff --git a/server/src/main/java/org/opensearch/action/admin/indices/create/CreateIndexAction.java b/server/src/main/java/org/opensearch/action/admin/indices/create/CreateIndexAction.java
@@ -32,6 +32,8 @@
 
 package org.opensearch.action.admin.indices.create;
 
+import java.util.List;
+
 import org.opensearch.action.ActionType;
 
 /**
@@ -47,5 +49,4 @@ public class CreateIndexAction extends ActionType<CreateIndexResponse> {
     private CreateIndexAction() {
         super(NAME, CreateIndexResponse::new);
     }
-
 }
diff --git a/server/src/main/java/org/opensearch/action/admin/indices/create/CreateIndexRequest.java b/server/src/main/java/org/opensearch/action/admin/indices/create/CreateIndexRequest.java
@@ -65,6 +65,7 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
+import java.util.List;
 
 import static org.opensearch.action.ValidateActions.addValidationError;
 import static org.opensearch.common.settings.Settings.Builder.EMPTY_SETTINGS;
@@ -154,6 +155,14 @@ public ActionRequestValidationException validate() {
         return validationException;
     }
 
+    @Override
+    public List<String> requiredPermissions() {
+        return List.of(
+            "opensearch.engine.index.create",
+            "opensearch.engine.index.create." + this.index
+        );
+    }
+
     @Override
     public String[] indices() {
         return new String[] { index };

diff --git a/server/src/main/java/org/opensearch/action/support/TransportAction.java b/server/src/main/java/org/opensearch/action/support/TransportAction.java
@@ -41,12 +41,17 @@
 import org.opensearch.common.lease.Releasable;
 import org.opensearch.common.lease.Releasables;
 import org.opensearch.common.util.concurrent.ThreadContext;
+import org.opensearch.identity.Identity;
+import org.opensearch.authn.Subject;
+import org.opensearch.authn.Permission;
+import org.opensearch.authn.UnauthorizedException;
 import org.opensearch.tasks.Task;
 import org.opensearch.tasks.TaskCancelledException;
 import org.opensearch.tasks.TaskId;
 import org.opensearch.tasks.TaskListener;
 import org.opensearch.tasks.TaskManager;
 
+import java.util.List;
 import java.util.concurrent.atomic.AtomicInteger;
 
 /**
@@ -180,6 +185,14 @@ public final void execute(Task task, Request request, ActionListener<Response> l
             return;
         }
 
+        final Subject currentSubject = Identity.getAuthManager().getSubject();
+        final UnauthorizedException unauthorizedException = currentSubject.checkPermission(request.requiredPermissions());
+        if (unauthorizedException != null) {
+            listener.onFailure(unauthorizedException);
+            return;
+        }
+
+
         if (task != null && request.getShouldStoreResult()) {
             listener = new TaskResultStoringActionListener<>(taskManager, task, listener);
         }

diff --git a/server/src/main/java/org/opensearch/identity/noop/NoopSubject.java b/server/src/main/java/org/opensearch/identity/noop/NoopSubject.java
@@ -7,10 +7,14 @@
 
 import java.security.Principal;
 import java.util.Objects;
+import java.util.stream.Collectors;
+import java.util.List;
 
 import org.opensearch.authn.Subject;
 import org.opensearch.authn.AuthenticationToken;
 import org.opensearch.authn.Principals;
+import org.opensearch.authn.Permission;
+import org.opensearch.authn.UnauthorizedException;
 
 /**
  * Implementation of subject that is always authenticated
@@ -48,4 +52,10 @@ public String toString() {
     public void login(final AuthenticationToken token) {
         // Noop subject is always logged in, and all authentication tokens are accepted
     }
+
+    @Override
+    public UnauthorizedException checkPermission(final List<String> permissions) {
+        System.err.println("Check for permission: " + permissions.stream().collect(Collectors.joining(", ")));
+        return null;
+    }
 }