opensearch-project · peternied · Jan 3, 2023 · Dec 21, 2022 · Dec 21, 2022 · Dec 22, 2022
@@ -17,3 +17,4 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - [Identity] User operations: create update delete ([#4741](https://github.com/opensearch-project/OpenSearch/pull/4741))
 - [Identity] Adds Basic Auth mechanism via Internal IdP ([#4798](https://github.com/opensearch-project/OpenSearch/pull/4798))
 - [Identity] Introduce Identity Module ([#5583](https://github.com/opensearch-project/OpenSearch/pull/5583))
+- [Identity] Adds Bearer Auth mechanism via internal token handling ([#5611](https://github.com/opensearch-project/OpenSearch/pull/5611))
@@ -12,6 +12,7 @@
 apply plugin: 'opensearch.build'
 apply plugin: 'opensearch.publish'
 
+
 dependencies {
   implementation "com.fasterxml.jackson.core:jackson-core:${versions.jackson}"
   implementation "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:${versions.jackson}"
@@ -27,13 +28,13 @@ dependencies {
   implementation 'commons-logging:commons-logging:1.2'
   implementation 'commons-lang:commons-lang:2.6'
 
-  implementation('org.apache.cxf:cxf-rt-rs-security-jose:3.4.5') {
+  api ('org.apache.cxf:cxf-rt-rs-security-jose:3.4.5') {
     exclude(group: 'jakarta.activation', module: 'jakarta.activation-api')
   }
 
-  runtimeOnly 'org.apache.cxf:cxf-core:3.4.5'
-  implementation 'org.apache.cxf:cxf-rt-rs-json-basic:3.4.5'
-  runtimeOnly 'org.apache.cxf:cxf-rt-security:3.4.5'
+  api 'org.apache.cxf:cxf-core:3.4.5'
+  api 'org.apache.cxf:cxf-rt-rs-json-basic:3.4.5'
+  api 'org.apache.cxf:cxf-rt-security:3.4.5'
 
   // logging
   implementation "org.apache.logging.log4j:log4j-api:${versions.log4j}"

@@ -10,6 +10,8 @@
 import org.apache.shiro.authc.AuthenticationToken;
 import org.apache.shiro.authc.UsernamePasswordToken;
 import org.opensearch.authn.tokens.BasicAuthToken;
+import org.opensearch.authn.tokens.BearerAuthToken;
+import org.apache.shiro.authc.BearerToken;
 
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
@@ -34,6 +36,9 @@ public static AuthenticationToken extractShiroAuthToken(org.opensearch.authn.tok
         if (authenticationToken instanceof BasicAuthToken) {
             authToken = handleBasicAuth((BasicAuthToken) authenticationToken);
         }
+        if (authenticationToken instanceof BearerAuthToken) {
+            authToken = handleBearerAuth((BearerAuthToken) authenticationToken);
+        }
         // TODO: check for other type of HeaderTokens
         return authToken;
     }
@@ -73,4 +78,10 @@ private static AuthenticationToken handleBasicAuth(final BasicAuthToken token) {
 
         return new UsernamePasswordToken(username, password);
     }
+
+    private static AuthenticationToken handleBearerAuth(final BearerAuthToken token) {
+
+        String encodedJWT = token.getHeaderValue().substring("Bearer".length()).trim();
+        return new BearerToken(encodedJWT);
+    }
 }
@@ -8,7 +8,6 @@
 import java.security.Principal;
 import java.util.Objects;
 
-import org.apache.shiro.SecurityUtils;
 import org.opensearch.authn.AuthenticationTokenHandler;
 import org.opensearch.authn.tokens.AuthenticationToken;
 import org.opensearch.authn.Subject;
@@ -64,9 +63,10 @@ public String toString() {
      * Logs the user in via authenticating the user against current Shiro realm
      */
     public void login(AuthenticationToken authenticationToken) {
+
         org.apache.shiro.authc.AuthenticationToken authToken = AuthenticationTokenHandler.extractShiroAuthToken(authenticationToken);
+
         // Login via shiro realm.
-        SecurityUtils.getSecurityManager().authenticate(authToken);
-        // shiroSubject.login(authToken);
+        shiroSubject.login(authToken);
     }
 }
@@ -76,7 +76,6 @@ public static String createJwt(Map<String, String> claims) {
                     + JwtUtils.claimsToJson(jwt.getClaims())
             );
         }
-
         return encodedJwt;
     }
 }
@@ -86,7 +86,7 @@ private static JwsSignatureVerifier getInitializedSignatureVerifier(JsonWebKey k
         }
     }
 
-    private static void validateClaims(JwtToken jwt) throws BadCredentialsException, JwtException {
+    private static void validateClaims(JwtToken jwt) {
         JwtClaims claims = jwt.getClaims();
 
         if (claims != null) {

@@ -8,9 +8,11 @@
 
 package org.opensearch.authn.realm;
 
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authc.AuthenticationInfo;
 import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.BearerToken;
 import org.apache.shiro.authc.CredentialsException;
 import org.apache.shiro.authc.IncorrectCredentialsException;
 import org.apache.shiro.authc.SimpleAuthenticationInfo;
@@ -20,6 +22,8 @@
 
 import org.opensearch.authn.StringPrincipal;
 import org.opensearch.authn.User;
+import org.opensearch.authn.jwt.BadCredentialsException;
+import org.opensearch.authn.jwt.JwtVerifier;
 
 import java.util.Objects;
 import java.util.concurrent.ConcurrentMap;
@@ -89,11 +93,28 @@ public User getInternalUser(String principalIdentifier) throws UnknownAccountExc
         return userRecord;
     }
 
+    // TODO: Revisit this
+    // This was overridden to support all kinds of AuthTokens
+    @Override
+    public boolean supports(AuthenticationToken token) {
+        return true;
+    }
+
+    @Override
+    protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) throws AuthenticationException {
+        if (token instanceof BearerToken) {
+            // TODO: Check if this is correct
+            // Token has previously been verified at doGetAuthenticationInfo
+            // no auth required as bearer token is assumed to have correct credentials
+        } else if (token instanceof UsernamePasswordToken) {
+            super.assertCredentialsMatch(token, info); // continue as normal for basic-auth token
+        }
+    }
+
     @Override
     protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
         if (token instanceof UsernamePasswordToken) {
             String username = ((UsernamePasswordToken) token).getUsername();
-            final char[] password = ((UsernamePasswordToken) token).getPassword();
             // Look up the user by the provide username
             User userRecord = getInternalUser(username);
             // Check for other things, like a locked account, expired password, etc.
@@ -107,7 +128,7 @@ protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
             boolean successfulAuthentication = getCredentialsMatcher().doCredentialsMatch(token, sai);
 
             if (successfulAuthentication) {
-                // Check for anything else that might prevent login (expired password, locked account, etc
+                // Check for anything else that might prevent login (expired password, locked account, etc.)
                 // if (other problems) {
                 // throw new CredentialsException(); // Or something more specific
                 // }
@@ -117,6 +138,20 @@ protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                 // Bad password
                 throw new IncorrectCredentialsException(INCORRECT_CREDENTIALS_MESSAGE);
             }
+        } else if (token instanceof BearerToken) {
+            JwtToken jwtToken;
+
+            // Verify the validity of JWT token
+            try {
+                jwtToken = JwtVerifier.getVerifiedJwtToken(((BearerToken) token).getToken());
+            } catch (BadCredentialsException e) {
+                throw new IncorrectCredentialsException(e.getMessage()); // Invalid Token
+            }
+
+            String subject = jwtToken.getClaims().getSubject();
+
+            // We need to extract the subject here to create an identity subject that can be utilized across the realm
+            return new SimpleAuthenticationInfo(subject, null, realmName);
         }
         // Don't know what to do with this token
         throw new CredentialsException();

@@ -0,0 +1,26 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.authn.tokens;
+
+/**
+ * Bearer Authentication Tokens consisting of a JWT signed with a private key
+ */
+public class BearerAuthToken extends HttpHeaderToken {
+
+    private String headerValue;
+
+    public BearerAuthToken(String headerValue) {
+        this.headerValue = headerValue;
+    }
+
+    @Override
+    public String getHeaderValue() {
+        return headerValue;
+    }
+}
@@ -19,7 +19,6 @@ public class AuthenticationTokenHandlerTests extends OpenSearchTestCase {
 
     public void testShouldExtractBasicAuthTokenSuccessfully() {
 
-        // The auth header that is part of the request
         String authHeader = "Basic YWRtaW46YWRtaW4="; // admin:admin
 
         AuthenticationToken authToken = new BasicAuthToken(authHeader);

@@ -17,8 +17,9 @@ opensearchplugin {
 }
 
 dependencies {
+
   api project(':libs:opensearch-core')
-  api project(':sandbox:libs:opensearch-authn')
+  implementation project(':sandbox:libs:opensearch-authn')
 
   testImplementation project(path: ':modules:transport-netty4') // for http
   testImplementation project(path: ':plugins:transport-nio') // for http
@@ -32,10 +33,10 @@ dependencies {
  * We have to disable setting the number of available processors as tests in the same JVM randomize processors and will step on each
  * other if we allow them to set the number of available processors as it's set-once in Netty.
  */
-test {
-  systemProperty 'opensearch.set.netty.runtime.available.processors', 'false'
-}
+  test {
+    systemProperty 'opensearch.set.netty.runtime.available.processors', 'false'
+  }
 
-internalClusterTest {
-  systemProperty 'opensearch.set.netty.runtime.available.processors', 'false'
-}
+  internalClusterTest {
+    systemProperty 'opensearch.set.netty.runtime.available.processors', 'false'
+  }
@@ -16,6 +16,7 @@
 import org.opensearch.authn.jwt.JwtVendor;
 import org.opensearch.authn.tokens.AuthenticationToken;
 import org.opensearch.authn.tokens.BasicAuthToken;
+import org.opensearch.authn.tokens.BearerAuthToken;
 import org.opensearch.authn.tokens.HttpHeaderToken;
 import org.opensearch.client.node.NodeClient;
 import org.opensearch.common.settings.Settings;
@@ -32,7 +33,6 @@
 import java.time.Instant;
 import java.util.Collections;
 import java.util.HashMap;
-import java.util.Locale;
 import java.util.Map;
 import java.util.Optional;
 
@@ -80,19 +80,16 @@ private boolean checkAndAuthenticateRequest(RestRequest request, RestChannel cha
             jwtClaims.put("sub", "subject");
             jwtClaims.put("iat", Instant.now().toString());
             String encodedJwt = JwtVendor.createJwt(jwtClaims);
-            String requestInfo = String.format(
-                Locale.ROOT,
-                "(nodeName=%s, requestId=%s, path=%s, jwtClaims=%s checkAndAuthenticateRequest)",
-                client.getLocalNodeId(),
-                request.getRequestId(),
-                request.getRequestId(),
-                jwtClaims
-            );
-            if (log.isDebugEnabled()) {
-                log.debug(requestInfo);
-                String logMsg = String.format(Locale.ROOT, "Created internal access token %s", encodedJwt);
-                log.debug("{} {}", requestInfo, logMsg);
-            }
+            String prefix = "(nodeName="
+                + client.getLocalNodeId()
+                + ", requestId="
+                + request.getRequestId()
+                + ", path="
+                + request.path()
+                + ", jwtClaims="
+                + jwtClaims
+                + " checkAndAuthenticateRequest)";
+            log.info(prefix + " Created internal access token " + encodedJwt);
             threadContext.putHeader(ThreadContextConstants.OPENSEARCH_AUTHENTICATION_TOKEN_HEADER, encodedJwt);
         }
         return true;
@@ -155,6 +152,7 @@ private boolean authenticate(RestRequest request, RestChannel channel) throws IO
      */
     static AuthenticationToken tokenType(String authHeader) {
         if (authHeader.contains("Basic")) return new BasicAuthToken(authHeader);
+        if (authHeader.contains("Bearer")) return new BearerAuthToken(authHeader);
         // support other type of header tokens
         return null;
     }