opensearch-project · stephen-crawford · Mar 27, 2023 · Mar 27, 2023 · Mar 27, 2023 · Mar 28, 2023
@@ -175,6 +175,7 @@
 import org.opensearch.security.transport.DefaultInterClusterRequestEvaluator;
 import org.opensearch.security.transport.InterClusterRequestEvaluator;
 import org.opensearch.security.transport.SecurityInterceptor;
+import org.opensearch.security.user.SecurityInternalUserProvider;
 import org.opensearch.security.user.User;
 import org.opensearch.security.user.UserService;
 import org.opensearch.tasks.Task;
@@ -821,6 +822,8 @@ public Collection<Object> createComponents(Client localClient, ClusterService cl
 
         userService = new UserService(cs, cr, settings, localClient);
 
+        SecurityInternalUserProvider securityInternalUserProvider = new SecurityInternalUserProvider(userService);
+
         final XFFResolver xffResolver = new XFFResolver(threadPool);
         backendRegistry = new BackendRegistry(settings, adminDns, xffResolver, auditLog, threadPool);
 
@@ -878,7 +881,7 @@ public Collection<Object> createComponents(Client localClient, ClusterService cl
         components.add(si);
         components.add(dcf);
         components.add(userService);
-
+        components.add(securityInternalUserProvider);
 
         return components;
 

@@ -50,17 +50,19 @@
 
 public class InternalUsersApiAction extends PatchableResourceApiAction {
     static final List<String> RESTRICTED_FROM_USERNAME = ImmutableList.of(
-        ":" // Not allowed in basic auth, see https://stackoverflow.com/a/33391003/533057
+            ":" // Not allowed in basic auth, see https://stackoverflow.com/a/33391003/533057
     );
 
     private static final List<Route> routes = addRoutesPrefix(ImmutableList.of(
             new Route(Method.GET, "/user/{name}"),
             new Route(Method.GET, "/user/"),
+            new Route(Method.GET, "/user/{name}/authtoken"),
             new Route(Method.DELETE, "/user/{name}"),
             new Route(Method.PUT, "/user/{name}"),
 
             // corrected mapping, introduced in OpenSearch Security
             new Route(Method.GET, "/internalusers/{name}"),
+            new Route(Method.GET, "/internalusers/{name}/authtoken"),
             new Route(Method.GET, "/internalusers/"),
             new Route(Method.DELETE, "/internalusers/{name}"),
             new Route(Method.PUT, "/internalusers/{name}"),
@@ -144,8 +146,10 @@ protected void handlePut(RestChannel channel, final RestRequest request, final C
             throw new IOException(ex);
         }
 
+
         saveAndUpdateConfigs(this.securityIndexName,client, CType.INTERNALUSERS, internalUsersConfiguration, new OnSucessActionListener<IndexResponse>(channel) {
 
+
             @Override
             public void onResponse(IndexResponse response) {
                 if (userExisted) {
@@ -158,6 +162,55 @@ public void onResponse(IndexResponse response) {
         });
     }
 
+    @Override
+    protected void handleGet(final RestChannel channel, RestRequest request, Client client, final JsonNode content) throws IOException{
+
+        final String username = request.param("name");
+
+        final SecurityDynamicConfiguration<?> internalUsersConfiguration = load(getConfigName(), true);
+        filter(internalUsersConfiguration);
+
+        // no specific resource requested, return complete config
+        if (username == null || username.length() == 0) {
+
+            successResponse(channel, internalUsersConfiguration);
+            return;
+        }
+
+        final boolean userExisted = internalUsersConfiguration.exists(username);
+
+        if (!userExisted) {
+            notFound(channel, "Resource '" + username + "' not found.");
+            return;
+        }
+
+        String authToken = "";
+        try {
+            if (request.uri().contains("/internalusers/" + username + "/authtoken")) {
+
+                authToken = userService.generateAuthToken(username);
+            } else {
+
+                internalUsersConfiguration.removeOthers(username);
+                successResponse(channel, internalUsersConfiguration);
+                return;
+            }
+        }  catch (UserServiceException ex) {
+            badRequestResponse(channel, ex.getMessage());
+            return;
+        }
+        catch (IOException ex) {
+            throw new IOException(ex);
+        }
+
+        if (!authToken.isEmpty()) {
+            createdResponse(channel, "'" + username + "' authtoken updated generated "  + authToken);
+        } else {
+            badRequestResponse(channel, "'" + username + "' authtoken failed to be created.");
+        }
+    }
+
+
     @Override
     protected void filter(SecurityDynamicConfiguration<?> builder) {
         super.filter(builder);
@@ -193,6 +246,10 @@ protected AbstractConfigurationValidator postProcessApplyPatchResult(RestChannel
         return null;
     }
 
+    public InternalUsersApiAction getAction(){
+        return this;
+    }
+
     @Override
     protected String getResourceName() {
         return "user";

@@ -0,0 +1,20 @@
+package org.opensearch.security.user;
+
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import java.io.IOException;
+import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
+
+/**
+ * This interface will be defined in core following these changes. For now this is used for testing in the Security Plugin.
+ *
+ */
+public interface InternalUserProvider {
+
+    public void putInternalUser(String userInfo) throws java.io.IOException;
+
+    public SecurityDynamicConfiguration<?> getInternalUser(String userInfo);
+
+    public void removeInternalUser(String userInfo);
+
+    public String getInternalUserAuthToken(String userInfo) throws IOException;
+}
@@ -0,0 +1,60 @@
+package org.opensearch.security.user;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import java.io.IOException;
+import org.opensearch.common.inject.Inject;
+import org.opensearch.security.DefaultObjectMapper;
+import org.opensearch.security.securityconf.impl.CType;
+import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
+
+public class SecurityInternalUserProvider implements InternalUserProvider{
+
+    UserService userService;
+
+    @Inject
+    public SecurityInternalUserProvider(UserService userService) {
+        this.userService = userService;
+    }
+
+    @Override
+    public void putInternalUser(String userInfo) throws IOException {
+
+        JsonNode content = DefaultObjectMapper.readTree(userInfo);
+        final ObjectNode contentAsNode = (ObjectNode) content;
+
+        SecurityDynamicConfiguration<?> internalUsersConfiguration = userService.createOrUpdateAccount(contentAsNode);
+        userService.saveAndUpdateConfigs(userService.getUserConfigName().toString(), userService.client, CType.INTERNALUSERS, internalUsersConfiguration);
+    }
+
+    @Override
+    public SecurityDynamicConfiguration<?> getInternalUser(String username) {
+
+        final SecurityDynamicConfiguration<?> internalUsersConfiguration = userService.load(userService.getUserConfigName(), true);
+
+        // no specific resource requested, return complete config
+        if (username == null || username.length() == 0) {
+            return internalUsersConfiguration;
+        }
+
+        final boolean userExisted = internalUsersConfiguration.exists(username);
+
+        if (!userExisted) {
+            throw new UserServiceException("Failed to retrieve requested internal user.");
+        }
+
+        internalUsersConfiguration.removeOthers(username);
+        return internalUsersConfiguration;
+    }
+
+    @Override
+    public void removeInternalUser(String username) {
+        final SecurityDynamicConfiguration<?> internalUsersConfiguration = userService.load(userService.getUserConfigName(), true);
+        internalUsersConfiguration.remove(username);
+    }
+
+    @Override
+    public String getInternalUserAuthToken(String username) throws IOException {
+        return userService.generateAuthToken(username);
+    }
+}