From 54bca2ac83a193af0773ca57b8c2daed1d821d66 Mon Sep 17 00:00:00 2001
From: Ryan Liang
Date: Tue, 22 Aug 2023 17:36:05 -0700
Subject: [PATCH] Refactor the obo endpoint
Signed-off-by: Ryan Liang
---
 .../http/OnBehalfOfJwtAuthenticationTest.java | 7 +++++--
 .../onbehalf/CreateOnBehalfOfTokenAction.java | 17 +++++++++--------
 .../security/support/ConfigConstants.java | 3 ---
 3 files changed, 14 insertions(+), 13 deletions(-)
diff --git a/src/integrationTest/java/org/opensearch/security/http/OnBehalfOfJwtAuthenticationTest.java b/src/integrationTest/java/org/opensearch/security/http/OnBehalfOfJwtAuthenticationTest.java
index 63c419c2ef..5dc9532f1f 100644
--- a/src/integrationTest/java/org/opensearch/security/http/OnBehalfOfJwtAuthenticationTest.java
+++ b/src/integrationTest/java/org/opensearch/security/http/OnBehalfOfJwtAuthenticationTest.java
@@ -147,8 +147,11 @@ private String generateOboToken(String username, String password) {
         TestRestClient.HttpResponse response = client.postJson(OBO_ENDPOINT_PREFIX, OBO_TOKEN_REASON);
         response.assertStatusCode(200);
         Map oboEndPointResponse = response.getBodyAs(Map.class);
-        assertThat(oboEndPointResponse, allOf(aMapWithSize(3), hasKey("user"), hasKey("onBehalfOfToken"), hasKey("duration")));
-        return oboEndPointResponse.get("onBehalfOfToken").toString();
+        assertThat(
+            oboEndPointResponse,
+            allOf(aMapWithSize(3), hasKey("user"), hasKey("authenticationToken"), hasKey("durationSeconds"))
+        );
+        return oboEndPointResponse.get("authenticationToken").toString();
     }
 }
diff --git a/src/main/java/org/opensearch/security/action/onbehalf/CreateOnBehalfOfTokenAction.java b/src/main/java/org/opensearch/security/action/onbehalf/CreateOnBehalfOfTokenAction.java
index 70b9c6cce2..15936eb4b7 100644
--- a/src/main/java/org/opensearch/security/action/onbehalf/CreateOnBehalfOfTokenAction.java
+++ b/src/main/java/org/opensearch/security/action/onbehalf/CreateOnBehalfOfTokenAction.java
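Review bot: The rewritten assertion only checks that the `durationSeconds` key is present, so a regression in the fallback lifetime would still pass; assuming `OBO_TOKEN_REASON` sends no duration, the handler's default of `5 * 60` is the value worth pinning, e.g. `assertThat(oboEndPointResponse.get("durationSeconds"), equalTo(300))` (adjust the expected type if the body deserialises the number differently). Asserting the value rather than the key is what lets this test catch a change to the expiry bound. generateOboToken begins outside the hunk.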
@@ -41,8 +41,6 @@
 import static org.opensearch.rest.RestRequest.Method.POST;
 import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix;
-import static org.opensearch.security.support.ConfigConstants.OBO_DEFAULT_EXPIRY_SECONDS;
-import static org.opensearch.security.support.ConfigConstants.OBO_MAX_EXPIRY_SECONDS;
 public class CreateOnBehalfOfTokenAction extends BaseRestHandler {
@@ -59,6 +57,9 @@ public class CreateOnBehalfOfTokenAction extends BaseRestHandler {
     private DynamicConfigModel dcm;
+    public static final Integer OBO_DEFAULT_EXPIRY_SECONDS = 5 * 60;
+    public static final Integer OBO_MAX_EXPIRY_SECONDS = 10 * 60;
+
     @Subscribe
     public void onConfigModelChanged(ConfigModel configModel) {
         this.configModel = configModel;
@@ -128,15 +129,15 @@ public void accept(RestChannel channel) throws Exception {
         final Map requestBody = request.contentOrSourceParamParser().map();
         final String description = (String) requestBody.getOrDefault("description", null);
-        final Integer tokenDuration = Optional.ofNullable(requestBody.get("duration"))
+        final Integer tokenDuration = Optional.ofNullable(requestBody.get("durationSeconds"))
             .map(value -> (String) value)
             .map(Integer::parseInt)
-            .map(value -> Math.min(value, OBO_MAX_EXPIRY_SECONDS)) // Max duration is 10 minutes
-            .orElse(OBO_DEFAULT_EXPIRY_SECONDS); // Fallback to default of 5 minutes;
+            .map(value -> Math.min(value, OBO_MAX_EXPIRY_SECONDS)) // Max duration seconds are 600
+            .orElse(OBO_DEFAULT_EXPIRY_SECONDS); // Fallback to default
         final String service = (String) requestBody.getOrDefault("service", "self-issued");
         final User user = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
-        Set mappedRoles = mapRoles(user, null);
+        Set mappedRoles = mapRoles(user, /*Do not include host based mappings*/ null);
         builder.startObject();
         builder.field("user", user.getName());
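Review bot: The two constants added above `@Subscribe` are boxed `Integer` and `public`, yet their only visible use is `Math.min(value, OBO_MAX_EXPIRY_SECONDS)` in accept, which unboxes them; `private static final int OBO_DEFAULT_EXPIRY_SECONDS = 5 * 60;` and `private static final int OBO_MAX_EXPIRY_SECONDS = 10 * 60;` would avoid the boxing and keep the expiry policy out of the handler's public surface, unless another class still references them (not visible here). The `// On-behalf-of endpoints settings` comment they had in ConfigConstants is left behind; a one-liner such as `// Fallback and upper bound for the caller-supplied durationSeconds` would restore that context where the values now live.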
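Review bot: The new `durationSeconds` line keeps the `(String) value` cast and the bare `Integer::parseInt`, so a JSON number or a non-numeric string in the request body leaves accept as a ClassCastException or NumberFormatException; whether that is reported as a 400 or a 500 depends on the catch outside the hunk (accept starts and ends outside it). The larger gap is that `Math.min` bounds only the top: `0` or a negative value survives the clamp and presumably flows into the issued token as its lifetime, which should be rejected rather than minted. The fence below tolerates a numeric JSON value and refuses non-positive lifetimes; how the thrown exception maps to a status still needs checking outside the hunk.
```java
final Integer tokenDuration = Optional.ofNullable(requestBody.get("durationSeconds"))
    .map(value -> Integer.parseInt(String.valueOf(value))) // tolerate a JSON number as well as a string
    .map(value -> Math.min(value, OBO_MAX_EXPIRY_SECONDS)) // Max duration seconds are 600
    .orElse(OBO_DEFAULT_EXPIRY_SECONDS); // Fallback to default
if (tokenDuration <= 0) {
    // a zero or negative lifetime must not reach the token builder
    throw new IllegalArgumentException("durationSeconds must be a positive integer, got " + tokenDuration);
}
// … unchanged: service, user, mappedRoles, builder.startObject() …
```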
@@ -149,8 +150,8 @@ public void accept(RestChannel channel) throws Exception {
             mappedRoles.stream().collect(Collectors.toList()),
             user.getRoles().stream().collect(Collectors.toList())
         );
-        builder.field("onBehalfOfToken", token);
-        builder.field("duration", tokenDuration);
+        builder.field("authenticationToken", token);
+        builder.field("durationSeconds", tokenDuration);
         builder.endObject();
         response = new BytesRestResponse(RestStatus.OK, builder);
diff --git a/src/main/java/org/opensearch/security/support/ConfigConstants.java b/src/main/java/org/opensearch/security/support/ConfigConstants.java
index c855133907..61962a61f7 100644
--- a/src/main/java/org/opensearch/security/support/ConfigConstants.java
+++ b/src/main/java/org/opensearch/security/support/ConfigConstants.java
@@ -321,9 +321,6 @@ public enum RolesMappingResolution {
     public static final String TENANCY_GLOBAL_TENANT_DEFAULT_NAME = "";
     // On-behalf-of endpoints settings
-    public static final Integer OBO_DEFAULT_EXPIRY_SECONDS = 5 * 60;
-    public static final Integer OBO_MAX_EXPIRY_SECONDS = 10 * 60;
-
     // CS-SUPPRESS-SINGLE: RegexpSingleline get Extensions Settings
     public static final String EXTENSIONS_BWC_PLUGIN_MODE = "bwcPluginMode";
     public static final boolean EXTENSIONS_BWC_PLUGIN_MODE_DEFAULT = false;