[Extensions] Generate auth tokens for service accounts

build.gradle

@@ -75,16 +75,16 @@ licenseFile = rootProject.file('LICENSE.txt')
 noticeFile = rootProject.file('NOTICE.txt')
 
 spotless {
-  java {
-    // note: you can use an empty string for all the imports you didn't specify explicitly, and '\\#` prefix for static imports
-    importOrder('java', 'javax', '', 'com.amazon', 'org.opensearch', '\\#')
-    targetExclude('src/integrationTest/**')
-  }
-  format("integrationTest", JavaExtension) {
-      target('src/integrationTest/java/**/*.java')
-      importOrder('java', 'javax', '', 'com.amazon', 'org.opensearch', '\\#')
-      indentWithTabs(4)
-  }
+    java {
+        // note: you can use an empty string for all the imports you didn't specify explicitly, and '\\#` prefix for static imports
+        importOrder('java', 'javax', '', 'com.amazon', 'org.opensearch', '\\#')
+        targetExclude('src/integrationTest/**')
+    }
+    format("integrationTest", JavaExtension) {
+        target('src/integrationTest/java/**/*.java')
+        importOrder('java', 'javax', '', 'com.amazon', 'org.opensearch', '\\#')
+        indentWithTabs(4)
+    }
 }
 
 spotbugs {
@@ -135,17 +135,17 @@ test {
     }
     jacoco {
         excludes = [
-            "com.sun.jndi.dns.*",
-            "com.sun.security.sasl.gsskerb.*",
-            "java.sql.*",
-            "javax.script.*",
-            "org.jcp.xml.dsig.internal.dom.*",
-            "sun.nio.cs.ext.*",
-            "sun.security.ec.*",
-            "sun.security.jgss.*",
-            "sun.security.pkcs11.*",
-            "sun.security.smartcardio.*",
-            "sun.util.resources.provider.*"
+                "com.sun.jndi.dns.*",
+                "com.sun.security.sasl.gsskerb.*",
+                "java.sql.*",
+                "javax.script.*",
+                "org.jcp.xml.dsig.internal.dom.*",
+                "sun.nio.cs.ext.*",
+                "sun.security.ec.*",
+                "sun.security.jgss.*",
+                "sun.security.pkcs11.*",
+                "sun.security.smartcardio.*",
+                "sun.util.resources.provider.*"
         ]
     }
 }
@@ -159,17 +159,17 @@ task opensslTest(type: Test) {
     }
     jacoco {
         excludes = [
-            "com.sun.jndi.dns.*",
-            "com.sun.security.sasl.gsskerb.*",
-            "java.sql.*",
-            "javax.script.*",
-            "org.jcp.xml.dsig.internal.dom.*",
-            "sun.nio.cs.ext.*",
-            "sun.security.ec.*",
-            "sun.security.jgss.*",
-            "sun.security.pkcs11.*",
-            "sun.security.smartcardio.*",
-            "sun.util.resources.provider.*"
+                "com.sun.jndi.dns.*",
+                "com.sun.security.sasl.gsskerb.*",
+                "java.sql.*",
+                "javax.script.*",
+                "org.jcp.xml.dsig.internal.dom.*",
+                "sun.nio.cs.ext.*",
+                "sun.security.ec.*",
+                "sun.security.jgss.*",
+                "sun.security.pkcs11.*",
+                "sun.security.smartcardio.*",
+                "sun.util.resources.provider.*"
         ]
     }
 }

src/main/java/org/opensearch/security/dlic/rest/api/InternalUsersApiAction.java

@@ -31,12 +31,14 @@
 import org.opensearch.rest.RestController;
 import org.opensearch.rest.RestRequest;
 import org.opensearch.rest.RestRequest.Method;
+import org.opensearch.security.DefaultObjectMapper;
 import org.opensearch.security.auditlog.AuditLog;
 import org.opensearch.security.configuration.AdminDNs;
 import org.opensearch.security.configuration.ConfigurationRepository;
 import org.opensearch.security.dlic.rest.validation.AbstractConfigurationValidator;
 import org.opensearch.security.dlic.rest.validation.InternalUsersValidator;
 import org.opensearch.security.privileges.PrivilegesEvaluator;
+import org.opensearch.security.securityconf.Hashed;
 import org.opensearch.security.securityconf.impl.CType;
 import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
 import org.opensearch.security.ssl.transport.PrincipalExtractor;
@@ -50,18 +52,20 @@
 
 public class InternalUsersApiAction extends PatchableResourceApiAction {
     static final List<String> RESTRICTED_FROM_USERNAME = ImmutableList.of(
-        ":" // Not allowed in basic auth, see https://stackoverflow.com/a/33391003/533057
+            ":" // Not allowed in basic auth, see https://stackoverflow.com/a/33391003/533057
     );
 
     private static final List<Route> routes = addRoutesPrefix(ImmutableList.of(
             new Route(Method.GET, "/user/{name}"),
             new Route(Method.GET, "/user/"),
+            new Route(Method.POST, "/user/{name}/authtoken"),
             new Route(Method.DELETE, "/user/{name}"),
             new Route(Method.PUT, "/user/{name}"),
 
             // corrected mapping, introduced in OpenSearch Security
             new Route(Method.GET, "/internalusers/{name}"),
             new Route(Method.GET, "/internalusers/"),
+            new Route(Method.POST, "/internalusers/{name}/authtoken"),
             new Route(Method.DELETE, "/internalusers/{name}"),
             new Route(Method.PUT, "/internalusers/{name}"),
             new Route(Method.PATCH, "/internalusers/"),
@@ -127,8 +131,8 @@ protected void handlePut(RestChannel channel, final RestRequest request, final C
         // changes
 
         try {
-            if (request.hasParam("owner")) {
-                ((ObjectNode) content).put("owner", request.param("owner"));
+            if (request.hasParam("isService")) {
+                ((ObjectNode) content).put("isService", request.param("isService"));
             }
             if (request.hasParam("isEnabled")) {
                 ((ObjectNode) content).put("isEnabled", request.param("isEnabled"));
@@ -144,8 +148,28 @@ protected void handlePut(RestChannel channel, final RestRequest request, final C
             throw new IOException(ex);
         }
 
+        // for existing users, hash is optional
+        if (userExisted && securityJsonNode.get("hash").asString() == null) {
+            // sanity check, this should usually not happen
+            final String hash = ((Hashed) internalUsersConfiguration.getCEntry(username)).getHash();
+            if (hash == null || hash.length() == 0) {
+                internalErrorResponse(channel,
+                        "Existing user " + username + " has no password, and no new password or hash was specified.");
+                return;
+            }
+            contentAsNode.put("hash", hash);
+        }
+
+        internalUsersConfiguration.remove(username);
+
+        // checks complete, create or update the user
+        Object userData = DefaultObjectMapper.readTree(contentAsNode,  internalUsersConfiguration.getImplementingClass());
+        internalUsersConfiguration.putCObject(username, userData);
+
+
         saveAndUpdateConfigs(this.securityIndexName,client, CType.INTERNALUSERS, internalUsersConfiguration, new OnSucessActionListener<IndexResponse>(channel) {
 
+
             @Override
             public void onResponse(IndexResponse response) {
                 if (userExisted) {
@@ -158,6 +182,63 @@ public void onResponse(IndexResponse response) {
         });
     }
 
+    /**
+     * Overrides the GET request functionality to allow for the special case of requesting an auth token.
+     *
+     * @param channel The channel the request is coming through
+     * @param request The request itself
+     * @param client The client executing the request
+     * @param content The content of the request parsed into a node
+     * @throws IOException when parsing of configuration files fails (should not happen)
+     */
+    @Override
+    protected void handlePost(final RestChannel channel, RestRequest request, Client client, final JsonNode content) throws IOException{
+
+        final String username = request.param("name");
+
+        final SecurityDynamicConfiguration<?> internalUsersConfiguration = load(getConfigName(), true);
+        filter(internalUsersConfiguration); // Hides hashes
+
+        // no specific resource requested
+        if (username == null || username.length() == 0) {
+
+            notImplemented(channel, Method.POST);
+            return;
+        }
+
+        final boolean userExisted = internalUsersConfiguration.exists(username);
+
+        if (!userExisted) {
+            notFound(channel, "Resource '" + username + "' not found.");
+            return;
+        }
+
+        String authToken = "";
+        try {
+            if (request.uri().contains("/internalusers/" + username + "/authtoken") && request.uri().endsWith("/authtoken")) {  // Handle auth token fetching
+
+                authToken = userService.generateAuthToken(username);
+            } else { // Not an auth token request
+
+                notImplemented(channel, Method.POST);
+                return;
+            }
+        }  catch (UserServiceException ex) {
+            badRequestResponse(channel, ex.getMessage());
+            return;
+        }
+        catch (IOException ex) {
+            throw new IOException(ex);
+        }
+
+        if (!authToken.isEmpty()) {
+            createdResponse(channel, "'" + username + "' authtoken generated "  + authToken);
+        } else {
+            badRequestResponse(channel, "'" + username + "' authtoken failed to be created.");
+        }
+    }
+
+
     @Override
     protected void filter(SecurityDynamicConfiguration<?> builder) {
         super.filter(builder);

src/main/java/org/opensearch/security/securityconf/impl/v7/InternalUserV7.java

@@ -44,6 +44,8 @@ public class InternalUserV7 implements Hideable, Hashed, StaticDefinable {
         private String hash;
         private boolean reserved;
         private boolean hidden;
+        private boolean isService;
+        private boolean isEnabled;
         @JsonProperty(value = "static")
         private boolean _static;
         private List<String> backend_roles = Collections.emptyList();
@@ -58,7 +60,20 @@ private InternalUserV7(String hash, boolean reserved, boolean hidden, List<Strin
             this.hidden = hidden;
             this.backend_roles = backend_roles;
             this.attributes = attributes;
-        }
+            this.isEnabled = true;
+            this.isService = false;
+        }
+
+    private InternalUserV7(String hash, boolean reserved, boolean hidden, List<String> backend_roles, Map<String, String> attributes, Boolean isEnabled, Boolean isService) {
+        super();
+        this.hash = hash;
+        this.reserved = reserved;
+        this.hidden = hidden;
+        this.backend_roles = backend_roles;
+        this.attributes = attributes;
+        this.isEnabled = isEnabled;
+        this.isService = isService;
+    }
 
         public InternalUserV7() {
             super();
@@ -80,7 +95,6 @@ public String getHash() {
         public void setHash(String hash) {
             this.hash = hash;
         }
-
 
 
         public boolean isHidden() {
@@ -114,9 +128,17 @@ public void setAttributes(Map<String, String> attributes) {
             this.attributes = attributes;
         }
 
+        public boolean getIsEnabled() {
+            return this.isEnabled;
+        }
+
+        public boolean getIsService() {
+            return this.isService;
+        }
+
         @Override
         public String toString() {
-            return "InternalUserV7 [hash=" + hash + ", reserved=" + reserved + ", hidden=" + hidden + ", _static=" + _static + ", backend_roles="
+            return "InternalUserV7 [hash=" + hash + ", isEnabled=" + isEnabled + ", isService=" + isService + ", reserved=" + reserved + ", hidden=" + hidden + ", _static=" + _static + ", backend_roles="
                     + backend_roles + ", attributes=" + attributes + ", description=" + description + "]";
         }
 
@@ -134,6 +156,14 @@ public void setDescription(String description) {
             this.description = description;
         }
 
+        public void setIsEnabled(boolean isEnabled) {
+            this.isEnabled = isEnabled;
+        }
+
+        public void setIsService(boolean isService) {
+            this.isService = isService;
+        }
+
         public boolean isReserved() {
             return reserved;
         }