[Extensions] Generate auth tokens for service accounts

build.gradle

@@ -75,16 +75,16 @@ licenseFile = rootProject.file('LICENSE.txt')
 noticeFile = rootProject.file('NOTICE.txt')
 
 spotless {
-  java {
-    // note: you can use an empty string for all the imports you didn't specify explicitly, and '\\#` prefix for static imports
-    importOrder('java', 'javax', '', 'com.amazon', 'org.opensearch', '\\#')
-    targetExclude('src/integrationTest/**')
-  }
-  format("integrationTest", JavaExtension) {
-      target('src/integrationTest/java/**/*.java')
-      importOrder('java', 'javax', '', 'com.amazon', 'org.opensearch', '\\#')
-      indentWithTabs(4)
-  }
+    java {
+        // note: you can use an empty string for all the imports you didn't specify explicitly, and '\\#` prefix for static imports
+        importOrder('java', 'javax', '', 'com.amazon', 'org.opensearch', '\\#')
+        targetExclude('src/integrationTest/**')
+    }
+    format("integrationTest", JavaExtension) {
+        target('src/integrationTest/java/**/*.java')
+        importOrder('java', 'javax', '', 'com.amazon', 'org.opensearch', '\\#')
+        indentWithTabs(4)
+    }
 }
 
 spotbugs {
@@ -135,17 +135,17 @@ test {
     }
     jacoco {
         excludes = [
-            "com.sun.jndi.dns.*",
-            "com.sun.security.sasl.gsskerb.*",
-            "java.sql.*",
-            "javax.script.*",
-            "org.jcp.xml.dsig.internal.dom.*",
-            "sun.nio.cs.ext.*",
-            "sun.security.ec.*",
-            "sun.security.jgss.*",
-            "sun.security.pkcs11.*",
-            "sun.security.smartcardio.*",
-            "sun.util.resources.provider.*"
+                "com.sun.jndi.dns.*",
+                "com.sun.security.sasl.gsskerb.*",
+                "java.sql.*",
+                "javax.script.*",
+                "org.jcp.xml.dsig.internal.dom.*",
+                "sun.nio.cs.ext.*",
+                "sun.security.ec.*",
+                "sun.security.jgss.*",
+                "sun.security.pkcs11.*",
+                "sun.security.smartcardio.*",
+                "sun.util.resources.provider.*"
         ]
     }
 }
@@ -159,17 +159,17 @@ task opensslTest(type: Test) {
     }
     jacoco {
         excludes = [
-            "com.sun.jndi.dns.*",
-            "com.sun.security.sasl.gsskerb.*",
-            "java.sql.*",
-            "javax.script.*",
-            "org.jcp.xml.dsig.internal.dom.*",
-            "sun.nio.cs.ext.*",
-            "sun.security.ec.*",
-            "sun.security.jgss.*",
-            "sun.security.pkcs11.*",
-            "sun.security.smartcardio.*",
-            "sun.util.resources.provider.*"
+                "com.sun.jndi.dns.*",
+                "com.sun.security.sasl.gsskerb.*",
+                "java.sql.*",
+                "javax.script.*",
+                "org.jcp.xml.dsig.internal.dom.*",
+                "sun.nio.cs.ext.*",
+                "sun.security.ec.*",
+                "sun.security.jgss.*",
+                "sun.security.pkcs11.*",
+                "sun.security.smartcardio.*",
+                "sun.util.resources.provider.*"
         ]
     }
 }

src/main/java/org/opensearch/security/dlic/rest/api/InternalUsersApiAction.java

@@ -58,14 +58,14 @@ public class InternalUsersApiAction extends PatchableResourceApiAction {
     private static final List<Route> routes = addRoutesPrefix(ImmutableList.of(
             new Route(Method.GET, "/user/{name}"),
             new Route(Method.GET, "/user/"),
-            new Route(Method.GET, "/user/{name}/authtoken"),
+            new Route(Method.POST, "/user/{name}/authtoken"),
             new Route(Method.DELETE, "/user/{name}"),
             new Route(Method.PUT, "/user/{name}"),
 
             // corrected mapping, introduced in OpenSearch Security
             new Route(Method.GET, "/internalusers/{name}"),
-            new Route(Method.GET, "/internalusers/{name}/authtoken"),
             new Route(Method.GET, "/internalusers/"),
+            new Route(Method.POST, "/internalusers/{name}/authtoken"),
             new Route(Method.DELETE, "/internalusers/{name}"),
             new Route(Method.PUT, "/internalusers/{name}"),
             new Route(Method.PATCH, "/internalusers/"),
@@ -192,17 +192,17 @@ public void onResponse(IndexResponse response) {
      * @throws IOException when parsing of configuration files fails (should not happen)
      */
     @Override
-    protected void handleGet(final RestChannel channel, RestRequest request, Client client, final JsonNode content) throws IOException{
+    protected void handlePost(final RestChannel channel, RestRequest request, Client client, final JsonNode content) throws IOException{
 
         final String username = request.param("name");
 
         final SecurityDynamicConfiguration<?> internalUsersConfiguration = load(getConfigName(), true);
         filter(internalUsersConfiguration); // Hides hashes
 
-        // no specific resource requested, return complete internal user store
+        // no specific resource requested
         if (username == null || username.length() == 0) {
 
-            successResponse(channel, internalUsersConfiguration);
+            notImplemented(channel, Method.POST);
             return;
         }
 
@@ -218,10 +218,9 @@ protected void handleGet(final RestChannel channel, RestRequest request, Client
             if (request.uri().contains("/internalusers/" + username + "/authtoken") && request.uri().endsWith("/authtoken")) {  // Handle auth token fetching
 
                 authToken = userService.generateAuthToken(username);
-            } else { // Not an auth token request so just get the target user
+            } else { // Not an auth token request
 
-                internalUsersConfiguration.removeOthers(username);
-                successResponse(channel, internalUsersConfiguration);
+                notImplemented(channel, Method.POST);
                 return;
             }
         }  catch (UserServiceException ex) {

src/main/java/org/opensearch/security/user/UserService.java

@@ -16,12 +16,11 @@
 import java.util.Base64;
 import java.util.Collections;
 import java.util.List;
-import java.util.Objects;
+import java.util.Optional;
 import java.util.stream.Collectors;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.JsonNode;
-import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import com.google.common.collect.ImmutableList;
 import org.apache.logging.log4j.LogManager;
@@ -121,7 +120,9 @@ public SecurityDynamicConfiguration<?> createOrUpdateAccount(ObjectNode contentA
             throw new UserServiceException(NO_ACCOUNT_NAME_MESSAGE);
         }
 
-        if (!securityJsonNode.get("attributes").get("isService").isNull() && securityJsonNode.get("attributes").get("isService").asString().equalsIgnoreCase("true"))
+        SecurityJsonNode attributeNode = securityJsonNode.get("attributes");
+
+            if (!attributeNode.get("isService").isNull() && attributeNode.get("isService").asString().equalsIgnoreCase("true"))
         { // If this is a service account
             verifyServiceAccount(securityJsonNode, accountName);
             String password = generatePassword();
@@ -150,7 +151,7 @@ public SecurityDynamicConfiguration<?> createOrUpdateAccount(ObjectNode contentA
             contentAsNode.remove("password");
         }
 
-        if (!securityJsonNode.get("attributes").get("isEnabled").isNull()) {
+        if (!attributeNode.get("isEnabled").isNull()) {
             contentAsNode.put("isEnabled", securityJsonNode.get("isEnabled").asString());
         }
 
@@ -220,22 +221,16 @@ public String generateAuthToken(String accountName) throws IOException {
 
         String authToken = null;
         try {
-            ObjectMapper mapper = new ObjectMapper();
+            DefaultObjectMapper mapper = new DefaultObjectMapper();
             JsonNode accountDetails = mapper.readTree(internalUsersConfiguration.getCEntry(accountName).toString());
             final ObjectNode contentAsNode = (ObjectNode) accountDetails;
             SecurityJsonNode securityJsonNode = new SecurityJsonNode(contentAsNode);
 
-            if (securityJsonNode.get("isService").isNull()) { // If this is not a service account
-                throw new UserServiceException(AUTH_TOKEN_GENERATION_MESSAGE);
-            }
-            if (Objects.requireNonNull(securityJsonNode.get("isService").asString()).equalsIgnoreCase("false")) { // If this is not a service account
-                throw new UserServiceException(AUTH_TOKEN_GENERATION_MESSAGE);
-            }
-            if (securityJsonNode.get("isEnabled").isNull()) { // If there is no enabled flag
-                throw new UserServiceException(AUTH_TOKEN_GENERATION_MESSAGE);
+            if (Optional.of(securityJsonNode.get("isService").asString().equalsIgnoreCase("false")).orElseThrow(() -> {throw new UserServiceException(AUTH_TOKEN_GENERATION_MESSAGE);})) {
+                throw new UserServiceException(AUTH_TOKEN_GENERATION_MESSAGE); // If the account is not a service account
             }
-            if (Objects.requireNonNull(securityJsonNode.get("isEnabled").asString()).equalsIgnoreCase("false")) { // If the service account is not active
-                throw new UserServiceException(AUTH_TOKEN_GENERATION_MESSAGE);
+            if (Optional.of(securityJsonNode.get("isEnabled").asString().equalsIgnoreCase("false")).orElseThrow(() -> {throw new UserServiceException(AUTH_TOKEN_GENERATION_MESSAGE);})) {
+                throw new UserServiceException(AUTH_TOKEN_GENERATION_MESSAGE); // If the service account is not active
             }
 
             // Generate a new password for the account and store the hash of it

src/test/java/org/opensearch/security/dlic/rest/api/UserApiTest.java

@@ -44,6 +44,8 @@ protected String getEndpointPrefix() {
     }
 
 
+    final int USER_SETTING_SIZE = 9 * 19; // Lines per account entry * number of accounts
+
     private static final String ENABLED_SERVICE_ACCOUNT_BODY  =  "{"
             + " \"attributes\": { \"isService\": \"true\", "
             + "\"isEnabled\": \"true\"}"
@@ -87,7 +89,7 @@ public void testSecurityRoles() throws Exception {
                 .executeGetRequest(ENDPOINT + "/" + CType.INTERNALUSERS.toLCString());
         Assert.assertEquals(response.getBody(), HttpStatus.SC_OK, response.getStatusCode());
         Settings settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build();
-        Assert.assertEquals(171, settings.size());
+        Assert.assertEquals(USER_SETTING_SIZE, settings.size());
         response = rh.executePatchRequest(ENDPOINT + "/internalusers", "[{ \"op\": \"add\", \"path\": \"/newuser\", \"value\": {\"password\": \"newuser\", \"opendistro_security_roles\": [\"opendistro_security_all_access\"] } }]", new Header[0]);
         Assert.assertEquals(response.getBody(), HttpStatus.SC_OK, response.getStatusCode());
 
@@ -137,7 +139,7 @@ public void testUserApi() throws Exception {
         HttpResponse response = rh.executeGetRequest(ENDPOINT + "/" + CType.INTERNALUSERS.toLCString());
         Assert.assertEquals(response.getBody(), HttpStatus.SC_OK, response.getStatusCode());
         Settings settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build();
-        Assert.assertEquals(171, settings.size());
+        Assert.assertEquals(USER_SETTING_SIZE, settings.size());
         verifyGet();
         verifyPut();
         verifyPatch(true);
@@ -417,7 +419,7 @@ private void verifyAuthToken(final boolean sendAdminCert, Header... restAdminHea
         response = rh.executeGetRequest(ENDPOINT + "/internalusers/happyServiceLive", restAdminHeader);
         Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());
 
-        response = rh.executeGetRequest(ENDPOINT + "/internalusers/happyServiceLive/authtoken",
+        response = rh.executePostRequest(ENDPOINT + "/internalusers/happyServiceLive/authtoken",
                 ENABLED_SERVICE_ACCOUNT_BODY, restAdminHeader);
         Assert.assertEquals(response.getBody(), HttpStatus.SC_CREATED, response.getStatusCode());
         String tokenFromResponse = response.getBody();
@@ -433,7 +435,7 @@ private void verifyAuthToken(final boolean sendAdminCert, Header... restAdminHea
                 DISABLED_SERVICE_ACCOUNT_BODY, restAdminHeader);
         Assert.assertEquals(response.getBody(), HttpStatus.SC_CREATED, response.getStatusCode());
 
-        response = rh.executeGetRequest(ENDPOINT + "/internalusers/happyServiceDead/authtoken",
+        response = rh.executePostRequest(ENDPOINT + "/internalusers/happyServiceDead/authtoken",
                 ENABLED_SERVICE_ACCOUNT_BODY, restAdminHeader);
         Assert.assertEquals(response.getBody(), HttpStatus.SC_BAD_REQUEST, response.getStatusCode());
 
@@ -444,7 +446,7 @@ private void verifyAuthToken(final boolean sendAdminCert, Header... restAdminHea
                 ENABLED_NOT_SERVICE_ACCOUNT_BODY, restAdminHeader);
         Assert.assertEquals(HttpStatus.SC_CREATED, response.getStatusCode());
 
-        response = rh.executeGetRequest(ENDPOINT + "/internalusers/user_is_owner_1/authtoken",
+        response = rh.executePostRequest(ENDPOINT + "/internalusers/user_is_owner_1/authtoken",
                 ENABLED_SERVICE_ACCOUNT_BODY, restAdminHeader);
         Assert.assertEquals(response.getBody(), HttpStatus.SC_BAD_REQUEST, response.getStatusCode());
 
@@ -535,7 +537,7 @@ public void testUserApiWithRestAdminPermissions() throws Exception {
         HttpResponse response = rh.executeGetRequest(ENDPOINT + "/" + CType.INTERNALUSERS.toLCString(), restApiAdminHeader);
         Assert.assertEquals(response.getBody(), HttpStatus.SC_OK, response.getStatusCode());
         Settings settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build();
-        Assert.assertEquals(171, settings.size());
+        Assert.assertEquals(USER_SETTING_SIZE, settings.size());
         verifyGet(restApiAdminHeader);
         verifyPut(restApiAdminHeader);
         verifyPatch(false, restApiAdminHeader);
@@ -553,7 +555,7 @@ public void testUserApiWithRestInternalUsersAdminPermissions() throws Exception
         HttpResponse response = rh.executeGetRequest(ENDPOINT + "/" + CType.INTERNALUSERS.toLCString(), restApiInternalUsersAdminHeader);
         Assert.assertEquals(response.getBody(), HttpStatus.SC_OK, response.getStatusCode());
         Settings settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build();
-        Assert.assertEquals(171, settings.size());
+        Assert.assertEquals(USER_SETTING_SIZE, settings.size());
         verifyGet(restApiInternalUsersAdminHeader);
         verifyPut(restApiInternalUsersAdminHeader);
         verifyPatch(false, restApiInternalUsersAdminHeader);
@@ -582,7 +584,7 @@ public void testPasswordRules() throws Exception {
                 .executeGetRequest("_plugins/_security/api/" + CType.INTERNALUSERS.toLCString());
         Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());
         Settings settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build();
-        Assert.assertEquals(171, settings.size());
+        Assert.assertEquals(USER_SETTING_SIZE, settings.size());
 
         addUserWithPassword("tooshoort", "", HttpStatus.SC_BAD_REQUEST);
         addUserWithPassword("tooshoort", "123", HttpStatus.SC_BAD_REQUEST);
@@ -662,7 +664,7 @@ public void testUserApiWithDots() throws Exception {
                 .executeGetRequest(ENDPOINT + "/" + CType.INTERNALUSERS.toLCString());
         Assert.assertEquals(HttpStatus.SC_OK, response.getStatusCode());
         Settings settings = Settings.builder().loadFromSource(response.getBody(), XContentType.JSON).build();
-        Assert.assertEquals(171, settings.size());
+        Assert.assertEquals(USER_SETTING_SIZE, settings.size());
 
         addUserWithPassword(".my.dotuser0", "$2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m",
                 HttpStatus.SC_CREATED);