Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement IdentityPlugin in Security plugin #3538

Merged
merged 22 commits into from
Nov 1, 2023

Conversation

stephen-crawford
Copy link
Contributor

Description

This change implements the IdentityPlugin interface inside the Security Plugin codebase.
This change adds the methods getSubject and getTokenManager. It also adds a new class SecurityTokenManager which handles the issuance of Service Account tokens and OBO tokens. This is done by having the token manager wrap the appropriate methods inside the UserService (for service accounts) and JwtVendor (for OBO tokens).

Issues Resolved

This issue addresses the final check box for: #3176

Testing

This change adds tests for issuing the tokens using the SecurityTokenManager. The other functionality has already been tested by the supporting classes.

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@stephen-crawford
Copy link
Contributor Author

Blocked by: opensearch-project/OpenSearch#10614

@codecov
Copy link

codecov bot commented Oct 17, 2023

Codecov Report

Merging #3538 (67d14b4) into main (d10475c) will increase coverage by 5.60%.
The diff coverage is 1.63%.

❗ Current head 67d14b4 differs from pull request most recent head 5cdaa04. Consider uploading reports for the commit 5cdaa04 to get more accurate results

Impacted file tree graph

@@            Coverage Diff            @@
##             main   #3538      +/-   ##
=========================================
+ Coverage        0   5.60%   +5.60%     
- Complexity      0     238     +238     
=========================================
  Files           0     283     +283     
  Lines           0   20661   +20661     
  Branches        0    3395    +3395     
=========================================
+ Hits            0    1159    +1159     
- Misses          0   19312   +19312     
- Partials        0     190     +190     
Files Coverage Δ
.../opensearch/security/OpenSearchSecurityPlugin.java 10.97% <16.66%> (ø)
.../opensearch/security/identity/SecuritySubject.java 10.00% <10.00%> (ø)
...y/action/onbehalf/CreateOnBehalfOfTokenAction.java 0.00% <0.00%> (ø)
...search/security/identity/SecurityTokenManager.java 0.00% <0.00%> (ø)

... and 279 files with indirect coverage changes

@stephen-crawford
Copy link
Contributor Author

stephen-crawford commented Oct 17, 2023

Need to make this change: opensearch-project/OpenSearch#10664

We don't want people to have to provide absolute times in JSON form. Right now we are running into an issue like this where the calculated time expects a Second value to be provided in the case of a JSON is used to request the token settings. But then it auto-propagates the fields with a millisecond absolute time value.

We want our times to be in similar magnitude not way out of scale like this:

Max expiry time is: 1697562174
Provided expiry time is: 300

Or running into issues with conversion like this:

Max expiry time is: 1697562174
Provided expiry time is: 1697561874

stephen-crawford and others added 7 commits October 18, 2023 14:34
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
….java

Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
@peternied peternied marked this pull request as ready for review October 30, 2023 15:51
@peternied
Copy link
Member

Design/refactoring is done so I'm marking this change ready for review as there were changes from the original version of this change.

In the meanwhile, I'll be adding & cleaning up the tests.

Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
peternied
peternied previously approved these changes Oct 30, 2023
@peternied
Copy link
Member

Thanks @cwperks & @DarshitChanpura I've responded to all feedback and resolved all threads - let me know what you think.

- Added test case to verify when OBO is disabled the correct response is
  recieved
- Added test case where the signing key is rotated
- Patched up a bug where insufficent signing key complexity would only be
  caught when decrypting, but not configuring cluster.

Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Copy link
Member

@cwperks cwperks left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have one more question around backend_roles, but otherwise this PR looks good to me.

Copy link
Contributor Author

@stephen-crawford stephen-crawford left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good just a few comments but otherwise seems all set!

@peternied
Copy link
Member

@cwperks @DarshitChanpura Anything holding up approval of this PR?

@peternied peternied merged commit 4676452 into opensearch-project:main Nov 1, 2023
56 checks passed
@peternied peternied deleted the ServiceAccounts branch November 1, 2023 16:04
@peternied peternied added the backport 2.x backport to 2.x branch label Nov 1, 2023
@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.x
# Create a new branch
git switch --create backport/backport-3538-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 467645241d42c8ae02166c4d41d3e7aa5edafdc7
# Push it to GitHub
git push --set-upstream origin backport/backport-3538-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-3538-to-2.x.

RyanL1997 pushed a commit to RyanL1997/security that referenced this pull request Nov 2, 2023
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Co-authored-by: Peter Nied <petern@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport 2.x backport to 2.x branch
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants