

Add logic to return to user the token and store an encrypted version …
…in the index

Signed-off-by: Derek Ho <[email protected]>
derek-ho committed Dec 17, 2024
1 parent ae4e8f8 commit 3a2e483
Showing 4 changed files with 14 additions and 7 deletions.
Expand Up @@ -132,7 +132,7 @@ private RestChannelConsumer handlePost(RestRequest request, NodeClient client) {
);

builder.startObject();
builder.field("token", token);
builder.field("Api Token: ", token);
builder.endObject();

response = new BytesRestResponse(RestStatus.OK, builder);
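Review bot: The response key `"Api Token: "` carries a trailing colon and space and is capitalised, which is not a usable JSON field name for clients and differs from the `"token"` key it replaces; if L23 is the new side, prefer a stable identifier such as `builder.field("api_token", token);` or simply keep `"token"`. Since this is the only point where the raw bearer token leaves the server, a comment on that line saying the value is shown once and must not be logged or stored by the handler would help the next maintainer. handlePost's signature and the rest of its body lie outside the hunk.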
Expand Up @@ -16,6 +16,7 @@

import org.opensearch.client.Client;
import org.opensearch.cluster.service.ClusterService;
import org.opensearch.common.collect.Tuple;
import org.opensearch.index.IndexNotFoundException;
import org.opensearch.security.authtoken.jwt.ExpiringBearerAuthToken;
import org.opensearch.security.identity.SecurityTokenManager;
Expand All @@ -39,9 +40,11 @@ public String createApiToken(
// TODO: Implement logic of creating JTI to match against during authc/z
// TODO: Add validation on whether user is creating a token with a subset of their permissions
ApiToken apiToken = new ApiToken(name, clusterPermissions, indexPermissions, expiration);
ExpiringBearerAuthToken token = securityTokenManager.issueApiToken(apiToken);
apiToken.setJti(token.getCompleteToken());
return apiTokenIndexHandler.indexTokenMetadata(apiToken);
Tuple<ExpiringBearerAuthToken, String> token = securityTokenManager.issueApiToken(apiToken);
apiToken.setJti(token.v2());
apiTokenIndexHandler.indexTokenMetadata(apiToken);

return token.v1().getCompleteToken();
}

public void deleteApiToken(String name) throws ApiTokenException, IndexNotFoundException {
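Review bot: `apiToken.setJti(token.v2())` now stores the encrypted serialized JWT under a field named JTI, while the TODO two lines above still says JTI handling is unimplemented; that mismatch should be documented so a later reader does not assume the field holds the `jti` claim, e.g. `// v2() is the encrypted serialized JWT, not a JWT ID; stored so the index never holds the raw bearer token`. The result of `apiTokenIndexHandler.indexTokenMetadata(apiToken)` is now discarded where it was previously returned; if that handler reports anything other than success through its return value rather than by throwing, a token could be handed to the user without a matching index entry — worth confirming against the handler. Naming the tuple `issued` rather than `token` would also make the `v1()`/`v2()` accesses easier to follow. createApiToken's signature is above the hunk.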
Expand Up @@ -153,7 +153,7 @@ public ExpiringBearerAuthToken createJwt(
}

@SuppressWarnings("removal")
public ExpiringBearerAuthToken createJwt(
public Tuple<ExpiringBearerAuthToken, String> createJwt(
final String issuer,
final String subject,
final String audience,
Expand Down Expand Up @@ -199,6 +199,9 @@ public ExpiringBearerAuthToken createJwt(
);
}

return new ExpiringBearerAuthToken(signedJwt.serialize(), subject, expiryTime);
return Tuple.tuple(
new ExpiringBearerAuthToken(signedJwt.serialize(), subject, expiryTime),
encryptionDecryptionUtil.encrypt(signedJwt.serialize())
);
}
}
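Review bot: `signedJwt.serialize()` is evaluated twice in the new return statement; compute it once, `final String serializedJwt = signedJwt.serialize();`, and pass it to both the `ExpiringBearerAuthToken` constructor and `encryptionDecryptionUtil.encrypt(serializedJwt)`. What is persisted is a reversible encryption of the complete bearer token, so whoever holds the encryption key can recover a live credential from the index; if the stored value only needs to be matched during authentication, a one-way keyed digest of the token (or of its `jti` claim) would serve the same purpose without making the index a credential store — this depends on how the lookup is implemented, which is not in the diff. The overload at the top of this section still returns a bare `ExpiringBearerAuthToken` while this one returns a `Tuple`, which is confusing for two methods both named `createJwt`; a distinct name for the API-token variant would help. The method's parameter list and body continue outside the hunk.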
Expand Up @@ -20,6 +20,7 @@

import org.opensearch.OpenSearchSecurityException;
import org.opensearch.cluster.service.ClusterService;
import org.opensearch.common.collect.Tuple;
import org.opensearch.common.settings.Settings;
import org.opensearch.core.common.transport.TransportAddress;
import org.opensearch.identity.Subject;
Expand Down Expand Up @@ -140,7 +141,7 @@ public ExpiringBearerAuthToken issueOnBehalfOfToken(final Subject subject, final
}
}

public ExpiringBearerAuthToken issueApiToken(final ApiToken apiToken) {
public Tuple<ExpiringBearerAuthToken, String> issueApiToken(final ApiToken apiToken) {
final User user = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
if (user == null) {
throw new OpenSearchSecurityException("Unsupported user to generate Api Token");
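Review bot: The new `issueApiToken` signature returns a `Tuple<ExpiringBearerAuthToken, String>` with no documentation of what `v1()` and `v2()` hold, while the neighbouring `issueOnBehalfOfToken` still returns a plain `ExpiringBearerAuthToken`. A Javadoc above the signature should state that the first element is the issued bearer token to return to the caller and the second is its encrypted serialized form intended only for the index (as the JwtVendor change in this commit suggests), and that the raw token itself must not be persisted. A small value type with named accessors would be clearer than a positional tuple. The method body continues below the hunk.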
