First shot at an immutable user object

Author: nibix

src/integrationTest/java/org/opensearch/security/privileges/ActionPrivilegesTest.java

@@ -1040,8 +1040,7 @@ static SecurityDynamicConfiguration<RoleV7> createRoles(int numberOfRoles, int n
     }
 
     static PrivilegesEvaluationContext ctx(String... roles) {
-        User user = new User("test_user");
-        user.addAttributes(ImmutableMap.of("attrs.dept_no", "a11"));
+        User user = new User("test_user").withAttributes(ImmutableMap.of("attrs.dept_no", "a11"));
         return new PrivilegesEvaluationContext(
             user,
             ImmutableSet.copyOf(roles),
@@ -1055,8 +1054,7 @@ static PrivilegesEvaluationContext ctx(String... roles) {
     }
 
     static PrivilegesEvaluationContext ctxByUsername(String username) {
-        User user = new User(username);
-        user.addAttributes(ImmutableMap.of("attrs.dept_no", "a11"));
+        User user = new User(username).withAttributes(ImmutableMap.of("attrs.dept_no", "a11"));
         return new PrivilegesEvaluationContext(
             user,
             ImmutableSet.of(),

src/integrationTest/java/org/opensearch/security/privileges/IndexPatternTest.java

@@ -234,10 +234,7 @@ public void equals() {
     private static PrivilegesEvaluationContext ctx() {
         IndexNameExpressionResolver indexNameExpressionResolver = new IndexNameExpressionResolver(new ThreadContext(Settings.EMPTY));
         IndexResolverReplacer indexResolverReplacer = new IndexResolverReplacer(indexNameExpressionResolver, () -> CLUSTER_STATE, null);
-        User user = new User("test_user");
-        user.addAttributes(ImmutableMap.of("attrs.a11", "a11"));
-        user.addAttributes(ImmutableMap.of("attrs.year", "year"));
-
+        User user = new User("test_user").withAttributes(ImmutableMap.of("attrs.a11", "a11", "attrs.year", "year"));
         return new PrivilegesEvaluationContext(
             user,
             ImmutableSet.of(),

src/integrationTest/java/org/opensearch/security/privileges/dlsfls/DocumentPrivilegesTest.java

@@ -1191,9 +1191,7 @@ UserSpec attribute(String name, String value) {
         }
 
         User buildUser() {
-            User user = new User("test_user_" + description);
-            user.addAttributes(this.attributes);
-            return user;
+            return new User("test_user_" + description).withAttributes(this.attributes);
         }
 
         @Override

src/integrationTest/java/org/opensearch/security/user/UserTest.java

@@ -0,0 +1,51 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+package org.opensearch.security.user;
+
+import java.util.Arrays;
+
+import com.google.common.collect.ImmutableMap;
+import org.junit.Test;
+
+import org.opensearch.security.support.Base64JDKHelper;
+
+import static org.junit.Assert.*;
+
+public class UserTest {
+    @Test
+    public void serialization() {
+        User user = new User("serialization_test_user").withRoles(Arrays.asList("br1", "br2", "br3"))
+            .withSecurityRoles(Arrays.asList("sr1", "sr2"))
+            .withAttributes(ImmutableMap.of("a", "v_a", "b", "v_b"));
+
+        System.out.println(Base64JDKHelper.serializeObject(user));
+    }
+
+    @Test
+    public void deserializationFrom2_19() {
+        // The following base64 string was produced by the following code on OpenSearch 2.19
+        // User user = new User("serialization_test_user");
+        // user.addRoles(Arrays.asList("br1", "br2", "br3"));
+        // user.addSecurityRoles(Arrays.asList("sr1", "sr2"));
+        // user.addAttributes(ImmutableMap.of("a", "v_a", "b", "v_b"));
+        // System.out.println(Base64JDKHelper.serializeObject(user));
+        String serialized =
+            "rO0ABXNyACFvcmcub3BlbnNlYXJjaC5zZWN1cml0eS51c2VyLlVzZXKzqL2T65dH3AIABloACmlzSW5qZWN0ZWRMAAphdHRyaWJ1dGVzdAAPTGphdmEvdXRpbC9NYXA7TAAEbmFtZXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wAD3JlcXVlc3RlZFRlbmFudHEAfgACTAAFcm9sZXN0AA9MamF2YS91dGlsL1NldDtMAA1zZWN1cml0eVJvbGVzcQB+AAN4cABzcgAlamF2YS51dGlsLkNvbGxlY3Rpb25zJFN5bmNocm9uaXplZE1hcBtz+QlLSzl7AwACTAABbXEAfgABTAAFbXV0ZXh0ABJMamF2YS9sYW5nL09iamVjdDt4cHNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAN3CAAAAAQAAAACdAABYXQAA3ZfYXQAAWJ0AAN2X2J4cQB+AAd4dAAXc2VyaWFsaXphdGlvbl90ZXN0X3VzZXJwc3IAJWphdmEudXRpbC5Db2xsZWN0aW9ucyRTeW5jaHJvbml6ZWRTZXQGw8J5Au7fPAIAAHhyACxqYXZhLnV0aWwuQ29sbGVjdGlvbnMkU3luY2hyb25pemVkQ29sbGVjdGlvbiph+E0JnJm1AwACTAABY3QAFkxqYXZhL3V0aWwvQ29sbGVjdGlvbjtMAAVtdXRleHEAfgAGeHBzcgARamF2YS51dGlsLkhhc2hTZXS6RIWVlri3NAMAAHhwdwwAAAAQP0AAAAAAAAN0AANicjF0AANicjN0AANicjJ4cQB+ABJ4c3EAfgAPc3EAfgATdwwAAAAQP0AAAAAAAAJ0AANzcjJ0AANzcjF4cQB+ABh4";
+
+        User user = User.fromSerializedBase64(serialized);
+        assertEquals(
+            new User("serialization_test_user").withRoles(Arrays.asList("br1", "br2", "br3"))
+                .withSecurityRoles(Arrays.asList("sr1", "sr2"))
+                .withAttributes(ImmutableMap.of("a", "v_a", "b", "v_b")),
+            user
+        );
+    }
+}

src/main/java/com/amazon/dlic/auth/ldap/LdapUser.java

@@ -44,6 +44,7 @@ public LdapUser(
         this.originalUsername = originalUsername;
         this.userEntry = userEntry;
         Map<String, String> attributes = getCustomAttributesMap();
+        // TODO
         attributes.putAll(extractLdapAttributes(originalUsername, userEntry, customAttrMaxValueLen, allowlistedCustomLdapAttrMatcher));
     }
 

src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthenticationBackend.java

@@ -19,6 +19,7 @@
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.Set;
 import java.util.UUID;
 
@@ -29,6 +30,7 @@
 import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.security.auth.AuthenticationBackend;
+import org.opensearch.security.auth.ImpersonationBackend;
 import org.opensearch.security.support.WildcardMatcher;
 import org.opensearch.security.user.AuthCredentials;
 import org.opensearch.security.user.User;
@@ -46,7 +48,7 @@
 
 import static org.opensearch.security.setting.DeprecatedSettings.checkForDeprecatedSetting;
 
-public class LDAPAuthenticationBackend implements AuthenticationBackend {
+public class LDAPAuthenticationBackend implements AuthenticationBackend, ImpersonationBackend {
 
     static final int ZERO_PLACEHOLDER = 0;
     static final String DEFAULT_USERBASE = "";
@@ -160,7 +162,7 @@ public String getType() {
     }
 
     @Override
-    public boolean exists(final User user) {
+    public Optional<User> impersonate(User user) {
         Connection ldapConnection = null;
         String userName = user.getName();
 
@@ -178,19 +180,19 @@ public boolean exists(final User user) {
                 this.returnAttributes,
                 this.shouldFollowReferrals
             );
-            boolean exists = userEntry != null;
 
-            if (exists) {
-                user.addAttributes(
-                    LdapUser.extractLdapAttributes(userName, userEntry, customAttrMaxValueLen, allowlistedCustomLdapAttrMatcher)
+            if (userEntry != null) {
+                return Optional.of(
+                    user.withAttributes(
+                        LdapUser.extractLdapAttributes(userName, userEntry, customAttrMaxValueLen, allowlistedCustomLdapAttrMatcher)
+                    )
                 );
+            } else {
+                return Optional.empty();
             }
-
-            return exists;
-
         } catch (final Exception e) {
-            log.warn("User {} does not exist due to ", userName, e);
-            return false;
+            log.warn("User {} does not exist due to exception", userName, e);
+            return Optional.empty();
         } finally {
             Utils.unbindAndCloseSilently(ldapConnection);
         }

src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthorizationBackend.java

@@ -686,10 +686,10 @@ private static void configureSSL(final ConnectionConfig config, final Settings s
     }
 
     @Override
-    public void fillRoles(final User user, final AuthCredentials optionalAuthCreds) throws OpenSearchSecurityException {
+    public User addRoles(User user, AuthCredentials credentials) throws OpenSearchSecurityException {
 
         if (user == null) {
-            return;
+            return user;
         }
 
         String authenticatedUser;
@@ -738,12 +738,13 @@ public void fillRoles(final User user, final AuthCredentials optionalAuthCreds)
             if (isDebugEnabled) {
                 log.debug("Skipped search roles of user {}/{}", authenticatedUser, originalUserName);
             }
-            return;
+            return user;
         }
 
         Connection connection = null;
 
         try {
+            Set<String> additionalRoles = new HashSet<>();
 
             if (entry == null || dn == null) {
 
@@ -969,7 +970,7 @@ public void fillRoles(final User user, final AuthCredentials optionalAuthCreds)
                             log.debug("Role was excluded or empty, attribute: '{}' for entry: {}", roleName, roleLdapName);
                         }
                     } else {
-                        user.addRole(role);
+                        additionalRoles.add(role);
                     }
                 }
 
@@ -983,16 +984,14 @@ public void fillRoles(final User user, final AuthCredentials optionalAuthCreds)
                             log.debug("Role was excluded or empty, attribute: '{}' for entry: {}", roleName, roleLdapName);
                         }
                     } else {
-                        user.addRole(role);
+                        additionalRoles.add(role);
                     }
                 }
 
             }
 
             // add all non-LDAP roles from user attributes to the final set of backend roles
-            for (String nonLdapRoleName : nonLdapRoles) {
-                user.addRole(nonLdapRoleName);
-            }
+            additionalRoles.addAll(nonLdapRoles);
 
             if (isDebugEnabled) {
                 log.debug("Roles for {} -> {}", user.getName(), user.getRoles());
@@ -1002,6 +1001,8 @@ public void fillRoles(final User user, final AuthCredentials optionalAuthCreds)
                 log.trace("returned user: {}", user);
             }
 
+            return user.withRoles(additionalRoles);
+
         } catch (final Exception e) {
             if (isDebugEnabled) {
                 log.debug("Unable to fill user roles due to ", e);

src/main/java/com/amazon/dlic/auth/ldap2/LDAPAuthenticationBackend2.java

@@ -19,6 +19,7 @@
 import java.security.PrivilegedExceptionAction;
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.Optional;
 import java.util.UUID;
 
 import org.apache.logging.log4j.LogManager;
@@ -29,6 +30,7 @@
 import org.opensearch.common.settings.Settings;
 import org.opensearch.security.auth.AuthenticationBackend;
 import org.opensearch.security.auth.Destroyable;
+import org.opensearch.security.auth.ImpersonationBackend;
 import org.opensearch.security.support.WildcardMatcher;
 import org.opensearch.security.user.AuthCredentials;
 import org.opensearch.security.user.User;
@@ -47,7 +49,7 @@
 import org.ldaptive.ReturnAttributes;
 import org.ldaptive.pool.ConnectionPool;
 
-public class LDAPAuthenticationBackend2 implements AuthenticationBackend, Destroyable {
+public class LDAPAuthenticationBackend2 implements AuthenticationBackend, ImpersonationBackend, Destroyable {
 
     protected static final Logger log = LogManager.getLogger(LDAPAuthenticationBackend2.class);
 
@@ -189,50 +191,42 @@ public String getType() {
 
     @SuppressWarnings("removal")
     @Override
-    public boolean exists(final User user) {
+    public Optional<User> impersonate(User user) {
         final SecurityManager sm = System.getSecurityManager();
 
         if (sm != null) {
             sm.checkPermission(new SpecialPermission());
         }
 
-        return AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
-            @Override
-            public Boolean run() {
-                return exists0(user);
-            }
-        });
-
-    }
-
-    private boolean exists0(final User user) {
-        Connection ldapConnection = null;
-        String userName = user.getName();
-
-        if (user instanceof LdapUser) {
-            userName = ((LdapUser) user).getUserEntry().getDn();
-        }
-
-        try {
-            ldapConnection = this.connectionFactory.getConnection();
-            ldapConnection.open();
-            LdapEntry userEntry = this.userSearcher.exists(ldapConnection, userName, this.returnAttributes, this.shouldFollowReferrals);
-
-            boolean exists = userEntry != null;
+        return AccessController.doPrivileged((PrivilegedAction<Optional<User>>) () -> {
+            Connection ldapConnection = null;
+            String userName = user.getName();
 
-            if (exists) {
-                user.addAttributes(
-                    LdapUser.extractLdapAttributes(userName, userEntry, customAttrMaxValueLen, whitelistedCustomLdapAttrMatcher)
-                );
+            if (user instanceof LdapUser) {
+                userName = ((LdapUser) user).getUserEntry().getDn();
             }
 
-            return exists;
-        } catch (final Exception e) {
-            log.warn("User {} does not exist due to exception", userName, e);
-            return false;
-        } finally {
-            Utils.unbindAndCloseSilently(ldapConnection);
-        }
+            try {
+                ldapConnection = this.connectionFactory.getConnection();
+                ldapConnection.open();
+                LdapEntry userEntry = this.userSearcher.exists(ldapConnection, userName, this.returnAttributes, this.shouldFollowReferrals);
+
+                if (userEntry != null) {
+                    return Optional.of(
+                        user.withAttributes(
+                            LdapUser.extractLdapAttributes(userName, userEntry, customAttrMaxValueLen, whitelistedCustomLdapAttrMatcher)
+                        )
+                    );
+                } else {
+                    return Optional.empty();
+                }
+            } catch (final Exception e) {
+                log.warn("User {} does not exist due to exception", userName, e);
+                return Optional.empty();
+            } finally {
+                Utils.unbindAndCloseSilently(ldapConnection);
+            }
+        });
     }
 
     @SuppressWarnings("removal")