opensearch-project · derek-ho · Dec 24, 2024 · Dec 24, 2024 · Dec 26, 2024 · Dec 26, 2024
@@ -39,7 +39,6 @@
 import org.opensearch.core.common.unit.ByteSizeUnit;
 import org.opensearch.core.common.unit.ByteSizeValue;
 import org.opensearch.security.action.apitokens.ApiToken;
-import org.opensearch.security.action.apitokens.ApiTokenRepository;
 import org.opensearch.security.action.apitokens.Permissions;
 import org.opensearch.security.resolver.IndexResolverReplacer;
 import org.opensearch.security.securityconf.FlattenedActionGroups;
@@ -50,9 +49,8 @@
 import org.opensearch.security.user.User;
 import org.opensearch.security.util.MockIndexMetadataBuilder;
 
-import org.mockito.Mockito;
-
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.opensearch.security.privileges.ActionPrivilegesTest.IndexPrivileges.IndicesAndAliases.resolved;
 import static org.opensearch.security.privileges.PrivilegeEvaluatorResponseMatcher.isAllowed;
 import static org.opensearch.security.privileges.PrivilegeEvaluatorResponseMatcher.isForbidden;
 import static org.opensearch.security.privileges.PrivilegeEvaluatorResponseMatcher.isPartiallyOk;
@@ -342,6 +340,7 @@ public void apiToken_succeedsWithActionGroupsExapnded() throws Exception {
                 "apitoken:" + token,
                 new Permissions(List.of("CLUSTER_ALL"), List.of())
             );
+
             // Explicit succeeds
             assertThat(subject.hasExplicitClusterPrivilege(context, "cluster:whatever"), isAllowed());
             // Not explicit succeeds
@@ -1152,7 +1151,6 @@ static RoleBasedPrivilegesEvaluationContext ctx(String... roles) {
     static RoleBasedPrivilegesEvaluationContext ctxWithUserName(String userName, String... roles) {
         User user = new User(userName);
         user.addAttributes(ImmutableMap.of("attrs.dept_no", "a11"));
-        ApiTokenRepository mockRepository = Mockito.mock(ApiTokenRepository.class);
         return new RoleBasedPrivilegesEvaluationContext(
             user,
             ImmutableSet.copyOf(roles),

@@ -259,7 +259,7 @@ public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin
     private volatile UserService userService;
     private volatile RestLayerPrivilegesEvaluator restLayerEvaluator;
     private volatile ConfigurationRepository cr;
-    private volatile ApiTokenRepository ar;
+    private volatile ApiTokenRepository apiTokenRepository;
     private volatile AdminDNs adminDns;
     private volatile ClusterService cs;
     private volatile AtomicReference<DiscoveryNode> localNode = new AtomicReference<>();
@@ -649,7 +649,19 @@ public List<RestHandler> getRestHandlers(
                     )
                 );
                 handlers.add(new CreateOnBehalfOfTokenAction(tokenManager));
-                handlers.add(new ApiTokenAction(ar));
+                handlers.add(
+                    new ApiTokenAction(
+                        Objects.requireNonNull(threadPool),
+                        cr,
+                        evaluator,
+                        settings,
+                        adminDns,
+                        auditLog,
+                        configPath,
+                        principalExtractor,
+                        apiTokenRepository
+                    )
+                );
                 handlers.addAll(
                     SecurityRestApiActions.getHandler(
                         settings,
@@ -1111,7 +1123,7 @@ public Collection<Object> createComponents(
         final XFFResolver xffResolver = new XFFResolver(threadPool);
         backendRegistry = new BackendRegistry(settings, adminDns, xffResolver, auditLog, threadPool);
         tokenManager = new SecurityTokenManager(cs, threadPool, userService);
-        ar = new ApiTokenRepository(localClient, clusterService, tokenManager);
+        apiTokenRepository = new ApiTokenRepository(localClient, clusterService, tokenManager);
 
         final CompatConfig compatConfig = new CompatConfig(environment, transportPassiveAuthSetting);
 
@@ -1128,7 +1140,7 @@ public Collection<Object> createComponents(
             cih,
             irr,
             namedXContentRegistry.get(),
-            ar
+            apiTokenRepository
         );
 
         dlsFlsBaseContext = new DlsFlsBaseContext(evaluator, threadPool.getThreadContext(), adminDns);
@@ -1170,7 +1182,7 @@ public Collection<Object> createComponents(
             configPath,
             compatConfig
         );
-        dcf = new DynamicConfigFactory(cr, settings, configPath, localClient, threadPool, cih, passwordHasher, ar);
+        dcf = new DynamicConfigFactory(cr, settings, configPath, localClient, threadPool, cih, passwordHasher, apiTokenRepository);
         dcf.registerDCFListener(backendRegistry);
         dcf.registerDCFListener(compatConfig);
         dcf.registerDCFListener(irr);
@@ -1220,7 +1232,7 @@ public Collection<Object> createComponents(
         components.add(dcf);
         components.add(userService);
         components.add(passwordHasher);
-        components.add(ar);
+        components.add(apiTokenRepository);
 
         components.add(sslSettingsManager);
         if (isSslCertReloadEnabled(settings) && sslCertificatesHotReloadEnabled(settings)) {
@@ -2143,7 +2155,11 @@ public Collection<SystemIndexDescriptor> getSystemIndexDescriptors(Settings sett
             ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX
         );
         final SystemIndexDescriptor systemIndexDescriptor = new SystemIndexDescriptor(indexPattern, "Security index");
-        return Collections.singletonList(systemIndexDescriptor);
+        final SystemIndexDescriptor apiTokenSystemIndexDescriptor = new SystemIndexDescriptor(
+            ConfigConstants.OPENSEARCH_API_TOKENS_INDEX,
+            "Security API token index"
+        );
+        return List.of(systemIndexDescriptor, apiTokenSystemIndexDescriptor);
     }
 
     @Override

@@ -12,26 +12,53 @@
 package org.opensearch.security.action.apitokens;
 
 import java.io.IOException;
+import java.nio.file.Path;
 import java.time.Instant;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.concurrent.TimeUnit;
 import java.util.stream.Collectors;
 
 import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableSet;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
+import org.opensearch.OpenSearchException;
 import org.opensearch.client.node.NodeClient;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.core.action.ActionListener;
+import org.opensearch.core.common.transport.TransportAddress;
 import org.opensearch.core.rest.RestStatus;
 import org.opensearch.core.xcontent.XContentBuilder;
 import org.opensearch.rest.BaseRestHandler;
 import org.opensearch.rest.BytesRestResponse;
 import org.opensearch.rest.RestChannel;
-import org.opensearch.rest.RestHandler;
 import org.opensearch.rest.RestRequest;
+import org.opensearch.security.auditlog.AuditLog;
+import org.opensearch.security.configuration.AdminDNs;
+import org.opensearch.security.configuration.ConfigurationRepository;
+import org.opensearch.security.dlic.rest.api.Endpoint;
+import org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator;
+import org.opensearch.security.dlic.rest.api.RestApiPrivilegesEvaluator;
+import org.opensearch.security.dlic.rest.api.SecurityApiDependencies;
+import org.opensearch.security.dlic.rest.support.Utils;
+import org.opensearch.security.privileges.PrivilegesEvaluator;
+import org.opensearch.security.securityconf.DynamicConfigFactory;
+import org.opensearch.security.securityconf.FlattenedActionGroups;
+import org.opensearch.security.securityconf.impl.CType;
+import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
+import org.opensearch.security.securityconf.impl.v7.ActionGroupsV7;
+import org.opensearch.security.securityconf.impl.v7.RoleV7;
+import org.opensearch.security.ssl.transport.PrincipalExtractor;
+import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.security.support.WildcardMatcher;
+import org.opensearch.security.user.User;
+import org.opensearch.threadpool.ThreadPool;
 
 import static org.opensearch.rest.RestRequest.Method.DELETE;
 import static org.opensearch.rest.RestRequest.Method.GET;
@@ -44,23 +71,51 @@
 import static org.opensearch.security.action.apitokens.ApiToken.INDEX_PERMISSIONS_FIELD;
 import static org.opensearch.security.action.apitokens.ApiToken.NAME_FIELD;
 import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix;
+import static org.opensearch.security.support.ConfigConstants.SECURITY_RESTAPI_ADMIN_ENABLED;
 import static org.opensearch.security.util.ParsingUtils.safeMapList;
 import static org.opensearch.security.util.ParsingUtils.safeStringList;
 
 public class ApiTokenAction extends BaseRestHandler {
-    private ApiTokenRepository apiTokenRepository;
+    private final ApiTokenRepository apiTokenRepository;
     public Logger log = LogManager.getLogger(this.getClass());
+    private final ThreadPool threadPool;
+    private final ConfigurationRepository configurationRepository;
+    private final PrivilegesEvaluator privilegesEvaluator;
+    private final SecurityApiDependencies securityApiDependencies;
 
-    private static final List<RestHandler.Route> ROUTES = addRoutesPrefix(
-        ImmutableList.of(
-            new RestHandler.Route(POST, "/apitokens"),
-            new RestHandler.Route(DELETE, "/apitokens"),
-            new RestHandler.Route(GET, "/apitokens")
-        )
+    private static final List<Route> ROUTES = addRoutesPrefix(
+        ImmutableList.of(new Route(POST, "/apitokens"), new Route(DELETE, "/apitokens"), new Route(GET, "/apitokens"))
     );
 
-    public ApiTokenAction(ApiTokenRepository apiTokenRepository) {
+    public ApiTokenAction(
+        ThreadPool threadpool,
+        ConfigurationRepository configurationRepository,
+        PrivilegesEvaluator privilegesEvaluator,
+        Settings settings,
+        AdminDNs adminDns,
+        AuditLog auditLog,
+        Path configPath,
+        PrincipalExtractor principalExtractor,
+        ApiTokenRepository apiTokenRepository
+    ) {
         this.apiTokenRepository = apiTokenRepository;
+        this.threadPool = threadpool;
+        this.configurationRepository = configurationRepository;
+        this.privilegesEvaluator = privilegesEvaluator;
+        this.securityApiDependencies = new SecurityApiDependencies(
+            adminDns,
+            configurationRepository,
+            privilegesEvaluator,
+            new RestApiPrivilegesEvaluator(settings, adminDns, privilegesEvaluator, principalExtractor, configPath, threadPool),
+            new RestApiAdminPrivilegesEvaluator(
+                threadPool.getThreadContext(),
+                privilegesEvaluator,
+                adminDns,
+                settings.getAsBoolean(SECURITY_RESTAPI_ADMIN_ENABLED, false)
+            ),
+            auditLog,
+            settings
+        );
     }
 
     @Override
@@ -69,22 +124,28 @@
     }
 
     @Override
-    public List<RestHandler.Route> routes() {
+    public List<Route> routes() {
         return ROUTES;
     }
 
     @Override
     protected RestChannelConsumer prepareRequest(final RestRequest request, final NodeClient client) throws IOException {
-        // TODO: Authorize this API properly
-        switch (request.method()) {
-            case POST:
-                return handlePost(request, client);
-            case DELETE:
-                return handleDelete(request, client);
-            case GET:
-                return handleGet(request, client);
-            default:
-                throw new IllegalArgumentException(request.method() + " not supported");
+        authorizeSecurityAccess(request);
+        return doPrepareRequest(request, client);
+    }
+
+    RestChannelConsumer doPrepareRequest(RestRequest request, NodeClient client) {
+        final var originalUserAndRemoteAddress = Utils.userAndRemoteAddressFrom(client.threadPool().getThreadContext());
+        try (final ThreadContext.StoredContext ctx = client.threadPool().getThreadContext().stashContext()) {
+            client.threadPool()
+                .getThreadContext()
+                .putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, originalUserAndRemoteAddress.getLeft());
+            return switch (request.method()) {
+                case POST -> handlePost(request, client);
+                case DELETE -> handleDelete(request, client);
+                case GET -> handleGet(request, client);
+                default -> throw new IllegalArgumentException(request.method() + " not supported");
+            };
         }
     }
 
@@ -119,15 +180,15 @@
 
     private RestChannelConsumer handlePost(RestRequest request, NodeClient client) {
         return channel -> {
-            final XContentBuilder builder = channel.newBuilder();
-            BytesRestResponse response;
             try {
                 final Map<String, Object> requestBody = request.contentOrSourceParamParser().map();
                 validateRequestParameters(requestBody);
 
                 List<String> clusterPermissions = extractClusterPermissions(requestBody);
                 List<ApiToken.IndexPermission> indexPermissions = extractIndexPermissions(requestBody);
 
+                validateUserPermissions(clusterPermissions, indexPermissions);
+
                 String token = apiTokenRepository.createApiToken(
                     (String) requestBody.get(NAME_FIELD),
                     clusterPermissions,
@@ -245,8 +306,6 @@
 
     private RestChannelConsumer handleDelete(RestRequest request, NodeClient client) {
         return channel -> {
-            final XContentBuilder builder = channel.newBuilder();
-            BytesRestResponse response;
             try {
                 final Map<String, Object> requestBody = request.contentOrSourceParamParser().map();
 
@@ -295,4 +354,99 @@
         }
     }
 
+    /**
+     *  Validates that the user has the required permissions to create an API token (must be a subset of their own permissions)
+     * */
+    @SuppressWarnings("unchecked")
+    void validateUserPermissions(List<String> clusterPermissions, List<ApiToken.IndexPermission> indexPermissions) {
+        final User user = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
+        final TransportAddress caller = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS);
+        final Set<String> roles = privilegesEvaluator.mapRoles(user, caller);
+
+        // Early return conditions
+        if (roles.isEmpty()) {
+            throw new OpenSearchException("User does not have any roles");
+        } else if (roles.contains("all_access")) {
+            // all_access == *
+            return;
+        }
+
+        // Verify user has all requested cluster permissions
+        final SecurityDynamicConfiguration<ActionGroupsV7> actionGroupsConfiguraiton = (SecurityDynamicConfiguration<ActionGroupsV7>) load(
+            CType.ACTIONGROUPS
+        );
+        FlattenedActionGroups flattenedActionGroups = new FlattenedActionGroups(actionGroupsConfiguraiton);
+        final SecurityDynamicConfiguration<?> rolesConfiguration = load(CType.ROLES);
+        ImmutableSet<String> resolvedClusterPermissions = flattenedActionGroups.resolve(clusterPermissions);
+        Set<String> clusterPermissionsWithoutActionGroups = resolvedClusterPermissions.stream()
+            .filter(permission -> !actionGroupsConfiguraiton.getCEntries().containsKey(permission))
+            .collect(Collectors.toSet());
+
+        // Load all roles the user has access to, remove permissions that
+        for (String role : roles) {
+            RoleV7 roleV7 = (RoleV7) rolesConfiguration.getCEntry(role);
+            ImmutableSet<String> expandedRoleClusterPermissions = flattenedActionGroups.resolve(roleV7.getCluster_permissions());
+            for (String clusterPermission : expandedRoleClusterPermissions) {
+                WildcardMatcher matcher = WildcardMatcher.from(clusterPermission);
+                clusterPermissionsWithoutActionGroups.removeIf(matcher);
+            }
+        }
+
+        if (!clusterPermissionsWithoutActionGroups.isEmpty()) {
+            throw new OpenSearchException("User does not have all requested cluster permissions");
+        }
+
+        // Verify user has all requested index permissions
+        for (ApiToken.IndexPermission requestedPermission : indexPermissions) {
+            // First, flatten/resolve any action groups into the underlying actions and remove action group names (which may not exact
+            // match)
+            Set<String> resolvedActions = new HashSet<>(flattenedActionGroups.resolve(requestedPermission.getAllowedActions()));
+            resolvedActions.removeIf(permission -> actionGroupsConfiguraiton.getCEntries().containsKey(permission));
+
+            // For each index pattern in the requested permission
+            for (String requestedPattern : requestedPermission.getIndexPatterns()) {
+
+                Set<String> actionsForIndexPattern = new HashSet<>(resolvedActions);
+
+                // Check each role the user has
+                for (String roleName : roles) {
+                    RoleV7 role = (RoleV7) rolesConfiguration.getCEntry(roleName);
+                    if (role == null || role.getIndex_permissions() == null) continue;
+
+                    // Check each index permission block in the role
+                    for (RoleV7.Index indexPermission : role.getIndex_permissions()) {
+                        List<String> rolePatterns = indexPermission.getIndex_patterns();
+                        List<String> roleIndexPerms = indexPermission.getAllowed_actions();
+
+                        // Check if this role's pattern covers the requested pattern
+                        if (WildcardMatcher.from(rolePatterns).test(requestedPattern)) {
+                            // Get resolved actions for this role's index permissions
+                            Set<String> roleActions = flattenedActionGroups.resolve(roleIndexPerms);
+                            WildcardMatcher matcher = WildcardMatcher.from(roleActions);
+
+                            actionsForIndexPattern.removeIf(matcher);
+                        }
+                    }
+                }
+
+                // After checking all roles, verify if all requested actions were covered
+                if (!actionsForIndexPattern.isEmpty()) {
+                    throw new OpenSearchException("User does not have sufficient permissions for index pattern: " + requestedPattern);
+                }
+            }
+        }
+    }
+
+    private SecurityDynamicConfiguration<?> load(final CType<?> config) {
+        SecurityDynamicConfiguration<?> loaded = configurationRepository.getConfiguration(config);
+        return DynamicConfigFactory.addStatics(loaded);
+    }
+
+    protected void authorizeSecurityAccess(RestRequest request) throws IOException {
+        // Check if user has security API access
+        if (!(securityApiDependencies.restApiAdminPrivilegesEvaluator().isCurrentUserAdminFor(Endpoint.APITOKENS)
+            || securityApiDependencies.restApiPrivilegesEvaluator().checkAccessPermissions(request, Endpoint.APITOKENS) == null)) {
+            throw new SecurityException("User does not have required security API access");
+        }
+    }
 }