opensearch-project · peternied · Jun 6, 2023 · May 5, 2023 · May 8, 2023 · May 15, 2023
@@ -90,6 +90,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Add descending order search optimization through reverse segment read. ([#7244](https://github.com/opensearch-project/OpenSearch/pull/7244))
 - Adds ExtensionsManager.lookupExtensionSettingsById ([#7466](https://github.com/opensearch-project/OpenSearch/pull/7466))
 - SegRep with Remote: Add hook for publishing checkpoint notifications after segment upload to remote store ([#7394](https://github.com/opensearch-project/OpenSearch/pull/7394))
+- Add TokenManager Interface ([#7452](https://github.com/opensearch-project/OpenSearch/pull/7452))
 
 ### Dependencies
 - Bump `com.netflix.nebula:gradle-info-plugin` from 12.0.0 to 12.1.3 (#7564)

@@ -26,7 +26,7 @@ public final class ShiroIdentityPlugin extends Plugin implements IdentityPlugin
     private Logger log = LogManager.getLogger(this.getClass());
 
     private final Settings settings;
-    private final AuthTokenHandler authTokenHandler;
+    private final ShiroTokenHandler authTokenHandler;
 
     /**
      * Create a new instance of the Shiro Identity Plugin
@@ -35,7 +35,7 @@ public final class ShiroIdentityPlugin extends Plugin implements IdentityPlugin
      */
     public ShiroIdentityPlugin(final Settings settings) {
         this.settings = settings;
-        authTokenHandler = new AuthTokenHandler();
+        authTokenHandler = new ShiroTokenHandler();
 
         SecurityManager securityManager = new ShiroSecurityManager();
         SecurityUtils.setSecurityManager(securityManager);

@@ -20,7 +20,7 @@
  * @opensearch.experimental
  */
 public class ShiroSubject implements Subject {
-    private final AuthTokenHandler authTokenHandler;
+    private final ShiroTokenHandler authTokenHandler;
     private final org.apache.shiro.subject.Subject shiroSubject;
 
     /**
@@ -29,7 +29,7 @@ public class ShiroSubject implements Subject {
      * @param authTokenHandler Used to extract auth header info
      * @param subject The specific subject being authc/z'd
      */
-    public ShiroSubject(final AuthTokenHandler authTokenHandler, final org.apache.shiro.subject.Subject subject) {
+    public ShiroSubject(final ShiroTokenHandler authTokenHandler, final org.apache.shiro.subject.Subject subject) {
         this.authTokenHandler = Objects.requireNonNull(authTokenHandler);
         this.shiroSubject = Objects.requireNonNull(subject);
     }

diff --git a/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroTokenHandler.java b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroTokenHandler.java
@@ -0,0 +1,94 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity.shiro;
+
+import java.util.Base64;
+import java.util.Optional;
+
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.opensearch.identity.Subject;
+import org.opensearch.identity.tokens.AuthToken;
+import org.opensearch.identity.tokens.BasicAuthToken;
+import org.opensearch.identity.tokens.TokenManager;
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+/**
+ * Extracts Shiro's {@link AuthenticationToken} from different types of auth headers
+ *
+ * @opensearch.experimental
+ */
+class ShiroTokenHandler implements TokenManager {
+
+    /**
+     * Translates into shiro auth token from the given header token
+     * @param authenticationToken the token from which to translate
+     * @return An optional of the shiro auth token for login
+     */
+    public Optional<AuthenticationToken> translateAuthToken(org.opensearch.identity.tokens.AuthToken authenticationToken) {
+        if (authenticationToken instanceof BasicAuthToken) {
+            final BasicAuthToken basicAuthToken = (BasicAuthToken) authenticationToken;
+            return Optional.of(new UsernamePasswordToken(basicAuthToken.getUser(), basicAuthToken.getPassword()));
+        }
+
+        return Optional.empty();
+    }
+
+    @Override
+    public AuthToken generateToken() {
+
+        Subject subject = new ShiroSubject(this, SecurityUtils.getSubject());
+        final byte[] rawEncoded = Base64.getEncoder().encode((subject.getPrincipal().getName() + ":" + generatePassword()).getBytes(UTF_8));
+        final String usernamePassword = new String(rawEncoded, UTF_8);
+        final String header = "Basic " + usernamePassword;
+
+        return new BasicAuthToken(header);
+    }
+
+    @Override
+    public boolean validateToken(AuthToken token) {
+        if (token instanceof BasicAuthToken) {
+            final BasicAuthToken basicAuthToken = (BasicAuthToken) token;
+            if (basicAuthToken.getUser().equals(SecurityUtils.getSubject()) && basicAuthToken.getPassword().equals(generatePassword())) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    @Override
+    public String getTokenInfo(AuthToken token) {
+        if (token instanceof BasicAuthToken) {
+            final BasicAuthToken basicAuthToken = (BasicAuthToken) token;
+            return basicAuthToken.toString();
+        }
+        throw new UnsupportedAuthenticationToken();
+    }
+
+    @Override
+    public void revokeToken(AuthToken token) {
+        if (token instanceof BasicAuthToken) {
+            final BasicAuthToken basicAuthToken = (BasicAuthToken) token;
+            basicAuthToken.revoke();
+            return;
+        }
+        throw new UnsupportedAuthenticationToken();
+    }
+
+    @Override
+    public void resetToken(AuthToken token) {
+
+    }
+
+    public String generatePassword() {
+        return "superSecurePassword1!";
+    }
+
+}
@@ -10,7 +10,9 @@
 
 import org.apache.shiro.authc.AuthenticationToken;
 import org.apache.shiro.authc.UsernamePasswordToken;
+import org.opensearch.identity.tokens.AuthToken;
 import org.opensearch.identity.tokens.BasicAuthToken;
+import org.opensearch.identity.tokens.NoopToken;
 import org.opensearch.test.OpenSearchTestCase;
 import org.junit.Before;
 
@@ -23,11 +25,11 @@
 
 public class AuthTokenHandlerTests extends OpenSearchTestCase {
 
-    private AuthTokenHandler authTokenHandler;
+    private ShiroTokenHandler authTokenHandler;
 
     @Before
     public void testSetup() {
-        authTokenHandler = new AuthTokenHandler();
+        authTokenHandler = new ShiroTokenHandler();
     }
 
     public void testShouldExtractBasicAuthTokenSuccessfully() {
@@ -59,4 +61,33 @@ public void testShouldReturnNullWhenExtractingNullToken() {
 
         assertThat(translatedToken.isEmpty(), is(true));
     }
+
+    public void testShouldRevokeTokenSuccessfully() {
+        final BasicAuthToken authToken = new BasicAuthToken("Basic dGVzdDp0ZTpzdA==");
+        assertTrue(authToken.toString().equals("Basic auth token with user=test, password=te:st"));
+        authTokenHandler.revokeToken(authToken);
+        assert (authToken.toString().equals("Basic auth token with user=, password="));
+    }
+
+    public void testShouldFailWhenRevokeToken() {
+        final NoopToken authToken = new NoopToken();
+        assert (authToken.getTokenIdentifier().equals("Noop"));
+        assertThrows(UnsupportedAuthenticationToken.class, () -> authTokenHandler.revokeToken(authToken));
+    }
+
+    public void testShouldGetTokenInfoSuccessfully() {
+        final BasicAuthToken authToken = new BasicAuthToken("Basic dGVzdDp0ZTpzdA==");
+        assert (authToken.toString().equals(authTokenHandler.getTokenInfo(authToken)));
+    }
+
+    public void testShouldFailGetTokenInfo() {
+        final NoopToken authToken = new NoopToken();
+        assert (authToken.getTokenIdentifier().equals("Noop"));
+        assertThrows(UnsupportedAuthenticationToken.class, () -> authTokenHandler.getTokenInfo(authToken));
+    }
+
+    public void testShouldFailValidateToken() {
+        final AuthToken authToken = new NoopToken();
+        assertFalse(authTokenHandler.validateToken(authToken));
+    }
 }
@@ -25,13 +25,13 @@
 public class ShiroSubjectTests extends OpenSearchTestCase {
 
     private org.apache.shiro.subject.Subject shiroSubject;
-    private AuthTokenHandler authTokenHandler;
+    private ShiroTokenHandler authTokenHandler;
     private ShiroSubject subject;
 
     @Before
     public void setup() {
         shiroSubject = mock(org.apache.shiro.subject.Subject.class);
-        authTokenHandler = mock(AuthTokenHandler.class);
+        authTokenHandler = mock(ShiroTokenHandler.class);
         subject = new ShiroSubject(authTokenHandler, shiroSubject);
     }
 

@@ -0,0 +1,72 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity.noop;
+
+import org.opensearch.identity.tokens.AuthToken;
+import org.opensearch.identity.tokens.NoopToken;
+import org.opensearch.identity.tokens.TokenManager;
+
+/**
+ * This class represents a Noop Token Manager
+ */
+public class NoopTokenManager implements TokenManager {
+
+    /**
+     * Generate a new Noop Token
+     * @return a new Noop Token
+     */
+    @Override
+    public AuthToken generateToken() {
+        return new NoopToken();
+    }
+
+    /**
+     * Validate a token
+     * @param token The token to be validated
+     * @return If the token is a Noop Token, then pass with True; otherwise fail with False.
+     */
+    @Override
+    public boolean validateToken(AuthToken token) {
+        if (token instanceof NoopToken) {
+            return true;
+        }
+        return false;
+    }
+
+    /**
+     * Get token info, there should not be any token info so just return whether the token is a NoopToken
+     * @param token The auth token to be parsed
+     * @return A String stating the token is a NoopToken or is not a NopToken
+     */
+    @Override
+    public String getTokenInfo(AuthToken token) {
+        if (token instanceof NoopToken) {
+            return "Token is NoopToken";
+        }
+        return "Token is not a NoopToken";
+    }
+
+    /**
+     * Revoking a Noop Token should not do anything
+     * @param token The Auth Token to be revoked
+     */
+    @Override
+    public void revokeToken(AuthToken token) {
+
+    }
+
+    /**
+     * Refreshing a NoopToken also not do anything
+     * @param token The token to be refreshed
+     */
+    @Override
+    public void resetToken(AuthToken token) {
+
+    }
+}
@@ -16,13 +16,13 @@
  */
 public final class BasicAuthToken implements AuthToken {
 
-    public final static String TOKEN_IDENIFIER = "Basic";
+    public final static String TOKEN_IDENTIFIER = "Basic";
 
     private String user;
     private String password;
 
     public BasicAuthToken(final String headerValue) {
-        final String base64Encoded = headerValue.substring(TOKEN_IDENIFIER.length()).trim();
+        final String base64Encoded = headerValue.substring(TOKEN_IDENTIFIER.length()).trim();
         final byte[] rawDecoded = Base64.getDecoder().decode(base64Encoded);
         final String usernamepassword = new String(rawDecoded, StandardCharsets.UTF_8);
 
@@ -41,4 +41,14 @@ public String getUser() {
     public String getPassword() {
         return password;
     }
+
+    @Override
+    public String toString() {
+        return "Basic auth token with user=" + user + ", password=" + password;
+    }
+
+    public void revoke() {
+        this.password = "";
+        this.user = "";
+    }
 }
diff --git a/server/src/main/java/org/opensearch/identity/tokens/NoopToken.java b/server/src/main/java/org/opensearch/identity/tokens/NoopToken.java
@@ -0,0 +1,25 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity.tokens;
+
+/**
+ * A NoopToken is a pass-through AuthToken
+ */
+public class NoopToken implements AuthToken {
+    public final static String TOKEN_IDENTIFIER = "Noop";
+
+    /**
+     * Returns the TokenIdentifier of Noop
+     * @return The token identifier "Noop"
+     */
+    public String getTokenIdentifier() {
+        return TOKEN_IDENTIFIER;
+    }
+
+}
@@ -40,7 +40,7 @@ public static AuthToken extractToken(final RestRequest request) {
         if (authHeaderValue.isPresent()) {
             final String authHeaderValueStr = authHeaderValue.get();
 
-            if (authHeaderValueStr.startsWith(BasicAuthToken.TOKEN_IDENIFIER)) {
+            if (authHeaderValueStr.startsWith(BasicAuthToken.TOKEN_IDENTIFIER)) {
                 return new BasicAuthToken(authHeaderValueStr);
             } else {
                 if (logger.isDebugEnabled()) {