Flip the boolean logic of roleSecurityMode

Signed-off-by: Ryan Liang <[email protected]>

src/main/java/org/opensearch/security/action/onbehalf/CreateOnBehalfOfTokenAction.java

@@ -137,7 +137,7 @@ public void accept(RestChannel channel) throws Exception {
 
                     final Boolean roleSecurityMode = Optional.ofNullable(requestBody.get("roleSecurityMode"))
                         .map(value -> (Boolean) value)
-                        .orElse(false); // Default to false if null
+                        .orElse(true); // Default to false if null
 
                     final String service = (String) requestBody.getOrDefault("service", "self-issued");
                     final User user = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);

src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java

@@ -140,7 +140,7 @@ public String createJwt(
             throw new Exception("Roles cannot be null");
         }
 
-        if (roleSecruityMode && backendRoles != null) {
+        if (!roleSecruityMode && backendRoles != null) {
             String listOfBackendRoles = String.join(",", backendRoles);
             jwtClaims.setProperty("br", listOfBackendRoles);
         }

src/test/java/org/opensearch/security/authtoken/jwt/JwtVendorTest.java

@@ -67,7 +67,7 @@ public void testCreateJwtWithRoles() throws Exception {
         Long expectedExp = currentTime.getAsLong() + expirySeconds;
 
         JwtVendor jwtVendor = new JwtVendor(settings, Optional.of(currentTime));
-        String encodedJwt = jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, backendRoles, false);
+        String encodedJwt = jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, backendRoles, true);
 
         JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(encodedJwt);
         JwtToken jwt = jwtConsumer.getJwtToken();
@@ -104,7 +104,7 @@ public void testCreateJwtWithRoleSecurityMode() throws Exception {
         Long expectedExp = currentTime.getAsLong() + expirySeconds;
 
         JwtVendor jwtVendor = new JwtVendor(settings, Optional.of(currentTime));
-        String encodedJwt = jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, backendRoles, true);
+        String encodedJwt = jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, backendRoles, false);
 
         JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(encodedJwt);
         JwtToken jwt = jwtConsumer.getJwtToken();
@@ -134,7 +134,7 @@ public void testCreateJwtWithBadExpiry() {
 
         Throwable exception = Assert.assertThrows(RuntimeException.class, () -> {
             try {
-                jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, List.of(), false);
+                jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, List.of(), true);
             } catch (Exception e) {
                 throw new RuntimeException(e);
             }
@@ -154,7 +154,7 @@ public void testCreateJwtWithBadEncryptionKey() {
 
         Throwable exception = Assert.assertThrows(RuntimeException.class, () -> {
             try {
-                new JwtVendor(settings, Optional.empty()).createJwt(issuer, subject, audience, expirySeconds, roles, List.of(), false);
+                new JwtVendor(settings, Optional.empty()).createJwt(issuer, subject, audience, expirySeconds, roles, List.of(), true);
             } catch (Exception e) {
                 throw new RuntimeException(e);
             }
@@ -175,7 +175,7 @@ public void testCreateJwtWithBadRoles() {
 
         Throwable exception = Assert.assertThrows(RuntimeException.class, () -> {
             try {
-                jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, List.of(), false);
+                jwtVendor.createJwt(issuer, subject, audience, expirySeconds, roles, List.of(), true);
             } catch (Exception e) {
                 throw new RuntimeException(e);
             }