opensearch-project#2616 preliminary implementation of getTokenManager…

… for extensions backwards compatibility using BWC_PLUGIN_MODE extension setting

Signed-off-by: Sam <[email protected]>

src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java

@@ -98,6 +98,8 @@
 import org.opensearch.extensions.ExtensionsManager;
 import org.opensearch.http.HttpServerTransport;
 import org.opensearch.http.HttpServerTransport.Dispatcher;
+import org.opensearch.identity.Subject;
+import org.opensearch.identity.tokens.TokenManager;
 import org.opensearch.index.Index;
 import org.opensearch.index.IndexModule;
 import org.opensearch.index.cache.query.QueryCache;
@@ -106,6 +108,7 @@
 import org.opensearch.indices.breaker.CircuitBreakerService;
 import org.opensearch.plugins.ClusterPlugin;
 import org.opensearch.plugins.ExtensionAwarePlugin;
+import org.opensearch.plugins.IdentityPlugin;
 import org.opensearch.plugins.MapperPlugin;
 import org.opensearch.repositories.RepositoriesService;
 import org.opensearch.rest.RestController;
@@ -127,6 +130,7 @@
 import org.opensearch.security.auditlog.config.AuditConfig.Filter.FilterEntries;
 import org.opensearch.security.auditlog.impl.AuditLogImpl;
 import org.opensearch.security.auth.BackendRegistry;
+import org.opensearch.security.auth.SecurityTokenManager;
 import org.opensearch.security.compliance.ComplianceIndexingOperationListener;
 import org.opensearch.security.compliance.ComplianceIndexingOperationListenerImpl;
 import org.opensearch.security.configuration.AdminDNs;
@@ -192,7 +196,12 @@
 import org.opensearch.watcher.ResourceWatcherService;
 // CS-ENFORCE-SINGLE
 
-public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin implements ClusterPlugin, MapperPlugin, ExtensionAwarePlugin {
+public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin
+    implements
+        ClusterPlugin,
+        MapperPlugin,
+        ExtensionAwarePlugin,
+        IdentityPlugin {
 
     private static final String KEYWORD = ".keyword";
     private static final Logger actionTrace = LogManager.getLogger("opendistro_security_action_trace");
@@ -1103,9 +1112,14 @@ public Settings additionalSettings() {
     public List<Setting<?>> getExtensionSettings() {
         List<Setting<?>> extentionSettings = new ArrayList<Setting<?>>();
 
-        extentionSettings.add(Setting.boolSetting(ConfigConstants.EXTENSIONS_BWC_PLUGIN_MODE, ConfigConstants.EXTENSIONS_BWC_PLUGIN_MODE_DEFAULT, Property.ExtensionScope, Property.Final));
-        extentionSettings.add(Setting.listSetting(ConfigConstants.EXTENSIONS_DISTIGUISHED_NAMES, ConfigConstants.EXTENSIONS_DISTINGUISHED_NAMES_DEFAULT, Function.identity(), Property.ExtensionScope, Property.Final));
-
+        extentionSettings.add(
+            Setting.boolSetting(
+                ConfigConstants.EXTENSIONS_BWC_PLUGIN_MODE,
+                ConfigConstants.EXTENSIONS_BWC_PLUGIN_MODE_DEFAULT,
+                Property.ExtensionScope,
+                Property.Final
+            )
+        );
         return extentionSettings;
     }
 
@@ -1887,6 +1901,22 @@ private static String handleKeyword(final String field) {
         return field;
     }
 
+    @Override
+    public Subject getSubject() {
+        return null;
+    }
+
+    @Override
+    public TokenManager getTokenManager() {
+        return new SecurityTokenManager(
+            threadPool.getThreadContext(),
+            threadPool,
+            new XFFResolver(threadPool),
+            auditLog,
+            settings
+        );
+    }
+
     public static class GuiceHolder implements LifecycleComponent {
 
         private static RepositoriesService repositoriesService;

src/main/java/org/opensearch/security/auth/SecurityTokenManager.java

@@ -0,0 +1,72 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.security.auth;
+
+import org.greenrobot.eventbus.Subscribe;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.common.transport.TransportAddress;
+import org.opensearch.common.util.concurrent.ThreadContext;
+import org.opensearch.common.util.set.Sets;
+import org.opensearch.identity.tokens.AuthToken;
+import org.opensearch.identity.tokens.BasicAuthToken;
+import org.opensearch.identity.tokens.TokenManager;
+import org.opensearch.security.auditlog.AuditLog;
+import org.opensearch.security.http.XFFResolver;
+import org.opensearch.security.securityconf.ConfigModel;
+import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.security.user.User;
+import org.opensearch.threadpool.ThreadPool;
+
+import java.util.*;
+
+public class SecurityTokenManager implements TokenManager {
+
+    Boolean extensionBwcCompatMode;
+    User user;
+    ConfigModel configModel;
+    Set<String> mappedRoles;
+    UserInjector userInjector;
+
+    @Subscribe
+    public void onConfigModelChanged(ConfigModel configModel) {
+        this.configModel = configModel;
+    }
+
+    public SecurityTokenManager(
+        ThreadContext threadContext,
+        ThreadPool threadPool,
+        final XFFResolver xffResolver,
+        AuditLog auditLog,
+        Settings settings
+    ) {
+        this.userInjector = new UserInjector(settings, threadPool, auditLog, xffResolver);
+        this.extensionBwcCompatMode = settings.getAsBoolean(ConfigConstants.EXTENSIONS_BWC_PLUGIN_MODE, ConfigConstants.EXTENSIONS_BWC_PLUGIN_MODE_DEFAULT);
+        this.user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
+        if (user == null) {
+            user = userInjector.getInjectedUser();
+        }
+        final TransportAddress caller = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS);
+        this.mappedRoles = configModel.mapSecurityRoles(user, caller);
+    }
+
+    @Override
+    public AuthToken issueToken(String audience) {
+
+        if (extensionBwcCompatMode) {
+            StringJoiner joiner = new StringJoiner("|");
+            joiner.add(user.getName());
+            joiner.add(String.join(",", user.getRoles()));
+            joiner.add(String.join(",", Sets.union(user.getSecurityRoles(), mappedRoles)));
+
+            return new BasicAuthToken(joiner.toString() + "This is the Token including the encrypted backend roles");
+        } else {
+            return new BasicAuthToken("This is standard Token without the roles");
+        }
+    }
+}

src/main/java/org/opensearch/security/support/ConfigConstants.java

@@ -324,8 +324,6 @@ public enum RolesMappingResolution {
     public static final String EXTENSIONS_SETTING = "extensions";
     public static final String EXTENSIONS_BWC_PLUGIN_MODE = "bwcPluginMode";
     public static final boolean EXTENSIONS_BWC_PLUGIN_MODE_DEFAULT = false;
-    public static final String EXTENSIONS_DISTIGUISHED_NAMES = "extensionDistinguishedNames";
-    public static final List<String> EXTENSIONS_DISTINGUISHED_NAMES_DEFAULT = Collections.emptyList();
 
     public static Set<String> getSettingAsSet(
         final Settings settings,