opensearch-project · DarshitChanpura · Oct 24, 2023 · Aug 25, 2023 · Sep 26, 2023 · Sep 26, 2023
@@ -18,6 +18,7 @@
 import java.security.AccessController;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
+import java.util.Base64;
 import java.util.Date;
 import java.util.List;
 import java.util.Optional;
@@ -31,12 +32,14 @@
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.node.ObjectNode;
+import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.JWSHeader;
 import com.nimbusds.jose.crypto.factories.DefaultJWSSignerFactory;
 import com.nimbusds.jose.jwk.JWK;
 import com.nimbusds.jose.jwk.KeyUse;
 import com.nimbusds.jose.jwk.OctetSequenceKey;
+import com.nimbusds.jose.util.ByteUtils;
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
 import com.onelogin.saml2.authn.SamlResponse;
@@ -60,10 +63,11 @@
 import org.opensearch.rest.RestRequest.Method;
 import org.opensearch.core.rest.RestStatus;
 import org.opensearch.security.DefaultObjectMapper;
-import org.opensearch.security.authtoken.jwt.JwtVendor;
 import org.opensearch.security.dlic.rest.api.AuthTokenProcessorAction;
 import org.opensearch.security.filter.SecurityResponse;
 
+import static com.nimbusds.jose.crypto.MACSigner.getMinRequiredSecretLength;
+
 class AuthTokenProcessorHandler {
     private static final Logger log = LogManager.getLogger(AuthTokenProcessorHandler.class);
     private static final Logger token_log = LogManager.getLogger("com.amazon.dlic.auth.http.saml.Token");
@@ -117,6 +121,18 @@
         this.jwsHeader = this.createJwsHeaderFromSettings();
     }
 
+    public static String padSecret(String signingKey, JWSAlgorithm jwsAlgorithm) {
+        int requiredSecretLength;
+        try {
+            requiredSecretLength = getMinRequiredSecretLength(jwsAlgorithm);
+        } catch (JOSEException e) {
+            throw new RuntimeException(e);
+        }
+        int requiredByteLength = ByteUtils.byteLength(requiredSecretLength);
+        // padding the signing key with 0s to meet the minimum required length
+        return StringUtils.rightPad(signingKey, requiredByteLength, "\0");
+    }
+
     @SuppressWarnings("removal")
     Optional<SecurityResponse> handle(RestRequest restRequest) throws Exception {
         try {
@@ -247,9 +263,10 @@
     }
 
     JWK createJwkFromSettings(Settings settings, Settings jwtSettings) throws Exception {
-        String exchangeKey = JwtVendor.padSecret(settings.get("exchange_key"), JWSAlgorithm.HS512);
+        String exchangeKey = settings.get("exchange_key");
 
         if (!Strings.isNullOrEmpty(exchangeKey)) {
+            exchangeKey = padSecret(new String(Base64.getDecoder().decode(exchangeKey)), JWSAlgorithm.HS512);
 
             return new OctetSequenceKey.Builder(exchangeKey.getBytes(StandardCharsets.UTF_8)).algorithm(JWSAlgorithm.HS512)
                 .keyUse(KeyUse.SIGNATURE)
@@ -263,7 +280,7 @@
                 );
             }
 
-            String k = JwtVendor.padSecret(jwkSettings.get("k"), JWSAlgorithm.HS512);
+            String k = padSecret(new String(Base64.getDecoder().decode(jwkSettings.get("k"))), JWSAlgorithm.HS512);
 
             return new OctetSequenceKey.Builder(k.getBytes(StandardCharsets.UTF_8)).algorithm(JWSAlgorithm.HS512)
                 .keyUse(KeyUse.SIGNATURE)
@@ -277,7 +294,7 @@
            .claim(this.jwtSubjectKey, this.extractSubject(samlResponse));

        if (this.samlSubjectKey != null) {
            jwtClaimsBuilder.claim("saml_ni", samlResponse.getNameId());
        }
        if (samlResponse.getNameIdFormat() != null) {
            jwtClaimsBuilder.claim("saml_nif", SamlNameIdFormat.getByUri(samlResponse.getNameIdFormat()).getShortName());
@@ -301,7 +318,7 @@
        String encodedJwt = jwt.serialize();

        if (token_log.isDebugEnabled()) {
            token_log.debug("Created JWT: " + encodedJwt + "\n" + jwt.getHeader().toString() + "\n" + jwt.getJWTClaimsSet().toString());
        }

        return encodedJwt;
@@ -311,10 +328,10 @@
        DateTime sessionNotOnOrAfter = samlResponse.getSessionNotOnOrAfter();

        if (this.expiryBaseValue == ExpiryBaseValue.NOW) {
            return System.currentTimeMillis() + this.expiryOffset * 1000;
        } else if (this.expiryBaseValue == ExpiryBaseValue.SESSION) {
            if (sessionNotOnOrAfter != null) {
                return sessionNotOnOrAfter.getMillis() + this.expiryOffset * 1000;
            } else {
                throw new Exception("Error while determining JWT expiration time: SamlResponse did not contain sessionNotOnOrAfter value");
            }
@@ -322,7 +339,7 @@
            // AUTO

            if (sessionNotOnOrAfter != null) {
                return sessionNotOnOrAfter.getMillis();
            } else {
                return System.currentTimeMillis() + (this.expiryOffset > 0 ? this.expiryOffset * 1000 : 60 * 60_000);
            }

@@ -19,8 +19,6 @@
 import java.util.function.LongSupplier;
 
 import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.util.ByteUtils;
-import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
@@ -39,7 +37,6 @@
 import org.opensearch.common.collect.Tuple;
 import org.opensearch.common.settings.Settings;
 
-import static com.nimbusds.jose.crypto.MACSigner.getMinRequiredSecretLength;
 import static org.opensearch.security.util.AuthTokenUtils.isKeyNull;
 
 public class JwtVendor {
@@ -91,10 +88,10 @@
                );
            }

            String signingKey = jwkSettings.get("k");
            key = new OctetSequenceKey.Builder(Base64.getDecoder().decode(signingKey)).algorithm(JWSAlgorithm.HS512)
                .keyUse(KeyUse.SIGNATURE)
                .build();
        }

        try {
@@ -104,18 +101,6 @@
         }
     }
 
-    public static String padSecret(String signingKey, JWSAlgorithm jwsAlgorithm) {
-        int requiredSecretLength;
-        try {
-            requiredSecretLength = getMinRequiredSecretLength(jwsAlgorithm);
-        } catch (JOSEException e) {
-            throw new RuntimeException(e);
-        }
-        int requiredByteLength = ByteUtils.byteLength(requiredSecretLength);
-        // padding the signing key with 0s to meet the minimum required length
-        return StringUtils.rightPad(signingKey, requiredByteLength, "\0");
-    }
-
     public String createJwt(
         String issuer,
         String subject,

@@ -111,6 +111,65 @@ public void testInvalid() throws Exception {
         Assert.assertNull(credentials);
     }
 
+    @Test
+    public void testParsePrevGeneratedJwt() {
+        String jwsToken =
+            "eyJhbGciOiJIUzUxMiJ9.eyJuYmYiOjE2OTgxNTE4ODQsImV4cCI6MTY5ODE1NTQ4NCwic3ViIjoiaG9yc3QiLCJzYW1sX25pZiI6InUiLCJzYW1sX3NpIjoiTU9DS1NBTUxfMyIsInJvbGVzIjpudWxsfQ.E_MP8wVVu1P7_RATtjhnCvPft2gQTFdY5NlmRTCsrjdDXTUfxkswktWCB_k_wXDKCuNukNlSL2FSo3EV2VtUEQ";
+        Settings settings = Settings.builder()
+            .put(
+                "signing_key",
+                BaseEncoding.base64()
+                    .encode(
+                        "thisIsSecretThatIsVeryHardToCrackItsPracticallyImpossibleToDothisIsSecretThatIsVeryHardToCrackItsPracticallyImpossibleToDo"
+                            .getBytes(StandardCharsets.UTF_8)
+                    )
+            )
+            .build();
+
+        HTTPJwtAuthenticator jwtAuth = new HTTPJwtAuthenticator(settings, null);
+        Map<String, String> headers = new HashMap<String, String>();
+        headers.put("Authorization", "Bearer " + jwsToken);
+
+        AuthCredentials credentials = jwtAuth.extractCredentials(
+            new FakeRestRequest(headers, new HashMap<String, String>()).asSecurityRequest(),
+            null
+        );
+
+        Assert.assertNotNull(credentials);
+        Assert.assertEquals("horst", credentials.getUsername());
+        Assert.assertEquals(0, credentials.getBackendRoles().size());
+        Assert.assertEquals(5, credentials.getAttributes().size());
+        Assert.assertEquals("1698151884", credentials.getAttributes().get("attr.jwt.nbf"));
+        Assert.assertEquals("1698155484", credentials.getAttributes().get("attr.jwt.exp"));
+    }
+
+    @Test
+    public void testFailToParsePrevGeneratedJwt() {
+        String jwsToken =
+            "eyJhbGciOiJIUzUxMiJ9.eyJuYmYiOjE2OTgxNTE4ODQsImV4cCI6MTY5ODE1NTQ4NCwic3ViIjoiaG9yc3QiLCJzYW1sX25pZiI6InUiLCJzYW1sX3NpIjoiTU9DS1NBTUxfMyIsInJvbGVzIjpudWxsfQ.E_MP8wVVu1P7_RATtjhnCvPft2gQTFdY5NlmRTCsrjdDXTUfxkswktWCB_k_wXDKCuNukNlSL2FSo3EV2VtUEQ";
+        Settings settings = Settings.builder()
+            .put(
+                "signing_key",
+                BaseEncoding.base64()
+                    .encode(
+                        "additionalDatathisIsSecretThatIsVeryHardToCrackItsPracticallyImpossibleToDothisIsSecretThatIsVeryHardToCrackItsPracticallyImpossibleToDo"
+                            .getBytes(StandardCharsets.UTF_8)
+                    )
+            )
+            .build();
+
+        HTTPJwtAuthenticator jwtAuth = new HTTPJwtAuthenticator(settings, null);
+        Map<String, String> headers = new HashMap<String, String>();
+        headers.put("Authorization", "Bearer " + jwsToken);
+
+        AuthCredentials credentials = jwtAuth.extractCredentials(
+            new FakeRestRequest(headers, new HashMap<String, String>()).asSecurityRequest(),
+            null
+        );
+
+        Assert.assertNull(credentials);
+    }
+
     @Test
     public void testBearer() throws Exception {