Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adds JTI and expiration field support for API Tokens #4967

Merged
merged 35 commits into from
Dec 20, 2024
Merged

Adds JTI and expiration field support for API Tokens #4967

merged 35 commits into from
Dec 20, 2024

Conversation

derek-ho
Copy link
Collaborator

@derek-ho derek-ho commented Dec 13, 2024
edited
Loading

Description

This change adds support for expiration field (to be used to determine validity of api tokens), as well as support for generating the JTI that represents the token. To generate the JTI the existing securityTokenManager's jwtvendor logic was re-used, and new Api tokens specific dynamic config model settings were added.

  • Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)
    Enhancement
  • Why these changes are required?
    Support vending the token itself and expiration
  • What is the old behavior before changes and new behavior after changes?
    Return dummy jti, no support for expiration

Issues Resolved

[List any issues this PR will resolve]

Is this a backport? If so, please add backport PR # and/or commits #, and remove backport-failed label from the original PR.

Do these changes introduce new permission(s) to be displayed in the static dropdown on the front-end? If so, please open a draft PR in the security dashboards plugin and link the draft PR here

Testing

[Please provide details of testing done: unit testing, integration testing and manual testing]

Check List

  • New functionality includes testing
  • New functionality has been documented
  • New Roles/Permissions have a corresponding security dashboards plugin PR
  • API changes companion pull request created
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@derek-ho
Add api token action to handle creation of api token index
0a708f9 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
spotless apply and checkstyle
3a16424 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
Stash context
064ffa4 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
Add TODO comments
65532ca 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
Remove dynamic changes for now
a56163d 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
Add a indexmanager to handle document creation
72f2838 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
Clean up
6bfc31c 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
Refactor to use repository model
0b1da6d 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
Implement simple functionality for get and delete APIs as well
77e18d9 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
Clean up and add basic test
6464a8c 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
Add comprehensive tests and clean up indexing and getting to xcontent
784809c 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
Add ignore unknown properties
11880ec 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
@JsonCreator
ade56be 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
Json property mode
e504960 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
Fix fragment issue
58478d4 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
Add support for cluster and index creation parsing
0c43e9d 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
Add tests for validation functions
1468c9c 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
Cleanup according to PR feedback
725c3f8 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
Cleanup using constants for better refactorability
16c1615 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
General cleanup
dad767b 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
Add to dynamic config model and expiration
98d3847 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho derek-ho changed the title Adds Authcz suport for api tokens Adds JTI and expiration field support for API Tokens Dec 17, 2024
DarshitChanpura
DarshitChanpura reviewed Dec 19, 2024
View reviewed changes
src/main/java/org/opensearch/security/action/apitokens/ApiToken.java Outdated Show resolved Hide resolved
src/main/java/org/opensearch/security/action/apitokens/ApiToken.java Outdated Show resolved Hide resolved
src/main/java/org/opensearch/security/action/apitokens/ApiToken.java Outdated Show resolved Hide resolved
src/main/java/org/opensearch/security/action/apitokens/ApiTokenAction.java Outdated Show resolved Hide resolved
src/main/java/org/opensearch/security/action/apitokens/ApiTokenRepository.java Outdated Show resolved Hide resolved
src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java Show resolved Hide resolved
src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java Outdated Show resolved Hide resolved
src/main/java/org/opensearch/security/securityconf/impl/v7/ConfigV7.java Outdated Show resolved Hide resolved
src/test/java/org/opensearch/security/authtoken/jwt/JwtVendorTest.java Outdated Show resolved Hide resolved
@derek-ho
PR review
2287742 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
PR cleanup
98301f8 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
Add test for signing key too short
b84d2cf 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho
Remove file from PR
af1de45 
Signed-off-by: Derek Ho <[email protected]>
@derek-ho derek-ho merged commit dacdae5 into opensearch-project:feature/api-tokens Dec 20, 2024
38 checks passed
@derek-ho derek-ho deleted the authcz branch December 20, 2024 20:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cwperks cwperks cwperks left review comments

@DarshitChanpura DarshitChanpura DarshitChanpura approved these changes

@nibix nibix Awaiting requested review from nibix nibix is a code owner

@peternied peternied Awaiting requested review from peternied peternied is a code owner

@RyanL1997 RyanL1997 Awaiting requested review from RyanL1997 RyanL1997 is a code owner

@reta reta Awaiting requested review from reta reta is a code owner

@willyborankin willyborankin Awaiting requested review from willyborankin willyborankin is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@derek-ho @cwperks @DarshitChanpura