Remove unnecessary details logged for OIDC (#48746) (#49031)

This commit removes unnecessary details logged for
OIDC.

Co-Authored-By: Ioannis Kakavas <ikakavas@protonmail.com>
This commit is contained in:
Ioannis Kakavas 2019-11-13 13:43:56 +02:00 committed by GitHub
parent 2dfa0133d5
commit 4405042900
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -79,6 +79,7 @@ import org.elasticsearch.common.Strings;
import org.elasticsearch.common.collect.Tuple; import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.util.concurrent.EsExecutors; import org.elasticsearch.common.util.concurrent.EsExecutors;
import org.elasticsearch.common.util.concurrent.ListenableFuture; import org.elasticsearch.common.util.concurrent.ListenableFuture;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.watcher.FileChangesListener; import org.elasticsearch.watcher.FileChangesListener;
import org.elasticsearch.watcher.FileWatcher; import org.elasticsearch.watcher.FileWatcher;
import org.elasticsearch.watcher.ResourceWatcherService; import org.elasticsearch.watcher.ResourceWatcherService;
@ -514,29 +515,31 @@ public class OpenIdConnectAuthenticator {
return; return;
} }
final Charset encoding = encodingHeader == null ? StandardCharsets.UTF_8 : Charsets.toCharset(encodingHeader.getValue()); final Charset encoding = encodingHeader == null ? StandardCharsets.UTF_8 : Charsets.toCharset(encodingHeader.getValue());
final String json = EntityUtils.toString(entity, encoding); final RestStatus responseStatus = RestStatus.fromCode(httpResponse.getStatusLine().getStatusCode());
if (LOGGER.isTraceEnabled()) { if (RestStatus.OK != responseStatus) {
LOGGER.trace("Received Token Response from OP with status [{}] and content [{}] ", final String json = EntityUtils.toString(entity, encoding);
httpResponse.getStatusLine().getStatusCode(), json); LOGGER.warn("Received Token Response from OP with status [{}] and content [{}]", responseStatus, json);
} if (RestStatus.BAD_REQUEST == responseStatus) {
final OIDCTokenResponse oidcTokenResponse = OIDCTokenResponse.parse(JSONObjectUtils.parse(json)); final TokenErrorResponse tokenErrorResponse = TokenErrorResponse.parse(JSONObjectUtils.parse(json));
if (oidcTokenResponse.indicatesSuccess() == false) { tokensListener.onFailure(
TokenErrorResponse errorResponse = oidcTokenResponse.toErrorResponse(); new ElasticsearchSecurityException("Failed to exchange code for Id Token. Code=[{}], Description=[{}]",
tokensListener.onFailure( tokenErrorResponse.getErrorObject().getCode(), tokenErrorResponse.getErrorObject().getDescription()));
new ElasticsearchSecurityException("Failed to exchange code for Id Token. Code=[{}], Description=[{}]", } else {
errorResponse.getErrorObject().getCode(), errorResponse.getErrorObject().getDescription())); tokensListener.onFailure(new ElasticsearchSecurityException("Failed to exchange code for Id Token"));
}
} else { } else {
OIDCTokenResponse successResponse = oidcTokenResponse.toSuccessResponse(); final OIDCTokenResponse oidcTokenResponse = OIDCTokenResponse.parse(
final OIDCTokens oidcTokens = successResponse.getOIDCTokens(); JSONObjectUtils.parse(EntityUtils.toString(entity, encoding)));
final OIDCTokens oidcTokens = oidcTokenResponse.getOIDCTokens();
final AccessToken accessToken = oidcTokens.getAccessToken(); final AccessToken accessToken = oidcTokens.getAccessToken();
final JWT idToken = oidcTokens.getIDToken(); final JWT idToken = oidcTokens.getIDToken();
if (LOGGER.isTraceEnabled()) { if (LOGGER.isTraceEnabled()) {
LOGGER.trace("Successfully exchanged code for ID Token: [{}] and Access Token [{}]", LOGGER.trace("Successfully exchanged code for ID Token [{}] and Access Token [{}]", idToken,
idToken, accessToken); truncateToken(accessToken.toString()));
} }
if (idToken == null) { if (idToken == null) {
tokensListener.onFailure(new ElasticsearchSecurityException("Token Response did not contain an ID Token or parsing of" + tokensListener.onFailure(
" the JWT failed.")); new ElasticsearchSecurityException("Token Response did not contain an ID Token or parsing of the JWT failed."));
return; return;
} }
tokensListener.onResponse(new Tuple<>(accessToken, idToken)); tokensListener.onResponse(new Tuple<>(accessToken, idToken));
@ -548,6 +551,13 @@ public class OpenIdConnectAuthenticator {
} }
} }
private static String truncateToken(String input) {
if (Strings.hasText(input) == false || input.length() <= 4) {
return input;
}
return input.substring(0, 2) + "***" + input.substring(input.length() - 2);
}
/** /**
* Creates a {@link CloseableHttpAsyncClient} that uses a {@link PoolingNHttpClientConnectionManager} * Creates a {@link CloseableHttpAsyncClient} that uses a {@link PoolingNHttpClientConnectionManager}
*/ */
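Review bot: The new trace line in the second hunk, `LOGGER.trace("Successfully exchanged code for ID Token [{}] and Access Token [{}]", idToken, truncateToken(accessToken.toString()))`, still writes the ID token in full while the access token is now truncated; an ID token is a JWT whose payload carries identity claims, so the same redaction belongs on it, e.g. `truncateToken(String.valueOf(idToken))` if the JWT's string form is its compact serialization. The `idToken == null` check only runs after that log line, which is why `String.valueOf` rather than `idToken.toString()` is the safer form there. The new `LOGGER.warn("Received Token Response from OP with status [{}] and content [{}]", responseStatus, json)` line logs the entire non-OK response body from the OP at WARN, where the old code did so only at TRACE; that body is OP-controlled text, so consider whether the parsed error code and description (already extracted on the 400 path) are enough at the default log level. In `truncateToken`, inputs of five or six characters come back with all but one or two characters visible, so a slightly higher minimum length before showing the prefix and suffix would leak less. The enclosing method begins before the second hunk.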