Remove unnecessary details logged for OIDC (#48746) (#49031)

This commit removes unnecessary details logged for
OIDC.

Co-Authored-By: Ioannis Kakavas <ikakavas@protonmail.com>
This commit is contained in:
Ioannis Kakavas 2019-11-13 13:43:56 +02:00 committed by GitHub
parent 2dfa0133d5
commit 4405042900
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 27 additions and 17 deletions

View File

@ -79,6 +79,7 @@ import org.elasticsearch.common.Strings;
import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.util.concurrent.EsExecutors;
import org.elasticsearch.common.util.concurrent.ListenableFuture;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.watcher.FileChangesListener;
import org.elasticsearch.watcher.FileWatcher;
import org.elasticsearch.watcher.ResourceWatcherService;
@ -514,29 +515,31 @@ public class OpenIdConnectAuthenticator {
return;
}
final Charset encoding = encodingHeader == null ? StandardCharsets.UTF_8 : Charsets.toCharset(encodingHeader.getValue());
final RestStatus responseStatus = RestStatus.fromCode(httpResponse.getStatusLine().getStatusCode());
if (RestStatus.OK != responseStatus) {
final String json = EntityUtils.toString(entity, encoding);
if (LOGGER.isTraceEnabled()) {
LOGGER.trace("Received Token Response from OP with status [{}] and content [{}] ",
httpResponse.getStatusLine().getStatusCode(), json);
}
final OIDCTokenResponse oidcTokenResponse = OIDCTokenResponse.parse(JSONObjectUtils.parse(json));
if (oidcTokenResponse.indicatesSuccess() == false) {
TokenErrorResponse errorResponse = oidcTokenResponse.toErrorResponse();
LOGGER.warn("Received Token Response from OP with status [{}] and content [{}]", responseStatus, json);
if (RestStatus.BAD_REQUEST == responseStatus) {
final TokenErrorResponse tokenErrorResponse = TokenErrorResponse.parse(JSONObjectUtils.parse(json));
tokensListener.onFailure(
new ElasticsearchSecurityException("Failed to exchange code for Id Token. Code=[{}], Description=[{}]",
errorResponse.getErrorObject().getCode(), errorResponse.getErrorObject().getDescription()));
tokenErrorResponse.getErrorObject().getCode(), tokenErrorResponse.getErrorObject().getDescription()));
} else {
OIDCTokenResponse successResponse = oidcTokenResponse.toSuccessResponse();
final OIDCTokens oidcTokens = successResponse.getOIDCTokens();
tokensListener.onFailure(new ElasticsearchSecurityException("Failed to exchange code for Id Token"));
}
} else {
final OIDCTokenResponse oidcTokenResponse = OIDCTokenResponse.parse(
JSONObjectUtils.parse(EntityUtils.toString(entity, encoding)));
final OIDCTokens oidcTokens = oidcTokenResponse.getOIDCTokens();
final AccessToken accessToken = oidcTokens.getAccessToken();
final JWT idToken = oidcTokens.getIDToken();
if (LOGGER.isTraceEnabled()) {
LOGGER.trace("Successfully exchanged code for ID Token: [{}] and Access Token [{}]",
idToken, accessToken);
LOGGER.trace("Successfully exchanged code for ID Token [{}] and Access Token [{}]", idToken,
truncateToken(accessToken.toString()));
}
if (idToken == null) {
tokensListener.onFailure(new ElasticsearchSecurityException("Token Response did not contain an ID Token or parsing of" +
" the JWT failed."));
tokensListener.onFailure(
new ElasticsearchSecurityException("Token Response did not contain an ID Token or parsing of the JWT failed."));
return;
}
tokensListener.onResponse(new Tuple<>(accessToken, idToken));
@ -548,6 +551,13 @@ public class OpenIdConnectAuthenticator {
}
}
private static String truncateToken(String input) {
if (Strings.hasText(input) == false || input.length() <= 4) {
return input;
}
return input.substring(0, 2) + "***" + input.substring(input.length() - 2);
}
/**
* Creates a {@link CloseableHttpAsyncClient} that uses a {@link PoolingNHttpClientConnectionManager}
*/