Update user parsing to include custom attributes

build.gradle

@@ -92,12 +92,12 @@ dependencies {
     testImplementation "org.opensearch.test:framework:${opensearch_version}"
     testImplementation "org.jetbrains.kotlin:kotlin-test:${kotlin_version}"
     testImplementation "org.mockito:mockito-core:3.10.0"
-    testImplementation 'org.junit.jupiter:junit-jupiter-api:5.7.2'
+    testImplementation 'org.junit.jupiter:junit-jupiter-api:5.11.4'
     testImplementation 'org.mockito:mockito-junit-jupiter:3.10.0'
     testImplementation "com.nhaarman.mockitokotlin2:mockito-kotlin:2.2.0"
     testImplementation "com.cronutils:cron-utils:9.1.6"
     testImplementation "commons-validator:commons-validator:1.7"
-    testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.7.2'
+    testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.11.4'
 
     ktlint "com.pinterest:ktlint:0.47.1"
 }

src/main/java/org/opensearch/commons/ConfigConstants.java

@@ -52,6 +52,7 @@ private static Setting<SecureString> createFallbackInsecureSetting(String key) {
         );
     public static final String OPENSEARCH_SECURITY_INJECTED_ROLES = "opendistro_security_injected_roles";
     public static final String INJECTED_USER = "injected_user";
+    public static final String INJECTED_USER_CUSTOM_ATTRIBUTES = "injected_user_custom_attributes";
     public static final String OPENSEARCH_SECURITY_USE_INJECTED_USER_FOR_PLUGINS = "plugins.security_use_injected_user_for_plugins";
     public static final String OPENSEARCH_SECURITY_SSL_HTTP_ENABLED = "plugins.security.ssl.http.enabled";
     public static final String OPENSEARCH_SECURITY_AUTHCZ_ADMIN_DN = "plugins.security.authcz.admin_dn";

src/main/java/org/opensearch/commons/InjectSecurity.java

@@ -6,6 +6,7 @@
 package org.opensearch.commons;
 
 import static org.opensearch.commons.ConfigConstants.INJECTED_USER;
+import static org.opensearch.commons.ConfigConstants.INJECTED_USER_CUSTOM_ATTRIBUTES;
 import static org.opensearch.commons.ConfigConstants.OPENSEARCH_SECURITY_INJECTED_ROLES;
 import static org.opensearch.commons.ConfigConstants.OPENSEARCH_SECURITY_USE_INJECTED_USER_FOR_PLUGINS;
 import static org.opensearch.commons.authuser.Utils.escapePipe;
@@ -155,7 +156,15 @@ public void injectUserInfo(final User user) {
         if (!Strings.isNullOrEmpty(requestedTenant)) {
             joiner.add(escapePipe(requestedTenant));
         }
+
         threadContext.putTransient(ConfigConstants.OPENSEARCH_SECURITY_USER_INFO_THREAD_CONTEXT, joiner.toString());
+
+        if (threadContext.getTransient(INJECTED_USER_CUSTOM_ATTRIBUTES) == null) {
+            threadContext.putTransient(INJECTED_USER_CUSTOM_ATTRIBUTES, user.getCustomAttributes());
+            log.debug("{}, InjectSecurity - inject user custom attributes: {}", Thread.currentThread().getName(), id);
+        } else {
+            log.error("{}, InjectSecurity - most likely thread context corruption : {}", Thread.currentThread().getName(), id);
+        }
     }
 
     /**

src/main/java/org/opensearch/commons/authuser/User.java

@@ -12,9 +12,12 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
+import java.util.TreeMap;
+import java.util.stream.Collectors;
 
 import org.apache.hc.core5.http.ParseException;
 import org.apache.hc.core5.http.io.entity.EntityUtils;
@@ -26,6 +29,7 @@
 import org.opensearch.common.xcontent.XContentHelper;
 import org.opensearch.common.xcontent.json.JsonXContent;
 import org.opensearch.commons.ConfigConstants;
+import org.opensearch.commons.authuser.util.Base64Helper;
 import org.opensearch.core.common.Strings;
 import org.opensearch.core.common.io.stream.StreamInput;
 import org.opensearch.core.common.io.stream.StreamOutput;
@@ -45,13 +49,14 @@ final public class User implements Writeable, ToXContent {
     public static final String BACKEND_ROLES_FIELD = "backend_roles";
     public static final String ROLES_FIELD = "roles";
     public static final String CUSTOM_ATTRIBUTE_NAMES_FIELD = "custom_attribute_names";
+    public static final String CUSTOM_ATTRIBUTES_FIELD = "custom_attributes";
     public static final String REQUESTED_TENANT_FIELD = "user_requested_tenant";
     public static final String REQUESTED_TENANT_ACCESS = "user_requested_tenant_access";
 
     private final String name;
     private final List<String> backendRoles;
     private final List<String> roles;
-    private final List<String> customAttNames;
+    private final Map<String, String> customAttributes;
     @Nullable
     private final String requestedTenant;
     @Nullable
@@ -61,16 +66,25 @@ public User() {
         name = "";
         backendRoles = new ArrayList<>();
         roles = new ArrayList<>();
-        customAttNames = new ArrayList<>();
+        customAttributes = new HashMap<>();
         requestedTenant = null;
         requestedTenantAccess = null;
     }
 
+    public User(final String name, final List<String> backendRoles, List<String> roles, Map<String, String> customAttributes) {
+        this.name = name;
+        this.backendRoles = backendRoles;
+        this.roles = roles;
+        this.customAttributes = customAttributes;
+        this.requestedTenant = null;
+        this.requestedTenantAccess = null;
+    }
+
     public User(final String name, final List<String> backendRoles, List<String> roles, List<String> customAttNames) {
         this.name = name;
         this.backendRoles = backendRoles;
         this.roles = roles;
-        this.customAttNames = customAttNames;
+        this.customAttributes = this.convertCustomAttributeNamesToMap(customAttNames);
         this.requestedTenant = null;
         this.requestedTenantAccess = null;
     }
@@ -79,13 +93,13 @@ public User(
         final String name,
         final List<String> backendRoles,
         final List<String> roles,
-        final List<String> customAttNames,
+        final Map<String, String> customAttributes,
         @Nullable final String requestedTenant
     ) {
         this.name = name;
         this.backendRoles = backendRoles;
         this.roles = roles;
-        this.customAttNames = customAttNames;
+        this.customAttributes = customAttributes;
         this.requestedTenant = requestedTenant;
         this.requestedTenantAccess = null;
     }
@@ -94,14 +108,14 @@ public User(
         final String name,
         final List<String> backendRoles,
         final List<String> roles,
-        final List<String> customAttNames,
+        final Map<String, String> customAttributes,
         @Nullable final String requestedTenant,
         @Nullable final String requestedTenantAccess
     ) {
         this.name = name;
         this.backendRoles = backendRoles;
         this.roles = roles;
-        this.customAttNames = customAttNames;
+        this.customAttributes = customAttributes;
         this.requestedTenant = requestedTenant;
         this.requestedTenantAccess = requestedTenantAccess;
     }
@@ -125,7 +139,16 @@ public User(String json) {
         name = (String) mapValue.get("user_name");
         backendRoles = (List<String>) mapValue.get("backend_roles");
         roles = (List<String>) mapValue.get("roles");
-        customAttNames = (List<String>) mapValue.get("custom_attribute_names");
+
+        Map<String, String> customAttributesFromJson = (Map<String, String>) mapValue.get("custom_attributes");
+        List<String> customAttNames = (List<String>) mapValue.get("custom_attribute_names");
+
+        if (customAttributesFromJson != null) {
+            customAttributes = customAttributesFromJson;
+        } else {
+            customAttributes = this.convertCustomAttributeNamesToMap(customAttNames);
+        }
+
         requestedTenant = (String) mapValue.getOrDefault("user_requested_tenant", null);
         requestedTenantAccess = (String) mapValue.getOrDefault("user_requested_tenant_access", null);
     }
@@ -134,7 +157,12 @@ public User(StreamInput in) throws IOException {
         name = in.readString();
         backendRoles = in.readStringList();
         roles = in.readStringList();
-        customAttNames = in.readStringList();
+        if (in.getVersion().onOrAfter(Version.V_3_2_0)) {
+            customAttributes = in.readMap(StreamInput::readString, StreamInput::readString);
+        } else {
+            List<String> customAttNames = in.readStringList();
+            customAttributes = this.convertCustomAttributeNamesToMap(customAttNames);
+        }
         requestedTenant = in.readOptionalString();
         if (in.getVersion().onOrAfter(Version.V_3_2_0)) {
             requestedTenantAccess = in.readOptionalString();
@@ -147,7 +175,7 @@ public static User parse(XContentParser parser) throws IOException {
         String name = "";
         List<String> backendRoles = new ArrayList<>();
         List<String> roles = new ArrayList<>();
-        List<String> customAttNames = new ArrayList<>();
+        Map<String, String> customAttributes = new HashMap<>();
         String requestedTenant = null;
         String requestedTenantAccess = null;
 
@@ -171,10 +199,19 @@ public static User parse(XContentParser parser) throws IOException {
                         roles.add(parser.text());
                     }
                     break;
+                case CUSTOM_ATTRIBUTES_FIELD:
+                    ensureExpectedToken(XContentParser.Token.START_OBJECT, parser.currentToken(), parser);
+                    while (parser.nextToken() != XContentParser.Token.END_OBJECT) {
+                        String attrName = parser.currentName();
+                        parser.nextToken();
+                        String attrValue = parser.text();
+                        customAttributes.put(attrName, attrValue);
+                    }
+                    break;
                 case CUSTOM_ATTRIBUTE_NAMES_FIELD:
                     ensureExpectedToken(XContentParser.Token.START_ARRAY, parser.currentToken(), parser);
                     while (parser.nextToken() != XContentParser.Token.END_ARRAY) {
-                        customAttNames.add(parser.text());
+                        customAttributes.put(parser.text(), null);
                     }
                     break;
                 case REQUESTED_TENANT_FIELD:
@@ -187,14 +224,16 @@ public static User parse(XContentParser parser) throws IOException {
                     break;
             }
         }
-        return new User(name, backendRoles, roles, customAttNames, requestedTenant, requestedTenantAccess);
+
+        return new User(name, backendRoles, roles, customAttributes, requestedTenant, requestedTenantAccess);
     }
 
     /**
-     * User String format must be pipe separated as : user_name|backendrole1,backendrole2|roles1,role2
+     * User String format must be pipe separated as : user_name|backendrole1,backendrole2|roles1,role2|tenant|tenantAccess|base64-encoded(serialized(custom atttributes))
      * @param userString
      * @return
      */
+    @SuppressWarnings("unchecked")
     public static User parse(final String userString) {
         if (Strings.isNullOrEmpty(userString)) {
             return null;
@@ -212,6 +251,7 @@ public static User parse(final String userString) {
         List<String> roles = new ArrayList<>();
         String requestedTenant = null;
         String requestedTenantAccess = null;
+        Map<String, String> customAttributes = new HashMap<>();
 
         if ((strs.length > 1) && !Strings.isNullOrEmpty(strs[1])) {
             backendRoles.addAll(Arrays.stream(strs[1].split(",")).map(Utils::unescapePipe).toList());
@@ -225,7 +265,11 @@ public static User parse(final String userString) {
         if ((strs.length > 4) && !Strings.isNullOrEmpty(strs[4])) {
             requestedTenantAccess = strs[4].trim();
         }
-        return new User(userName, backendRoles, roles, Arrays.asList(), requestedTenant, requestedTenantAccess);
+        if ((strs.length > 5) && !Strings.isNullOrEmpty(strs[5])) {
+            customAttributes = (Map<String, String>) Base64Helper.deserializeObject(strs[5]);
+        }
+
+        return new User(userName, backendRoles, roles, customAttributes, requestedTenant, requestedTenantAccess);
     }
 
     @Override
@@ -235,9 +279,15 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws
             .field(NAME_FIELD, name)
             .field(BACKEND_ROLES_FIELD, backendRoles)
             .field(ROLES_FIELD, roles)
-            .field(CUSTOM_ATTRIBUTE_NAMES_FIELD, customAttNames)
             .field(REQUESTED_TENANT_FIELD, requestedTenant)
             .field(REQUESTED_TENANT_ACCESS, requestedTenantAccess);
+
+        if (customAttributes.size() > 0) {
+            builder.field(CUSTOM_ATTRIBUTES_FIELD, customAttributes);
+        } else {
+            builder.field(CUSTOM_ATTRIBUTE_NAMES_FIELD, new ArrayList<>());
+        }
+
         return builder.endObject();
     }
 
@@ -246,7 +296,12 @@ public void writeTo(StreamOutput out) throws IOException {
         out.writeString(name);
         out.writeStringCollection(backendRoles);
         out.writeStringCollection(roles);
-        out.writeStringCollection(customAttNames);
+        if (out.getVersion().onOrAfter(Version.V_3_2_0)) {
+            out.writeMap(customAttributes, StreamOutput::writeString, StreamOutput::writeString);
+        } else {
+            List<String> customAttributeNames = new ArrayList<>(customAttributes.keySet());
+            out.writeStringCollection(customAttributeNames);
+        }
         out.writeOptionalString(requestedTenant);
         if (out.getVersion().onOrAfter(Version.V_3_2_0)) {
             out.writeOptionalString(requestedTenantAccess);
@@ -259,7 +314,9 @@ public String toString() {
         builder.add(NAME_FIELD, name);
         builder.add(BACKEND_ROLES_FIELD, backendRoles);
         builder.add(ROLES_FIELD, roles);
-        builder.add(CUSTOM_ATTRIBUTE_NAMES_FIELD, customAttNames);
+        TreeMap<String, String> sortedCustomAttributes = new TreeMap<>();
+        sortedCustomAttributes.putAll(customAttributes);
+        builder.add(CUSTOM_ATTRIBUTES_FIELD, sortedCustomAttributes);
         builder.add(REQUESTED_TENANT_FIELD, requestedTenant);
         builder.add(REQUESTED_TENANT_ACCESS, requestedTenantAccess);
         return builder.toString();
@@ -274,7 +331,7 @@ public boolean equals(Object obj) {
         return this.name.equals(that.name)
             && this.getBackendRoles().equals(that.backendRoles)
             && this.getRoles().equals(that.roles)
-            && this.getCustomAttNames().equals(that.customAttNames)
+            && this.getCustomAttributes().equals(that.customAttributes)
             && (Objects.equals(this.requestedTenant, that.requestedTenant))
             && (Objects.equals(this.requestedTenantAccess, that.requestedTenantAccess));
     }
@@ -291,8 +348,12 @@ public List<String> getRoles() {
         return roles;
     }
 
+    public Map<String, String> getCustomAttributes() {
+        return customAttributes;
+    }
+
     public List<String> getCustomAttNames() {
-        return customAttNames;
+        return this.getCustomAttributeNamesFromMap(this.customAttributes);
     }
 
     @Nullable
@@ -312,4 +373,13 @@ public boolean isAdminDn(Settings settings) {
         List<String> adminDns = settings.getAsList(ConfigConstants.OPENSEARCH_SECURITY_AUTHCZ_ADMIN_DN, Collections.emptyList());
         return adminDns.contains(this.name);
     }
+
+    private Map<String, String> convertCustomAttributeNamesToMap(List<String> customAttNames) {
+        return customAttNames.stream().collect(Collectors.toMap(key -> key, key -> "null"));
+    }
+
+    private List<String> getCustomAttributeNamesFromMap(Map<String, String> customAttributes) {
+        List<String> customAttNames = new ArrayList<>(this.customAttributes.keySet());
+        return customAttNames;
+    }
 }