fix authToken

iigonin · bennygoerzig · KarstenSchnitter · iigonin · commit 30e4a98e7fb2 · 2026-01-22T18:12:08.000+01:00
Signed-off-by: Igonin &lt;iigonin@sternad.de&gt;
Co-authored-by: Benny Goerzig &lt;benny.goerzig@sap.com&gt;
Co-authored-by: Karsten Schnitter &lt;k.schnitter@sap.com&gt;
Co-authored-by: Kai Sternad &lt;k.sternad@sternad.de&gt;
diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/InternalUsersApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/InternalUsersApiAction.java
@@ -338,6 +338,8 @@ public Map<String, RequestContentValidator.DataType> allowedKeys() {
                             .put("opendistro_security_roles", DataType.ARRAY)
                             .put("hash", DataType.STRING)
                             .put("password", DataType.STRING)
+                            .put("service", DataType.BOOLEAN)
+                            .put("enabled", DataType.BOOLEAN)
                             .build();
                     }
                 });
diff --git a/src/main/java/org/opensearch/security/securityconf/impl/v7/InternalUserV7.java b/src/main/java/org/opensearch/security/securityconf/impl/v7/InternalUserV7.java
@@ -127,11 +127,11 @@ public void setAttributes(Map<String, String> attributes) {
         this.attributes = attributes;
     }
 
-    public boolean enabled() {
+    public boolean isEnabled() {
         return this.enabled;
     }
 
-    public boolean service() {
+    public boolean isService() {
         return this.service;
     }
 
diff --git a/src/main/java/org/opensearch/security/user/UserService.java b/src/main/java/org/opensearch/security/user/UserService.java
@@ -155,18 +155,24 @@ public SecurityDynamicConfiguration<?> createOrUpdateAccount(ObjectNode contentA
             throw new UserServiceException(NO_ACCOUNT_NAME_MESSAGE);
         }
 
-        SecurityJsonNode attributeNode = securityJsonNode.get("attributes");
+        // Read service flag from top level (boolean)
+        SecurityJsonNode serviceNode = securityJsonNode.get("service");
+        boolean isServiceAccount = !serviceNode.isNull() && Boolean.parseBoolean(serviceNode.asString());
 
-        if (!attributeNode.get("service").isNull() && attributeNode.get("service").asString().equalsIgnoreCase("true")) { // If this is a
-                                                                                                                          // service account
+        if (isServiceAccount) {
             verifyServiceAccount(securityJsonNode, accountName);
             String password = generatePassword();
             contentAsNode.put("hash", passwordHasher.hash(password.toCharArray()));
-            contentAsNode.put("service", "true");
+            contentAsNode.put("service", true);
         } else {
-            contentAsNode.put("service", "false");
+            contentAsNode.put("service", false);
         }
 
+        // Read enabled flag from top level (boolean), default to true
+        SecurityJsonNode enabledNode = securityJsonNode.get("enabled");
+        boolean isEnabled = enabledNode.isNull() || Boolean.parseBoolean(enabledNode.asString());
+        contentAsNode.put("enabled", isEnabled);
+
         securityJsonNode = new SecurityJsonNode(contentAsNode);
         final var foundRestrictedContents = restrictedFromUsername(accountName);
         if (foundRestrictedContents.isPresent()) {
@@ -185,10 +191,6 @@ public SecurityDynamicConfiguration<?> createOrUpdateAccount(ObjectNode contentA
             contentAsNode.remove("password");
         }
 
-        if (!attributeNode.get("enabled").isNull()) {
-            contentAsNode.put("enabled", securityJsonNode.get("enabled").asString());
-        }
-
         final boolean userExisted = internalUsersConfiguration.exists(accountName);
 
         // sanity checks, hash is mandatory for newly created users
@@ -273,21 +275,23 @@ public AuthToken generateAuthToken(String accountName) throws IOException {
             final ObjectNode contentAsNode = (ObjectNode) accountDetails;
             SecurityJsonNode securityJsonNode = new SecurityJsonNode(contentAsNode);
 
-            Optional.ofNullable(securityJsonNode.get("attributes").get("service"))
-                .map(SecurityJsonNode::asString)
-                .filter("true"::equalsIgnoreCase)
-                .orElseThrow(() -> new UserServiceException(AUTH_TOKEN_GENERATION_MESSAGE));
+            var serviceNode = securityJsonNode.get("service");
+            boolean isService = !serviceNode.isNull() && Boolean.parseBoolean(serviceNode.asString());
+            if (!isService) {
+                throw new UserServiceException(AUTH_TOKEN_GENERATION_MESSAGE);
+            }
 
-            Optional.ofNullable(securityJsonNode.get("attributes").get("enabled"))
-                .map(SecurityJsonNode::asString)
-                .filter("true"::equalsIgnoreCase)
-                .orElseThrow(() -> new UserServiceException(AUTH_TOKEN_GENERATION_MESSAGE));
+            var enabledNode = securityJsonNode.get("enabled");
+            boolean isEnabled = enabledNode.isNull() || Boolean.parseBoolean(enabledNode.asString());
+            if (!isEnabled) {
+                throw new UserServiceException(AUTH_TOKEN_GENERATION_MESSAGE);
+            }
 
             // Generate a new password for the account and store the hash of it
             String plainTextPassword = generatePassword();
             contentAsNode.put("hash", passwordHasher.hash(plainTextPassword.toCharArray()));
-            contentAsNode.put("enabled", "true");
-            contentAsNode.put("service", "true");
+            contentAsNode.put("enabled", true);
+            contentAsNode.put("service", true);
 
             // Update the internal user associated with the auth token
             internalUsersConfiguration.remove(accountName);
@@ -296,7 +300,8 @@ public AuthToken generateAuthToken(String accountName) throws IOException {
                 accountName,
                 DefaultObjectMapper.readTree(contentAsNode, internalUsersConfiguration.getImplementingClass())
             );
-            saveAndUpdateConfigs(getUserConfigName().toString(), client, CType.INTERNALUSERS, internalUsersConfiguration);
+            saveAndUpdateConfigs(securityIndex, client, CType.INTERNALUSERS, internalUsersConfiguration);
+            configurationRepository.reloadConfiguration(java.util.Set.of(CType.INTERNALUSERS), null);
 
             authToken = Base64.getUrlEncoder().encodeToString((accountName + ":" + plainTextPassword).getBytes(StandardCharsets.UTF_8));
             return new BasicAuthToken("Basic " + authToken);

Original file line number	Diff line number	Diff line change
`@@ -338,6 +338,8 @@ public Map<String, RequestContentValidator.DataType> allowedKeys() {`
`338`	`338`	`.put("opendistro_security_roles", DataType.ARRAY)`
`339`	`339`	`.put("hash", DataType.STRING)`
`340`	`340`	`.put("password", DataType.STRING)`
	`341`	`+ .put("service", DataType.BOOLEAN)`
	`342`	`+ .put("enabled", DataType.BOOLEAN)`
`341`	`343`	`.build();`
`342`	`344`	`}`
`343`	`345`	`});`
Original file line number	Diff line number	Diff line change
`@@ -127,11 +127,11 @@ public void setAttributes(Map<String, String> attributes) {`
`127`	`127`	`this.attributes = attributes;`
`128`	`128`	`}`
`129`	`129`
`130`		`- public boolean enabled() {`
	`130`	`+ public boolean isEnabled() {`
`131`	`131`	`return this.enabled;`
`132`	`132`	`}`
`133`	`133`
`134`		`- public boolean service() {`
	`134`	`+ public boolean isService() {`
`135`	`135`	`return this.service;`
`136`	`136`	`}`
`137`	`137`