Add generic way to define sensitive url params on http authenticator

Signed-off-by: Craig Perkins <cwperx@amazon.com>

Author: cwperks

src/main/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticator.java

@@ -15,9 +15,11 @@
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.Map;
 import java.util.Map.Entry;
 import java.util.Optional;
+import java.util.Set;
 import java.util.regex.Pattern;
 
 import org.apache.http.HttpStatus;
@@ -194,8 +196,12 @@ public Optional<SecurityResponse> reRequestAuthentication(final SecurityRequest
         );
     }
 
-    public String getJwtUrlParameter() {
-        return jwtUrlParameter;
+    @Override
+    public Set<String> getSensitiveUrlParams() {
+        if (jwtUrlParameter != null) {
+            return Set.of(jwtUrlParameter);
+        }
+        return Collections.emptySet();
     }
 
     @Override

src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java

@@ -78,7 +78,6 @@
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.TransportRequest;
 
-import com.amazon.dlic.auth.http.jwt.HTTPJwtAuthenticator;
 import com.flipkart.zjsonpatch.JsonDiff;
 import org.greenrobot.eventbus.Subscribe;
 
@@ -946,12 +945,7 @@ public void onDynamicConfigModelChanged(DynamicConfigModel dcm) {
         SortedSet<AuthDomain> authDomains = Collections.unmodifiableSortedSet(dcm.getRestAuthDomains());
         ignoredUrlParams.clear();
         for (AuthDomain authDomain : authDomains) {
-            if ("jwt".equals(authDomain.getHttpAuthenticator().getType())) {
-                HTTPJwtAuthenticator jwtAuthenticator = (HTTPJwtAuthenticator) authDomain.getHttpAuthenticator();
-                if (jwtAuthenticator.getJwtUrlParameter() != null) {
-                    ignoredUrlParams.add(jwtAuthenticator.getJwtUrlParameter());
-                }
-            }
+            ignoredUrlParams.addAll(authDomain.getHttpAuthenticator().getSensitiveUrlParams());
         }
     }
 }

src/main/java/org/opensearch/security/auth/HTTPAuthenticator.java

@@ -26,7 +26,9 @@
 
 package org.opensearch.security.auth;
 
+import java.util.Collections;
 import java.util.Optional;
+import java.util.Set;
 
 import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.common.util.concurrent.ThreadContext;
@@ -92,4 +94,14 @@ public interface HTTPAuthenticator {
     default boolean supportsImpersonation() {
         return true;
     }
+
+    /**
+     * Returns a set of URL parameters this authenticator supports that are considered sensitive
+     * and should be redacted in the audit logs
+     *
+     * @return The set of URL parameters considered sensitive for this authenticator.
+     */
+    default Set<String> getSensitiveUrlParams() {
+        return Collections.emptySet();
+    }
 }