Adds user validation for threat intel transport layer classes and sta…

…shes the thread context for all system index interactions (#1207) Signed-off-by: Surya Sashank Nistala <[email protected]> (cherry picked from commit 1cb59d9) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
opensearch-project · Jul 31, 2024 · 17ef7de · 17ef7de
1 parent 1545a02
commit 17ef7de
Show file tree

Hide file tree

Showing 12 changed files with 66 additions and 5 deletions.
diff --git a/...nsearch/securityanalytics/threatIntel/transport/TransportDeleteTIFSourceConfigAction.java b/...nsearch/securityanalytics/threatIntel/transport/TransportDeleteTIFSourceConfigAction.java
@@ -2,34 +2,57 @@
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.opensearch.OpenSearchStatusException;
 import org.opensearch.action.support.ActionFilters;
 import org.opensearch.action.support.HandledTransportAction;
 import org.opensearch.common.inject.Inject;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.commons.authuser.User;
 import org.opensearch.core.action.ActionListener;
+import org.opensearch.core.rest.RestStatus;
+import org.opensearch.securityanalytics.settings.SecurityAnalyticsSettings;
 import org.opensearch.securityanalytics.threatIntel.action.SADeleteTIFSourceConfigAction;
 import org.opensearch.securityanalytics.threatIntel.action.SADeleteTIFSourceConfigRequest;
 import org.opensearch.securityanalytics.threatIntel.action.SADeleteTIFSourceConfigResponse;
 import org.opensearch.securityanalytics.threatIntel.service.SATIFSourceConfigManagementService;
 import org.opensearch.securityanalytics.transport.SecureTransportAction;
+import org.opensearch.securityanalytics.util.SecurityAnalyticsException;
 import org.opensearch.tasks.Task;
+import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.TransportService;
 
 public class TransportDeleteTIFSourceConfigAction extends HandledTransportAction<SADeleteTIFSourceConfigRequest, SADeleteTIFSourceConfigResponse> implements SecureTransportAction {
 
     private static final Logger log = LogManager.getLogger(TransportDeleteTIFSourceConfigAction.class);
 
+    private final Settings settings;
+    private final ThreadPool threadPool;
+    private volatile Boolean filterByEnabled;
     private final SATIFSourceConfigManagementService saTifConfigService;
 
     @Inject
     public TransportDeleteTIFSourceConfigAction(TransportService transportService,
                                                 ActionFilters actionFilters,
+                                                Settings settings,
+                                                final ThreadPool threadPool,
                                                 final SATIFSourceConfigManagementService saTifConfigService) {
         super(SADeleteTIFSourceConfigAction.NAME, transportService, actionFilters, SADeleteTIFSourceConfigRequest::new);
+        this.settings = settings;
+        this.threadPool = threadPool;
+        this.filterByEnabled = SecurityAnalyticsSettings.FILTER_BY_BACKEND_ROLES.get(this.settings);
         this.saTifConfigService = saTifConfigService;
     }
 
     @Override
     protected void doExecute(Task task, SADeleteTIFSourceConfigRequest request, ActionListener<SADeleteTIFSourceConfigResponse> actionListener) {
+        User user = readUserFromThreadContext(this.threadPool);
+        String validateBackendRoleMessage = validateUserBackendRoles(user, this.filterByEnabled);
+        if (!"".equals(validateBackendRoleMessage)) {
+            actionListener.onFailure(SecurityAnalyticsException.wrap(new OpenSearchStatusException(validateBackendRoleMessage, RestStatus.FORBIDDEN)));
+            return;
+        }
+        this.threadPool.getThreadContext().stashContext();
+
         saTifConfigService.deleteTIFSourceConfig(request.getId(), ActionListener.wrap(
                 response -> actionListener.onResponse(
                         new SADeleteTIFSourceConfigResponse(

diff --git a/...org/opensearch/securityanalytics/threatIntel/transport/TransportGetIocFindingsAction.java b/...org/opensearch/securityanalytics/threatIntel/transport/TransportGetIocFindingsAction.java
@@ -90,6 +90,8 @@ protected void doExecute(Task task, GetIocFindingsRequest request, ActionListene
             actionListener.onFailure(new OpenSearchStatusException("Do not have permissions to resource", RestStatus.FORBIDDEN));
             return;
         }
+        this.threadPool.getThreadContext().stashContext();
+
         Table tableProp = request.getTable();
         FieldSortBuilder sortBuilder = SortBuilders
                 .fieldSort(tableProp.getSortString())

diff --git a/...opensearch/securityanalytics/threatIntel/transport/TransportGetTIFSourceConfigAction.java b/...opensearch/securityanalytics/threatIntel/transport/TransportGetTIFSourceConfigAction.java
@@ -60,7 +60,6 @@ protected void doExecute(Task task, SAGetTIFSourceConfigRequest request, ActionL
             actionListener.onFailure(new OpenSearchStatusException("Do not have permissions to resource", RestStatus.FORBIDDEN));
             return;
         }
-
         this.threadPool.getThreadContext().stashContext();
 
         saTifConfigService.getTIFSourceConfig(request.getId(), ActionListener.wrap(

diff --git a/...ensearch/securityanalytics/threatIntel/transport/TransportIndexTIFSourceConfigAction.java b/...ensearch/securityanalytics/threatIntel/transport/TransportIndexTIFSourceConfigAction.java
@@ -82,6 +82,8 @@ protected void doExecute(final Task task, final SAIndexTIFSourceConfigRequest re
             listener.onFailure(SecurityAnalyticsException.wrap(new OpenSearchStatusException(validateBackendRoleMessage, RestStatus.FORBIDDEN)));
             return;
         }
+        this.threadPool.getThreadContext().stashContext();
+
         retrieveLockAndCreateTIFConfig(request, listener, user);
     }
 

diff --git a/...java/org/opensearch/securityanalytics/threatIntel/transport/TransportPutTIFJobAction.java b/...java/org/opensearch/securityanalytics/threatIntel/transport/TransportPutTIFJobAction.java
@@ -15,10 +15,13 @@
 import org.opensearch.action.support.HandledTransportAction;
 import org.opensearch.action.support.master.AcknowledgedResponse;
 import org.opensearch.common.inject.Inject;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.commons.authuser.User;
 import org.opensearch.core.action.ActionListener;
 import org.opensearch.core.rest.RestStatus;
 import org.opensearch.index.engine.VersionConflictEngineException;
 import org.opensearch.jobscheduler.spi.LockModel;
+import org.opensearch.securityanalytics.settings.SecurityAnalyticsSettings;
 import org.opensearch.securityanalytics.threatIntel.action.PutTIFJobAction;
 import org.opensearch.securityanalytics.threatIntel.action.PutTIFJobRequest;
 import org.opensearch.securityanalytics.threatIntel.action.ThreatIntelIndicesResponse;
@@ -27,6 +30,7 @@
 import org.opensearch.securityanalytics.threatIntel.model.TIFJobParameter;
 import org.opensearch.securityanalytics.threatIntel.service.TIFJobParameterService;
 import org.opensearch.securityanalytics.threatIntel.service.TIFJobUpdateService;
+import org.opensearch.securityanalytics.transport.SecureTransportAction;
 import org.opensearch.tasks.Task;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.TransportService;
@@ -40,13 +44,16 @@
 /**
  * Transport action to create job to fetch threat intel feed data and save IoCs
  */
-public class TransportPutTIFJobAction extends HandledTransportAction<PutTIFJobRequest, AcknowledgedResponse> {
+public class TransportPutTIFJobAction extends HandledTransportAction<PutTIFJobRequest, AcknowledgedResponse> implements SecureTransportAction {
     // TODO refactor this into a service class that creates feed updation job. This is not necessary to be a transport action
     private static final Logger log = LogManager.getLogger(TransportPutTIFJobAction.class);
 
     private final TIFJobParameterService tifJobParameterService;
     private final TIFJobUpdateService tifJobUpdateService;
     private final TIFLockService lockService;
+    private final Settings settings;
+    private final ThreadPool threadPool;
+    private volatile Boolean filterByEnabled;
 
     /**
      * Default constructor
@@ -64,16 +71,29 @@ public TransportPutTIFJobAction(
             final ThreadPool threadPool,
             final TIFJobParameterService tifJobParameterService,
             final TIFJobUpdateService tifJobUpdateService,
-            final TIFLockService lockService
+            final TIFLockService lockService,
+            Settings settings
     ) {
         super(PutTIFJobAction.NAME, transportService, actionFilters, PutTIFJobRequest::new);
         this.tifJobParameterService = tifJobParameterService;
         this.tifJobUpdateService = tifJobUpdateService;
         this.lockService = lockService;
+        this.threadPool = threadPool;
+        this.settings = settings;
+        this.filterByEnabled = SecurityAnalyticsSettings.FILTER_BY_BACKEND_ROLES.get(this.settings);
     }
 
     @Override
     protected void doExecute(final Task task, final PutTIFJobRequest request, final ActionListener<AcknowledgedResponse> listener) {
+        User user = readUserFromThreadContext(this.threadPool);
+
+        String validateBackendRoleMessage = validateUserBackendRoles(user, this.filterByEnabled);
+        if (!"".equals(validateBackendRoleMessage)) {
+            listener.onFailure(new OpenSearchStatusException("Do not have permissions to resource", RestStatus.FORBIDDEN));
+            return;
+        }
+        this.threadPool.getThreadContext().stashContext();
+
         try {
             lockService.acquireLock(request.getName(), LOCK_DURATION_IN_SECONDS, ActionListener.wrap(lock -> {
                 if (lock == null) {

diff --git a/...search/securityanalytics/threatIntel/transport/TransportRefreshTIFSourceConfigAction.java b/...search/securityanalytics/threatIntel/transport/TransportRefreshTIFSourceConfigAction.java
@@ -60,6 +60,7 @@ protected void doExecute(Task task, SARefreshTIFSourceConfigRequest request, Act
             actionListener.onFailure(new OpenSearchStatusException("Do not have permissions to resource", RestStatus.FORBIDDEN));
             return;
         }
+        this.threadPool.getThreadContext().stashContext();
 
         saTifSourceConfigManagementService.refreshTIFSourceConfig(request.getId(), user, ActionListener.wrap(
                 r -> actionListener.onResponse(

diff --git a/...search/securityanalytics/threatIntel/transport/TransportSearchTIFSourceConfigsAction.java b/...search/securityanalytics/threatIntel/transport/TransportSearchTIFSourceConfigsAction.java
@@ -66,8 +66,8 @@ protected void doExecute(Task task, SASearchTIFSourceConfigsRequest request, Act
             actionListener.onFailure(new OpenSearchStatusException("Do not have permissions to resource", RestStatus.FORBIDDEN));
             return;
         }
-
         this.threadPool.getThreadContext().stashContext(); // stash context to make calls as admin client
+
         StepListener<Void> defaultTifConfigsLoadedListener;
         try {
             defaultTifConfigsLoadedListener = new StepListener<>();

diff --git a/...urityanalytics/threatIntel/transport/monitor/TransportDeleteThreatIntelMonitorAction.java b/...urityanalytics/threatIntel/transport/monitor/TransportDeleteThreatIntelMonitorAction.java
@@ -61,6 +61,8 @@ protected void doExecute(Task task, DeleteThreatIntelMonitorRequest request, Act
             listener.onFailure(SecurityAnalyticsException.wrap(new OpenSearchStatusException(validateBackendRoleMessage, RestStatus.FORBIDDEN)));
             return;
         }
+        this.threadPool.getThreadContext().stashContext();
+
         AlertingPluginInterface.INSTANCE.deleteMonitor((NodeClient) client,
                 new DeleteMonitorRequest(request.getMonitorId(), WriteRequest.RefreshPolicy.IMMEDIATE),
                 listener);

diff --git a/.../securityanalytics/threatIntel/transport/monitor/TransportGetThreatIntelAlertsAction.java b/.../securityanalytics/threatIntel/transport/monitor/TransportGetThreatIntelAlertsAction.java
@@ -102,6 +102,8 @@ protected void doExecute(Task task, GetThreatIntelAlertsRequest request, ActionL
             listener.onFailure(new OpenSearchStatusException("Do not have permissions to resource", RestStatus.FORBIDDEN));
             return;
         }
+        this.threadPool.getThreadContext().stashContext();
+
         //fetch monitors and search
         SearchRequest threatIntelMonitorsSearchRequest = new SearchRequest();
         threatIntelMonitorsSearchRequest.indices(".opendistro-alerting-config");

diff --git a/...curityanalytics/threatIntel/transport/monitor/TransportIndexThreatIntelMonitorAction.java b/...curityanalytics/threatIntel/transport/monitor/TransportIndexThreatIntelMonitorAction.java
@@ -107,6 +107,8 @@ protected void doExecute(Task task, IndexThreatIntelMonitorRequest request, Acti
                 listener.onFailure(SecurityAnalyticsException.wrap(new OpenSearchStatusException(validateBackendRoleMessage, RestStatus.FORBIDDEN)));
                 return;
             }
+            this.threadPool.getThreadContext().stashContext();
+
             if(request.getMethod().equals(RestRequest.Method.PUT)) {
                 indexMonitor(request, listener, user);
                 return;

diff --git a/...urityanalytics/threatIntel/transport/monitor/TransportSearchThreatIntelMonitorAction.java b/...urityanalytics/threatIntel/transport/monitor/TransportSearchThreatIntelMonitorAction.java
@@ -1,5 +1,6 @@
 package org.opensearch.securityanalytics.threatIntel.transport.monitor;
 
+import org.opensearch.OpenSearchStatusException;
 import org.opensearch.action.search.SearchResponse;
 import org.opensearch.action.support.ActionFilters;
 import org.opensearch.action.support.HandledTransportAction;
@@ -17,6 +18,7 @@
 import org.opensearch.commons.authuser.User;
 import org.opensearch.core.action.ActionListener;
 import org.opensearch.core.common.bytes.BytesReference;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.core.xcontent.XContentBuilder;
 import org.opensearch.core.xcontent.XContentParser;
@@ -70,7 +72,11 @@ protected void doExecute(Task task, SearchThreatIntelMonitorRequest request, Act
 //            log.info("Filtering result by: {}", user.getBackendRoles());
 //            addFilter(user, request.searchRequest().source(), "detector.user.backend_roles.keyword");
 //        } // TODO
-
+        String validateBackendRoleMessage = validateUserBackendRoles(user, this.filterByEnabled);
+        if (!"".equals(validateBackendRoleMessage)) {
+            listener.onFailure(new OpenSearchStatusException("Do not have permissions to resource", RestStatus.FORBIDDEN));
+            return;
+        }
         this.threadPool.getThreadContext().stashContext();
 
         //TODO change search request to fetch threat intel monitors

diff --git a/...yanalytics/threatIntel/transport/monitor/TransportUpdateThreatIntelAlertStatusAction.java b/...yanalytics/threatIntel/transport/monitor/TransportUpdateThreatIntelAlertStatusAction.java
@@ -96,6 +96,8 @@ protected void doExecute(Task task, UpdateThreatIntelAlertStatusRequest request,
             listener.onFailure(new OpenSearchStatusException("Do not have permissions to resource", RestStatus.FORBIDDEN));
             return;
         }
+        this.threadPool.getThreadContext().stashContext();
+
         //fetch monitors and search
         SearchRequest threatIntelMonitorsSearchRequest = new SearchRequest();
         threatIntelMonitorsSearchRequest.indices(".opendistro-alerting-config");
-Original file line number
+Diff line change
@@ Expand Up @@
                 actionListener.onFailure(new OpenSearchStatusException("Do not have permissions to resource", RestStatus.FORBIDDEN));
                 return;
             }
             this.threadPool.getThreadContext().stashContext();
             saTifConfigService.getTIFSourceConfig(request.getId(), ActionListener.wrap(
@@ Expand Down @@