Skip to content

Commit

Permalink
Fix spotless
Browse files Browse the repository at this point in the history
Signed-off-by: Peter Nied <[email protected]>
  • Loading branch information
peternied committed Oct 4, 2023
1 parent 33aa863 commit 0c5a97d
Show file tree
Hide file tree
Showing 23 changed files with 50 additions and 68 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,6 @@
import org.opensearch.core.rest.RestStatus;
import org.opensearch.security.auth.HTTPAuthenticator;
import org.opensearch.security.filter.SecurityRequest;
import org.opensearch.security.filter.SecurityRequestChannel;
import org.opensearch.security.filter.SecurityResponse;
import org.opensearch.security.user.AuthCredentials;

Expand Down Expand Up @@ -241,11 +240,9 @@ public String[] extractRoles(JwtClaims claims) {

@Override
public Optional<SecurityResponse> reRequestAuthentication(final SecurityRequest request, AuthCredentials authCredentials) {
return Optional.of(new SecurityResponse(
HttpStatus.SC_UNAUTHORIZED,
Map.of("WWW-Authenticate", "Bearer realm=\"OpenSearch Security\""),
""
));
return Optional.of(
new SecurityResponse(HttpStatus.SC_UNAUTHORIZED, Map.of("WWW-Authenticate", "Bearer realm=\"OpenSearch Security\""), "")
);
}

public String getRequiredAudience() {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,6 @@
import org.opensearch.common.util.concurrent.ThreadContext;
import org.opensearch.security.auth.HTTPAuthenticator;
import org.opensearch.security.filter.SecurityRequest;
import org.opensearch.security.filter.SecurityRequestChannel;
import org.opensearch.security.filter.SecurityResponse;
import org.opensearch.security.user.AuthCredentials;
import org.opensearch.security.util.KeyUtils;
Expand Down Expand Up @@ -175,11 +174,9 @@ private AuthCredentials extractCredentials0(final SecurityRequest request) {

@Override
public Optional<SecurityResponse> reRequestAuthentication(final SecurityRequest channel, AuthCredentials creds) {
return Optional.of(new SecurityResponse(
HttpStatus.SC_UNAUTHORIZED,
Map.of("WWW-Authenticate", "Bearer realm=\"OpenSearch Security\""),
""
));
return Optional.of(
new SecurityResponse(HttpStatus.SC_UNAUTHORIZED, Map.of("WWW-Authenticate", "Bearer realm=\"OpenSearch Security\""), "")
);
}

@Override
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,6 @@
import org.opensearch.env.Environment;
import org.opensearch.security.auth.HTTPAuthenticator;
import org.opensearch.security.filter.SecurityRequest;
import org.opensearch.security.filter.SecurityRequestChannel;
import org.opensearch.security.filter.SecurityResponse;
import org.opensearch.security.user.AuthCredentials;

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,6 @@
import org.opensearch.security.auth.Destroyable;
import org.opensearch.security.auth.HTTPAuthenticator;
import org.opensearch.security.filter.SecurityRequest;
import org.opensearch.security.filter.SecurityRequestChannel;
import org.opensearch.security.filter.SecurityRequetChannelUnsupported;
import org.opensearch.security.filter.SecurityResponse;
import org.opensearch.security.filter.OpenSearchRequestChannel;
Expand Down Expand Up @@ -200,11 +199,9 @@ public Optional<SecurityResponse> reRequestAuthentication(final SecurityRequest
}

final Saml2Settings saml2Settings = this.saml2SettingsProvider.getCached();
return Optional.of(new SecurityResponse(
HttpStatus.SC_UNAUTHORIZED,
Map.of("WWW-Authenticate", getWwwAuthenticateHeader(saml2Settings)),
""
));
return Optional.of(
new SecurityResponse(HttpStatus.SC_UNAUTHORIZED, Map.of("WWW-Authenticate", getWwwAuthenticateHeader(saml2Settings)), "")
);
} catch (Exception e) {
log.error("Error in reRequestAuthentication()", e);
return Optional.empty();
Expand Down
24 changes: 13 additions & 11 deletions src/main/java/org/opensearch/security/auth/BackendRegistry.java
Original file line number Diff line number Diff line change
Expand Up @@ -53,9 +53,7 @@
import org.opensearch.OpenSearchSecurityException;
import org.opensearch.common.settings.Settings;
import org.opensearch.core.common.transport.TransportAddress;
import org.opensearch.common.util.concurrent.ThreadContext;
import org.opensearch.core.rest.RestStatus;
import org.opensearch.rest.BytesRestResponse;
import org.opensearch.security.auditlog.AuditLog;
import org.opensearch.security.auth.blocking.ClientBlockRegistry;
import org.opensearch.security.auth.internal.NoOpAuthenticationBackend;
Expand Down Expand Up @@ -221,7 +219,9 @@ public boolean authenticate(final SecurityRequestChannel request) {

if (!isInitialized()) {
log.error("Not yet initialized (you may need to run securityadmin)");
request.completeWithResponse(new SecurityResponse(HttpStatus.SC_SERVICE_UNAVAILABLE, null, "OpenSearch Security not initialized."));
request.completeWithResponse(
new SecurityResponse(HttpStatus.SC_SERVICE_UNAVAILABLE, null, "OpenSearch Security not initialized.")
);
return false;
}

Expand Down Expand Up @@ -350,11 +350,13 @@ public boolean authenticate(final SecurityRequestChannel request) {
if (adminDns.isAdmin(authenticatedUser)) {
log.error("Cannot authenticate rest user because admin user is not permitted to login via HTTP");
auditLog.logFailedLogin(authenticatedUser.getName(), true, null, request);
request.completeWithResponse(new SecurityResponse(
HttpStatus.SC_FORBIDDEN,
null,
"Cannot authenticate user because admin user is not permitted to login via HTTP"
));
request.completeWithResponse(
new SecurityResponse(
HttpStatus.SC_FORBIDDEN,
null,
"Cannot authenticate user because admin user is not permitted to login via HTTP"
)
);
return false;
}

Expand Down Expand Up @@ -397,7 +399,7 @@ public boolean authenticate(final SecurityRequestChannel request) {
}
return true;
}

Optional<SecurityResponse> challengeResponse = Optional.empty();

if (firstChallengingHttpAuthenticator != null) {
Expand Down Expand Up @@ -592,15 +594,15 @@ private User impersonate(final SecurityRequestChannel request, final User origin
}

if (adminDns.isAdminDN(impersonatedUserHeader)) {

throw new OpenSearchSecurityException(
"It is not allowed to impersonate as an adminuser '" + impersonatedUserHeader + "'",
RestStatus.FORBIDDEN
);
}

if (!adminDns.isRestImpersonationAllowed(originalUser.getName(), impersonatedUserHeader)) {

throw new OpenSearchSecurityException(
"'" + originalUser.getName() + "' is not allowed to impersonate as '" + impersonatedUserHeader + "'",
RestStatus.FORBIDDEN
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,6 @@
import org.opensearch.common.util.concurrent.ThreadContext;
import org.opensearch.rest.RestRequest;
import org.opensearch.security.filter.SecurityRequest;
import org.opensearch.security.filter.SecurityRequestChannel;
import org.opensearch.security.filter.SecurityResponse;
import org.opensearch.security.user.AuthCredentials;

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,6 @@
import org.opensearch.security.dlic.rest.validation.EndpointValidator;
import org.opensearch.security.dlic.rest.validation.RequestContentValidator;
import org.opensearch.security.dlic.rest.validation.ValidationResult;
import org.opensearch.security.filter.SecurityRequestChannel;
import org.opensearch.security.filter.SecurityRequestFactory;
import org.opensearch.security.securityconf.DynamicConfigFactory;
import org.opensearch.security.securityconf.impl.CType;
Expand Down Expand Up @@ -373,7 +372,7 @@ protected final ValidationResult<SecurityDynamicConfiguration<?>> loadConfigurat
) {
final var configuration = load(cType, logComplianceEvent);
if (configuration.getSeqNo() < 0) {

return ValidationResult.error(
RestStatus.FORBIDDEN,
forbiddenMessage(
Expand Down Expand Up @@ -414,19 +413,19 @@ public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() {

@Override
public ValidationResult<SecurityConfiguration> onConfigDelete(SecurityConfiguration securityConfiguration) throws IOException {

return ValidationResult.error(RestStatus.FORBIDDEN, forbiddenMessage("Access denied"));
}

@Override
public ValidationResult<SecurityConfiguration> onConfigLoad(SecurityConfiguration securityConfiguration) throws IOException {

return ValidationResult.error(RestStatus.FORBIDDEN, forbiddenMessage("Access denied"));
}

@Override
public ValidationResult<SecurityConfiguration> onConfigChange(SecurityConfiguration securityConfiguration) throws IOException {

return ValidationResult.error(RestStatus.FORBIDDEN, forbiddenMessage("Access denied"));
}

Expand Down Expand Up @@ -564,7 +563,7 @@ protected final RestChannelConsumer prepareRequest(RestRequest request, NodeClie
securityApiDependencies.auditLog().logGrantedPrivileges(userName, SecurityRequestFactory.from(request));
}

final var originalUserAndRemoteAddress = Utils.userAndRemoteAddressFrom(threadPool.getThreadContext());
final var originalUserAndRemoteAddress = Utils.userAndRemoteAddressFrom(threadPool.getThreadContext());
final Object originalOrigin = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN);

return channel -> threadPool.generic().submit(() -> {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -139,7 +139,7 @@ public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() {
public ValidationResult<SecurityConfiguration> isAllowedToChangeImmutableEntity(SecurityConfiguration securityConfiguration)
throws IOException {
if (STATIC_OPENSEARCH_YML_NODES_DN.equals(securityConfiguration.entityName())) {

return ValidationResult.error(
RestStatus.FORBIDDEN,
forbiddenMessage("Resource '" + STATIC_OPENSEARCH_YML_NODES_DN + "' is read-only.")
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,7 @@ public static void response(RestChannel channel, RestStatus status, String messa
public static void response(final RestChannel channel, final RestStatus status, final ToXContent toXContent) {
try (final var builder = channel.newBuilder()) {
toXContent.toXContent(builder, ToXContent.EMPTY_PARAMS);

channel.sendResponse(new BytesRestResponse(status, builder));
} catch (final IOException ioe) {
throw ExceptionsHelper.convertToOpenSearchException(ioe);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ default boolean isCurrentUserAdmin() {

default ValidationResult<String> withRequiredEntityName(final String entityName) {
if (entityName == null) {

return ValidationResult.error(RestStatus.BAD_REQUEST, badRequestMessage("No " + resourceName() + " specified."));
}
return ValidationResult.success(entityName);
Expand Down Expand Up @@ -105,7 +105,7 @@ default ValidationResult<SecurityConfiguration> entityStatic(final SecurityConfi
final var configuration = securityConfiguration.configuration();
final var entityName = securityConfiguration.entityName();
if (configuration.isStatic(entityName)) {

return ValidationResult.error(RestStatus.FORBIDDEN, forbiddenMessage("Resource '" + entityName + "' is static."));
}
return ValidationResult.success(securityConfiguration);
Expand All @@ -124,7 +124,7 @@ default ValidationResult<SecurityConfiguration> entityHidden(final SecurityConfi
final var configuration = securityConfiguration.configuration();
final var entityName = securityConfiguration.entityName();
if (configuration.isHidden(entityName)) {

return ValidationResult.error(RestStatus.NOT_FOUND, notFoundMessage("Resource '" + entityName + "' is not available."));
}
return ValidationResult.success(securityConfiguration);
Expand Down Expand Up @@ -152,7 +152,7 @@ default ValidationResult<SecurityConfiguration> isAllowedToChangeEntityWithRestA
final var configuration = securityConfiguration.configuration();
final var existingEntity = configuration.getCEntry(securityConfiguration.entityName());
if (restApiAdminPrivilegesEvaluator().containsRestApiAdminPermissions(existingEntity)) {

return ValidationResult.error(RestStatus.FORBIDDEN, forbiddenMessage("Access denied"));
}
} else {
Expand All @@ -162,7 +162,7 @@ default ValidationResult<SecurityConfiguration> isAllowedToChangeEntityWithRestA
configuration.getImplementingClass()
);
if (restApiAdminPrivilegesEvaluator().containsRestApiAdminPermissions(configEntityContent)) {

return ValidationResult.error(RestStatus.FORBIDDEN, forbiddenMessage("Access denied"));
}
}
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
package org.opensearch.security.filter;

import java.util.Map;
import java.util.concurrent.atomic.AtomicBoolean;

import org.apache.logging.log4j.LogManager;
Expand Down Expand Up @@ -29,7 +28,7 @@ public boolean hasCompleted() {

@Override
public boolean completeWithResponse(final SecurityResponse response) {

if (underlyingChannel == null) {
throw new UnsupportedOperationException("Channel was not defined");
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -464,7 +464,7 @@ public void onFailure(Exception e) {
: String.format("no permissions for %s and %s", pres.getMissingPrivileges(), user);
}
log.debug(err);

listener.onFailure(new OpenSearchSecurityException(err, RestStatus.FORBIDDEN));
}
} catch (OpenSearchException e) {
Expand Down Expand Up @@ -515,7 +515,7 @@ private boolean checkImmutableIndices(Object request, ActionListener listener) {
|| request instanceof IndicesAliasesRequest;

if (isModifyIndexRequest && isRequestIndexImmutable(request)) {

listener.onFailure(new OpenSearchSecurityException("Index is immutable", RestStatus.FORBIDDEN));
return true;
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -206,7 +206,7 @@ private void authorizeRequest(RestHandler original, SecurityRequestChannel reque
err = String.format("no permissions for %s and %s", pres.getMissingPrivileges(), user);
}
log.debug(err);

request.completeWithResponse(new SecurityResponse(HttpStatus.SC_UNAUTHORIZED, null, err));
return;
}
Expand All @@ -220,7 +220,7 @@ public void checkAndAuthenticateRequest(SecurityRequestChannel requestChannel) t
final OpenSearchException exception = ExceptionUtils.createBadHeaderException();
log.error(exception.toString());
auditLog.logBadHeaders(requestChannel);

requestChannel.completeWithResponse(new SecurityResponse(HttpStatus.SC_FORBIDDEN, null, exception.toString()));
return;
}
Expand All @@ -229,7 +229,7 @@ public void checkAndAuthenticateRequest(SecurityRequestChannel requestChannel) t
final OpenSearchException exception = ExceptionUtils.createBadHeaderException();
log.error(exception.toString());
auditLog.logBadHeaders(requestChannel);

requestChannel.completeWithResponse(new SecurityResponse(HttpStatus.SC_FORBIDDEN, null, exception.toString()));
return;
}
Expand All @@ -250,7 +250,7 @@ public void checkAndAuthenticateRequest(SecurityRequestChannel requestChannel) t
} catch (SSLPeerUnverifiedException e) {
log.error("No ssl info", e);
auditLog.logSSLException(requestChannel, e);

requestChannel.completeWithResponse(new SecurityResponse(HttpStatus.SC_FORBIDDEN, null, null));
return;
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,6 @@
import org.opensearch.common.util.concurrent.ThreadContext;
import org.opensearch.security.auth.HTTPAuthenticator;
import org.opensearch.security.filter.SecurityRequest;
import org.opensearch.security.filter.SecurityRequestChannel;
import org.opensearch.security.filter.SecurityResponse;
import org.opensearch.security.support.HTTPHelper;
import org.opensearch.security.user.AuthCredentials;
Expand Down Expand Up @@ -68,11 +67,9 @@ public AuthCredentials extractCredentials(final SecurityRequest request, final T

@Override
public Optional<SecurityResponse> reRequestAuthentication(final SecurityRequest request, AuthCredentials creds) {
return Optional.of(new SecurityResponse(
HttpStatus.SC_UNAUTHORIZED,
Map.of("WWW-Authenticate", "Bearer realm=\"OpenSearch Security\""),
""
));
return Optional.of(
new SecurityResponse(HttpStatus.SC_UNAUTHORIZED, Map.of("WWW-Authenticate", "Bearer realm=\"OpenSearch Security\""), "")
);
}

@Override
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,6 @@
import org.opensearch.core.common.Strings;
import org.opensearch.security.auth.HTTPAuthenticator;
import org.opensearch.security.filter.SecurityRequest;
import org.opensearch.security.filter.SecurityRequestChannel;
import org.opensearch.security.filter.SecurityResponse;
import org.opensearch.security.support.ConfigConstants;
import org.opensearch.security.user.AuthCredentials;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,6 @@
import org.opensearch.core.common.Strings;
import org.opensearch.security.auth.HTTPAuthenticator;
import org.opensearch.security.filter.SecurityRequest;
import org.opensearch.security.filter.SecurityRequestChannel;
import org.opensearch.security.filter.SecurityResponse;
import org.opensearch.security.support.ConfigConstants;
import org.opensearch.security.user.AuthCredentials;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,6 @@
import org.opensearch.security.auth.HTTPAuthenticator;
import org.opensearch.security.authtoken.jwt.EncryptionDecryptionUtil;
import org.opensearch.security.filter.SecurityRequest;
import org.opensearch.security.filter.SecurityRequestChannel;
import org.opensearch.security.filter.SecurityResponse;
import org.opensearch.security.ssl.util.ExceptionUtils;
import org.opensearch.security.user.AuthCredentials;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -81,7 +81,7 @@ protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient cli
SSLRequestHelper.SSLInfo sslInfo = SSLRequestHelper.getSSLInfo(settings, configPath, securityRequest, principalExtractor);

if (sslInfo == null) {

channel.sendResponse(new BytesRestResponse(RestStatus.FORBIDDEN, ""));
return;
}
Expand All @@ -90,7 +90,7 @@ protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient cli

// only allowed for admins
if (user == null || !adminDns.isAdmin(user)) {

channel.sendResponse(new BytesRestResponse(RestStatus.FORBIDDEN, ""));
return;
} else {
Expand Down
Loading

0 comments on commit 0c5a97d

Please sign in to comment.