diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AuditLogImpl.java b/src/main/java/org/opensearch/security/auditlog/impl/AuditLogImpl.java index d9e6a2225d..8da4b13d4c 100644 --- a/src/main/java/org/opensearch/security/auditlog/impl/AuditLogImpl.java +++ b/src/main/java/org/opensearch/security/auditlog/impl/AuditLogImpl.java @@ -132,7 +132,6 @@ protected void save(final AuditMessage msg) { @Override public void logFailedLogin(String effectiveUser, boolean securityAdmin, String initiatingUser, SecurityRequest request) { - new Exception("&&& logFailedLogin").printStackTrace(); if (enabled) { super.logFailedLogin(effectiveUser, securityAdmin, initiatingUser, request); } @@ -140,7 +139,6 @@ public void logFailedLogin(String effectiveUser, boolean securityAdmin, String i @Override public void logSucceededLogin(String effectiveUser, boolean securityAdmin, String initiatingUser, SecurityRequest request) { - new Exception("&&& logSucceededLogin").printStackTrace(); if (enabled) { super.logSucceededLogin(effectiveUser, securityAdmin, initiatingUser, request); } diff --git a/src/main/java/org/opensearch/security/auth/BackendRegistry.java b/src/main/java/org/opensearch/security/auth/BackendRegistry.java index 9b5ef9cdca..4dd22da6a8 100644 --- a/src/main/java/org/opensearch/security/auth/BackendRegistry.java +++ b/src/main/java/org/opensearch/security/auth/BackendRegistry.java @@ -592,7 +592,7 @@ private User impersonate(final SecurityRequestChannel request, final User origin } if (adminDns.isAdminDN(impersonatedUserHeader)) { - System.out.println("@607 - impersonate, 403"); + throw new OpenSearchSecurityException( "It is not allowed to impersonate as an adminuser '" + impersonatedUserHeader + "'", RestStatus.FORBIDDEN @@ -600,7 +600,7 @@ private User impersonate(final SecurityRequestChannel request, final User origin } if (!adminDns.isRestImpersonationAllowed(originalUser.getName(), impersonatedUserHeader)) { - System.out.println("@615 - impersonate, 403"); + throw new OpenSearchSecurityException( "'" + originalUser.getName() + "' is not allowed to impersonate as '" + impersonatedUserHeader + "'", RestStatus.FORBIDDEN diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java index 7733e81741..111eb609dc 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java @@ -373,7 +373,7 @@ protected final ValidationResult> loadConfigurat ) { final var configuration = load(cType, logComplianceEvent); if (configuration.getSeqNo() < 0) { - System.out.println("@374 - abstract API action, 403"); + return ValidationResult.error( RestStatus.FORBIDDEN, forbiddenMessage( @@ -414,19 +414,19 @@ public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() { @Override public ValidationResult onConfigDelete(SecurityConfiguration securityConfiguration) throws IOException { - System.out.println("@415 - abstract API action, 403"); + return ValidationResult.error(RestStatus.FORBIDDEN, forbiddenMessage("Access denied")); } @Override public ValidationResult onConfigLoad(SecurityConfiguration securityConfiguration) throws IOException { - System.out.println("@421 - abstract API action, 403"); + return ValidationResult.error(RestStatus.FORBIDDEN, forbiddenMessage("Access denied")); } @Override public ValidationResult onConfigChange(SecurityConfiguration securityConfiguration) throws IOException { - System.out.println("@427 - abstract API action, 403"); + return ValidationResult.error(RestStatus.FORBIDDEN, forbiddenMessage("Access denied")); } diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/NodesDnApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/NodesDnApiAction.java index 19b7006d8d..b691d96fb3 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/NodesDnApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/NodesDnApiAction.java @@ -139,7 +139,7 @@ public RestApiAdminPrivilegesEvaluator restApiAdminPrivilegesEvaluator() { public ValidationResult isAllowedToChangeImmutableEntity(SecurityConfiguration securityConfiguration) throws IOException { if (STATIC_OPENSEARCH_YML_NODES_DN.equals(securityConfiguration.entityName())) { - System.out.println("@142 - nodes dn API action, 403"); + return ValidationResult.error( RestStatus.FORBIDDEN, forbiddenMessage("Resource '" + STATIC_OPENSEARCH_YML_NODES_DN + "' is read-only.") diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/Responses.java b/src/main/java/org/opensearch/security/dlic/rest/api/Responses.java index 796e04b5b6..0a0edee6e4 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/Responses.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/Responses.java @@ -73,7 +73,7 @@ public static void response(RestChannel channel, RestStatus status, String messa public static void response(final RestChannel channel, final RestStatus status, final ToXContent toXContent) { try (final var builder = channel.newBuilder()) { toXContent.toXContent(builder, ToXContent.EMPTY_PARAMS); - System.out.println("@76 - responses " + status.getStatus()); + channel.sendResponse(new BytesRestResponse(status, builder)); } catch (final IOException ioe) { throw ExceptionsHelper.convertToOpenSearchException(ioe); diff --git a/src/main/java/org/opensearch/security/dlic/rest/validation/EndpointValidator.java b/src/main/java/org/opensearch/security/dlic/rest/validation/EndpointValidator.java index 7ff2af6dda..c03342630e 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/validation/EndpointValidator.java +++ b/src/main/java/org/opensearch/security/dlic/rest/validation/EndpointValidator.java @@ -55,7 +55,7 @@ default boolean isCurrentUserAdmin() { default ValidationResult withRequiredEntityName(final String entityName) { if (entityName == null) { - System.out.println("@152 - Endpoint validator 400"); + return ValidationResult.error(RestStatus.BAD_REQUEST, badRequestMessage("No " + resourceName() + " specified.")); } return ValidationResult.success(entityName); @@ -105,7 +105,7 @@ default ValidationResult entityStatic(final SecurityConfi final var configuration = securityConfiguration.configuration(); final var entityName = securityConfiguration.entityName(); if (configuration.isStatic(entityName)) { - System.out.println("@107 - Endpoint validator 403"); + return ValidationResult.error(RestStatus.FORBIDDEN, forbiddenMessage("Resource '" + entityName + "' is static.")); } return ValidationResult.success(securityConfiguration); @@ -115,11 +115,6 @@ default ValidationResult entityReserved(final SecurityCon final var configuration = securityConfiguration.configuration(); final var entityName = securityConfiguration.entityName(); if (configuration.isReserved(entityName)) { - System.out.println("@117 - Endpoint validator 403"); - // TODO: Remove - new Exception("&&& entityReserved denied calling stack trace").printStackTrace(); - - return ValidationResult.error(RestStatus.FORBIDDEN, forbiddenMessage("Resource '" + entityName + "' is reserved.")); } return ValidationResult.success(securityConfiguration); @@ -129,7 +124,7 @@ default ValidationResult entityHidden(final SecurityConfi final var configuration = securityConfiguration.configuration(); final var entityName = securityConfiguration.entityName(); if (configuration.isHidden(entityName)) { - System.out.println("@152 - Endpoint validator 404"); + return ValidationResult.error(RestStatus.NOT_FOUND, notFoundMessage("Resource '" + entityName + "' is not available.")); } return ValidationResult.success(securityConfiguration); @@ -157,7 +152,7 @@ default ValidationResult isAllowedToChangeEntityWithRestA final var configuration = securityConfiguration.configuration(); final var existingEntity = configuration.getCEntry(securityConfiguration.entityName()); if (restApiAdminPrivilegesEvaluator().containsRestApiAdminPermissions(existingEntity)) { - System.out.println("@152 - Endpoint validator 403"); + return ValidationResult.error(RestStatus.FORBIDDEN, forbiddenMessage("Access denied")); } } else { @@ -167,7 +162,7 @@ default ValidationResult isAllowedToChangeEntityWithRestA configuration.getImplementingClass() ); if (restApiAdminPrivilegesEvaluator().containsRestApiAdminPermissions(configEntityContent)) { - System.out.println("@162 - Endpoint validator 403"); + return ValidationResult.error(RestStatus.FORBIDDEN, forbiddenMessage("Access denied")); } } diff --git a/src/main/java/org/opensearch/security/filter/OpenSearchRequestChannel.java b/src/main/java/org/opensearch/security/filter/OpenSearchRequestChannel.java index a0629ae591..5230167acb 100644 --- a/src/main/java/org/opensearch/security/filter/OpenSearchRequestChannel.java +++ b/src/main/java/org/opensearch/security/filter/OpenSearchRequestChannel.java @@ -29,10 +29,7 @@ public boolean hasCompleted() { @Override public boolean completeWithResponse(final SecurityResponse response) { - System.out.println("@32 - completeWithResponse" + response.getStatus()); - // TODO: Remove - new Exception("&&& completeWithResponse calling stack trace").printStackTrace(); - + if (underlyingChannel == null) { throw new UnsupportedOperationException("Channel was not defined"); } diff --git a/src/main/java/org/opensearch/security/filter/SecurityFilter.java b/src/main/java/org/opensearch/security/filter/SecurityFilter.java index 34e45ffeda..523acad108 100644 --- a/src/main/java/org/opensearch/security/filter/SecurityFilter.java +++ b/src/main/java/org/opensearch/security/filter/SecurityFilter.java @@ -464,7 +464,7 @@ public void onFailure(Exception e) { : String.format("no permissions for %s and %s", pres.getMissingPrivileges(), user); } log.debug(err); - System.out.println("@467 - apply0, 403"); + listener.onFailure(new OpenSearchSecurityException(err, RestStatus.FORBIDDEN)); } } catch (OpenSearchException e) { @@ -515,7 +515,7 @@ private boolean checkImmutableIndices(Object request, ActionListener listener) { || request instanceof IndicesAliasesRequest; if (isModifyIndexRequest && isRequestIndexImmutable(request)) { - System.out.println("@517 - checkImmutableIndices, 403"); + listener.onFailure(new OpenSearchSecurityException("Index is immutable", RestStatus.FORBIDDEN)); return true; } diff --git a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java index 63f1bf8312..29b91b655d 100644 --- a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java +++ b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java @@ -206,7 +206,7 @@ private void authorizeRequest(RestHandler original, SecurityRequestChannel reque err = String.format("no permissions for %s and %s", pres.getMissingPrivileges(), user); } log.debug(err); - System.out.println("@206 - authorizeRequest 401"); + request.completeWithResponse(new SecurityResponse(HttpStatus.SC_UNAUTHORIZED, null, err)); return; } @@ -220,7 +220,7 @@ public void checkAndAuthenticateRequest(SecurityRequestChannel requestChannel) t final OpenSearchException exception = ExceptionUtils.createBadHeaderException(); log.error(exception.toString()); auditLog.logBadHeaders(requestChannel); - System.out.println("@220 - checkAndAuthenticateRequest 403"); + requestChannel.completeWithResponse(new SecurityResponse(HttpStatus.SC_FORBIDDEN, null, exception.toString())); return; } @@ -229,7 +229,7 @@ public void checkAndAuthenticateRequest(SecurityRequestChannel requestChannel) t final OpenSearchException exception = ExceptionUtils.createBadHeaderException(); log.error(exception.toString()); auditLog.logBadHeaders(requestChannel); - System.out.println("@229 - checkAndAuthenticateRequest 403"); + requestChannel.completeWithResponse(new SecurityResponse(HttpStatus.SC_FORBIDDEN, null, exception.toString())); return; } @@ -250,7 +250,7 @@ public void checkAndAuthenticateRequest(SecurityRequestChannel requestChannel) t } catch (SSLPeerUnverifiedException e) { log.error("No ssl info", e); auditLog.logSSLException(requestChannel, e); - System.out.println("@250 - authorizeRequest 403"); + requestChannel.completeWithResponse(new SecurityResponse(HttpStatus.SC_FORBIDDEN, null, null)); return; } diff --git a/src/main/java/org/opensearch/security/rest/SecurityConfigUpdateAction.java b/src/main/java/org/opensearch/security/rest/SecurityConfigUpdateAction.java index d9a25a8c3d..0739497724 100644 --- a/src/main/java/org/opensearch/security/rest/SecurityConfigUpdateAction.java +++ b/src/main/java/org/opensearch/security/rest/SecurityConfigUpdateAction.java @@ -81,7 +81,7 @@ protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient cli SSLRequestHelper.SSLInfo sslInfo = SSLRequestHelper.getSSLInfo(settings, configPath, securityRequest, principalExtractor); if (sslInfo == null) { - System.out.println("@84 - update config action 403"); + channel.sendResponse(new BytesRestResponse(RestStatus.FORBIDDEN, "")); return; } @@ -90,7 +90,7 @@ protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient cli // only allowed for admins if (user == null || !adminDns.isAdmin(user)) { - System.out.println("@93 - update config action 403"); + channel.sendResponse(new BytesRestResponse(RestStatus.FORBIDDEN, "")); return; } else { diff --git a/src/main/java/org/opensearch/security/rest/SecurityWhoAmIAction.java b/src/main/java/org/opensearch/security/rest/SecurityWhoAmIAction.java index d947c5c708..885ae2bbc6 100644 --- a/src/main/java/org/opensearch/security/rest/SecurityWhoAmIAction.java +++ b/src/main/java/org/opensearch/security/rest/SecurityWhoAmIAction.java @@ -103,7 +103,7 @@ public void accept(RestChannel channel) throws Exception { SSLInfo sslInfo = SSLRequestHelper.getSSLInfo(settings, configPath, securityRequest, principalExtractor); if (sslInfo == null) { - System.out.println("@104 - who am i action, 403"); + response = new BytesRestResponse(RestStatus.FORBIDDEN, "No security data"); } else { diff --git a/src/main/java/org/opensearch/security/rest/TenantInfoAction.java b/src/main/java/org/opensearch/security/rest/TenantInfoAction.java index d43f1c2e6e..d6ba8aa0f2 100644 --- a/src/main/java/org/opensearch/security/rest/TenantInfoAction.java +++ b/src/main/java/org/opensearch/security/rest/TenantInfoAction.java @@ -114,7 +114,7 @@ public void accept(RestChannel channel) throws Exception { // only allowed for admins or the kibanaserveruser if (!isAuthorized()) { - System.out.println("@117 - tenant info action, 403"); + response = new BytesRestResponse(RestStatus.FORBIDDEN, ""); } else { diff --git a/src/main/java/org/opensearch/security/securityconf/impl/AllowlistingSettings.java b/src/main/java/org/opensearch/security/securityconf/impl/AllowlistingSettings.java index 9ab023719a..c4ac02d218 100644 --- a/src/main/java/org/opensearch/security/securityconf/impl/AllowlistingSettings.java +++ b/src/main/java/org/opensearch/security/securityconf/impl/AllowlistingSettings.java @@ -110,7 +110,7 @@ private boolean requestIsAllowlisted(RestRequest request) { public boolean checkRequestIsAllowed(RestRequest request, RestChannel channel, NodeClient client) throws IOException { // if allowlisting is enabled but the request is not allowlisted, then return false, otherwise true. if (this.enabled && !requestIsAllowlisted(request)) { - System.out.println("@113 - checkRequestIsAllowed 403"); + channel.sendResponse( new BytesRestResponse( RestStatus.FORBIDDEN, diff --git a/src/main/java/org/opensearch/security/securityconf/impl/WhitelistingSettings.java b/src/main/java/org/opensearch/security/securityconf/impl/WhitelistingSettings.java index 4e6bcaf688..c9bb99fdea 100644 --- a/src/main/java/org/opensearch/security/securityconf/impl/WhitelistingSettings.java +++ b/src/main/java/org/opensearch/security/securityconf/impl/WhitelistingSettings.java @@ -111,7 +111,7 @@ private boolean requestIsWhitelisted(RestRequest request) { public boolean checkRequestIsAllowed(RestRequest request, RestChannel channel, NodeClient client) throws IOException { // if whitelisting is enabled but the request is not whitelisted, then return false, otherwise true. if (this.enabled && !requestIsWhitelisted(request)) { - System.out.println("@114 - checkRequestIsAllowed 403"); + channel.sendResponse( new BytesRestResponse( RestStatus.FORBIDDEN,