From 9844df9ba058ade6158c41c194a7997f182aaf35 Mon Sep 17 00:00:00 2001 From: Peter Nied Date: Mon, 2 Oct 2023 15:31:04 +0000 Subject: [PATCH] Mild switch to RequestChannel 
Signed-off-by: Peter Nied --- .../jwt/AbstractHTTPJwtAuthenticator.java | 20 +++--- .../auth/http/jwt/HTTPJwtAuthenticator.java | 22 +++--- .../kerberos/HTTPSpnegoAuthenticator.java | 38 +++++------ .../auth/http/saml/HTTPSamlAuthenticator.java | 36 ++++++---- .../security/auditlog/AuditLog.java | 14 ++-- .../auditlog/AuditLogSslExceptionHandler.java | 4 +- .../security/auditlog/NullAuditLog.java | 14 ++-- .../auditlog/impl/AbstractAuditLog.java | 16 ++--- .../security/auditlog/impl/AuditLogImpl.java | 14 ++-- .../security/auditlog/impl/AuditMessage.java | 4 +- .../security/auth/BackendRegistry.java | 34 +++++----- .../security/auth/HTTPAuthenticator.java | 9 ++- .../security/auth/UserInjector.java | 4 +- .../dlic/rest/api/AbstractApiAction.java | 4 +- .../rest/api/RestApiPrivilegesEvaluator.java | 4 +- ...quest.java => SecurityRequestChannel.java} | 13 ++-- .../filter/SecurityRequestFactory.java | 68 +++++++++++++++---- .../security/filter/SecurityRestFilter.java | 9 +-- .../security/http/HTTPBasicAuthenticator.java | 16 +++-- .../http/HTTPClientCertAuthenticator.java | 6 +- .../security/http/HTTPProxyAuthenticator.java | 7 +- .../http/OnBehalfOfAuthenticator.java | 13 ++-- .../security/http/RemoteIpDetector.java | 4 +- .../opensearch/security/http/XFFResolver.java | 4 +- .../proxy/HTTPExtendedProxyAuthenticator.java | 7 +- .../rest/SecurityConfigUpdateAction.java | 4 +- .../security/rest/SecurityWhoAmIAction.java | 4 +- .../security/ssl/SslExceptionHandler.java | 4 +- .../ssl/http/netty/ValidatingDispatcher.java | 4 +- .../ssl/rest/SecuritySSLInfoAction.java | 4 +- .../security/ssl/util/SSLRequestHelper.java | 4 +- .../security/support/HTTPHelper.java | 4 +- .../auditlog/helper/MockRestRequest.java | 4 +- .../security/auditlog/impl/AuditlogTest.java | 4 +- .../cache/DummyHTTPAuthenticator.java | 4 +- .../HTTPExtendedProxyAuthenticatorTest.java | 4 +- .../security/util/FakeRestRequest.java | 4 +- 37 files changed, 246 insertions(+), 186 deletions(-) rename 
src/main/java/org/opensearch/security/filter/{SecurityRequest.java => SecurityRequestChannel.java} (74%) diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java index 33a031a228..15e5d9546d 100644 --- a/src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java +++ b/src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java @@ -15,6 +15,7 @@ import java.security.AccessController; import java.security.PrivilegedAction; import java.util.Collection; +import java.util.Map; import java.util.Map.Entry; import java.util.regex.Pattern; @@ -22,6 +23,7 @@ import org.apache.cxf.rs.security.jose.jwt.JwtClaims; import org.apache.cxf.rs.security.jose.jwt.JwtToken; import org.apache.hc.core5.http.HttpHeaders; +import org.apache.http.HttpStatus; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; @@ -39,7 +41,7 @@ import org.opensearch.rest.RestChannel; import org.opensearch.core.rest.RestStatus; import org.opensearch.security.auth.HTTPAuthenticator; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.user.AuthCredentials; public abstract class AbstractHTTPJwtAuthenticator implements HTTPAuthenticator { @@ -83,7 +85,7 @@ public AbstractHTTPJwtAuthenticator(Settings settings, Path configPath) { @Override @SuppressWarnings("removal") - public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext context) + public AuthCredentials extractCredentials(final SecurityRequestChannel request, final ThreadContext context) throws OpenSearchSecurityException { final SecurityManager sm = System.getSecurityManager(); 
@@ -101,7 +103,7 @@ public AuthCredentials run() { return creds; } - private AuthCredentials extractCredentials0(final SecurityRequest request) throws OpenSearchSecurityException { + private AuthCredentials extractCredentials0(final SecurityRequestChannel request) throws OpenSearchSecurityException { String jwtString = getJwtTokenString(request); @@ -142,7 +144,7 @@ private AuthCredentials extractCredentials0(final SecurityRequest request) throw } - protected String getJwtTokenString(SecurityRequest request) { + protected String getJwtTokenString(SecurityRequestChannel request) { String jwtToken = request.header(jwtHeaderName); if (isDefaultAuthHeader && jwtToken != null && BASIC.matcher(jwtToken).matches()) { jwtToken = null; @@ -237,11 +239,11 @@ public String[] extractRoles(JwtClaims claims) { protected abstract KeyProvider initKeyProvider(Settings settings, Path configPath) throws Exception; @Override - public boolean reRequestAuthentication(RestChannel channel, AuthCredentials authCredentials) { - final BytesRestResponse wwwAuthenticateResponse = new BytesRestResponse(RestStatus.UNAUTHORIZED, ""); - wwwAuthenticateResponse.addHeader("WWW-Authenticate", "Bearer realm=\"OpenSearch Security\""); - channel.sendResponse(wwwAuthenticateResponse); - return true; + public boolean reRequestAuthentication(final SecurityRequestChannel request, AuthCredentials authCredentials) { + return request.completeWithResponse( + HttpStatus.SC_UNAUTHORIZED, + Map.of("WWW-Authenticate", "Bearer realm=\"OpenSearch Security\""), + ""); } public String getRequiredAudience() { diff --git a/src/main/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticator.java index 2b13dea63e..2c60e96c48 100644 --- a/src/main/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticator.java +++ b/src/main/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticator.java 
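Review bot: `reRequestAuthentication` used to return `true` unconditionally once the Bearer challenge was sent, and it now returns whatever `completeWithResponse` reports. That method is not part of this hunk, so what a `false` result means is not visible here. The callers in `BackendRegistry` read `false` as "no re-request possible" and carry on with the next auth domain, so a line of Javadoc on this override stating when the result can be `false` would make the contract checkable. The same change appears in `HTTPJwtAuthenticator.reRequestAuthentication`, where the parameter is called `channel` while it is `request` here; using one name in both would read better.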
@@ -15,6 +15,7 @@ import java.security.AccessController; import java.security.PrivilegedAction; import java.util.Collection; +import java.util.Map; import java.util.Map.Entry; import java.util.regex.Pattern; @@ -23,6 +24,7 @@ import io.jsonwebtoken.JwtParserBuilder; import io.jsonwebtoken.security.WeakKeyException; import org.apache.hc.core5.http.HttpHeaders; +import org.apache.http.HttpStatus; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; @@ -34,7 +36,7 @@ import org.opensearch.rest.RestChannel; import org.opensearch.core.rest.RestStatus; import org.opensearch.security.auth.HTTPAuthenticator; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.user.AuthCredentials; import org.opensearch.security.util.KeyUtils; @@ -84,7 +86,7 @@ public HTTPJwtAuthenticator(final Settings settings, final Path configPath) { @Override @SuppressWarnings("removal") - public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext context) + public AuthCredentials extractCredentials(final SecurityRequestChannel request, final ThreadContext context) throws OpenSearchSecurityException { final SecurityManager sm = System.getSecurityManager(); @@ -102,7 +104,7 @@ public AuthCredentials run() { return creds; } - private AuthCredentials extractCredentials0(final SecurityRequest request) { + private AuthCredentials extractCredentials0(final SecurityRequestChannel request) { if (jwtParser == null) { log.error("Missing Signing Key. JWT authentication will not work"); return null; 
@@ -172,11 +174,11 @@ private AuthCredentials extractCredentials0(final SecurityRequest request) { } @Override - public boolean reRequestAuthentication(final RestChannel channel, AuthCredentials creds) { - final BytesRestResponse wwwAuthenticateResponse = new BytesRestResponse(RestStatus.UNAUTHORIZED, ""); - wwwAuthenticateResponse.addHeader("WWW-Authenticate", "Bearer realm=\"OpenSearch Security\""); - channel.sendResponse(wwwAuthenticateResponse); - return true; + public boolean reRequestAuthentication(final SecurityRequestChannel channel, AuthCredentials creds) { + return channel.completeWithResponse( + HttpStatus.SC_UNAUTHORIZED, + Map.of("WWW-Authenticate", "Bearer realm=\"OpenSearch Security\""), + ""); } @Override @@ -184,7 +186,7 @@ public String getType() { return "jwt"; } - protected String extractSubject(final Claims claims, final SecurityRequest request) { + protected String extractSubject(final Claims claims, final SecurityRequestChannel request) { String subject = claims.getSubject(); if (subjectKey != null) { // try to get roles from claims, first as Object to avoid having to catch the ExpectedTypeException @@ -208,7 +210,7 @@ protected String extractSubject(final Claims claims, final SecurityRequest reque } @SuppressWarnings("unchecked") - protected String[] extractRoles(final Claims claims, final SecurityRequest request) { + protected String[] extractRoles(final Claims claims, final SecurityRequestChannel request) { // no roles key specified if (rolesKey == null) { return new String[0]; diff --git a/src/main/java/com/amazon/dlic/auth/http/kerberos/HTTPSpnegoAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/kerberos/HTTPSpnegoAuthenticator.java index af822e9c43..bf3002146a 100644 --- a/src/main/java/com/amazon/dlic/auth/http/kerberos/HTTPSpnegoAuthenticator.java +++ b/src/main/java/com/amazon/dlic/auth/http/kerberos/HTTPSpnegoAuthenticator.java 
@@ -22,13 +22,17 @@ import java.security.PrivilegedExceptionAction; import java.util.Base64; import java.util.Collections; +import java.util.HashMap; import java.util.HashSet; +import java.util.Map; import java.util.Set; import javax.security.auth.Subject; import javax.security.auth.login.LoginException; import com.google.common.base.Strings; + +import org.apache.http.HttpStatus; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.ietf.jgss.GSSContext; @@ -52,12 +56,11 @@ import org.opensearch.rest.RestChannel; import org.opensearch.core.rest.RestStatus; import org.opensearch.security.auth.HTTPAuthenticator; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.user.AuthCredentials; public class HTTPSpnegoAuthenticator implements HTTPAuthenticator { - private static final String EMPTY_STRING = ""; private static final Oid[] KRB_OIDS = new Oid[] { KrbConstants.SPNEGO, KrbConstants.KRB5MECH }; protected final Logger log = LogManager.getLogger(this.getClass()); @@ -171,7 +174,7 @@ public Void run() { @Override @SuppressWarnings("removal") - public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext threadContext) { + public AuthCredentials extractCredentials(final SecurityRequestChannel request, final ThreadContext threadContext) { final SecurityManager sm = System.getSecurityManager(); if (sm != null) { @@ -188,7 +191,7 @@ public AuthCredentials run() { return creds; } - private AuthCredentials extractCredentials0(final SecurityRequest request) { + private AuthCredentials extractCredentials0(final SecurityRequestChannel request) { if (acceptorPrincipal == null || acceptorKeyTabPath == null) { log.error("Missing acceptor principal or keytab configuration. Kerberos authentication will not work"); 
@@ -280,27 +283,24 @@ public GSSCredential run() throws GSSException { } @Override - public boolean reRequestAuthentication(final RestChannel channel, AuthCredentials creds) { - - final BytesRestResponse wwwAuthenticateResponse; - XContentBuilder response = getNegotiateResponseBody(); - - if (response != null) { - wwwAuthenticateResponse = new BytesRestResponse(RestStatus.UNAUTHORIZED, response); - } else { - wwwAuthenticateResponse = new BytesRestResponse(RestStatus.UNAUTHORIZED, EMPTY_STRING); + public boolean reRequestAuthentication(final SecurityRequestChannel request, AuthCredentials creds) { + String responseBody = ""; + final String negotiateResponseBody = getNegotiateResponseBody(); + if (negotiateResponseBody != null) { + responseBody = negotiateResponseBody; } + final Map headers = new HashMap<>(); if (creds == null || creds.getNativeCredentials() == null) { - wwwAuthenticateResponse.addHeader("WWW-Authenticate", "Negotiate"); + headers.put("WWW-Authenticate", "Negotiate"); } else { - wwwAuthenticateResponse.addHeader( + headers.put( "WWW-Authenticate", "Negotiate " + Base64.getEncoder().encodeToString((byte[]) creds.getNativeCredentials()) ); } - channel.sendResponse(wwwAuthenticateResponse); - return true; + + return request.completeWithResponse(HttpStatus.SC_UNAUTHORIZED, headers, responseBody); } @Override @@ -372,7 +372,7 @@ private static String getUsernameFromGSSContext(final GSSContext gssContext, fin return null; } - private XContentBuilder getNegotiateResponseBody() { + private String getNegotiateResponseBody() { try { XContentBuilder negotiateResponseBody = XContentFactory.jsonBuilder(); negotiateResponseBody.startObject(); 
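Review bot: The Negotiate challenge body was previously handed to `BytesRestResponse` as an `XContentBuilder` and is now passed to `completeWithResponse` as a plain `String`. Whether the 401 still carries a JSON content type depends on `completeWithResponse`, which is outside this hunk. If the type is no longer stated, clients that parse the error body may treat it as plain text, so confirm it is preserved or set it explicitly in `headers`. The null handling can also be shortened to `final String responseBody = negotiateResponseBody != null ? negotiateResponseBody : "";`.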
@@ -384,7 +384,7 @@ private XContentBuilder getNegotiateResponseBody() { negotiateResponseBody.endObject(); negotiateResponseBody.endObject(); negotiateResponseBody.endObject(); - return negotiateResponseBody; + return negotiateResponseBody.toString(); } catch (Exception ex) { log.error("Can't construct response body", ex); return null; diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java index 27a7dd10f7..b8be0c5051 100644 --- a/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java +++ b/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java @@ -18,6 +18,7 @@ import java.security.PrivateKey; import java.security.PrivilegedActionException; import java.security.PrivilegedExceptionAction; +import java.util.Map; import java.util.regex.Matcher; import java.util.regex.Pattern; @@ -35,6 +36,7 @@ import net.shibboleth.utilities.java.support.xml.BasicParserPool; import org.apache.commons.lang3.StringEscapeUtils; import org.apache.cxf.rs.security.jose.jwk.JsonWebKey; +import org.apache.http.HttpStatus; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.opensaml.core.config.InitializationException; @@ -61,7 +63,8 @@ import org.opensearch.core.rest.RestStatus; import org.opensearch.security.auth.Destroyable; import org.opensearch.security.auth.HTTPAuthenticator; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; +import org.opensearch.security.filter.SecurityRequestFactory.SecurityRestRequest; import org.opensearch.security.support.ConfigConstants; import org.opensearch.security.support.PemKeyReader; import org.opensearch.security.user.AuthCredentials; 
@@ -150,7 +153,7 @@ public HTTPSamlAuthenticator(final Settings settings, final Path configPath) { } @Override - public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext threadContext) + public AuthCredentials extractCredentials(final SecurityRequestChannel request, final ThreadContext threadContext) throws OpenSearchSecurityException { Matcher matcher = PATTERN_PATH_PREFIX.matcher(request.path()); final String suffix = matcher.matches() ? matcher.group(2) : null; 
@@ -173,23 +176,28 @@ public String getType() { } @Override - public boolean reRequestAuthentication(RestChannel restChannel, AuthCredentials authCredentials) { + public boolean reRequestAuthentication(final SecurityRequestChannel request, final AuthCredentials authCredentials) { try { - RestRequest restRequest = restChannel.request(); - Matcher matcher = PATTERN_PATH_PREFIX.matcher(restRequest.path()); + Matcher matcher = PATTERN_PATH_PREFIX.matcher(request.path()); final String suffix = matcher.matches() ? matcher.group(2) : null; - if (API_AUTHTOKEN_SUFFIX.equals(suffix) && this.authTokenProcessorHandler.handle(restRequest, restChannel)) { - return true; + + if (request instanceof SecurityRestRequest) { + final SecurityRestRequest securityRequestChannel = (SecurityRestRequest)request; + final RestRequest restRequest = securityRequestChannel.breakEncapulation().v1(); + final RestChannel channel = securityRequestChannel.breakEncapulation().v2(); + // TODO: This codebase REQUIRES the body of the request, seems like we need to escape the SecurityRequestChannel + if (API_AUTHTOKEN_SUFFIX.equals(suffix) && this.authTokenProcessorHandler.handle(restRequest, channel)) { + return true; + } + } else { + // If the request is not SecurityRestRequest type, we could not read the body to process the response, this + // means were are in a potential exit early flow + return false; } Saml2Settings saml2Settings = this.saml2SettingsProvider.getCached(); - BytesRestResponse authenticateResponse = new BytesRestResponse(RestStatus.UNAUTHORIZED, ""); - - authenticateResponse.addHeader("WWW-Authenticate", getWwwAuthenticateHeader(saml2Settings)); - - restChannel.sendResponse(authenticateResponse); - return true; + return request.completeWithResponse(HttpStatus.SC_UNAUTHORIZED, Map.of("WWW-Authenticate", getWwwAuthenticateHeader(saml2Settings)), ""); } catch (Exception e) { log.error("Error in reRequestAuthentication()", e); return false; 
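Review bot: The `instanceof SecurityRestRequest` gate in `reRequestAuthentication` now sits in front of the suffix check, so a request of any other type returns `false` on every path and never receives the `WWW-Authenticate` challenge, although only the `API_AUTHTOKEN_SUFFIX` flow needs the body. If the challenge should still be sent for such requests, break encapsulation only inside the authtoken branch, as sketched below. When `authTokenProcessorHandler.handle` answers on the raw `RestChannel`, the `SecurityRequestChannel` is presumably not told that a response went out; that is worth confirming in `SecurityRequestFactory`, which is outside this hunk. `breakEncapulation` is also misspelled at its definition and would be easier to find as `breakEncapsulation`.

```java
final String suffix = matcher.matches() ? matcher.group(2) : null;

if (API_AUTHTOKEN_SUFFIX.equals(suffix)) {
    if (!(request instanceof SecurityRestRequest)) {
        // The authtoken exchange needs the request body, which only the REST-backed request exposes.
        return false;
    }
    final SecurityRestRequest restBacked = (SecurityRestRequest) request;
    final RestRequest restRequest = restBacked.breakEncapulation().v1();
    final RestChannel channel = restBacked.breakEncapulation().v2();
    if (this.authTokenProcessorHandler.handle(restRequest, channel)) {
        return true;
    }
}
// … unchanged: saml2Settings lookup and the 401 completeWithResponse …
```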
@@ -400,7 +408,7 @@ String buildLogoutUrl(AuthCredentials authCredentials) { } - private void initLogoutUrl(SecurityRequest restRequest, ThreadContext threadContext, AuthCredentials authCredentials) { + private void initLogoutUrl(SecurityRequestChannel restRequest, ThreadContext threadContext, AuthCredentials authCredentials) { threadContext.putTransient(ConfigConstants.SSO_LOGOUT_URL, buildLogoutUrl(authCredentials)); } diff --git a/src/main/java/org/opensearch/security/auditlog/AuditLog.java b/src/main/java/org/opensearch/security/auditlog/AuditLog.java index 997b9e4b87..d861af14bd 100644 --- a/src/main/java/org/opensearch/security/auditlog/AuditLog.java +++ b/src/main/java/org/opensearch/security/auditlog/AuditLog.java 
@@ -37,21 +37,21 @@ import org.opensearch.core.index.shard.ShardId; import org.opensearch.security.auditlog.config.AuditConfig; import org.opensearch.security.compliance.ComplianceConfig; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.tasks.Task; import org.opensearch.transport.TransportRequest; public interface AuditLog extends Closeable { // login - void logFailedLogin(String effectiveUser, boolean securityadmin, String initiatingUser, SecurityRequest request); + void logFailedLogin(String effectiveUser, boolean securityadmin, String initiatingUser, SecurityRequestChannel request); - void logSucceededLogin(String effectiveUser, boolean securityadmin, String initiatingUser, SecurityRequest request); + void logSucceededLogin(String effectiveUser, boolean securityadmin, String initiatingUser, SecurityRequestChannel request); // privs - void logMissingPrivileges(String privilege, String effectiveUser, SecurityRequest request); + void logMissingPrivileges(String privilege, String effectiveUser, SecurityRequestChannel request); - void logGrantedPrivileges(String effectiveUser, SecurityRequest request); + void logGrantedPrivileges(String effectiveUser, SecurityRequestChannel request); void logMissingPrivileges(String privilege, TransportRequest request, Task task); 
@@ -63,13 +63,13 @@ public interface AuditLog extends Closeable { // spoof void logBadHeaders(TransportRequest request, String action, Task task); - void logBadHeaders(SecurityRequest request); + void logBadHeaders(SecurityRequestChannel request); void logSecurityIndexAttempt(TransportRequest request, String action, Task task); void logSSLException(TransportRequest request, Throwable t, String action, Task task); - void logSSLException(SecurityRequest request, Throwable t); + void logSSLException(SecurityRequestChannel request, Throwable t); void logDocumentRead(String index, String id, ShardId shardId, Map fieldNameValues); diff --git a/src/main/java/org/opensearch/security/auditlog/AuditLogSslExceptionHandler.java b/src/main/java/org/opensearch/security/auditlog/AuditLogSslExceptionHandler.java index a794be3a2c..df96400f96 100644 --- a/src/main/java/org/opensearch/security/auditlog/AuditLogSslExceptionHandler.java +++ b/src/main/java/org/opensearch/security/auditlog/AuditLogSslExceptionHandler.java @@ -27,7 +27,7 @@ package org.opensearch.security.auditlog; import org.opensearch.OpenSearchException; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.ssl.SslExceptionHandler; import org.opensearch.tasks.Task; import org.opensearch.transport.TransportRequest; @@ -42,7 +42,7 @@ public AuditLogSslExceptionHandler(final AuditLog auditLog) { } @Override - public void logError(Throwable t, SecurityRequest request, int type) { + public void logError(Throwable t, SecurityRequestChannel request, int type) { switch (type) { case 0: auditLog.logSSLException(request, t); diff --git a/src/main/java/org/opensearch/security/auditlog/NullAuditLog.java b/src/main/java/org/opensearch/security/auditlog/NullAuditLog.java index 1ac4492a94..440a2eafd5 100644 --- a/src/main/java/org/opensearch/security/auditlog/NullAuditLog.java 
+++ b/src/main/java/org/opensearch/security/auditlog/NullAuditLog.java @@ -37,7 +37,7 @@ import org.opensearch.core.index.shard.ShardId; import org.opensearch.security.auditlog.config.AuditConfig; import org.opensearch.security.compliance.ComplianceConfig; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.tasks.Task; import org.opensearch.transport.TransportRequest; @@ -49,12 +49,12 @@ public void close() throws IOException { } @Override - public void logFailedLogin(String effectiveUser, boolean securityadmin, String initiatingUser, SecurityRequest request) { + public void logFailedLogin(String effectiveUser, boolean securityadmin, String initiatingUser, SecurityRequestChannel request) { // noop, intentionally left empty } @Override - public void logSucceededLogin(String effectiveUser, boolean securityadmin, String initiatingUser, SecurityRequest request) { + public void logSucceededLogin(String effectiveUser, boolean securityadmin, String initiatingUser, SecurityRequestChannel request) { // noop, intentionally left empty } @@ -79,7 +79,7 @@ public void logBadHeaders(TransportRequest request, String action, Task task) { } @Override - public void logBadHeaders(SecurityRequest request) { + public void logBadHeaders(SecurityRequestChannel request) { // noop, intentionally left empty } 
@@ -94,17 +94,17 @@ public void logSSLException(TransportRequest request, Throwable t, String action } @Override - public void logSSLException(SecurityRequest request, Throwable t) { + public void logSSLException(SecurityRequestChannel request, Throwable t) { // noop, intentionally left empty } @Override - public void logMissingPrivileges(String privilege, String effectiveUser, SecurityRequest request) { + public void logMissingPrivileges(String privilege, String effectiveUser, SecurityRequestChannel request) { // noop, intentionally left empty } @Override - public void logGrantedPrivileges(String effectiveUser, SecurityRequest request) { + public void logGrantedPrivileges(String effectiveUser, SecurityRequestChannel request) { // noop, intentionally left empty } diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java b/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java index 2813f82e98..a3983c11e3 100644 --- a/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java +++ b/src/main/java/org/opensearch/security/auditlog/impl/AbstractAuditLog.java @@ -65,7 +65,7 @@ import org.opensearch.security.auditlog.config.AuditConfig; import org.opensearch.security.compliance.ComplianceConfig; import org.opensearch.security.dlic.rest.support.Utils; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.support.Base64Helper; import org.opensearch.security.support.ConfigConstants; import org.opensearch.security.user.User; 
@@ -139,7 +139,7 @@ public ComplianceConfig getComplianceConfig() { } @Override - public void logFailedLogin(String effectiveUser, boolean securityadmin, String initiatingUser, SecurityRequest request) { + public void logFailedLogin(String effectiveUser, boolean securityadmin, String initiatingUser, SecurityRequestChannel request) { if (!checkRestFilter(AuditCategory.FAILED_LOGIN, effectiveUser, request)) { return; @@ -157,7 +157,7 @@ public void logFailedLogin(String effectiveUser, boolean securityadmin, String i } @Override - public void logSucceededLogin(String effectiveUser, boolean securityadmin, String initiatingUser, SecurityRequest request) { + public void logSucceededLogin(String effectiveUser, boolean securityadmin, String initiatingUser, SecurityRequestChannel request) { if (!checkRestFilter(AuditCategory.AUTHENTICATED, effectiveUser, request)) { return; @@ -174,7 +174,7 @@ public void logSucceededLogin(String effectiveUser, boolean securityadmin, Strin } @Override - public void logMissingPrivileges(String privilege, String effectiveUser, SecurityRequest request) { + public void logMissingPrivileges(String privilege, String effectiveUser, SecurityRequestChannel request) { if (!checkRestFilter(AuditCategory.MISSING_PRIVILEGES, effectiveUser, request)) { return; } @@ -189,7 +189,7 @@ public void logMissingPrivileges(String privilege, String effectiveUser, Securit } @Override - public void logGrantedPrivileges(String effectiveUser, SecurityRequest request) { + public void logGrantedPrivileges(String effectiveUser, SecurityRequestChannel request) { if (!checkRestFilter(AuditCategory.GRANTED_PRIVILEGES, effectiveUser, request)) { return; } @@ -348,7 +348,7 @@ public void logBadHeaders(TransportRequest request, String action, Task task) { } @Override - public void logBadHeaders(SecurityRequest request) { + public void logBadHeaders(SecurityRequestChannel request) { if (!checkRestFilter(AuditCategory.BAD_HEADERS, getUser(), request)) { return; 
@@ -437,7 +437,7 @@ public void logSSLException(TransportRequest request, Throwable t, String action } @Override - public void logSSLException(SecurityRequest request, Throwable t) { + public void logSSLException(SecurityRequestChannel request, Throwable t) { if (!checkRestFilter(AuditCategory.SSL_EXCEPTION, getUser(), request)) { return; @@ -896,7 +896,7 @@ private boolean checkComplianceFilter( } @VisibleForTesting - boolean checkRestFilter(final AuditCategory category, final String effectiveUser, SecurityRequest request) { + boolean checkRestFilter(final AuditCategory category, final String effectiveUser, SecurityRequestChannel request) { final boolean isTraceEnabled = log.isTraceEnabled(); if (isTraceEnabled) { log.trace( diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AuditLogImpl.java b/src/main/java/org/opensearch/security/auditlog/impl/AuditLogImpl.java index 8da4b13d4c..1677ebb86a 100644 --- a/src/main/java/org/opensearch/security/auditlog/impl/AuditLogImpl.java +++ b/src/main/java/org/opensearch/security/auditlog/impl/AuditLogImpl.java @@ -33,7 +33,7 @@ import org.opensearch.core.index.shard.ShardId; import org.opensearch.security.auditlog.config.AuditConfig; import org.opensearch.security.auditlog.routing.AuditMessageRouter; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.tasks.Task; import org.opensearch.threadpool.ThreadPool; import org.opensearch.transport.TransportRequest; 
@@ -131,28 +131,28 @@ protected void save(final AuditMessage msg) { } @Override - public void logFailedLogin(String effectiveUser, boolean securityAdmin, String initiatingUser, SecurityRequest request) { + public void logFailedLogin(String effectiveUser, boolean securityAdmin, String initiatingUser, SecurityRequestChannel request) { if (enabled) { super.logFailedLogin(effectiveUser, securityAdmin, initiatingUser, request); } } @Override - public void logSucceededLogin(String effectiveUser, boolean securityAdmin, String initiatingUser, SecurityRequest request) { + public void logSucceededLogin(String effectiveUser, boolean securityAdmin, String initiatingUser, SecurityRequestChannel request) { if (enabled) { super.logSucceededLogin(effectiveUser, securityAdmin, initiatingUser, request); } } @Override - public void logMissingPrivileges(String privilege, String effectiveUser, SecurityRequest request) { + public void logMissingPrivileges(String privilege, String effectiveUser, SecurityRequestChannel request) { if (enabled) { super.logMissingPrivileges(privilege, effectiveUser, request); } } @Override - public void logGrantedPrivileges(String effectiveUser, SecurityRequest request) { + public void logGrantedPrivileges(String effectiveUser, SecurityRequestChannel request) { if (enabled) { super.logGrantedPrivileges(effectiveUser, request); } @@ -187,7 +187,7 @@ public void logBadHeaders(TransportRequest request, String action, Task task) { } @Override - public void logBadHeaders(SecurityRequest request) { + public void logBadHeaders(SecurityRequestChannel request) { if (enabled) { super.logBadHeaders(request); } @@ -208,7 +208,7 @@ public void logSSLException(TransportRequest request, Throwable t, String action } @Override - public void logSSLException(SecurityRequest request, Throwable t) { + public void logSSLException(SecurityRequestChannel request, Throwable t) { if (enabled) { super.logSSLException(request, t); } 
diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java index b4f35ef90f..983f841cad 100644 --- a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java +++ b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java @@ -48,7 +48,7 @@ import org.opensearch.security.auditlog.AuditLog.Origin; import org.opensearch.security.auditlog.config.AuditConfig; import org.opensearch.security.dlic.rest.support.Utils; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.securityconf.impl.CType; import org.opensearch.security.support.WildcardMatcher; @@ -370,7 +370,7 @@ void addRestMethod(final RestRequest.Method method) { } } - void addRestRequestInfo(final SecurityRequest request, final AuditConfig.Filter filter) { + void addRestRequestInfo(final SecurityRequestChannel request, final AuditConfig.Filter filter) { if (request != null) { final String path = request.path().toString(); addPath(path); diff --git a/src/main/java/org/opensearch/security/auth/BackendRegistry.java b/src/main/java/org/opensearch/security/auth/BackendRegistry.java index cdfa74655c..9aaac7751e 100644 --- a/src/main/java/org/opensearch/security/auth/BackendRegistry.java +++ b/src/main/java/org/opensearch/security/auth/BackendRegistry.java @@ -43,6 +43,8 @@ import com.google.common.cache.RemovalListener; import com.google.common.cache.RemovalNotification; import com.google.common.collect.Multimap; + +import org.apache.hc.core5.http.HttpStatus; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.greenrobot.eventbus.Subscribe; 
@@ -57,7 +59,7 @@ import org.opensearch.security.auth.blocking.ClientBlockRegistry; import org.opensearch.security.auth.internal.NoOpAuthenticationBackend; import org.opensearch.security.configuration.AdminDNs; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.http.OnBehalfOfAuthenticator; import org.opensearch.security.http.XFFResolver; import org.opensearch.security.securityconf.DynamicConfigModel; @@ -184,7 +186,7 @@ public void onDynamicConfigModelChanged(DynamicConfigModel dcm) { * @return The authenticated user, null means another roundtrip * @throws OpenSearchSecurityException */ - public boolean authenticate(final SecurityRequest request, final ThreadContext _DO_NOT_USE) { + public boolean authenticate(final SecurityRequestChannel request, final ThreadContext _DO_NOT_USE) { final boolean isDebugEnabled = log.isDebugEnabled(); final boolean isBlockedBasedOnAddress = request.getRemoteAddress() .map(InetSocketAddress::getAddress) @@ -195,7 +197,7 @@ public boolean authenticate(final SecurityRequest request, final ThreadContext _ log.debug("Rejecting REST request because of blocked address: {}", request.getRemoteAddress().orElse(null)); } - request.getRestChannel().sendResponse(new BytesRestResponse(RestStatus.UNAUTHORIZED, "Authentication finally failed")); + request.completeWithResponse(HttpStatus.SC_UNAUTHORIZED, null, "Authentication finally failed"); return false; } @@ -216,8 +218,7 @@ public boolean authenticate(final SecurityRequest request, final ThreadContext _ if (!isInitialized()) { log.error("Not yet initialized (you may need to run securityadmin)"); - request.getRestChannel() - .sendResponse(new BytesRestResponse(RestStatus.SERVICE_UNAVAILABLE, "OpenSearch Security not initialized.")); + request.completeWithResponse(HttpStatus.SC_SERVICE_UNAVAILABLE, null, "OpenSearch Security not initialized."); return false; } 
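Review bot: `completeWithResponse` is called with `null` for the header map at the blocked-address and not-initialized exits of `authenticate`, and again in the admin-user and final-failure hunks further down, while the authenticators in this patch always pass a map. Whether the method tolerates `null` is not visible here; passing an empty map such as `Collections.emptyMap()` would remove the question. The boolean result is also dropped at each of these exits, so a response that could not be sent goes unnoticed; a `log.debug` on a `false` result would make that visible. `authenticate` starts and ends outside these hunks.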
@@ -283,12 +284,11 @@ public boolean authenticate(final SecurityRequest request, final ThreadContext _ continue; } - if (authDomain.isChallenge() && httpAuthenticator.reRequestAuthentication(request.getRestChannel(), null)) { + if (authDomain.isChallenge() && httpAuthenticator.reRequestAuthentication(request, null)) { auditLog.logFailedLogin("", false, null, request); if (isTraceEnabled) { log.trace("No 'Authorization' header, send 401 and 'WWW-Authenticate Basic'"); } - return false; } else { // no reRequest possible if (isTraceEnabled) { @@ -300,7 +300,7 @@ public boolean authenticate(final SecurityRequest request, final ThreadContext _ org.apache.logging.log4j.ThreadContext.put("user", ac.getUsername()); if (!ac.isComplete()) { // credentials found in request but we need another client challenge - if (httpAuthenticator.reRequestAuthentication(request.getRestChannel(), ac)) { + if (httpAuthenticator.reRequestAuthentication(request, ac)) { // auditLog.logFailedLogin(ac.getUsername()+" ", request); --noauditlog return false; } else { @@ -339,12 +339,10 @@ public boolean authenticate(final SecurityRequest request, final ThreadContext _ if (adminDns.isAdmin(authenticatedUser)) { log.error("Cannot authenticate rest user because admin user is not permitted to login via HTTP"); auditLog.logFailedLogin(authenticatedUser.getName(), true, null, request); - request.getRestChannel() - .sendResponse( - new BytesRestResponse( - RestStatus.FORBIDDEN, - "Cannot authenticate user because admin user is not permitted to login via HTTP" - ) + request.completeWithResponse( + HttpStatus.SC_FORBIDDEN, + null, + "Cannot authenticate user because admin user is not permitted to login via HTTP" ); return false; } 
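Review bot: The `return false;` that followed the challenge branch in `authenticate` (hunk `@@ -283,12 +284,11 @@`) is removed, so once `reRequestAuthentication(request, null)` has answered the client with a 401 the method no longer stops there. Execution leaves the `if`/`else` and continues with whatever follows in the enclosing block, which is outside this hunk; it looks like later code can then run, or try to send a second response, for a request that was already rejected. Unless that fall-through is intended, keep the early exit: `return false;` directly after the `log.trace(...)` block. If it is intended, the later code should check `request.hasCompleted()` before doing any further work, and that should be stated in a comment here.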
@@ -395,7 +393,7 @@ public boolean authenticate(final SecurityRequest request, final ThreadContext _ log.debug("Rerequest with {}", firstChallengingHttpAuthenticator.getClass()); } - if (firstChallengingHttpAuthenticator.reRequestAuthentication(request.getRestChannel(), null)) { + if (firstChallengingHttpAuthenticator.reRequestAuthentication(request, null)) { if (isDebugEnabled) { log.debug("Rerequest {} failed", firstChallengingHttpAuthenticator.getClass()); } @@ -419,14 +417,14 @@ public boolean authenticate(final SecurityRequest request, final ThreadContext _ notifyIpAuthFailureListeners(request, authCredenetials); - request.getRestChannel().sendResponse(new BytesRestResponse(RestStatus.UNAUTHORIZED, "Authentication finally failed")); + request.completeWithResponse(org.apache.http.HttpStatus.SC_UNAUTHORIZED, null, "Authentication finally failed"); return false; } return authenticated; } - private void notifyIpAuthFailureListeners(SecurityRequest request, AuthCredentials authCredentials) { + private void notifyIpAuthFailureListeners(SecurityRequestChannel request, AuthCredentials authCredentials) { notifyIpAuthFailureListeners(request.getRemoteAddress().map(InetSocketAddress::getAddress).orElse(null), authCredentials, request); } @@ -574,7 +572,7 @@ public User call() throws Exception { } } - private User impersonate(final SecurityRequest request, final User originalUser) throws OpenSearchSecurityException { + private User impersonate(final SecurityRequestChannel request, final User originalUser) throws OpenSearchSecurityException { final String impersonatedUserHeader = request.header("opendistro_security_impersonate_as"); diff --git a/src/main/java/org/opensearch/security/auth/HTTPAuthenticator.java b/src/main/java/org/opensearch/security/auth/HTTPAuthenticator.java index 1ddc006445..4946982396 100644 --- a/src/main/java/org/opensearch/security/auth/HTTPAuthenticator.java +++ b/src/main/java/org/opensearch/security/auth/HTTPAuthenticator.java 
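Review bot: The final failure path in hunk `@@ -419,14 +417,14 @@` uses the fully qualified `org.apache.http.HttpStatus.SC_UNAUTHORIZED`, while the first hunk of this file imports `org.apache.hc.core5.http.HttpStatus` and the earlier call sites use that import. Two different `HttpStatus` classes for the same constant in one method is easy to misread, and `SecurityRestFilter` and `HTTPBasicAuthenticator` in this patch import the `org.apache.http` one again. Pick one class for the whole change and write this call like the others: `request.completeWithResponse(HttpStatus.SC_UNAUTHORIZED, null, "Authentication finally failed");`.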
@@ -28,9 +28,8 @@ import org.opensearch.OpenSearchSecurityException; import org.opensearch.common.util.concurrent.ThreadContext; -import org.opensearch.rest.RestChannel; import org.opensearch.rest.RestRequest; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.user.AuthCredentials; /** @@ -68,7 +67,7 @@ public interface HTTPAuthenticator { * If the authentication flow needs another roundtrip with the request originator do not mark it as complete. * @throws OpenSearchSecurityException */ - AuthCredentials extractCredentials(SecurityRequest request, ThreadContext context) throws OpenSearchSecurityException; + AuthCredentials extractCredentials(final SecurityRequestChannel request, final ThreadContext context) throws OpenSearchSecurityException; /** * If the {@code extractCredentials()} call was not successful or the authentication flow needs another roundtrip this method @@ -77,10 +76,10 @@ public interface HTTPAuthenticator { * If the custom HTTP authenticator does support re-request authentication or supports authentication flows with multiple roundtrips * then the response should be sent (through the channel) and true must be returned. * - * @param channel The rest channel to sent back the response via {@code channel.sendResponse()} + * @param channel The channel to sent back the response * @param credentials The credentials from the prior authentication attempt * @return false if re-request is not supported/necessary, true otherwise. * If true is returned {@code channel.sendResponse()} must be called so that the request completes. */ - boolean reRequestAuthentication(final RestChannel channel, AuthCredentials credentials); + boolean reRequestAuthentication(final SecurityRequestChannel channel, AuthCredentials credentials); } 
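Review bot: The Javadoc of `reRequestAuthentication` still tells implementers that `channel.sendResponse()` must be called (the unchanged `@return` text in hunk `@@ -77,10 +76,10 @@`), but the parameter is now a `SecurityRequestChannel`, which this patch gives no `sendResponse` method. Update the contract to the new API, for example `If true is returned {@code channel.completeWithResponse(...)} must have been called so that the request completes.`, and fix the `@param` wording to `The channel used to send back the response`. The implementations in this patch name the same parameter `request` or `response`; using `channel` everywhere would keep the interface and its implementers aligned.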
diff --git a/src/main/java/org/opensearch/security/auth/UserInjector.java b/src/main/java/org/opensearch/security/auth/UserInjector.java index 79b84fe237..57bc86e270 100644 --- a/src/main/java/org/opensearch/security/auth/UserInjector.java +++ b/src/main/java/org/opensearch/security/auth/UserInjector.java @@ -39,7 +39,7 @@ import org.opensearch.common.settings.Settings; import org.opensearch.core.common.transport.TransportAddress; import org.opensearch.security.auditlog.AuditLog; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.http.XFFResolver; import org.opensearch.security.support.ConfigConstants; import org.opensearch.security.support.SecurityUtils; @@ -172,7 +172,7 @@ public InjectedUser getInjectedUser() { return injectedUser; } - boolean injectUser(SecurityRequest request) { + boolean injectUser(SecurityRequestChannel request) { InjectedUser injectedUser = getInjectedUser(); if (injectedUser == null) { return false; diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java b/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java index 5f0ea37ac3..1e374ca303 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/AbstractApiAction.java @@ -49,7 +49,7 @@ import org.opensearch.security.dlic.rest.validation.EndpointValidator; import org.opensearch.security.dlic.rest.validation.RequestContentValidator; import org.opensearch.security.dlic.rest.validation.ValidationResult; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.filter.SecurityRequestFactory; import org.opensearch.security.securityconf.DynamicConfigFactory; import org.opensearch.security.securityconf.impl.CType; 
@@ -538,7 +538,7 @@ public void onFailure(Exception e) { protected final RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) throws IOException { // Fix channel ordering - final SecurityRequest securityRequest = SecurityRequestFactory.from(request, null); + final SecurityRequestChannel securityRequest = SecurityRequestFactory.from(request, null); // consume all parameters first so we can return a correct HTTP status, // not 400 diff --git a/src/main/java/org/opensearch/security/dlic/rest/api/RestApiPrivilegesEvaluator.java b/src/main/java/org/opensearch/security/dlic/rest/api/RestApiPrivilegesEvaluator.java index 45a9920443..4a427245a6 100644 --- a/src/main/java/org/opensearch/security/dlic/rest/api/RestApiPrivilegesEvaluator.java +++ b/src/main/java/org/opensearch/security/dlic/rest/api/RestApiPrivilegesEvaluator.java @@ -35,7 +35,7 @@ import org.opensearch.rest.RestRequest.Method; import org.opensearch.security.configuration.AdminDNs; import org.opensearch.security.dlic.rest.support.Utils; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.filter.SecurityRequestFactory; import org.opensearch.security.privileges.PrivilegesEvaluator; import org.opensearch.security.ssl.transport.PrincipalExtractor; @@ -449,7 +449,7 @@ private String checkAdminCertBasedAccessPermissions(RestRequest request) throws // Certificate based access, Check if we have an admin TLS certificate // TODO: Doesn't seem like the channel is needed here, but need to make sure this works correctly. - final SecurityRequest securityRequest = SecurityRequestFactory.from(request, null); + final SecurityRequestChannel securityRequest = SecurityRequestFactory.from(request, null); SSLRequestHelper.SSLInfo sslInfo = SSLRequestHelper.getSSLInfo(settings, configPath, securityRequest, principalExtractor); if (sslInfo == null) { 
diff --git a/src/main/java/org/opensearch/security/filter/SecurityRequest.java b/src/main/java/org/opensearch/security/filter/SecurityRequestChannel.java similarity index 74% rename from src/main/java/org/opensearch/security/filter/SecurityRequest.java rename to src/main/java/org/opensearch/security/filter/SecurityRequestChannel.java index 69d2e0be4d..1059226a40 100644 --- a/src/main/java/org/opensearch/security/filter/SecurityRequest.java +++ b/src/main/java/org/opensearch/security/filter/SecurityRequestChannel.java @@ -8,18 +8,22 @@ import javax.net.ssl.SSLEngine; -import org.opensearch.rest.RestChannel; import org.opensearch.rest.RestRequest; import org.opensearch.rest.RestRequest.Method; -public interface SecurityRequest { +/** + * When a request is recieved by the security plugin this governs getting information about the request as well as a way to complet + */ +public interface SecurityRequestChannel { + + public boolean hasCompleted(); + + public boolean completeWithResponse(final int statusCode, final Map headers, final String body); public Map> getHeaders(); public SSLEngine getSSLEngine(); - public RestChannel getRestChannel(); - public String path(); public Method method(); @@ -37,5 +41,6 @@ default public String header(final String headerName) { return headersMap.map(headers -> headers.get(headerName)).map(List::stream).flatMap(Stream::findFirst).orElse(null); } + public Map params(); } diff --git a/src/main/java/org/opensearch/security/filter/SecurityRequestFactory.java b/src/main/java/org/opensearch/security/filter/SecurityRequestFactory.java index 72727ff3bc..ebf9358f8b 100644 --- a/src/main/java/org/opensearch/security/filter/SecurityRequestFactory.java +++ b/src/main/java/org/opensearch/security/filter/SecurityRequestFactory.java 
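Review bot: The new class comment on `SecurityRequestChannel` is cut off mid-word ("a way to complet") and misspells "recieved", and the two added methods carry no documentation at all. Since every authenticator now ends a request through `completeWithResponse`, the interface should state what the boolean result means, whether `headers` may be null (the `BackendRegistry` and `SecurityRestFilter` call sites in this patch pass `null`), and what happens on a second call after `hasCompleted()` is true. Suggested class comment: `When a request is received by the security plugin this governs getting information about the request as well as a way to complete the request with a response.`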
@@ -4,9 +4,13 @@ import java.util.List; import java.util.Map; import java.util.Optional; +import java.util.concurrent.atomic.AtomicBoolean; import javax.net.ssl.SSLEngine; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; +import org.opensearch.common.collect.Tuple; import org.opensearch.http.netty4.Netty4HttpChannel; import org.opensearch.rest.RestChannel; import org.opensearch.rest.RestRequest; @@ -16,15 +20,19 @@ public class SecurityRequestFactory { - public static SecurityRequest from() { + public static SecurityRequestChannel from() { return null; } - public static SecurityRequest from(final RestRequest request, final RestChannel channel) { + public static SecurityRequestChannel from(final RestRequest request, final RestChannel channel) { return new SecurityRestRequest(request, channel); } - protected static class SecurityRestRequest implements SecurityRequest { + public static class SecurityRestRequest implements SecurityRequestChannel { + + private final Logger log = LogManager.getLogger(SecurityRestRequest.class); + + private AtomicBoolean hasCompleted = new AtomicBoolean(false); private final RestRequest underlyingRequest; private final RestChannel underlyingChannel; @@ -55,11 +63,6 @@ public SSLEngine getSSLEngine() { return sslhandler != null ? sslhandler.engine() : null; } - @Override - public RestChannel getRestChannel() { - return underlyingChannel; - } - @Override public String path() { return underlyingRequest.path(); 
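Review bot: The two fields added to `SecurityRestRequest` in hunk `@@ -16,15 +20,19 @@` are declared more loosely than the fields next to them: `hasCompleted` is a reassignable reference and the logger is created once per request object. Declare them as `private final AtomicBoolean hasCompleted = new AtomicBoolean(false);` and `private static final Logger log = LogManager.getLogger(SecurityRestRequest.class);`. The class also changes from `protected` to `public`, apparently so that callers can reach the `breakEncapulation` accessor added later in this file; a short comment saying who is allowed to use it would help keep that escape hatch from spreading.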
@@ -94,9 +97,34 @@ public Optional asRestRequest() { public Map params() { return underlyingRequest.params(); } + + @Override + public boolean hasCompleted() { + return hasCompleted.get(); + } + + @Override + public boolean completeWithResponse(int statusCode, Map headers, String body) { + try { + underlyingChannel.sendResponse(null); + return true; + } catch (final Exception e){ + log.error("Error when attempting to send response", e); + throw new RuntimeException(e); + } finally { + hasCompleted.set(true); + } + } + + /** + * Breaks the encapustion of the interface to get access to the underlying RestRequest / RestChannel. + */ + public Tuple breakEncapulation() { + return Tuple.tuple(underlyingRequest, underlyingChannel); + } } - protected static class NettyRequest implements SecurityRequest { + protected static class NettyRequest implements SecurityRequestChannel { @Override public Map> getHeaders() { // TODO Auto-generated method stub @@ -109,11 +137,11 @@ public SSLEngine getSSLEngine() { throw new UnsupportedOperationException("Unimplemented method 'getSSLEngine'"); } - @Override - public RestChannel getRestChannel() { - // TODO Auto-generated method stub - throw new UnsupportedOperationException("Unimplemented method 'getRestChannel'"); - } + // @Override + // public RestChannel getRestChannel() { + // // TODO Auto-generated method stub + // throw new UnsupportedOperationException("Unimplemented method 'getRestChannel'"); + // } @Override public String path() { 
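Review bot: `completeWithResponse` in hunk `@@ -94,9 +97,34 @@` ignores all three of its arguments and calls `underlyingChannel.sendResponse(null)`, so the 401/403/503 status, the `WWW-Authenticate` header and the message that the call sites in this patch pass in are never put on the wire. It also dereferences `underlyingChannel` without a check, while `AbstractApiAction`, `RestApiPrivilegesEvaluator` and `SecurityConfigUpdateAction` in this patch build the object with `SecurityRequestFactory.from(request, null)`. The method should build the response from its arguments, tolerate `headers == null`, and fail clearly when no channel is present; the sketch below uses the `BytesRestResponse` and `addHeader` calls that the removed call sites used and assumes the header map is `Map<String, String>`. The accessor name `breakEncapulation` and its comment ("encapustion") are misspelled as well.

```java
public boolean completeWithResponse(int statusCode, Map<String, String> headers, String body) {
    if (underlyingChannel == null) {
        throw new UnsupportedOperationException("No channel is available to send a response");
    }
    try {
        final BytesRestResponse restResponse = new BytesRestResponse(RestStatus.fromCode(statusCode), body);
        if (headers != null) {
            headers.forEach(restResponse::addHeader);
        }
        underlyingChannel.sendResponse(restResponse);
        return true;
    // … unchanged: catch block that logs and rethrows, finally block that sets hasCompleted …
```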
@@ -156,5 +184,17 @@ public Map params() { // TODO Auto-generated method stub throw new UnsupportedOperationException("Unimplemented method 'params'"); } + + @Override + public boolean hasCompleted() { + // TODO Auto-generated method stub + throw new UnsupportedOperationException("Unimplemented method 'hasCompleted'"); + } + + @Override + public boolean completeWithResponse(int statusCode, Map headers, String body) { + // TODO Auto-generated method stub + throw new UnsupportedOperationException("Unimplemented method 'completeWithResponse'"); + } } } diff --git a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java index 2b7d101653..0bbc17840e 100644 --- a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java +++ b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java @@ -37,6 +37,7 @@ import javax.net.ssl.SSLPeerUnverifiedException; +import org.apache.http.HttpStatus; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.greenrobot.eventbus.Subscribe; @@ -132,7 +133,7 @@ public SecurityRestFilter( public RestHandler wrap(RestHandler original, AdminDNs adminDNs) { return (request, channel, client) -> { org.apache.logging.log4j.ThreadContext.clearAll(); - final SecurityRequest securityRequest = SecurityRequestFactory.from(request, channel); + final SecurityRequestChannel securityRequest = SecurityRequestFactory.from(request, channel); Optional failureResponse = checkAndAuthenticateRequest(securityRequest); if (failureResponse.isEmpty()) { final User user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER); 
@@ -166,7 +167,7 @@ private boolean userIsSuperAdmin(User user, AdminDNs adminDNs) { return user != null && adminDNs.isAdmin(user); } - private boolean authorizeRequest(RestHandler original, SecurityRequest request, User user) { + private boolean authorizeRequest(RestHandler original, SecurityRequestChannel request, User user) { List restRoutes = original.routes(); Optional handler = restRoutes.stream() @@ -204,7 +205,7 @@ private boolean authorizeRequest(RestHandler original, SecurityRequest request, err = String.format("no permissions for %s and %s", pres.getMissingPrivileges(), user); } log.debug(err); - request.getRestChannel().sendResponse(new BytesRestResponse(RestStatus.UNAUTHORIZED, err)); + request.completeWithResponse(HttpStatus.SC_UNAUTHORIZED, null, err); return false; } } @@ -219,7 +220,7 @@ public interface ResponseAction { } - public Optional checkAndAuthenticateRequest(SecurityRequest request) throws Exception { + public Optional checkAndAuthenticateRequest(SecurityRequestChannel request) throws Exception { threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN, Origin.REST.toString()); if (HTTPHelper.containsBadHeader(request)) { diff --git a/src/main/java/org/opensearch/security/http/HTTPBasicAuthenticator.java b/src/main/java/org/opensearch/security/http/HTTPBasicAuthenticator.java index ae393e5028..6c67050ecc 100644 --- a/src/main/java/org/opensearch/security/http/HTTPBasicAuthenticator.java +++ b/src/main/java/org/opensearch/security/http/HTTPBasicAuthenticator.java @@ -27,7 +27,9 @@ package org.opensearch.security.http; import java.nio.file.Path; +import java.util.Map; +import org.apache.http.HttpStatus; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; 
@@ -37,7 +39,7 @@ import org.opensearch.rest.RestChannel; import org.opensearch.core.rest.RestStatus; import org.opensearch.security.auth.HTTPAuthenticator; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.support.HTTPHelper; import org.opensearch.security.user.AuthCredentials; @@ -51,7 +53,7 @@ public HTTPBasicAuthenticator(final Settings settings, final Path configPath) { } @Override - public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext threadContext) { + public AuthCredentials extractCredentials(final SecurityRequestChannel request, final ThreadContext threadContext) { final boolean forceLogin = Boolean.getBoolean(request.params().get("force_login")); @@ -65,11 +67,11 @@ public AuthCredentials extractCredentials(final SecurityRequest request, final T } @Override - public boolean reRequestAuthentication(final RestChannel channel, AuthCredentials creds) { - final BytesRestResponse wwwAuthenticateResponse = new BytesRestResponse(RestStatus.UNAUTHORIZED, "Unauthorized"); - wwwAuthenticateResponse.addHeader("WWW-Authenticate", "Basic realm=\"OpenSearch Security\""); - channel.sendResponse(wwwAuthenticateResponse); - return true; + public boolean reRequestAuthentication(final SecurityRequestChannel request, AuthCredentials creds) { + return request.completeWithResponse( + HttpStatus.SC_UNAUTHORIZED, + Map.of("WWW-Authenticate", "Bearer realm=\"OpenSearch Security\""), + ""); } @Override diff --git a/src/main/java/org/opensearch/security/http/HTTPClientCertAuthenticator.java b/src/main/java/org/opensearch/security/http/HTTPClientCertAuthenticator.java index 03221e810b..5be9b23739 100644 --- a/src/main/java/org/opensearch/security/http/HTTPClientCertAuthenticator.java +++ b/src/main/java/org/opensearch/security/http/HTTPClientCertAuthenticator.java 
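Review bot: The rewritten `reRequestAuthentication` in hunk `@@ -65,11 +67,11 @@` changes the challenge of the HTTP Basic authenticator from `Basic realm="OpenSearch Security"` to `Bearer realm="OpenSearch Security"` and replaces the body `"Unauthorized"` with an empty string. A client that receives a Bearer challenge has no reason to retry with Basic credentials, and the trace message in `BackendRegistry` still says 'WWW-Authenticate Basic', so this looks unintended for a commit described as a type switch. Keep the previous values: `Map.of("WWW-Authenticate", "Basic realm=\"OpenSearch Security\""), "Unauthorized");`. The `RestChannel` and `RestStatus` imports shown as context in the first hunk may no longer be needed in this file after the change.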
@@ -43,7 +43,7 @@ import org.opensearch.core.common.Strings; import org.opensearch.rest.RestChannel; import org.opensearch.security.auth.HTTPAuthenticator; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.support.ConfigConstants; import org.opensearch.security.user.AuthCredentials; @@ -57,7 +57,7 @@ public HTTPClientCertAuthenticator(final Settings settings, final Path configPat } @Override - public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext threadContext) { + public AuthCredentials extractCredentials(final SecurityRequestChannel request, final ThreadContext threadContext) { final String principal = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_PRINCIPAL); @@ -98,7 +98,7 @@ public AuthCredentials extractCredentials(final SecurityRequest request, final T } @Override - public boolean reRequestAuthentication(final RestChannel channel, AuthCredentials creds) { + public boolean reRequestAuthentication(final SecurityRequestChannel response, AuthCredentials creds) { return false; } diff --git a/src/main/java/org/opensearch/security/http/HTTPProxyAuthenticator.java b/src/main/java/org/opensearch/security/http/HTTPProxyAuthenticator.java index d835a6a081..c9c7309ce1 100644 --- a/src/main/java/org/opensearch/security/http/HTTPProxyAuthenticator.java +++ b/src/main/java/org/opensearch/security/http/HTTPProxyAuthenticator.java @@ -39,7 +39,7 @@ import org.opensearch.core.common.Strings; import org.opensearch.rest.RestChannel; import org.opensearch.security.auth.HTTPAuthenticator; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.support.ConfigConstants; import org.opensearch.security.user.AuthCredentials; 
@@ -56,7 +56,7 @@ public HTTPProxyAuthenticator(Settings settings, final Path configPath) { } @Override - public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext context) { + public AuthCredentials extractCredentials(final SecurityRequestChannel request, final ThreadContext context) { if (context.getTransient(ConfigConstants.OPENDISTRO_SECURITY_XFF_DONE) != Boolean.TRUE) { throw new OpenSearchSecurityException("xff not done"); @@ -89,7 +89,8 @@ public AuthCredentials extractCredentials(final SecurityRequest request, final T } @Override - public boolean reRequestAuthentication(final RestChannel channel, AuthCredentials creds) { + public boolean reRequestAuthentication(final +SecurityRequestChannel response, AuthCredentials creds) { return false; } diff --git a/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java b/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java index 2a47853ec2..2033054c3e 100644 --- a/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java +++ b/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java @@ -37,7 +37,7 @@ import org.opensearch.rest.RestRequest; import org.opensearch.security.auth.HTTPAuthenticator; import org.opensearch.security.authtoken.jwt.EncryptionDecryptionUtil; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.ssl.util.ExceptionUtils; import org.opensearch.security.user.AuthCredentials; import org.opensearch.security.util.KeyUtils; 
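Review bot: The new `reRequestAuthentication` signature in hunk `@@ -89,7 +89,8 @@` is broken across two lines after `final`, with the continuation starting at column 0, and the parameter is named `response` although the interface calls it `channel`. The same two-line form appears in `OnBehalfOfAuthenticator` and `HTTPExtendedProxyAuthenticator` later in this patch. Write it on one line in all three places: `public boolean reRequestAuthentication(final SecurityRequestChannel channel, AuthCredentials creds) {`. The `org.opensearch.rest.RestChannel` import that stays as context in these files is probably unused afterwards and could be dropped.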
@@ -122,7 +122,7 @@ private String[] extractBackendRolesFromClaims(Claims claims) { @Override @SuppressWarnings("removal") - public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext context) + public AuthCredentials extractCredentials(final SecurityRequestChannel request, final ThreadContext context) throws OpenSearchSecurityException { final SecurityManager sm = System.getSecurityManager(); @@ -140,7 +140,7 @@ public AuthCredentials run() { return creds; } - private AuthCredentials extractCredentials0(final SecurityRequest request) { + private AuthCredentials extractCredentials0(final SecurityRequestChannel request) { if (!oboEnabled) { log.error("On-behalf-of authentication is disabled"); return null; @@ -204,7 +204,7 @@ private AuthCredentials extractCredentials0(final SecurityRequest request) { return null; } - private String extractJwtFromHeader(SecurityRequest request) { + private String extractJwtFromHeader(SecurityRequestChannel request) { String jwtToken = request.header(HttpHeaders.AUTHORIZATION); if (jwtToken == null || jwtToken.isEmpty()) { @@ -232,7 +232,7 @@ private void logDebug(String message, Object... args) { } } - public Boolean isRequestAllowed(final SecurityRequest request) { + public Boolean isRequestAllowed(final SecurityRequestChannel request) { Matcher matcher = PATTERN_PATH_PREFIX.matcher(request.path()); final String suffix = matcher.matches() ? matcher.group(2) : null; if (request.method() == RestRequest.Method.POST && ON_BEHALF_OF_SUFFIX.equals(suffix) @@ -245,7 +245,8 @@ public Boolean isRequestAllowed(final SecurityRequest request) { } @Override - public boolean reRequestAuthentication(final RestChannel channel, AuthCredentials creds) { + public boolean reRequestAuthentication(final +SecurityRequestChannel response, AuthCredentials creds) { return false; } 
diff --git a/src/main/java/org/opensearch/security/http/RemoteIpDetector.java b/src/main/java/org/opensearch/security/http/RemoteIpDetector.java index 7b76a82c42..2aba89f79b 100644 --- a/src/main/java/org/opensearch/security/http/RemoteIpDetector.java +++ b/src/main/java/org/opensearch/security/http/RemoteIpDetector.java @@ -53,7 +53,7 @@ import org.apache.logging.log4j.Logger; import org.opensearch.common.util.concurrent.ThreadContext; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.support.ConfigConstants; final class RemoteIpDetector { @@ -116,7 +116,7 @@ public String getRemoteIpHeader() { return remoteIpHeader; } - String detect(SecurityRequest request, ThreadContext threadContext) { + String detect(SecurityRequestChannel request, ThreadContext threadContext) { final String originalRemoteAddr = request.getRemoteAddress() .map(InetSocketAddress::getAddress) diff --git a/src/main/java/org/opensearch/security/http/XFFResolver.java b/src/main/java/org/opensearch/security/http/XFFResolver.java index 68fe0307cd..90e373a874 100644 --- a/src/main/java/org/opensearch/security/http/XFFResolver.java +++ b/src/main/java/org/opensearch/security/http/XFFResolver.java @@ -35,7 +35,7 @@ import org.opensearch.OpenSearchSecurityException; import org.opensearch.core.common.transport.TransportAddress; import org.opensearch.common.util.concurrent.ThreadContext; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.securityconf.DynamicConfigModel; import org.opensearch.security.support.ConfigConstants; import org.opensearch.threadpool.ThreadPool; 
@@ -52,7 +52,7 @@ public XFFResolver(final ThreadPool threadPool) { this.threadContext = threadPool.getThreadContext(); } - public TransportAddress resolve(final SecurityRequest request) throws OpenSearchSecurityException { + public TransportAddress resolve(final SecurityRequestChannel request) throws OpenSearchSecurityException { final boolean isTraceEnabled = log.isTraceEnabled(); if (isTraceEnabled) { log.trace("resolve {}", request.getRemoteAddress().orElse(null)); diff --git a/src/main/java/org/opensearch/security/http/proxy/HTTPExtendedProxyAuthenticator.java b/src/main/java/org/opensearch/security/http/proxy/HTTPExtendedProxyAuthenticator.java index 4231bf6c57..cd08b4ca95 100644 --- a/src/main/java/org/opensearch/security/http/proxy/HTTPExtendedProxyAuthenticator.java +++ b/src/main/java/org/opensearch/security/http/proxy/HTTPExtendedProxyAuthenticator.java @@ -38,7 +38,7 @@ import org.opensearch.common.util.concurrent.ThreadContext; import org.opensearch.core.common.Strings; import org.opensearch.rest.RestChannel; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.http.HTTPProxyAuthenticator; import org.opensearch.security.user.AuthCredentials; @@ -55,7 +55,7 @@ public HTTPExtendedProxyAuthenticator(Settings settings, final Path configPath) } @Override - public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext context) { + public AuthCredentials extractCredentials(final SecurityRequestChannel request, final ThreadContext context) { AuthCredentials credentials = super.extractCredentials(request, context); if (credentials == null) { return null; 
@@ -85,7 +85,8 @@ public AuthCredentials extractCredentials(final SecurityRequest request, final T } @Override - public boolean reRequestAuthentication(final RestChannel channel, AuthCredentials creds) { + public boolean reRequestAuthentication(final +SecurityRequestChannel response, AuthCredentials creds) { return false; } diff --git a/src/main/java/org/opensearch/security/rest/SecurityConfigUpdateAction.java b/src/main/java/org/opensearch/security/rest/SecurityConfigUpdateAction.java index 05f4d7ef20..c87e421f44 100644 --- a/src/main/java/org/opensearch/security/rest/SecurityConfigUpdateAction.java +++ b/src/main/java/org/opensearch/security/rest/SecurityConfigUpdateAction.java @@ -29,7 +29,7 @@ import org.opensearch.security.action.configupdate.ConfigUpdateAction; import org.opensearch.security.action.configupdate.ConfigUpdateRequest; import org.opensearch.security.configuration.AdminDNs; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.filter.SecurityRequestFactory; import org.opensearch.security.ssl.transport.PrincipalExtractor; import org.opensearch.security.ssl.util.SSLRequestHelper; @@ -76,7 +76,7 @@ protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient cli String[] configTypes = request.paramAsStringArrayOrEmptyIfAll("config_types"); // TODO: Need to re-write with a RestChannelConsumer - final SecurityRequest securityRequest = SecurityRequestFactory.from(request, null); + final SecurityRequestChannel securityRequest = SecurityRequestFactory.from(request, null); SSLRequestHelper.SSLInfo sslInfo = SSLRequestHelper.getSSLInfo(settings, configPath, securityRequest, principalExtractor); if (sslInfo == null) { diff --git a/src/main/java/org/opensearch/security/rest/SecurityWhoAmIAction.java b/src/main/java/org/opensearch/security/rest/SecurityWhoAmIAction.java index a7f92f306b..bfc2b99a0e 100644 
--- a/src/main/java/org/opensearch/security/rest/SecurityWhoAmIAction.java +++ b/src/main/java/org/opensearch/security/rest/SecurityWhoAmIAction.java @@ -32,7 +32,7 @@ import org.opensearch.rest.RestRequest; import org.opensearch.core.rest.RestStatus; import org.opensearch.security.configuration.AdminDNs; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.filter.SecurityRequestFactory; import org.opensearch.security.ssl.transport.PrincipalExtractor; import org.opensearch.security.ssl.util.SSLRequestHelper; @@ -99,7 +99,7 @@ public void accept(RestChannel channel) throws Exception { BytesRestResponse response = null; try { - final SecurityRequest securityRequest = SecurityRequestFactory.from(request, channel); + final SecurityRequestChannel securityRequest = SecurityRequestFactory.from(request, channel); ; SSLInfo sslInfo = SSLRequestHelper.getSSLInfo(settings, configPath, securityRequest, principalExtractor); diff --git a/src/main/java/org/opensearch/security/ssl/SslExceptionHandler.java b/src/main/java/org/opensearch/security/ssl/SslExceptionHandler.java index be120b2acd..73f4aceb4d 100644 --- a/src/main/java/org/opensearch/security/ssl/SslExceptionHandler.java +++ b/src/main/java/org/opensearch/security/ssl/SslExceptionHandler.java @@ -18,7 +18,7 @@ package org.opensearch.security.ssl; import org.opensearch.rest.RestRequest; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.tasks.Task; import org.opensearch.transport.TransportRequest; @@ -36,7 +36,7 @@ default void logError(Throwable t, final TransportRequest request, String action // no-op } - default void logError(Throwable t, SecurityRequest request, int type) { + default void logError(Throwable t, SecurityRequestChannel request, int type) { this.logError(t, request.asRestRequest().get(), type); } } 
diff --git a/src/main/java/org/opensearch/security/ssl/http/netty/ValidatingDispatcher.java b/src/main/java/org/opensearch/security/ssl/http/netty/ValidatingDispatcher.java index af17607468..91126d6596 100644 --- a/src/main/java/org/opensearch/security/ssl/http/netty/ValidatingDispatcher.java +++ b/src/main/java/org/opensearch/security/ssl/http/netty/ValidatingDispatcher.java @@ -33,7 +33,7 @@ import org.opensearch.rest.RestChannel; import org.opensearch.rest.RestRequest; import org.opensearch.core.rest.RestStatus; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.filter.SecurityRequestFactory; import org.opensearch.security.ssl.SslExceptionHandler; import org.opensearch.security.ssl.util.ExceptionUtils; @@ -85,7 +85,7 @@ protected void checkRequest(final RestRequest request, final RestChannel channel } try { - final SecurityRequest securityReqest = SecurityRequestFactory.from(request, channel); + final SecurityRequestChannel securityReqest = SecurityRequestFactory.from(request, channel); if (SSLRequestHelper.getSSLInfo(settings, configPath, securityReqest, null) == null) { logger.error("Not an SSL request"); throw new OpenSearchSecurityException("Not an SSL request", RestStatus.INTERNAL_SERVER_ERROR); diff --git a/src/main/java/org/opensearch/security/ssl/rest/SecuritySSLInfoAction.java b/src/main/java/org/opensearch/security/ssl/rest/SecuritySSLInfoAction.java index 982fea2d5d..863d1dbab2 100644 --- a/src/main/java/org/opensearch/security/ssl/rest/SecuritySSLInfoAction.java +++ b/src/main/java/org/opensearch/security/ssl/rest/SecuritySSLInfoAction.java 
@@ -39,7 +39,7 @@ import org.opensearch.rest.RestRequest; import org.opensearch.rest.RestRequest.Method; import org.opensearch.core.rest.RestStatus; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.filter.SecurityRequestFactory; import org.opensearch.security.ssl.SecurityKeyStore; import org.opensearch.security.ssl.transport.PrincipalExtractor; @@ -86,7 +86,7 @@ public void accept(RestChannel channel) throws Exception { BytesRestResponse response = null; try { - final SecurityRequest securityRequest = SecurityRequestFactory.from(request, channel); + final SecurityRequestChannel securityRequest = SecurityRequestFactory.from(request, channel); ; SSLInfo sslInfo = SSLRequestHelper.getSSLInfo(settings, configPath, securityRequest, principalExtractor); X509Certificate[] certs = sslInfo == null ? null : sslInfo.getX509Certs(); diff --git a/src/main/java/org/opensearch/security/ssl/util/SSLRequestHelper.java b/src/main/java/org/opensearch/security/ssl/util/SSLRequestHelper.java index df92bfc703..3d896fe0b7 100644 --- a/src/main/java/org/opensearch/security/ssl/util/SSLRequestHelper.java +++ b/src/main/java/org/opensearch/security/ssl/util/SSLRequestHelper.java @@ -44,7 +44,7 @@ import org.opensearch.common.settings.Settings; import org.opensearch.common.util.concurrent.ThreadContext; import org.opensearch.env.Environment; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.ssl.transport.PrincipalExtractor; import org.opensearch.security.ssl.transport.PrincipalExtractor.Type; 
@@ -119,7 +119,7 @@ public String toString() { public static SSLInfo getSSLInfo( final Settings settings, final Path configPath, - final SecurityRequest request, + final SecurityRequestChannel request, PrincipalExtractor principalExtractor ) throws SSLPeerUnverifiedException { final SSLEngine engine = request.getSSLEngine(); diff --git a/src/main/java/org/opensearch/security/support/HTTPHelper.java b/src/main/java/org/opensearch/security/support/HTTPHelper.java index 10763ce35b..8e2de6daa6 100644 --- a/src/main/java/org/opensearch/security/support/HTTPHelper.java +++ b/src/main/java/org/opensearch/security/support/HTTPHelper.java @@ -33,7 +33,7 @@ import org.apache.logging.log4j.Logger; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.user.AuthCredentials; public class HTTPHelper { @@ -86,7 +86,7 @@ public static AuthCredentials extractCredentials(String authorizationHeader, Log } } - public static boolean containsBadHeader(final SecurityRequest request) { + public static boolean containsBadHeader(final SecurityRequestChannel request) { final Map> headers; diff --git a/src/test/java/org/opensearch/security/auditlog/helper/MockRestRequest.java b/src/test/java/org/opensearch/security/auditlog/helper/MockRestRequest.java index 2679457864..80c8fd7b17 100644 --- a/src/test/java/org/opensearch/security/auditlog/helper/MockRestRequest.java +++ b/src/test/java/org/opensearch/security/auditlog/helper/MockRestRequest.java @@ -16,7 +16,7 @@ import org.opensearch.core.common.bytes.BytesReference; import org.opensearch.core.xcontent.NamedXContentRegistry; import org.opensearch.rest.RestRequest; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.filter.SecurityRequestFactory; public class MockRestRequest extends RestRequest { 
@@ -47,7 +47,7 @@ public BytesReference content() { return null; } - public SecurityRequest asSecurityRequest() { + public SecurityRequestChannel asSecurityRequest() { return SecurityRequestFactory.from(this, null); } } diff --git a/src/test/java/org/opensearch/security/auditlog/impl/AuditlogTest.java b/src/test/java/org/opensearch/security/auditlog/impl/AuditlogTest.java index 1d31d3c425..935fb924a3 100644 --- a/src/test/java/org/opensearch/security/auditlog/impl/AuditlogTest.java +++ b/src/test/java/org/opensearch/security/auditlog/impl/AuditlogTest.java @@ -24,7 +24,7 @@ import org.opensearch.security.auditlog.AuditTestUtils; import org.opensearch.security.auditlog.helper.RetrySink; import org.opensearch.security.auditlog.integration.TestAuditlogImpl; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.support.ConfigConstants; import org.opensearch.security.test.AbstractSecurityUnitTest; import org.opensearch.transport.TransportRequest; @@ -132,7 +132,7 @@ public void testRestFilterEnabledCheck() { final Settings settings = Settings.builder().put(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, false).build(); final AbstractAuditLog al = AuditTestUtils.createAuditLog(settings, null, null, AbstractSecurityUnitTest.MOCK_POOL, null, cs); for (AuditCategory category : AuditCategory.values()) { - Assert.assertFalse(al.checkRestFilter(category, "user", mock(SecurityRequest.class))); + Assert.assertFalse(al.checkRestFilter(category, "user", mock(SecurityRequestChannel.class))); } } diff --git a/src/test/java/org/opensearch/security/cache/DummyHTTPAuthenticator.java b/src/test/java/org/opensearch/security/cache/DummyHTTPAuthenticator.java index 5651b25e8b..67bbc3879b 100644 --- a/src/test/java/org/opensearch/security/cache/DummyHTTPAuthenticator.java +++ b/src/test/java/org/opensearch/security/cache/DummyHTTPAuthenticator.java 
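Review bot: `MockRestRequest.asSecurityRequest()` now returns a `SecurityRequestChannel` but still builds it with `SecurityRequestFactory.from(this, null)`, so the channel half of the object is null. If the new type is meant to send responses through the channel (the factory changes are not visible here), any code under test that does so will fail with a NullPointerException instead of a meaningful assertion. Consider passing a mock `RestChannel`, or adding a comment such as `// channel is null: only request-side accessors may be used in tests`. The method name also no longer matches its return type. The same applies to the helpers in `HTTPExtendedProxyAuthenticatorTest` and `FakeRestRequest` further down.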
@@ -18,7 +18,7 @@ import org.opensearch.common.util.concurrent.ThreadContext; import org.opensearch.rest.RestChannel; import org.opensearch.security.auth.HTTPAuthenticator; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.user.AuthCredentials; public class DummyHTTPAuthenticator implements HTTPAuthenticator { @@ -33,7 +33,7 @@ public String getType() { } @Override - public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext context) + public AuthCredentials extractCredentials(final SecurityRequestChannel request, final ThreadContext context) throws OpenSearchSecurityException { count++; return new AuthCredentials("dummy").markComplete(); diff --git a/src/test/java/org/opensearch/security/http/proxy/HTTPExtendedProxyAuthenticatorTest.java b/src/test/java/org/opensearch/security/http/proxy/HTTPExtendedProxyAuthenticatorTest.java index 5a71c7ff7e..f7a2011a68 100644 --- a/src/test/java/org/opensearch/security/http/proxy/HTTPExtendedProxyAuthenticatorTest.java +++ b/src/test/java/org/opensearch/security/http/proxy/HTTPExtendedProxyAuthenticatorTest.java @@ -47,7 +47,7 @@ import org.opensearch.rest.RestRequest; import org.opensearch.rest.RestRequest.Method; import org.opensearch.core.rest.RestStatus; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.filter.SecurityRequestFactory; import org.opensearch.security.support.ConfigConstants; import org.opensearch.security.user.AuthCredentials; @@ -165,7 +165,7 @@ public boolean hasContent() { return false; } - public SecurityRequest asSecurityRequest() { + public SecurityRequestChannel asSecurityRequest() { return SecurityRequestFactory.from(this, null); } } 
diff --git a/src/test/java/org/opensearch/security/util/FakeRestRequest.java b/src/test/java/org/opensearch/security/util/FakeRestRequest.java index db7538bcdb..121ddf778e 100644 --- a/src/test/java/org/opensearch/security/util/FakeRestRequest.java +++ b/src/test/java/org/opensearch/security/util/FakeRestRequest.java @@ -18,7 +18,7 @@ import org.opensearch.core.common.bytes.BytesReference; import org.opensearch.rest.RestRequest; -import org.opensearch.security.filter.SecurityRequest; +import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.security.filter.SecurityRequestFactory; public class FakeRestRequest extends RestRequest { @@ -119,7 +119,7 @@ private static Map> convert(Map headers) { return ret; } - public SecurityRequest asSecurityRequest() { + public SecurityRequestChannel asSecurityRequest() { return SecurityRequestFactory.from(this, null); } }