diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java
index 87ffbfe435..707a3c791f 100644
--- a/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java
+++ b/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java
@@ -186,8 +186,8 @@ public boolean reRequestAuthentication(final SecurityRequestChannel request, fin
 throw new SecurityRequetChannelUnsupported();
 } else {
 final SecurityRestRequest securityRequestChannel = (SecurityRestRequest) request;
- final RestRequest restRequest = securityRequestChannel.breakEncapulation().v1();
- final RestChannel channel = securityRequestChannel.breakEncapulation().v2();
+ final RestRequest restRequest = securityRequestChannel.breakEncapsulation().v1();
+ final RestChannel channel = securityRequestChannel.breakEncapsulation().v2();
 if (this.authTokenProcessorHandler.handle(restRequest, channel)) {
 // The ACS response was accepted
 securityRequestChannel.markCompleted();
diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
index 983f841cad..488fbeff8e 100644
--- a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
+++ b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
@@ -49,6 +49,7 @@
 import org.opensearch.security.auditlog.config.AuditConfig;
 import org.opensearch.security.dlic.rest.support.Utils;
 import org.opensearch.security.filter.SecurityRequestChannel;
+import org.opensearch.security.filter.SecurityRequestFactory.SecurityRestRequest;
 import org.opensearch.security.securityconf.impl.CType;
 import org.opensearch.security.support.WildcardMatcher;
 
@@ -378,11 +379,23 @@ void addRestRequestInfo(final SecurityRequestChannel request, final AuditConfig. addRestParams(request.params()); addRestMethod(request.method()); - if (filter.shouldLogRequestBody() - && request.asRestRequest().isPresent() - && request.asRestRequest().get().hasContentOrSourceParam()) { + if (filter.shouldLogRequestBody()) { + + if (!(request instanceof SecurityRestRequest)) { + // The request body is only avaliable on some request sources + return; + } + + final SecurityRestRequest securityRestRequest = (SecurityRestRequest)request; + final RestRequest restRequest = securityRestRequest.breakEncapsulation().v1(); + + if (!(restRequest.hasContentOrSourceParam())) { + // If there is no content, don't attempt to save any body information + return; + } + try { - final Tuple xContentTuple = request.asRestRequest().get().contentOrSourceParam(); + final Tuple xContentTuple = restRequest.contentOrSourceParam(); final String requestBody = XContentHelper.convertToJson(xContentTuple.v2(), false, xContentTuple.v1()); if (path != null && requestBody != null diff --git a/src/main/java/org/opensearch/security/filter/SecurityRequestChannel.java b/src/main/java/org/opensearch/security/filter/SecurityRequestChannel.java index e3b5839f5f..63dba6c76c 100644 --- a/src/main/java/org/opensearch/security/filter/SecurityRequestChannel.java +++ b/src/main/java/org/opensearch/security/filter/SecurityRequestChannel.java @@ -8,7 +8,6 @@ import javax.net.ssl.SSLEngine; -import org.opensearch.rest.RestRequest; import org.opensearch.rest.RestRequest.Method; /** 
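Review bot: In `AuditMessage.addRestRequestInfo`, the two added `return;` statements leave the whole method, whereas the old combined condition only skipped the body-logging block. Anything that follows the `try` (the method continues outside this hunk) is now skipped too whenever the request is not a `SecurityRestRequest` or has no content. Folding the checks back into the condition keeps the old control flow, e.g. `if (filter.shouldLogRequestBody() && request instanceof SecurityRestRequest) {` with a nested `if (restRequest.hasContentOrSourceParam()) {`. Because audit records for other request sources then silently carry no body, a comment should say so, for example `// Request bodies are only audited for SecurityRestRequest; other sources produce a record without a body`. The existing comment also misspells "available".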
@@ -30,12 +29,8 @@ public interface SecurityRequestChannel { public Optional getRemoteAddress(); - public boolean sourcedFromNetty(); - public String uri(); - public Optional asRestRequest(); - default public String header(final String headerName) { final Optional>> headersMap = Optional.ofNullable(getHeaders()); return headersMap.map(headers -> headers.get(headerName)).map(List::stream).flatMap(Stream::findFirst).orElse(null); diff --git a/src/main/java/org/opensearch/security/filter/SecurityRequestFactory.java b/src/main/java/org/opensearch/security/filter/SecurityRequestFactory.java index e6a316a182..59dd0b7d63 100644 --- a/src/main/java/org/opensearch/security/filter/SecurityRequestFactory.java +++ b/src/main/java/org/opensearch/security/filter/SecurityRequestFactory.java @@ -11,7 +11,9 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.opensearch.common.collect.Tuple; +import org.opensearch.core.rest.RestStatus; import org.opensearch.http.netty4.Netty4HttpChannel; +import org.opensearch.rest.BytesRestResponse; import org.opensearch.rest.RestChannel; import org.opensearch.rest.RestRequest; import org.opensearch.rest.RestRequest.Method; @@ -78,21 +80,16 @@ public Optional getRemoteAddress() { return Optional.ofNullable(this.underlyingRequest.getHttpChannel().getRemoteAddress()); } - @Override - public boolean sourcedFromNetty() { - return underlyingRequest.getHttpChannel() instanceof Netty4HttpChannel; - } + // @Override + // public boolean sourcedFromNetty() { + // return underlyingRequest.getHttpChannel() instanceof Netty4HttpChannel; + // } @Override public String uri() { return underlyingRequest.uri(); } - @Override - public Optional asRestRequest() { - return Optional.of(underlyingRequest); - } - @Override public Map params() { return underlyingRequest.params(); 
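Review bot: The `sourcedFromNetty()` override in `SecurityRequestFactory.java` (hunk `@@ -78,21 +80,16 @@`) is commented out rather than deleted, although the interface method it implemented is removed from `SecurityRequestChannel` and the same check now lives in `XFFResolver.resolve`. Commented-out code drifts away from the real check and invites someone to revive it, so delete the four `//` lines. `import org.opensearch.http.netty4.Netty4HttpChannel;` stays as context in the import hunk; if nothing else in the file uses it, it can go as well, which cannot be confirmed from the visible lines.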
@@ -106,7 +103,10 @@ public boolean hasCompleted() { @Override public boolean completeWithResponse(int statusCode, Map headers, String body) { try { - underlyingChannel.sendResponse(null); + final BytesRestResponse restResponse = new BytesRestResponse(RestStatus.fromCode(statusCode), body); + headers.forEach(restResponse::addHeader); + underlyingChannel.sendResponse(restResponse); + return true; } catch (final Exception e) { log.error("Error when attempting to send response", e); @@ -119,7 +119,7 @@ public boolean completeWithResponse(int statusCode, Map headers, /** * Breaks the encapustion of the interface to get access to the underlying RestRequest / RestChannel. */ - public Tuple breakEncapulation() { + public Tuple breakEncapsulation() { return Tuple.tuple(underlyingRequest, underlyingChannel); } @@ -142,12 +142,6 @@ public SSLEngine getSSLEngine() { throw new UnsupportedOperationException("Unimplemented method 'getSSLEngine'"); } - // @Override - // public RestChannel getRestChannel() { - // // TODO Auto-generated method stub - // throw new UnsupportedOperationException("Unimplemented method 'getRestChannel'"); - // } - @Override public String path() { // TODO Auto-generated method stub @@ -166,24 +160,12 @@ public Optional getRemoteAddress() { throw new UnsupportedOperationException("Unimplemented method 'getRemoteAddress'"); } - @Override - public boolean sourcedFromNetty() { - // TODO Auto-generated method stub - throw new UnsupportedOperationException("Unimplemented method 'sourcedFromNetty'"); - } - @Override public String uri() { // TODO Auto-generated method stub throw new UnsupportedOperationException("Unimplemented method 'uri'"); } - @Override - public Optional asRestRequest() { - // TODO Auto-generated method stub - throw new UnsupportedOperationException("Unimplemented method 'asRestRequest'"); - } - @Override public Map params() { // TODO Auto-generated method stub 
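Review bot: In `completeWithResponse`, `headers.forEach(restResponse::addHeader)` throws when `headers` is null, and a null `body` may fail the same way inside `new BytesRestResponse(...)`. Either exception is swallowed by the `catch (final Exception e)` below, so the response is logged but never sent. If this method is the path used to reject a request, a caller that passes no headers should still get its status and body delivered; guard with `if (headers != null) { headers.forEach(restResponse::addHeader); }` and pass `body == null ? "" : body`. `RestStatus.fromCode(statusCode)` also appears to return null for codes it does not know (confirm against the RestStatus source), so validate the code up front rather than rely on the catch-all. What the method returns after the catch is outside the hunk.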
diff --git a/src/main/java/org/opensearch/security/http/XFFResolver.java b/src/main/java/org/opensearch/security/http/XFFResolver.java index 90e373a874..47a5f7c3bc 100644 --- a/src/main/java/org/opensearch/security/http/XFFResolver.java +++ b/src/main/java/org/opensearch/security/http/XFFResolver.java @@ -34,8 +34,13 @@ import org.opensearch.OpenSearchSecurityException; import org.opensearch.core.common.transport.TransportAddress; +import org.opensearch.http.netty4.Netty4HttpChannel; +import org.opensearch.rest.RestChannel; +import org.opensearch.rest.RestRequest; import org.opensearch.common.util.concurrent.ThreadContext; import org.opensearch.security.filter.SecurityRequestChannel; +import org.opensearch.security.filter.SecurityRequestFactory.SecurityRestRequest; +import org.opensearch.security.filter.SecurityRequetChannelUnsupported; import org.opensearch.security.securityconf.DynamicConfigModel; import org.opensearch.security.support.ConfigConstants; import org.opensearch.threadpool.ThreadPool; @@ -58,7 +63,15 @@ public TransportAddress resolve(final SecurityRequestChannel request) throws Ope log.trace("resolve {}", request.getRemoteAddress().orElse(null)); } - if (enabled && request.getRemoteAddress().isPresent() && request.sourcedFromNetty()) { + boolean requestFromNetty = false; + if (request instanceof SecurityRestRequest) { + final SecurityRestRequest securityRequestChannel = (SecurityRestRequest) request; + final RestRequest restRequest = securityRequestChannel.breakEncapsulation().v1(); + + requestFromNetty = restRequest.getHttpChannel() instanceof Netty4HttpChannel; + } + + if (enabled && request.getRemoteAddress().isPresent() && requestFromNetty) { final InetSocketAddress remoteAddress = request.getRemoteAddress().get(); final InetSocketAddress isa = new InetSocketAddress(detector.detect(request, threadContext), remoteAddress.getPort()); 
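Review bot: `XFFResolver.resolve` now decides for itself whether the request came from Netty by downcasting to `SecurityRestRequest` and calling `breakEncapsulation()`, and nothing in the hunk records why X-Forwarded-For is honoured only in that case. A comment above `boolean requestFromNetty = false;` would state the intent, for example `// XFF is only resolved for Netty-backed REST requests; any other request source skips header-based resolution`. The import hunk above also adds `RestChannel` and `SecurityRequetChannelUnsupported`, neither of which is used in the visible lines; drop them if the rest of the file does not need them. The body of `resolve` continues outside the hunk.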
diff --git a/src/main/java/org/opensearch/security/ssl/SslExceptionHandler.java b/src/main/java/org/opensearch/security/ssl/SslExceptionHandler.java index 73f4aceb4d..b274a2ecd3 100644 --- a/src/main/java/org/opensearch/security/ssl/SslExceptionHandler.java +++ b/src/main/java/org/opensearch/security/ssl/SslExceptionHandler.java @@ -17,14 +17,13 @@ package org.opensearch.security.ssl; -import org.opensearch.rest.RestRequest; import org.opensearch.security.filter.SecurityRequestChannel; import org.opensearch.tasks.Task; import org.opensearch.transport.TransportRequest; public interface SslExceptionHandler { - default void logError(Throwable t, RestRequest request, int type) { + default void logError(Throwable t, SecurityRequestChannel request, int type) { // no-op } @@ -35,8 +34,4 @@ default void logError(Throwable t, boolean isRest) { default void logError(Throwable t, final TransportRequest request, String action, Task task, int type) { // no-op } - - default void logError(Throwable t, SecurityRequestChannel request, int type) { - this.logError(t, request.asRestRequest().get(), type); - } } diff --git a/src/main/java/org/opensearch/security/ssl/http/netty/ValidatingDispatcher.java b/src/main/java/org/opensearch/security/ssl/http/netty/ValidatingDispatcher.java index 91126d6596..dcd25c2837 100644 --- a/src/main/java/org/opensearch/security/ssl/http/netty/ValidatingDispatcher.java +++ b/src/main/java/org/opensearch/security/ssl/http/netty/ValidatingDispatcher.java 
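Review bot: Changing the default method in `SslExceptionHandler` from `logError(Throwable, RestRequest, int)` to `logError(Throwable, SecurityRequestChannel, int)`, and deleting the bridging overload in the second hunk, means an implementation that overrides the `RestRequest` form is no longer reached. Every method on this interface is a no-op default, so such an implementation still compiles if it lacks `@Override` and simply stops recording REST SSL errors. If implementers exist outside this commit, keep the old overload for a release marked `@Deprecated`. Otherwise add a Javadoc line on the new method saying it replaces the `RestRequest` overload, so that the change is visible to anyone porting a handler.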
@@ -66,17 +66,17 @@ public ValidatingDispatcher( @Override public void dispatchRequest(RestRequest request, RestChannel channel, ThreadContext threadContext) { - checkRequest(request, channel); + checkRequest(SecurityRequestFactory.from(request, channel)); originalDispatcher.dispatchRequest(request, channel, threadContext); } @Override public void dispatchBadRequest(RestChannel channel, ThreadContext threadContext, Throwable cause) { - checkRequest(channel.request(), channel); + checkRequest(SecurityRequestFactory.from(channel.request(), channel)); originalDispatcher.dispatchBadRequest(channel, threadContext, cause); } - protected void checkRequest(final RestRequest request, final RestChannel channel) { + protected void checkRequest(final SecurityRequestChannel request) { if (SSLRequestHelper.containsBadHeader(threadContext, "_opendistro_security_ssl_")) { final OpenSearchException exception = ExceptionUtils.createBadHeaderException(); @@ -85,8 +85,7 @@ protected void checkRequest(final RestRequest request, final RestChannel channel } try { - final SecurityRequestChannel securityReqest = SecurityRequestFactory.from(request, channel); - if (SSLRequestHelper.getSSLInfo(settings, configPath, securityReqest, null) == null) { + if (SSLRequestHelper.getSSLInfo(settings, configPath, request, null) == null) { logger.error("Not an SSL request"); throw new OpenSearchSecurityException("Not an SSL request", RestStatus.INTERNAL_SERVER_ERROR); }
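Review bot: `checkRequest` in `ValidatingDispatcher` is `protected`, so replacing its `(RestRequest, RestChannel)` parameters with a single `SecurityRequestChannel` breaks any subclass that overrides or calls the old form. None is visible here, so this needs checking against the rest of the code base. Separately, `SecurityRequestFactory.from(...)` used to run inside the `try` in `checkRequest` (the line removed in the second hunk) and is now evaluated in `dispatchRequest` and `dispatchBadRequest` before the call, so an exception raised while wrapping would bypass whatever that `try` handles; its catch is outside the hunk. A one-line Javadoc on `checkRequest` saying that callers are expected to wrap the request first would make the new contract explicit.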