Fix bug in authn/z stages of handler wrapper
Signed-off-by: Peter Nied <[email protected]>
peternied committed Oct 3, 2023
1 parent 547218b commit d44d277
Showing 1 changed file with 22 additions and 13 deletions.
Expand Up @@ -129,23 +129,32 @@ public RestHandler wrap(RestHandler original, AdminDNs adminDNs) {
return (request, channel, client) -> {
org.apache.logging.log4j.ThreadContext.clearAll();
final SecurityRequestChannel requestChannel = SecurityRequestFactory.from(request, channel);
checkAndAuthenticateRequest(requestChannel);
if (!requestChannel.hasCompleted()) {
final User user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
if (userIsSuperAdmin(user, adminDNs)) {
original.handleRequest(request, channel, client);
} else {

}

if (whitelistingSettings.checkRequestIsAllowed(request, channel, client)
&& allowlistingSettings.checkRequestIsAllowed(request, channel, client)) {
authorizeRequest(original, requestChannel, user);
}
// Authenticate request
checkAndAuthenticateRequest(requestChannel);
if (requestChannel.hasCompleted()) {
// Unable to authenticate the caller
return;
}

if (!(requestChannel.hasCompleted())) {
// Authorize Requset
final User user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
if (userIsSuperAdmin(user, adminDNs)) {
// Super admins are always authorized
original.handleRequest(request, channel, client);
return;
}

if (whitelistingSettings.checkRequestIsAllowed(request, channel, client)
&& allowlistingSettings.checkRequestIsAllowed(request, channel, client)) {
authorizeRequest(original, requestChannel, user);
if (requestChannel.hasCompleted()) {
// Caller was not authorized
return;
} else {
// Caller was authorized, forward the request to the handler
original.handleRequest(request, channel, client);
}
}
};
}
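Review bot: After `authorizeRequest(original, requestChannel, user)` the `else` branch forwards to `original.handleRequest` whenever the channel has not completed, so "authorized" is inferred from the absence of a response and the wrapper fails open if any denial path in `authorizeRequest` returns without completing the channel. The body of `authorizeRequest` is outside this hunk, so that cannot be confirmed here; I would either have it return an explicit decision or state the contract at the call site, e.g. `// authorizeRequest must complete requestChannel on every denial; an uncompleted channel is treated as authorized`. The two `checkRequestIsAllowed` calls carry a similar implicit contract: when either returns false nothing is forwarded, which is fail-closed, but it presumably relies on them having already sent the rejection response. Minor: `// Authorize Requset` should read `// Authorize request`, and the super-admin early return skips both allowlist checks, which deserves a comment saying that is intended. `wrap` itself starts outside the hunk, so any setup before the returned lambda was not reviewed.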

