From d44d27722bec4ed0f67d1c11a8c74d1071b8c07f Mon Sep 17 00:00:00 2001
From: Peter Nied
Date: Tue, 3 Oct 2023 14:08:33 +0000
Subject: [PATCH] Fix bug in authn/z stages of handler wrapper
Signed-off-by: Peter Nied
---
 .../security/filter/SecurityRestFilter.java | 35 ++++++++++++-------
 1 file changed, 22 insertions(+), 13 deletions(-)
diff --git a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
index 8ee11d5cd4..879ba4ce92 100644
--- a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
+++ b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
@@ -129,23 +129,32 @@ public RestHandler wrap(RestHandler original, AdminDNs adminDNs) {
 return (request, channel, client) -> {
 org.apache.logging.log4j.ThreadContext.clearAll();
 final SecurityRequestChannel requestChannel = SecurityRequestFactory.from(request, channel);
- checkAndAuthenticateRequest(requestChannel);
- if (!requestChannel.hasCompleted()) {
- final User user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
- if (userIsSuperAdmin(user, adminDNs)) {
- original.handleRequest(request, channel, client);
- } else {
- }
-
- if (whitelistingSettings.checkRequestIsAllowed(request, channel, client)
- && allowlistingSettings.checkRequestIsAllowed(request, channel, client)) {
- authorizeRequest(original, requestChannel, user);
- }
+ // Authenticate request
+ checkAndAuthenticateRequest(requestChannel);
+ if (requestChannel.hasCompleted()) {
+ // Unable to authenticate the caller
+ return;
 }
- if (!(requestChannel.hasCompleted())) {
+ // Authorize Requset
+ final User user = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
+ if (userIsSuperAdmin(user, adminDNs)) {
+ // Super admins are always authorized
+ original.handleRequest(request, channel, client);
+ return;
+ }
+ if (whitelistingSettings.checkRequestIsAllowed(request, channel, client)
+ && allowlistingSettings.checkRequestIsAllowed(request, channel, client)) {
+ authorizeRequest(original, requestChannel, user);
+ if (requestChannel.hasCompleted()) {
+ // Caller was not authorized
+ return;
+ } else {
+ // Caller was authorized, forward the request to the handler
+ original.handleRequest(request, channel, client);
+ }
 }
 };
 }
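Review bot: The allow-list branch `if (whitelistingSettings.checkRequestIsAllowed(...) && allowlistingSettings.checkRequestIsAllowed(...))` has no `else`, so a request that fails either check leaves the lambda without reaching the handler, and nothing on the new side says who answers the caller. That is the right fail-closed outcome, but it presumably depends on `checkRequestIsAllowed` having already written the rejection to `channel`; because those checks are handed the raw `channel` rather than `requestChannel`, `requestChannel.hasCompleted()` may not reflect that rejection. The contract should be stated at the closing brace of that `if`, for example `// Not allow-listed: checkRequestIsAllowed is expected to have responded; never forward to the handler`. The comment `// Authorize Requset` should read `// Authorize Request`. Only the tail of `wrap` is visible here; the method starts above the hunk.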