From 7f3c50baac0f0c03713ace9506a5de65ef61c886 Mon Sep 17 00:00:00 2001
From: Darshit Chanpura
Date: Wed, 20 Mar 2024 21:44:04 -0400
Subject: [PATCH 01/10] Adds saml auth header to differentiate saml requests
Signed-off-by: Darshit Chanpura
---
 .../security/auth/BackendRegistry.java | 42 ++++++++++++-------
 1 file changed, 28 insertions(+), 14 deletions(-)
diff --git a/src/main/java/org/opensearch/security/auth/BackendRegistry.java b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
index 3ab9a2afc9..4cf5ed71e7 100644
--- a/src/main/java/org/opensearch/security/auth/BackendRegistry.java
+++ b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
@@ -32,6 +32,7 @@
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.SortedSet;
@@ -286,7 +287,7 @@ public boolean authenticate(final SecurityRequestChannel request) {
 if (ac == null) {
 // no credentials found in request
- if (anonymousAuthEnabled) {
+ if (anonymousAuthEnabled && isRequestForAnonymousLogin(request.params())) {
 continue;
 }
@@ -386,19 +387,6 @@ public boolean authenticate(final SecurityRequestChannel request) {
 log.debug("User still not authenticated after checking {} auth domains", restAuthDomains.size());
 }
- if (authCredentials == null && anonymousAuthEnabled) {
- final String tenant = resolveTenantFrom(request);
- User anonymousUser = new User(User.ANONYMOUS.getName(), new HashSet(User.ANONYMOUS.getRoles()), null);
- anonymousUser.setRequestedTenant(tenant);
-
- threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, anonymousUser);
- auditLog.logSucceededLogin(anonymousUser.getName(), false, null, request);
- if (isDebugEnabled) {
- log.debug("Anonymous User is authenticated");
- }
- return true;
- }
-
 Optional challengeResponse = Optional.empty();
 if (firstChallengingHttpAuthenticator != null) {
@@ -415,6 +403,19 @@ public boolean authenticate(final SecurityRequestChannel request) {
 }
 }
+ if (authCredentials == null && anonymousAuthEnabled && isRequestForAnonymousLogin(request.params())) {
+ final String tenant = resolveTenantFrom(request);
+ User anonymousUser = new User(User.ANONYMOUS.getName(), new HashSet(User.ANONYMOUS.getRoles()), null);
+ anonymousUser.setRequestedTenant(tenant);
+
+ threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, anonymousUser);
+ auditLog.logSucceededLogin(anonymousUser.getName(), false, null, request);
+ if (isDebugEnabled) {
+ log.debug("Anonymous User is authenticated");
+ }
+ return true;
+ }
+
 log.warn(
 "Authentication finally failed for {} from {}",
 authCredentials == null ? null : authCredentials.getUsername(),
@@ -432,6 +433,19 @@ public boolean authenticate(final SecurityRequestChannel request) {
 return authenticated;
 }
+ /**
+ * Checks if incoming auth request is from an anonymous user
+ * Defaults all requests to yes, to allow anonymous authentication to succeed
+ * @param params the query parameters passed in this request
+ * @return true if no params or `anonymous` were found, false otherwise
+ */
+ private boolean isRequestForAnonymousLogin(Map params) {
+ if (params.containsKey("auth_request_type")) {
+ return params.get("auth_request_type").equals("anonymous");
+ }
+ return true;
+ }
+
 private String resolveTenantFrom(final SecurityRequest request) {
 return Optional.ofNullable(request.header("securitytenant")).orElse(request.header("security_tenant"));
 }
From 03459a214433f9a275ed4a3de750372062542f4f Mon Sep 17 00:00:00 2001
From: Darshit Chanpura
Date: Wed, 20 Mar 2024 23:08:08 -0400
Subject: [PATCH 02/10] Prevents auto login as anonymous upon failed authentication
Signed-off-by: Darshit Chanpura
---
 .../security/auth/BackendRegistry.java | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
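Review bot: `isRequestForAnonymousLogin` decides with `params.get("auth_request_type").equals("anonymous")`, which dereferences the parameter value and is case-sensitive, so `auth_request_type=Anonymous` is treated as a non-anonymous request and a null value would throw rather than deny anonymous login; `"anonymous".equals(params.get("auth_request_type"))` is the null-safe form, and the exact-match rule belongs in the javadoc. The parameter name and the `anonymous` value are string literals here and again in the `@@ -286` hunk of this same commit; a `private static final String` for each keeps the two call sites in step when the name changes. The relocated anonymous-login block now runs after the `firstChallengingHttpAuthenticator` section (its opening `if` is the last line of the previous hunk, its body is not visible), so whatever that section does is now executed for requests that end up logged in anonymously — presumably only preparing a challenge response, but worth confirming it has no side effects such as audit entries. The enclosing `authenticate` method starts and ends outside these hunks.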
diff --git a/src/main/java/org/opensearch/security/auth/BackendRegistry.java b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
index 4cf5ed71e7..a7c52d971e 100644
--- a/src/main/java/org/opensearch/security/auth/BackendRegistry.java
+++ b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
@@ -45,6 +45,7 @@
 import com.google.common.cache.RemovalListener;
 import com.google.common.cache.RemovalNotification;
 import com.google.common.collect.Multimap;
+import org.apache.http.HttpHeaders;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -403,7 +404,10 @@ public boolean authenticate(final SecurityRequestChannel request) {
 }
 }
- if (authCredentials == null && anonymousAuthEnabled && isRequestForAnonymousLogin(request.params())) {
+ if (authCredentials == null
+ && anonymousAuthEnabled
+ && isRequestForAnonymousLogin(request.params())
+ && checkIfRequestContainsBasicAuthHeader(request.getHeaders())) {
 final String tenant = resolveTenantFrom(request);
 User anonymousUser = new User(User.ANONYMOUS.getName(), new HashSet(User.ANONYMOUS.getRoles()), null);
 anonymousUser.setRequestedTenant(tenant);
@@ -433,6 +437,16 @@ public boolean authenticate(final SecurityRequestChannel request) {
 return authenticated;
 }
+ /**
+ * Checks whether request contains Authorization header. If so return yes
+ * Solves: ...
+ * @param headers headers in the current request
+ * @return true if request contains `authorization` header, else return false
+ */
+ private boolean checkIfRequestContainsBasicAuthHeader(Map> headers) {
+ return headers.containsKey(HttpHeaders.AUTHORIZATION);
+ }
+
 /**
 * Checks if incoming auth request is from an anonymous user
 * Defaults all requests to yes, to allow anonymous authentication to succeed
From 3aecdc6d57884f79bdbe0182c1e4ee89f295bd98 Mon Sep 17 00:00:00 2001
From: Darshit Chanpura
Date: Wed, 20 Mar 2024 23:36:21 -0400
Subject: [PATCH 03/10] Fixes an apocalyptic level typo
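Review bot: `checkIfRequestContainsBasicAuthHeader` decides with `headers.containsKey(HttpHeaders.AUTHORIZATION)`, which is a case-sensitive lookup unless the map behind `request.getHeaders()` is itself case-insensitive; HTTP header names are not, and a client sending `authorization` in lowercase (HTTP/2 clients do so by specification) would then be treated as carrying no credentials and be allowed to fall back to the anonymous user, which is the behaviour this commit sets out to prevent. If that map is a plain `HashMap`, match keys with `equalsIgnoreCase` or normalise them on insertion; the same lookup survives into patch 10's `@@ -437,28 +434,19 @@` hunk as the fallback branch of `isRequestForAnonymousLogin`, so fix it there too. The method name says Basic, but the check accepts any `Authorization` scheme (Bearer, Negotiate, …), so a name like `hasAuthorizationHeader` describes it better, and the javadoc line `* Solves: ...` is an unfilled placeholder that should state the issue it fixes or be dropped. `authenticate` starts and ends outside the hunk.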
Signed-off-by: Darshit Chanpura
---
 src/main/java/org/opensearch/security/auth/BackendRegistry.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/org/opensearch/security/auth/BackendRegistry.java b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
index a7c52d971e..590bb60414 100644
--- a/src/main/java/org/opensearch/security/auth/BackendRegistry.java
+++ b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
@@ -407,7 +407,7 @@ public boolean authenticate(final SecurityRequestChannel request) {
 if (authCredentials == null
 && anonymousAuthEnabled
 && isRequestForAnonymousLogin(request.params())
- && checkIfRequestContainsBasicAuthHeader(request.getHeaders())) {
+ && !checkIfRequestContainsBasicAuthHeader(request.getHeaders())) {
 final String tenant = resolveTenantFrom(request);
 User anonymousUser = new User(User.ANONYMOUS.getName(), new HashSet(User.ANONYMOUS.getRoles()), null);
 anonymousUser.setRequestedTenant(tenant);
From 1113b649ba012e581285bdf26100c1a192bf9ddf Mon Sep 17 00:00:00 2001
From: Darshit Chanpura
Date: Tue, 26 Mar 2024 13:25:19 -0400
Subject: [PATCH 04/10] Adds tests to verify the new check
Signed-off-by: Darshit Chanpura
---
 .../http/BasicWithAnonymousAuthTests.java | 112 ++++++++++++++++++
 1 file changed, 112 insertions(+)
 create mode 100644 src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java
diff --git a/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java b/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java
new file mode 100644
index 0000000000..1145992abc
--- /dev/null
+++ b/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java
@@ -0,0 +1,112 @@
+/*
+* Copyright OpenSearch Contributors
+* SPDX-License-Identifier: Apache-2.0
+*
+* The OpenSearch Contributors require contributions made to
+* this file be licensed under the Apache-2.0 license or a
+* compatible open source license.
+*
+*/
+package org.opensearch.security.http;
+
+import java.util.Map;
+
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.opensearch.test.framework.TestSecurityConfig.AuthcDomain;
+import org.opensearch.test.framework.TestSecurityConfig.User;
+import org.opensearch.test.framework.cluster.ClusterManager;
+import org.opensearch.test.framework.cluster.LocalCluster;
+import org.opensearch.test.framework.cluster.TestRestClient;
+import org.opensearch.test.framework.cluster.TestRestClient.HttpResponse;
+
+import static org.apache.http.HttpStatus.SC_OK;
+import static org.apache.http.HttpStatus.SC_UNAUTHORIZED;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.notNullValue;
+
+@RunWith(com.carrotsearch.randomizedtesting.RandomizedRunner.class)
+@ThreadLeakScope(ThreadLeakScope.Scope.NONE)
+public class BasicWithAnonymousAuthTests {
+ static final User TEST_USER = new User("test_user").password("s3cret");
+
+ public static final String CUSTOM_ATTRIBUTE_NAME = "superhero";
+ static final User SUPER_USER = new User("super-user").password("super-password").attr(CUSTOM_ATTRIBUTE_NAME, "true");
+ public static final String NOT_EXISTING_USER = "not-existing-user";
+ public static final String INVALID_PASSWORD = "secret-password";
+
+ public static final AuthcDomain AUTHC_DOMAIN = new AuthcDomain("basic", 0).httpAuthenticatorWithChallenge("basic").backend("internal");
+
+ @ClassRule
+ public static final LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.SINGLENODE)
+ .anonymousAuth(true)
+ .authc(AUTHC_DOMAIN)
+ .users(TEST_USER, SUPER_USER)
+ .build();
+
+ /** No automatic login post anonymous auth request **/
+ @Test
+ public void shouldRespondWith401WhenUserDoesNotExist() {
+ try (TestRestClient client = cluster.getRestClient(NOT_EXISTING_USER, INVALID_PASSWORD)) {
+ HttpResponse response = client.getAuthInfo();
+
+ assertThat(response, is(notNullValue()));
+ response.assertStatusCode(SC_UNAUTHORIZED);
+ }
+ }
+
+ @Test
+ public void shouldRespondWith401WhenUserNameIsIncorrect() {
+ try (TestRestClient client = cluster.getRestClient(NOT_EXISTING_USER, TEST_USER.getPassword())) {
+ HttpResponse response = client.getAuthInfo();
+
+ assertThat(response, is(notNullValue()));
+ response.assertStatusCode(SC_UNAUTHORIZED);
+ }
+ }
+
+ @Test
+ public void shouldRespondWith401WhenPasswordIsIncorrect() {
+ try (TestRestClient client = cluster.getRestClient(TEST_USER.getName(), INVALID_PASSWORD)) {
+ HttpResponse response = client.getAuthInfo();
+
+ assertThat(response, is(notNullValue()));
+ response.assertStatusCode(SC_UNAUTHORIZED);
+ }
+ }
+
+ @Test
+ public void testShouldAutomaticallyLoginAsAnonymousIfNoCredentialsArePassed() {
+ try (TestRestClient client = cluster.getRestClient()) {
+
+ HttpResponse response = client.getAuthInfo();
+
+ assertThat(response, is(notNullValue()));
+ response.assertStatusCode(SC_OK);
+
+ HttpResponse response2 = client.getAuthInfo(Map.of("auth_request_type", "anonymous"));
+
+ assertThat(response2, is(notNullValue()));
+ response.assertStatusCode(SC_OK);
+ }
+ }
+
+ @Test
+ public void testShouldAutomaticallyLoginAsAnonymousIfRequestIsNonAnonymousLogin() {
+ try (TestRestClient client = cluster.getRestClient()) {
+
+ HttpResponse response = client.getAuthInfo(Map.of("auth_request_type", "saml"));
+
+ assertThat(response, is(notNullValue()));
+ response.assertStatusCode(SC_UNAUTHORIZED);
+
+ // should contain a redirect link
+ assertThat(response.containHeader("WWW-Authenticate"), is(true));
+ }
+ }
+
+}
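Review bot: No test in the new class sends a rejected `Authorization` header together with `auth_request_type=anonymous`, so the precedence between the explicit parameter and the header-based guard in `BackendRegistry` is pinned by nothing here; a case built on `cluster.getRestClient(TEST_USER.getName(), INVALID_PASSWORD)` that calls `client.getAuthInfo(Map.of("auth_request_type", "anonymous"))` and asserts the status you intend would lock that behaviour in before the guard's shape changes again. In `testShouldAutomaticallyLoginAsAnonymousIfRequestIsNonAnonymousLogin` the comment `// should contain a redirect link` does not match the assertion under it, which checks for a `WWW-Authenticate` challenge from the basic authenticator configured via `AUTHC_DOMAIN`; `// basic authenticator should issue a challenge instead of anonymous login` describes what is asserted. `SUPER_USER` and `CUSTOM_ATTRIBUTE_NAME` are registered on the cluster but exercised by no test in this file, so they read as a leftover from the fixture this class was copied from.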
From 95e26117a71a5cecbe587b141030165b98feb8c9 Mon Sep 17 00:00:00 2001
From: Darshit Chanpura
Date: Tue, 26 Mar 2024 13:27:18 -0400
Subject: [PATCH 05/10] Adds a comment
Signed-off-by: Darshit Chanpura
---
 .../opensearch/security/http/BasicWithAnonymousAuthTests.java | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java b/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java
index 1145992abc..6409bb0d60 100644
--- a/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java
+++ b/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java
@@ -79,6 +79,7 @@ public void shouldRespondWith401WhenPasswordIsIncorrect() {
 }
 }
+ /** Test `?auth_request_type=""` param to authinfo request **/
 @Test
 public void testShouldAutomaticallyLoginAsAnonymousIfNoCredentialsArePassed() {
 try (TestRestClient client = cluster.getRestClient()) {
From 87a65e2c8b6efb93925ecd22be8980695858db17 Mon Sep 17 00:00:00 2001
From: Darshit Chanpura
Date: Tue, 26 Mar 2024 14:59:13 -0400
Subject: [PATCH 06/10] Fixes a test
Signed-off-by: Darshit Chanpura
---
 .../opensearch/security/http/BasicWithAnonymousAuthTests.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java b/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java
index 6409bb0d60..bfc15d2c5f 100644
--- a/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java
+++ b/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java
@@ -92,7 +92,7 @@ public void testShouldAutomaticallyLoginAsAnonymousIfNoCredentialsArePassed() {
 HttpResponse response2 = client.getAuthInfo(Map.of("auth_request_type", "anonymous"));
 assertThat(response2, is(notNullValue()));
- response.assertStatusCode(SC_OK);
+ response2.assertStatusCode(SC_OK);
 }
 }
From 244f1c5ff93afa7f4097c6eff514679875eab1c3 Mon Sep 17 00:00:00 2001
From: Darshit Chanpura
Date: Fri, 29 Mar 2024 15:37:13 -0400
Subject: [PATCH 07/10] Fixes typo
Signed-off-by: Darshit Chanpura
---
 .../opensearch/security/http/BasicWithAnonymousAuthTests.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java b/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java
index bfc15d2c5f..ecb9831a1e 100644
--- a/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java
+++ b/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java
@@ -97,7 +97,7 @@ public void testShouldAutomaticallyLoginAsAnonymousIfNoCredentialsArePassed() {
 }
 @Test
- public void testShouldAutomaticallyLoginAsAnonymousIfRequestIsNonAnonymousLogin() {
+ public void testShouldNotAutomaticallyLoginAsAnonymousIfRequestIsNonAnonymousLogin() {
 try (TestRestClient client = cluster.getRestClient()) {
 HttpResponse response = client.getAuthInfo(Map.of("auth_request_type", "saml"));
From a8f25d80deece1620936f31d8bd753b750d9097b Mon Sep 17 00:00:00 2001
From: Darshit Chanpura
Date: Tue, 2 Apr 2024 13:18:27 -0400
Subject: [PATCH 08/10] Renames url parameter
Signed-off-by: Darshit Chanpura
---
 .../org/opensearch/security/auth/BackendRegistry.java | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/main/java/org/opensearch/security/auth/BackendRegistry.java b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
index 590bb60414..362c77c2f5 100644
--- a/src/main/java/org/opensearch/security/auth/BackendRegistry.java
+++ b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
@@ -192,7 +192,7 @@ public void onDynamicConfigModelChanged(DynamicConfigModel dcm) {
 * @param request
 * @return The authenticated user, null means another roundtrip
 * @throws OpenSearchSecurityException
- */
+ */
 public boolean authenticate(final SecurityRequestChannel request) {
 final boolean isDebugEnabled = log.isDebugEnabled();
 final boolean isBlockedBasedOnAddress = request.getRemoteAddress()
@@ -451,11 +451,12 @@ private boolean checkIfRequestContainsBasicAuthHeader(Map>
 * Checks if incoming auth request is from an anonymous user
 * Defaults all requests to yes, to allow anonymous authentication to succeed
 * @param params the query parameters passed in this request
- * @return true if no params or `anonymous` were found, false otherwise
+ * @return false only if an explicit `auth_type` param is supplied and its value is not anonymous,
+ * otherwise returns true
 */
 private boolean isRequestForAnonymousLogin(Map params) {
- if (params.containsKey("auth_request_type")) {
- return params.get("auth_request_type").equals("anonymous");
+ if (params.containsKey("auth_type")) {
+ return params.get("auth_type").equals("anonymous");
 }
 return true;
 }
From 19a597c8494c05635f449c769803e62881488bd1 Mon Sep 17 00:00:00 2001
From: Darshit Chanpura
Date: Tue, 2 Apr 2024 13:29:39 -0400
Subject: [PATCH 09/10] Fixes integ tests
Signed-off-by: Darshit Chanpura
---
 .../security/http/BasicWithAnonymousAuthTests.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java b/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java
index ecb9831a1e..52ae7e8b47 100644
--- a/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java
+++ b/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java
@@ -79,7 +79,7 @@ public void shouldRespondWith401WhenPasswordIsIncorrect() {
 }
 }
- /** Test `?auth_request_type=""` param to authinfo request **/
+ /** Test `?auth_type=""` param to authinfo request **/
 @Test
 public void testShouldAutomaticallyLoginAsAnonymousIfNoCredentialsArePassed() {
 try (TestRestClient client = cluster.getRestClient()) {
@@ -89,7 +89,7 @@ public void testShouldAutomaticallyLoginAsAnonymousIfNoCredentialsArePassed() {
 assertThat(response, is(notNullValue()));
 response.assertStatusCode(SC_OK);
- HttpResponse response2 = client.getAuthInfo(Map.of("auth_request_type", "anonymous"));
+ HttpResponse response2 = client.getAuthInfo(Map.of("auth_type", "anonymous"));
 assertThat(response2, is(notNullValue()));
 response2.assertStatusCode(SC_OK);
@@ -100,7 +100,7 @@ public void testShouldAutomaticallyLoginAsAnonymousIfNoCredentialsArePassed() {
 public void testShouldNotAutomaticallyLoginAsAnonymousIfRequestIsNonAnonymousLogin() {
 try (TestRestClient client = cluster.getRestClient()) {
- HttpResponse response = client.getAuthInfo(Map.of("auth_request_type", "saml"));
+ HttpResponse response = client.getAuthInfo(Map.of("auth_type", "saml"));
 assertThat(response, is(notNullValue()));
 response.assertStatusCode(SC_UNAUTHORIZED);
From b54b619a31b3db820cf8d215ba542db9c3fa7ed4 Mon Sep 17 00:00:00 2001
From: Darshit Chanpura
Date: Mon, 8 Apr 2024 14:49:48 -0400
Subject: [PATCH 10/10] Addresses PR comment and consumes auth_type param for authinfo request
Signed-off-by: Darshit Chanpura
---
 .../http/BasicWithAnonymousAuthTests.java | 7 +++---
 .../security/auth/BackendRegistry.java | 24 +++++--------------
 .../security/rest/SecurityInfoAction.java | 3 +++
 3 files changed, 12 insertions(+), 22 deletions(-)
diff --git a/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java b/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java
index 52ae7e8b47..842d5c4dd5 100644
--- a/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java
+++ b/src/integrationTest/java/org/opensearch/security/http/BasicWithAnonymousAuthTests.java
@@ -50,7 +50,7 @@ public class BasicWithAnonymousAuthTests {
 /** No automatic login post anonymous auth request **/
 @Test
- public void shouldRespondWith401WhenUserDoesNotExist() {
+ public void testShouldRespondWith401WhenUserDoesNotExist() {
 try (TestRestClient client = cluster.getRestClient(NOT_EXISTING_USER, INVALID_PASSWORD)) {
 HttpResponse response = client.getAuthInfo();
@@ -60,7 +60,7 @@ public void shouldRespondWith401WhenUserDoesNotExist() {
 }
 @Test
- public void shouldRespondWith401WhenUserNameIsIncorrect() {
+ public void testShouldRespondWith401WhenUserNameIsIncorrect() {
 try (TestRestClient client = cluster.getRestClient(NOT_EXISTING_USER, TEST_USER.getPassword())) {
 HttpResponse response = client.getAuthInfo();
@@ -70,7 +70,7 @@ public void shouldRespondWith401WhenUserNameIsIncorrect() {
 }
 @Test
- public void shouldRespondWith401WhenPasswordIsIncorrect() {
+ public void testShouldRespondWith401WhenPasswordIsIncorrect() {
 try (TestRestClient client = cluster.getRestClient(TEST_USER.getName(), INVALID_PASSWORD)) {
 HttpResponse response = client.getAuthInfo();
@@ -109,5 +109,4 @@ public void testShouldNotAutomaticallyLoginAsAnonymousIfRequestIsNonAnonymousLog
 assertThat(response.containHeader("WWW-Authenticate"), is(true));
 }
 }
-
 }
diff --git a/src/main/java/org/opensearch/security/auth/BackendRegistry.java b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
index 362c77c2f5..97c060be35 100644
--- a/src/main/java/org/opensearch/security/auth/BackendRegistry.java
+++ b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
@@ -288,7 +288,7 @@ public boolean authenticate(final SecurityRequestChannel request) {
 if (ac == null) {
 // no credentials found in request
- if (anonymousAuthEnabled && isRequestForAnonymousLogin(request.params())) {
+ if (anonymousAuthEnabled && isRequestForAnonymousLogin(request.params(), request.getHeaders())) {
 continue;
 }
@@ -404,10 +404,7 @@ public boolean authenticate(final SecurityRequestChannel request) {
 }
 }
- if (authCredentials == null
- && anonymousAuthEnabled
- && isRequestForAnonymousLogin(request.params())
- && !checkIfRequestContainsBasicAuthHeader(request.getHeaders())) {
+ if (authCredentials == null && anonymousAuthEnabled && isRequestForAnonymousLogin(request.params(), request.getHeaders())) {
 final String tenant = resolveTenantFrom(request);
 User anonymousUser = new User(User.ANONYMOUS.getName(), new HashSet(User.ANONYMOUS.getRoles()), null);
 anonymousUser.setRequestedTenant(tenant);
@@ -437,28 +434,19 @@ && isRequestForAnonymousLogin(request.params())
 return authenticated;
 }
- /**
- * Checks whether request contains Authorization header. If so return yes
- * Solves: ...
- * @param headers headers in the current request
- * @return true if request contains `authorization` header, else return false
- */
- private boolean checkIfRequestContainsBasicAuthHeader(Map> headers) {
- return headers.containsKey(HttpHeaders.AUTHORIZATION);
- }
-
 /**
 * Checks if incoming auth request is from an anonymous user
 * Defaults all requests to yes, to allow anonymous authentication to succeed
 * @param params the query parameters passed in this request
- * @return false only if an explicit `auth_type` param is supplied and its value is not anonymous,
+ * @return false only if an explicit `auth_type` param is supplied, and its value is not anonymous, OR
+ * if request contains no authorization headers
 * otherwise returns true
 */
- private boolean isRequestForAnonymousLogin(Map params) {
+ private boolean isRequestForAnonymousLogin(Map params, Map> headers) {
 if (params.containsKey("auth_type")) {
 return params.get("auth_type").equals("anonymous");
 }
- return true;
+ return !headers.containsKey(HttpHeaders.AUTHORIZATION);
 }
 private String resolveTenantFrom(final SecurityRequest request) {
diff --git a/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java b/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java
index 469c7f81b4..94070649fa 100644
--- a/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java
+++ b/src/main/java/org/opensearch/security/rest/SecurityInfoAction.java
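Review bot: The rewritten `@return` javadoc on `isRequestForAnonymousLogin` says the method returns false when the request `contains no authorization headers`, but the new last line is `return !headers.containsKey(HttpHeaders.AUTHORIZATION);`, i.e. false when the header is present; a reader trusting the doc would get the guard backwards. Replace the two added `@return` lines with `* @return false if an explicit auth_type param is supplied with a value other than anonymous, or if no such param is` / `* supplied and the request carries an Authorization header; true otherwise`. Because the param branch now returns before the header check, `?auth_type=anonymous` skips the header-based guard entirely — that may be intended (the caller still requires `authCredentials == null`), but it deserves a sentence in the javadoc and a test, since no case in `BasicWithAnonymousAuthTests` combines the param with a rejected `Authorization` header. The literal `"auth_type"` now lives here and in `SecurityInfoAction.prepareRequest` in the next file of this commit; a shared `public static final String AUTH_TYPE_PARAM = "auth_type";` keeps the REST parameter and this check from drifting apart. `@param headers` is also missing from the javadoc after the signature change.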
@@ -89,6 +89,9 @@ public List routes() {
 @Override
 protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) throws IOException {
 final boolean verbose = request.paramAsBoolean("verbose", false);
+ // need to consume `auth_type` param, without which a 500 is thrown on front-end
+ final String authType = request.param("auth_type", "");
+
 return new RestChannelConsumer() {
 @Override