Skip to content

Adds saml auth header to differentiate saml requests and prevents auto login as anonymous user when basic authentication fails#4152

Merged
DarshitChanpura merged 12 commits intoopensearch-project:mainfrom
DarshitChanpura:saml-anony-bug-fix
Apr 9, 2024
Merged

Adds saml auth header to differentiate saml requests and prevents auto login as anonymous user when basic authentication fails#4152
DarshitChanpura merged 12 commits intoopensearch-project:mainfrom
DarshitChanpura:saml-anony-bug-fix

Conversation

@DarshitChanpura
Copy link
Copy Markdown
Member

@DarshitChanpura DarshitChanpura commented Mar 21, 2024
edited
Loading

Description

This PR fixes a bug where SAML and Anonymous auth cannot co-exist. At present, enabling SAML along with anonymous auth causes SAML Login to fail before it hits the IdP because both SAML and anonymous auth are wired to not have credentials on the first login attempt, causing the authn check against the auth domains to be skipped (see here). This, eventually, results in setting the default user as anonymous (see here) since anonymous auth is enabled.

This PR also resolves another bug involving anonymous auth where a user would be automatically logged in as anonymous user upon failed basic authentication if anonymous auth is enabled.

  • Category: Bug fix
  • Why these changes are required?
    • To allow SAML auth to work when anonymous auth is enabled
    • To prevent auto login as anonymous user upon failed basic authentication

Security-dashboards companion PR: opensearch-project/security-dashboards-plugin#1839

Issues Resolved

Testing

  • Automated

Check List

  • New functionality includes testing
    - [ ] New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

This was referenced Mar 21, 2024
Closed
Merged
@DarshitChanpura
Adds saml auth header to differentiate saml requests
7f3c50b 
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
@DarshitChanpura
Prevents auto login as anonymous upon failed authentication
03459a2 
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
@DarshitChanpura DarshitChanpura changed the title Adds saml auth header to differentiate saml requests Adds saml auth header to differentiate saml requests and prevents auto login as anonymous user when basic authentication fails Mar 21, 2024
@DarshitChanpura
Fixes an apocalyptic level typo
3aecdc6 
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
@codecov
Copy link
Copy Markdown

codecov bot commented Mar 21, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 53.84615% with 6 lines in your changes are missing coverage. Please review.

Project coverage is 66.20%. Comparing base (4e8297a) to head (4a6dff7).
Report is 4 commits behind head on main.

❗ Current head 4a6dff7 differs from pull request most recent head 5174654. Consider uploading reports for the commit 5174654 to get more accurate results

Additional details and impacted files

Impacted file tree graph

@@           Coverage Diff           @@
##             main    #4152   +/-   ##
=======================================
  Coverage   66.19%   66.20%           
=======================================
  Files         301      301           
  Lines       21709    21712    +3     
  Branches     3505     3505           
=======================================
+ Hits        14371    14375    +4     
+ Misses       5580     5578    -2     
- Partials     1758     1759    +1
Files Coverage Δ
.../org/opensearch/security/auth/BackendRegistry.java 61.58% <53.84%> (-0.96%) ⬇️

... and 5 files with indirect coverage changes

@DarshitChanpura DarshitChanpura mentioned this pull request Mar 21, 2024
Closed
@DarshitChanpura DarshitChanpura marked this pull request as ready for review March 26, 2024 17:05
@DarshitChanpura
Adds tests to verify the new check
1113b64 
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
@DarshitChanpura
Adds a comment
95e2611 
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
@DarshitChanpura
Fixes a test
87a65e2 
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
peternied
peternied reviewed Mar 26, 2024
View reviewed changes
derek-ho
derek-ho reviewed Mar 29, 2024
View reviewed changes
Copy link
Copy Markdown
Collaborator

@derek-ho derek-ho left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't have any concerns with the implementation of this change, since I think it preserves functionality, but trying to understand more about @peternied's concern with the headers

peternied
peternied previously approved these changes Mar 29, 2024
View reviewed changes
cwperks
cwperks reviewed Mar 29, 2024
View reviewed changes
@DarshitChanpura
Fixes typo
244f1c5 
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
cwperks
cwperks previously approved these changes Apr 2, 2024
View reviewed changes
peternied
peternied suggested changes Apr 2, 2024
View reviewed changes
peternied
peternied previously approved these changes Apr 3, 2024
View reviewed changes
stephen-crawford
stephen-crawford previously approved these changes Apr 4, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@stephen-crawford stephen-crawford left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me!

@DarshitChanpura
Renames url parameter
a8f25d8 
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
@DarshitChanpura
Fixes integ tests
19a597c 
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
@DarshitChanpura
Addresses PR comment and consumes auth_type param for authinfo request
b54b619 
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
@DarshitChanpura
Copy link
Copy Markdown
Member Author

DarshitChanpura commented Apr 9, 2024
edited
Loading

All failures caused by:

java.lang.NoSuchMethodError: 'void org.opensearch.transport.TcpTransport.inboundMessage(org.opensearch.transport.TcpChannel, org.opensearch.transport.ProtocolInboundMessage)'

Root-cause is likely this upstream change: opensearch-project/OpenSearch#12967.

Update: This issue has been resolved.

stephen-crawford
stephen-crawford approved these changes Apr 9, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@stephen-crawford stephen-crawford left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me

@DarshitChanpura DarshitChanpura merged commit d87ab3f into opensearch-project:main Apr 9, 2024
opensearch-trigger-bot bot pushed a commit that referenced this pull request Apr 9, 2024
@github-actions
Adds saml auth header to differentiate saml requests and prevents aut…
b9a0638 
…o login as anonymous user when basic authentication fails (#4152)

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
(cherry picked from commit d87ab3f)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@opensearch-trigger-bot opensearch-trigger-bot bot mentioned this pull request Apr 9, 2024
Merged
dlin2028 pushed a commit to dlin2028/security that referenced this pull request May 1, 2024
@DarshitChanpura @dlin2028
Adds saml auth header to differentiate saml requests and prevents aut…
e55f53d 
…o login as anonymous user when basic authentication fails (opensearch-project#4152)

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@derek-ho derek-ho derek-ho left review comments

@cwperks cwperks cwperks approved these changes

@cliu123 cliu123 Awaiting requested review from cliu123

@davidlago davidlago Awaiting requested review from davidlago

@RyanL1997 RyanL1997 Awaiting requested review from RyanL1997 RyanL1997 is a code owner

@reta reta Awaiting requested review from reta reta is a code owner

@willyborankin willyborankin Awaiting requested review from willyborankin willyborankin is a code owner

+2 more reviewers

@stephen-crawford stephen-crawford stephen-crawford approved these changes

@peternied peternied peternied left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@DarshitChanpura @peternied @cwperks @derek-ho @stephen-crawford