From 1ff823f07256e6bbeaef558910a643fec0cc0037 Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Tue, 2 May 2023 23:30:37 -0400 Subject: [PATCH] Identify extension Transport requests and permit handshake and extension registration actions (#2599) * Identify extension Transport requests and permit handshake and extension registration actions Signed-off-by: Craig Perkins --- .../security/OpenSearchSecurityPlugin.java | 8 +++++++- .../security/support/ConfigConstants.java | 2 ++ .../security/support/HeaderHelper.java | 4 ++++ .../transport/SecurityRequestHandler.java | 16 +++++++++++++--- 4 files changed, 26 insertions(+), 4 deletions(-) diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index 87ca878fc6..ed600af62b 100644 --- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java @@ -94,6 +94,7 @@ import org.opensearch.core.xcontent.NamedXContentRegistry; import org.opensearch.env.Environment; import org.opensearch.env.NodeEnvironment; +import org.opensearch.extensions.ExtensionsManager; import org.opensearch.http.HttpServerTransport; import org.opensearch.http.HttpServerTransport.Dispatcher; import org.opensearch.index.Index; @@ -1187,13 +1188,16 @@ public static class GuiceHolder implements LifecycleComponent { private static IndicesService indicesService; private static PitService pitService; + private static ExtensionsManager extensionsManager; + @Inject public GuiceHolder(final RepositoriesService repositoriesService, - final TransportService remoteClusterService, IndicesService indicesService, PitService pitService) { + final TransportService remoteClusterService, IndicesService indicesService, PitService pitService, ExtensionsManager extensionsManager) { GuiceHolder.repositoriesService = repositoriesService; GuiceHolder.remoteClusterService = remoteClusterService.getRemoteClusterService(); GuiceHolder.indicesService = indicesService; GuiceHolder.pitService = pitService; + GuiceHolder.extensionsManager = extensionsManager; } public static RepositoriesService getRepositoriesService() { @@ -1210,6 +1214,8 @@ public static IndicesService getIndicesService() { public static PitService getPitService() { return pitService; } + public static ExtensionsManager getExtensionsManager() { return extensionsManager; } + @Override public void close() { diff --git a/src/main/java/org/opensearch/security/support/ConfigConstants.java b/src/main/java/org/opensearch/security/support/ConfigConstants.java index f81d89810b..fab88ecea9 100644 --- a/src/main/java/org/opensearch/security/support/ConfigConstants.java +++ b/src/main/java/org/opensearch/security/support/ConfigConstants.java @@ -97,6 +97,8 @@ public class ConfigConstants { public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTED_CLUSTER_REQUEST = OPENDISTRO_SECURITY_CONFIG_PREFIX+"ssl_transport_trustedcluster_request"; + public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENSION_REQUEST = OPENDISTRO_SECURITY_CONFIG_PREFIX+"ssl_transport_extension_request"; + /** * Set by the SSL plugin, this is the peer node certificate on the transport layer diff --git a/src/main/java/org/opensearch/security/support/HeaderHelper.java b/src/main/java/org/opensearch/security/support/HeaderHelper.java index e9ff50c6af..d679548c2b 100644 --- a/src/main/java/org/opensearch/security/support/HeaderHelper.java +++ b/src/main/java/org/opensearch/security/support/HeaderHelper.java @@ -44,6 +44,10 @@ public static boolean isDirectRequest(final ThreadContext context) { return "direct".equals(context.getTransient(ConfigConstants.OPENDISTRO_SECURITY_CHANNEL_TYPE)) || context.getTransient(ConfigConstants.OPENDISTRO_SECURITY_CHANNEL_TYPE) == null; } + + public static boolean isExtensionRequest(final ThreadContext context) { + return context.getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENSION_REQUEST) == Boolean.TRUE; + } public static String getSafeFromHeader(final ThreadContext context, final String headerName) { diff --git a/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java b/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java index d534e04f90..90fc8308ff 100644 --- a/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java +++ b/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java @@ -41,7 +41,9 @@ import org.opensearch.cluster.service.ClusterService; import org.opensearch.common.transport.TransportAddress; import org.opensearch.common.util.concurrent.ThreadContext; +import org.opensearch.extensions.ExtensionsManager; import org.opensearch.search.internal.ShardSearchRequest; +import org.opensearch.security.OpenSearchSecurityPlugin; import org.opensearch.security.auditlog.AuditLog; import org.opensearch.security.auditlog.AuditLog.Origin; import org.opensearch.security.ssl.SslExceptionHandler; @@ -195,6 +197,7 @@ else if(!Strings.isNullOrEmpty(injectedUserHeader)) { //also allow when issued from a remote cluster for cross cluster search if ( !HeaderHelper.isInterClusterRequest(getThreadContext()) && !HeaderHelper.isTrustedClusterRequest(getThreadContext()) + && !HeaderHelper.isExtensionRequest(getThreadContext()) && !task.getAction().equals("internal:transport/handshake") && (task.getAction().startsWith("internal:") || task.getAction().contains("["))) { @@ -216,14 +219,14 @@ else if(!Strings.isNullOrEmpty(injectedUserHeader)) { transportChannel.sendResponse(ex); return; } else { - if(getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN) == null) { getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN, Origin.TRANSPORT.toString()); } //network intercluster request or cross search cluster request if(HeaderHelper.isInterClusterRequest(getThreadContext()) - || HeaderHelper.isTrustedClusterRequest(getThreadContext())) { + || HeaderHelper.isTrustedClusterRequest(getThreadContext()) + || HeaderHelper.isExtensionRequest(getThreadContext())) { final String userHeader = getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_USER_HEADER); final String injectedRolesHeader = getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROLES_HEADER); @@ -256,7 +259,6 @@ else if(!Strings.isNullOrEmpty(injectedUserHeader)) { } } else { - //this is a netty request from a non-server node (maybe also be internal: or a shard request) //and therefore issued by a transport client @@ -326,6 +328,14 @@ protected void addAdditionalContextValues(final String action, final TransportRe } } + String extensionUniqueId = getThreadContext().getHeader("extension_unique_id"); + if (extensionUniqueId != null) { + ExtensionsManager extManager = OpenSearchSecurityPlugin.GuiceHolder.getExtensionsManager(); + if (extManager.getExtensionIdMap().containsKey(extensionUniqueId)) { + getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENSION_REQUEST, Boolean.TRUE); + } + } + super.addAdditionalContextValues(action, request, localCerts, peerCerts, principal); } }