Omit adding the osd-version header when the Fetch request is to an external origin

[AMoo-Miki]

Description

• Making fetch requests using core/public/http/fetch, an osd-version header is forcefully added, even to external requests. This change examines the destination and only adds the header to relative URLs and those that are to OSD itself.
• This change also adds osd-xsrf to calls that use osd-version incorrectly to satisfy XSRF protection

Issues Resolved

Fixes #3277

Check List

• All tests pass
  • yarn test:jest
  • yarn test:jest_integration
  • yarn test:ftr
• New functionality includes testing.
• New functionality has been documented.
• Update CHANGELOG.md
• Commits are signed per the DCO using --signoff

[kavilla]

I think the failures since we utilized this for XRSF.

OpenSearch-Dashboards/src/core/server/http/lifecycle_handlers.ts

Line 57 in de06344

if (!isSafeMethod(request.route.method) && !hasVersionHeader && !hasXsrfHeader) {

tries to find a header and then it can't find it so it throws the error.

It might not be the proper way of handling XSRF but by removing it causes these errors to be thrown.

[AMoo-Miki]

OpenSearch-Dashboards/src/core/server/http/lifecycle_handlers.ts

Line 57 in de06344

if (!isSafeMethod(request.route.method) && !hasVersionHeader && !hasXsrfHeader) {

If it is a GET or OPTIONS call, in will not fail and also if it contains the osd-xsrf. 621bf0e suggests osd-version used to be used for XSRF prior to K5 and they never cared to clean the code up over the next 6 years. I have added osd-xsrf to any call that was using osd-version for XSRF protection.

[joshuarrrr]

@AMoo-Miki There are some snapshots that need updating.

[AMoo-Miki]

@AMoo-Miki There are some snapshots that need updating.

Oops; i thought i committed and pushed it... just did.

[kavilla]

I think looks good to me. Pulled it down working. It's also working with the basic settings for security plugin.

One thing I'm not able to completely test is if any functionality relied on the osd-version header being present just so the redirect can be attached to the request and not fail.

For example, on main:
This succeeds:

curl localhost:5601/hdn/api/status -ku 'admin:admin'

This succeeds:

curl localhost:5601/hdn/api/status -ku 'admin:admin' -H osd-version:3.0.0

This succeeds:

curl localhost:5601/hdn/api/status -ku 'admin:admin' -H osd-version:

This fails:

curl localhost:5601/hdn/api/status -ku 'admin:admin' -H osd-version:3.5.0

Which makes sense because the version mismatch. So if any functionality outside of what I tested relied on the osd-version and utilized the fetch call might be broken if the fetch was passed from one request to another.

So I don't know want to block it on something that I can't test especially if the value being not present still works for us. But I do believe we might want to mention in higher in the changelog.

Like something that mentions,

HTTP Fetch from Core OpenSearch Dashboards no longer default appends the osd-version.

[AMoo-Miki]

Rocky, this change makes sure osd-xsrf is used all over and only removed node-version when the call is to a destination outside of OSD; any call to OSD will have node-version.

[joshuarrrr]

@AMoo-Miki Is there a follow-up issue already created to keep track of these todos?

[joshuarrrr]

nit - todo comments should have issues opened to link to.