Identify extension Transport requests and permit handshake and extens…

…ion registration actions (opensearch-project#2599) * Identify extension Transport requests and permit handshake and extension registration actions Signed-off-by: Craig Perkins <[email protected]> Signed-off-by: Maciej Mierzwa <[email protected]>
MaciejMierzwa · Jun 13, 2023 · cb27206 · cb27206
1 parent a22a8f8
commit cb27206
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 4 deletions.
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -94,6 +94,7 @@
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.env.Environment;
 import org.opensearch.env.NodeEnvironment;
+import org.opensearch.extensions.ExtensionsManager;
 import org.opensearch.http.HttpServerTransport;
 import org.opensearch.http.HttpServerTransport.Dispatcher;
 import org.opensearch.index.Index;
@@ -1187,13 +1188,16 @@ public static class GuiceHolder implements LifecycleComponent {
         private static IndicesService indicesService;
         private static PitService pitService;
 
+        private static ExtensionsManager extensionsManager;
+
         @Inject
         public GuiceHolder(final RepositoriesService repositoriesService,
-                final TransportService remoteClusterService, IndicesService indicesService, PitService pitService) {
+                final TransportService remoteClusterService, IndicesService indicesService, PitService pitService, ExtensionsManager extensionsManager) {
             GuiceHolder.repositoriesService = repositoriesService;
             GuiceHolder.remoteClusterService = remoteClusterService.getRemoteClusterService();
             GuiceHolder.indicesService = indicesService;
             GuiceHolder.pitService = pitService;
+            GuiceHolder.extensionsManager = extensionsManager;
         }
 
         public static RepositoriesService getRepositoriesService() {
@@ -1210,6 +1214,8 @@ public static IndicesService getIndicesService() {
 
         public static PitService getPitService() { return pitService; }
 
+        public static ExtensionsManager getExtensionsManager() { return extensionsManager; }
+
 
         @Override
         public void close() {

diff --git a/src/main/java/org/opensearch/security/support/ConfigConstants.java b/src/main/java/org/opensearch/security/support/ConfigConstants.java
@@ -97,6 +97,8 @@ public class ConfigConstants {
 
     public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTED_CLUSTER_REQUEST = OPENDISTRO_SECURITY_CONFIG_PREFIX+"ssl_transport_trustedcluster_request";
 
+    public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENSION_REQUEST = OPENDISTRO_SECURITY_CONFIG_PREFIX+"ssl_transport_extension_request";
+
 
     /**
      * Set by the SSL plugin, this is the peer node certificate on the transport layer

diff --git a/src/main/java/org/opensearch/security/support/HeaderHelper.java b/src/main/java/org/opensearch/security/support/HeaderHelper.java
@@ -44,6 +44,10 @@ public static boolean isDirectRequest(final ThreadContext context) {
         return  "direct".equals(context.getTransient(ConfigConstants.OPENDISTRO_SECURITY_CHANNEL_TYPE))
                   || context.getTransient(ConfigConstants.OPENDISTRO_SECURITY_CHANNEL_TYPE) == null;
     }
+
+    public static boolean isExtensionRequest(final ThreadContext context) {
+        return context.getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENSION_REQUEST) == Boolean.TRUE;
+    }
 
 
     public static String getSafeFromHeader(final ThreadContext context, final String headerName) {

diff --git a/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java b/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java
@@ -41,7 +41,9 @@
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.transport.TransportAddress;
 import org.opensearch.common.util.concurrent.ThreadContext;
+import org.opensearch.extensions.ExtensionsManager;
 import org.opensearch.search.internal.ShardSearchRequest;
+import org.opensearch.security.OpenSearchSecurityPlugin;
 import org.opensearch.security.auditlog.AuditLog;
 import org.opensearch.security.auditlog.AuditLog.Origin;
 import org.opensearch.security.ssl.SslExceptionHandler;
@@ -195,6 +197,7 @@ else if(!Strings.isNullOrEmpty(injectedUserHeader)) {
             //also allow when issued from a remote cluster for cross cluster search
             if ( !HeaderHelper.isInterClusterRequest(getThreadContext())
                     && !HeaderHelper.isTrustedClusterRequest(getThreadContext())
+                    && !HeaderHelper.isExtensionRequest(getThreadContext())
                     && !task.getAction().equals("internal:transport/handshake")
                     && (task.getAction().startsWith("internal:") || task.getAction().contains("["))) {
 
@@ -216,14 +219,14 @@ else if(!Strings.isNullOrEmpty(injectedUserHeader)) {
                 transportChannel.sendResponse(ex);
                 return;
             } else {
-
                 if(getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN) == null) {
                     getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN, Origin.TRANSPORT.toString());
                 }
 
                 //network intercluster request or cross search cluster request
                 if(HeaderHelper.isInterClusterRequest(getThreadContext())
-                        || HeaderHelper.isTrustedClusterRequest(getThreadContext())) {
+                        || HeaderHelper.isTrustedClusterRequest(getThreadContext())
+                        || HeaderHelper.isExtensionRequest(getThreadContext())) {
 
                     final String userHeader = getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_USER_HEADER);
                     final String injectedRolesHeader = getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROLES_HEADER);
@@ -256,7 +259,6 @@ else if(!Strings.isNullOrEmpty(injectedUserHeader)) {
                     }
 
                 } else {
-
                     //this is a netty request from a non-server node (maybe also be internal: or a shard request)
                     //and therefore issued by a transport client
 
@@ -326,6 +328,14 @@ protected void addAdditionalContextValues(final String action, final TransportRe
             }
         }
 
+        String extensionUniqueId = getThreadContext().getHeader("extension_unique_id");
+        if (extensionUniqueId != null) {
+            ExtensionsManager extManager = OpenSearchSecurityPlugin.GuiceHolder.getExtensionsManager();
+            if (extManager.getExtensionIdMap().containsKey(extensionUniqueId)) {
+                getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENSION_REQUEST, Boolean.TRUE);
+            }
+        }
+
         super.addAdditionalContextValues(action, request, localCerts, peerCerts, principal);
     }
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -97,6 +97,8 @@ public class ConfigConstants { @@
         public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTED_CLUSTER_REQUEST = OPENDISTRO_SECURITY_CONFIG_PREFIX+"ssl_transport_trustedcluster_request";
+        public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENSION_REQUEST = OPENDISTRO_SECURITY_CONFIG_PREFIX+"ssl_transport_extension_request";
         /**
          * Set by the SSL plugin, this is the peer node certificate on the transport layer
@@ Expand Down @@