[SECURITY] Set Auth-scheme preference (elastic#33156)

Some browsers (eg. Firefox) behave differently when presented with multiple auth schemes in 'WWW-Authenticate' header. The expected behavior is that browser select the most secure auth-scheme before trying others, but Firefox selects the first presented auth scheme and tries the next ones sequentially. As the browser interpretation is something that we do not control, we can at least present the auth schemes in most to least secure order as the server's preference. This commit modifies the code to collect and sort the auth schemes presented by most to least secure. The priority of the auth schemes is fixed, the lower number denoting more secure auth-scheme. The current order of schemes based on the ES supported auth-scheme is [Negotiate, Bearer,Basic] and when we add future support for other schemes we will need to update the code. If need be we will make this configuration customizable in future. Unit test to verify the WWW-Authenticate header values are sorted by server preference as more secure to least secure auth schemes. Tested with Firefox, Chrome, Internet Explorer 11. Closes#32699
bizybot · Sep 6, 2018 · ee73bc2 · ee73bc2
1 parent 0d45752
commit ee73bc2
Show file tree

Hide file tree

Showing 2 changed files with 58 additions and 7 deletions.
diff --git a/...java/org/elasticsearch/xpack/core/security/authc/DefaultAuthenticationFailureHandler.java b/...java/org/elasticsearch/xpack/core/security/authc/DefaultAuthenticationFailureHandler.java
@@ -12,9 +12,11 @@
 import org.elasticsearch.transport.TransportMessage;
 import org.elasticsearch.xpack.core.XPackField;
 
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
+import java.util.stream.Collectors;
 
 import static org.elasticsearch.xpack.core.security.support.Exceptions.authenticationError;
 
@@ -44,12 +46,42 @@ public DefaultAuthenticationFailureHandler() {
      *            be sent as failure response.
      * @see Realm#getAuthenticationFailureHeaders()
      */
-    public DefaultAuthenticationFailureHandler(Map<String, List<String>> failureResponseHeaders) {
+    public DefaultAuthenticationFailureHandler(final Map<String, List<String>> failureResponseHeaders) {
         if (failureResponseHeaders == null || failureResponseHeaders.isEmpty()) {
-            failureResponseHeaders = Collections.singletonMap("WWW-Authenticate",
+            this.defaultFailureResponseHeaders = Collections.singletonMap("WWW-Authenticate",
                     Collections.singletonList("Basic realm=\"" + XPackField.SECURITY + "\" charset=\"UTF-8\""));
+        } else {
+            this.defaultFailureResponseHeaders = Collections.unmodifiableMap(failureResponseHeaders.entrySet().stream().collect(Collectors
+                    .toMap(entry -> entry.getKey(), entry -> {
+                        if (entry.getKey().equalsIgnoreCase("WWW-Authenticate")) {
+                            List<String> values = new ArrayList<>(entry.getValue());
+                            Collections.sort(values, (o1, o2) -> authSchemePriority(o1).compareTo(authSchemePriority(o2)));
+                            return Collections.unmodifiableList(values);
+                        } else {
+                            return Collections.unmodifiableList(entry.getValue());
+                        }
+                    })));
+        }
+    }
+
+    /**
+     * For given 'WWW-Authenticate' header value returns the priority based on
+     * the auth-scheme. Lower number denotes more secure and preferred
+     * auth-scheme than the higher number.
+     *
+     * @param headerValue string starting with auth-scheme name
+     * @return integer value denoting priority for given auth scheme.
+     */
+    private static Integer authSchemePriority(final String headerValue) {
+        if (headerValue.regionMatches(true, 0, "negotiate", 0, "negotiate".length())) {
+            return 0;
+        } else if (headerValue.regionMatches(true, 0, "bearer", 0, "bearer".length())) {
+            return 1;
+        } else if (headerValue.regionMatches(true, 0, "basic", 0, "basic".length())) {
+            return 2;
+        } else {
+            return 3;
         }
-        this.defaultFailureResponseHeaders = Collections.unmodifiableMap(failureResponseHeaders);
     }
 
     @Override

diff --git a/...org/elasticsearch/xpack/core/security/authc/DefaultAuthenticationFailureHandlerTests.java b/...org/elasticsearch/xpack/core/security/authc/DefaultAuthenticationFailureHandlerTests.java
@@ -50,7 +50,7 @@ public void testAuthenticationRequired() {
         if (testDefault) {
             assertWWWAuthenticateWithSchemes(ese, basicAuthScheme);
         } else {
-            assertWWWAuthenticateWithSchemes(ese, basicAuthScheme, bearerAuthScheme);
+            assertWWWAuthenticateWithSchemes(ese, bearerAuthScheme, basicAuthScheme);
         }
     }
 
@@ -83,12 +83,12 @@ public void testExceptionProcessingRequest() {
                 assertThat(ese.getHeader("WWW-Authenticate"), is(notNullValue()));
                 assertThat(ese, is(sameInstance(cause)));
                 if (withAuthenticateHeader == false) {
-                    assertWWWAuthenticateWithSchemes(ese, basicAuthScheme, bearerAuthScheme, negotiateAuthScheme);
+                    assertWWWAuthenticateWithSchemes(ese, negotiateAuthScheme, bearerAuthScheme, basicAuthScheme);
                 } else {
                     if (selectedScheme.contains("Negotiate ")) {
                         assertWWWAuthenticateWithSchemes(ese, selectedScheme);
                     } else {
-                        assertWWWAuthenticateWithSchemes(ese, basicAuthScheme, bearerAuthScheme, negotiateAuthScheme);
+                        assertWWWAuthenticateWithSchemes(ese, negotiateAuthScheme, bearerAuthScheme, basicAuthScheme);
                     }
                 }
                 assertThat(ese.getMessage(), equalTo("unauthorized"));
@@ -102,11 +102,30 @@ public void testExceptionProcessingRequest() {
             assertThat(ese, is(notNullValue()));
             assertThat(ese.getHeader("WWW-Authenticate"), is(notNullValue()));
             assertThat(ese.getMessage(), equalTo("error attempting to authenticate request"));
-            assertWWWAuthenticateWithSchemes(ese, basicAuthScheme, bearerAuthScheme, negotiateAuthScheme);
+            assertWWWAuthenticateWithSchemes(ese, negotiateAuthScheme, bearerAuthScheme, basicAuthScheme);
         }
 
     }
 
+    public void testSortsWWWAuthenticateHeaderValues() {
+        final String basicAuthScheme = "Basic realm=\"" + XPackField.SECURITY + "\" charset=\"UTF-8\"";
+        final String bearerAuthScheme = "Bearer realm=\"" + XPackField.SECURITY + "\"";
+        final String negotiateAuthScheme = randomFrom("Negotiate", "Negotiate Ijoijksdk");
+        final Map<String, List<String>> failureResponeHeaders = new HashMap<>();
+        final List<String> supportedSchemes = Arrays.asList(basicAuthScheme, bearerAuthScheme, negotiateAuthScheme);
+        Collections.shuffle(supportedSchemes, random());
+        failureResponeHeaders.put("WWW-Authenticate", supportedSchemes);
+        final DefaultAuthenticationFailureHandler failuerHandler = new DefaultAuthenticationFailureHandler(failureResponeHeaders);
+
+        final ElasticsearchSecurityException ese = failuerHandler.exceptionProcessingRequest(Mockito.mock(RestRequest.class), null,
+                new ThreadContext(Settings.builder().build()));
+
+        assertThat(ese, is(notNullValue()));
+        assertThat(ese.getHeader("WWW-Authenticate"), is(notNullValue()));
+        assertThat(ese.getMessage(), equalTo("error attempting to authenticate request"));
+        assertWWWAuthenticateWithSchemes(ese, negotiateAuthScheme, bearerAuthScheme, basicAuthScheme);
+    }
+
     private void assertWWWAuthenticateWithSchemes(final ElasticsearchSecurityException ese, final String... schemes) {
         assertThat(ese.getHeader("WWW-Authenticate").size(), is(schemes.length));
         assertThat(ese.getHeader("WWW-Authenticate"), contains(schemes));