Refactors reRequestAuthentication to call notifyIpAuthFailureListener before sending the response to the channel

[DarshitChanpura]

Description

• Category: Refactoring

Prior to this change, the ip auth failure listener was not called upon challengeAuthenticator check invocation, which caused AddressBasedRateLimiter to not be invoked. With this change AddressBasedRateLimiter will be invoked upon multiple wrong requests from an ip

Issues Resolved

• Resolves [FEATURE] Refactor BackendRegistry to notifyIpAuthFailureListeners before auditing Failed Login and HTTPChallenge authenticator check #2686

Testing

Integration Testing (Adds a new test to verify the change)

When cluster was setup with Basic http challenge:

Before:

java.lang.AssertionError: Expected status code is '401', but was '200'. Response body '{
  "user" : "User [name=simple-user-2, backend_roles=[], requestedTenant=null]",
  "user_name" : "simple-user-2",
  "user_requested_tenant" : null,
  "remote_address" : "127.0.0.3:54025",
  "backend_roles" : [ ],
  "custom_attribute_names" : [ ],
  "roles" : [
    "user_simple-user-2__all_access"
  ],
  "tenants" : {
    "simple-user-2" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}
'.
Expected: <401>
     but: was <200>
	at __randomizedtesting.SeedInfo.seed([818958B6AA45DEE4:EB2D2AB7F1A10EE2]:0)
	at org.hamcrest.MatcherAssert.assertThat(MatcherAssert.java:20)
	at org.opensearch.test.framework.cluster.TestRestClient$HttpResponse.assertStatusCode(TestRestClient.java:432)
	at org.opensearch.security.IpBruteForceAttacksPreventionTests.shouldBlockIpAddress(IpBruteForceAttacksPreventionTests.java:91)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at com.carrotsearch.randomizedtesting.RandomizedRunner.invoke(RandomizedRunner.java:1758)
	at com.carrotsearch.randomizedtesting.RandomizedRunner$8.evaluate(RandomizedRunner.java:946)
	at org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:54)
	at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
	at com.carrotsearch.randomizedtesting.ThreadLeakControl$StatementRunner.run(ThreadLeakControl.java:390)
	at com.carrotsearch.randomizedtesting.ThreadLeakControl.forkTimeoutingTask(ThreadLeakControl.java:843)
	at com.carrotsearch.randomizedtesting.ThreadLeakControl$3.evaluate(ThreadLeakControl.java:490)
	at com.carrotsearch.randomizedtesting.RandomizedRunner.runSingleTest(RandomizedRunner.java:955)
	at com.carrotsearch.randomizedtesting.RandomizedRunner$5.evaluate(RandomizedRunner.java:840)
	at com.carrotsearch.randomizedtesting.RandomizedRunner$6.evaluate(RandomizedRunner.java:891)
	at com.carrotsearch.randomizedtesting.RandomizedRunner$7.evaluate(RandomizedRunner.java:902)
	at org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:54)
	at com.carrotsearch.randomizedtesting.rules.StatementAdapter.evaluate(StatementAdapter.java:36)
	at com.carrotsearch.randomizedtesting.ThreadLeakControl$StatementRunner.run(ThreadLeakControl.java:390)
	at com.carrotsearch.randomizedtesting.ThreadLeakControl.forkTimeoutingTask(ThreadLeakControl.java:843)
	at com.carrotsearch.randomizedtesting.ThreadLeakControl$2.evaluate(ThreadLeakControl.java:426)
	at com.carrotsearch.randomizedtesting.RandomizedRunner.runSuite(RandomizedRunner.java:716)
	at com.carrotsearch.randomizedtesting.RandomizedRunner.access$200(RandomizedRunner.java:138)
	at com.carrotsearch.randomizedtesting.RandomizedRunner$2.run(RandomizedRunner.java:637)

After:

BUILD SUCCESSFUL in 53s
6 actionable tasks: 6 executed

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov]

Codecov Report

Merging #3411 (9185eab) into main (ab891d0) will increase coverage by 0.04%.
Report is 1 commits behind head on main.
The diff coverage is 70.83%.

@@             Coverage Diff              @@
##               main    #3411      +/-   ##
============================================
+ Coverage     64.23%   64.27%   +0.04%     
  Complexity     3491     3491              
============================================
  Files           264      264              
  Lines         20152    20152              
  Branches       3363     3364       +1     
============================================
+ Hits          12944    12953       +9     
+ Misses         5527     5526       -1     
+ Partials       1681     1673       -8     

Files	Coverage Δ
...zon/dlic/auth/http/saml/HTTPSamlAuthenticator.java	69.02% <100.00%> (ø)
...ensearch/security/http/HTTPBasicAuthenticator.java	75.00% <100.00%> (-1.93%)	⬇️
...rch/security/http/HTTPClientCertAuthenticator.java	88.57% <100.00%> (ø)
...ity/http/proxy/HTTPExtendedProxyAuthenticator.java	84.00% <ø> (+3.23%)	⬆️
...ic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java	59.09% <0.00%> (+0.66%)	⬆️
...mazon/dlic/auth/http/jwt/HTTPJwtAuthenticator.java	81.72% <0.00%> (+0.86%)	⬆️
...dlic/auth/http/saml/AuthTokenProcessorHandler.java	46.40% <83.33%> (-0.08%)	⬇️
...ensearch/security/http/HTTPProxyAuthenticator.java	72.00% <0.00%> (ø)
...nsearch/security/http/OnBehalfOfAuthenticator.java	67.64% <0.00%> (ø)
...ic/auth/http/kerberos/HTTPSpnegoAuthenticator.java	0.00% <0.00%> (ø)
... and 1 more

... and 3 files with indirect coverage changes

[cwperks]

Thank you @DarshitChanpura. Overall this looks like a really good change to me and I really like reducing the number of channel.sendResponses because I really think there should just be a single place for that call.

The SAML flow is pretty confusing, but that pre-exists this PR.

[DarshitChanpura]

Thank you @DarshitChanpura. Overall this looks like a really good change to me and I really like reducing the number of channel.sendResponses because I really think there should just be a single place for that call.

The SAML flow is pretty confusing, but that pre-exists this PR.

Completely agree. SAML auth flow is slightly confusing and was tricky to navigate with the fix.

[opensearch-trigger-bot]

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.x
# Create a new branch
git switch --create backport/backport-3411-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 7924da13a57ecbf3352d84e6d020012723b81fa1
# Push it to GitHub
git push --set-upstream origin backport/backport-3411-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-3411-to-2.x.