
Identify extension Transport requests and permit handshake and extens…
…ion registration actions (opensearch-project#2599)

* Identify extension Transport requests and permit handshake and extension registration actions

Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Sam <[email protected]>
cwperks authored and samuelcostae committed Jun 19, 2023
1 parent 7c8f379 commit 9006558
Showing 4 changed files with 26 additions and 4 deletions.
Expand Up @@ -94,6 +94,7 @@
import org.opensearch.core.xcontent.NamedXContentRegistry;
import org.opensearch.env.Environment;
import org.opensearch.env.NodeEnvironment;
import org.opensearch.extensions.ExtensionsManager;
import org.opensearch.http.HttpServerTransport;
import org.opensearch.http.HttpServerTransport.Dispatcher;
import org.opensearch.index.Index;
Expand Down Expand Up @@ -1187,13 +1188,16 @@ public static class GuiceHolder implements LifecycleComponent {
private static IndicesService indicesService;
private static PitService pitService;

private static ExtensionsManager extensionsManager;

@Inject
public GuiceHolder(final RepositoriesService repositoriesService,
final TransportService remoteClusterService, IndicesService indicesService, PitService pitService) {
final TransportService remoteClusterService, IndicesService indicesService, PitService pitService, ExtensionsManager extensionsManager) {
GuiceHolder.repositoriesService = repositoriesService;
GuiceHolder.remoteClusterService = remoteClusterService.getRemoteClusterService();
GuiceHolder.indicesService = indicesService;
GuiceHolder.pitService = pitService;
GuiceHolder.extensionsManager = extensionsManager;
}

public static RepositoriesService getRepositoriesService() {
Expand All @@ -1210,6 +1214,8 @@ public static IndicesService getIndicesService() {

public static PitService getPitService() { return pitService; }

public static ExtensionsManager getExtensionsManager() { return extensionsManager; }


@Override
public void close() {
Expand Up @@ -97,6 +97,8 @@ public class ConfigConstants {

public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_TRUSTED_CLUSTER_REQUEST = OPENDISTRO_SECURITY_CONFIG_PREFIX+"ssl_transport_trustedcluster_request";

public static final String OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENSION_REQUEST = OPENDISTRO_SECURITY_CONFIG_PREFIX+"ssl_transport_extension_request";


/**
* Set by the SSL plugin, this is the peer node certificate on the transport layer
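Review bot: The new constant `OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENSION_REQUEST` has no Javadoc, while the neighbouring entries in this class carry a one-line explanation of who sets the value and what it means (see the comment starting `Set by the SSL plugin` just below it). A comment such as `/** Transient set on the transport layer when an incoming request carries the id of a registered extension; read through HeaderHelper.isExtensionRequest. */` would make clear that this is a node-side transient and not a header supplied by the caller. The class body continues outside this hunk.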
Expand Up @@ -44,6 +44,10 @@ public static boolean isDirectRequest(final ThreadContext context) {
return "direct".equals(context.getTransient(ConfigConstants.OPENDISTRO_SECURITY_CHANNEL_TYPE))
|| context.getTransient(ConfigConstants.OPENDISTRO_SECURITY_CHANNEL_TYPE) == null;
}

public static boolean isExtensionRequest(final ThreadContext context) {
return context.getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENSION_REQUEST) == Boolean.TRUE;
}


public static String getSafeFromHeader(final ThreadContext context, final String headerName) {
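Review bot: `isExtensionRequest` compares the transient against `Boolean.TRUE` with `==`, which only holds because the producer stores that exact constant; a `Boolean` that is not the canonical instance (for example one produced by deserialization) would silently fail the check. `Boolean.TRUE.equals(...)` states the intent and is null-safe: `return Boolean.TRUE.equals(context.getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENSION_REQUEST));`. A short Javadoc noting that the method reads a transient set by this node rather than a request header, so the remote sender cannot set it directly, would also help, since the sibling helpers in this class mix header- and transient-based checks.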
Expand Up @@ -41,7 +41,9 @@
import org.opensearch.cluster.service.ClusterService;
import org.opensearch.common.transport.TransportAddress;
import org.opensearch.common.util.concurrent.ThreadContext;
import org.opensearch.extensions.ExtensionsManager;
import org.opensearch.search.internal.ShardSearchRequest;
import org.opensearch.security.OpenSearchSecurityPlugin;
import org.opensearch.security.auditlog.AuditLog;
import org.opensearch.security.auditlog.AuditLog.Origin;
import org.opensearch.security.ssl.SslExceptionHandler;
Expand Down Expand Up @@ -195,6 +197,7 @@ else if(!Strings.isNullOrEmpty(injectedUserHeader)) {
//also allow when issued from a remote cluster for cross cluster search
if ( !HeaderHelper.isInterClusterRequest(getThreadContext())
&& !HeaderHelper.isTrustedClusterRequest(getThreadContext())
&& !HeaderHelper.isExtensionRequest(getThreadContext())
&& !task.getAction().equals("internal:transport/handshake")
&& (task.getAction().startsWith("internal:") || task.getAction().contains("["))) {

Expand All @@ -216,14 +219,14 @@ else if(!Strings.isNullOrEmpty(injectedUserHeader)) {
transportChannel.sendResponse(ex);
return;
} else {

if(getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN) == null) {
getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN, Origin.TRANSPORT.toString());
}

//network intercluster request or cross search cluster request
if(HeaderHelper.isInterClusterRequest(getThreadContext())
|| HeaderHelper.isTrustedClusterRequest(getThreadContext())) {
|| HeaderHelper.isTrustedClusterRequest(getThreadContext())
|| HeaderHelper.isExtensionRequest(getThreadContext())) {

final String userHeader = getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_USER_HEADER);
final String injectedRolesHeader = getThreadContext().getHeader(ConfigConstants.OPENDISTRO_SECURITY_INJECTED_ROLES_HEADER);
Expand Down Expand Up @@ -256,7 +259,6 @@ else if(!Strings.isNullOrEmpty(injectedUserHeader)) {
}

} else {

//this is a netty request from a non-server node (maybe also be internal: or a shard request)
//and therefore issued by a transport client

Expand Down Expand Up @@ -326,6 +328,14 @@ protected void addAdditionalContextValues(final String action, final TransportRe
}
}

String extensionUniqueId = getThreadContext().getHeader("extension_unique_id");
if (extensionUniqueId != null) {
ExtensionsManager extManager = OpenSearchSecurityPlugin.GuiceHolder.getExtensionsManager();
if (extManager.getExtensionIdMap().containsKey(extensionUniqueId)) {
getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_EXTENSION_REQUEST, Boolean.TRUE);
}
}

super.addAdditionalContextValues(action, request, localCerts, peerCerts, principal);
}
}
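Review bot: The new block in `addAdditionalContextValues` flags a request as an extension request on the strength of a plain `extension_unique_id` request header, and the earlier hunks of this file then treat such requests like inter-cluster ones (skipping the `internal:` action rejection and honoring the user and injected-roles headers), so the trust decision should be bound to something the sender cannot merely assert, such as the `peerCerts`/`principal` this method already receives, rather than to the header value alone. `extManager` is also dereferenced without a null check; if `GuiceHolder` has not been constructed yet or no `ExtensionsManager` was bound, `getExtensionsManager()` may return null, so guard it: `if (extManager != null && extManager.getExtensionIdMap().containsKey(extensionUniqueId))`. The commit message limits the intent to handshake and extension registration actions, but no action check accompanies the new transient, so every action on a request carrying a registered id takes the trusted path; an explicit allowlist of the registration actions checked alongside `!task.getAction().equals("internal:transport/handshake")` would match the stated scope (the exact action names are not visible here). The body of `addAdditionalContextValues` begins outside this hunk, so an existing guard there would change this assessment.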
