Adds a check to only skip authentication for anonymous requests when …

…anonymous-auth is enabled Signed-off-by: Darshit Chanpura <[email protected]>
DarshitChanpura · Mar 6, 2024 · d7af7eb · d7af7eb
1 parent 548e218
commit d7af7eb
Showing 1 changed file with 14 additions and 2 deletions.
diff --git a/src/main/java/org/opensearch/security/auth/BackendRegistry.java b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
@@ -286,7 +286,9 @@ public boolean authenticate(final SecurityRequestChannel request) {
 
             if (ac == null) {
                 // no credentials found in request
-                if (anonymousAuthEnabled) {
+                if (anonymousAuthEnabled && checkIfRequestIsForAnonymousLogin(request.header("_auth_request_type_"))) {
+                    log.info(httpAuthenticator.getClass().getName());
+                    log.info("Skipped {} because anonymous auth is enabled", authDomain.getBackend().getClass());
                     continue;
                 }
 
@@ -386,7 +388,12 @@ public boolean authenticate(final SecurityRequestChannel request) {
                 log.debug("User still not authenticated after checking {} auth domains", restAuthDomains.size());
             }
 
-            if (authCredentials == null && anonymousAuthEnabled) {
+            log.info(request.uri());
+            log.info(request.getHeaders());
+            if (authCredentials == null
+                && anonymousAuthEnabled
+                && checkIfRequestIsForAnonymousLogin(request.header("_auth_request_type_"))) {
+                // TODO why do we automatically assume anonymous user ??
                 final String tenant = resolveTenantFrom(request);
                 User anonymousUser = new User(User.ANONYMOUS.getName(), new HashSet<String>(User.ANONYMOUS.getRoles()), null);
                 anonymousUser.setRequestedTenant(tenant);
@@ -396,6 +403,7 @@ public boolean authenticate(final SecurityRequestChannel request) {
                 if (isDebugEnabled) {
                     log.debug("Anonymous User is authenticated");
                 }
+                log.info("Anonymous User is authenticated");
                 return true;
             }
 
@@ -432,6 +440,10 @@ public boolean authenticate(final SecurityRequestChannel request) {
         return authenticated;
     }
 
+    private boolean checkIfRequestIsForAnonymousLogin(String authLoginType) {
+        return authLoginType != null && authLoginType.equalsIgnoreCase("anonymous");
+    }
+
     private String resolveTenantFrom(final SecurityRequest request) {
         return Optional.ofNullable(request.header("securitytenant")).orElse(request.header("security_tenant"));
     }