From d7af7eb99d0d79b478891ca3e15259e0f0d5262d Mon Sep 17 00:00:00 2001
From: Darshit Chanpura
Date: Tue, 5 Mar 2024 22:24:56 -0500
Subject: [PATCH] Adds a check to only skip authentication for anonymous requests when anonymous-auth is enabled
Signed-off-by: Darshit Chanpura
---
 .../security/auth/BackendRegistry.java | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/main/java/org/opensearch/security/auth/BackendRegistry.java b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
index 3ab9a2afc9..8e03c9bea4 100644
--- a/src/main/java/org/opensearch/security/auth/BackendRegistry.java
+++ b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
@@ -286,7 +286,9 @@ public boolean authenticate(final SecurityRequestChannel request) {
 if (ac == null) {
 // no credentials found in request
- if (anonymousAuthEnabled) {
+ if (anonymousAuthEnabled && checkIfRequestIsForAnonymousLogin(request.header("_auth_request_type_"))) {
+ log.info(httpAuthenticator.getClass().getName());
+ log.info("Skipped {} because anonymous auth is enabled", authDomain.getBackend().getClass());
 continue;
 }
@@ -386,7 +388,12 @@ public boolean authenticate(final SecurityRequestChannel request) {
 log.debug("User still not authenticated after checking {} auth domains", restAuthDomains.size());
 }
- if (authCredentials == null && anonymousAuthEnabled) {
+ log.info(request.uri());
+ log.info(request.getHeaders());
+ if (authCredentials == null
+ && anonymousAuthEnabled
+ && checkIfRequestIsForAnonymousLogin(request.header("_auth_request_type_"))) {
+ // TODO why do we automatically assume anonymous user ??
 final String tenant = resolveTenantFrom(request);
 User anonymousUser = new User(User.ANONYMOUS.getName(), new HashSet(User.ANONYMOUS.getRoles()), null);
 anonymousUser.setRequestedTenant(tenant);
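Review bot: The two `log.info` calls added under the new condition emit at info level for every credential-less anonymous request, apparently once per auth domain since the branch ends in `continue`, and the first of them, `log.info(httpAuthenticator.getClass().getName())`, carries no message text at all and reads as a debugging leftover. The surrounding code keeps this kind of trace behind `isDebugEnabled`/`log.debug` (visible in the hunk at line 403), so these should either be dropped or demoted, e.g. `log.debug("Skipped {} because anonymous auth is enabled", authDomain.getBackend().getClass());`. The same unconditional `log.info` pattern recurs in the hunks at lines 388 and 403. `authenticate` starts and ends outside this hunk.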
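Review bot: `log.info(request.getHeaders())` dumps every request header to the log at info level for each request that reaches this point, and on an authentication path that presumably includes the `Authorization` header and any cookie or token headers carried by non-anonymous callers, so credentials would end up in the logs; this line and the `log.info(request.uri())` beside it should be removed rather than merged. If header visibility is genuinely needed for troubleshooting it belongs behind the existing `isDebugEnabled` guard with the credential-bearing headers omitted. The `// TODO why do we automatically assume anonymous user ??` comment placed inside the new condition is answered by the condition itself — anonymous login only proceeds when the client's `_auth_request_type_` header asks for it — so it should be replaced with that explanation, e.g. `// Credential-less requests are treated as anonymous only when the client explicitly asks for anonymous login`. `authenticate` starts and ends outside this hunk.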
@@ -396,6 +403,7 @@ public boolean authenticate(final SecurityRequestChannel request) {
 if (isDebugEnabled) {
 log.debug("Anonymous User is authenticated");
 }
+ log.info("Anonymous User is authenticated");
 return true;
 }
@@ -432,6 +440,10 @@ public boolean authenticate(final SecurityRequestChannel request) {
 return authenticated;
 }
+ private boolean checkIfRequestIsForAnonymousLogin(String authLoginType) {
+ return authLoginType != null && authLoginType.equalsIgnoreCase("anonymous");
+ }
+
 private String resolveTenantFrom(final SecurityRequest request) {
 return Optional.ofNullable(request.header("securitytenant")).orElse(request.header("security_tenant"));
 }
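Review bot: The header name `"_auth_request_type_"` and the value `"anonymous"` that this helper compares against are string literals split between the helper and its two call sites in the hunks at lines 286 and 388; a pair of `private static final String` constants beside the helper, e.g. `private static final String AUTH_REQUEST_TYPE_HEADER = "_auth_request_type_";`, would keep them from drifting. The null guard can fold into the comparison as `return "anonymous".equalsIgnoreCase(authLoginType);`, which is null-safe. A short Javadoc would also help, along the lines of `/** Returns true when the client-supplied _auth_request_type_ header requests anonymous login; callers still have to check that anonymous auth is enabled. */`, since the method name does not convey that the value comes from the request.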