Passthrough if sslOnly

Signed-off-by: Craig Perkins <[email protected]>

build.gradle

@@ -424,8 +424,10 @@ configurations {
             force "com.fasterxml.jackson.datatype:jackson-datatype-jdk8:${versions.jackson}"
             force "com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}"
             force "io.netty:netty-buffer:${versions.netty}"
+            force "io.netty:netty-codec:${versions.netty}"
             force "io.netty:netty-common:${versions.netty}"
             force "io.netty:netty-handler:${versions.netty}"
+            force "io.netty:netty-resolver:${versions.netty}"
             force "io.netty:netty-transport:${versions.netty}"
             force "io.netty:netty-transport-native-unix-common:${versions.netty}"
             force "org.apache.bcel:bcel:6.7.0" // This line should be removed once Spotbugs is upgraded to 4.7.4

src/main/java/org/opensearch/security/http/SecurityNonSslHttpServerTransport.java

@@ -92,6 +92,6 @@ protected void initChannel(Channel ch) throws Exception {
 
     @Override
     protected ChannelInboundHandlerAdapter createHeaderVerifier() {
-        return new Netty4HttpRequestHeaderVerifier(restFilter, xContentRegistry, threadPool, handlingSettings);
+        return new Netty4HttpRequestHeaderVerifier(restFilter, xContentRegistry, threadPool, handlingSettings, settings);
     }
 }

src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java

@@ -97,7 +97,7 @@ public class OpenSearchSecuritySSLPlugin extends Plugin implements SystemIndexPl
     );
     public static final boolean OPENSSL_SUPPORTED = (PlatformDependent.javaVersion() < 12) && USE_NETTY_DEFAULT_ALLOCATOR;
     protected final Logger log = LogManager.getLogger(this.getClass());
-    protected static final String CLIENT_TYPE = "client.type";
+    public static final String CLIENT_TYPE = "client.type";
     protected final boolean client;
     protected final boolean httpSSLEnabled;
     protected final boolean transportSSLEnabled;

src/main/java/org/opensearch/security/ssl/http/netty/Netty4HttpRequestHeaderVerifier.java

@@ -25,6 +25,9 @@
 import org.opensearch.security.filter.SecurityRestFilter;
 import org.opensearch.security.http.InterceptingRestChannel;
 import org.opensearch.threadpool.ThreadPool;
+import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin;
+import org.opensearch.common.settings.Settings;
 
 import java.util.regex.Matcher;
 
@@ -40,24 +43,38 @@ public class Netty4HttpRequestHeaderVerifier extends SimpleChannelInboundHandler
     private final ThreadPool threadPool;
     private final NamedXContentRegistry xContentRegistry;
     private final HttpHandlingSettings handlingSettings;
+    private final Settings settings;
+    private final boolean passthrough;
 
     public Netty4HttpRequestHeaderVerifier(
         SecurityRestFilter restFilter,
         NamedXContentRegistry xContentRegistry,
         ThreadPool threadPool,
-        HttpHandlingSettings handlingSettings
+        HttpHandlingSettings handlingSettings,
+        Settings settings
     ) {
         this.restFilter = restFilter;
         this.xContentRegistry = xContentRegistry;
         this.threadPool = threadPool;
         this.handlingSettings = handlingSettings;
+        this.settings = settings;
+
+        boolean sslOnly = settings.getAsBoolean(ConfigConstants.SECURITY_SSL_ONLY, false);
+        boolean disabled = settings.getAsBoolean(ConfigConstants.SECURITY_DISABLED, false);
+        boolean client = !"node".equals(settings.get(OpenSearchSecuritySSLPlugin.CLIENT_TYPE));
+        this.passthrough = client || disabled || sslOnly;
     }
 
     @Override
     public void channelRead0(ChannelHandlerContext ctx, DefaultHttpRequest msg) throws Exception {
         // DefaultHttpRequest should always be first and contain headers
         ReferenceCountUtil.retain(msg);
 
+        if (passthrough) {
+            ctx.fireChannelRead(msg);
+            return;
+        }
+
         final Netty4HttpChannel httpChannel = ctx.channel().attr(Netty4HttpServerTransport.HTTP_CHANNEL_KEY).get();
         final Netty4DefaultHttpRequest httpRequest = new Netty4DefaultHttpRequest(msg);
         RestRequest restRequest = AbstractHttpServerTransport.createRestRequest(xContentRegistry, httpRequest, httpChannel);

src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java

@@ -157,6 +157,6 @@ protected void configurePipeline(Channel ch) {
 
     @Override
     protected ChannelInboundHandlerAdapter createHeaderVerifier() {
-        return new Netty4HttpRequestHeaderVerifier(restFilter, xContentRegistry, threadPool, handlingSettings);
+        return new Netty4HttpRequestHeaderVerifier(restFilter, xContentRegistry, threadPool, handlingSettings, settings);
     }
 }