diff --git a/build.gradle b/build.gradle
index d3b3846edd..07068bf2e5 100644
--- a/build.gradle
+++ b/build.gradle
@@ -424,8 +424,10 @@ configurations {
 force "com.fasterxml.jackson.datatype:jackson-datatype-jdk8:${versions.jackson}"
 force "com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}"
 force "io.netty:netty-buffer:${versions.netty}"
+ force "io.netty:netty-codec:${versions.netty}"
 force "io.netty:netty-common:${versions.netty}"
 force "io.netty:netty-handler:${versions.netty}"
+ force "io.netty:netty-resolver:${versions.netty}"
 force "io.netty:netty-transport:${versions.netty}"
 force "io.netty:netty-transport-native-unix-common:${versions.netty}"
 force "org.apache.bcel:bcel:6.7.0" // This line should be removed once Spotbugs is upgraded to 4.7.4
diff --git a/src/main/java/org/opensearch/security/http/SecurityNonSslHttpServerTransport.java b/src/main/java/org/opensearch/security/http/SecurityNonSslHttpServerTransport.java
index 95474aa719..2e0c94ec7a 100644
--- a/src/main/java/org/opensearch/security/http/SecurityNonSslHttpServerTransport.java
+++ b/src/main/java/org/opensearch/security/http/SecurityNonSslHttpServerTransport.java
@@ -92,6 +92,6 @@ protected void initChannel(Channel ch) throws Exception {
 @Override
 protected ChannelInboundHandlerAdapter createHeaderVerifier() {
- return new Netty4HttpRequestHeaderVerifier(restFilter, xContentRegistry, threadPool, handlingSettings);
+ return new Netty4HttpRequestHeaderVerifier(restFilter, xContentRegistry, threadPool, handlingSettings, settings);
 }
 }
diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
index 59a4691977..1ad4ea7779 100644
--- a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
+++ b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
@@ -97,7 +97,7 @@ public class OpenSearchSecuritySSLPlugin extends Plugin implements SystemIndexPl
 );
 public static final boolean OPENSSL_SUPPORTED = (PlatformDependent.javaVersion() < 12) && USE_NETTY_DEFAULT_ALLOCATOR;
 protected final Logger log = LogManager.getLogger(this.getClass());
- protected static final String CLIENT_TYPE = "client.type";
+ public static final String CLIENT_TYPE = "client.type";
 protected final boolean client;
 protected final boolean httpSSLEnabled;
 protected final boolean transportSSLEnabled;
diff --git a/src/main/java/org/opensearch/security/ssl/http/netty/Netty4HttpRequestHeaderVerifier.java b/src/main/java/org/opensearch/security/ssl/http/netty/Netty4HttpRequestHeaderVerifier.java
index 9770c3e83c..91537680d5 100644
--- a/src/main/java/org/opensearch/security/ssl/http/netty/Netty4HttpRequestHeaderVerifier.java
+++ b/src/main/java/org/opensearch/security/ssl/http/netty/Netty4HttpRequestHeaderVerifier.java
@@ -25,6 +25,9 @@
 import org.opensearch.security.filter.SecurityRestFilter;
 import org.opensearch.security.http.InterceptingRestChannel;
 import org.opensearch.threadpool.ThreadPool;
+import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin;
+import org.opensearch.common.settings.Settings;
 import java.util.regex.Matcher;
@@ -40,17 +43,26 @@ public class Netty4HttpRequestHeaderVerifier extends SimpleChannelInboundHandler
 private final ThreadPool threadPool;
 private final NamedXContentRegistry xContentRegistry;
 private final HttpHandlingSettings handlingSettings;
+ private final Settings settings;
+ private final boolean passthrough;
 public Netty4HttpRequestHeaderVerifier(
 SecurityRestFilter restFilter,
 NamedXContentRegistry xContentRegistry,
 ThreadPool threadPool,
- HttpHandlingSettings handlingSettings
+ HttpHandlingSettings handlingSettings,
+ Settings settings
 ) {
 this.restFilter = restFilter;
 this.xContentRegistry = xContentRegistry;
 this.threadPool = threadPool;
 this.handlingSettings = handlingSettings;
+ this.settings = settings;
+
+ boolean sslOnly = settings.getAsBoolean(ConfigConstants.SECURITY_SSL_ONLY, false);
+ boolean disabled = settings.getAsBoolean(ConfigConstants.SECURITY_DISABLED, false);
+ boolean client = !"node".equals(settings.get(OpenSearchSecuritySSLPlugin.CLIENT_TYPE));
+ this.passthrough = client || disabled || sslOnly;
 }
 @Override
@@ -58,6 +70,11 @@ public void channelRead0(ChannelHandlerContext ctx, DefaultHttpRequest msg) thro
 // DefaultHttpRequest should always be first and contain headers
 ReferenceCountUtil.retain(msg);
+ if (passthrough) {
+ ctx.fireChannelRead(msg);
+ return;
+ }
+
 final Netty4HttpChannel httpChannel = ctx.channel().attr(Netty4HttpServerTransport.HTTP_CHANNEL_KEY).get();
 final Netty4DefaultHttpRequest httpRequest = new Netty4DefaultHttpRequest(msg);
 RestRequest restRequest = AbstractHttpServerTransport.createRestRequest(xContentRegistry, httpRequest, httpChannel);
diff --git a/src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java b/src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java
index da36a92250..a3133d6ef8 100644
--- a/src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java
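Review bot: The `client` term in the Netty4HttpRequestHeaderVerifier constructor fails open: `!"node".equals(settings.get(OpenSearchSecuritySSLPlugin.CLIENT_TYPE))` is true whenever `client.type` is missing from the `Settings` object, so `passthrough` becomes true and every request skips header verification. If the settings handed over by the two transports can ever lack that key, the verifier is switched off without any trace; recording once at construction which of the three conditions enabled passthrough would make that visible to operators, and a unit test with an empty `Settings` would pin the intended default. The new `settings` field is only read inside the constructor in the lines shown, so it could stay a parameter rather than instance state. The flag itself deserves a comment such as `// true when the plugin is disabled, SSL-only, or not running inside a node: requests are forwarded without early header verification`.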
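Review bot: The early return added to `channelRead0` leaves it unexplained why `ReferenceCountUtil.retain(msg)` must stay ahead of it; the order matters if the base handler releases the message after `channelRead0` returns, which is presumably the case here but is not visible in the hunk. A short comment on the branch would stop a later refactor from moving the check above the retain, for example `// keep after retain(): msg is forwarded unverified and still needs its reference downstream`. The rest of `channelRead0` lies outside the hunk, so whether later handlers rely on state this verifier normally sets cannot be confirmed from here and is worth checking for the passthrough path.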
+++ b/src/main/java/org/opensearch/security/ssl/http/netty/SecuritySSLNettyHttpServerTransport.java
@@ -157,6 +157,6 @@ protected void configurePipeline(Channel ch) {
 @Override
 protected ChannelInboundHandlerAdapter createHeaderVerifier() {
- return new Netty4HttpRequestHeaderVerifier(restFilter, xContentRegistry, threadPool, handlingSettings);
+ return new Netty4HttpRequestHeaderVerifier(restFilter, xContentRegistry, threadPool, handlingSettings, settings);
 }
 }