-
Notifications
You must be signed in to change notification settings - Fork 281
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix unconsumed parameter exception when authenticating with jwtUrlParameter #3975
Fix unconsumed parameter exception when authenticating with jwtUrlParameter #3975
Conversation
…ameter Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
src/main/java/org/opensearch/security/filter/SecurityRequest.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ty @cwperks for this contribution! left a small nit to improve readability. +1 to Peter's comment about keeping the interface void of any potential abstraction leakage.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Outside of the comments from Peter and DC it looks good to me. One place where I wanted to double check we handle an edge case.
src/integrationTest/java/org/opensearch/security/http/JwtAuthenticationWithUrlParamTests.java
Show resolved
Hide resolved
Signed-off-by: Craig Perkins <[email protected]>
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #3975 +/- ##
==========================================
+ Coverage 65.56% 65.87% +0.31%
==========================================
Files 298 298
Lines 21246 21307 +61
Branches 3457 3469 +12
==========================================
+ Hits 13930 14037 +107
+ Misses 5595 5534 -61
- Partials 1721 1736 +15
|
src/main/java/org/opensearch/security/filter/OpenSearchRequest.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me @cwperks . Not sure why the codecov checks are failing would you please check that.
….java Co-authored-by: Peter Nied <[email protected]> Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
…ameter (#3975) Signed-off-by: Craig Perkins <[email protected]> Signed-off-by: Peter Nied <[email protected]> Signed-off-by: Peter Nied <[email protected]> Co-authored-by: Peter Nied <[email protected]> Co-authored-by: Peter Nied <[email protected]> (cherry picked from commit ccea744) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
… with jwtUrlParameter (#4065) Backport ccea744 from #3975. --------- Signed-off-by: Craig Perkins <[email protected]> Signed-off-by: Peter Nied <[email protected]> Signed-off-by: Peter Nied <[email protected]> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Peter Nied <[email protected]> Co-authored-by: Peter Nied <[email protected]> Co-authored-by: Craig Perkins <[email protected]>
…ameter (opensearch-project#3975) Signed-off-by: Craig Perkins <[email protected]> Signed-off-by: Peter Nied <[email protected]> Signed-off-by: Peter Nied <[email protected]> Co-authored-by: Peter Nied <[email protected]> Co-authored-by: Peter Nied <[email protected]>
Description
Discovered this bug when analyzing #3949. There is a regression in authentication with the
jwtUrlParameter
where it fails to consume the parameter and responds withillegal_argument_exception: contains unrecognized parameter
:The regression was introduced with the HeaderVerifier changes. With the HeaderVerifier, the HTTP Authenticators are authenticating with a lower-level request object, a NettyRequest. After the request is authenticated, it is then handled by the SecurityRestFilter using the higher-level OpenSearchRequest. The SecurityRestFilter is where authentication was previously performed before the HeaderVerifier changes. The JWT Authenticator "consumes" the jwtUrlParameter, but since its operating on the lower-level request object it is not properly consuming the parameter.
This change takes advantage of the channel attributes to carry the CONSUMED_PARAMS from the header verifier to the security rest filter where they are then consumed on the RestRequest object to prevent the illegal_argument_exception.
Bug Fix
Issues Resolved
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.