
Commit fa37403

committed
Don't remove warning headers on all failure
We shouldn't remove warning headers when a request fails for reasons unrelated to security (a syntax error, for example). Note that a security-related failure can also happen outside authentication, so we check the REST status as well; any failure that happens during authentication is considered security-related, and warnings are removed from the response. Resolves: elastic#75739
1 parent 5679e10 commit fa37403


1 file changed

+28
-10
lines changed


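--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java
@@ -46,6 +46,17 @@ public class SecurityRestFilter implements RestHandler {
 private final ThreadContext threadContext;
 private final boolean extractClientCertificate;
 
+public enum ActionType {
+Authentication("Authentication"),
+SecondaryAuthentication("Secondary authentication"),
+RequestHandling("Request handling");
+
+private final String name;
+ActionType(String name) { this.name = name; }
+@Override
+public String toString() { return name; }
+}
+
 public SecurityRestFilter(Settings settings, ThreadContext threadContext, AuthenticationService authenticationService,
 SecondaryAuthenticator secondaryAuthenticator, RestHandler restHandler, boolean extractClientCertificate) {
 this.settings = settings;
@@ -89,17 +100,21 @@ public void handleRequest(RestRequest request, RestChannel channel, NodeClient c
 logger.trace("Found secondary authentication {} in REST request [{}]", secondaryAuthentication, requestUri);
 }
 RemoteHostHeader.process(request, threadContext);
-restHandler.handleRequest(request, channel, client);
+try {
+restHandler.handleRequest(request, channel, client);
+} catch (Exception e) {
+handleException(ActionType.RequestHandling, request, channel, e);
+}
 },
-e -> handleException("Secondary authentication", request, channel, e)));
-}, e -> handleException("Authentication", request, channel, e)));
+e -> handleException(ActionType.SecondaryAuthentication, request, channel, e)));
+}, e -> handleException(ActionType.Authentication, request, channel, e)));
 } else {
 restHandler.handleRequest(request, channel, client);
 }
 }
 
-private void handleException(String actionType, RestRequest request, RestChannel channel, Exception e) {
-logger.debug(new ParameterizedMessage("{} failed for REST request [{}]", actionType, request.uri()), e);
+protected void handleException(ActionType actionType, RestRequest request, RestChannel channel, Exception e) {
+logger.debug(new ParameterizedMessage("{} failed for REST request [{}]", actionType.name(), request.uri()), e);
 final RestStatus restStatus = ExceptionsHelper.status(e);
 try {
 channel.sendResponse(new BytesRestResponse(channel, restStatus, e) {
@@ -109,11 +124,14 @@ private void handleException(String actionType, RestRequest request, RestChannel
 
 @Override
 public Map<String, List<String>> filterHeaders(Map<String, List<String>> headers) {
-if (headers.containsKey("Warning")) {
-headers = Maps.copyMapWithRemovedEntry(headers, "Warning");
-}
-if (headers.containsKey("X-elastic-product")) {
-headers = Maps.copyMapWithRemovedEntry(headers, "X-elastic-product");
+if (actionType != ActionType.RequestHandling
+|| (restStatus == RestStatus.UNAUTHORIZED || restStatus == RestStatus.FORBIDDEN)) {
+if (headers.containsKey("Warning")) {
+headers = Maps.copyMapWithRemovedEntry(headers, "Warning");
+}
+if (headers.containsKey("X-elastic-product")) {
+headers = Maps.copyMapWithRemovedEntry(headers, "X-elastic-product");
+}
 }
 return headers;
 }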
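Review bot: The try/catch added around `restHandler.handleRequest(request, channel, client)` in handleRequest only sees exceptions thrown synchronously, so the new `restStatus == RestStatus.UNAUTHORIZED || restStatus == RestStatus.FORBIDDEN` test in filterHeaders covers just that path. If a handler reports an authorization failure later through the channel (not visible in these hunks, so an assumption to confirm), that response never reaches handleException and keeps its `Warning` and `X-elastic-product` headers. A test asserting both headers are absent on a 403 produced after handleRequest has returned, or a comment on the catch stating the limitation, would make the guarantee explicit. Separately, the debug log in handleException calls `actionType.name()`, which is `Enum.name()` and yields the constant identifier (`SecondaryAuthentication`) rather than the display string in the private `name` field. Passing the enum itself, `new ParameterizedMessage("{} failed for REST request [{}]", actionType, request.uri())`, keeps the previous log text via `toString()`; both methods continue outside the hunks shown.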
