Skip to content

[SECURITY] Set Auth-scheme preference #33156

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 12 commits into from
Sep 6, 2018
Merged

[SECURITY] Set Auth-scheme preference #33156

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
c287d89
[SECURITY] Auth scheme preference
Aug 24, 2018
ce10118
Address review comment.
Aug 29, 2018
e1b4bde
Merge branch 'master' into fix/32699
Aug 29, 2018
d156292
Merge branch 'master' into fix/32699
Aug 29, 2018
a5ba1f6
Address review comments
Aug 29, 2018
4c6b0b2
Merge branch 'master' into fix/32699
Aug 30, 2018
aa2ea72
Remove unused import
Aug 30, 2018
aed90c3
forgot to run precommit, addressed the issue
Aug 30, 2018
48277ab
Address review comments
Sep 6, 2018
4b17283
Merge branch 'master' into fix/32699
Sep 6, 2018
87ca139
Merge branch 'master' into fix/32699
Sep 6, 2018
71b10ec
Merge branch 'master' into fix/32699
Sep 6, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 35 additions & 3 deletions ...java/org/elasticsearch/xpack/core/security/authc/DefaultAuthenticationFailureHandler.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,11 @@
import org.elasticsearch.transport.TransportMessage;
import org.elasticsearch.xpack.core.XPackField;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import static org.elasticsearch.xpack.core.security.support.Exceptions.authenticationError;

Expand Down Expand Up @@ -44,12 +46,42 @@ public DefaultAuthenticationFailureHandler() {
* be sent as failure response.
* @see Realm#getAuthenticationFailureHeaders()
*/
public DefaultAuthenticationFailureHandler(Map<String, List<String>> failureResponseHeaders) {
public DefaultAuthenticationFailureHandler(final Map<String, List<String>> failureResponseHeaders) {
if (failureResponseHeaders == null || failureResponseHeaders.isEmpty()) {
failureResponseHeaders = Collections.singletonMap("WWW-Authenticate",
this.defaultFailureResponseHeaders = Collections.singletonMap("WWW-Authenticate",
Collections.singletonList("Basic realm=\"" + XPackField.SECURITY + "\" charset=\"UTF-8\""));
} else {
this.defaultFailureResponseHeaders = Collections.unmodifiableMap(failureResponseHeaders.entrySet().stream().collect(Collectors
.toMap(entry -> entry.getKey(), entry -> {
if (entry.getKey().equalsIgnoreCase("WWW-Authenticate")) {
List<String> values = new ArrayList<>(entry.getValue());
Collections.sort(values, (o1, o2) -> authSchemePriority(o1).compareTo(authSchemePriority(o2)));
return Collections.unmodifiableList(values);
} else {
return Collections.unmodifiableList(entry.getValue());
}
})));
}
}

/**
* For given 'WWW-Authenticate' header value returns the priority based on
* the auth-scheme. Lower number denotes more secure and preferred
* auth-scheme than the higher number.
*
* @param headerValue string starting with auth-scheme name
* @return integer value denoting priority for given auth scheme.
*/
private static Integer authSchemePriority(final String headerValue) {
if (headerValue.regionMatches(true, 0, "negotiate", 0, "negotiate".length())) {
return 0;
} else if (headerValue.regionMatches(true, 0, "bearer", 0, "bearer".length())) {
return 1;
} else if (headerValue.regionMatches(true, 0, "basic", 0, "basic".length())) {
return 2;
} else {
return 3;
}
this.defaultFailureResponseHeaders = Collections.unmodifiableMap(failureResponseHeaders);
}

@Override
Expand Down
27 changes: 23 additions & 4 deletions ...org/elasticsearch/xpack/core/security/authc/DefaultAuthenticationFailureHandlerTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ public void testAuthenticationRequired() {
if (testDefault) {
assertWWWAuthenticateWithSchemes(ese, basicAuthScheme);
} else {
assertWWWAuthenticateWithSchemes(ese, basicAuthScheme, bearerAuthScheme);
assertWWWAuthenticateWithSchemes(ese, bearerAuthScheme, basicAuthScheme);
}
}

Expand Down Expand Up @@ -83,12 +83,12 @@ public void testExceptionProcessingRequest() {
assertThat(ese.getHeader("WWW-Authenticate"), is(notNullValue()));
assertThat(ese, is(sameInstance(cause)));
if (withAuthenticateHeader == false) {
assertWWWAuthenticateWithSchemes(ese, basicAuthScheme, bearerAuthScheme, negotiateAuthScheme);
assertWWWAuthenticateWithSchemes(ese, negotiateAuthScheme, bearerAuthScheme, basicAuthScheme);
} else {
if (selectedScheme.contains("Negotiate ")) {
assertWWWAuthenticateWithSchemes(ese, selectedScheme);
} else {
assertWWWAuthenticateWithSchemes(ese, basicAuthScheme, bearerAuthScheme, negotiateAuthScheme);
assertWWWAuthenticateWithSchemes(ese, negotiateAuthScheme, bearerAuthScheme, basicAuthScheme);
}
}
assertThat(ese.getMessage(), equalTo("unauthorized"));
Expand All @@ -102,11 +102,30 @@ public void testExceptionProcessingRequest() {
assertThat(ese, is(notNullValue()));
assertThat(ese.getHeader("WWW-Authenticate"), is(notNullValue()));
assertThat(ese.getMessage(), equalTo("error attempting to authenticate request"));
assertWWWAuthenticateWithSchemes(ese, basicAuthScheme, bearerAuthScheme, negotiateAuthScheme);
assertWWWAuthenticateWithSchemes(ese, negotiateAuthScheme, bearerAuthScheme, basicAuthScheme);
}

}

public void testSortsWWWAuthenticateHeaderValues() {
final String basicAuthScheme = "Basic realm=\"" + XPackField.SECURITY + "\" charset=\"UTF-8\"";
final String bearerAuthScheme = "Bearer realm=\"" + XPackField.SECURITY + "\"";
final String negotiateAuthScheme = randomFrom("Negotiate", "Negotiate Ijoijksdk");
final Map<String, List<String>> failureResponeHeaders = new HashMap<>();
final List<String> supportedSchemes = Arrays.asList(basicAuthScheme, bearerAuthScheme, negotiateAuthScheme);
Collections.shuffle(supportedSchemes, random());
failureResponeHeaders.put("WWW-Authenticate", supportedSchemes);
final DefaultAuthenticationFailureHandler failuerHandler = new DefaultAuthenticationFailureHandler(failureResponeHeaders);

final ElasticsearchSecurityException ese = failuerHandler.exceptionProcessingRequest(Mockito.mock(RestRequest.class), null,
new ThreadContext(Settings.builder().build()));

assertThat(ese, is(notNullValue()));
assertThat(ese.getHeader("WWW-Authenticate"), is(notNullValue()));
assertThat(ese.getMessage(), equalTo("error attempting to authenticate request"));
assertWWWAuthenticateWithSchemes(ese, negotiateAuthScheme, bearerAuthScheme, basicAuthScheme);
}

private void assertWWWAuthenticateWithSchemes(final ElasticsearchSecurityException ese, final String... schemes) {
assertThat(ese.getHeader("WWW-Authenticate").size(), is(schemes.length));
assertThat(ese.getHeader("WWW-Authenticate"), contains(schemes));
Expand Down