/**
 * Stores the initial action class in the thread context, but only if that header is absent.
 *
 * <p>{@code ConfigConstants.SG_INITIAL_ACTION_CLASS_HEADER} is never overwritten: whichever value
 * is written first stays for the rest of the request's thread context.
 *
 * @param initialActionClassValue value already carried in the thread context, or {@code null}
 * @param resolvedActionClass fallback value used when {@code initialActionClassValue} is {@code null}
 */
private void putInitialActionClassHeader(String initialActionClassValue, String resolvedActionClass) {
    final String headerName = ConfigConstants.SG_INITIAL_ACTION_CLASS_HEADER;
    if (getThreadContext().getHeader(headerName) != null) {
        return; // put-if-absent: an existing header value wins
    }
    // Prefer the value that was handed in; fall back to the locally resolved action class.
    final String value = initialActionClassValue == null ? resolvedActionClass : initialActionClassValue;
    getThreadContext().putHeader(headerName, value);
}
String initialActionClassValue = getThreadContext().getHeader(ConfigConstants.SG_INITIAL_ACTION_CLASS_HEADER); final String originHeader = getThreadContext().getHeader(ConfigConstants.SG_ORIGIN_HEADER); final String userHeader = getThreadContext().getHeader(ConfigConstants.SG_USER_HEADER); final String originalRemoteAddress = getThreadContext().getHeader(ConfigConstants.SG_REMOTE_ADDRESS_HEADER); || HeaderHelper.isTrustedClusterRequest(getThreadContext())) { final String userHeader = getThreadContext().getHeader(ConfigConstants.SG_USER_HEADER); String originalRemoteAddress = getThreadContext().getHeader(ConfigConstants.SG_REMOTE_ADDRESS_HEADER);
/**
 * Serializes a {@code SourceFieldsContext} for the request into the {@code _sg_source_field_context}
 * header, unless that header is already present.
 *
 * <p>Only {@link SearchRequest} and {@link GetRequest} instances for which
 * {@code SourceFieldsContext.isNeeded} returns {@code true} are handled; every other request leaves
 * the thread context untouched.
 *
 * @param request the action request being processed
 */
private void attachSourceFieldContext(ActionRequest request) {
    final String headerName = "_sg_source_field_context";
    final SourceFieldsContext sourceFieldsContext;
    if (request instanceof SearchRequest && SourceFieldsContext.isNeeded((SearchRequest) request)) {
        if (threadContext.getHeader(headerName) != null) {
            return; // already attached further up the call chain
        }
        sourceFieldsContext = new SourceFieldsContext((SearchRequest) request);
    } else if (request instanceof GetRequest && SourceFieldsContext.isNeeded((GetRequest) request)) {
        if (threadContext.getHeader(headerName) != null) {
            return; // already attached further up the call chain
        }
        sourceFieldsContext = new SourceFieldsContext((GetRequest) request);
    } else {
        return; // request type does not carry a source-field context
    }
    // NOTE(review): Base64Helper.serializeObject presumably uses Java serialization; the consumer
    // that reads this header back should accept only SourceFieldsContext — confirm on that side.
    threadContext.putHeader(headerName, Base64Helper.serializeObject(sourceFieldsContext));
}
if (threadContext.getHeader(ConfigConstants.SG_MASKED_FIELD_HEADER) != null) { if (!maskedFieldsMap.equals(Base64Helper.deserializeObject(threadContext.getHeader(ConfigConstants.SG_MASKED_FIELD_HEADER)))) { throw new ElasticsearchSecurityException(ConfigConstants.SG_MASKED_FIELD_HEADER + " does not match (SG 901D)"); } else { if (threadContext.getHeader(ConfigConstants.SG_DLS_QUERY_HEADER) != null) { if (!dlsQueries.equals(Base64Helper.deserializeObject(threadContext.getHeader(ConfigConstants.SG_DLS_QUERY_HEADER)))) { throw new ElasticsearchSecurityException(ConfigConstants.SG_DLS_QUERY_HEADER + " does not match (SG 900D)"); if (threadContext.getHeader(ConfigConstants.SG_FLS_FIELDS_HEADER) != null) { if (!flsFields.equals(Base64Helper.deserializeObject(threadContext.getHeader(ConfigConstants.SG_FLS_FIELDS_HEADER)))) { throw new ElasticsearchSecurityException(ConfigConstants.SG_FLS_FIELDS_HEADER + " does not match (SG 901D)"); } else {
/**
 * Marks the thread context with the kind of inter-cluster request this is, then delegates to the
 * superclass.
 *
 * <p>Only requests that {@code requestEvalProvider.isInterClusterRequest} accepts (certificate and
 * principal based) are marked. Among those, a request whose {@code _sg_header_tn} header parses as
 * {@code true}, or whose {@code _sg_remotecn} header equals the local cluster name, receives the
 * {@code SG_SSL_TRANSPORT_INTERCLUSTER_REQUEST} transient; any other inter-cluster request receives
 * {@code SG_SSL_TRANSPORT_TRUSTED_CLUSTER_REQUEST}. Non-inter-cluster requests only produce a trace
 * log entry.
 *
 * @throws Exception whatever the superclass implementation throws
 */
@Override
protected void addAdditionalContextValues(final String action, final TransportRequest request,
        final X509Certificate[] localCerts, final X509Certificate[] peerCerts, final String principal)
        throws Exception {
    final boolean interCluster =
            requestEvalProvider.isInterClusterRequest(request, localCerts, peerCerts, principal);
    if (interCluster) {
        markInterClusterRequest(action, request);
    } else if (log.isTraceEnabled()) {
        log.trace("Is not an inter cluster request");
    }
    super.addAdditionalContextValues(action, request, localCerts, peerCerts, principal);
}

/**
 * Sets the same-cluster or trusted-cluster transient for a request already accepted as
 * inter-cluster. Both headers consulted here are read from the thread context; they are trusted
 * only because the certificate-based check in the caller has already passed.
 */
private void markInterClusterRequest(final String action, final TransportRequest request) {
    // Boolean.parseBoolean: only the literal "true" (case-insensitive) yields true.
    final boolean fromTransportNode = Boolean.parseBoolean(getThreadContext().getHeader("_sg_header_tn"));
    final boolean sameCluster = fromTransportNode
            || cs.getClusterName().value().equals(getThreadContext().getHeader("_sg_remotecn"));
    if (!sameCluster) {
        getThreadContext().putTransient(ConfigConstants.SG_SSL_TRANSPORT_TRUSTED_CLUSTER_REQUEST, Boolean.TRUE);
        return;
    }
    if (log.isTraceEnabled() && !action.startsWith("internal:")) {
        log.trace("Is inter cluster request ({}/{}/{})", action, request.getClass(), request.remoteAddress());
    }
    getThreadContext().putTransient(ConfigConstants.SG_SSL_TRANSPORT_INTERCLUSTER_REQUEST, Boolean.TRUE);
}
}
/**
 * Propagates origin, remote address and user into thread context headers without overwriting
 * headers that are already present.
 *
 * <ul>
 *   <li>{@code SG_ORIGIN_HEADER}: {@code origin} when it is non-empty, {@code Origin.LOCAL} when
 *       {@code origin} is {@code null}; an empty string writes nothing.</li>
 *   <li>{@code SG_REMOTE_ADDRESS_HEADER}: the Base64-serialized socket address, only when
 *       {@code remoteAdr} is a {@link TransportAddress}.</li>
 *   <li>{@code SG_USER_HEADER}: the Base64-serialized {@code origUser}, when non-null.</li>
 * </ul>
 *
 * <p>NOTE: a header that already exists is kept as-is and is not compared with the arguments; no
 * mismatch check is performed here.
 *
 * @param remoteAdr the caller's address, inspected only if it is a {@link TransportAddress}
 * @param origUser the originating user, may be {@code null}
 * @param origin the request origin, may be {@code null} or empty
 */
private void ensureCorrectHeaders(final Object remoteAdr, final User origUser, final String origin) {
    // Origin: a non-empty value is kept; null means local; empty is deliberately left alone.
    if (origin == null || !origin.isEmpty()) {
        final String originValue = origin == null ? Origin.LOCAL.toString() : origin;
        if (getThreadContext().getHeader(ConfigConstants.SG_ORIGIN_HEADER) == null) {
            getThreadContext().putHeader(ConfigConstants.SG_ORIGIN_HEADER, originValue);
        }
    }

    // Remote address: instanceof is false for null, so no separate null check is needed.
    if (remoteAdr instanceof TransportAddress
            && getThreadContext().getHeader(ConfigConstants.SG_REMOTE_ADDRESS_HEADER) == null) {
        getThreadContext().putHeader(ConfigConstants.SG_REMOTE_ADDRESS_HEADER,
                Base64Helper.serializeObject(((TransportAddress) remoteAdr).address()));
    }

    // User: serialized only when absent, so an existing header is never replaced.
    if (origUser != null
            && getThreadContext().getHeader(ConfigConstants.SG_USER_HEADER) == null) {
        getThreadContext().putHeader(ConfigConstants.SG_USER_HEADER, Base64Helper.serializeObject(origUser));
    }
}
/**
 * Resolves the effective user when the thread context carries an {@code sg_impersonate_as} header.
 *
 * @param tr the transport request (not read by this method)
 * @param origPKIuser the user authenticated from the client certificate
 * @return {@code null} when no impersonation header is set; otherwise a new {@link User} named after
 *     the header value
 * @throws ElasticsearchSecurityException if Search Guard is not initialized, {@code origPKIuser} is
 *     {@code null}, the target is an admin DN, impersonation is not allowed for the caller's DN, or
 *     the caller's name is not a valid LDAP name
 */
private User impersonate(final TransportRequest tr, final User origPKIuser) throws ElasticsearchSecurityException {
    final String impersonatedUser = threadPool.getThreadContext().getHeader("sg_impersonate_as");
    if (Strings.isNullOrEmpty(impersonatedUser)) {
        return null; // no impersonation requested
    }
    if (!isInitialized()) {
        throw new ElasticsearchSecurityException("Could not check for impersonation because Search Guard is not yet initialized");
    }
    if (origPKIuser == null) {
        throw new ElasticsearchSecurityException("no original PKI user found");
    }
    final String origName = origPKIuser.getName();
    // Admin identities can never be impersonated, regardless of the per-DN allow list.
    if (adminDns.isAdminDN(impersonatedUser)) {
        throw new ElasticsearchSecurityException("'" + origName + "' is not allowed to impersonate as an adminuser '" + impersonatedUser + "'");
    }
    try {
        // The allow list is keyed by the caller's certificate DN.
        final LdapName callerDn = new LdapName(origName);
        if (!adminDns.isTransportImpersonationAllowed(callerDn, impersonatedUser)) {
            throw new ElasticsearchSecurityException("'" + origName + "' is not allowed to impersonate as '" + impersonatedUser + "'");
        }
    } catch (final InvalidNameException e1) {
        throw new ElasticsearchSecurityException("PKI does not have a valid name ('" + origName + "'), should never happen", e1);
    }
    if (log.isDebugEnabled()) {
        log.debug("Impersonate from '{}' to '{}'", origName, impersonatedUser);
    }
    return new User(impersonatedUser);
}
final String authorizationHeader = threadPool.getThreadContext().getHeader("Authorization");
ThreadContext threadContext = threadPool.getThreadContext(); for (String key : taskHeaders) { String httpHeader = threadContext.getHeader(key); if (httpHeader != null) { headerSize += key.length() * 2 + httpHeader.length() * 2;
/**
 * Stores the initial action class in the thread context, but only if that header is absent.
 *
 * <p>{@code ConfigConstants.SG_INITIAL_ACTION_CLASS_HEADER} is never overwritten: whichever value
 * is written first stays for the rest of the request's thread context.
 *
 * @param initialActionClassValue value already carried in the thread context, or {@code null}
 * @param resolvedActionClass fallback value used when {@code initialActionClassValue} is {@code null}
 */
private void putInitialActionClassHeader(String initialActionClassValue, String resolvedActionClass) {
    final String headerName = ConfigConstants.SG_INITIAL_ACTION_CLASS_HEADER;
    if (getThreadContext().getHeader(headerName) != null) {
        return; // put-if-absent: an existing header value wins
    }
    // Prefer the value that was handed in; fall back to the locally resolved action class.
    final String value = initialActionClassValue == null ? resolvedActionClass : initialActionClassValue;
    getThreadContext().putHeader(headerName, value);
}
/**
 * Marks the thread context with the kind of inter-cluster request this is, then delegates to the
 * superclass.
 *
 * <p>Only requests that {@code requestEvalProvider.isInterClusterRequest} accepts (certificate and
 * principal based) are marked. Among those, a request whose {@code _sg_header_tn} header parses as
 * {@code true}, or whose {@code _sg_remotecn} header equals the local cluster name, receives the
 * {@code SG_SSL_TRANSPORT_INTERCLUSTER_REQUEST} transient; any other inter-cluster request receives
 * {@code SG_SSL_TRANSPORT_TRUSTED_CLUSTER_REQUEST}. Non-inter-cluster requests only produce a trace
 * log entry.
 *
 * @throws Exception whatever the superclass implementation throws
 */
@Override
protected void addAdditionalContextValues(final String action, final TransportRequest request,
        final X509Certificate[] localCerts, final X509Certificate[] peerCerts, final String principal)
        throws Exception {
    final boolean interCluster =
            requestEvalProvider.isInterClusterRequest(request, localCerts, peerCerts, principal);
    if (interCluster) {
        markInterClusterRequest(action, request);
    } else if (log.isTraceEnabled()) {
        log.trace("Is not an inter cluster request");
    }
    super.addAdditionalContextValues(action, request, localCerts, peerCerts, principal);
}

/**
 * Sets the same-cluster or trusted-cluster transient for a request already accepted as
 * inter-cluster. Both headers consulted here are read from the thread context; they are trusted
 * only because the certificate-based check in the caller has already passed.
 */
private void markInterClusterRequest(final String action, final TransportRequest request) {
    // Boolean.parseBoolean: only the literal "true" (case-insensitive) yields true.
    final boolean fromTransportNode = Boolean.parseBoolean(getThreadContext().getHeader("_sg_header_tn"));
    final boolean sameCluster = fromTransportNode
            || cs.getClusterName().value().equals(getThreadContext().getHeader("_sg_remotecn"));
    if (!sameCluster) {
        getThreadContext().putTransient(ConfigConstants.SG_SSL_TRANSPORT_TRUSTED_CLUSTER_REQUEST, Boolean.TRUE);
        return;
    }
    if (log.isTraceEnabled() && !action.startsWith("internal:")) {
        log.trace("Is inter cluster request ({}/{}/{})", action, request.getClass(), request.remoteAddress());
    }
    getThreadContext().putTransient(ConfigConstants.SG_SSL_TRANSPORT_INTERCLUSTER_REQUEST, Boolean.TRUE);
}
}
/**
 * Serializes a {@code SourceFieldsContext} for the request into the {@code _sg_source_field_context}
 * header, unless that header is already present.
 *
 * <p>Only {@link SearchRequest} and {@link GetRequest} instances for which
 * {@code SourceFieldsContext.isNeeded} returns {@code true} are handled; every other request leaves
 * the thread context untouched.
 *
 * @param request the action request being processed
 */
private void attachSourceFieldContext(ActionRequest request) {
    final String headerName = "_sg_source_field_context";
    final SourceFieldsContext sourceFieldsContext;
    if (request instanceof SearchRequest && SourceFieldsContext.isNeeded((SearchRequest) request)) {
        if (threadContext.getHeader(headerName) != null) {
            return; // already attached further up the call chain
        }
        sourceFieldsContext = new SourceFieldsContext((SearchRequest) request);
    } else if (request instanceof GetRequest && SourceFieldsContext.isNeeded((GetRequest) request)) {
        if (threadContext.getHeader(headerName) != null) {
            return; // already attached further up the call chain
        }
        sourceFieldsContext = new SourceFieldsContext((GetRequest) request);
    } else {
        return; // request type does not carry a source-field context
    }
    // NOTE(review): Base64Helper.serializeObject presumably uses Java serialization; the consumer
    // that reads this header back should accept only SourceFieldsContext — confirm on that side.
    threadContext.putHeader(headerName, Base64Helper.serializeObject(sourceFieldsContext));
}
/**
 * Checks the thread context seen while handling the pong: the ping header is visible, the pong
 * header is not, the transient is the same instance the test stored, and a temporary header is
 * written here so the test can verify it stays confined to the handler context.
 *
 * @param response the pong response; its message must be {@code "pong"}
 */
@Override
public void handleResponse(StringMessageResponse response) {
    assertEquals("pong", response.message);
    assertEquals("ping_user", threadPool.getThreadContext().getHeader("test.ping.user"));
    assertNull(threadPool.getThreadContext().getHeader("test.pong.user"));
    assertSame(context, threadPool.getThreadContext().getTransient("my_private_context"));
    // Written after the assertions so a failing check is not masked by the side effect.
    threadPool.getThreadContext().putHeader("some.temp.header", "booooom");
}
/**
 * Forwards the request through the wrapped sender, attaching the configured
 * {@code Authorization} header first when TCP authentication is enabled and the thread context does
 * not already carry one.
 *
 * <p>NOTE(review): an {@code Authorization} header already present in the thread context takes
 * precedence over the configured value — confirm that is the intended precedence.
 */
@Override
public <T extends TransportResponse> void sendRequest(Transport.Connection connection, String action,
        TransportRequest request, TransportRequestOptions options, TransportResponseHandler<T> handler) {
    final boolean tcpAuthEnabled = bucklerConfig.getAuthConfig().isEnabledForTcp();
    if (tcpAuthEnabled && threadContext.getHeader("Authorization") == null) {
        threadContext.putHeader("Authorization", bucklerConfig.getAuthConfig().getAuthorization());
    }
    sender.sendRequest(connection, action, request, options, handler);
}
}
/**
 * Propagates origin, remote address and user into thread context headers without overwriting
 * headers that are already present.
 *
 * <ul>
 *   <li>{@code SG_ORIGIN_HEADER}: {@code origin} when it is non-empty, {@code Origin.LOCAL} when
 *       {@code origin} is {@code null}; an empty string writes nothing.</li>
 *   <li>{@code SG_REMOTE_ADDRESS_HEADER}: the Base64-serialized socket address, only when
 *       {@code remoteAdr} is a {@link TransportAddress}.</li>
 *   <li>{@code SG_USER_HEADER}: the Base64-serialized {@code origUser}, when non-null.</li>
 * </ul>
 *
 * <p>NOTE: a header that already exists is kept as-is and is not compared with the arguments; no
 * mismatch check is performed here.
 *
 * @param remoteAdr the caller's address, inspected only if it is a {@link TransportAddress}
 * @param origUser the originating user, may be {@code null}
 * @param origin the request origin, may be {@code null} or empty
 */
private void ensureCorrectHeaders(final Object remoteAdr, final User origUser, final String origin) {
    // Origin: a non-empty value is kept; null means local; empty is deliberately left alone.
    if (origin == null || !origin.isEmpty()) {
        final String originValue = origin == null ? Origin.LOCAL.toString() : origin;
        if (getThreadContext().getHeader(ConfigConstants.SG_ORIGIN_HEADER) == null) {
            getThreadContext().putHeader(ConfigConstants.SG_ORIGIN_HEADER, originValue);
        }
    }

    // Remote address: instanceof is false for null, so no separate null check is needed.
    if (remoteAdr instanceof TransportAddress
            && getThreadContext().getHeader(ConfigConstants.SG_REMOTE_ADDRESS_HEADER) == null) {
        getThreadContext().putHeader(ConfigConstants.SG_REMOTE_ADDRESS_HEADER,
                Base64Helper.serializeObject(((TransportAddress) remoteAdr).address()));
    }

    // User: serialized only when absent, so an existing header is never replaced.
    if (origUser != null
            && getThreadContext().getHeader(ConfigConstants.SG_USER_HEADER) == null) {
        getThreadContext().putHeader(ConfigConstants.SG_USER_HEADER, Base64Helper.serializeObject(origUser));
    }
}
ThreadContext threadContext = threadPool.getThreadContext(); for (String key : taskHeaders) { String httpHeader = threadContext.getHeader(key); if (httpHeader != null) { headerSize += key.length() * 2 + httpHeader.length() * 2;
ThreadContext threadContext = threadPool.getThreadContext(); for (String key : taskHeaders) { String httpHeader = threadContext.getHeader(key); if (httpHeader != null) { headerSize += key.length() * 2 + httpHeader.length() * 2;
String authorization = threadContext.getHeader("Authorization");
public void testThreadContext() throws ExecutionException, InterruptedException { assertEquals("ping_user", threadPool.getThreadContext().getHeader("test.ping.user")); assertNull(threadPool.getThreadContext().getTransient("my_private_context")); try { assertEquals("ping_user", threadPool.getThreadContext().getHeader("test.ping.user")); assertSame(context, threadPool.getThreadContext().getTransient("my_private_context")); assertNull("this header is only visible in the handler context", threadPool.getThreadContext().getHeader("some.temp.header"));
/**
 * Resolves the effective user when the thread context carries an {@code sg_impersonate_as} header.
 *
 * @param tr the transport request (not read by this method)
 * @param origPKIuser the user authenticated from the client certificate
 * @return {@code null} when no impersonation header is set; otherwise a new {@link User} named after
 *     the header value
 * @throws ElasticsearchSecurityException if Search Guard is not initialized, {@code origPKIuser} is
 *     {@code null}, the target is an admin DN, impersonation is not allowed for the caller's DN, or
 *     the caller's name is not a valid LDAP name
 */
private User impersonate(final TransportRequest tr, final User origPKIuser) throws ElasticsearchSecurityException {
    final String impersonatedUser = threadPool.getThreadContext().getHeader("sg_impersonate_as");
    if (Strings.isNullOrEmpty(impersonatedUser)) {
        return null; // no impersonation requested
    }
    if (!isInitialized()) {
        throw new ElasticsearchSecurityException("Could not check for impersonation because Search Guard is not yet initialized");
    }
    if (origPKIuser == null) {
        throw new ElasticsearchSecurityException("no original PKI user found");
    }
    final String origName = origPKIuser.getName();
    // Admin identities can never be impersonated, regardless of the per-DN allow list.
    if (adminDns.isAdminDN(impersonatedUser)) {
        throw new ElasticsearchSecurityException("'" + origName + "' is not allowed to impersonate as an adminuser '" + impersonatedUser + "'");
    }
    try {
        // The allow list is keyed by the caller's certificate DN.
        final LdapName callerDn = new LdapName(origName);
        if (!adminDns.isTransportImpersonationAllowed(callerDn, impersonatedUser)) {
            throw new ElasticsearchSecurityException("'" + origName + "' is not allowed to impersonate as '" + impersonatedUser + "'");
        }
    } catch (final InvalidNameException e1) {
        throw new ElasticsearchSecurityException("PKI does not have a valid name ('" + origName + "'), should never happen", e1);
    }
    if (log.isDebugEnabled()) {
        log.debug("Impersonate from '{}' to '{}'", origName, impersonatedUser);
    }
    return new User(impersonatedUser);
}