/**
 * Reports whether the current request carries the transient that marks it as a
 * trusted-cluster transport request.
 *
 * <p>Only an exact {@code Boolean.TRUE} in the
 * {@code SG_SSL_TRANSPORT_TRUSTED_CLUSTER_REQUEST} transient counts; a missing
 * transient or any other value yields {@code false}, so the safe default is
 * "not trusted". Presumably the SSL transport layer is the only writer of this
 * transient — verify that nothing reachable by a client can set it.
 *
 * @param context thread context of the request being evaluated
 * @return {@code true} only when the transient is {@code Boolean.TRUE}
 */
public static boolean isTrustedClusterRequest(final ThreadContext context) {
    final Object flag = context.getTransient(ConfigConstants.SG_SSL_TRANSPORT_TRUSTED_CLUSTER_REQUEST);
    return Boolean.TRUE == flag;
}
}
/**
 * Reports whether the current request carries the transient that marks it as an
 * inter-cluster (node-to-node) transport request.
 *
 * <p>Only an exact {@code Boolean.TRUE} in the
 * {@code SG_SSL_TRANSPORT_INTERCLUSTER_REQUEST} transient counts; absent or any
 * other value means {@code false}. Presumably only the SSL transport layer sets
 * this after verifying the peer certificate — confirm no client path can inject it.
 *
 * @param context thread context of the request being evaluated
 * @return {@code true} only when the transient is {@code Boolean.TRUE}
 */
public static boolean isInterClusterRequest(final ThreadContext context) {
    final Object flag = context.getTransient(ConfigConstants.SG_SSL_TRANSPORT_INTERCLUSTER_REQUEST);
    return Boolean.TRUE == flag;
}
/**
 * A request is considered "direct" when the {@code SG_CHANNEL_TYPE} transient is the
 * literal string {@code "direct"} or is absent altogether.
 *
 * <p>NOTE(review): the absent-transient case resolves to {@code true}, i.e. the
 * permissive answer. Any caller that relaxes a check based on this result should be
 * sure the transient is always populated for non-direct channels.
 *
 * @param context thread context of the request being evaluated
 * @return {@code true} when the channel type is {@code "direct"} or unset
 */
public static boolean isDirectRequest(final ThreadContext context) {
    final Object channelType = context.getTransient(ConfigConstants.SG_CHANNEL_TYPE);
    return channelType == null || "direct".equals(channelType);
}
/**
 * True when the calling user is a configured admin or the request carries the
 * internal configuration-request header with the value {@code "true"}.
 *
 * <p>The user is read from the {@code SG_USER} transient and checked via
 * {@code adminDns.isAdmin}; the header is read through
 * {@code HeaderHelper.getSafeFromHeader}. NOTE(review): this relies on
 * getSafeFromHeader only surfacing the header when it can be trusted (e.g. for
 * node-to-node requests). If a client-supplied header could reach this check, the
 * second branch would let any caller claim internal status — verify against
 * HeaderHelper.
 *
 * @return {@code true} for an admin user or an internal configuration request
 */
protected final boolean isAdminAuthenticatedOrInternalRequest() {
    final User user = (User) threadContext.getTransient(ConfigConstants.SG_USER);
    if (user != null && adminDns.isAdmin(user)) {
        return true;
    }
    final Object confHeader = HeaderHelper.getSafeFromHeader(threadContext, ConfigConstants.SG_CONF_REQUEST_HEADER);
    return "true".equals(confHeader);
}
@Override public AuthCredentials extractCredentials(final RestRequest request, final ThreadContext threadContext) { final String principal = threadContext.getTransient(ConfigConstants.SG_SSL_PRINCIPAL);
final User user0 = getThreadContext().getTransient(ConfigConstants.SG_USER); final String origin0 = getThreadContext().getTransient(ConfigConstants.SG_ORIGIN); final Object remoteAdress0 = getThreadContext().getTransient(ConfigConstants.SG_REMOTE_ADDRESS);
if(threadContext.getTransient(ConfigConstants.SG_XFF_DONE) == Boolean.TRUE) { log.trace("xff resolved {} to {}", request.getRemoteAddress(), isa); } else {
@Override protected void doExecute(WhoAmIRequest request, ActionListener<WhoAmIResponse> listener) { final User user = threadPool.getThreadContext().getTransient(ConfigConstants.SG_USER); final String dn = user==null?threadPool.getThreadContext().getTransient(ConfigConstants.SG_SSL_TRANSPORT_PRINCIPAL):user.getName(); final boolean isAdmin = adminDNs.isAdminDN(dn); final boolean isAuthenticated = isAdmin?true: user != null; final boolean isNodeCertificateRequest = HeaderHelper.isInterClusterRequest(threadPool.getThreadContext()) || HeaderHelper.isTrustedClusterRequest(threadPool.getThreadContext()); listener.onResponse(new WhoAmIResponse(dn, isAdmin, isAuthenticated, isNodeCertificateRequest)); } }
String injectedUserString = threadPool.getThreadContext().getTransient(ConfigConstants.SG_INJECTED_USER);
final User user = (User)threadContext.getTransient(ConfigConstants.SG_USER); final TransportAddress remoteAddress = (TransportAddress) threadContext.getTransient(ConfigConstants.SG_REMOTE_ADDRESS);
final User user = (User)threadContext.getTransient(ConfigConstants.SG_USER);
final TransportAddress caller = Objects.requireNonNull((TransportAddress) this.threadContext.getTransient(ConfigConstants.SG_REMOTE_ADDRESS)); final SgRoles sgRoles = getSgRoles(user, caller);
final X509Certificate[] certs = threadContext.getTransient(ConfigConstants.SG_SSL_PEER_CERTIFICATES); final User user = (User)threadContext.getTransient(ConfigConstants.SG_USER); final TransportAddress remoteAddress = (TransportAddress) threadContext.getTransient(ConfigConstants.SG_REMOTE_ADDRESS); builder.field("sg_roles", evaluator.mapSgRoles(user, remoteAddress)); builder.field("sg_tenants", evaluator.mapTenants(user, remoteAddress)); builder.field("principal", (String)threadContext.getTransient(ConfigConstants.SG_SSL_PRINCIPAL)); builder.field("peer_certificates", certs != null && certs.length > 0 ? certs.length + "" : "0"); builder.field("sso_logout_url", (String)threadContext.getTransient(ConfigConstants.SSO_LOGOUT_URL));
/**
 * Proxy-style authenticator: takes the user name (and optionally backend roles) from
 * request headers whose names come from the {@code user_header} / {@code roles_header}
 * settings, splitting roles on {@code roles_separator} (default {@code ","}).
 *
 * <p>Security note: these headers are only meaningful when set by a trusted reverse
 * proxy, which is why the method refuses to run until X-Forwarded-For processing has
 * completed ({@code SG_XFF_DONE} transient is {@code Boolean.TRUE}). That earlier step
 * is presumably where the proxy address is validated — this method does not inspect
 * the remote address itself.
 *
 * @param request the REST request whose headers are read
 * @param context thread context carrying the XFF-done marker
 * @return completed credentials built from the headers, or {@code null} (the caller
 *         treats this as "send 401") when the user header is absent or empty
 * @throws ElasticsearchSecurityException if XFF resolution has not run yet
 */
@Override
public AuthCredentials extractCredentials(final RestRequest request, ThreadContext context) {
    if (context.getTransient(ConfigConstants.SG_XFF_DONE) != Boolean.TRUE) {
        throw new ElasticsearchSecurityException("xff not done");
    }

    final String userHeader = settings.get("user_header");
    final String rolesHeader = settings.get("roles_header");
    final String rolesSeparator = settings.get("roles_separator", ",");

    if (log.isDebugEnabled()) {
        log.debug("headers {}", request.getHeaders());
        log.debug("userHeader {}, value {}", userHeader, userHeader == null ? null : request.header(userHeader));
        log.debug("rolesHeader {}, value {}", rolesHeader, rolesHeader == null ? null : request.header(rolesHeader));
    }

    // Without a configured, non-empty user header there is nothing to authenticate.
    final String userValue = Strings.isNullOrEmpty(userHeader) ? null : (String) request.header(userHeader);
    if (Strings.isNullOrEmpty(userValue)) {
        if (log.isTraceEnabled()) {
            log.trace("No '{}' header, send 401", userHeader);
        }
        return null;
    }

    String[] backendRoles = null;
    final String rolesValue = Strings.isNullOrEmpty(rolesHeader) ? null : (String) request.header(rolesHeader);
    if (!Strings.isNullOrEmpty(rolesValue)) {
        // NOTE(review): String.split treats rolesSeparator as a regular expression, so a
        // separator such as "|" or "." would split on every character. Consider
        // Pattern.quote if operators are not expected to supply a regex here.
        backendRoles = rolesValue.split(rolesSeparator);
    }
    return new AuthCredentials(userValue, backendRoles).markComplete();
}
if(threadContext.getTransient(ConfigConstants.SG_ORIGIN) == null) { threadContext.putTransient(ConfigConstants.SG_ORIGIN, Origin.LOCAL.toString()); final User user = threadContext.getTransient(ConfigConstants.SG_USER); final boolean userIsAdmin = isUserAdmin(user, adminDns); final boolean interClusterRequest = HeaderHelper.isInterClusterRequest(threadContext); +"origin="+threadContext.getTransient(ConfigConstants.SG_ORIGIN)+"/directRequest="+HeaderHelper.isDirectRequest(threadContext)+"/remoteAddress="+request.remoteAddress()); +"origin="+threadContext.getTransient(ConfigConstants.SG_ORIGIN)+"/directRequest="+HeaderHelper.isDirectRequest(threadContext)+"/remoteAddress="+request.remoteAddress()+" "+threadContext.getHeaders().entrySet().stream().filter(p->!p.getKey().startsWith("_sg_trace")).collect(Collectors.toMap(p -> p.getKey(), p -> p.getValue()))); if(Origin.LOCAL.toString().equals(threadContext.getTransient(ConfigConstants.SG_ORIGIN)) && (interClusterRequest || HeaderHelper.isDirectRequest(threadContext)) ) { log.error("No user found for "+ action+" from "+request.remoteAddress()+" "+threadContext.getTransient(ConfigConstants.SG_ORIGIN)+" via "+threadContext.getTransient(ConfigConstants.SG_CHANNEL_TYPE)+" "+threadContext.getHeaders()); listener.onFailure(new ElasticsearchSecurityException("No user found for "+action, RestStatus.INTERNAL_SERVER_ERROR)); return;
final String sslPrincipal = (String) threadPool.getThreadContext().getTransient(ConfigConstants.SG_SSL_PRINCIPAL);
if ((principal = getThreadContext().getTransient(ConfigConstants.SG_SSL_TRANSPORT_PRINCIPAL)) == null) { Exception ex = new ElasticsearchSecurityException( "No SSL client certificates found for transport type "+transportChannel.getChannelType()+". Search Guard needs the Search Guard SSL plugin to be installed"); } else { if(getThreadContext().getTransient(ConfigConstants.SG_ORIGIN) == null) { getThreadContext().putTransient(ConfigConstants.SG_ORIGIN, Origin.TRANSPORT.toString()); log.error("Cannot authenticate {} for {}", getThreadContext().getTransient(ConfigConstants.SG_USER), task.getAction()); transportChannel.sendResponse(new ElasticsearchSecurityException("Cannot authenticate "+getThreadContext().getTransient(ConfigConstants.SG_USER))); return; } else {
} else { org.apache.logging.log4j.ThreadContext.put("user", ((User)threadContext.getTransient(ConfigConstants.SG_USER)).getName());
/**
 * True when the calling user is a configured admin or the request carries the
 * internal configuration-request header with the value {@code "true"}.
 *
 * <p>The user is read from the {@code SG_USER} transient and checked via
 * {@code adminDns.isAdmin}; the header is read through
 * {@code HeaderHelper.getSafeFromHeader}. NOTE(review): this relies on
 * getSafeFromHeader only surfacing the header when it can be trusted (e.g. for
 * node-to-node requests). If a client-supplied header could reach this check, the
 * second branch would let any caller claim internal status — verify against
 * HeaderHelper.
 *
 * @return {@code true} for an admin user or an internal configuration request
 */
protected final boolean isAdminAuthenticatedOrInternalRequest() {
    final User user = (User) threadContext.getTransient(ConfigConstants.SG_USER);
    if (user != null && adminDns.isAdmin(user)) {
        return true;
    }
    final Object confHeader = HeaderHelper.getSafeFromHeader(threadContext, ConfigConstants.SG_CONF_REQUEST_HEADER);
    return "true".equals(confHeader);
}
/**
 * Runs a conditional write, resolving the Cassandra {@code ClientState} from the
 * thread context before delegating to the overload that takes it explicitly.
 *
 * <p>The state is looked up under the {@code "_client_state"} transient.
 * NOTE(review): when it is absent the call falls back to
 * {@code ClientState.forInternalCalls()}, which presumably bypasses per-user
 * authorization. Make sure every externally-originated path populates the transient,
 * otherwise such writes would run with internal privileges.
 *
 * @param cl       consistency level for the write
 * @param serialCl serial consistency level for the conditional part
 * @param query    the CQL statement
 * @param values   bind values for the statement
 * @return whatever the delegate overload returns
 */
public boolean processWriteConditional(final ConsistencyLevel cl, final ConsistencyLevel serialCl, final String query, Object... values) {
    ClientState state = this.threadPool.getThreadContext().getTransient("_client_state");
    if (state == null) {
        state = ClientState.forInternalCalls();
    }
    return processWriteConditional(cl, serialCl, state, query, values);
}