Use BytesRestResponse constructor with contentType in asRestResponse #3717
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
shikharj05
reviewed
Nov 15, 2023
src/main/java/org/opensearch/security/filter/SecurityResponse.java
Outdated
Show resolved
Hide resolved
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
cwperks
requested review from
cliu123,
DarshitChanpura,
davidlago,
peternied,
RyanL1997,
stephen-crawford,
reta and
willyborankin
as code owners
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #3717 +/- ##
==========================================
+ Coverage 64.88% 66.26% +1.37%
==========================================
Files 292 292
Lines 20776 20806 +30
Branches 3409 3411 +2
==========================================
+ Hits 13481 13787 +306
+ Misses 5606 5318 -288
- Partials 1689 1701 +12
|
70 tasks
peternied
reviewed
Nov 15, 2023
|
@peternied @DarshitChanpura is working on adding tests to this PR that will fail if the response does not have the expected content-type (from before 2.11). @scrawfor99 is working on cataloging APIs or different scenarios where the content-type of the response object changed in 2.11 from prior versions. The issue to track that is #3718 |
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Add Security response tests
|
I added some tests for Craig's fix. I noted on my merge to Craig's branch but will note here too: There is a known failing test I marked. I do not like that we don't pick a standard default type and would like us to do so. I would pick JSON and that is what I wrote the test for, but I can be overruled to use a different type or keep the behavior in the split way it is now. Edit: I cleaned it so the test passes but I am still grumpy about it and wish it was standard. |
cwperks
commented
Nov 15, 2023
src/test/java/org/opensearch/security/filter/SecurityResponseTests.java
Outdated
Show resolved
Hide resolved
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Craig Perkins <cwperx@amazon.com>
stephen-crawford
previously approved these changes
Nov 16, 2023
src/test/java/org/opensearch/security/filter/SecurityResponseTests.java
Outdated
Show resolved
Hide resolved
src/test/java/org/opensearch/security/filter/SecurityResponseTests.java
Outdated
Show resolved
Hide resolved
cwperks
dismissed stale reviews from DarshitChanpura and stephen-crawford
via
90255b7
…ests.java Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> Signed-off-by: Craig Perkins <craig5008@gmail.com>
…ests.java Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> Signed-off-by: Craig Perkins <craig5008@gmail.com>
stephen-crawford
approved these changes
Nov 16, 2023
cwperks
added
backport 2.x
DarshitChanpura
approved these changes
Nov 16, 2023
|
The backport to To backport manually, run these commands in your terminal: # Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.x
# Create a new branch
git switch --create backport/backport-3717-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 b7f47b1f516bee03a7dfaeec3a9133e4eafa3a73
# Push it to GitHub
git push --set-upstream origin backport/backport-3717-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.xThen, create a pull request where the |
|
The backport to To backport manually, run these commands in your terminal: # Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.11 2.11
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.11
# Create a new branch
git switch --create backport/backport-3717-to-2.11
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 b7f47b1f516bee03a7dfaeec3a9133e4eafa3a73
# Push it to GitHub
git push --set-upstream origin backport/backport-3717-to-2.11
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.11Then, create a pull request where the |
cwperks
added a commit
to cwperks/security
that referenced
this pull request
Nov 16, 2023
…pensearch-project#3717) Modifies `SecurityResponse.asRestResponse` to use the corresponding constructor for `BytesRestResponse` if the `SecurityResponse` contains the content-type header. This adds a test that fails before the change and demonstrates how using the constructor of BytesRestResponse without content-type defaults to text/plain --------- Signed-off-by: Craig Perkins <cwperx@amazon.com> Signed-off-by: Stephen Crawford <steecraw@amazon.com> Signed-off-by: Craig Perkins <craig5008@gmail.com> Co-authored-by: Stephen Crawford <steecraw@amazon.com> Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> (cherry picked from commit b7f47b1)
kumjiten
reviewed
Nov 16, 2023
| final String negotiateResponseBody = getNegotiateResponseBody(); | ||
| if (negotiateResponseBody != null) { | ||
| responseBody = negotiateResponseBody; | ||
| headers.putAll(SecurityResponse.CONTENT_TYPE_APP_JSON); | ||
| contentType = XContentType.JSON.mediaType(); |
There was a problem hiding this comment.
We should understand who populates the header if we explicitly don't populate here?
| this.body = body; | ||
| this.contentType = contentType; |
| if (getHeaders() != null) { | ||
| getHeaders().forEach(restResponse::addHeader); | ||
| getHeaders().entrySet().forEach(entry -> { entry.getValue().forEach(value -> restResponse.addHeader(entry.getKey(), value)); }); |
There was a problem hiding this comment.
we should understand why the header approach was not working and which part of the code is populating the content type header now?
cwperks
added a commit
to cwperks/security
that referenced
this pull request
Nov 16, 2023
…pensearch-project#3717) Modifies `SecurityResponse.asRestResponse` to use the corresponding constructor for `BytesRestResponse` if the `SecurityResponse` contains the content-type header. This adds a test that fails before the change and demonstrates how using the constructor of BytesRestResponse without content-type defaults to text/plain --------- Signed-off-by: Craig Perkins <cwperx@amazon.com> Signed-off-by: Stephen Crawford <steecraw@amazon.com> Signed-off-by: Craig Perkins <craig5008@gmail.com> Co-authored-by: Stephen Crawford <steecraw@amazon.com> Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> (cherry picked from commit b7f47b1)
peternied
pushed a commit
to peternied/security
that referenced
this pull request
Nov 21, 2023
… asRestResponse (opensearch-project#3717) (opensearch-project#3721) Backport opensearch-project#3717 to 2.11 Signed-off-by: Craig Perkins <cwperx@amazon.com>
3 tasks
willyborankin
pushed a commit
that referenced
this pull request
Nov 27, 2023
…requests (#3418) (#3675) ### Description Includes: - Backport f7c47af of #3418 - Backport 2dab119 of #3717 - Backport f27dee2 of #3583 --- Previously unauthorized requests were fully processed and rejected once they reached the RestHandler. This allocations more memory and resources for these requests that might not be useful if they are already detected as unauthorized. Using the headerVerifer and decompressor customization from [1], perform an early authorization check when only the headers are available, save an 'early response' for transmission and do not perform the decompression on the request to speed up closing out the connection. ```mermaid graph TD oA["Receive Request Headers<br>(Orginal)"] --> oB[Decompress Request] oB --> oC[RestHandler] oC --> osrf[Intercept Request] subgraph sp[Security Plugin] osrf --> oD[Check Authorization] oD --> oE{Authorized?} oE -->|Yes| oF[Process and Respond] oE -->|No| oG[Reject Request] end oF --> oH[Forward to Request Handler] H["Receive Request Headers<br>(Updated)"] --> I[HeaderVerifier] subgraph nsp[Security Plugin] I --> J{Authorized?} J -->|Yes| K[Decompress Request] J -->|No| N[Save Early Response] end K --> L[RestHandler] N --> L L --> M[Intercept Request] subgraph n2sp[Security Plugin] M --> n2D["Check Authorization<br>(Cached)"] n2D --> nE{Authorized?} nE -->|Yes| nF[Process and Respond] nE -->|No| nG[Reject Request] end nF --> nH[Forward to Request Handler] class oA,oB old; class H,I,K,N,n2D new; classDef old fill:#f9d0c4,stroke:#f28b82; classDef new fill:#cfe8fc,stroke:#68a9ef; ``` ### Issues Resolved - Related #3559 ### Check List - [X] New functionality includes testing - [ ] ~New functionality has been documented~ - [X] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). --------- Signed-off-by: Peter Nied <petern@amazon.com> Signed-off-by: Craig Perkins <cwperx@amazon.com> Signed-off-by: Craig Perkins <craig5008@gmail.com> Signed-off-by: Peter Nied <peternied@hotmail.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Signed-off-by: Darshit Chanpura <dchanp@amazon.com> Co-authored-by: Craig Perkins <cwperx@amazon.com> Co-authored-by: opensearch-trigger-bot[bot] <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Darshit Chanpura <dchanp@amazon.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Modifies
SecurityResponse.asRestResponseto use the corresponding constructor forBytesRestResponseif theSecurityResponsecontains the content-type header. This adds a test that fails before the change and demonstrates how using the constructor of BytesRestResponse without content-type defaults to text/plainBug fix
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.