Skip to content

Do not swallow I/O exception getting authentication #44398

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Jul 16, 2019
Merged

Do not swallow I/O exception getting authentication #44398

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
a022cd5
Do not swallow I/O exception getting authentication
jasontedor Jul 16, 2019
7d05b8f
Remove unneeded throws declaration
jasontedor Jul 16, 2019
1d7a6b8
Add comment
jasontedor Jul 16, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 3 additions & 4 deletions x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityContext.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,8 @@
*/
package org.elasticsearch.xpack.core.security;

import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.Version;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
Expand All @@ -17,6 +17,7 @@
import org.elasticsearch.xpack.core.security.user.User;

import java.io.IOException;
import java.io.UncheckedIOException;
import java.util.Collections;
import java.util.Objects;
import java.util.function.Consumer;
Expand Down Expand Up @@ -53,10 +54,8 @@ public Authentication getAuthentication() {
try {
return Authentication.readFromContext(threadContext);
} catch (IOException e) {
// TODO: this seems bogus, the only way to get an ioexception here is from a corrupt or tampered
// auth header, which should be be audited?
logger.error("failed to read authentication", e);
return null;
throw new UncheckedIOException(e);
}
}

Expand Down
13 changes: 13 additions & 0 deletions .../plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityContextTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,13 +15,18 @@
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.Authentication.AuthenticationType;
import org.elasticsearch.xpack.core.security.authc.Authentication.RealmRef;
import org.elasticsearch.xpack.core.security.authc.AuthenticationField;
import org.elasticsearch.xpack.core.security.user.SystemUser;
import org.elasticsearch.xpack.core.security.user.User;
import org.junit.Before;

import java.io.EOFException;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.util.concurrent.atomic.AtomicReference;

import static org.hamcrest.Matchers.instanceOf;

public class SecurityContextTests extends ESTestCase {

private Settings settings;
Expand Down Expand Up @@ -51,6 +56,14 @@ public void testGetAuthenticationAndUser() throws IOException {
assertEquals(user, securityContext.getUser());
}

public void testGetAuthenticationDoesNotSwallowIOException() {
threadContext.putHeader(AuthenticationField.AUTHENTICATION_KEY, ""); // an intentionally corrupt header
final SecurityContext securityContext = new SecurityContext(Settings.EMPTY, threadContext);
final UncheckedIOException e = expectThrows(UncheckedIOException.class, securityContext::getAuthentication);
assertNotNull(e.getCause());
assertThat(e.getCause(), instanceOf(EOFException.class));
}

public void testSetUser() {
final User user = new User("test");
assertNull(securityContext.getAuthentication());
Expand Down