From 7b3b2d5f02554f3a4fa2f59e1f0b042afe2943b4 Mon Sep 17 00:00:00 2001
From: Tim Brooks
Date: Fri, 30 Jun 2017 14:19:49 -0500
Subject: [PATCH] Localhost check: check if addr bound to interface (elastic/x-pack-elasticsearch#1901)

This is related to elastic/x-pack-elasticsearch#1217 and elastic/x-pack-elasticsearch#1896. Right now we are checking if an incoming address is the loopback address or a special local addres. It appears that we also need to check if that address is bound to a network interface to be thorough in our localhost check. This change mimicks how we check if localhost in `PatternRule`.

Original commit: elastic/x-pack-elasticsearch@a8947d6174cdca8312c1638bb07b375c4b652aa5
---
 .../xpack/security/authc/esnative/ReservedRealm.java | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java
index 1192cbadf07..aae18d0976a 100644
--- a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java
+++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.java
@@ -32,6 +32,8 @@ import org.elasticsearch.xpack.security.user.LogstashSystemUser;
 import org.elasticsearch.xpack.security.user.User;
 
 import java.net.InetAddress;
+import java.net.NetworkInterface;
+import java.net.SocketException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -78,7 +80,15 @@ public class ReservedRealm extends CachingUsernamePasswordRealm {
             doAuthenticate(token, listener, false);
         } else {
             InetAddress address = incomingRequest.getRemoteAddress().getAddress();
-            doAuthenticate(token, listener, address.isAnyLocalAddress() || address.isLoopbackAddress());
+
+            try {
+                // This checks if the address is the loopback address or if it is bound to one of this machine's
+                // network interfaces. This is because we want to allow requests that originate from this machine.
+                final boolean isLocalMachine = address.isLoopbackAddress() || NetworkInterface.getByInetAddress(address) != null;
+                doAuthenticate(token, listener, isLocalMachine);
+            } catch (SocketException e) {
+                listener.onFailure(Exceptions.authenticationError("failed to authenticate user [{}]", e, token.principal()));
+            }
         }
     }
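Review bot: The new `isLocalMachine` test treats "the peer's source address is bound on one of this host's interfaces" as "the request originates from this machine", which widens the trusted set from loopback to every address the node is bound on and also matches connections relayed by a proxy or sidecar running on the same host; since that flag relaxes whatever `doAuthenticate` does for local callers (its meaning is outside this hunk), the trust boundary should be stated in the comment above the check, e.g. `// NOTE: any peer whose source address is bound on this host is treated as local, including traffic relayed by a same-host proxy or load balancer.` The old `address.isAnyLocalAddress()` term is dropped without being mentioned in the description; if dropping the wildcard-address case is intentional, say so in the commit message or the comment. `NetworkInterface.getByInetAddress` enumerates the host's interfaces on every call and, because of the short-circuit, runs for every non-loopback request that reaches this realm, so either cache the set of locally bound addresses or add a comment explaining why a fresh lookup per request is required. The enclosing `authenticate` method begins before this hunk, so the `if` branch that pairs with this `else` is not visible here.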