Auditing requests with null indices (elastic/x-pack-elasticsearch#4016)

Adds null check. relates elastic/x-pack-elasticsearch#3988 Original commit: elastic/x-pack-elasticsearch@64bab62ca6
2018-03-11 13:13:14 +02:00 · 2018-03-11 13:13:14 +02:00 · d31d90d378
parent 8d68b03cb6
commit d31d90d378
2 changed files with 62 additions and 4 deletions
--- a/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java
+++ b/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java
@ -287,8 +287,8 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,

    @Override
    public void authenticationFailed(String realm, AuthenticationToken token, RestRequest request) {
-        if (events.contains(REALM_AUTHENTICATION_FAILED)
-                && filterPolicyPredicate.test(new AuditEventMetaInfo(Optional.of(token), Optional.of(realm), Optional.empty())) == false) {
+        if (events.contains(REALM_AUTHENTICATION_FAILED) && filterPolicyPredicate
+                .test(new AuditEventMetaInfo(Optional.of(token), Optional.of(realm), Optional.empty())) == false) {
            if (includeRequestBody) {
                logger.info("{}[rest] [realm_authentication_failed]\trealm=[{}], {}, principal=[{}], uri=[{}], request_body=[{}]",
                        localNodeInfo.prefix, realm, hostAttributes(request), token.principal(), request.uri(),
@ -514,7 +514,10 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,

    static Optional<String[]> indices(TransportMessage message) {
        if (message instanceof IndicesRequest) {
-            return Optional.ofNullable(((IndicesRequest) message).indices());
+            final String[] indices = ((IndicesRequest) message).indices();
+            if ((indices != null) && (indices.length != 0)) {
+                return Optional.of(((IndicesRequest) message).indices());
+            }
        }
        return Optional.empty();
    }
@ -546,7 +549,7 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
     * that will be ignored, aka filtered out, aka not logged. The event can be
     * filtered by the following fields : `user`, `realm`, `role` and `index`.
     * Predicates on each field are ANDed together to form the filter predicate of
-     * the policy.
+     * the policy. 
     */
    private static final class EventFilterPolicy {
        final String name;
--- a/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
+++ b/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
@ -48,6 +48,8 @@ import java.util.Map;

 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.not;
+import static org.hamcrest.Matchers.containsString;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;

@ -703,6 +705,59 @@ public class LoggingAuditTrailTests extends ESTestCase {
        assertEmptyLog(logger);
    }

+    public void testRequestsWithoutIndices() throws Exception {
+        final Logger logger = CapturingLogger.newCapturingLogger(Level.INFO);
+        final Settings allEventsSettings = Settings.builder()
+                .put(settings)
+                .put("xpack.security.audit.logfile.events.include", "_all")
+                .build();
+        final LoggingAuditTrail auditTrail = new LoggingAuditTrail(allEventsSettings, clusterService, logger, threadContext);
+        final User user = new User("_username", new String[] { "r1" });
+        final String role = randomAlphaOfLengthBetween(1, 6);
+        final String realm = randomAlphaOfLengthBetween(1, 6);
+        // transport messages without indices
+        final TransportMessage[] messages = new TransportMessage[] { new MockMessage(threadContext),
+                new org.elasticsearch.action.MockIndicesRequest(IndicesOptions.strictExpandOpenAndForbidClosed(), new String[0]),
+                new org.elasticsearch.action.MockIndicesRequest(IndicesOptions.strictExpandOpenAndForbidClosed(), (String[]) null) };
+        final List<String> output = CapturingLogger.output(logger.getName(), Level.INFO);
+        int logEntriesCount = 1;
+        for (final TransportMessage message : messages) {
+            auditTrail.anonymousAccessDenied("_action", message);
+            assertThat(output.size(), is(logEntriesCount++));
+            assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
+            auditTrail.authenticationFailed(new MockToken(), "_action", message);
+            assertThat(output.size(), is(logEntriesCount++));
+            assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
+            auditTrail.authenticationFailed("_action", message);
+            assertThat(output.size(), is(logEntriesCount++));
+            assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
+            auditTrail.authenticationFailed(realm, new MockToken(), "_action", message);
+            assertThat(output.size(), is(logEntriesCount++));
+            assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
+            auditTrail.accessGranted(user, "_action", message, new String[] { role });
+            assertThat(output.size(), is(logEntriesCount++));
+            assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
+            auditTrail.accessDenied(user, "_action", message, new String[] { role });
+            assertThat(output.size(), is(logEntriesCount++));
+            assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
+            auditTrail.tamperedRequest("_action", message);
+            assertThat(output.size(), is(logEntriesCount++));
+            assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
+            auditTrail.tamperedRequest(user, "_action", message);
+            assertThat(output.size(), is(logEntriesCount++));
+            assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
+            auditTrail.runAsGranted(user, "_action", message, new String[] { role });
+            assertThat(output.size(), is(logEntriesCount++));
+            assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
+            auditTrail.runAsDenied(user, "_action", message, new String[] { role });
+            assertThat(output.size(), is(logEntriesCount++));
+            assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
+            auditTrail.authenticationSuccess(realm, user, "_action", message);
+            assertThat(output.size(), is(logEntriesCount++));
+            assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
+        }
+    }
+
    private void assertMsg(Logger logger, Level level, String message) {
        final List<String> output = CapturingLogger.output(logger.getName(), level);
        assertThat(output.size(), is(1));