From ee73bc2f3fbf8a47d8e68f09dadccb92e5bc2fd9 Mon Sep 17 00:00:00 2001 From: Yogesh Gaikwad <902768+bizybot@users.noreply.github.com> Date: Fri, 7 Sep 2018 08:46:49 +1000 Subject: [PATCH] [SECURITY] Set Auth-scheme preference (#33156) Some browsers (eg. Firefox) behave differently when presented with multiple auth schemes in 'WWW-Authenticate' header. The expected behavior is that browser select the most secure auth-scheme before trying others, but Firefox selects the first presented auth scheme and tries the next ones sequentially. As the browser interpretation is something that we do not control, we can at least present the auth schemes in most to least secure order as the server's preference. This commit modifies the code to collect and sort the auth schemes presented by most to least secure. The priority of the auth schemes is fixed, the lower number denoting more secure auth-scheme. The current order of schemes based on the ES supported auth-scheme is [Negotiate, Bearer,Basic] and when we add future support for other schemes we will need to update the code. If need be we will make this configuration customizable in future. Unit test to verify the WWW-Authenticate header values are sorted by server preference as more secure to least secure auth schemes. Tested with Firefox, Chrome, Internet Explorer 11. Closes#32699 --- .../DefaultAuthenticationFailureHandler.java | 38 +++++++++++++++++-- ...aultAuthenticationFailureHandlerTests.java | 27 +++++++++++-- 2 files changed, 58 insertions(+), 7 deletions(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/DefaultAuthenticationFailureHandler.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/DefaultAuthenticationFailureHandler.java index d6f678a2dcb..736b9378e38 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/DefaultAuthenticationFailureHandler.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/DefaultAuthenticationFailureHandler.java @@ -12,9 +12,11 @@ import org.elasticsearch.rest.RestStatus; import org.elasticsearch.transport.TransportMessage; import org.elasticsearch.xpack.core.XPackField; +import java.util.ArrayList; import java.util.Collections; import java.util.List; import java.util.Map; +import java.util.stream.Collectors; import static org.elasticsearch.xpack.core.security.support.Exceptions.authenticationError; @@ -44,12 +46,42 @@ public class DefaultAuthenticationFailureHandler implements AuthenticationFailur * be sent as failure response. * @see Realm#getAuthenticationFailureHeaders() */ - public DefaultAuthenticationFailureHandler(Map> failureResponseHeaders) { + public DefaultAuthenticationFailureHandler(final Map> failureResponseHeaders) { if (failureResponseHeaders == null || failureResponseHeaders.isEmpty()) { - failureResponseHeaders = Collections.singletonMap("WWW-Authenticate", + this.defaultFailureResponseHeaders = Collections.singletonMap("WWW-Authenticate", Collections.singletonList("Basic realm=\"" + XPackField.SECURITY + "\" charset=\"UTF-8\"")); + } else { + this.defaultFailureResponseHeaders = Collections.unmodifiableMap(failureResponseHeaders.entrySet().stream().collect(Collectors + .toMap(entry -> entry.getKey(), entry -> { + if (entry.getKey().equalsIgnoreCase("WWW-Authenticate")) { + List values = new ArrayList<>(entry.getValue()); + Collections.sort(values, (o1, o2) -> authSchemePriority(o1).compareTo(authSchemePriority(o2))); + return Collections.unmodifiableList(values); + } else { + return Collections.unmodifiableList(entry.getValue()); + } + }))); + } + } + + /** + * For given 'WWW-Authenticate' header value returns the priority based on + * the auth-scheme. Lower number denotes more secure and preferred + * auth-scheme than the higher number. + * + * @param headerValue string starting with auth-scheme name + * @return integer value denoting priority for given auth scheme. + */ + private static Integer authSchemePriority(final String headerValue) { + if (headerValue.regionMatches(true, 0, "negotiate", 0, "negotiate".length())) { + return 0; + } else if (headerValue.regionMatches(true, 0, "bearer", 0, "bearer".length())) { + return 1; + } else if (headerValue.regionMatches(true, 0, "basic", 0, "basic".length())) { + return 2; + } else { + return 3; } - this.defaultFailureResponseHeaders = Collections.unmodifiableMap(failureResponseHeaders); } @Override diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/DefaultAuthenticationFailureHandlerTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/DefaultAuthenticationFailureHandlerTests.java index 2598461c372..15593f0b82e 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/DefaultAuthenticationFailureHandlerTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/DefaultAuthenticationFailureHandlerTests.java @@ -50,7 +50,7 @@ public class DefaultAuthenticationFailureHandlerTests extends ESTestCase { if (testDefault) { assertWWWAuthenticateWithSchemes(ese, basicAuthScheme); } else { - assertWWWAuthenticateWithSchemes(ese, basicAuthScheme, bearerAuthScheme); + assertWWWAuthenticateWithSchemes(ese, bearerAuthScheme, basicAuthScheme); } } @@ -83,12 +83,12 @@ public class DefaultAuthenticationFailureHandlerTests extends ESTestCase { assertThat(ese.getHeader("WWW-Authenticate"), is(notNullValue())); assertThat(ese, is(sameInstance(cause))); if (withAuthenticateHeader == false) { - assertWWWAuthenticateWithSchemes(ese, basicAuthScheme, bearerAuthScheme, negotiateAuthScheme); + assertWWWAuthenticateWithSchemes(ese, negotiateAuthScheme, bearerAuthScheme, basicAuthScheme); } else { if (selectedScheme.contains("Negotiate ")) { assertWWWAuthenticateWithSchemes(ese, selectedScheme); } else { - assertWWWAuthenticateWithSchemes(ese, basicAuthScheme, bearerAuthScheme, negotiateAuthScheme); + assertWWWAuthenticateWithSchemes(ese, negotiateAuthScheme, bearerAuthScheme, basicAuthScheme); } } assertThat(ese.getMessage(), equalTo("unauthorized")); @@ -102,11 +102,30 @@ public class DefaultAuthenticationFailureHandlerTests extends ESTestCase { assertThat(ese, is(notNullValue())); assertThat(ese.getHeader("WWW-Authenticate"), is(notNullValue())); assertThat(ese.getMessage(), equalTo("error attempting to authenticate request")); - assertWWWAuthenticateWithSchemes(ese, basicAuthScheme, bearerAuthScheme, negotiateAuthScheme); + assertWWWAuthenticateWithSchemes(ese, negotiateAuthScheme, bearerAuthScheme, basicAuthScheme); } } + public void testSortsWWWAuthenticateHeaderValues() { + final String basicAuthScheme = "Basic realm=\"" + XPackField.SECURITY + "\" charset=\"UTF-8\""; + final String bearerAuthScheme = "Bearer realm=\"" + XPackField.SECURITY + "\""; + final String negotiateAuthScheme = randomFrom("Negotiate", "Negotiate Ijoijksdk"); + final Map> failureResponeHeaders = new HashMap<>(); + final List supportedSchemes = Arrays.asList(basicAuthScheme, bearerAuthScheme, negotiateAuthScheme); + Collections.shuffle(supportedSchemes, random()); + failureResponeHeaders.put("WWW-Authenticate", supportedSchemes); + final DefaultAuthenticationFailureHandler failuerHandler = new DefaultAuthenticationFailureHandler(failureResponeHeaders); + + final ElasticsearchSecurityException ese = failuerHandler.exceptionProcessingRequest(Mockito.mock(RestRequest.class), null, + new ThreadContext(Settings.builder().build())); + + assertThat(ese, is(notNullValue())); + assertThat(ese.getHeader("WWW-Authenticate"), is(notNullValue())); + assertThat(ese.getMessage(), equalTo("error attempting to authenticate request")); + assertWWWAuthenticateWithSchemes(ese, negotiateAuthScheme, bearerAuthScheme, basicAuthScheme); + } + private void assertWWWAuthenticateWithSchemes(final ElasticsearchSecurityException ese, final String... schemes) { assertThat(ese.getHeader("WWW-Authenticate").size(), is(schemes.length)); assertThat(ese.getHeader("WWW-Authenticate"), contains(schemes));