honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

update security rest filter 

Original commit: elastic/x-pack-elasticsearch@9a4f0bc184
This commit is contained in:
jaymode 2016-08-02 14:47:06 -04:00
parent 8fa06fbab7
commit fc8e787325
1 changed files with 22 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java
View File

@ -12,6 +12,7 @@ import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.http.netty3.Netty3HttpRequest;
import org.elasticsearch.http.netty4.Netty4HttpRequest;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestController;
import org.elasticsearch.rest.RestFilter;
@ -24,6 +25,7 @@ import org.elasticsearch.xpack.security.transport.netty3.SecurityNetty3HttpServe
import org.elasticsearch.threadpool.ThreadPool;
import org.jboss.netty.handler.ssl.SslHandler;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLPeerUnverifiedException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
@ -75,22 +77,35 @@ public class SecurityRestFilter extends RestFilter {
}
static void putClientCertificateInContext(RestRequest request, ThreadContext threadContext, ESLogger logger) throws Exception {
assert request instanceof Netty3HttpRequest;
Netty3HttpRequest nettyHttpRequest = (Netty3HttpRequest) request;
assert request instanceof Netty3HttpRequest || request instanceof Netty4HttpRequest;
if (request instanceof Netty3HttpRequest) {
Netty3HttpRequest nettyHttpRequest = (Netty3HttpRequest) request;
SslHandler handler = nettyHttpRequest.getChannel().getPipeline().get(SslHandler.class);
assert handler != null;
SslHandler handler = nettyHttpRequest.getChannel().getPipeline().get(SslHandler.class);
assert handler != null;
extractClientCerts(handler.getEngine(), nettyHttpRequest.getChannel(), threadContext, logger);
} else if (request instanceof Netty4HttpRequest) {
Netty4HttpRequest nettyHttpRequest = (Netty4HttpRequest) request;
io.netty.handler.ssl.SslHandler handler = nettyHttpRequest.getChannel().pipeline().get(io.netty.handler.ssl.SslHandler.class);
assert handler != null;
extractClientCerts(handler.engine(), nettyHttpRequest.getChannel(), threadContext, logger);
}
}
private static void extractClientCerts(SSLEngine sslEngine, Object channel, ThreadContext threadContext, ESLogger logger) {
try {
Certificate[] certs = handler.getEngine().getSession().getPeerCertificates();
Certificate[] certs = sslEngine.getSession().getPeerCertificates();
if (certs instanceof X509Certificate[]) {
threadContext.putTransient(PkiRealm.PKI_CERT_HEADER_NAME, certs);
}
} catch (SSLPeerUnverifiedException e) {
// this happens when we only request client authentication and the client does not provide it
if (logger.isTraceEnabled()) {
logger.trace("SSL Peer did not present a certificate on channel [{}]", e, nettyHttpRequest.getChannel());
logger.trace("SSL Peer did not present a certificate on channel [{}]", e, channel);
} else if (logger.isDebugEnabled()) {
logger.debug("SSL Peer did not present a certificate on channel [{}]", nettyHttpRequest.getChannel());
logger.debug("SSL Peer did not present a certificate on channel [{}]", channel);
}
}
}