Added check for OPENDISTRO_SECURITY_CONF_REQUEST_HEADER

Signed-off-by: Nils Bandener <[email protected]>
nibix · Nov 6, 2024 · 3064614 · 3064614
1 parent 05fac07
commit 3064614
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java b/src/main/java/org/opensearch/security/configuration/DlsFlsValveImpl.java
@@ -364,6 +364,15 @@ public void handleSearchContext(SearchContext searchContext, ThreadPool threadPo
                 return;
             }
 
+            if (dlsFlsBaseContext.isPrivilegedConfigRequest()) {
+                // Requests with the header OPENDISTRO_SECURITY_CONF_REQUEST_HEADER set bypass any access controls.
+                // This follows the logic from
+                // https://github.com/opensearch-project/security/blob/1c898dcc4a92e8d4aa8b18c3fed761b5f6e52d4f/src/main/java/org/opensearch/security/filter/SecurityFilter.java#L209
+                // In the old DLS/FLS implementation, that check in SecurityFilter would also affect this code.
+                // Now it does not any more, thus we need this additional check here.
+                return;
+            }
+
             PrivilegesEvaluationContext privilegesEvaluationContext = this.dlsFlsBaseContext.getPrivilegesEvaluationContext();
             if (privilegesEvaluationContext == null) {
                 return;

diff --git a/src/main/java/org/opensearch/security/privileges/dlsfls/DlsFlsBaseContext.java b/src/main/java/org/opensearch/security/privileges/dlsfls/DlsFlsBaseContext.java
@@ -15,6 +15,7 @@
 import org.opensearch.security.privileges.PrivilegesEvaluationContext;
 import org.opensearch.security.privileges.PrivilegesEvaluator;
 import org.opensearch.security.support.ConfigConstants;
+import org.opensearch.security.support.HeaderHelper;
 import org.opensearch.security.user.User;
 
 /**
@@ -52,4 +53,16 @@ public boolean isDlsDoneOnFilterLevel() {
             return false;
         }
     }
+
+    /**
+     * Returns true for requests that have raised privileges. This corresponds to the check in SecurityFilter:
+     * https://github.com/opensearch-project/security/blob/1c898dcc4a92e8d4aa8b18c3fed761b5f6e52d4f/src/main/java/org/opensearch/security/filter/SecurityFilter.java#L209
+     * <p>
+     * In earlier versions the check in SecurityFilter would automatically bypass any DLS/FLS logic if it was true,
+     * because no DLS/FLS thread context headers were written. As these are no longer used and the DLS/FLS components
+     * do the access control checks by themselves, we now need to do that check at these particular locations.
+     */
+    public boolean isPrivilegedConfigRequest() {
+        return "true".equals(HeaderHelper.getSafeFromHeader(threadContext, ConfigConstants.OPENDISTRO_SECURITY_CONF_REQUEST_HEADER));
+    }
 }