org.elasticsearch.common.util.concurrent.ThreadContext Java Examples

@Override
public AuthCredentials extractCredentials(RestRequest request, ThreadContext context) throws ElasticsearchSecurityException {
    final SecurityManager sm = System.getSecurityManager();

    if (sm != null) {
        sm.checkPermission(new SpecialPermission());
    }

    AuthCredentials creds = AccessController.doPrivileged(new PrivilegedAction<AuthCredentials>() {
        @Override
        public AuthCredentials run() {
            return extractCredentials0(request);
        }
    });

    return creds;
}
 

@Override
public AuthCredentials extractCredentials(RestRequest request, ThreadContext context)
        throws ElasticsearchSecurityException {
    final SecurityManager sm = System.getSecurityManager();

    if (sm != null) {
        sm.checkPermission(new SpecialPermission());
    }

    AuthCredentials creds = AccessController.doPrivileged(new PrivilegedAction<AuthCredentials>() {
        @Override
        public AuthCredentials run() {
            return extractCredentials0(request);
        }
    });

    return creds;
}
 

/**
 * Sends back an error response to the caller via the given channel
 *
 * @param nodeVersion the caller node version
 * @param features    the caller features
 * @param channel     the channel to send the response to
 * @param error       the error to return
 * @param requestId   the request ID this response replies to
 * @param action      the action this response replies to
 */
public void sendErrorResponse(
        final Version nodeVersion,
        final Set<String> features,
        final TcpChannel channel,
        final Exception error,
        final long requestId,
        final String action) throws IOException {
    try (BytesStreamOutput stream = new BytesStreamOutput()) {
        stream.setVersion(nodeVersion);
        stream.setFeatures(features);
        RemoteTransportException tx = new RemoteTransportException(
            nodeName, new TransportAddress(channel.getLocalAddress()), action, error);
        ThreadContext.bwcWriteHeaders(stream);
        stream.writeException(tx);
        byte status = 0;
        status = TransportStatus.setResponse(status);
        status = TransportStatus.setError(status);
        final BytesReference bytes = stream.bytes();
        final BytesReference header = buildHeader(requestId, status, nodeVersion, bytes.length());
        CompositeBytesReference message = new CompositeBytesReference(header, bytes);
        SendListener onResponseSent = new SendListener(channel, null,
            () -> messageListener.onResponseSent(requestId, action, error), message.length());
        internalSendMessage(channel, message, onResponseSent);
    }
}
 

@Override
public AuthCredentials extractCredentials(final RestRequest request, ThreadContext threadContext) {
    final SecurityManager sm = System.getSecurityManager();

    if (sm != null) {
        sm.checkPermission(new SpecialPermission());
    }

    AuthCredentials creds = AccessController.doPrivileged(new PrivilegedAction<AuthCredentials>() {
        @Override
        public AuthCredentials run() {
            return extractCredentials0(request);
        }
    });

    return creds;
}
 

public FieldReadCallback(final ThreadContext threadContext, final IndexService indexService,
        final ClusterService clusterService, final ComplianceConfig complianceConfig, final AuditLog auditLog,
        final Set<String> maskedFields, ShardId shardId) {
    super();
    //this.threadContext = Objects.requireNonNull(threadContext);
    //this.clusterService = Objects.requireNonNull(clusterService);
    this.index = Objects.requireNonNull(indexService).index();
    this.complianceConfig = complianceConfig;
    this.auditLog = auditLog;
    this.maskedFields = maskedFields;
    this.shardId = shardId;
    try {
        sfc = (SourceFieldsContext) HeaderHelper.deserializeSafeFromHeader(threadContext, "_opendistro_security_source_field_context");
        if(sfc != null && sfc.hasIncludesOrExcludes()) {
            if(log.isTraceEnabled()) {
                log.trace("_opendistro_security_source_field_context: "+sfc);
            }

            filterFunction = XContentMapValues.filter(sfc.getIncludes(), sfc.getExcludes());
        }
    } catch (Exception e) {
        if(log.isDebugEnabled()) {
            log.debug("Cannot deserialize _opendistro_security_source_field_context because of {}", e.toString());
        }
    }
}
 

public void testTransportClient() throws Exception {
    NodesInfoResponse nodeInfos = client().admin().cluster().prepareNodesInfo().get();
    List<NodeInfo>  nodes = nodeInfos.getNodes();
    assertTrue(nodes.size() > 0);
    TransportAddress publishAddress = randomFrom(nodes).getTransport().address().publishAddress();
    String clusterName = nodeInfos.getClusterName().value();

    Settings settings = Settings.builder()
            .put("cluster.name", clusterName)
            .put(ThreadContext.PREFIX + "." + CustomRealm.USER_HEADER, randomFrom(KNOWN_USERS))
            .put(ThreadContext.PREFIX + "." + CustomRealm.PW_HEADER, PASSWORD)
            .build();
    try (TransportClient client = new PreBuiltXPackTransportClient(settings)) {
        client.addTransportAddress(publishAddress);
        ClusterHealthResponse response = client.admin().cluster().prepareHealth().execute().actionGet();
        assertThat(response.isTimedOut(), is(false));
    }
}
 

public void testAuthenticateBadUser() {
    Settings globalSettings = Settings.builder().put("path.home", createTempDir()).build();
    Settings realmSettings = Settings.builder()
            .put("type", CustomRealm.TYPE)
            .put("users.john.password", "doe")
            .put("users.john.roles", "user")
            .put("users.jane.password", "test")
            .putList("users.jane.roles", "user", "admin")
            .build();

    CustomRealm realm = new CustomRealm(new RealmConfig("test", realmSettings, globalSettings,
            new Environment(globalSettings, createTempDir()), new ThreadContext(globalSettings)));
    UsernamePasswordToken token =
            new UsernamePasswordToken("john1", new SecureString(randomAlphaOfLengthBetween(4, 16).toCharArray()));
    realm.authenticate(token, ActionListener.wrap(result -> {
        assertFalse(result.isAuthenticated());
        assertThat(result.getUser(), nullValue());
    }, e -> fail("Failed with exception: " + e.getMessage())));
}
 

@Override
public AuthCredentials extractCredentials(RestRequest request, ThreadContext context)
        throws ElasticsearchSecurityException {
    if (PluginServiceFactory.isReady()) {
        OpenshiftRequestContextFactory contextFactory = PluginServiceFactory.getContextFactory();
        try {
            OpenshiftRequestContext requestContext = contextFactory.create(request);
            context.putTransient(ConfigurationSettings.OPENSHIFT_REQUEST_CONTEXT, requestContext);
            if (requestContext == OpenshiftRequestContext.EMPTY) {
                return null;
            }
            return new AuthCredentials(requestContext.getUser(), requestContext.getBackendRoles()).markComplete();
        } catch (ElasticsearchSecurityException ese) {
            throw ese;
        } catch (Exception e) {
            LOGGER.error("Error handling request", e);
        }
    }
    return null;
}
 

public OpenshiftRequestContextFactory(
        final Settings settings,
        final RequestUtils utils,
        final OpenshiftAPIService apiService,
        final ThreadContext threadContext){
    this.threadContext = threadContext;
    this.apiService = apiService;
    this.utils = utils;
    this.operationsProjects = settings.getAsArray(ConfigurationSettings.OPENSHIFT_CONFIG_OPS_PROJECTS,
            ConfigurationSettings.DEFAULT_OPENSHIFT_OPS_PROJECTS);
    this.kibanaPrefix = settings.get(ConfigurationSettings.KIBANA_CONFIG_INDEX_NAME,
            ConfigurationSettings.DEFAULT_USER_PROFILE_PREFIX);
    this.kibanaIndexMode = settings.get(ConfigurationSettings.OPENSHIFT_KIBANA_INDEX_MODE, UNIQUE);
    if (!ArrayUtils.contains(new String[] { UNIQUE, SHARED_OPS, SHARED_NON_OPS }, kibanaIndexMode.toLowerCase())) {
        this.kibanaIndexMode = UNIQUE;
    }
    LOGGER.info("Using kibanaIndexMode: '{}'", this.kibanaIndexMode);
    
    contextCache = CacheBuilder.newBuilder()
            .maximumSize(settings.getAsInt(ConfigurationSettings.OPENSHIFT_CONTEXT_CACHE_MAXSIZE, 
                    ConfigurationSettings.DEFAULT_OPENSHIFT_CONTEXT_CACHE_MAXSIZE))
            .expireAfterWrite(settings.getAsLong(ConfigurationSettings.OPENSHIFT_CONTEXT_CACHE_EXPIRE_SECONDS, 
                    ConfigurationSettings.DEFAULT_OPENSHIFT_CONTEXT_CACHE_EXPIRE_SECONDS), TimeUnit.SECONDS)
            .removalListener(this)
            .build(this);
}
 

protected void dumpIndices() throws Exception {
    ThreadContext threadContext = esNode1.client().threadPool().getThreadContext();
    try (StoredContext cxt = threadContext.stashContext()) {
        threadContext.putHeader(ConfigConstants.SG_CONF_REQUEST_HEADER, "true");
        ClusterStateResponse response = esNode1.client().admin().cluster().prepareState().get();
        Iterator<ObjectObjectCursor<String, IndexMetaData>> iterator = response.getState().getMetaData().indices().iterator();
        while (iterator.hasNext()) {
            ObjectObjectCursor<String, IndexMetaData> c = (ObjectObjectCursor<String, IndexMetaData>) iterator.next();
            IndexMetaData meta = c.value;
            ImmutableOpenMap<String, MappingMetaData> mappings = meta.getMappings();
            Iterator<String> it = mappings.keysIt();
            while (it.hasNext()) {
                String key = it.next();
                System.out.println(String.format("%s %s %s", c.key, key,  mappings.get(key).type()));
            }
        }
    }
}
 

protected void givenDocumentIsIndexed(String index, String type, String id, XContentBuilder content)
        throws Exception {
    ThreadContext threadContext = esNode1.client().threadPool().getThreadContext();
    try (StoredContext cxt = threadContext.stashContext()) {
        threadContext.putHeader(ConfigConstants.SG_CONF_REQUEST_HEADER, "true");
        IndexResponse response = esNode1.client().prepareIndex(index, type, id)
                .setSource(content)
                .setRefreshPolicy(RefreshPolicy.IMMEDIATE)
                .execute()
                .get();
        if(!Result.CREATED.equals(response.getResult())){
            throw new RuntimeException("Test setup failed trying to index a document.  Exp. CREATED but was: " + response.getResult());
        }
    }
}
 

private void sendResponse(
        final Version nodeVersion,
        final Set<String> features,
        final TcpChannel channel,
        final TransportResponse response,
        final long requestId,
        final String action,
        TransportResponseOptions options,
        byte status) throws IOException {
    if (compress) {
        options = TransportResponseOptions.builder(options).withCompress(true).build();
    }
    status = TransportStatus.setResponse(status); // TODO share some code with sendRequest
    ReleasableBytesStreamOutput bStream = new ReleasableBytesStreamOutput(bigArrays);
    CompressibleBytesOutputStream stream = new CompressibleBytesOutputStream(bStream, options.compress());
    boolean addedReleaseListener = false;
    try {
        if (options.compress()) {
            status = TransportStatus.setCompress(status);
        }
        ThreadContext.bwcWriteHeaders(stream);
        stream.setVersion(nodeVersion);
        stream.setFeatures(features);
        BytesReference message = buildMessage(requestId, status, nodeVersion, response, stream);

        final TransportResponseOptions finalOptions = options;
        // this might be called in a different thread
        SendListener listener = new SendListener(channel, stream,
            () -> messageListener.onResponseSent(requestId, action, response, finalOptions), message.length());
        internalSendMessage(channel, message, listener);
        addedReleaseListener = true;
    } finally {
        if (!addedReleaseListener) {
            IOUtils.close(stream);
        }
    }
}
 

protected void givenDocumentIsRemoved(String index, String type, String id)
        throws Exception {
    ThreadContext threadContext = esNode1.client().threadPool().getThreadContext();
    try (StoredContext cxt = threadContext.stashContext()) {
        threadContext.putHeader(ConfigConstants.SG_CONF_REQUEST_HEADER, "true");
        esNode1.client().prepareDelete(index, type, id).execute().get();
    }
}
 

protected void dumpDocument(String index, String type, String id) throws Exception {
    ThreadContext threadContext = client().threadPool().getThreadContext();
    try (StoredContext cxt = threadContext.stashContext()) {
        threadContext.putHeader(ConfigConstants.SG_CONF_REQUEST_HEADER, "true");
        GetResponse response = client().prepareGet(index, type, id).get();
        System.out.println(response.getSourceAsString());
    }
}
 

private void givenUserContextFactory(boolean isOperationsUser) {
    Settings settings = settingsBuilder.build();
    utils = spy(new RequestUtils(new PluginSettings(settings), apiService));
    doReturn(isOperationsUser).when(utils).isOperationsUser(anyString(), anyString());

    factory = new OpenshiftRequestContextFactory(settings, utils, apiService, new ThreadContext(settings));
}
 

/**
 * This method will extract a token from the given {@link RestRequest} if possible. This implementation of token
 * extraction looks for two headers, the <code>User</code> header for the username and the <code>Password</code>
 * header for the plaintext password
 * @param threadContext the {@link ThreadContext} that contains headers and transient objects for a request
 * @return the {@link AuthenticationToken} if possible to extract or <code>null</code>
 */
@Override
public UsernamePasswordToken token(ThreadContext threadContext) {
    String user = threadContext.getHeader(USER_HEADER);
    if (user != null) {
        String password = threadContext.getHeader(PW_HEADER);
        if (password != null) {
            return new UsernamePasswordToken(user, new SecureString(password.toCharArray()));
        }
    }
    return null;
}
 

@Override
public ElasticsearchSecurityException failedAuthentication(RestRequest request, AuthenticationToken token, ThreadContext context) {
    ElasticsearchSecurityException e = super.failedAuthentication(request, token, context);
    // set a custom header
    e.addHeader("WWW-Authenticate", "custom-challenge");
    return e;
}
 

@Override
public ElasticsearchSecurityException failedAuthentication(TransportMessage message, AuthenticationToken token, String action,
                                                           ThreadContext context) {
    ElasticsearchSecurityException e = super.failedAuthentication(message, token, action, context);
    // set a custom header
    e.addHeader("WWW-Authenticate", "custom-challenge");
    return e;
}
 

@Override
public ElasticsearchSecurityException missingToken(RestRequest request, ThreadContext context) {
    ElasticsearchSecurityException e = super.missingToken(request, context);
    // set a custom header
    e.addHeader("WWW-Authenticate", "custom-challenge");
    return e;
}
 

@Override
public ElasticsearchSecurityException missingToken(TransportMessage message, String action, ThreadContext context) {
    ElasticsearchSecurityException e = super.missingToken(message, action, context);
    // set a custom header
    e.addHeader("WWW-Authenticate", "custom-challenge");
    return e;
}
 

@Override
public ElasticsearchSecurityException exceptionProcessingRequest(RestRequest request, Exception e, ThreadContext context) {
    ElasticsearchSecurityException se = super.exceptionProcessingRequest(request, e, context);
    // set a custom header
    se.addHeader("WWW-Authenticate", "custom-challenge");
    return se;
}
 

@Override
public ElasticsearchSecurityException exceptionProcessingRequest(TransportMessage message, String action, Exception e,
                                                                 ThreadContext context) {
    ElasticsearchSecurityException se = super.exceptionProcessingRequest(message, action, e, context);
    // set a custom header
    se.addHeader("WWW-Authenticate", "custom-challenge");
    return se;
}
 

@Override
public ElasticsearchSecurityException authenticationRequired(String action, ThreadContext context) {
    ElasticsearchSecurityException se = super.authenticationRequired(action, context);
    // set a custom header
    se.addHeader("WWW-Authenticate", "custom-challenge");
    return se;
}
 

/**
 * The client used to connect to the external cluster must have authentication credentials since the cluster is
 * protected by shield
 */
@Override
protected Settings externalClusterClientSettings() {
    return Settings.builder()
            .put("transport.type", "security4")
            .put(ThreadContext.PREFIX + "." + CustomRealm.USER_HEADER, randomFrom(KNOWN_USERS))
            .put(ThreadContext.PREFIX + "." + CustomRealm.PW_HEADER, PASSWORD)
            .build();
}
 

public void testTransportClientWrongAuthentication() throws Exception {
    NodesInfoResponse nodeInfos = client().admin().cluster().prepareNodesInfo().get();
    List<NodeInfo> nodes = nodeInfos.getNodes();
    assertTrue(nodes.size() > 0);
    TransportAddress publishAddress = randomFrom(nodes).getTransport().address().publishAddress();
    String clusterName = nodeInfos.getClusterName().value();

    Settings settings;
    if (randomBoolean()) {
        settings = Settings.builder()
                .put("cluster.name", clusterName)
                .put(ThreadContext.PREFIX + "." + CustomRealm.USER_HEADER, randomFrom(KNOWN_USERS) + randomAlphaOfLength(1))
                .put(ThreadContext.PREFIX + "." + CustomRealm.PW_HEADER, PASSWORD)
                .build();
    } else {
        settings = Settings.builder()
                .put("cluster.name", clusterName)
                .put(ThreadContext.PREFIX + "." + CustomRealm.USER_HEADER, randomFrom(KNOWN_USERS))
                .put(ThreadContext.PREFIX + "." + CustomRealm.PW_HEADER, randomAlphaOfLengthBetween(16, 32))
                .build();
    }

    try (TransportClient client = new PreBuiltXPackTransportClient(settings)) {
        client.addTransportAddress(publishAddress);
        client.admin().cluster().prepareHealth().execute().actionGet();
        fail("authentication failure should have resulted in a NoNodesAvailableException");
    } catch (NoNodeAvailableException e) {
        // expected
    }
}
 

@Override
public AuthCredentials extractCredentials(RestRequest restRequest, ThreadContext threadContext)
        throws ElasticsearchSecurityException {
    if ("/_opendistro/_security/api/authtoken".equals(restRequest.path())) {
        return null;
    }

    AuthCredentials authCredentials = this.httpJwtAuthenticator.extractCredentials(restRequest, threadContext);

    if ("/_opendistro/_security/authinfo".equals(restRequest.path())) {
        this.initLogoutUrl(restRequest, threadContext, authCredentials);
    }

    return authCredentials;
}
 

@Override
public AuthCredentials extractCredentials(RestRequest request, ThreadContext context) throws ElasticsearchSecurityException {
    final String authorizationHeader = request.header("Authorization");
    if (authorizationHeader != null) {
        if (authorizationHeader.trim().toLowerCase().startsWith("basic ")) {
            final String decoded = new String(DatatypeConverter.parseBase64Binary(authorizationHeader.split(" ")[1]),
                    StandardCharsets.UTF_8);

            //username:password
            //Assume password is all chars from the last : to the end
            //this is the only way to send service accounts
           
            final int delimiter = decoded.lastIndexOf(':');

            String username = null;
            String password = null;

            if (delimiter > 0) {
                username = decoded.substring(0, delimiter);
                
                if(decoded.length() - 1 != delimiter) {
                    password = decoded.substring(delimiter + 1).trim();
                }
            }
            if (username != null && StringUtils.isNotEmpty(password)) {
                return new AuthCredentials(username, password.getBytes(StandardCharsets.UTF_8)).markComplete();
            }
        }
    }
    return null;
}
 

public static ThreadContext createThreadContext() {
    Settings build = Settings.builder().put("request.headers.default", "1").build();
    ThreadContext context = new ThreadContext(build);
    context.putHeader("foo", "bar");
    context.putTransient("x", 1);
    return context;
}
 

@Before
public void setup() throws Exception {
    super.setUp();
    super.setUpLog4jForJUnit(AnomalyDetectorJobRunner.class);
    MockitoAnnotations.initMocks(this);
    ThreadFactory threadFactory = EsExecutors.daemonThreadFactory(EsExecutors.threadName("node1", "test-ad"));
    ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
    executorService = EsExecutors.newFixed("test-ad", 4, 100, threadFactory, threadContext);
    doReturn(executorService).when(mockedThreadPool).executor(anyString());
    runner.setThreadPool(mockedThreadPool);
    runner.setClient(client);
    runner.setClientUtil(clientUtil);
    runner.setAnomalyResultHandler(anomalyResultHandler);

    setUpJobParameter();

    runner
        .setSettings(
            Settings
                .builder()
                .put("opendistro.anomaly_detection.max_retry_for_backoff", 2)
                .put("opendistro.anomaly_detection.backoff_initial_delay", TimeValue.timeValueMillis(1))
                .put("opendistro.anomaly_detection.max_retry_for_end_run_exception", 3)
                .build()
        );

    lockService = new LockService(client, clusterService);
    doReturn(lockService).when(context).getLockService();
}
 

public static boolean containsBadHeader(final ThreadContext context, String prefix) {
    if (context != null) {
        for (final Entry<String, String> header : context.getHeaders().entrySet()) {
            if (header != null && header.getKey() != null && header.getKey().trim().toLowerCase().startsWith(prefix)) {
                return true;
            }
        }
    }
    
    return false;
}