Skip to content

Commit

Permalink
Fixes for security
Browse files Browse the repository at this point in the history
Signed-off-by: Bharathwaj G <[email protected]>
  • Loading branch information
bharath-techie committed Sep 2, 2022
1 parent 8c97d73 commit 5167a2c
Show file tree
Hide file tree
Showing 3 changed files with 58 additions and 6 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
import org.opensearch.common.Strings;
import org.opensearch.common.io.stream.StreamInput;
import org.opensearch.common.io.stream.StreamOutput;
import org.opensearch.common.xcontent.XContentParser;

import java.io.IOException;
import java.util.ArrayList;
Expand Down Expand Up @@ -84,4 +85,37 @@ public ActionRequestValidationException validate() {
}
return validationException;
}

public void fromXContent(XContentParser parser) throws IOException {
pitIds.clear();
if (parser.nextToken() != XContentParser.Token.START_OBJECT) {
throw new IllegalArgumentException("Malformed content, must start with an object");
} else {
XContentParser.Token token;
String currentFieldName = null;
while ((token = parser.nextToken()) != XContentParser.Token.END_OBJECT) {
if (token == XContentParser.Token.FIELD_NAME) {
currentFieldName = parser.currentName();
} else if ("pit_id".equals(currentFieldName)) {
if (token == XContentParser.Token.START_ARRAY) {
while ((token = parser.nextToken()) != XContentParser.Token.END_ARRAY) {
if (token.isValue() == false) {
throw new IllegalArgumentException("pit_id array element should only contain pit_id");
}
pitIds.add(parser.text());
}
} else {
if (token.isValue() == false) {
throw new IllegalArgumentException("pit_id element should only contain pit_id");
}
pitIds.add(parser.text());
}
} else {
throw new IllegalArgumentException(
"Unknown parameter [" + currentFieldName + "] in request body or parameter is of the wrong type[" + token + "] "
);
}
}
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -95,7 +95,11 @@ public TransportPitSegmentsAction(
@Override
protected void doExecute(Task task, PitSegmentsRequest request, ActionListener<IndicesSegmentResponse> listener) {
List<String> pitIds = request.getPitIds();
if (pitIds.size() == 1 && "_all".equals(pitIds.get(0))) {
// when security plugin intercepts the request, if PITs are not present in the cluster the PIT IDs in request will be empty
// and in this case return empty response
if (pitIds.isEmpty()) {
listener.onResponse(new IndicesSegmentResponse(new ShardSegments[] {}, 0, 0, 0, new ArrayList<>()));
} else if (pitIds.size() == 1 && "_all".equals(pitIds.get(0))) {
pitService.getAllPits(ActionListener.wrap(response -> {
request.clearAndSetPitIds(response.getPitInfos().stream().map(ListPitInfo::getPitId).collect(Collectors.toList()));
super.doExecute(task, request, listener);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,6 @@
import org.opensearch.action.admin.indices.segments.ShardSegments;
import org.opensearch.client.node.NodeClient;
import org.opensearch.cluster.node.DiscoveryNodes;
import org.opensearch.common.Strings;
import org.opensearch.common.Table;
import org.opensearch.common.logging.DeprecationLogger;
import org.opensearch.index.engine.Segment;
Expand All @@ -29,6 +28,7 @@
import org.opensearch.rest.action.RestActionListener;
import org.opensearch.rest.action.RestResponseListener;

import java.io.IOException;
import java.util.List;
import java.util.Map;

Expand All @@ -45,7 +45,7 @@ public class RestPitSegmentsAction extends AbstractCatAction {

@Override
public List<RestHandler.Route> routes() {
return unmodifiableList(asList(new Route(GET, "/_cat/pit_segments"), new Route(GET, "/_cat/pit_segments/{pit_id}")));
return unmodifiableList(asList(new Route(GET, "/_cat/pit_segments/_all"), new Route(GET, "/_cat/pit_segments")));
}

@Override
Expand All @@ -60,7 +60,6 @@ public boolean allowSystemIndexAccessByDefault() {

@Override
protected BaseRestHandler.RestChannelConsumer doCatRequest(final RestRequest request, final NodeClient client) {
final String[] pitIds = Strings.splitStringByCommaToArray(request.param("pit_id"));
final ClusterStateRequest clusterStateRequest = new ClusterStateRequest();
clusterStateRequest.local(false);
clusterStateRequest.clusterManagerNodeTimeout(
Expand All @@ -70,8 +69,23 @@ protected BaseRestHandler.RestChannelConsumer doCatRequest(final RestRequest req
clusterStateRequest.clear().nodes(true).routingTable(true).indices("*");
return channel -> client.admin().cluster().state(clusterStateRequest, new RestActionListener<>(channel) {
@Override
public void processResponse(final ClusterStateResponse clusterStateResponse) {
final PitSegmentsRequest pitSegmentsRequest = new PitSegmentsRequest(pitIds);
public void processResponse(final ClusterStateResponse clusterStateResponse) throws IOException {
String allPitIdsQualifier = "_all";
final PitSegmentsRequest pitSegmentsRequest;
if (request.path().contains(allPitIdsQualifier)) {
pitSegmentsRequest = new PitSegmentsRequest(allPitIdsQualifier);
} else {
pitSegmentsRequest = new PitSegmentsRequest();
request.withContentOrSourceParamParserOrNull((xContentParser -> {
if (xContentParser != null) {
try {
pitSegmentsRequest.fromXContent(xContentParser);
} catch (IOException e) {
throw new IllegalArgumentException("Failed to parse request body", e);
}
}
}));
}
client.execute(PitSegmentsAction.INSTANCE, pitSegmentsRequest, new RestResponseListener<>(channel) {
@Override
public RestResponse buildResponse(final IndicesSegmentResponse indicesSegmentResponse) throws Exception {
Expand Down

0 comments on commit 5167a2c

Please sign in to comment.