prestodb · tdcmeehan · Apr 24, 2024 · Apr 11, 2024
@@ -89,6 +89,9 @@ Property                                                Description
                                                         used to secure TLS.
 ``http-server.https.keystore.key``                      The password for the keystore. This must match the
                                                         password you specified when creating the keystore.
+``http-server.authentication.allow-forwarded-https``    Enable treating forwarded HTTPS requests over HTTP as secure.
+                                                        Requires the ``X-Forwarded-Proto`` header to be set to ``https`` on forwarded requests.
+                                                        Default value is ``false``.
 ======================================================= ======================================================
 
 Password Authenticator Configuration

@@ -16,7 +16,9 @@
 import com.facebook.airlift.http.server.AuthenticationException;
 import com.facebook.airlift.http.server.Authenticator;
 import com.google.common.base.Joiner;
+import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableList;
+import com.google.common.net.HttpHeaders;
 
 import javax.inject.Inject;
 import javax.servlet.Filter;
@@ -45,12 +47,15 @@
 public class AuthenticationFilter
         implements Filter
 {
+    private static final String HTTPS_PROTOCOL = "https";
     private final List<Authenticator> authenticators;
+    private final boolean allowForwardedHttps;
 
     @Inject
-    public AuthenticationFilter(List<Authenticator> authenticators)
+    public AuthenticationFilter(List<Authenticator> authenticators, SecurityConfig securityConfig)
     {
         this.authenticators = ImmutableList.copyOf(requireNonNull(authenticators, "authenticators is null"));
+        this.allowForwardedHttps = requireNonNull(securityConfig, "securityConfig is null").getAllowForwardedHttps();
     }
 
     @Override
@@ -109,10 +114,15 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
 
     private boolean doesRequestSupportAuthentication(HttpServletRequest request)
     {
-        if (!authenticators.isEmpty() && request.isSecure()) {
+        if (authenticators.isEmpty()) {
+            return false;
+        }
+        if (request.isSecure()) {
             return true;
         }
-
+        if (allowForwardedHttps) {
+            return Strings.nullToEmpty(request.getHeader(HttpHeaders.X_FORWARDED_PROTO)).equalsIgnoreCase(HTTPS_PROTOCOL);
+        }
         return false;
     }
 

@@ -32,6 +32,7 @@ public class SecurityConfig
     private static final Splitter SPLITTER = Splitter.on(',').trimResults().omitEmptyStrings();
 
     private List<AuthenticationType> authenticationTypes = ImmutableList.of();
+    private boolean allowForwardedHttps;
     private boolean authorizedIdentitySelectionEnabled;
 
     public enum AuthenticationType
@@ -69,6 +70,19 @@ public SecurityConfig setAuthenticationTypes(String types)
         return this;
     }
 
+    public boolean getAllowForwardedHttps()
+    {
+        return allowForwardedHttps;
+    }
+
+    @Config("http-server.authentication.allow-forwarded-https")
+    @ConfigDescription("Allow forwarded HTTPS requests")
+    public SecurityConfig setAllowForwardedHttps(boolean allowForwardedHttps)
+    {
+        this.allowForwardedHttps = allowForwardedHttps;
+        return this;
+    }
+
     @Config("permissions.authorized-identity-selection-enabled")
     @ConfigDescription("Authorized identity selection enabled")
     public SecurityConfig setAuthorizedIdentitySelectionEnabled(boolean authorizedIdentitySelectionEnabled)

@@ -30,6 +30,7 @@ public void testDefaults()
     {
         ConfigAssertions.assertRecordedDefaults(ConfigAssertions.recordDefaults(SecurityConfig.class)
                 .setAuthenticationTypes("")
+                .setAllowForwardedHttps(false)
                 .setAuthorizedIdentitySelectionEnabled(false));
     }
 
@@ -38,11 +39,13 @@ public void testExplicitPropertyMappings()
     {
         Map<String, String> properties = new ImmutableMap.Builder<String, String>()
                 .put("http-server.authentication.type", "KERBEROS,PASSWORD")
+                .put("http-server.authentication.allow-forwarded-https", "true")
                 .put("permissions.authorized-identity-selection-enabled", "true")
                 .build();
 
         SecurityConfig expected = new SecurityConfig()
                 .setAuthenticationTypes(ImmutableList.of(KERBEROS, PASSWORD))
+                .setAllowForwardedHttps(true)
                 .setAuthorizedIdentitySelectionEnabled(true);
 
         ConfigAssertions.assertFullMapping(properties, expected);