Accept X-Forwarded-For configurable as a rule and limited to a hosts list (still, host list accepts a net mask -> be cautious!)

Author: Simone Scarduzio

README.md

@@ -34,6 +34,7 @@ Explicitly allow/forbid requests by access control rule parameters:
 * ```hosts``` a list of origin IP addresses or subnets
 * ```api_keys``` a list of api keys passed in via header ```X-Api-Key```
 * ```methods``` a list of HTTP methods
+* ```accept_x-forwarded-for_header``` interpret the ```X-Forwarded-For``` header as origin host (useful for AWS ELB and other reverse proxies)
 * ```uri_re``` a regular expression to match the request URI (useful to restrict certain indexes)
 * ```maxBodyLength``` limit HTTP request body length.
 
@@ -119,6 +120,12 @@ readonlyrest:
       type: allow
       hosts: [127.0.0.1, 10.0.1.0/24]
 
+    # Allow if the origin host or the host in X-Forwarded-For header is 9.9.9.9 (useful for AWS ELB and other reverse proxies)
+    - name: full access to internal servers
+      type: allow
+      accept_x-forwarded-for_header: true
+      hosts: [9.9.9.9]
+
     # From these API Keys, accept any method, any URI, any HTTP body
     - name: full access to remote authorized clients
       type: allow

src/main/java/org/elasticsearch/rest/action/readonlyrest/acl/ACL.java

@@ -9,9 +9,9 @@
 
 public class ACL {
 
-  private Settings            s;
-  private ESLogger            logger;
-  private TreeMap<Integer, Rule>           rules  = new TreeMap<>();
+  private Settings s;
+  private ESLogger logger;
+  private TreeMap<Integer, Rule> rules = new TreeMap<>();
   private final static String PREFIX = "readonlyrest.access_control_rules";
 
   public ACL(ESLogger logger, Settings s) {
@@ -38,7 +38,7 @@ private void readRules() {
   /**
    * Check the request against configured ACL rules. This does not work with try/catch because stacktraces are expensive
    * for performance.
-   * 
+   *
    * @param req the ACLRequest to be checked by the ACL rules.
    * @return null if request pass the rules or the name of the first violated rule
    */
@@ -47,7 +47,7 @@ public String check(ACLRequest req) {
       Rule rule = rules.get(exOrder);
       // The logic will exit at the first rule that matches the request
       boolean match = true;
-      match &= rule.matchesAddress(req.getAddress());
+      match &= rule.matchesAddress(req.getAddress(), req.getXForwardedForHeader());
       match &= rule.matchesApiKey(req.getApiKey());
       match &= rule.matchesAuthKey(req.getAuthKey());
       match &= rule.matchesMaxBodyLength(req.getBodyLength());

src/main/java/org/elasticsearch/rest/action/readonlyrest/acl/ACLRequest.java

@@ -30,10 +30,12 @@ public class ACLRequest {
   private String               uri;
   private Integer              bodyLength;
   private Method               method;
+  private String               xForwardedForHeader;
 
   @Override
   public String toString() {
-    return method +" "+ uri + " len: "+ bodyLength + " originator address: " + address + " api key: " + apiKey;
+    return method +" "+ uri + " len: "+ bodyLength + " originator address: " + address +
+        " api key: " + apiKey + " auth_key: " + authKey + " acceptXForwardedForHeader:" + xForwardedForHeader;
   }
   public String getAddress() {
     return address;
@@ -51,8 +53,10 @@ public Integer getBodyLength() {
     return bodyLength;
   }
 
+  public String getXForwardedForHeader() {return xForwardedForHeader; }
+
   public ACLRequest(RestRequest request, RestChannel channel) {
-    this(request.uri(), getAddress(request, channel), request.header("X-Api-Key"), request.header("Authorization"), request.content().length(), request.method());
+    this(request.uri(), getAddress(request, channel), request.header("X-Api-Key"), request.header("Authorization"), request.content().length(), request.method(), getXForwardedForHeader(request));
 
     ESLogger logger = ESLoggerFactory.getLogger(ACLRequest.class.getName());
     logger.debug("Headers:\n");
@@ -61,24 +65,28 @@ public ACLRequest(RestRequest request, RestChannel channel) {
     }
   }
 
-  public ACLRequest(String uri, String address, String apiKey, String authKey, Integer bodyLength, Method method){
+  public ACLRequest(String uri, String address, String apiKey, String authKey, Integer bodyLength, Method method, String xForwardedForHeader){
     this.uri = uri;
     this.address = address;
     this.apiKey = apiKey;
     this.authKey = authKey;
     this.bodyLength = bodyLength;
     this.method = method;
+    this.xForwardedForHeader = xForwardedForHeader;
   }
 
-  static String getAddress(RestRequest request, RestChannel channel) {
-    String remoteHost = null;
-
+  static String getXForwardedForHeader(RestRequest request) {
     if (!ConfigurationHelper.isNullOrEmpty(request.header("X-Forwarded-For"))) {
       String[] parts = request.header("X-Forwarded-For").split(",");
       if (!ConfigurationHelper.isNullOrEmpty(parts[0])) {
         return parts[0];
       }
     }
+    return null;
+  }
+
+  static String getAddress(RestRequest request, RestChannel channel) {
+    String remoteHost = null;
 
     try {
       NettyHttpChannel obj = (NettyHttpChannel) channel;

src/main/java/org/elasticsearch/rest/action/readonlyrest/acl/Rule.java

@@ -38,8 +38,9 @@ public static String valuesString(){
   String               authKey;
   private List<Method> methods;
   String               stringRepresentation;
+  Boolean              acceptXForwardedForHeader;
 
-  public Rule(String name, Type type, Pattern uri_re, Integer bodyLenght, List<String> addresses, List<String> apiKeys, String authKey, List<Method> methods, String toString) {
+  public Rule(String name, Type type, Pattern uri_re, Integer bodyLenght, List<String> addresses, List<String> apiKeys, String authKey, List<Method> methods, String toString, Boolean acceptXForwardedForHeader) {
     this.name = name;
     this.type = type;
     this.uri_re = uri_re;
@@ -49,6 +50,7 @@ public Rule(String name, Type type, Pattern uri_re, Integer bodyLenght, List<Str
     this.authKey= authKey;
     this.methods = methods;
     this.stringRepresentation = toString;
+    this.acceptXForwardedForHeader = acceptXForwardedForHeader;
   }
 
   public static Rule build(Settings s) {
@@ -74,6 +76,8 @@ public static Rule build(Settings s) {
       }
     }
 
+    Boolean acceptXForwardedForHeader = s.getAsBoolean("accept_x-forwarded-for_header", false);
+
     String authKey = s.get("auth_key");
     if(authKey != null && authKey.trim().length() > 0) {
       authKey = Base64.encodeBytes(authKey.getBytes(Charsets.UTF_8));
@@ -111,8 +115,8 @@ public static Rule build(Settings s) {
     Integer maxBodyLength = s.getAsInt("maxBodyLength", null);
 
     if ((!ConfigurationHelper.isNullOrEmpty(name) && type != null) &&
-        (uri_re != null || maxBodyLength != null || hosts != null || apiKeys != null || authKey != null|| methods != null)) {
-      return new Rule(name.trim(), type, uri_re, maxBodyLength, hosts, apiKeys, authKey, methods, s.toDelimitedString(' '));
+        (uri_re != null || maxBodyLength != null || hosts != null || apiKeys != null || authKey != null || methods != null || acceptXForwardedForHeader != null)) {
+      return new Rule(name.trim(), type, uri_re, maxBodyLength, hosts, apiKeys, authKey, methods, s.toDelimitedString(' '), acceptXForwardedForHeader);
     }
     throw new RuleConfigurationError("insufficient or invalid configuration for rule: '" + name + "'", null);
 
@@ -126,11 +130,14 @@ public String toString() {
   /*
    * All "matches" methods should return true if no explicit condition was configured
    */
-  public boolean matchesAddress(String address) {
+  public boolean matchesAddress(String address, String xForwardedForHeader) {
     if (addresses == null) {
       return true;
     }
-
+    if(acceptXForwardedForHeader && xForwardedForHeader != null) {
+      // Give it a try with the header
+      if(matchesAddress(xForwardedForHeader, null)) return true;
+    }
     for (String allowedAddress : addresses) {
       if (allowedAddress.indexOf("/") > 0) {
         try {
@@ -188,4 +195,5 @@ public boolean matchesMethods(Method method) {
     }
     return methods.contains(method);
   }
+
 }

src/test/java/org/elasticsearch/rest/action/readonlyrest/acl/test/ACLTest.java

@@ -45,54 +45,60 @@ public void tearDown() throws Exception {
 
     @Test
     public final void testExternalGet() {
-        ACLRequest ar = new ACLRequest("http://es/index1/_search?q=item.name:fishingpole&size=200", "1.1.1.1", "","", 0, Method.GET);
+        ACLRequest ar = new ACLRequest("http://es/index1/_search?q=item.name:fishingpole&size=200", "1.1.1.1", "","", 0, Method.GET,null);
         Assert.assertNull(acl.check(ar));
     }
 
     @Test
     public final void testExternalPost() {
-        Assert.assertNotNull(acl.check(new ACLRequest("http://es/index1/_search?q=item.name:fishingpole&size=200", "1.1.1.1", "","", 0, Method.POST)));
+        Assert.assertNotNull(acl.check(new ACLRequest("http://es/index1/_search?q=item.name:fishingpole&size=200", "1.1.1.1", "","", 0, Method.POST, null)));
     }
 
     @Test
-    public final void testExternalURIRE() {
-        Assert.assertNotNull(acl.check(new ACLRequest("http://localhost:9200/reservedIdx/_search?q=item.name:fishingpole&size=200", "1.1.1.1", "","", 0, Method.GET)));
+    public final void testExternalURIRegEx() {
+        Assert.assertNotNull(acl.check(new ACLRequest("http://localhost:9200/reservedIdx/_search?q=item.name:fishingpole&size=200", "1.1.1.1", "","", 0, Method.GET, null)));
     }
 
     @Test
     public final void testExternalMatchAddress() {
-        Assert.assertNull(acl.check(new ACLRequest("http://es/index1/_search?q=item.name:fishingpole&size=200", "127.0.0.1", "","", 0, Method.GET)));
+        Assert.assertNull(acl.check(new ACLRequest("http://es/index1/_search?q=item.name:fishingpole&size=200", "127.0.0.1", "","", 0, Method.GET, null)));
     }
 
     @Test
     public final void testExternalWithBody() {
-        Assert.assertNotNull(acl.check(new ACLRequest("http://es/index1/_search?q=item.name:fishingpole&size=200", "1.1.1.1", "","", 20, Method.GET)));
+        Assert.assertNotNull(acl.check(new ACLRequest("http://es/index1/_search?q=item.name:fishingpole&size=200", "1.1.1.1", "","", 20, Method.GET, null)));
     }
 
     @Test
     public final void testExternalMethods() {
-        Assert.assertNull(acl.check(new ACLRequest("http://es/index1/_search?q=item.name:fishingpole&size=200", "1.1.1.1", "", "", 0, Method.OPTIONS)));
+        Assert.assertNull(acl.check(new ACLRequest("http://es/index1/_search?q=item.name:fishingpole&size=200", "1.1.1.1", "", "", 0, Method.OPTIONS, null)));
     }
 
     @Test
     public final void testInternalMethods() {
-        Assert.assertNull(acl.check(new ACLRequest("http://es/index1/_search?q=item.name:fishingpole&size=200", "127.0.0.1", "","", 0, Method.HEAD)));
+        Assert.assertNull(acl.check(new ACLRequest("http://es/index1/_search?q=item.name:fishingpole&size=200", "127.0.0.1", "","", 0, Method.HEAD, null)));
     }
 
     @Test
     public final void testNetMask() {
-        Assert.assertNull(acl.check(new ACLRequest("http://es/index1/_search?q=item.name:fishingpole&size=200", "192.168.1.5", "","", 0, Method.POST)));
+        Assert.assertNull(acl.check(new ACLRequest("http://es/index1/_search?q=item.name:fishingpole&size=200", "192.168.1.5", "","", 0, Method.POST, null)));
     }
 
     @Test
     public final void testApiKey() {
-        Assert.assertNull(acl.check(new ACLRequest("http://es/index1/_search?q=item.name:fishingpole&size=200", "192.168.1.5", "1234567890","", 0, Method.POST)));
+        Assert.assertNull(acl.check(new ACLRequest("http://es/index1/_search?q=item.name:fishingpole&size=200", "1.1.1.1", "1234567890","", 0, Method.POST, null)));
     }
 
     @Test
     public final void testHttpBasicAuth() {
         String secret64 = Base64.encodeBytes("1234567890".getBytes(Charsets.UTF_8));
-        Assert.assertNull(acl.check(new ACLRequest("http://es/index1/_search?q=item.name:fishingpole&size=200", "192.168.1.5","", secret64, 0, Method.POST)));
+        Assert.assertNull(acl.check(new ACLRequest("http://es/index1/_search?q=item.name:fishingpole&size=200", "1.1.1.1","", secret64, 0, Method.POST, null)));
     }
 
+    @Test
+    public final void testXforwardedForHeader() {
+        Assert.assertNull(acl.check(new ACLRequest("http://es/index1/_search?q=item.name:fishingpole&size=200", "1.1.1.1", "","", 0, Method.POST, "9.9.9.9")));
+    }
+
+
 }

src/test/java/org/elasticsearch/rest/action/readonlyrest/acl/test/MarvelPassthroughACL.java

@@ -41,7 +41,7 @@ public void tearDown() throws Exception {}
 
     @Test
     public final void testInternalMethods(){
-        Assert.assertNull(acl.check( new ACLRequest(".marvel-2015.11.10/_search", "127.0.0.1", "", "", 0, Method.POST)));
+        Assert.assertNull(acl.check( new ACLRequest(".marvel-2015.11.10/_search", "127.0.0.1", "", "", 0, Method.POST, null)));
     }
 
 }

src/test/three_rules.yml

@@ -28,8 +28,13 @@ readonlyrest:
     # Default policy is to forbid everything, so let's define a whitelist
     access_control_rules:
 
-    - name: full access to Basic Auth
+    - name: read X-Forwarded-For header and interpret it as part of "hosts"
       type: allow 
+      accept_x-forwarded-for_header: true
+      hosts: [9.9.9.9]
+
+    - name: full access to Basic Auth
+      type: allow
       auth_key: 1234567890
 
     - name: full access to API Key