Added basic authorization via HTTP Header to bypass all ACL checking.

Sebastian Choina · Sebastian Choina · commit c2c8cc292853 · 2015-10-22T20:07:05.000+02:00
diff --git a/src/main/java/org/elasticsearch/rest/action/readonlyrest/ConfigurationHelper.java b/src/main/java/org/elasticsearch/rest/action/readonlyrest/ConfigurationHelper.java
@@ -1,5 +1,7 @@
 package org.elasticsearch.rest.action.readonlyrest;
 
+import org.elasticsearch.common.Base64;
+import org.elasticsearch.common.base.Charsets;
 import org.elasticsearch.common.logging.ESLogger;
 import org.elasticsearch.common.settings.Settings;
 
@@ -19,6 +21,8 @@ public class ConfigurationHelper {
   private final static String K_RESP_REQ_FORBIDDEN = "response_if_req_forbidden";
   final public boolean enabled;
   final public String forbiddenResponse;
+  final public String authKeyBase64;
+  private final static String K_AUTH_KEY = "auth_key";
 
   
   public ConfigurationHelper(Settings settings, ESLogger logger) {
@@ -44,6 +48,16 @@ public ConfigurationHelper(Settings settings, ESLogger logger) {
       this.forbiddenResponse = t;
     }
     
+	String key = s.get(K_AUTH_KEY);
+	if (key != null) {
+		key = key.trim();
+	}
+	if (isNullOrEmpty(key)) {
+		this.authKeyBase64 = null;
+	} else {
+		this.authKeyBase64 = Base64.encodeBytes(key.getBytes(Charsets.UTF_8));
+	}
+    
   }
   
   public static boolean isNullOrEmpty(String s){
diff --git a/src/main/java/org/elasticsearch/rest/action/readonlyrest/ReadonlyRestAction.java b/src/main/java/org/elasticsearch/rest/action/readonlyrest/ReadonlyRestAction.java
@@ -23,6 +23,7 @@
  * <pre>
  * readonlyrest: 
  *  enable: true 
+ *  auth_key: secretAuthKey // this can bypasses all other rules and allows for operation if matched
  *  allow_localhost: true 
  *  whitelist: [192.168.1.144]
  *  forbidden_uri_re: .*bar_me_pls.* 
@@ -57,6 +58,13 @@ public ReadonlyRestAction(final Settings settings, Client client, RestController
 
       @Override
       public void process(RestRequest request, RestChannel channel, RestFilterChain filterChain) {
+		if (isAuthorisedToBypassACL(request, conf)) {
+			logger.debug("Auth ok, will bypass filters");
+			ok(request, filterChain, channel);
+			return;
+		} else {
+			logger.debug("Cannot bypass filters via Authorization");
+		}
         ACLRequest aclReq = new ACLRequest(request, channel);
         String reason = acl.check(aclReq);
         if(reason == null){
@@ -73,6 +81,21 @@ public void process(RestRequest request, RestChannel channel, RestFilterChain fi
       }
     });
   }
+  
+  protected boolean isAuthorisedToBypassACL(RestRequest request, ConfigurationHelper conf) {
+	logger.debug("Auth key: {}", conf.authKeyBase64);
+	if (conf.authKeyBase64 == null) {
+		return false;
+	}
+	String authVal = request.header("Authorization");
+	logger.debug("Auth header: {}", authVal);
+	if (authVal == null) {
+		return false;
+	}
+	String val = authVal.replace("Basic ", "").trim();
+	return val.equals(conf.authKeyBase64);
+  }
+	
   public void ok(RestRequest request, RestFilterChain filterChain, RestChannel channel ){
     filterChain.continueProcessing(request, channel);
   }
