Merge pull request #129 from yaauie/request-authentication-when-required-and-missing

yaauie · web-flow · commit 3b1bf4d1fb19 · 2020-10-19T07:01:32.000-07:00
negotiate for credentials when required and not supplied
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 3.3.6
+ - Fixes a regression introduced in 3.1.0's migration to the Netty back-end that broke some users'
+   browser-based workflows. When an instance of this plugin that is configured to require Basic
+   authentication receives a request that does not include authentication, it now appropriately
+   includes an `WWW-Authenticate` header in its `401 Unauthorized` response, allowing the browser
+   to collect credentials before retrying the request.
+
 ## 3.3.5
  - Updated jackson databind and Netty dependencies. Additionally, this release removes the dependency on `tcnative` +
    `boringssl`, using JVM supplied ciphers instead. This may result in fewer ciphers being available if the JCE
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-3.3.5
+3.3.6
diff --git a/lib/logstash/inputs/http/message_handler.rb b/lib/logstash/inputs/http/message_handler.rb
@@ -22,6 +22,10 @@ def validates_token(token)
       end
     end
 
+    def requires_token
+      !!@auth_token
+    end
+
     def onNewMessage(remote_address, headers, body)
       @input.decode_body(headers, remote_address, body, @default_codec, @additional_codecs)
     end
diff --git a/spec/inputs/http_spec.rb b/spec/inputs/http_spec.rb
@@ -279,6 +279,11 @@
         it "should respond with 401" do
           expect(response.code).to eq(401)
         end
+        it 'should include a WWW-Authenticate: Basic header' do
+          expect(response['WWW-Authenticate']).to_not be_nil
+
+          expect(response['WWW-Authenticate']).to start_with('Basic realm=')
+        end
         it "should not generate an event" do
           expect(logstash_queue).to be_empty
         end
@@ -295,6 +300,9 @@
         it "should respond with 401" do
           expect(response.code).to eq(401)
         end
+        it 'should not include a WWW-Authenticate header' do
+          expect(response['WWW-Authenticate']).to be_nil
+        end
         it "should not generate an event" do
           expect(logstash_queue).to be_empty
         end
diff --git a/src/main/java/org/logstash/plugins/inputs/http/IMessageHandler.java b/src/main/java/org/logstash/plugins/inputs/http/IMessageHandler.java
@@ -23,6 +23,8 @@ public interface IMessageHandler {
      */
     boolean validatesToken(String token);
 
+    boolean requiresToken();
+
     /**
      *
      * @return copy of the message handler
diff --git a/src/main/java/org/logstash/plugins/inputs/http/MessageHandler.java b/src/main/java/org/logstash/plugins/inputs/http/MessageHandler.java
@@ -41,4 +41,6 @@ public Map<String, String> responseHeaders() {
         logger.debug("responseHeaders");
         return null;
     }
+
+    public boolean requiresToken() { return false; }
 }
diff --git a/src/main/java/org/logstash/plugins/inputs/http/MessageProcessor.java b/src/main/java/org/logstash/plugins/inputs/http/MessageProcessor.java
@@ -11,6 +11,8 @@
 import io.netty.handler.codec.http.HttpHeaders;
 import io.netty.handler.codec.http.HttpResponse;
 import io.netty.handler.codec.http.HttpResponseStatus;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.logstash.plugins.inputs.http.util.RejectableRunnable;
 
 import java.nio.charset.Charset;
@@ -23,7 +25,9 @@ public class MessageProcessor implements RejectableRunnable {
     private final String remoteAddress;
     private final IMessageHandler messageHandler;
     private final HttpResponseStatus responseStatus;
-    private static final Charset charset = Charset.forName("UTF-8");
+
+    private static final Charset UTF8_CHARSET = Charset.forName("UTF-8");
+    private final static Logger LOGGER = LogManager.getLogger(MessageHandler.class);
 
     MessageProcessor(ChannelHandlerContext ctx, FullHttpRequest req, String remoteAddress,
                             IMessageHandler messageHandler, HttpResponseStatus responseStatus) {
@@ -47,12 +51,19 @@ public void onRejection() {
     public void run() {
         try {
             final HttpResponse response;
-            final String token = req.headers().get(HttpHeaderNames.AUTHORIZATION);
-            req.headers().remove(HttpHeaderNames.AUTHORIZATION);
-            if (messageHandler.validatesToken(token)) {
-                response = processMessage();
+            if (messageHandler.requiresToken() && !req.headers().contains(HttpHeaderNames.AUTHORIZATION)) {
+                LOGGER.debug("Required authorization not provided; requesting authentication.");
+                response = generateAuthenticationRequestResponse();
             } else {
-                response = generateFailedResponse(HttpResponseStatus.UNAUTHORIZED);
+                final String token = req.headers().get(HttpHeaderNames.AUTHORIZATION);
+                req.headers().remove(HttpHeaderNames.AUTHORIZATION);
+                if (messageHandler.validatesToken(token)) {
+                    LOGGER.debug("Valid authorization; processing request.");
+                    response = processMessage();
+                } else {
+                    LOGGER.debug("Invalid authorization; rejecting request.");
+                    response = generateFailedResponse(HttpResponseStatus.UNAUTHORIZED);
+                }
             }
             ctx.writeAndFlush(response);
         } finally {
@@ -62,7 +73,7 @@ public void run() {
 
     private FullHttpResponse processMessage() {
         final Map<String, String> formattedHeaders = formatHeaders(req.headers());
-        final String body = req.content().toString(charset);
+        final String body = req.content().toString(UTF8_CHARSET);
         if (messageHandler.onNewMessage(remoteAddress, formattedHeaders, body)) {
             return generateResponse(messageHandler.responseHeaders());
         } else {
@@ -76,6 +87,13 @@ private FullHttpResponse generateFailedResponse(HttpResponseStatus status) {
         return response;
     }
 
+    private FullHttpResponse generateAuthenticationRequestResponse() {
+        final FullHttpResponse response = new DefaultFullHttpResponse(req.protocolVersion(), HttpResponseStatus.UNAUTHORIZED);
+        response.headers().set(HttpHeaderNames.WWW_AUTHENTICATE, "Basic realm=\"Logstash HTTP Input\"");
+        response.headers().set(HttpHeaderNames.CONTENT_LENGTH, 0);
+        return response;
+    }
+
     private FullHttpResponse generateResponse(Map<String, String> stringHeaders) {
 
         final FullHttpResponse response = new DefaultFullHttpResponse(
@@ -88,7 +106,7 @@ private FullHttpResponse generateResponse(Map<String, String> stringHeaders) {
         response.headers().set(headers);
 
         if (responseStatus != HttpResponseStatus.NO_CONTENT) {
-            final ByteBuf payload = Unpooled.wrappedBuffer("ok".getBytes(charset));
+            final ByteBuf payload = Unpooled.wrappedBuffer("ok".getBytes(UTF8_CHARSET));
             response.headers().set(HttpHeaderNames.CONTENT_LENGTH, payload.readableBytes());
             response.headers().set(HttpHeaderNames.CONTENT_TYPE, "text/plain");
             response.content().writeBytes(payload);

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,8 @@ public interface IMessageHandler {`
`23`	`23`	`*/`
`24`	`24`	`boolean validatesToken(String token);`
`25`	`25`
	`26`	`+ boolean requiresToken();`
	`27`	`+`
`26`	`28`	`/**`
`27`	`29`	`*`
`28`	`30`	`* @return copy of the message handler`
Original file line number	Diff line number	Diff line change
`@@ -41,4 +41,6 @@ public Map<String, String> responseHeaders() {`
`41`	`41`	`logger.debug("responseHeaders");`
`42`	`42`	`return null;`
`43`	`43`	`}`
	`44`	`+`
	`45`	`+ public boolean requiresToken() { return false; }`
`44`	`46`	`}`