Merge pull request #6 from karussell/master

Maven integration, 0.20.5 update, IP whitelist, CORS support

Author: Peter

.gitignore

@@ -1,3 +1,6 @@
 *.class
 *.jar
 *.zip
+/target/
+*~
+deploy.sh

pom.xml

@@ -0,0 +1,87 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.asquera.elasticsearch</groupId>
+    <artifactId>http-basic</artifactId>
+    <version>0.20.5-SNAPSHOT</version>
+    <packaging>jar</packaging>
+
+    <name>Basic Authentication Plugin</name>
+    <url>http://maven.apache.org</url>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <elasticsearch.version>0.20.5</elasticsearch.version>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.elasticsearch</groupId>
+            <artifactId>elasticsearch</artifactId>
+            <version>${elasticsearch.version}</version>
+        </dependency>
+        
+        <dependency>
+            <groupId>org.testng</groupId>
+            <artifactId>testng</artifactId>
+            <version>6.8</version>
+            <scope>test</scope>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.hamcrest</groupId>
+                    <artifactId>hamcrest-core</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>junit</groupId>
+                    <artifactId>junit</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.hamcrest</groupId>
+            <artifactId>hamcrest-all</artifactId>
+            <version>1.3</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+    <build>
+        <!-- Create a zip file according to elasticsearch naming scheme -->
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-antrun-plugin</artifactId>
+                <version>1.6</version>
+                <executions>
+                    <execution>
+                        <id>zip</id>
+                        <phase>package</phase>
+                        <configuration>
+                            <target>
+                                <zip basedir="${project.build.directory}"
+                                     includes="${project.build.finalName}.jar"
+                                     destfile="${project.build.directory}/elasticsearch-${project.artifactId}-${elasticsearch.version}.zip" />
+                            </target>
+                        </configuration>
+                        <goals>
+                            <goal>run</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+
+        <pluginManagement>
+            <plugins>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-compiler-plugin</artifactId>
+                    <configuration>
+                        <source>1.6</source>
+                        <target>1.6</target>
+                    </configuration>
+                </plugin>
+            </plugins>
+        </pluginManagement>
+    </build>
+</project>

reinstall.sh

@@ -0,0 +1,6 @@
+ES=/usr/share/elasticsearch
+sudo $ES/bin/plugin remove http-basic
+mvn -DskipTests clean package
+FILE=`ls ./target/elasticsearch-*zip`
+sudo $ES/bin/plugin -url file:$FILE -install http-basic
+sudo service elasticsearch restart

src/main/java/com/asquera/elasticsearch/plugins/http/HttpBasicServer.java

@@ -9,71 +9,156 @@
 import org.elasticsearch.common.Base64;
 
 import org.elasticsearch.rest.RestRequest;
-import org.elasticsearch.rest.StringRestResponse;
 
 import static org.elasticsearch.rest.RestStatus.*;
 
 import java.io.IOException;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+import org.elasticsearch.common.logging.Loggers;
+import org.elasticsearch.rest.RestRequest.Method;
+import org.elasticsearch.rest.StringRestResponse;
 
+// # possible http config
+// http.basic.user: admin
+// http.basic.password: password
+// http.basic.ipwhitelist: ["localhost", "somemoreip"]
+// http.basic.xforward: "X-Forwarded-For"
+// # if you use javascript
+// # EITHER $.ajaxSetup({ headers: { 'Authorization': "Basic " + credentials }});
+// # OR use beforeSend in  $.ajax({
+// http.cors.allow-headers: "X-Requested-With, Content-Type, Content-Length, Authorization"
+// 
 /**
  * @author Florian Gilcher (florian.gilcher@asquera.de)
+ * @author Peter Karich
  */
 public class HttpBasicServer extends HttpServer {
+
     private final String user;
     private final String password;
-    
+    private final Set<String> whitelist;
+    private final String xForwardFor;
+    private final boolean log;
+
     @Inject public HttpBasicServer(Settings settings, Environment environment, HttpServerTransport transport,
-                              RestController restController,
-                              NodeService nodeService) {
-        super(settings, environment, transport, restController, nodeService);                                  
-    
-        this.user = settings.get("http.basic.user");
-        this.password = settings.get("http.basic.password");
+            RestController restController,
+            NodeService nodeService) {
+        super(settings, environment, transport, restController, nodeService);
+
+        this.user = settings.get("http.basic.user", "admin");
+        this.password = settings.get("http.basic.password", "admin_pw");
+        this.whitelist = new HashSet<String>(Arrays.asList(
+                settings.getAsArray("http.basic.ipwhitelist",
+                new String[]{"localhost", "127.0.0.1"})));
+
+        // for AWS load balancers it is X-Forwarded-For -> hmmh does not work 
+        this.xForwardFor = settings.get("http.basic.xforward", "");
+        this.log = settings.getAsBoolean("http.basic.log", false);
+        Loggers.getLogger(getClass()).info("using {}:{} with whitelist {}, xforward {}",
+                user, password, whitelist, xForwardFor);
     }
-    
+
+    @Override
     public void internalDispatchRequest(final HttpRequest request, final HttpChannel channel) {
-        if (shouldLetPass(request) || authBasic(request)) {
+        if (log)
+            logger.info("Authorization:{}, host:{}, xforward:{}, path:{}, isInWhitelist:{}, Client-IP:{}, X-Client-IP:{}",
+                    request.header("Authorization"), request.header("host"),
+                    request.header(xForwardFor), request.path(), isInIPWhitelist(request),
+                    request.header("X-Client-IP"), request.header("Client-IP"));
+
+        // allow health check even without authorization
+        if (healthCheck(request)) {
+            channel.sendResponse(new StringRestResponse(OK, "{\"OK\":{}}"));
+        } else if (allowOptionsForCORS(request) || authBasic(request) || isInIPWhitelist(request)) {
             super.internalDispatchRequest(request, channel);
         } else {
-            channel.sendResponse(new StringRestResponse(UNAUTHORIZED));
+            String addr = getAddress(request);
+            Loggers.getLogger(getClass()).error("UNAUTHORIZED type:{}, address:{}, path:{}, request:{}, content:{}, credentials:{}",
+                    request.method(), addr, request.path(), request.params(), request.content().toUtf8(), getDecoded(request));
+            channel.sendResponse(new StringRestResponse(UNAUTHORIZED, "Authentication Required"));
         }
     }
 
-    private boolean shouldLetPass(final HttpRequest request) {
-        return (request.method() == RestRequest.Method.GET) && request.path().equals("/");
+    private boolean healthCheck(final HttpRequest request) {
+        String path = request.path();
+        return (request.method() == RestRequest.Method.GET) && path.equals("/");
     }
-    
-    private boolean authBasic(final HttpRequest request){
+
+    public String getDecoded(HttpRequest request) {
         String authHeader = request.header("Authorization");
-        
-        if (authHeader == null) {
-            return false;
-        }
-        
-        String[] split = authHeader.split(" ");
+        if (authHeader == null)
+            return "";
 
-        if (!split[0].equals("Basic")){
-            return false;
+        String[] split = authHeader.split(" ", 2);
+        if (split.length != 2 || !split[0].equals("Basic"))
+            return "";
+        try {
+            return new String(Base64.decode(split[1]));
+        } catch (IOException ex) {
+            throw new RuntimeException(ex);
         }
+    }
 
-        String decoded = null;
-        
+    private boolean authBasic(final HttpRequest request) {
+        String decoded = "";
         try {
-            decoded = new String(Base64.decode(split[1]));
-        } catch (IOException e) {
-            logger.warn("Decoding of basic auth failed.");
-            return false;
+            decoded = getDecoded(request);
+            if (!decoded.isEmpty()) {
+                String[] userAndPassword = decoded.split(":", 2);
+                String givenUser = userAndPassword[0];
+                String givenPass = userAndPassword[1];
+                if (this.user.equals(givenUser) && this.password.equals(givenPass))
+                    return true;
+            }
+        } catch (Exception e) {
+            logger.warn("Retrieving of user and password failed for " + decoded + " ," + e.getMessage());
         }
-        
-        String[] user_and_password = decoded.split(":");
-        String given_user = user_and_password[0];
-        String given_pass = user_and_password[1];
-        
-        if (this.user.equals(given_user) &&
-            this.password.equals(given_pass)) {
-            return true;
+        return false;
+    }
+
+    private String getAddress(HttpRequest request) {
+        String addr;
+        if (xForwardFor.isEmpty()) {
+            addr = request.header("Host");
+            addr = addr == null ? "" : addr;
         } else {
+            addr = request.header(xForwardFor);
+            addr = addr == null ? "" : addr;
+            int addrIndex = addr.indexOf(',');
+            if (addrIndex >= 0)
+                addr = addr.substring(0, addrIndex);
+        }
+
+        int portIndex = addr.indexOf(":");
+        if (portIndex >= 0)
+            addr = addr.substring(0, portIndex);
+        return addr;
+    }
+
+    private boolean isInIPWhitelist(HttpRequest request) {
+        String addr = getAddress(request);
+//        Loggers.getLogger(getClass()).info("address {}, path {}, request {}",
+//                addr, request.path(), request.params());
+        if (whitelist.isEmpty() || addr.isEmpty())
             return false;
+        return whitelist.contains(addr);
+    }
+
+    /**
+     * https://en.wikipedia.org/wiki/Cross-origin_resource_sharing the
+     * specification mandates that browsers “preflight” the request, soliciting
+     * supported methods from the server with an HTTP OPTIONS request
+     */
+    private boolean allowOptionsForCORS(HttpRequest request) {
+        // in elasticsearch.yml set
+        // http.cors.allow-headers: "X-Requested-With, Content-Type, Content-Length, Authorization"
+        if (request.method() == Method.OPTIONS) {
+//            Loggers.getLogger(getClass()).error("CORS type {}, address {}, path {}, request {}, content {}",
+//                    request.method(), getAddress(request), request.path(), request.params(), request.content().toUtf8());
+            return true;
         }
+        return false;
     }
-}
+}

src/main/java/com/asquera/elasticsearch/plugins/http/HttpBasicServerModule.java

@@ -1,7 +1,5 @@
 package com.asquera.elasticsearch.plugins.http;
 
-import org.elasticsearch.common.inject.AbstractModule;
-import com.asquera.elasticsearch.plugins.http.HttpBasicServer;
 import org.elasticsearch.http.HttpServerModule;
 import org.elasticsearch.common.settings.Settings;
 

src/main/java/com/asquera/elasticsearch/plugins/http/HttpBasicServerPlugin.java

@@ -4,10 +4,6 @@
 import org.elasticsearch.common.inject.Module;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.plugins.AbstractPlugin;
-import org.elasticsearch.http.HttpServerModule;
-import org.elasticsearch.http.HttpServer;
-import com.asquera.elasticsearch.plugins.http.HttpBasicServer;
-import com.asquera.elasticsearch.plugins.http.HttpBasicServerModule;
 import org.elasticsearch.common.component.LifecycleComponent;
 import org.elasticsearch.common.settings.ImmutableSettings;
 
@@ -19,8 +15,10 @@
  * @author Florian Gilcher (florian.gilcher@asquera.de)
  */
 public class HttpBasicServerPlugin extends AbstractPlugin {
+
+    private boolean enabledByDefault = true;
     private final Settings settings;
-    
+
     @Inject public HttpBasicServerPlugin(Settings settings) {
         this.settings = settings;
     }
@@ -32,26 +30,28 @@ public class HttpBasicServerPlugin extends AbstractPlugin {
     @Override public String description() {
         return "HTTP Basic Server Plugin";
     }
-    
+
     @Override public Collection<Class<? extends Module>> modules() {
         Collection<Class<? extends Module>> modules = newArrayList();
-        if (settings.getAsBoolean("http.basic.enabled", false)) {
+        if (settings.getAsBoolean("http.basic.enabled", enabledByDefault)) {
             modules.add(HttpBasicServerModule.class);
         }
         return modules;
     }
-    
+
     @Override public Collection<Class<? extends LifecycleComponent>> services() {
         Collection<Class<? extends LifecycleComponent>> services = newArrayList();
-        if (settings.getAsBoolean("http.basic.enabled", false)) {
+        if (settings.getAsBoolean("http.basic.enabled", enabledByDefault)) {
             services.add(HttpBasicServer.class);
         }
         return services;
     }
-    
+
     @Override public Settings additionalSettings() {
-        if (settings.getAsBoolean("http.basic.enabled", false)) {
-            return ImmutableSettings.settingsBuilder().put("http.enabled", false).build();
+        if (settings.getAsBoolean("http.basic.enabled", enabledByDefault)) {
+            return ImmutableSettings.settingsBuilder().
+                    put("http.enabled", false).                    
+                    build();
         } else {
             return ImmutableSettings.Builder.EMPTY_SETTINGS;
         }