Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle exceptions for adding request body audit log if rest request is invalid #4232

Merged
merged 2 commits into from
Apr 16, 2024
Merged

Handle exceptions for adding request body audit log if rest request is invalid #4232

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
fa6a54f
Handle exceptions for adding request body audit log if rest request i…
Aayush8394 Apr 8, 2024
e0b5bcd
Fixing spotless issue
Aayush8394 Apr 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,8 @@
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.hc.core5.net.URIBuilder;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.opensearch.ExceptionsHelper;
import org.opensearch.cluster.service.ClusterService;
import org.opensearch.common.collect.Tuple;
Expand Down Expand Up @@ -59,6 +61,8 @@

public final class AuditMessage {

private static final Logger log = LogManager.getLogger(AuditMessage.class);

// clustername and cluster uuid
private static final WildcardMatcher AUTHORIZATION_HEADER = WildcardMatcher.from("Authorization", false);
private static final String SENSITIVE_KEY = "password";
Expand Down Expand Up @@ -417,8 +421,9 @@ void addRestRequestInfo(final SecurityRequest request, final AuditConfig.Filter
} else {
auditInfo.put(REQUEST_BODY, requestBody);
}
} catch (IOException e) {
} catch (Exception e) {
auditInfo.put(REQUEST_BODY, "ERROR: Unable to generate request body");
log.error("Error while generating request body for audit log", e);
}
}
}
Expand Down
44 changes: 44 additions & 0 deletions src/test/java/org/opensearch/security/auditlog/impl/AuditMessageTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,9 +26,16 @@
import org.opensearch.cluster.service.ClusterService;
import org.opensearch.common.collect.Tuple;
import org.opensearch.common.xcontent.XContentType;
import org.opensearch.core.common.bytes.BytesArray;
import org.opensearch.core.common.bytes.BytesReference;
import org.opensearch.core.xcontent.NamedXContentRegistry;
import org.opensearch.http.HttpChannel;
import org.opensearch.http.HttpRequest;
import org.opensearch.rest.RestRequest;
import org.opensearch.security.auditlog.AuditLog;
import org.opensearch.security.auditlog.config.AuditConfig;
import org.opensearch.security.filter.SecurityRequest;
import org.opensearch.security.filter.SecurityRequestFactory;
import org.opensearch.security.securityconf.impl.CType;

import static org.junit.Assert.assertEquals;
Expand Down Expand Up @@ -155,4 +162,41 @@ public void testBCryptHashIsRedacted() {
message.addSecurityConfigTupleToRequestBody(new Tuple<>(XContentType.JSON, ref), internalUsersDocId);
assertEquals("Hash in tuple is __HASH__", message.getAsMap().get(AuditMessage.REQUEST_BODY));
}

@Test
public void testRequestBodyLoggingWithInvalidSourceOrContentTypeParam() {
when(auditConfig.getFilter().shouldLogRequestBody()).thenReturn(true);

HttpRequest httpRequest = mock(HttpRequest.class);

// No content or Source paramater
when(httpRequest.uri()).thenReturn("");
when(httpRequest.content()).thenReturn(new BytesArray(new byte[0]));

RestRequest restRequest = RestRequest.request(mock(NamedXContentRegistry.class), httpRequest, mock(HttpChannel.class));
SecurityRequest request = SecurityRequestFactory.from(restRequest);

message.addRestRequestInfo(request, auditConfig.getFilter());
assertNull(message.getAsMap().get(AuditMessage.REQUEST_BODY));

// No source parameter, content present but Invalid content-type header
when(httpRequest.uri()).thenReturn("");
when(httpRequest.content()).thenReturn(new BytesArray(new byte[1]));

restRequest = RestRequest.request(mock(NamedXContentRegistry.class), httpRequest, mock(HttpChannel.class));
request = SecurityRequestFactory.from(restRequest);

message.addRestRequestInfo(request, auditConfig.getFilter());
assertEquals("ERROR: Unable to generate request body", message.getAsMap().get(AuditMessage.REQUEST_BODY));

// No content, source parameter present but Invalid source-content-type parameter
when(httpRequest.uri()).thenReturn("/aaaa?source=request_body");
when(httpRequest.content()).thenReturn(new BytesArray(new byte[0]));

restRequest = RestRequest.request(mock(NamedXContentRegistry.class), httpRequest, mock(HttpChannel.class));
request = SecurityRequestFactory.from(restRequest);

message.addRestRequestInfo(request, auditConfig.getFilter());
assertEquals("ERROR: Unable to generate request body", message.getAsMap().get(AuditMessage.REQUEST_BODY));
}
}
Loading