Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Warning headers are removed on any failure #75739

Closed
pgomulka opened this issue Jul 27, 2021 · 4 comments · Fixed by #76434
Closed

Warning headers are removed on any failure #75739

pgomulka opened this issue Jul 27, 2021 · 4 comments · Fixed by #76434
Assignees
@BigPandaToo
Labels
>bug :Security/Security Security issues without another label Team:Security Meta label for security team v8.0.0-alpha2

Comments

@pgomulka
Copy link
Contributor

Whenever a request fails, the previously emitted response header warnings are removed from a response.
This was intentionally done so that when authentication fails, there would be no warnings presented to a user.
However when a failure is not related to authentication, headers are removed as well.
I suspect this behaviour fails only when security is enabled

introduced by #64948

reproduction steps:

  1. create an index
  2. send a request that emits a warning and also fails. For instance a rest api compatible typed search endpoint - emits deprecation warning- and typed query - fails parsing.

--url http://localhost:9200/test1/sometype/_search
--header ‘Accept: application/vnd.elasticsearch+json;compatible-with=7’
--header ‘Authorization: Basic ZWxhc3RpYzpwYXNzd29yZA==’
--header ‘Content-Type: application/vnd.elasticsearch+json;compatible-with=7’
--header ‘X-Opaque-ID: he’
--data ‘{
“query”: {
“type”:{
“value”: “_doc”
}
}
}’

`Warning` headers are missing
@pgomulka pgomulka added >bug :Security/Security Security issues without another label v8.0.0 needs:triage Requires assignment of a team area label labels Jul 27, 2021
@elasticmachine elasticmachine added the Team:Security Meta label for security team label Jul 27, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

@BigPandaToo
Copy link
Contributor

While adding a warning header when a license is about to expire we also removed all the warning headers from response if it fails when handling the request in SecurityRestFilter. But SecurityRestFilter handles all exceptions happening during the request including not security related.
We can limit warning headers filtering to only filter 401 (or 401 and 403) in filterHeaders like:
if (headers.containsKey("Warning") && (restStatus == RestStatus.UNAUTHORIZED || restStatus == RestStatus.FORBIDDEN)) {...

@albertzaharovits albertzaharovits removed the needs:triage Requires assignment of a team area label label Jul 29, 2021
@tvernum
Copy link
Contributor

tvernum commented Aug 10, 2021

@BigPandaToo Where did we get to with the fix for this?

@BigPandaToo
Copy link
Contributor

@BigPandaToo Where did we get to with the fix for this?

Adding test

BigPandaToo added a commit to BigPandaToo/elasticsearch that referenced this issue Aug 12, 2021
@BigPandaToo
Don't remove warning headers on all failure
fa37403 
We shouldn't remove warning when request is failing not because of
security reasons (syntax error for ex.).
Note, that security related failure could happen not only during
authentication (therefore we will check for the rest status), also all
failures happened during authentication will be considered security
related and warnings will be removed from the response.

Resolves: elastic#75739
@BigPandaToo BigPandaToo mentioned this issue Aug 12, 2021
Merged
BigPandaToo added a commit that referenced this issue Aug 16, 2021
@BigPandaToo
Don't remove warning headers on all failure (#76434)
34ea976 
* Don't remove warning headers on all failure

We shouldn't remove warning when request is failing not because of
security reasons (syntax error for ex.).
Note, that security related failure could happen not only during
authentication (therefore we will check for the rest status), also all
failures happened during authentication will be considered security
related and warnings will be removed from the response.

Resolves: #75739
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@BigPandaToo BigPandaToo

Labels
>bug :Security/Security Security issues without another label Team:Security Meta label for security team v8.0.0-alpha2
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Don't remove warning headers on all failure BigPandaToo/elasticsearch
6 participants
@jakelandis @tvernum @albertzaharovits @pgomulka @elasticmachine @BigPandaToo