switch from complete to queue requests

Signed-off-by: Peter Nied <petern@amazon.com>
peternied · Oct 5, 2023 · 8701359 · 8701359
1 parent 7940233
commit 8701359
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 16 deletions.
diff --git a/src/main/java/org/opensearch/security/auth/BackendRegistry.java b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
@@ -201,7 +201,7 @@ public boolean authenticate(final SecurityRequestChannel request) {
                 log.debug("Rejecting REST request because of blocked address: {}", request.getRemoteAddress().orElse(null));
             }
 
-            request.completeWith(new SecurityResponse(SC_UNAUTHORIZED, null, "Authentication finally failed"));
+            request.queueForSending(new SecurityResponse(SC_UNAUTHORIZED, null, "Authentication finally failed"));
             return false;
         }
 
@@ -221,7 +221,7 @@ public boolean authenticate(final SecurityRequestChannel request) {
 
         if (!isInitialized()) {
             log.error("Not yet initialized (you may need to run securityadmin)");
-            request.completeWith(new SecurityResponse(SC_SERVICE_UNAVAILABLE, null, "OpenSearch Security not initialized."));
+            request.queueForSending(new SecurityResponse(SC_SERVICE_UNAVAILABLE, null, "OpenSearch Security not initialized."));
             return false;
         }
 
@@ -295,7 +295,7 @@ public boolean authenticate(final SecurityRequestChannel request) {
                             log.trace("No 'Authorization' header, send 401 and 'WWW-Authenticate Basic'");
                         }
                         notifyIpAuthFailureListeners(request, authCredentials);
-                        request.completeWith(restResponse.get());
+                        request.queueForSending(restResponse.get());
                         return false;
                     }
                 } else {
@@ -312,7 +312,7 @@ public boolean authenticate(final SecurityRequestChannel request) {
                     final Optional<SecurityResponse> restResponse = httpAuthenticator.reRequestAuthentication(request, ac);
                     if (restResponse.isPresent()) {
                         notifyIpAuthFailureListeners(request, ac);
-                        request.completeWith(restResponse.get());
+                        request.queueForSending(restResponse.get());
                         return false;
                     } else {
                         // no reRequest possible
@@ -350,7 +350,7 @@ public boolean authenticate(final SecurityRequestChannel request) {
             if (adminDns.isAdmin(authenticatedUser)) {
                 log.error("Cannot authenticate rest user because admin user is not permitted to login via HTTP");
                 auditLog.logFailedLogin(authenticatedUser.getName(), true, null, request);
-                request.completeWith(
+                request.queueForSending(
                     new SecurityResponse(
                         SC_FORBIDDEN,
                         null,
@@ -425,7 +425,7 @@ public boolean authenticate(final SecurityRequestChannel request) {
 
             notifyIpAuthFailureListeners(request, authCredentials);
 
-            request.completeWith(
+            request.queueForSending(
                 challengeResponse.orElseGet(() -> new SecurityResponse(SC_UNAUTHORIZED, null, "Authentication finally failed"))
             );
             return false;

diff --git a/src/main/java/org/opensearch/security/filter/OpenSearchRequestChannel.java b/src/main/java/org/opensearch/security/filter/OpenSearchRequestChannel.java
@@ -72,7 +72,7 @@ public boolean sendResponse() {
             throw new UnsupportedOperationException("This channel has already completed");
         }
 
-        if (getQueuedResponse()) {
+        if (getQueuedResponse().isEmpty()) {
             throw new UnsupportedOperationException("No response has been associated with this channel");
         }
 

diff --git a/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java b/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java
@@ -132,8 +132,8 @@ public RestHandler wrap(RestHandler original, AdminDNs adminDNs) {
 
             // Authenticate request
             checkAndAuthenticateRequest(requestChannel);
-            if (requestChannel.hasCompleted()) {
-                // Unable to authenticate the caller
+            if (requestChannel.getQueuedResponse().isPresent()) {
+                requestChannel.sendResponse();
                 return;
             }
 
@@ -149,13 +149,14 @@ public RestHandler wrap(RestHandler original, AdminDNs adminDNs) {
                 .or(() -> allowlistingSettings.checkRequestIsAllowed(requestChannel));
 
             if (deniedResponse.isPresent()) {
-                requestChannel.completeWith(deniedResponse.orElseThrow());
+                requestChannel.queueForSending(deniedResponse.orElseThrow());
+                requestChannel.sendResponse();
                 return;
             }
 
             authorizeRequest(original, requestChannel, user);
-            if (requestChannel.hasCompleted()) {
-                // Caller was not authorized
+            if (requestChannel.getQueuedResponse().isPresent()) {
+                requestChannel.sendResponse();
                 return;
             }
 
@@ -209,7 +210,7 @@ private void authorizeRequest(RestHandler original, SecurityRequestChannel reque
                 }
                 log.debug(err);
 
-                request.completeWith(new SecurityResponse(HttpStatus.SC_UNAUTHORIZED, null, err));
+                request.queueForSending(new SecurityResponse(HttpStatus.SC_UNAUTHORIZED, null, err));
                 return;
             }
         }
@@ -223,7 +224,7 @@ public void checkAndAuthenticateRequest(SecurityRequestChannel requestChannel) t
             log.error(exception.toString());
             auditLog.logBadHeaders(requestChannel);
 
-            requestChannel.completeWith(new SecurityResponse(HttpStatus.SC_FORBIDDEN, null, exception.toString()));
+            requestChannel.queueForSending(new SecurityResponse(HttpStatus.SC_FORBIDDEN, null, exception.toString()));
             return;
         }
 
@@ -232,7 +233,7 @@ public void checkAndAuthenticateRequest(SecurityRequestChannel requestChannel) t
             log.error(exception.toString());
             auditLog.logBadHeaders(requestChannel);
 
-            requestChannel.completeWith(new SecurityResponse(HttpStatus.SC_FORBIDDEN, null, exception.toString()));
+            requestChannel.queueForSending(new SecurityResponse(HttpStatus.SC_FORBIDDEN, null, exception.toString()));
             return;
         }
 
@@ -252,7 +253,7 @@ public void checkAndAuthenticateRequest(SecurityRequestChannel requestChannel) t
         } catch (SSLPeerUnverifiedException e) {
             log.error("No ssl info", e);
             auditLog.logSSLException(requestChannel, e);
-            requestChannel.completeWith(new SecurityResponse(HttpStatus.SC_FORBIDDEN, null, null));
+            requestChannel.queueForSending(new SecurityResponse(HttpStatus.SC_FORBIDDEN, null, null));
             return;
         }