opensearch-project · StewartWBrown · Mar 14, 2025 · Apr 24, 2025 · Apr 25, 2025 · Apr 25, 2025
@@ -279,7 +279,7 @@ public boolean authenticate(final SecurityRequestChannel request) {
             }
             final AuthCredentials ac;
             try {
-                ac = httpAuthenticator.extractCredentials(request, threadPool.getThreadContext());
+                ac = httpAuthenticator.extractCredentials(request, threadPool.getThreadContext(), authDomain.isChallenge());
             } catch (Exception e1) {
                 if (isDebugEnabled) {
                     log.debug("'{}' extracting credentials from {} http authenticator", e1.toString(), httpAuthenticator.getType(), e1);

@@ -66,13 +66,15 @@ public interface HTTPAuthenticator {
      *
      * @param request The rest request
      * @param context The current thread context
+     * @param isChallenge The challenge setting of authentication method currently being evaluated
      * @return The authentication credentials (complete or incomplete) or null when no credentials are found in the request
      * <p>
      * When the credentials could be fully extracted from the request {@code .markComplete()} must be called on the {@link AuthCredentials} which are returned.
      * If the authentication flow needs another roundtrip with the request originator do not mark it as complete.
      * @throws OpenSearchSecurityException
      */
-    AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext context) throws OpenSearchSecurityException;
+    AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext context, final boolean isChallenge)
+        throws OpenSearchSecurityException;
 
     /**
      * If the {@code extractCredentials()} call was not successful or the authentication flow needs another roundtrip this method

@@ -97,7 +97,7 @@ public AbstractHTTPJwtAuthenticator(Settings settings, Path configPath) {
 
     @Override
     @SuppressWarnings("removal")
-    public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext context)
+    public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext context, final boolean isChallenge)
         throws OpenSearchSecurityException {
         final SecurityManager sm = System.getSecurityManager();
 

@@ -108,7 +108,7 @@ public HTTPJwtAuthenticator(final Settings settings, final Path configPath) {
 
     @Override
     @SuppressWarnings("removal")
-    public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext context)
+    public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext context, final boolean isChallenge)
         throws OpenSearchSecurityException {
         final SecurityManager sm = System.getSecurityManager();
 

@@ -171,7 +171,7 @@ public Void run() {
 
     @Override
     @SuppressWarnings("removal")
-    public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext threadContext) {
+    public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext threadContext, final boolean isChallenge) {
         final SecurityManager sm = System.getSecurityManager();
 
         if (sm != null) {

@@ -158,15 +158,15 @@
     }
 
     @Override
-    public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext threadContext)
+    public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext threadContext, final boolean isChallenge)
         throws OpenSearchSecurityException {
         Matcher matcher = PATTERN_PATH_PREFIX.matcher(request.path());
         final String suffix = matcher.matches() ? matcher.group(2) : null;
         if (API_AUTHTOKEN_SUFFIX.equals(suffix)) {
             return null;
         }
 
-        AuthCredentials authCredentials = this.httpJwtAuthenticator.extractCredentials(request, threadContext);
+        AuthCredentials authCredentials = this.httpJwtAuthenticator.extractCredentials(request, threadContext, isChallenge);
 
         if (AUTHINFO_SUFFIX.equals(suffix)) {
             this.initLogoutUrl(threadContext, authCredentials);

@@ -52,7 +52,7 @@ public HTTPBasicAuthenticator(final Settings settings, final Path configPath) {
     }
 
     @Override
-    public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext threadContext) {
+    public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext threadContext, final boolean isChallenge) {
 
         final boolean forceLogin = Boolean.getBoolean(request.params().get("force_login"));
 
@@ -62,7 +62,7 @@ public AuthCredentials extractCredentials(final SecurityRequest request, final T
 
         final String authorizationHeader = request.header("Authorization");
 
-        return HTTPHelper.extractCredentials(authorizationHeader, log);
+        return HTTPHelper.extractCredentials(authorizationHeader, log, isChallenge);
     }
 
     @Override

@@ -57,7 +57,7 @@ public HTTPClientCertAuthenticator(final Settings settings, final Path configPat
     }
 
     @Override
-    public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext threadContext) {
+    public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext threadContext, final boolean isChallenge) {
 
         final String principal = threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_PRINCIPAL);
 

@@ -57,7 +57,7 @@ public HTTPProxyAuthenticator(Settings settings, final Path configPath) {
     }
 
     @Override
-    public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext context) {
+    public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext context, final boolean isChallenge) {
 
         if (context.getTransient(ConfigConstants.OPENDISTRO_SECURITY_XFF_DONE) != Boolean.TRUE) {
             throw new OpenSearchSecurityException("xff not done");

@@ -146,7 +146,7 @@ private String[] extractBackendRolesFromClaims(Claims claims) {
 
     @Override
     @SuppressWarnings("removal")
-    public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext context)
+    public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext context, final boolean isChallenge)
         throws OpenSearchSecurityException {
         final SecurityManager sm = System.getSecurityManager();
 

@@ -54,8 +54,8 @@ public HTTPExtendedProxyAuthenticator(Settings settings, final Path configPath)
     }
 
     @Override
-    public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext context) {
-        AuthCredentials credentials = super.extractCredentials(request, context);
+    public AuthCredentials extractCredentials(final SecurityRequest request, final ThreadContext context, final boolean isChallenge) {
+        AuthCredentials credentials = super.extractCredentials(request, context, isChallenge);
         if (credentials == null) {
             return null;
         }

@@ -38,11 +38,17 @@
 
 public class HTTPHelper {
 
-    public static AuthCredentials extractCredentials(String authorizationHeader, Logger log) {
+    public static AuthCredentials extractCredentials(String authorizationHeader, Logger log, boolean isChallenge) {
+
+        boolean isTraceEnabled = log.isTraceEnabled();
 
         if (authorizationHeader != null) {
             if (!authorizationHeader.trim().toLowerCase().startsWith("basic ")) {
-                log.warn("No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'");
+                if (isChallenge) {
+                    log.warn("No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'");
+                } else if (isTraceEnabled) {
+                    log.trace("No 'Basic Authorization' header");
+                }
                 return null;
             } else {
 

@@ -108,30 +108,30 @@ public void testSearchScroll() throws Exception {
     public void testDnParsingCertAuth() throws Exception {
         Settings settings = Settings.builder().put("username_attribute", "cn").put("roles_attribute", "l").build();
         HTTPClientCertAuthenticator auth = new HTTPClientCertAuthenticator(settings, null);
-        assertThat(auth.extractCredentials(null, newThreadContext("cn=abc,cn=xxx,l=ert,st=zui,c=qwe")).getUsername(), is("abc"));
-        assertThat(auth.extractCredentials(null, newThreadContext("cn=abc,l=ert,st=zui,c=qwe")).getUsername(), is("abc"));
-        assertThat(auth.extractCredentials(null, newThreadContext("CN=abc,L=ert,st=zui,c=qwe")).getUsername(), is("abc"));
-        assertThat(auth.extractCredentials(null, newThreadContext("l=ert,cn=abc,st=zui,c=qwe")).getUsername(), is("abc"));
-        Assert.assertNull(auth.extractCredentials(null, newThreadContext("L=ert,CN=abc,c,st=zui,c=qwe")));
-        assertThat(auth.extractCredentials(null, newThreadContext("l=ert,st=zui,c=qwe,cn=abc")).getUsername(), is("abc"));
-        assertThat(auth.extractCredentials(null, newThreadContext("L=ert,st=zui,c=qwe,CN=abc")).getUsername(), is("abc"));
-        assertThat(auth.extractCredentials(null, newThreadContext("L=ert,st=zui,c=qwe")).getUsername(), is("L=ert,st=zui,c=qwe"));
+        assertThat(auth.extractCredentials(null, newThreadContext("cn=abc,cn=xxx,l=ert,st=zui,c=qwe"), false).getUsername(), is("abc"));
+        assertThat(auth.extractCredentials(null, newThreadContext("cn=abc,cn=xxx,l=ert,st=zui,c=qwe"), true).getUsername(), is("abc"));
+        assertThat(auth.extractCredentials(null, newThreadContext("cn=abc,l=ert,st=zui,c=qwe"), false).getUsername(), is("abc"));
+        assertThat(auth.extractCredentials(null, newThreadContext("CN=abc,L=ert,st=zui,c=qwe"), false).getUsername(), is("abc"));
+        assertThat(auth.extractCredentials(null, newThreadContext("l=ert,cn=abc,st=zui,c=qwe"), false).getUsername(), is("abc"));
+        Assert.assertNull(auth.extractCredentials(null, newThreadContext("L=ert,CN=abc,c,st=zui,c=qwe"), false));
+        assertThat(auth.extractCredentials(null, newThreadContext("l=ert,st=zui,c=qwe,cn=abc"), false).getUsername(), is("abc"));
+        assertThat(auth.extractCredentials(null, newThreadContext("L=ert,st=zui,c=qwe,CN=abc"), false).getUsername(), is("abc"));
+        assertThat(auth.extractCredentials(null, newThreadContext("L=ert,st=zui,c=qwe"), false).getUsername(), is("L=ert,st=zui,c=qwe"));
         Assert.assertArrayEquals(
             new String[] { "ert" },
-            auth.extractCredentials(null, newThreadContext("cn=abc,l=ert,st=zui,c=qwe")).getBackendRoles().toArray(new String[0])
+            auth.extractCredentials(null, newThreadContext("cn=abc,l=ert,st=zui,c=qwe"), false).getBackendRoles().toArray(new String[0])
         );
         Assert.assertArrayEquals(
             new String[] { "bleh", "ert" },
-            new TreeSet<>(auth.extractCredentials(null, newThreadContext("cn=abc,l=ert,L=bleh,st=zui,c=qwe")).getBackendRoles()).toArray(
-                new String[0]
-            )
+            new TreeSet<>(auth.extractCredentials(null, newThreadContext("cn=abc,l=ert,L=bleh,st=zui,c=qwe"), false).getBackendRoles())
+                .toArray(new String[0])
         );
 
         settings = Settings.builder().build();
         auth = new HTTPClientCertAuthenticator(settings, null);
         assertThat(
             "cn=abc,l=ert,st=zui,c=qwe",
-            is(auth.extractCredentials(null, newThreadContext("cn=abc,l=ert,st=zui,c=qwe")).getUsername())
+            is(auth.extractCredentials(null, newThreadContext("cn=abc,l=ert,st=zui,c=qwe"), false).getUsername())
         );
     }