Only log Invalid Authorization header when HTTP Basic auth challenge is called

[cwperks]

Description

This PR is a replacement for #5221 which simplifies the logic in the basic authenticator.

The goal is to only log this in valid scenarios. The following criteria needs to be met:

• Request has invalid basic auth header
  1. no Authorization header
  2. not a basic auth header
  3. corrupted basic auth header..i.e. the base64 encoded header has no : delimiter
• There is a one-and-only-one challenging basic auth authenticator
• If SAML is configured (and SAML requires challenge: true) this log line should never be logged.

• Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)

Bugfix

Check List

• New functionality includes testing
• New functionality has been documented
• New Roles/Permissions have a corresponding security dashboards plugin PR
• API changes companion pull request created
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[cwperks]

CC: @StewartWBrown @terryquigleysas @shikharj05 This should solve the problem and only log this line when appropriate.

[terryquigleysas]

CC: @StewartWBrown @terryquigleysas @shikharj05 This should solve the problem and only log this line when appropriate.

I agree. See also #5221 (comment)

Thanks @cwperks

[codecov]

Codecov Report

Attention: Patch coverage is 75.00000% with 1 line in your changes missing coverage. Please review.

Project coverage is 72.12%. Comparing base (79a663e) to head (0542a9e).
Report is 9 commits behind head on main.

Files with missing lines	Patch %	Lines
.../org/opensearch/security/auth/BackendRegistry.java	50.00%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5377      +/-   ##
==========================================
- Coverage   72.23%   72.12%   -0.11%     
==========================================
  Files         382      382              
  Lines       23697    23696       -1     
  Branches     3644     3644              
==========================================
- Hits        17117    17091      -26     
- Misses       4781     4806      +25     
  Partials     1799     1799              

Files with missing lines	Coverage Δ
...ensearch/security/http/HTTPBasicAuthenticator.java	81.81% <100.00%> (ø)
...va/org/opensearch/security/support/HTTPHelper.java	84.00% <100.00%> (-0.62%)	⬇️
.../org/opensearch/security/auth/BackendRegistry.java	77.81% <50.00%> (+0.29%)	⬆️

... and 6 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[StewartWBrown]

Thanks so much for doing this @cwperks! Seems like a good approach for this pesky log-buildup. Missed the other location of this log message when making my PR!

[terryquigleysas]

@cwperks Thank you for providing this approach. Could it be backported to 2.19 too please?

[StewartWBrown]

This being merged should resolve #4054 ! :)

[opensearch-trigger-bot]

The backport to 2.19 failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.19 2.19
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.19
# Create a new branch
git switch --create backport/backport-5377-to-2.19
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 9e6047f99da4df3404e2d52f3afe4e49e508c3a5
# Push it to GitHub
git push --set-upstream origin backport/backport-5377-to-2.19
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.19

Then, create a pull request where the base branch is 2.19 and the compare/head branch is backport/backport-5377-to-2.19.

[cwperks]

@cwperks Thank you for providing this approach. Could it be backported to 2.19 too please?

Opened a backport to 2.19 branch: #5390