SOLR-18048 Move authentication into a Servlet Filter

changelog/unreleased/SOLR-18048.yml

@@ -0,0 +1,8 @@
+# See https://github.com/apache/solr/blob/main/dev-docs/changelog.adoc
+title: Authentication checks have been moved to a Servlet Filter
+type: other # added, changed, fixed, deprecated, removed, dependency_update, security, other
+authors:
+  - name: Gus Heck
+links:
+  - name: SOLR-18048
+    url: https://issues.apache.org/jira/browse/SOLR-18048

solr/core/src/java/org/apache/solr/core/CoreContainer.java

@@ -147,6 +147,7 @@
 import org.apache.solr.search.SolrFieldCacheBean;
 import org.apache.solr.search.SolrIndexSearcher;
 import org.apache.solr.security.AllowListUrlChecker;
+import org.apache.solr.security.AuditEvent;
 import org.apache.solr.security.AuditLoggerPlugin;
 import org.apache.solr.security.AuthenticationPlugin;
 import org.apache.solr.security.AuthorizationPlugin;
@@ -2510,4 +2511,19 @@ public void addKeyVal(Object map, Object key, Object val) throws IOException {
           }
         });
   }
+
+  /**
+   * Audit an event if our audit plugin is installed and wants to audit this type of event.
+   *
+   * @param event the event to audit.
+   * @param eventType a Supplier to defer event creation and avoid gc load when auditing is not
+   *     enabled. Lambdas are preferred for this since they are easily inlined.
+   */
+  public void audit(Supplier<AuditEvent> event, AuditEvent.EventType eventType) {
+    if (getAuditLoggerPlugin() != null && getAuditLoggerPlugin().shouldLog(eventType)) {
+      // The lambda should get optimized out, and produce no GC load:
+      // https://medium.com/@reetesh043/how-lambda-expressions-work-internally-in-java-f2a6f0e0bc68
+      getAuditLoggerPlugin().doAudit(event.get());
+    }
+  }
 }

solr/core/src/java/org/apache/solr/security/AuthenticationPlugin.java

@@ -69,8 +69,8 @@ public abstract class AuthenticationPlugin implements SolrInfoBean {
    * @param request the http request
    * @param response the http response
    * @param filterChain the servlet filter chain
-   * @return false if the request not be processed by Solr (not continue), i.e. the response and
-   *     status code have already been sent.
+   * @return false if the request should not be processed by Solr (not continue), i.e. the response
+   *     and status code have already been sent.
    * @throws Exception any exception thrown during the authentication, e.g.
    *     PrivilegedActionException
    */
@@ -79,7 +79,7 @@ public abstract boolean doAuthenticate(
       throws Exception;
 
   /**
-   * This method is called by SolrDispatchFilter in order to initiate authentication. It does some
+   * This method is called by AuthenticationFilter in order to initiate authentication. It does some
    * standard metrics counting.
    */
   public final boolean authenticate(

solr/core/src/java/org/apache/solr/security/AuthorizationUtils.java

@@ -21,7 +21,9 @@
 import static org.apache.solr.common.params.CollectionParams.CollectionAction.CREATE;
 import static org.apache.solr.common.params.CollectionParams.CollectionAction.DELETE;
 import static org.apache.solr.common.params.CollectionParams.CollectionAction.RELOAD;
-import static org.apache.solr.servlet.HttpSolrCall.shouldAudit;
+import static org.apache.solr.security.AuditEvent.EventType.ERROR;
+import static org.apache.solr.security.AuditEvent.EventType.REJECTED;
+import static org.apache.solr.security.AuditEvent.EventType.UNAUTHORIZED;
 
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
@@ -73,11 +75,7 @@ public static AuthorizationFailure authorize(
             servletReq.getHeader("Authorization"),
             servletReq.getUserPrincipal());
       }
-      if (shouldAudit(cores, AuditEvent.EventType.REJECTED)) {
-        cores
-            .getAuditLoggerPlugin()
-            .doAudit(new AuditEvent(AuditEvent.EventType.REJECTED, servletReq, context));
-      }
+      cores.audit(() -> new AuditEvent(REJECTED, servletReq, context), REJECTED);
       return new AuthorizationFailure(
           statusCode, "Authentication failed, Response code: " + statusCode);
     }
@@ -89,32 +87,22 @@ public static AuthorizationFailure authorize(
             context,
             authResponse.getMessage()); // nowarn
       }
-      if (shouldAudit(cores, AuditEvent.EventType.UNAUTHORIZED)) {
-        cores
-            .getAuditLoggerPlugin()
-            .doAudit(new AuditEvent(AuditEvent.EventType.UNAUTHORIZED, servletReq, context));
-      }
+      cores.audit(() -> new AuditEvent(UNAUTHORIZED, servletReq, context), UNAUTHORIZED);
       return new AuthorizationFailure(
           statusCode, "Unauthorized request, Response code: " + statusCode);
     }
     if (!(statusCode == HttpStatus.ACCEPTED_202) && !(statusCode == HttpStatus.OK_200)) {
       log.warn(
           "ERROR {} during authentication: {}", statusCode, authResponse.getMessage()); // nowarn
-      if (shouldAudit(cores, AuditEvent.EventType.ERROR)) {
-        cores
-            .getAuditLoggerPlugin()
-            .doAudit(new AuditEvent(AuditEvent.EventType.ERROR, servletReq, context));
-      }
+      cores.audit(() -> new AuditEvent(ERROR, servletReq, context), ERROR);
       return new AuthorizationFailure(
           statusCode, "ERROR during authorization, Response code: " + statusCode);
     }
-
     // No failures! Audit if necessary and return
-    if (shouldAudit(cores, AuditEvent.EventType.AUTHORIZED)) {
-      cores
-          .getAuditLoggerPlugin()
-          .doAudit(new AuditEvent(AuditEvent.EventType.AUTHORIZED, servletReq, context));
-    }
+    cores.audit(
+        () -> new AuditEvent(AuditEvent.EventType.AUTHORIZED, servletReq, context),
+        AuditEvent.EventType.AUTHORIZED);
+
     return null;
   }
 

solr/core/src/java/org/apache/solr/servlet/AuthenticationFilter.java

@@ -0,0 +1,203 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.solr.servlet;
+
+import static org.apache.solr.common.SolrException.ErrorCode.SERVER_ERROR;
+import static org.apache.solr.security.AuditEvent.EventType.ANONYMOUS;
+import static org.apache.solr.security.AuditEvent.EventType.AUTHENTICATED;
+import static org.apache.solr.security.AuditEvent.EventType.REJECTED;
+
+import io.opentelemetry.api.trace.Span;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.FilterConfig;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.lang.invoke.MethodHandles;
+import org.apache.solr.common.SolrException;
+import org.apache.solr.core.CoreContainer;
+import org.apache.solr.security.AuditEvent;
+import org.apache.solr.security.AuthenticationPlugin;
+import org.apache.solr.security.PKIAuthenticationPlugin;
+import org.apache.solr.security.PublicKeyHandler;
+import org.apache.solr.util.tracing.TraceUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * A servlet filter to handle authentication. Anything this filter wraps that needs to be served
+ * without authentication (such as UI) must be resolved and returned by a filter preceding this one,
+ * typically by forwarding to the default servlet or another servlet. Also, any tracing, auditing
+ * and ratelimiting decisions or setup usually want to be resolved ahead of this filter. Similarly,
+ * any potentially expensive operations should occur after this filter to eliminate denial of
+ * service by unauthenticated users.
+ */
+public class AuthenticationFilter extends CoreContainerAwareHttpFilter {
+
+  private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+  public static final String PLUGIN_DID_NOT_SET_ERROR_STATUS =
+      "{} threw SolrAuthenticationException without setting request status >= 400";
+
+  @Override
+  public void init(FilterConfig config) throws ServletException {
+    super.init(config);
+  }
+
+  @Override
+  protected void doFilter(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
+      throws IOException, ServletException {
+
+    CoreContainer cc = getCores();
+    AuthenticationPlugin authenticationPlugin = cc.getAuthenticationPlugin();
+    String requestPath = ServletUtils.getPathAfterContext(req);
+
+    /////////////////////////////////////////////////////////
+    //////// Check cases where auth is not required. ////////
+    /////////////////////////////////////////////////////////
+
+    // Is authentication configured?
+    if (authenticationPlugin == null) {
+      cc.audit(() -> new AuditEvent(ANONYMOUS, req), ANONYMOUS);
+      chain.doFilter(req, res);
+      return;
+    }
+
+    // /admin/info/key must be always open. see SOLR-9188
+    if (PublicKeyHandler.PATH.equals(requestPath)) {
+      log.debug("Pass through PKI authentication endpoint");
+      chain.doFilter(req, res);
+      return;
+    }
+
+    if (isAdminUI(requestPath)) {
+      log.debug("Pass through Admin UI entry point");
+      chain.doFilter(req, res);
+      return;
+    }
+
+    /////////////////////////////////////////////////////////////////
+    //////// if we make it here, authentication is required. ////////
+    /////////////////////////////////////////////////////////////////
+
+    // internode (internal) requests have their own PKI auth plugin
+    if (isInternodePKI(req, cc)) {
+      authenticationPlugin = cc.getPkiAuthenticationSecurityBuilder();
+    }
+
+    boolean authSuccess = false;
+    try {
+      authSuccess =
+          authenticate(req, res, new AuditSuccessChainWrapper(cc, chain), authenticationPlugin);
+    } finally {
+      if (!authSuccess) {
+        cc.audit(() -> new AuditEvent(REJECTED, req), REJECTED);
+        res.flushBuffer();
+        if (res.getStatus() < 400) {
+          log.error(PLUGIN_DID_NOT_SET_ERROR_STATUS, authenticationPlugin.getClass());
+          res.sendError(401, "Authentication Plugin rejected credentials.");
+        }
+      }
+    }
+  }
+
+  /**
+   * The plugin called by this method will call doFilter(req, res) for us (which is why we pass in
+   * the filter chain object as a parameter).
+   */
+  private boolean authenticate(
+      HttpServletRequest req,
+      HttpServletResponse res,
+      FilterChain chain,
+      AuthenticationPlugin authenticationPlugin) {
+    try {
+
+      // It is imperative that authentication plugins obey the contract in the javadoc for
+      // org.apache.solr.security.AuthenticationPlugin.doAuthenticate, and either return
+      // false or throw an exception if they cannot validate the user's credentials.
+      // Any plugin that doesn't do this is broken and should be fixed.
+
+      logAuthAttempt(req);
+      return authenticationPlugin.authenticate(req, res, chain);
+    } catch (Exception e) {
+      log.info("Error authenticating", e);
+      throw new SolrException(SERVER_ERROR, "Error during request authentication, ", e);
+    }
+  }
+
+  private static boolean isAdminUI(String requestPath) {
+    return "/solr/".equals(requestPath) || "/".equals(requestPath);
+  }
+
+  private boolean isInternodePKI(HttpServletRequest req, CoreContainer cores) {
+    String header = req.getHeader(PKIAuthenticationPlugin.HEADER);
+    String headerV2 = req.getHeader(PKIAuthenticationPlugin.HEADER_V2);
+    return (header != null || headerV2 != null)
+        && cores.getPkiAuthenticationSecurityBuilder() != null;
+  }
+
+  private void logAuthAttempt(HttpServletRequest req) {
+    // moved this to a method because spotless formatting is so horrible, and makes the log
+    // message look like a big deal... but it's just taking up space
+    if (log.isDebugEnabled()) {
+      log.debug(
+          "Request to authenticate: {}, domain: {}, port: {}",
+          req,
+          req.getLocalName(),
+          req.getLocalPort());
+    }
+  }
+
+  @SuppressWarnings("ClassCanBeRecord")
+  private static class AuditSuccessChainWrapper implements FilterChain {
+
+    private final FilterChain chain;
+    private final CoreContainer cc;
+
+    private AuditSuccessChainWrapper(CoreContainer cc, FilterChain chain) {
+      this.cc = cc;
+      this.chain = chain;
+    }
+
+    @Override
+    public void doFilter(ServletRequest rq, ServletResponse rsp)
+        throws IOException, ServletException {
+      // this is a hack. The authentication plugin should accept a callback
+      // to be executed before doFilter is called if authentication succeeds
+      cc.audit(() -> new AuditEvent(AUTHENTICATED, (HttpServletRequest) rq), AUTHENTICATED);
+      Span span = TraceUtils.getSpan((HttpServletRequest) rq);
+      setPrincipalForTracing((HttpServletRequest) rq, span);
+      chain.doFilter(rq, rsp);
+    }
+
+    private void setPrincipalForTracing(HttpServletRequest request, Span span) {
+      if (log.isDebugEnabled()) {
+        log.debug("User principal: {}", request.getUserPrincipal());
+      }
+      final String principalName;
+      if (request.getUserPrincipal() != null) {
+        principalName = request.getUserPrincipal().getName();
+      } else {
+        principalName = null;
+      }
+      TraceUtils.setUser(span, String.valueOf(principalName));
+    }
+  }
+}