[BUG] User Injection is failing for IPV6 addresses

Open devardee opened this issue 1 year ago • 2 comments

What is the bug? User Injection is a construct in the security plugin which will allow other plugins to enforce authorization by setting the user information in the thread context. The security plugin will read this information, initialize a User object, and apply authorization if needed. The injected user string has the following pattern:

"user|backendRole|remoteIpPort|customAttributes|tenant"

In the remoteIpPort part, for an IPv6 address, we are observing the following exception being thrown: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/auth/UserInjector.java#L99

How can one reproduce the bug? Added a simple UT here: https://github.com/devardee/security-1/commit/c47d9c0339899a9d544631f99484e71fa8ab59cd

What is the expected behavior? The security plugin should correctly instantiate the User object when the injected user has an IPv6 address.

What is your host/environment? NA

Do you have any screenshots? NA

Do you have any additional context? No

devardee avatar Mar 27 '24 12:03 devardee
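
An IPv6 literal contains colons itself, so the remoteIpPort field of the pattern above cannot be separated into address and port by splitting on every `:`. The following is an added example, not the security plugin's code and not part of the original issue: the helper `parseRemoteIpPort`, the class name, and the sample strings are hypothetical and constructed for illustration. It splits at the last colon and also accepts the bracketed `[addr]:port` form.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.UnknownHostException;
import java.util.regex.Pattern;

public class RemoteIpPortExample {
    // Dotted-decimal IPv4, or hex/colon text containing at least one ':' (zone IDs not handled).
    private static final Pattern IP_LITERAL =
        Pattern.compile("[0-9.]+|[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*");

    // Hypothetical helper: parses the remoteIpPort field of an injected user string.
    static InetSocketAddress parseRemoteIpPort(String field) throws UnknownHostException {
        // The port follows the LAST colon; every earlier colon belongs to an IPv6 address.
        int lastColon = field.lastIndexOf(':');
        if (lastColon <= 0 || lastColon == field.length() - 1) {
            throw new IllegalArgumentException("expected ip:port, got: " + field);
        }
        String host = field.substring(0, lastColon);
        int port = Integer.parseInt(field.substring(lastColon + 1));
        if (port < 0 || port > 65535) {
            throw new IllegalArgumentException("port out of range: " + port);
        }
        // Accept the bracketed form [addr]:port, which is unambiguous for IPv6.
        if (host.startsWith("[") && host.endsWith("]")) {
            host = host.substring(1, host.length() - 1);
        }
        // Only address characters are accepted, so ordinary hostnames never reach getByName.
        if (!IP_LITERAL.matcher(host).matches()) {
            throw new IllegalArgumentException("not an IP literal: " + host);
        }
        return new InetSocketAddress(InetAddress.getByName(host), port);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values following the pattern quoted in the issue.
        String[] injected = {
            "alice|ops|10.0.0.5:9300||",
            "alice|ops|[2001:db8::1]:9300||",
            "alice|ops|2001:db8::1:9300||",
        };
        for (String s : injected) {
            String remote = s.split("\\|")[2];
            // Splitting on every ':' gives 2 parts only for IPv4; the IPv6 samples give 5.
            System.out.println(remote + " -> " + remote.split(":").length
                + " parts, parsed as " + parseRemoteIpPort(remote));
        }
    }
}
```

The unbracketed IPv6 form is inherently ambiguous, because the last group of the address and the port look alike; the bracketed form avoids that.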

@devardee Thanks for filing this issue and creating a reproduction. What do you think about creating a pull request to fix this?

peternied avatar Mar 27 '24 12:03 peternied

[Triage] Thanks for filing this issue @devardee. Looks like you are going to take care of this with a PR. Thank you! Marking as triaged.

stephen-crawford avatar Apr 01 '24 15:04 stephen-crawford