Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-13835

HttpSolrCall produces incorrect extra AuditEvent on AuthorizationResponse.PROMPT

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 8.3
    • Authentication, Authorization
    • None

    Description

      spinning this out of SOLR-13741...

      Wrt the REJECTED + UNAUTHORIZED events I see the same as you, and I believe there is a code bug, not a test bug. In HttpSolrCall#471 in the authorize() call, if authResponse == PROMPT, it will actually match both blocks and emit two audit events: https://github.com/apache/lucene-solr/blob/26ede632e6259eb9d16861a3c0f782c9c8999762/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java#L475:L493 

      if (authResponse.statusCode == AuthorizationResponse.PROMPT.statusCode) {...}
if (!(authResponse.statusCode == HttpStatus.SC_ACCEPTED) && !(authResponse.statusCode == HttpStatus.SC_OK)) {...}

      When code==401, it is also true that code!=200. Intuitively there should be both a sendErrora and return RETURN before line #484 in the first if block?

      This causes any and all REJECTED AuditEvent messages to be accompanied by a coresponding UNAUTHORIZED AuditEvent.

      It's not yet clear if, from the perspective of the external client, there are any other bugs in behavior (TBD)

      Attachments

        Issue Links

          blocks

          Bug - A problem which impairs or prevents the functions of the product. SOLR-13840 AuditLogger issues when logged from HttpServletRequest

          • Major - Major loss of function.
          • Resolved
          causes

          Improvement - An improvement or enhancement to an existing feature or task. SOLR-13905 Make findRequestType in AuditEvent more robust

          • Major - Major loss of function.
          • Closed
          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. SOLR-13840 AuditLogger issues when logged from HttpServletRequest

          • Major - Major loss of function.
          • Resolved
          relates to

          Test - A new unit, integration or system test. SOLR-13741 AuditLoggerIntegrationTest hardening

          • Major - Major loss of function.
          • Closed
          links to

          Web Link GitHub Pull Request #946

          Activity

            People

              janhoy Jan Høydahl
              hossman Chris M. Hostetter
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 0.5h
                  0.5h