The plugin does not support Authentication to ElasticSearch

[jberkers42]

Instances of ElasticSearch that are built to current best-practice standards, and wanting to make use of certain functionality, typically have Authentication enabled. The plugin does not connect to environments configured in this way.

Authentication may take the for of "Basic" authentication used with many web applications.

When connecting to such an environment the following error is generated:

{
    "statusCode": 401,
    "body": {
        "error": {
            "root_cause": [
                {
                    "type": "security_exception",
                    "reason": "missing authentication credentials for REST request [/index/_search?filter_path=hits.hits.fields]",
                    "header": {
                        "WWW-Authenticate": [
                            "Basic realm=\"security\" charset=\"UTF-8\"",
                            "Bearer realm=\"security\"",
                            "ApiKey"
                        ]
                    }
                }
            ],
            "type": "security_exception",
            "reason": "missing authentication credentials for REST request [/index/_search?filter_path=hits.hits.fields]",
            "header": {
                "WWW-Authenticate": [
                    "Basic realm=\"security\" charset=\"UTF-8\"",
                    "Bearer realm=\"security\"",
                    "ApiKey"
                ]
            }
        },
        "status": 401
    },
    "headers": {
        "www-authenticate": "Basic realm=\"security\" charset=\"UTF-8\", Bearer realm=\"security\", ApiKey",
        "content-type": "application/json; charset=UTF-8",
        "content-length": "561"
    },
    "request": {
        "uri": {
            "protocol": "https:",
            "slashes": true,
            "auth": null,
            "host": "elastichost.domain.com:9200",
            "port": "9200",
            "hostname": "elastichost.domain.com",
            "hash": null,
            "search": "?filter_path=hits.hits.fields",
            "query": "filter_path=hits.hits.fields",
            "pathname": "/fs-departments/_search",
            "path": "/index/_search?filter_path=hits.hits.fields",
            "href": "https://elastichost.domain.com:9200/index/_search?filter_path=hits.hits.fields"
        },
        "method": "GET",
        "headers": {
            "Accept": "application/json",
            "Content-Type": "application/json",
            "User-Agent": "elasticdeveloper",
            "content-length": 60
        }
    },
    "message": "Unauthorized",
    "completed": false,
    "environment": {
        "_textTokens": [
            {
                "_index": 0,
                "_isValid": true,
                "_depth": -1,
                "_text": null,
                "_offset": 0,
                "_type": 0
            },
            {
                "_index": 0,
                "_isValid": true,
                "_depth": 0,
                "_text": "host",
                "_offset": 8,
                "_type": 5,
                "_path": "host",
                "_propertyValueToken": {
                    "_index": 0,
                    "_isValid": true,
                    "_depth": -1,
                    "_text": "https://elastichost.domain.com:9200",
                    "_offset": 16,
                    "_type": 6
                }
            },
            {
                "_index": 0,
                "_isValid": true,
                "_depth": 0,
                "_text": "name",
                "_offset": 64,
                "_type": 5,
                "_path": "name",
                "_propertyValueToken": {
                    "_index": 0,
                    "_isValid": true,
                    "_depth": -1,
                    "_text": "esenv name",
                    "_offset": 72,
                    "_type": 6
                }
            },
            {
                "_index": 0,
                "_isValid": true,
                "_depth": 0,
                "_text": "apikey",
                "_offset": 95,
                "_type": 5,
                "_path": "apikey",
                "_propertyValueToken": {
                    "_index": 0,
                    "_isValid": true,
                    "_depth": -1,
                    "_text": "SnVlNUlIa0IyTXFEX3l3WV9YWFM6dGVNNGN6dEdSY0s4d2NoRXJvNmw3Zw==",
                    "_offset": 105,
                    "_type": 6
                }
            }
        ],
        "_version": null,
        "_host": "https://elastichost.domain.com:9200",
        "_name": "esenv name"
    }
}

Would it be possible to add authentication support? Any assistance provided would be great.

Regards,
JohnB

[mytelo]

so do I

[mytelo]

1. environment.ts add "authorization" property

'use strict'

import { Entity } from "./entity";
import { PropertyToken } from "./propertyToken";
import { TokenType } from "../parsers/entityDocumentScanner";
import { EnvironmentDocument } from "../parsers/environmentDocument";
import { Version } from "./version";

export class Environment extends Entity {

    private _name:string;
    private _version:Version = null;
    private _host:string;
    private _userAgent:string;
    private _authorization:string;
    
    public static hydrate(environmentAsObject:any):Environment {

        let environment: Environment = new Environment();
        environment.host = environmentAsObject._host;
        environment.name = environmentAsObject._name;
        environment.userAgent = environmentAsObject._userAgent;
        environment.authorization = environmentAsObject._authorization;
        environment.version = Version.hydrate(environmentAsObject._version);

        return environment;
    }

    public static parse(environmentAsString:string):Environment {

        let environment: Environment = null;

        let document = EnvironmentDocument.parse(environmentAsString);

        if(document.environments.length > 0) {
            environment = document.environments[0];
        }

        return environment;
    }

    public get id():string {
        return this.name;
    }

    public get hasName(): boolean {
        return (this._name && this._name.length > 0);
    }

    public get name():string {
        return this._name;
    }

    public set name(value:string) {
        this._name = value;
    }

    public get hasVersion():boolean {
        return (this._version != null);
    }

    public get version():Version {
        return this._version;
    }

    public set version(value:Version) {
        this._version = value;
    }

    public get host():string {
        return this._host;
    }

    public set host(host:string) {
        this._host = host;
    }

    public get hasHost():boolean {
        return (this._host && this._host.length > 0);
    }

    public get userAgent():string {
        return this._userAgent;
    }

    public set userAgent(userAgent:string) {
        this._userAgent = userAgent;
    }

    
    public get authorization():string {
        return this._authorization;
    }

    public set authorization(authorization:string) {
        this._authorization = authorization;
    }

    public get hasUserAgent():boolean {
        return (this._userAgent && this._userAgent.length > 0);
    }

    public addTextToken(textToken:PropertyToken) {
        
        super.addTextToken(textToken);

        if(textToken.type == TokenType.Property) {

            let propertyName = textToken.text.toLocaleLowerCase();

            switch(propertyName) {

                case "host":
                    this.host = textToken.propertyValueToken.text;
                    break;
                case "name":
                    this.name = textToken.propertyValueToken.text;
                    break;
                case "useragent":
                    this.userAgent = textToken.propertyValueToken.text;
                    break;
                case "authorization":
                    this.authorization = textToken.propertyValueToken.text;
                    break;
            }

        }

    }

    public toString(): string {
        return this.host + ' ('+ this.name +')';
    }
}

2.elasticService.ts

'use strict'

import * as request from 'request'

import { ElasticsearchQuery } from '../models/elasticsearchQuery';
import { ElasticsearchResponse } from '../models/elasticsearchResponse';
import { Environment } from '../models/environment';
import { LogManager } from '../managers/logManager';

export class ElasticService {

    private _host: string;
    private _userAgent: string;
    private _authorization:string;

    constructor(host:string, userAgent:string,authorization:string) {
        this._host = host;
        this._userAgent = userAgent;
        this._authorization = authorization;

        if(!this._userAgent) {
            this._userAgent = "elasticdeveloper";
        }
    }

    public static async execute(query:any, environment:any): Promise<ElasticsearchResponse> {

        let host:string;
        let userAgent:string;
        let authorization:string;
        let q:ElasticsearchQuery;

        if(!(query instanceof Object)) {
            q = ElasticsearchQuery.parse(query as string);
        } else {
            q = query;
        }

        if(environment instanceof Object) {
            host = (environment as Environment).host;
            userAgent = (environment as Environment).userAgent;
            authorization = (environment as Environment).authorization;
        } else {
            host = environment as string;
        }

        let service = new ElasticService(host, userAgent,authorization);
        let response = await service.execute(q);

        if(q.hasName) {
            response.name = q.name;
        }

        response.environment = environment;

        return response;
    }

    public async execute(query:ElasticsearchQuery) : Promise<ElasticsearchResponse> {

        let url = query.getUrl();

        if(query.isBulk) {
            return this.performBulk(url, query.bulk, query.method);
        } else {
            return this.perform(url, query.body, query.method);
        }
    }

    public async perform(url: string, body:string, method:string = 'GET', contentType:string = 'application/json') : Promise<ElasticsearchResponse> {
        if (contentType !== 'application/x-ndjson') {
            body = this.normalizeBody(body);
        }

        let uri = this._host + url;
        let options: any = {
            method: method,
            url: uri,
            body: body,
            headers: {
                'Accept': 'application/json',
                'Content-Type': contentType,
                'User-Agent': this._userAgent,
                'Authorization': this._authorization
            }
        };

        return new Promise<ElasticsearchResponse>((resolve, reject)=> {

            request(options, (error, response, body)=> {
                if(error) {

                    let elasticsearchResponse = {
                        statusCode: 0,
                        message: error.message,
                        completed: false
                    }

                    reject(elasticsearchResponse);

                } else {

                    let elasticsearchResponse = response.toJSON();
                    elasticsearchResponse.message = response.statusMessage;

                    if(elasticsearchResponse.body) {

                        try
                        {
                            elasticsearchResponse.body = JSON.parse(elasticsearchResponse.body);

                            if(response.statusCode === 200) {
                                elasticsearchResponse.completed = true;
                            } else {
                                elasticsearchResponse.completed = false;
                            }

                        } catch(ex) {

                            LogManager.warning(false, 'failed parse elasticsearchResponse.body with reason %s', ex.message);
                            elasticsearchResponse.message = 'elastic developer failed parse elasticsearchResponse.body with reason ' + ex.message;
                            elasticsearchResponse.completed = false;
                        }
                    } else {

                        if(response.statusCode === 200) {
                            elasticsearchResponse.completed = true;
                        } else {
                            elasticsearchResponse.completed = false;
                        }
                    }

                    resolve(elasticsearchResponse);

                }
            });

        });
    }

    public async performBulk(url: string, bulk:string[], method:string = 'POST'): Promise<ElasticsearchResponse> {

        let body = '';

        LogManager.verbose('building NDJSON of a array with %s entries', bulk.length);

        for(let index = 0; index < bulk.length; index++) {
            body += bulk[index].replace(/[\r\n]+/g, '');
            body += '\r\n';
        }

        return this.perform(url, body, method, 'application/x-ndjson');
    }

    public post(url: string, body) {
    }

    private normalizeBody(body:string):string {

        if(body && body.length > 0) {
            body = body.replace(/[\r\n]+/g, '');
        }

        return body;
    }

}

3.esenv file config "authorization":Basic Base64(username:password)

  {
    "host": "http://localhost:9200",
    "name": "prod.7",
    "authorization":"Basic ZWxhc3RpYzoxMjM0NTY="
    }

[Redw0od]

I've updated the code posted by mytelo to work with the current version. I'm able to authenticate using an ApiKey on Windows 10, Elasticsearch 7.13
elasticService.js.txt
environment.js.txt

Had to change the extension to txt to upload here.

[JuoCode]

Include username and password in host like: http://username:password@example.com

[jberkers42]

Placing the Username and Password in a URL is considered bad practice as this enables the capture of the credentials by any in-line solution that has the ability to see the URL requested. This may include local logging on the device making the request. If the credentials are able to be passed via the payload over an SSL/TLS connection, this is significantly less likely to occur.

Ultimately, whether this is supported or not is your call. Just pointing out the security deficiencies of doing it in the way suggested.