
client certificate setting bypasses password requirements #4378 #5278


Open: wants to merge 1 commit into main

Conversation

asifbashar

Signed-off-by: Asif Bashar [email protected]

Description

[Describe what this change achieves]

  • Category: Bug fix
  • Why are these changes required?
  • Client certificate setting bypasses password requirements #4378
  • When client certificate authentication is set as required in opensearch.yaml, and opensearch_dashboards.yml has "alwaysPresentCertificate": true, browser login to the dashboard does not validate the password and allows login with any user/password. This allows any user to view the dashboard.

config.yaml example below:

config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        authentication_backend:
          type: intern
        description: Authenticate via HTTP Basic against internal users database
        http_authenticator:
          challenge: true
          type: basic
        http_enabled: true
        order: 4
        transport_enabled: true
      clientcert_auth_domain:
        authentication_backend:
          type: noop
        description: Authenticate via SSL client certificates
        http_authenticator:
          challenge: false
          config:
            username_attribute: ''
          type: clientcert
        http_enabled: true
        order: 2
        transport_enabled: false

  • What is the old behavior before the changes and the new behavior after the changes?
    With this fix, an arbitrary password from the browser will no longer let the user log in when the above conditions are configured.

Issues Resolved

#4378

Is this a backport? If so, please add backport PR # and/or commits #, and remove backport-failed label from the original PR.

Do these changes introduce new permission(s) to be displayed in the static dropdown on the front-end? If so, please open a draft PR in the security dashboards plugin and link the draft PR here
N/A

Testing

manual testing

Check List

  • [N/A] New functionality includes testing
  • [N/A] New functionality has been documented
  • [N/A] New Roles/Permissions have a corresponding security dashboards plugin PR
  • [N/A] API changes companion pull request created
  • [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
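The description above is about the order in which authentication domains are evaluated: the `clientcert` domain (order 2) is tried before HTTP Basic (order 4), and because its backend is `noop`, any request that arrives with a trusted client certificate is authenticated without the password ever being checked. When Dashboards is configured to always present its own certificate, every browser login arrives that way. The following is an added example, not code from the opensearch-security project or from this PR: a small Python model of an ordered authentication-domain chain, using the two domains from the config.yaml above. The names (`Request`, `AuthDomain`, `authenticate`, `require_password_check`), the internal users database and the certificate DNs are constructed for illustration, and the hardening rule shown (skip a `noop` backend when the request carries password credentials) is an assumption chosen to make the failure mode visible, not the change made in BackendRegistry.java.

```python
"""Model of an ordered authentication-domain chain (illustrative, not the
opensearch-security implementation). Shows why clientcert+noop ordered ahead of
HTTP Basic accepts any password when a client certificate is always presented,
and one hardening rule (an assumption) that closes that path."""

from dataclasses import dataclass
from typing import Optional

# Constructed internal users database: username -> password.
INTERNAL_USERS = {"admin": "correct-horse-battery-staple"}


@dataclass
class Request:
    client_cert_dn: Optional[str]          # DN of the TLS client certificate, if any
    basic_user: Optional[str] = None       # HTTP Basic credentials, if any
    basic_password: Optional[str] = None


@dataclass
class AuthDomain:
    name: str
    order: int
    http_authenticator: str                # "clientcert" or "basic"
    backend: str                           # "noop" or "intern"


# The two domains from the config.yaml in the PR description.
PAGE_DOMAINS = [
    AuthDomain("basic_internal_auth_domain", 4, "basic", "intern"),
    AuthDomain("clientcert_auth_domain", 2, "clientcert", "noop"),
]


def extract_credentials(domain, req):
    """http_authenticator step: pull credentials from the request, or None."""
    if domain.http_authenticator == "clientcert":
        return req.client_cert_dn          # username_attribute '' -> the full DN
    if domain.http_authenticator == "basic" and req.basic_user is not None:
        return (req.basic_user, req.basic_password)
    return None


def backend_accepts(domain, creds):
    """authentication_backend step: noop trusts anything, intern checks the password."""
    if domain.backend == "noop":
        return True
    if domain.backend == "intern":
        user, password = creds
        return INTERNAL_USERS.get(user) == password
    return False


def authenticate(domains, req, require_password_check=False):
    """Evaluate domains by ascending order; the first domain whose authenticator
    finds credentials and whose backend accepts them decides. Returns the
    authenticated principal (username or cert DN) or None."""
    for domain in sorted(domains, key=lambda d: d.order):
        if require_password_check and req.basic_user is not None and domain.backend == "noop":
            # Hardening (assumption, not the project's fix): the caller supplied a
            # password, so a backend that verifies nothing must not decide the outcome.
            continue
        creds = extract_credentials(domain, req)
        if creds is None:
            continue
        if backend_accepts(domain, creds):
            return creds if isinstance(creds, str) else creds[0]
    return None


if __name__ == "__main__":
    # Constructed scenario: Dashboards always presents its certificate and forwards
    # a browser login with a wrong password.
    forwarded = Request("CN=dashboards,O=example", basic_user="admin", basic_password="wrong")
    print("vulnerable chain:", authenticate(PAGE_DOMAINS, forwarded))
    print("hardened chain:  ", authenticate(PAGE_DOMAINS, forwarded, require_password_check=True))
```

In the vulnerable chain the forwarded request is authenticated as the Dashboards certificate's DN with the password never consulted; with the hardening rule the `noop` domain is skipped, the password is checked against the internal users database, and the wrong password is rejected while a correct one still logs the user in. A request that carries only a client certificate and no Basic credentials (a service calling the API with mTLS) is unaffected by the rule.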


codecov bot commented Apr 16, 2025

Codecov Report

Attention: Patch coverage is 0% with 5 lines in your changes missing coverage. Please review.

Project coverage is 72.02%. Comparing base (280d8e5) to head (2cfe396).

Files with missing lines                               Patch %   Lines
.../org/opensearch/security/auth/BackendRegistry.java   0.00%    4 Missing and 1 partial

@@            Coverage Diff             @@
##             main    #5278      +/-   ##
==========================================
- Coverage   72.05%   72.02%   -0.04%     
==========================================
  Files         336      336              
  Lines       22648    22652       +4     
  Branches     3560     3561       +1     
==========================================
- Hits        16320    16315       -5     
- Misses       4554     4560       +6     
- Partials     1774     1777       +3     
Files with missing lines                               Coverage   Δ
.../org/opensearch/security/auth/BackendRegistry.java   76.48%    <0.00%> (-1.29%)

... and 2 files with indirect coverage changes

