From 219b0b329efe7d736ce5a492df87350bc3932795 Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Fri, 30 Jun 2023 16:35:19 -0400
Subject: [PATCH] Handle skipSecurityInDualMode

Signed-off-by: Craig Perkins
---
 .../security/transport/SecurityRequestHandler.java | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java b/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java
index 2e1eeadc2d..8ea82c9d9d 100644
--- a/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java
+++ b/src/main/java/org/opensearch/security/transport/SecurityRequestHandler.java
@@ -204,6 +204,11 @@ protected void messageReceivedDecorate(
 }
 }
+ if (channelType.equals("direct")) {
+ super.messageReceivedDecorate(request, handler, transportChannel, task);
+ return;
+ }
+
 boolean skipSecurityIfDualMode = getThreadContext().getTransient(
 ConfigConstants.SECURITY_SSL_DUAL_MODE_SKIP_SECURITY
 ) == Boolean.TRUE;
@@ -224,6 +229,8 @@ protected void messageReceivedDecorate(
 );
 }
+ super.messageReceivedDecorate(request, handler, transportChannel, task);
+ return;
 }
 // if the incoming request is an internal:* or a shard request allow only if request was sent by a server node
@@ -234,7 +241,6 @@ protected void messageReceivedDecorate(
 if (!HeaderHelper.isInterClusterRequest(getThreadContext())
 && !HeaderHelper.isTrustedClusterRequest(getThreadContext())
 && !HeaderHelper.isExtensionRequest(getThreadContext())
- && !HeaderHelper.isDirectRequest(getThreadContext())
 && !task.getAction().equals("internal:transport/handshake")
 && (task.getAction().startsWith("internal:") || task.getAction().contains("["))) {
 // CS-ENFORCE-SINGLE
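Review bot: The early return on `channelType.equals("direct")` in the first hunk (+204) is now the only exemption for direct requests, because the hunks at -234, -257 and -281 remove the `HeaderHelper.isDirectRequest(getThreadContext())` tests and the old `channelType.equals("direct")` clause, yet nothing documents why skipping every remaining check is safe. The old code consulted two sources, the thread context through HeaderHelper and the channel type; if they can ever disagree, this commit changes which requests are accepted, so a test pinning both cases is worth adding. I would also make the comparison null-safe and commented: `// direct = request that stayed on this node; the transport certificate checks below do not apply (confirm)` above `if ("direct".equals(channelType)) {`. Where `channelType` is assigned lies outside the hunk, so the null case is an assumption to confirm.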
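Review bot: In the second hunk (+229) the added `super.messageReceivedDecorate(...)` and `return` let a request flagged by `SECURITY_SSL_DUAL_MODE_SKIP_SECURITY` bypass the server-node check for `internal:*` and shard actions that follows, and the bypass leaves no trace in the log. The enclosing `if` opens above the hunk, so I am assuming these lines sit in the `skipSecurityIfDualMode` branch. A comment stating where that transient is set and why the sender cannot influence it would help the next reader. Adding `log.debug("Skipping transport security checks in SSL dual mode for action {}", task.getAction());` before the call would make the bypass visible during a migration, assuming `log` accepts parameterized messages.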
@@ -257,8 +263,7 @@ protected void messageReceivedDecorate(
 String principal = null;
- if ((principal = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL)) == null
- && !HeaderHelper.isDirectRequest(getThreadContext())) {
+ if ((principal = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL)) == null) {
 Exception ex = new OpenSearchSecurityException(
 "No SSL client certificates found for transport type "
 + transportChannel.getChannelType()
@@ -281,8 +286,7 @@ protected void messageReceivedDecorate(
 // CS-SUPPRESS-SINGLE: RegexpSingleline Used to allow/disallow TLS connections to extensions
 if (!(HeaderHelper.isInterClusterRequest(getThreadContext())
 || HeaderHelper.isTrustedClusterRequest(getThreadContext())
- || HeaderHelper.isExtensionRequest(getThreadContext())
- || channelType.equals("direct"))) {
+ || HeaderHelper.isExtensionRequest(getThreadContext()))) {
 // CS-ENFORCE-SINGLE
 final OpenSearchException exception = ExceptionUtils.createTransportClientNoLongerSupportedException();
 log.error(exception.toString());
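Review bot: In the hunk at -257 the rewritten condition still assigns `principal` inside the `if`, which is easy to misread on a check that decides whether a request without a client certificate is rejected. Now that it is a single test, `principal = getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_PRINCIPAL);` followed by `if (principal == null) {` says the same thing more plainly. The rest of the block, including how `ex` is reported, continues outside the hunk.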