-
Notifications
You must be signed in to change notification settings - Fork 24.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Backport] Add support for secondary authentication (#53530)
This change makes it possible to send secondary authentication credentials to select endpoints that need to perform a single action in the context of two users. Typically this need arises when a server process needs to call an endpoint that users should not (or might not) have direct access to, but some part of that action must be performed using the logged-in user's identity. Backport of: #52093
- Loading branch information
Showing
13 changed files
with
953 additions
and
44 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
86 changes: 86 additions & 0 deletions
86
...ain/java/org/elasticsearch/xpack/core/security/authc/support/SecondaryAuthentication.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,86 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License; | ||
* you may not use this file except in compliance with the Elastic License. | ||
*/ | ||
|
||
package org.elasticsearch.xpack.core.security.authc.support; | ||
|
||
import org.elasticsearch.common.Nullable; | ||
import org.elasticsearch.common.util.concurrent.ThreadContext; | ||
import org.elasticsearch.xpack.core.security.SecurityContext; | ||
import org.elasticsearch.xpack.core.security.authc.Authentication; | ||
|
||
import java.io.IOException; | ||
import java.util.Objects; | ||
import java.util.function.Function; | ||
|
||
/** | ||
* Some Elasticsearch APIs need to be provided with 2 sets of credentials. | ||
* Typically this happens when a system user needs to perform an action while accessing data on behalf of, or user information regarding | ||
* a logged in user. | ||
* This class is a representation of that secondary user that can be activated in the security context while processing specific blocks | ||
* of code or within a listener. | ||
*/ | ||
public class SecondaryAuthentication { | ||
|
||
private static final String THREAD_CTX_KEY = "_xpack_security_secondary_authc"; | ||
|
||
private final SecurityContext securityContext; | ||
private final Authentication authentication; | ||
|
||
public SecondaryAuthentication(SecurityContext securityContext, Authentication authentication) { | ||
this.securityContext = Objects.requireNonNull(securityContext); | ||
this.authentication = Objects.requireNonNull(authentication); | ||
} | ||
|
||
@Nullable | ||
public static SecondaryAuthentication readFromContext(SecurityContext securityContext) throws IOException { | ||
final Authentication authentication = serializer().readFromContext(securityContext.getThreadContext()); | ||
if (authentication == null) { | ||
return null; | ||
} | ||
return new SecondaryAuthentication(securityContext, authentication); | ||
} | ||
|
||
public void writeToContext(ThreadContext threadContext) throws IOException { | ||
serializer().writeToContext(this.authentication, threadContext); | ||
} | ||
|
||
private static AuthenticationContextSerializer serializer() { | ||
return new AuthenticationContextSerializer(THREAD_CTX_KEY); | ||
} | ||
|
||
public Authentication getAuthentication() { | ||
return authentication; | ||
} | ||
|
||
public <T> T execute(Function<ThreadContext.StoredContext, T> body) { | ||
return this.securityContext.executeWithAuthentication(this.authentication, body); | ||
} | ||
|
||
public Runnable wrap(Runnable runnable) { | ||
return () -> execute(ignore -> { | ||
runnable.run(); | ||
return null; | ||
}); | ||
} | ||
|
||
@Override | ||
public String toString() { | ||
return getClass().getSimpleName() + "{" + authentication + "}"; | ||
} | ||
|
||
@Override | ||
public boolean equals(Object o) { | ||
if (this == o) return true; | ||
if (o == null || getClass() != o.getClass()) return false; | ||
final SecondaryAuthentication that = (SecondaryAuthentication) o; | ||
return authentication.equals(that.authentication); | ||
} | ||
|
||
@Override | ||
public int hashCode() { | ||
return Objects.hash(authentication); | ||
} | ||
} |
162 changes: 162 additions & 0 deletions
162
...ava/org/elasticsearch/xpack/core/security/authc/support/SecondaryAuthenticationTests.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,162 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License; | ||
* you may not use this file except in compliance with the Elastic License. | ||
*/ | ||
|
||
package org.elasticsearch.xpack.core.security.authc.support; | ||
|
||
import org.elasticsearch.Version; | ||
import org.elasticsearch.action.ActionListener; | ||
import org.elasticsearch.action.support.ContextPreservingActionListener; | ||
import org.elasticsearch.common.settings.Settings; | ||
import org.elasticsearch.common.util.concurrent.ThreadContext; | ||
import org.elasticsearch.test.ESTestCase; | ||
import org.elasticsearch.threadpool.TestThreadPool; | ||
import org.elasticsearch.threadpool.ThreadPool; | ||
import org.elasticsearch.xpack.core.security.SecurityContext; | ||
import org.elasticsearch.xpack.core.security.authc.Authentication; | ||
import org.elasticsearch.xpack.core.security.user.User; | ||
import org.elasticsearch.xpack.core.security.authc.support.SecondaryAuthentication; | ||
import org.junit.After; | ||
import org.junit.Before; | ||
|
||
import java.util.concurrent.Future; | ||
import java.util.concurrent.Semaphore; | ||
import java.util.concurrent.TimeUnit; | ||
import java.util.concurrent.atomic.AtomicReference; | ||
|
||
import static org.hamcrest.Matchers.equalTo; | ||
import static org.hamcrest.Matchers.notNullValue; | ||
import static org.hamcrest.Matchers.sameInstance; | ||
|
||
public class SecondaryAuthenticationTests extends ESTestCase { | ||
|
||
private SecurityContext securityContext; | ||
private ThreadPool threadPool; | ||
|
||
@Before | ||
public void setupObjects() { | ||
this.threadPool = new TestThreadPool(getTestName()); | ||
this.securityContext = new SecurityContext(Settings.EMPTY, threadPool.getThreadContext()); | ||
} | ||
|
||
@After | ||
public void cleanup() { | ||
this.threadPool.shutdownNow(); | ||
} | ||
|
||
public void testCannotCreateObjectWithNullAuthentication() { | ||
expectThrows(NullPointerException.class, () -> new SecondaryAuthentication(securityContext, null)); | ||
} | ||
|
||
public void testSynchronousExecuteInSecondaryContext() { | ||
final User user1 = new User("u1", "role1"); | ||
securityContext.setUser(user1, Version.CURRENT); | ||
assertThat(securityContext.getUser().principal(), equalTo("u1")); | ||
|
||
final Authentication authentication2 = new Authentication(new User("u2", "role2"), realm(), realm()); | ||
final SecondaryAuthentication secondaryAuth = new SecondaryAuthentication(securityContext, authentication2); | ||
|
||
assertThat(securityContext.getUser().principal(), equalTo("u1")); | ||
String result = secondaryAuth.execute(original -> { | ||
assertThat(securityContext.getUser().principal(), equalTo("u2")); | ||
assertThat(securityContext.getAuthentication(), sameInstance(authentication2)); | ||
return "xyzzy"; | ||
}); | ||
assertThat(securityContext.getUser().principal(), equalTo("u1")); | ||
assertThat(result, equalTo("xyzzy")); | ||
} | ||
|
||
public void testSecondaryContextCanBeRestored() { | ||
final User user1 = new User("u1", "role1"); | ||
securityContext.setUser(user1, Version.CURRENT); | ||
assertThat(securityContext.getUser().principal(), equalTo("u1")); | ||
|
||
final Authentication authentication2 = new Authentication(new User("u2", "role2"), realm(), realm()); | ||
final SecondaryAuthentication secondaryAuth = new SecondaryAuthentication(securityContext, authentication2); | ||
|
||
assertThat(securityContext.getUser().principal(), equalTo("u1")); | ||
final AtomicReference<ThreadContext.StoredContext> secondaryContext = new AtomicReference<>(); | ||
secondaryAuth.execute(storedContext -> { | ||
assertThat(securityContext.getUser().principal(), equalTo("u2")); | ||
assertThat(securityContext.getAuthentication(), sameInstance(authentication2)); | ||
secondaryContext.set(threadPool.getThreadContext().newStoredContext(false)); | ||
storedContext.restore(); | ||
assertThat(securityContext.getUser().principal(), equalTo("u1")); | ||
return null; | ||
}); | ||
assertThat(securityContext.getUser().principal(), equalTo("u1")); | ||
secondaryContext.get().restore(); | ||
assertThat(securityContext.getUser().principal(), equalTo("u2")); | ||
} | ||
|
||
public void testWrapRunnable() throws Exception { | ||
final User user1 = new User("u1", "role1"); | ||
securityContext.setUser(user1, Version.CURRENT); | ||
assertThat(securityContext.getUser().principal(), equalTo("u1")); | ||
|
||
final Authentication authentication2 = new Authentication(new User("u2", "role2"), realm(), realm()); | ||
final SecondaryAuthentication secondaryAuth = new SecondaryAuthentication(securityContext, authentication2); | ||
|
||
assertThat(securityContext.getUser().principal(), equalTo("u1")); | ||
final Semaphore semaphore = new Semaphore(0); | ||
final Future<?> future = threadPool.generic().submit(secondaryAuth.wrap(() -> { | ||
try { | ||
assertThat(securityContext.getUser().principal(), equalTo("u2")); | ||
semaphore.acquire(); | ||
assertThat(securityContext.getUser().principal(), equalTo("u2")); | ||
semaphore.acquire(); | ||
assertThat(securityContext.getUser().principal(), equalTo("u2")); | ||
} catch (InterruptedException e) { | ||
Thread.currentThread().interrupt(); | ||
throw new RuntimeException(e); | ||
} | ||
})); | ||
assertThat(securityContext.getUser().principal(), equalTo("u1")); | ||
semaphore.release(); | ||
assertThat(securityContext.getUser().principal(), equalTo("u1")); | ||
semaphore.release(); | ||
assertThat(securityContext.getUser().principal(), equalTo("u1")); | ||
|
||
// ensure that the runnable didn't throw any exceptions / assertions | ||
future.get(1, TimeUnit.SECONDS); | ||
} | ||
|
||
public void testPreserveSecondaryContextAcrossThreads() throws Exception { | ||
final User user1 = new User("u1", "role1"); | ||
securityContext.setUser(user1, Version.CURRENT); | ||
assertThat(securityContext.getUser().principal(), equalTo("u1")); | ||
|
||
final Authentication authentication2 = new Authentication(new User("u2", "role2"), realm(), realm()); | ||
final SecondaryAuthentication secondaryAuth = new SecondaryAuthentication(securityContext, authentication2); | ||
|
||
assertThat(securityContext.getUser().principal(), equalTo("u1")); | ||
|
||
final AtomicReference<User> threadUser = new AtomicReference<>(); | ||
final AtomicReference<User> listenerUser = new AtomicReference<>(); | ||
|
||
final ThreadContext threadContext = threadPool.getThreadContext(); | ||
secondaryAuth.execute(originalContext -> { | ||
assertThat(securityContext.getUser().principal(), equalTo("u2")); | ||
ActionListener<Void> listener = new ContextPreservingActionListener<>(threadContext.newRestorableContext(false), | ||
ActionListener.wrap(() -> listenerUser.set(securityContext.getUser()))); | ||
originalContext.restore(); | ||
threadPool.generic().execute(() -> { | ||
threadUser.set(securityContext.getUser()); | ||
listener.onResponse(null); | ||
}); | ||
return null; | ||
}); | ||
assertThat(securityContext.getUser().principal(), equalTo("u1")); | ||
assertBusy(() -> assertThat(listenerUser.get(), notNullValue()), 1, TimeUnit.SECONDS); | ||
assertThat(threadUser.get(), notNullValue()); | ||
assertThat(threadUser.get().principal(), equalTo("u1")); | ||
assertThat(listenerUser.get().principal(), equalTo("u2")); | ||
} | ||
|
||
private Authentication.RealmRef realm() { | ||
return new Authentication.RealmRef(randomAlphaOfLengthBetween(4, 8), randomAlphaOfLengthBetween(2, 4), randomAlphaOfLength(12)); | ||
} | ||
|
||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.