Remove deprecated Authentication#getUser (#91069)

This PR removes the deprecated Authentication#getUser method and
replaces its usages with #getEffectiveSubject#getUser.

Relates: #88494

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/async/DeleteAsyncResultsService.java

@@ -55,7 +55,7 @@ private void hasCancelTaskPrivilegeAsync(Consumer<Boolean> consumer) {
         final Authentication current = store.getSecurityContext().getAuthentication();
         if (current != null) {
             HasPrivilegesRequest req = new HasPrivilegesRequest();
-            req.username(current.getUser().principal());
+            req.username(current.getEffectiveSubject().getUser().principal());
             req.clusterPrivileges(ClusterPrivilegeResolver.CANCEL_TASK.name());
             req.indexPrivileges(new RoleDescriptor.IndicesPrivileges[] {});
             req.applicationPrivileges(new RoleDescriptor.ApplicationResourcePrivileges[] {});

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityContext.java

@@ -68,7 +68,7 @@ public User requireUser() {
     @Nullable
     public User getUser() {
         Authentication authentication = getAuthentication();
-        return authentication == null ? null : authentication.getUser();
+        return authentication == null ? null : authentication.getEffectiveSubject().getUser();
     }
 
     /** Returns the authentication information, or null if the current request has no authentication info. */

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateResponse.java

@@ -28,7 +28,7 @@ public OpenIdConnectAuthenticateResponse(
         String refreshTokenString,
         TimeValue expiresIn
     ) {
-        this.principal = authentication.getUser().principal();
+        this.principal = authentication.getEffectiveSubject().getUser().principal();
         ;
         this.accessTokenString = accessTokenString;
         this.refreshTokenString = refreshTokenString;

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/saml/SamlAuthenticateResponse.java

@@ -43,7 +43,7 @@ public SamlAuthenticateResponse(StreamInput in) throws IOException {
     }
 
     public SamlAuthenticateResponse(Authentication authentication, String tokenString, String refreshToken, TimeValue expiresIn) {
-        this.principal = authentication.getUser().principal();
+        this.principal = authentication.getEffectiveSubject().getUser().principal();
         this.realm = authentication.getAuthenticatedBy().getName();
         this.tokenString = tokenString;
         this.refreshToken = refreshToken;

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java

@@ -167,14 +167,6 @@ public boolean isRunAs() {
         return authenticatingSubject != effectiveSubject;
     }
 
-    /**
-     * Use {@code getEffectiveSubject().getUser()} instead.
-     */
-    @Deprecated
-    public User getUser() {
-        return effectiveSubject.getUser();
-    }
-
     /**
      * Use {@code getAuthenticatingSubject().getRealm()} instead.
      */
@@ -313,8 +305,8 @@ public Authentication token() {
     public Authentication maybeAddAnonymousRoles(@Nullable AnonymousUser anonymousUser) {
         final boolean shouldAddAnonymousRoleNames = anonymousUser != null
             && anonymousUser.enabled()
-            && false == anonymousUser.equals(getUser())
-            && false == User.isInternal(getUser())
+            && false == anonymousUser.equals(getEffectiveSubject().getUser())
+            && false == User.isInternal(getEffectiveSubject().getUser())
             && false == isApiKey()
             && false == isServiceAccount();
 
@@ -326,7 +318,7 @@ public Authentication maybeAddAnonymousRoles(@Nullable AnonymousUser anonymousUs
         if (anonymousUser.roles().length == 0) {
             throw new IllegalStateException("anonymous is only enabled when the anonymous user has roles");
         }
-        final String[] allRoleNames = ArrayUtils.concat(getUser().roles(), anonymousUser.roles());
+        final String[] allRoleNames = ArrayUtils.concat(getEffectiveSubject().getUser().roles(), anonymousUser.roles());
 
         if (isRunAs()) {
             final User user = effectiveSubject.getUser();
@@ -425,7 +417,7 @@ public boolean supportsRunAs(@Nullable AnonymousUser anonymousUser) {
 
         // There is no reason for internal users to run-as. This check prevents either internal user itself
         // or a token created for it (though no such thing in current code) to run-as.
-        if (User.isInternal(getUser())) {
+        if (User.isInternal(getEffectiveSubject().getUser())) {
             return false;
         }
 
@@ -441,7 +433,7 @@ public boolean supportsRunAs(@Nullable AnonymousUser anonymousUser) {
         // Also, if anonymous access is disabled or anonymous username, roles are changed after the token is created.
         // Should we still consider the token being created by an anonymous user which is now different from the new
         // anonymous user?
-        if (getUser().equals(anonymousUser)) {
+        if (getEffectiveSubject().getUser().equals(anonymousUser)) {
             assert ANONYMOUS_REALM_TYPE.equals(getAuthenticatingSubject().getRealm().getType())
                 && ANONYMOUS_REALM_NAME.equals(getAuthenticatingSubject().getRealm().getName());
             return false;

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/support/SecondaryAuthentication.java

@@ -58,7 +58,7 @@ public Authentication getAuthentication() {
     }
 
     public User getUser() {
-        return authentication.getUser();
+        return authentication.getEffectiveSubject().getUser();
     }
 
     public <T> T execute(Function<ThreadContext.StoredContext, T> body) {

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageOwnApiKeyClusterPrivilege.java

@@ -142,7 +142,7 @@ private static boolean checkIfUserIsOwnerOfApiKeys(
                 } else if (ownedByAuthenticatedUser) {
                     return true;
                 } else if (Strings.hasText(username) && Strings.hasText(realmName)) {
-                    if (false == username.equals(authentication.getUser().principal())) {
+                    if (false == username.equals(authentication.getEffectiveSubject().getUser().principal())) {
                         return false;
                     }
                     RealmDomain domain = authentication.getSourceRealm().getDomain();

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/watcher/execution/WatchExecutionContext.java

@@ -270,7 +270,7 @@ public static String getUsernameFromWatch(Watch watch) throws IOException {
             String header = watch.status().getHeaders().get(AuthenticationField.AUTHENTICATION_KEY);
             if (header != null) {
                 Authentication auth = AuthenticationContextSerializer.decode(header);
-                return auth.getUser().principal();
+                return auth.getEffectiveSubject().getUser().principal();
             }
         }
         return null;

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ClientHelperTests.java

@@ -455,14 +455,14 @@ public void testGetPersistableSafeSecurityHeaders() throws IOException {
                 headers2.get(AuthenticationField.AUTHENTICATION_KEY)
             );
             assertThat(rewrittenAuth.getEffectiveSubject().getVersion(), equalTo(previousVersion));
-            assertThat(rewrittenAuth.getUser(), equalTo(authentication.getUser()));
+            assertThat(rewrittenAuth.getEffectiveSubject().getUser(), equalTo(authentication.getEffectiveSubject().getUser()));
         }
         if (hasSecondaryAuthHeader) {
             final Authentication rewrittenSecondaryAuth = AuthenticationContextSerializer.decode(
                 headers2.get(SecondaryAuthentication.THREAD_CTX_KEY)
             );
             assertThat(rewrittenSecondaryAuth.getEffectiveSubject().getVersion(), equalTo(previousVersion));
-            assertThat(rewrittenSecondaryAuth.getUser(), equalTo(authentication.getUser()));
+            assertThat(rewrittenSecondaryAuth.getEffectiveSubject().getUser(), equalTo(authentication.getEffectiveSubject().getUser()));
         }
     }
 }

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTestHelper.java

@@ -209,7 +209,7 @@ private static User stripRoles(User user) {
     }
 
     public static String randomInternalUsername() {
-        return builder().internal().build(false).getUser().principal();
+        return builder().internal().build(false).getEffectiveSubject().getUser().principal();
     }
 
     /**

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/SecurityRealmSettingsTests.java

@@ -146,8 +146,8 @@ public void testClusterStarted() {
         final AuthenticateResponse authenticate = client().execute(AuthenticateAction.INSTANCE, AuthenticateRequest.INSTANCE)
             .actionGet(10, TimeUnit.SECONDS);
         assertThat(authenticate.authentication(), notNullValue());
-        assertThat(authenticate.authentication().getUser(), notNullValue());
-        assertThat(authenticate.authentication().getUser().enabled(), is(true));
+        assertThat(authenticate.authentication().getEffectiveSubject().getUser(), notNullValue());
+        assertThat(authenticate.authentication().getEffectiveSubject().getUser().enabled(), is(true));
     }
 
 }

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/esnative/NativeRealmIntegTests.java

@@ -744,7 +744,7 @@ public void testOperationsOnReservedUsers() throws Exception {
         AuthenticateResponse authenticateResponse = client().filterWithHeader(
             Collections.singletonMap("Authorization", basicAuthHeaderValue(username, getReservedPassword()))
         ).execute(AuthenticateAction.INSTANCE, AuthenticateRequest.INSTANCE).get();
-        assertThat(authenticateResponse.authentication().getUser().principal(), is(username));
+        assertThat(authenticateResponse.authentication().getEffectiveSubject().getUser().principal(), is(username));
         assertThat(authenticateResponse.authentication().getAuthenticatedBy().getName(), equalTo("reserved"));
         assertThat(authenticateResponse.authentication().getAuthenticatedBy().getType(), equalTo("reserved"));
         assertNull(authenticateResponse.authentication().getLookedUpBy());

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListenerTests.java

@@ -165,7 +165,10 @@ public void testValidateSearchContext() throws Exception {
                 threadContext.putTransient(ORIGINATING_ACTION_KEY, "action");
                 threadContext.putTransient(
                     AUTHORIZATION_INFO_KEY,
-                    (AuthorizationInfo) () -> Collections.singletonMap(PRINCIPAL_ROLES_FIELD_NAME, authentication.getUser().roles())
+                    (AuthorizationInfo) () -> Collections.singletonMap(
+                        PRINCIPAL_ROLES_FIELD_NAME,
+                        authentication.getEffectiveSubject().getUser().roles()
+                    )
                 );
                 final InternalScrollSearchRequest request = new InternalScrollSearchRequest();
                 SearchContextMissingException expected = expectThrows(
@@ -179,7 +182,7 @@ public void testValidateSearchContext() throws Exception {
                     eq(authentication),
                     eq("action"),
                     eq(request),
-                    authzInfoRoles(authentication.getUser().roles())
+                    authzInfoRoles(authentication.getEffectiveSubject().getUser().roles())
                 );
             }
 
@@ -216,7 +219,10 @@ public void testValidateSearchContext() throws Exception {
                 threadContext.putTransient(ORIGINATING_ACTION_KEY, "action");
                 threadContext.putTransient(
                     AUTHORIZATION_INFO_KEY,
-                    (AuthorizationInfo) () -> Collections.singletonMap(PRINCIPAL_ROLES_FIELD_NAME, authentication.getUser().roles())
+                    (AuthorizationInfo) () -> Collections.singletonMap(
+                        PRINCIPAL_ROLES_FIELD_NAME,
+                        authentication.getEffectiveSubject().getUser().roles()
+                    )
                 );
                 final InternalScrollSearchRequest request = new InternalScrollSearchRequest();
                 SearchContextMissingException expected = expectThrows(
@@ -230,7 +236,7 @@ public void testValidateSearchContext() throws Exception {
                     eq(authentication),
                     eq("action"),
                     eq(request),
-                    authzInfoRoles(authentication.getUser().roles())
+                    authzInfoRoles(authentication.getEffectiveSubject().getUser().roles())
                 );
             }
         }

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/enrollment/EnrollmentSingleNodeTests.java

@@ -101,7 +101,7 @@ public void testKibanaEnrollmentTokenCreation() throws Exception {
         );
         final AuthenticateResponse authenticateResponse1 = apiKeyClient.execute(AuthenticateAction.INSTANCE, AuthenticateRequest.INSTANCE)
             .actionGet();
-        assertThat(authenticateResponse1.authentication().getUser().principal(), equalTo("_xpack_security"));
+        assertThat(authenticateResponse1.authentication().getEffectiveSubject().getUser().principal(), equalTo("_xpack_security"));
 
         final KibanaEnrollmentResponse kibanaEnrollmentResponse = apiKeyClient.execute(
             KibanaEnrollmentAction.INSTANCE,
@@ -115,6 +115,6 @@ public void testKibanaEnrollmentTokenCreation() throws Exception {
 
         final AuthenticateResponse authenticateResponse2 = kibanaClient.execute(AuthenticateAction.INSTANCE, AuthenticateRequest.INSTANCE)
             .actionGet();
-        assertThat(authenticateResponse2.authentication().getUser().principal(), equalTo("elastic/kibana"));
+        assertThat(authenticateResponse2.authentication().getEffectiveSubject().getUser().principal(), equalTo("elastic/kibana"));
     }
 }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/apikey/TransportGetApiKeyAction.java

@@ -53,7 +53,7 @@ protected void doExecute(Task task, GetApiKeyRequest request, ActionListener<Get
             assert username == null;
             assert realms == null;
             // restrict username and realm to current authenticated user.
-            username = authentication.getUser().principal();
+            username = authentication.getEffectiveSubject().getUser().principal();
             realms = ApiKeyService.getOwnersRealmNames(authentication);
         }
 

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/apikey/TransportInvalidateApiKeyAction.java

@@ -59,7 +59,7 @@ protected void doExecute(Task task, InvalidateApiKeyRequest request, ActionListe
             assert username == null;
             assert realms == null;
             // restrict username and realm to current authenticated user.
-            username = authentication.getUser().principal();
+            username = authentication.getEffectiveSubject().getUser().principal();
             realms = ApiKeyService.getOwnersRealmNames(authentication);
         }
 

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutAction.java

@@ -72,7 +72,7 @@ protected void doExecute(Task task, OpenIdConnectLogoutRequest request, ActionLi
                     if (logger.isTraceEnabled()) {
                         logger.trace(
                             "OpenID Connect Logout for user [{}] and token [{}...{}]",
-                            authentication.getUser().principal(),
+                            authentication.getEffectiveSubject().getUser().principal(),
                             token.substring(0, 8),
                             token.substring(token.length() - 8)
                         );
@@ -103,7 +103,7 @@ private void validateAuthenticationAndMetadata(Authentication authentication, Ma
         if (authentication == null) {
             throw new ElasticsearchSecurityException("No active authentication");
         }
-        final User user = authentication.getUser();
+        final User user = authentication.getEffectiveSubject().getUser();
         if (user == null) {
             throw new ElasticsearchSecurityException("No active user");
         }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlLogoutAction.java

@@ -64,7 +64,7 @@ protected void doExecute(Task task, SamlLogoutRequest request, ActionListener<Sa
                         if (logger.isTraceEnabled()) {
                             logger.trace(
                                 "SAML Logout User [{}], Token [{}...{}]",
-                                authentication.getUser().principal(),
+                                authentication.getEffectiveSubject().getUser().principal(),
                                 token.substring(0, 8),
                                 token.substring(token.length() - 8)
                             );
@@ -91,7 +91,7 @@ private SamlLogoutResponse buildResponse(Authentication authentication, Map<Stri
         if (authentication == null) {
             throw SamlUtils.samlException("No active authentication");
         }
-        final User user = authentication.getUser();
+        final User user = authentication.getEffectiveSubject().getUser();
         if (user == null) {
             throw SamlUtils.samlException("No active user");
         }