Patterns support for allowed subjects by the JWT realm

[albertzaharovits]

This adds support for allowing JWT token sub claims with Lucene patterns and wildcards,
by introducing a new JWT realm setting allowed_subject_patterns that can be used
alongside the exist allowed_subjects realm setting.

[elasticsearchmachine]

Pinging @elastic/es-security (Team:Security)

[elasticsearchmachine]

Hi @albertzaharovits, I've created a changelog YAML for you.

[slobodanadamovic]

Overall functional changes are looking good. I left a few non-blocking comments for the code change. 👍

I still need to review tests and documentation changes. Just wanted to leave the initial feedback first.

[slobodanadamovic]

nit: The allowedClaimValues is not nullable anymore and will cause NPE when used below. We do validate it before constructing the validator, but maybe we should assert it as well. Same is for newly added allowedClaimValuePatterns.

[albertzaharovits]

I pushed the asserts, but in principal I prefer we annotate nullable parameters and assume the others cannot be null.

[slobodanadamovic]

I like that we don't accept null anymore, but the null here was nicely short-circuiting the check to mean allow all and avoid any checks. Maybe we could do something similar and introduce a new private constructor which instead of allowedClaimValues and allowedClaimValuePatterns collections simply accepts allowedClaimValuesPredicate . This way we can create ALLOW_ALL_SUBJECTS which always returns true and thus avoid string matching against *.

[slobodanadamovic]

On a second thought, this would not solve it completely. The proper way to short-circuit it would be if allowedClaimValuesPredicate accepted a list of strings to check.

[albertzaharovits]

The * used in the ALLOW_ALL_SUBJECTS benefits of some short-circuting of sorts:

elasticsearch/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/support/Automatons.java

Lines 214 to 216 in 5c26cf0

	} else if (pattern.equals("*")) {
	return MATCH_ALL;
	} else {

In the JwtStringClaimValidator constructor I could short-circuit the predicate building logic if either one of the "allowed" lists is empty, but I think that would complicate the logic for very little benefit (e.g. I expect the JVM will figure out that set stays empty and expedite the contains check).

[slobodanadamovic]

Wasn't aware of a short-circuit in Automatons. Agreed, let's keep it simple and optimize if we need to.

[slobodanadamovic]

optional: I don't feel strongly, but we could potentially move this settings validation to JwtRealmSetting class and implement a custom Setting.Validator for both allowed_subjects and allowed_subject_patterns.

[albertzaharovits]

Good point. I've pushed f095252 , but the "richness" of the error description decreased because it's not possible to tell if the dependent setting (of some other setting) is specified or not (validation has access to the default value in case it's not specified).
So now the error message only tells you that one of allowed_subjects or allowed_subject_patterns must be specified and not be empty.

[slobodanadamovic]

optional: Would be nice to include a small example (similarly like you did for Lucene regex) that shows usage of both wildcards (including escaping).

[albertzaharovits]

Pushed cc62b3b .

[slobodanadamovic]

Nice job on testing.
small nit: We could potentially add tests which demonstrate that:

1. sub validation is case sensitive
2. ? can be used as a single special character that must be present
3. an empty ("") sub is rejected

[slobodanadamovic]

Additional test suggestion, we could adjust existing JwtRestIT integration test to randomly include allowed_subjects or allowed_subject_patterns (e.g. service_*@app?.example.com).

[albertzaharovits]

Pushed 59c5bd9 30cee67 2200f51 and 910a334

[slobodanadamovic]

LGTM 👍
Left a couple of non-blocking nits and suggestions. Feel free to address at your discretion.

[jakelandis]

LGTM

[jakelandis]

nit: should this also include the fallback sub if it is defined ?

[albertzaharovits]

Maybe, if we go with also using patterns for more claims in the future. I'm not convinced for subjects only, today, it's warranted, and in any case, it's slightly messy to implement.
This error shows up when the allowed_subject_patterns is invalid, and it will show up in the logs as: "Invalid patterns for allowed claim values for [sub]." Even if the settings also contain something such as fallback_claims.sub: client_id I think the error is telling enough.