Adding authentication information to access token create APIs #62490
Conversation
BigPandaToo
added
:Security/Client
|
Pinging @elastic/es-security (:Security/Client) |
There was a problem hiding this comment.
The changes are in the right direction. A few general things can be improved upon:
-
Tests
- For existing tests that use the updated response classes, we should use actual authentication object to fill the new field instead of
null. I commented it forDelegatePkiAuthenticationResponseTests, but there are a few more places like it. - The YAML test failures are genuine. Those tests try to match the response object literally. The fix should be along the line of adding the authentication field into the response samples.
- Tests for TransportXxxAction classes. This could get a bit tricky because there are not many unit tests for these type of classes. So you'll need add to the following integration tests. The following is a rough list for where some assertions could be added:
OpenIdConnectAuthIT#completeAuthenticationSamlAuthenticationIT#submitSamlResponseTokenAuthIntegTestsPkiAuthDelegationIntegTests
- For existing tests that use the updated response classes, we should use actual authentication object to fill the new field instead of
-
Client code - Many of the Request and Response classes have their correspondences in the High Level Rest Client (HLRC) package, e.g. For
DelegatePkiAuthenticationResponse, there is one in theorg.elasticsearch.client.securitypackage, which is different from the one inorg.elasticsearch.xpack.core.security.action. They also need to be updated with the new fields. Naturally, the relevant tests also need to be updated after the main code changes. -
New field and BackWards Compatibility (BWC) - When fields are added or removed from existing entitiy classes, extra handling are mostly (if not always) needed to ensure things work correctly in a mixed-version cluster environment. The most common changes are with the Reader and Writer interfaces, where the field is handled differently based on the in/out stream version. An example of this can be seen in
SamlAuthenticateResponse, which is one of the class you need update as well.
.../src/test/java/org/elasticsearch/client/security/DelegatePkiAuthenticationResponseTests.java
Outdated
Show resolved
Hide resolved
...ava/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateResponse.java
Outdated
Show resolved
Hide resolved
...ava/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateResponse.java
Outdated
Show resolved
Hide resolved
...ava/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateResponse.java
Show resolved
Hide resolved
...rc/test/java/org/elasticsearch/xpack/core/action/DelegatePkiAuthenticationResponseTests.java
Outdated
Show resolved
Hide resolved
...src/main/java/org/elasticsearch/xpack/security/action/token/TransportRefreshTokenAction.java
Outdated
Show resolved
Hide resolved
|
@elasticmachine update branch |
1 similar comment
|
@elasticmachine update branch |
|
Fixed tests, added changes to RHL APIs + test, backward compatibility, updated TransportRefreshTokenAction |
There was a problem hiding this comment.
Thanks @BigPandaToo The latest changes are looking great. This PR is turning out to be of decent size because of heavy involvement of the request/response objects. There is only one thing from my previous comment still needs to be addressed: "Tests for TransportXxxAction classes". What needs to be done is essentially adding assertions into the existing test methods that perform token related authentication to assert that the response does contain the new authentication field.
I also left a few other comments.
...est-high-level/src/test/java/org/elasticsearch/client/security/CreateTokenResponseTests.java
Outdated
Show resolved
Hide resolved
.../src/test/java/org/elasticsearch/client/security/DelegatePkiAuthenticationResponseTests.java
Outdated
Show resolved
Hide resolved
x-pack/docs/en/rest-api/security/delegate-pki-authentication.asciidoc
Outdated
Show resolved
Hide resolved
...ain/java/org/elasticsearch/xpack/core/security/action/DelegatePkiAuthenticationResponse.java
Outdated
Show resolved
Hide resolved
...ava/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectAuthenticateResponse.java
Outdated
Show resolved
Hide resolved
...rc/main/java/org/elasticsearch/xpack/core/security/action/saml/SamlAuthenticateResponse.java
Show resolved
Hide resolved
...re/src/main/java/org/elasticsearch/xpack/core/security/action/token/CreateTokenResponse.java
Outdated
Show resolved
Hide resolved
...rc/test/java/org/elasticsearch/xpack/core/action/DelegatePkiAuthenticationResponseTests.java
Outdated
Show resolved
Hide resolved
...c/test/java/org/elasticsearch/xpack/security/rest/action/oauth2/RestGetTokenActionTests.java
Show resolved
Hide resolved
|
@elasticmachine update branch |
|
@elasticmachine update branch |
|
@elasticmachine run elasticsearch-ci/packaging-sample-windows |
1 similar comment
|
@elasticmachine run elasticsearch-ci/packaging-sample-windows |
There was a problem hiding this comment.
Thanks for the iteration. It's looking good. One of my initial comments still needs to be addressed. I am copying/pasting it here for your convenience:
- Tests for TransportXxxAction classes. This could get a bit tricky because there are not many unit tests for these type of classes. So you'll need add them to the following integration tests. The following is a rough list for where some assertions could be added:
- OpenIdConnectAuthIT#completeAuthentication
- SamlAuthenticationIT#submitSamlResponse
- TokenAuthIntegTests
- PkiAuthDelegationIntegTests
Other than the above, I have a few other minor comments.
docs/java-rest/high-level/security/delegate-pki-authentication.asciidoc
Outdated
Show resolved
Hide resolved
...re/src/main/java/org/elasticsearch/xpack/core/security/action/token/CreateTokenResponse.java
Outdated
Show resolved
Hide resolved
Adding authentication object to following APIs: /_security/oauth2/token /_security/delegate_pki /_security/saml/authenticate /_security/oidc/authenticate Resolves: elastic#59685 (cherry picked from commit 51dbd9e)
…AD metadata) Addressing PR comments
…AD metadata) Update version check
…AD metadata) Update version check
BigPandaToo
force-pushed
the
APIresponse
branch
from
20b3799
to
58a8c7b
Compare
|
@elasticmachine run elasticsearch-ci/2 |
|
@elasticmachine run elasticsearch-ci/1 |
client/rest-high-level/src/main/java/org/elasticsearch/client/security/CreateTokenResponse.java
Show resolved
Hide resolved
| @@ -104,6 +104,7 @@ public void testTokenServiceBootstrapOnNodeJoin() throws Exception { | |||
| PlainActionFuture<UserToken> userTokenFuture = new PlainActionFuture<>(); | |||
| tokenService.decodeToken(response.getAccessToken(), userTokenFuture); | |||
| assertNotNull(userTokenFuture.actionGet()); | |||
| assertNotNull(response.getAuthenticationResponse()); | |||
There was a problem hiding this comment.
Nit: I think this assertion is better to be close to where the response object is defined, i.e. straight after CreateTokenResponse response = restClient.... It reads better this way since the test is close to the target. Also, in case it fails, it fails quickly before having to go through the token decrpytion which involves cluster traffic.
| @@ -133,6 +134,7 @@ public void testTokenServiceCanRotateKeys() throws Exception { | |||
| assertNotNull(userTokenFuture.actionGet()); | |||
| assertNotEquals(activeKeyHash, tokenService.getActiveKeyHash()); | |||
| } | |||
| assertNotNull(response.getAuthenticationResponse()); | |||
There was a problem hiding this comment.
We should assert the authentication object's principal name as well. This is because the token creation call involves two credentials, one is the invoking user and the other is the user whom the token is created for. We can assert that the authentication's principal is the second user, not the first one.
| builder.field("access_token", response.getAccessTokenString()); | ||
| builder.field("refresh_token", response.getRefreshTokenString()); | ||
| builder.field("expires_in", response.getExpiresIn().seconds()); | ||
| builder.field("authentication", response.getAuthentication()); |
There was a problem hiding this comment.
I wonder whether we should have null check here as well similar to how it is done in the toXContent, writeTo methods. It may not be absolutely necessary since this is a rest action and odic cannot be perform with transport client only. But then I am not sure whether there could be some weird combination that could lead to a null value here. Overall I'd say it is easier to just add a null check here so we are sure it is covered in any cases.
| builder.field("access_token", response.getTokenString()); | ||
| builder.field("refresh_token", response.getRefreshToken()); | ||
| builder.field("expires_in", response.getExpiresIn().seconds()); | ||
| builder.field("authentication", response.getAuthentication()); |
There was a problem hiding this comment.
Addressed in #63792
|
Heya @BigPandaToo , I think you missed some of the comments from @ywangd in the last review round! We can either revert and redo this or handle in a followup, before backporting the changes to 7.x ? |
|
Yep, sorry about that, already working on follow up |
Fixing username
Fixing formatting
…c#62490) * Adding authentication information to access token create APIs Adding authentication object to following APIs: /_security/oauth2/token /_security/delegate_pki /_security/saml/authenticate /_security/oidc/authenticate Resolves: elastic#59685 (cherry picked from commit 51dbd9e) * Addressing PR commends, fixing tests * Returning tokenGroups attribute as SID string instead of byte array (AD metadata) Addressing PR comments * Returning tokenGroups attribute as SID string instead of byte array (AD metadata) Update version check * Returning tokenGroups attribute as SID string instead of byte array (AD metadata) Update version check * Addressing more PR comments * Adding more to integration tests + some small fixes
) * Nit fixes and formatting following elastic#62490 comments Resolves: elastic#63792 * Nit fixes and formatting following elastic#62490 comments Resolves: elastic#63792 * Nit fixes and formatting following elastic#62490 comments Fixing username * Nit fixes and formatting following elastic#62490 comments Fixing formatting
#63841) * Adding authentication information to access token create APIs (#62490) * Adding authentication information to access token create APIs Adding authentication object to following APIs: /_security/oauth2/token /_security/delegate_pki /_security/saml/authenticate /_security/oidc/authenticate Resolves: #59685 (cherry picked from commit 51dbd9e) * Addressing PR commends, fixing tests * Returning tokenGroups attribute as SID string instead of byte array (AD metadata) Addressing PR comments * Returning tokenGroups attribute as SID string instead of byte array (AD metadata) Update version check * Returning tokenGroups attribute as SID string instead of byte array (AD metadata) Update version check * Addressing more PR comments * Adding more to integration tests + some small fixes * Nit fixes and formatting following #62490 comments (#63797) * Nit fixes and formatting following #62490 comments Resolves: #63792 * Nit fixes and formatting following #62490 comments Resolves: #63792 * Nit fixes and formatting following #62490 comments Fixing username * Nit fixes and formatting following #62490 comments Fixing formatting * Fixing merge conflicts * Fixing merge conflicts
Adding authentication object to following APIs:
/_security/oauth2/token
/_security/delegate_pki
/_security/saml/authenticate
/_security/oidc/authenticate
Resolves: #59685