[PoC] Pluggable authenticator chain

Author: slobodanadamovic

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityExtension.java

@@ -16,7 +16,7 @@
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationFailureHandler;
 import org.elasticsearch.xpack.core.security.authc.Realm;
-import org.elasticsearch.xpack.core.security.authc.apikey.CustomTokenAuthenticator;
+import org.elasticsearch.xpack.core.security.authc.apikey.CustomAuthenticator;
 import org.elasticsearch.xpack.core.security.authc.service.NodeLocalServiceAccountTokenStore;
 import org.elasticsearch.xpack.core.security.authc.service.ServiceAccountTokenStore;
 import org.elasticsearch.xpack.core.security.authc.support.UserRoleMapper;
@@ -129,7 +129,7 @@ default ServiceAccountTokenStore getServiceAccountTokenStore(SecurityComponents
         return null;
     }
 
-    default List<CustomTokenAuthenticator> getCustomApiKeyAuthenticator(SecurityComponents components) {
+    default List<CustomAuthenticator> getCustomAuthenticators(SecurityComponents components) {
         return null;
     }
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/apikey/CustomAuthenticator.java

@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.core.security.authc.apikey;
+
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.common.util.concurrent.ThreadContext;
+import org.elasticsearch.core.Nullable;
+import org.elasticsearch.xpack.core.security.authc.Authentication;
+import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
+import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
+import org.elasticsearch.xpack.core.security.user.User;
+
+/**
+ * An extension point to provide a custom token authenticator implementation. For example, a custom API key or a custom OAuth2 token implementation.
+ * The implementation is wrapped by a core `Authenticator` class and included in the authenticator chain _before_ the
+ * respective "standard" authenticator(s).
+ */
+public interface CustomAuthenticator {
+
+    boolean supports(AuthenticationToken token);
+
+    @Nullable
+    AuthenticationToken extractToken(ThreadContext context);
+
+    void authenticate(@Nullable AuthenticationToken token, ActionListener<AuthenticationResult<Authentication>> listener);
+
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/apikey/CustomTokenAuthenticator.java

@@ -201,7 +201,7 @@
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
 import org.elasticsearch.xpack.core.security.authc.Subject;
-import org.elasticsearch.xpack.core.security.authc.apikey.CustomTokenAuthenticator;
+import org.elasticsearch.xpack.core.security.authc.apikey.CustomAuthenticator;
 import org.elasticsearch.xpack.core.security.authc.service.NodeLocalServiceAccountTokenStore;
 import org.elasticsearch.xpack.core.security.authc.service.ServiceAccountTokenStore;
 import org.elasticsearch.xpack.core.security.authc.support.UserRoleMapper;
@@ -1068,9 +1068,7 @@ Collection<Object> createComponents(
             operatorPrivilegesService.set(OperatorPrivileges.NOOP_OPERATOR_PRIVILEGES_SERVICE);
         }
 
-        final Collection<CustomTokenAuthenticator> customTokenAuthenticator = createCustomApiKeyAuthenticator(extensionComponents);
-
-        components.add(customTokenAuthenticator);
+        final List<CustomAuthenticator> customAuthenticators = getCustomAuthenticatorFromExtensions(extensionComponents);
 
         authcService.set(
             new AuthenticationService(
@@ -1084,7 +1082,7 @@ Collection<Object> createComponents(
                 apiKeyService,
                 serviceAccountService,
                 operatorPrivilegesService.get(),
-                customTokenAuthenticator,
+                customAuthenticators,
                 telemetryProvider.getMeterRegistry()
             )
         );
@@ -1220,47 +1218,48 @@ Collection<Object> createComponents(
         return components;
     }
 
-    private List<CustomTokenAuthenticator> createCustomApiKeyAuthenticator(SecurityExtension.SecurityComponents extensionComponents) {
-        final Map<String, List<CustomTokenAuthenticator>> customApiKeyAuthenticatorByExtension = new HashMap<>();
-        for (final SecurityExtension extension : securityExtensions) {
-            final List<CustomTokenAuthenticator> customTokenAuthenticator = extension.getCustomApiKeyAuthenticator(extensionComponents);
-            if (customTokenAuthenticator != null) {
-                if (false == isInternalExtension(extension)) {
+    private List<CustomAuthenticator> getCustomAuthenticatorFromExtensions(SecurityExtension.SecurityComponents extensionComponents) {
+        final Map<String, List<CustomAuthenticator>> customAuthenticatorsByExtension = new HashMap<>();
+        for (final SecurityExtension securityExtension : securityExtensions) {
+            final List<CustomAuthenticator> customAuthenticators = securityExtension.getCustomAuthenticators(extensionComponents);
+            if (customAuthenticators != null) {
+                if (false == isInternalExtension(securityExtension)) {
                     throw new IllegalStateException(
                         "The ["
-                            + extension.extensionName()
-                            + "] extension tried to install a custom CustomApiKeyAuthenticator. "
+                            + securityExtension.extensionName()
+                            + "] extension tried to install a  "
+                            + CustomAuthenticator.class.getSimpleName()
+                            + ". "
                             + "This functionality is not available to external extensions."
                     );
                 }
-                customApiKeyAuthenticatorByExtension.put(extension.extensionName(), customTokenAuthenticator);
+                customAuthenticatorsByExtension.put(securityExtension.extensionName(), customAuthenticators);
             }
         }
 
-        if (customApiKeyAuthenticatorByExtension.isEmpty()) {
+        if (customAuthenticatorsByExtension.isEmpty()) {
             logger.debug(
-                "No custom implementation for [{}]. Falling-back to noop implementation.",
-                CustomTokenAuthenticator.class.getCanonicalName()
+                "No custom implementations for [{}] provided by security extensions.",
+                CustomAuthenticator.class.getCanonicalName()
             );
-            return List.of(new CustomTokenAuthenticator.Noop());
-
-        } else if (customApiKeyAuthenticatorByExtension.size() > 1) {
+            return List.of();
+        } else if (customAuthenticatorsByExtension.size() > 1) {
             throw new IllegalStateException(
-                "Multiple extensions tried to install a custom CustomApiKeyAuthenticator: " + customApiKeyAuthenticatorByExtension.keySet()
+                "Multiple extensions tried to install custom authenticators: " + customAuthenticatorsByExtension.keySet()
             );
-
         } else {
-            final var authenticatorByExtensionEntry = customApiKeyAuthenticatorByExtension.entrySet().iterator().next();
-            final List<CustomTokenAuthenticator> customTokenAuthenticators = authenticatorByExtensionEntry.getValue();
+            final var authenticatorByExtensionEntry = customAuthenticatorsByExtension.entrySet().iterator().next();
+            final List<CustomAuthenticator> customAuthenticators = authenticatorByExtensionEntry.getValue();
             final String extensionName = authenticatorByExtensionEntry.getKey();
-            for (CustomTokenAuthenticator authenticator : customTokenAuthenticators) {
+            for (CustomAuthenticator authenticator : customAuthenticators) {
                 logger.debug(
-                    "CustomApiKeyAuthenticator implementation [{}] provided by extension [{}]",
+                    "{} implementation [{}] provided by extension [{}]",
+                    CustomAuthenticator.class.getSimpleName(),
                     authenticator.getClass().getCanonicalName(),
                     extensionName
                 );
             }
-            return customTokenAuthenticators;
+            return customAuthenticators;
         }
     }
 

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java

@@ -30,7 +30,7 @@
 import org.elasticsearch.xpack.core.security.authc.AuthenticationServiceField;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
 import org.elasticsearch.xpack.core.security.authc.Realm;
-import org.elasticsearch.xpack.core.security.authc.apikey.CustomTokenAuthenticator;
+import org.elasticsearch.xpack.core.security.authc.apikey.CustomAuthenticator;
 import org.elasticsearch.xpack.core.security.authc.support.AuthenticationContextSerializer;
 import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.EmptyAuthorizationInfo;
 import org.elasticsearch.xpack.core.security.user.AnonymousUser;
@@ -94,7 +94,7 @@ public AuthenticationService(
         ApiKeyService apiKeyService,
         ServiceAccountService serviceAccountService,
         OperatorPrivilegesService operatorPrivilegesService,
-        Collection<CustomTokenAuthenticator> customTokenAuthenticators,
+        List<CustomAuthenticator> customAuthenticators,
         MeterRegistry meterRegistry
     ) {
         this.realms = realms;
@@ -111,23 +111,15 @@ public AuthenticationService(
         }
 
         final String nodeName = Node.NODE_NAME_SETTING.get(settings);
-        CustomTokenAuthenticator oauth2Authenticator = customTokenAuthenticators.stream()
-            .filter(t -> t.name().contains("oauth2") || t instanceof CustomTokenAuthenticator.Noop)
-            .findAny()
-            .orElseThrow();
-        CustomTokenAuthenticator apiKeyAuthenticator = customTokenAuthenticators.stream()
-            .filter(t -> t.name().contains("api key") || t instanceof CustomTokenAuthenticator.Noop)
-            .findAny()
-            .orElseThrow();
+
         this.authenticatorChain = new AuthenticatorChain(
             settings,
             operatorPrivilegesService,
             anonymousUser,
             new AuthenticationContextSerializer(),
+            new PluggableAuthenticatorChain(customAuthenticators),
             new ServiceAccountAuthenticator(serviceAccountService, nodeName, meterRegistry),
-            new PluggableOAuth2TokenAuthenticator(oauth2Authenticator),
             new OAuth2TokenAuthenticator(tokenService, meterRegistry),
-            new PluggableApiKeyAuthenticator(apiKeyAuthenticator),
             new ApiKeyAuthenticator(apiKeyService, nodeName, meterRegistry),
             new RealmsAuthenticator(numInvalidation, lastSuccessfulAuthCache, meterRegistry)
         );

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/AbstractPluggableAuthenticator.java

@@ -26,6 +26,8 @@
 import org.elasticsearch.xpack.core.security.user.User;
 import org.elasticsearch.xpack.security.operator.OperatorPrivileges.OperatorPrivilegesService;
 
+import java.util.ArrayList;
+import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import java.util.function.BiConsumer;
@@ -52,10 +54,9 @@ class AuthenticatorChain {
         OperatorPrivilegesService operatorPrivilegesService,
         AnonymousUser anonymousUser,
         AuthenticationContextSerializer authenticationSerializer,
+        PluggableAuthenticatorChain pluggableAuthenticatorChain,
         ServiceAccountAuthenticator serviceAccountAuthenticator,
-        PluggableOAuth2TokenAuthenticator pluggableOAuth2TokenAuthenticator,
         OAuth2TokenAuthenticator oAuth2TokenAuthenticator,
-        PluggableApiKeyAuthenticator pluggableApiKeyAuthenticator,
         ApiKeyAuthenticator apiKeyAuthenticator,
         RealmsAuthenticator realmsAuthenticator
     ) {
@@ -66,14 +67,16 @@ class AuthenticatorChain {
         this.isAnonymousUserEnabled = AnonymousUser.isAnonymousEnabled(settings);
         this.authenticationSerializer = authenticationSerializer;
         this.realmsAuthenticator = realmsAuthenticator;
-        this.allAuthenticators = List.of(
-            serviceAccountAuthenticator,
-            pluggableOAuth2TokenAuthenticator,
-            oAuth2TokenAuthenticator,
-            pluggableApiKeyAuthenticator,
-            apiKeyAuthenticator,
-            realmsAuthenticator
-        );
+
+        List<Authenticator> authenticators = new ArrayList<>();
+        if (pluggableAuthenticatorChain.hasCustomAuthenticators()) {
+            authenticators.add(pluggableAuthenticatorChain);
+        }
+        authenticators.add(serviceAccountAuthenticator);
+        authenticators.add(oAuth2TokenAuthenticator);
+        authenticators.add(apiKeyAuthenticator);
+        authenticators.add(realmsAuthenticator);
+        this.allAuthenticators = Collections.unmodifiableList(authenticators);
     }
 
     void authenticate(Authenticator.Context context, ActionListener<Authentication> originalListener) {