Allow cofiguring SAML secure attributes

This PR is twofold:
- it adds a new `secure_attributes` setting to the SAML realm, and
- introduces extension point that allows providing a custom
 `SamlAuthenticateResponseHandler`

The `secure_attributes` setting can be used to define which SAML attributes
should be treated as secure. This implies that these attributes should not
be logged, or returned as part of user's metadata when
`populate_user_metadata` is set to `true`.

Author: slobodanadamovic

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/saml/SamlRealmSettings.java

@@ -139,6 +139,16 @@ public class SamlRealmSettings {
         key -> Setting.positiveTimeSetting(key, TimeValue.timeValueMinutes(3), Setting.Property.NodeScope)
     );
 
+    /**
+     * The names of attributes that should be treated as secure and never populated as part of user metadata
+     * (even when {@code #POPULATE_USER_METADATA} is configured).
+     */
+    public static final Function<String, Setting.AffixSetting<List<String>>> SECURE_ATTRIBUTES = (type) -> Setting.affixKeySetting(
+        RealmSettings.realmSettingPrefix(type),
+        "secure_attributes",
+        (key) -> Setting.stringListSetting(key, attributes -> verifyNonNullNotEmpty(key, attributes), Setting.Property.NodeScope)
+    );
+
     public static final Function<String, Setting.AffixSetting<List<String>>> EXCLUDE_ROLES = (type) -> Setting.affixKeySetting(
         RealmSettings.realmSettingPrefix(type),
         "exclude_roles",
@@ -201,7 +211,8 @@ public static Set<Setting.AffixSetting<?>> getSettings(String type) {
             ENCRYPTION_KEY_ALIAS.apply(type),
             SIGNING_KEY_ALIAS.apply(type),
             SIGNING_MESSAGE_TYPES.apply(type),
-            REQUESTED_AUTHN_CONTEXT_CLASS_REF.apply(type)
+            REQUESTED_AUTHN_CONTEXT_CLASS_REF.apply(type),
+            SECURE_ATTRIBUTES.apply(type)
         );
 
         set.addAll(X509KeyPairSettings.affix(RealmSettings.realmSettingPrefix(type), ENCRYPTION_SETTING_KEY, false));

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java

@@ -310,6 +310,7 @@
 import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore;
 import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm;
 import org.elasticsearch.xpack.security.authc.jwt.JwtRealm;
+import org.elasticsearch.xpack.security.authc.saml.SamlAuthenticateResponseHandler;
 import org.elasticsearch.xpack.security.authc.service.CachingServiceAccountTokenStore;
 import org.elasticsearch.xpack.security.authc.service.CompositeServiceAccountTokenStore;
 import org.elasticsearch.xpack.security.authc.service.FileServiceAccountTokenStore;
@@ -641,6 +642,7 @@ public class Security extends Plugin
     private final SetOnce<SecondaryAuthActions> secondaryAuthActions = new SetOnce<>();
     private final SetOnce<QueryableBuiltInRolesProviderFactory> queryableRolesProviderFactory = new SetOnce<>();
     private final SetOnce<SecurityMigrationExecutor> securityMigrationExecutor = new SetOnce<>();
+    private final SetOnce<SamlAuthenticateResponseHandler.Factory> samlAuthenticateResponseHandlerFactory = new SetOnce<>();
 
     // Node local retry count for migration jobs that's checked only on the master node to make sure
     // submit migration jobs doesn't get out of hand and retries forever if they fail. Reset by a
@@ -990,6 +992,15 @@ Collection<Object> createComponents(
         if (fileRoleValidator.get() == null) {
             fileRoleValidator.set(new FileRoleValidator.Default());
         }
+        if (samlAuthenticateResponseHandlerFactory.get() == null) {
+            samlAuthenticateResponseHandlerFactory.set(new SamlAuthenticateResponseHandler.DefaultFactory());
+        }
+        components.add(
+            new PluginComponentBinding<>(
+                SamlAuthenticateResponseHandler.class,
+                samlAuthenticateResponseHandlerFactory.get().create(tokenService, getClock())
+            )
+        );
         this.fileRolesStore.set(
             new FileRolesStore(settings, environment, resourceWatcherService, getLicenseState(), xContentRegistry, fileRoleValidator.get())
         );
@@ -2477,6 +2488,7 @@ public void loadExtensions(ExtensionLoader loader) {
         loadSingletonExtensionAndSetOnce(loader, fileRoleValidator, FileRoleValidator.class);
         loadSingletonExtensionAndSetOnce(loader, secondaryAuthActions, SecondaryAuthActions.class);
         loadSingletonExtensionAndSetOnce(loader, queryableRolesProviderFactory, QueryableBuiltInRolesProviderFactory.class);
+        loadSingletonExtensionAndSetOnce(loader, samlAuthenticateResponseHandlerFactory, SamlAuthenticateResponseHandler.Factory.class);
     }
 
     private <T> void loadSingletonExtensionAndSetOnce(ExtensionLoader loader, SetOnce<T> setOnce, Class<T> clazz) {

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlAuthenticateAction.java

@@ -12,7 +12,6 @@
 import org.elasticsearch.action.support.HandledTransportAction;
 import org.elasticsearch.common.util.concurrent.EsExecutors;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
-import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.injection.guice.Inject;
 import org.elasticsearch.tasks.Task;
 import org.elasticsearch.threadpool.ThreadPool;
@@ -25,11 +24,9 @@
 import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
 import org.elasticsearch.xpack.core.security.user.User;
 import org.elasticsearch.xpack.security.authc.AuthenticationService;
-import org.elasticsearch.xpack.security.authc.TokenService;
-import org.elasticsearch.xpack.security.authc.saml.SamlRealm;
+import org.elasticsearch.xpack.security.authc.saml.SamlAuthenticateResponseHandler;
 import org.elasticsearch.xpack.security.authc.saml.SamlToken;
 
-import java.util.Map;
 import java.util.concurrent.Executor;
 
 /**
@@ -39,7 +36,7 @@ public final class TransportSamlAuthenticateAction extends HandledTransportActio
 
     private final ThreadPool threadPool;
     private final AuthenticationService authenticationService;
-    private final TokenService tokenService;
+    private final SamlAuthenticateResponseHandler tokenHandler;
     private final SecurityContext securityContext;
     private final Executor genericExecutor;
 
@@ -49,7 +46,7 @@ public TransportSamlAuthenticateAction(
         TransportService transportService,
         ActionFilters actionFilters,
         AuthenticationService authenticationService,
-        TokenService tokenService,
+        SamlAuthenticateResponseHandler tokenHandler,
         SecurityContext securityContext
     ) {
         // TODO replace DIRECT_EXECUTOR_SERVICE when removing workaround for https://github.com/elastic/elasticsearch/issues/97916
@@ -62,7 +59,7 @@ public TransportSamlAuthenticateAction(
         );
         this.threadPool = threadPool;
         this.authenticationService = authenticationService;
-        this.tokenService = tokenService;
+        this.tokenHandler = tokenHandler;
         this.securityContext = securityContext;
         this.genericExecutor = threadPool.generic();
     }
@@ -88,25 +85,9 @@ private void doExecuteForked(Task task, SamlAuthenticateRequest request, ActionL
                 }
                 assert authentication != null : "authentication should never be null at this point";
                 assert false == authentication.isRunAs() : "saml realm authentication cannot have run-as";
-                @SuppressWarnings("unchecked")
-                final Map<String, Object> tokenMeta = (Map<String, Object>) result.getMetadata().get(SamlRealm.CONTEXT_TOKEN_DATA);
-                tokenService.createOAuth2Tokens(
-                    authentication,
-                    originatingAuthentication,
-                    tokenMeta,
-                    true,
-                    ActionListener.wrap(tokenResult -> {
-                        final TimeValue expiresIn = tokenService.getExpirationDelay();
-                        listener.onResponse(
-                            new SamlAuthenticateResponse(
-                                authentication,
-                                tokenResult.getAccessToken(),
-                                tokenResult.getRefreshToken(),
-                                expiresIn
-                            )
-                        );
-                    }, listener::onFailure)
-                );
+                assert result.isAuthenticated();
+                tokenHandler.handleTokenResponse(authentication, originatingAuthentication, result, listener);
+
             }, e -> {
                 logger.debug(() -> "SamlToken [" + saml + "] could not be authenticated", e);
                 listener.onFailure(e);

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/DefaultSamlAuthenticateResponseHandler.java

@@ -0,0 +1,46 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+package org.elasticsearch.xpack.security.authc.saml;
+
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.core.TimeValue;
+import org.elasticsearch.xpack.core.security.action.saml.SamlAuthenticateResponse;
+import org.elasticsearch.xpack.core.security.authc.Authentication;
+import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
+import org.elasticsearch.xpack.core.security.user.User;
+import org.elasticsearch.xpack.security.authc.TokenService;
+
+import java.util.Map;
+
+/**
+ * Default implementation of {@link SamlAuthenticateResponseHandler} that returns tokens crested using the {@link TokenService}.
+ */
+public final class DefaultSamlAuthenticateResponseHandler implements SamlAuthenticateResponseHandler {
+
+    private final TokenService tokenService;
+
+    public DefaultSamlAuthenticateResponseHandler(TokenService tokenService) {
+        this.tokenService = tokenService;
+    }
+
+    @Override
+    public void handleTokenResponse(
+        Authentication authentication,
+        Authentication originatingAuthentication,
+        AuthenticationResult<User> authenticationResult,
+        ActionListener<SamlAuthenticateResponse> listener
+    ) {
+        @SuppressWarnings("unchecked")
+        final Map<String, Object> tokenMeta = (Map<String, Object>) authenticationResult.getMetadata().get(SamlRealm.CONTEXT_TOKEN_DATA);
+        tokenService.createOAuth2Tokens(authentication, originatingAuthentication, tokenMeta, true, ActionListener.wrap(tokenResult -> {
+            final TimeValue expiresIn = tokenService.getExpirationDelay();
+            listener.onResponse(
+                new SamlAuthenticateResponse(authentication, tokenResult.getAccessToken(), tokenResult.getRefreshToken(), expiresIn)
+            );
+        }, listener::onFailure));
+    }
+}

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlAttributes.java

@@ -7,7 +7,10 @@
 package org.elasticsearch.xpack.security.authc.saml;
 
 import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.settings.SecureString;
+import org.elasticsearch.core.IOUtils;
 import org.elasticsearch.core.Nullable;
+import org.elasticsearch.core.Releasable;
 import org.opensaml.saml.saml2.core.Attribute;
 import org.opensaml.saml.saml2.core.NameIDType;
 
@@ -17,19 +20,25 @@
 /**
  * An lightweight collection of SAML attributes
  */
-public class SamlAttributes {
+public class SamlAttributes implements Releasable {
 
     public static final String NAMEID_SYNTHENTIC_ATTRIBUTE = "nameid";
     public static final String PERSISTENT_NAMEID_SYNTHENTIC_ATTRIBUTE = "nameid:persistent";
 
     private final SamlNameId name;
     private final String session;
     private final List<SamlAttribute> attributes;
+    private final List<SamlSecureAttribute> secureAttributes;
 
     SamlAttributes(SamlNameId name, String session, List<SamlAttribute> attributes) {
+        this(name, session, attributes, List.of());
+    }
+
+    SamlAttributes(SamlNameId name, String session, List<SamlAttribute> attributes, List<SamlSecureAttribute> secureAttributes) {
         this.name = name;
         this.session = session;
         this.attributes = attributes;
+        this.secureAttributes = secureAttributes;
     }
 
     /**
@@ -54,10 +63,28 @@ List<String> getAttributeValues(String attributeId) {
             .toList();
     }
 
+    List<SecureString> getSecureAttributeValues(String attributeId) {
+        if (Strings.isNullOrEmpty(attributeId)) {
+            return List.of();
+        }
+        return secureAttributes.stream()
+            .filter(attr -> attributeId.equals(attr.name) || attributeId.equals(attr.friendlyName))
+            .flatMap(attr -> attr.values.stream())
+            .toList();
+    }
+
     List<SamlAttribute> attributes() {
         return attributes;
     }
 
+    List<SamlSecureAttribute> secureAttributes() {
+        return secureAttributes;
+    }
+
+    boolean isEmpty() {
+        return attributes.isEmpty() && secureAttributes.isEmpty();
+    }
+
     SamlNameId name() {
         return name;
     }
@@ -68,7 +95,12 @@ String session() {
 
     @Override
     public String toString() {
-        return getClass().getSimpleName() + "(" + name + ")[" + session + "]{" + attributes + "}";
+        return getClass().getSimpleName() + "(" + name + ")[" + session + "]{" + attributes + "}{" + secureAttributes + "}";
+    }
+
+    @Override
+    public void close() {
+        IOUtils.closeWhileHandlingException(secureAttributes);
     }
 
     static class SamlAttribute {
@@ -103,4 +135,59 @@ public String toString() {
         }
     }
 
+    static class SamlSecureAttribute implements Releasable {
+
+        final String name;
+        final String friendlyName;
+        final List<SecureString> values;
+
+        SamlSecureAttribute(Attribute attribute) {
+            this(
+                attribute.getName(),
+                attribute.getFriendlyName(),
+                attribute.getAttributeValues()
+                    .stream()
+                    .map(x -> x.getDOM().getTextContent())
+                    .filter(Objects::nonNull)
+                    .map(String::toCharArray)
+                    .map(SecureString::new)
+                    .toList()
+            );
+        }
+
+        SamlSecureAttribute(String name, @Nullable String friendlyName, List<SecureString> values) {
+            this.name = Objects.requireNonNull(name, "Attribute name cannot be null");
+            this.friendlyName = friendlyName;
+            this.values = values;
+        }
+
+        String name() {
+            return name;
+        }
+
+        String friendlyName() {
+            return friendlyName;
+        }
+
+        List<SecureString> values() {
+            return values;
+        }
+
+        @Override
+        public String toString() {
+            StringBuilder str = new StringBuilder();
+            if (Strings.isNullOrEmpty(friendlyName)) {
+                str.append(name);
+            } else {
+                str.append(friendlyName).append('(').append(name).append(')');
+            }
+            str.append("=").append("::es_redacted::").append("(len=").append(values.size()).append(')');
+            return str.toString();
+        }
+
+        @Override
+        public void close() {
+            IOUtils.closeWhileHandlingException(values);
+        }
+    }
 }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticateResponseHandler.java

@@ -0,0 +1,50 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+package org.elasticsearch.xpack.security.authc.saml;
+
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.xpack.core.security.action.saml.SamlAuthenticateResponse;
+import org.elasticsearch.xpack.core.security.authc.Authentication;
+import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
+import org.elasticsearch.xpack.core.security.user.User;
+import org.elasticsearch.xpack.security.authc.TokenService;
+
+import java.time.Clock;
+
+/**
+ * Interface for handling successful SAML authentications.
+ */
+public interface SamlAuthenticateResponseHandler {
+
+    /**
+     * Called to handle and return a ({@link SamlAuthenticateResponse}) after successful SAML authentication.
+     */
+    void handleTokenResponse(
+        Authentication authentication,
+        Authentication originatingAuthentication,
+        AuthenticationResult<User> authenticationResult,
+        ActionListener<SamlAuthenticateResponse> listener
+    );
+
+    /**
+     * The factory is used to make handler pluggable.
+     */
+    interface Factory {
+        SamlAuthenticateResponseHandler create(TokenService tokenService, Clock clock);
+    }
+
+    /**
+     * The default factory that creates {@link DefaultSamlAuthenticateResponseHandler}.
+     */
+    class DefaultFactory implements Factory {
+
+        @Override
+        public SamlAuthenticateResponseHandler create(TokenService tokenService, Clock clock) {
+            return new DefaultSamlAuthenticateResponseHandler(tokenService);
+        }
+    }
+}