set default request timeout of 10 seconds

Author: richard-dennehy

plugins/microsoft-graph-authz/build.gradle

@@ -71,7 +71,7 @@ dependencies {
   runtimeOnly "com.squareup.okio:okio:3.4.0"
   runtimeOnly "com.squareup.okio:okio-jvm:3.4.0"
   runtimeOnly "io.github.std-uritemplate:std-uritemplate:2.0.0"
-  runtimeOnly "com.azure:azure-core-http-okhttp:1.12.10"
+  implementation "com.azure:azure-core-http-okhttp:1.12.10"
   implementation "com.google.code.gson:gson:2.10"
 
   testRuntimeOnly "net.minidev:json-smart:2.5.2"

plugins/microsoft-graph-authz/src/main/java/module-info.java

@@ -22,6 +22,8 @@
     requires com.microsoft.graph.core;
     requires kotlin.stdlib;
     requires com.google.gson;
+    requires okhttp3;
+    requires com.azure.core.http.okhttp;
 
     provides org.elasticsearch.xpack.core.security.SecurityExtension with MicrosoftGraphAuthzPlugin;
 }

plugins/microsoft-graph-authz/src/main/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzRealm.java

@@ -9,6 +9,10 @@
 
 package org.elasticsearch.xpack.security.authz.microsoft;
 
+import com.azure.core.http.HttpClient;
+import com.azure.core.http.okhttp.OkHttpAsyncHttpClientBuilder;
+import com.azure.core.http.policy.RetryPolicy;
+import com.azure.core.util.HttpClientOptions;
 import com.azure.identity.ClientSecretCredentialBuilder;
 import com.microsoft.graph.core.requests.BaseGraphRequestAdapter;
 import com.microsoft.graph.core.tasks.PageIterator;
@@ -17,6 +21,10 @@
 import com.microsoft.graph.serviceclient.GraphServiceClient;
 import com.microsoft.kiota.authentication.AzureIdentityAuthenticationProvider;
 
+import com.microsoft.kiota.http.middleware.RetryHandler;
+
+import okhttp3.OkHttpClient;
+
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.settings.Setting;
@@ -39,6 +47,7 @@
 import org.elasticsearch.xpack.core.security.authc.support.UserRoleMapper;
 import org.elasticsearch.xpack.core.security.user.User;
 
+import java.time.Duration;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
@@ -151,12 +160,21 @@ public void lookupUser(String principal, ActionListener<User> listener) {
     private static GraphServiceClient buildClient(RealmConfig config) {
         final var clientSecret = config.getSetting(MicrosoftGraphAuthzRealmSettings.CLIENT_SECRET);
 
+        final var timeout = config.getSetting(MicrosoftGraphAuthzRealmSettings.HTTP_REQUEST_TIMEOUT);
+        final var httpClient = new OkHttpClient.Builder()
+            .callTimeout(Duration.ofSeconds(timeout.seconds()))
+            .addInterceptor(new RetryHandler())
+            .build();
+
         final var credentialProviderBuilder = new ClientSecretCredentialBuilder().clientId(
             config.getSetting(MicrosoftGraphAuthzRealmSettings.CLIENT_ID)
         )
             .clientSecret(clientSecret.toString())
             .tenantId(config.getSetting(MicrosoftGraphAuthzRealmSettings.TENANT_ID))
-            .authorityHost(config.getSetting(MicrosoftGraphAuthzRealmSettings.ACCESS_TOKEN_HOST));
+            .authorityHost(config.getSetting(MicrosoftGraphAuthzRealmSettings.ACCESS_TOKEN_HOST))
+            .httpClient(new OkHttpAsyncHttpClientBuilder(httpClient).build())
+            .enableUnsafeSupportLogging()
+            .enableAccountIdentifierLogging();
 
         if (DISABLE_INSTANCE_DISCOVERY) {
             credentialProviderBuilder.disableInstanceDiscovery();
@@ -166,7 +184,8 @@ private static GraphServiceClient buildClient(RealmConfig config) {
         return new GraphServiceClient(
             new BaseGraphRequestAdapter(
                 new AzureIdentityAuthenticationProvider(credentialProvider, Strings.EMPTY_ARRAY, "https://graph.microsoft.com/.default"),
-                config.getSetting(MicrosoftGraphAuthzRealmSettings.API_HOST)
+                config.getSetting(MicrosoftGraphAuthzRealmSettings.API_HOST),
+                httpClient
             )
         );
     }

plugins/microsoft-graph-authz/src/main/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzRealmSettings.java

@@ -11,6 +11,7 @@
 
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Setting;
+import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
 
 import java.util.ArrayList;
@@ -45,6 +46,12 @@ public class MicrosoftGraphAuthzRealmSettings {
         key -> Setting.simpleString(key, "https://graph.microsoft.com/v1.0", Setting.Property.NodeScope)
     );
 
+    public static final Setting.AffixSetting<TimeValue> HTTP_REQUEST_TIMEOUT = Setting.affixKeySetting(
+        RealmSettings.realmSettingPrefix(REALM_TYPE),
+        "http_request_timeout",
+        key -> Setting.timeSetting(key, TimeValue.timeValueSeconds(10), Setting.Property.NodeScope)
+    );
+
     public static List<Setting<?>> getSettings() {
         var settings = new ArrayList<Setting<?>>(RealmSettings.getStandardSettings(REALM_TYPE));
         settings.add(CLIENT_ID);

x-pack/plugin/security/qa/microsoft-graph-authz-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzPluginIT.java

@@ -12,6 +12,7 @@
 import org.elasticsearch.action.support.GroupedActionListener;
 import org.elasticsearch.action.support.PlainActionFuture;
 import org.elasticsearch.client.Request;
+import org.elasticsearch.client.RestClientBuilder;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
@@ -183,6 +184,16 @@ protected Settings restClientSettings() {
         return Settings.builder().put(ThreadContext.PREFIX + ".Authorization", token).build();
     }
 
+    @Override
+    protected void configureClient(RestClientBuilder builder, Settings settings) throws IOException {
+        super.configureClient(builder, settings);
+
+        builder.setRequestConfigCallback(requestConfigBuilder -> {
+            requestConfigBuilder.setSocketTimeout(-1);
+            return requestConfigBuilder;
+        });
+    }
+
     @Override
     protected boolean shouldConfigureProjects() {
         return false;

x-pack/plugin/security/qa/microsoft-graph-authz-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphHttpFixture.java

@@ -110,7 +110,12 @@ public String getBaseUrl() {
     private void registerGetAccessTokenHandler() {
         server.createContext("/" + tenantId + "/oauth2/v2.0/token", exchange -> {
             logger.info("Received access token request");
-            loginCount.incrementAndGet();
+            final var callCount = loginCount.incrementAndGet();
+
+            if (callCount == 1) {
+                graphError(exchange, RestStatus.GATEWAY_TIMEOUT, "Gateway timed out");
+                return;
+            }
 
             if (exchange.getRequestMethod().equals("POST") == false) {
                 graphError(exchange, RestStatus.METHOD_NOT_ALLOWED, "Expected POST request");
@@ -214,7 +219,12 @@ private void registerGetUserMembershipHandler(TestUser user) {
 
         server.createContext("/v1.0/users/" + user.username() + "/transitiveMemberOf", exchange -> {
             logger.info("Received get user membership request [{}]", exchange.getRequestURI());
-            getGroupMembershipCount.incrementAndGet();
+            final var callCount = getGroupMembershipCount.incrementAndGet();
+
+            if (callCount == 1) {
+                graphError(exchange, RestStatus.GATEWAY_TIMEOUT, "Gateway timed out");
+                return;
+            }
 
             if (exchange.getRequestMethod().equals("GET") == false) {
                 graphError(exchange, RestStatus.METHOD_NOT_ALLOWED, "Expected GET request");