Authenticator

Author: n1v0lg

x-pack/plugin/core/src/main/java/module-info.java

@@ -230,7 +230,7 @@
     exports org.elasticsearch.xpack.core.watcher.trigger;
     exports org.elasticsearch.xpack.core.watcher.watch;
     exports org.elasticsearch.xpack.core.watcher;
-    exports org.elasticsearch.xpack.core.security.authc.cloud;
+    exports org.elasticsearch.xpack.core.security.authc.apikey;
 
     provides org.elasticsearch.action.admin.cluster.node.info.ComponentVersionNumber
         with

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityExtension.java

@@ -16,7 +16,7 @@
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationFailureHandler;
 import org.elasticsearch.xpack.core.security.authc.Realm;
-import org.elasticsearch.xpack.core.security.authc.cloud.CloudApiKeyService;
+import org.elasticsearch.xpack.core.security.authc.apikey.CustomApiKeyAuthenticator;
 import org.elasticsearch.xpack.core.security.authc.service.NodeLocalServiceAccountTokenStore;
 import org.elasticsearch.xpack.core.security.authc.service.ServiceAccountTokenStore;
 import org.elasticsearch.xpack.core.security.authc.support.UserRoleMapper;
@@ -129,7 +129,7 @@ default ServiceAccountTokenStore getServiceAccountTokenStore(SecurityComponents
         return null;
     }
 
-    default CloudApiKeyService getCloudApiKeyService(SecurityComponents components) {
+    default CustomApiKeyAuthenticator getCustomApiKeyAuthenticator(SecurityComponents components) {
         return null;
     }
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/apikey/CustomApiKeyAuthenticator.java

@@ -0,0 +1,43 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.core.security.authc.apikey;
+
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.common.settings.SecureString;
+import org.elasticsearch.core.Nullable;
+import org.elasticsearch.xpack.core.security.authc.Authentication;
+import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
+import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
+
+public interface CustomApiKeyAuthenticator {
+    String name();
+
+    AuthenticationToken extractCredentials(@Nullable SecureString apiKeyCredentials);
+
+    void authenticate(@Nullable AuthenticationToken authenticationToken, ActionListener<AuthenticationResult<Authentication>> listener);
+
+    class Noop implements CustomApiKeyAuthenticator {
+        @Override
+        public String name() {
+            return "noop";
+        }
+
+        @Override
+        public AuthenticationToken extractCredentials(@Nullable SecureString apiKeyCredentials) {
+            return null;
+        }
+
+        @Override
+        public void authenticate(
+            @Nullable AuthenticationToken authenticationToken,
+            ActionListener<AuthenticationResult<Authentication>> listener
+        ) {
+            listener.onResponse(AuthenticationResult.notHandled());
+        }
+    }
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/cloud/CloudApiKey.java

@@ -208,7 +208,7 @@
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
 import org.elasticsearch.xpack.core.security.authc.Subject;
-import org.elasticsearch.xpack.core.security.authc.cloud.CloudApiKeyService;
+import org.elasticsearch.xpack.core.security.authc.apikey.CustomApiKeyAuthenticator;
 import org.elasticsearch.xpack.core.security.authc.service.NodeLocalServiceAccountTokenStore;
 import org.elasticsearch.xpack.core.security.authc.service.ServiceAccountTokenStore;
 import org.elasticsearch.xpack.core.security.authc.support.UserRoleMapper;
@@ -1102,9 +1102,9 @@ Collection<Object> createComponents(
             operatorPrivilegesService.set(OperatorPrivileges.NOOP_OPERATOR_PRIVILEGES_SERVICE);
         }
 
-        final CloudApiKeyService cloudApiKeyService = createCloudApiKeyService(extensionComponents);
+        final CustomApiKeyAuthenticator customApiKeyAuthenticator = createCustomApiKeyAuthenticator(extensionComponents);
 
-        components.add(cloudApiKeyService);
+        components.add(customApiKeyAuthenticator);
 
         authcService.set(
             new AuthenticationService(
@@ -1118,7 +1118,7 @@ Collection<Object> createComponents(
                 apiKeyService,
                 serviceAccountService,
                 operatorPrivilegesService.get(),
-                cloudApiKeyService,
+                customApiKeyAuthenticator,
                 telemetryProvider.getMeterRegistry()
             )
         );
@@ -1254,34 +1254,34 @@ Collection<Object> createComponents(
         return components;
     }
 
-    private CloudApiKeyService createCloudApiKeyService(SecurityExtension.SecurityComponents extensionComponents) {
-        final SetOnce<CloudApiKeyService> cloudApiKeyServiceSetOnce = new SetOnce<>();
+    private CustomApiKeyAuthenticator createCustomApiKeyAuthenticator(SecurityExtension.SecurityComponents extensionComponents) {
+        final SetOnce<CustomApiKeyAuthenticator> customApiKeyAuthenticatorSetOnce = new SetOnce<>();
         for (var extension : securityExtensions) {
-            final CloudApiKeyService cloudApiKeyService = extension.getCloudApiKeyService(extensionComponents);
-            if (cloudApiKeyService != null) {
+            final CustomApiKeyAuthenticator customApiKeyAuthenticator = extension.getCustomApiKeyAuthenticator(extensionComponents);
+            if (customApiKeyAuthenticator != null) {
                 if (false == isInternalExtension(extension)) {
                     throw new IllegalStateException(
                         "The ["
                             + extension.getClass().getName()
-                            + "] extension tried to install a custom CloudApiKeyService. "
+                            + "] extension tried to install a custom CustomApiKeyAuthenticator. "
                             + "This functionality is not available to external extensions."
                     );
                 }
-                boolean success = cloudApiKeyServiceSetOnce.trySet(cloudApiKeyService);
+                boolean success = customApiKeyAuthenticatorSetOnce.trySet(customApiKeyAuthenticator);
                 if (false == success) {
                     throw new IllegalStateException(
                         "The ["
                             + extension.getClass().getName()
-                            + "] extension tried to install a custom CloudApiKeyService, but one has already been installed."
+                            + "] extension tried to install a custom CustomApiKeyAuthenticator, but one has already been installed."
                     );
                 }
-                logger.debug("CloudApiKeyService provided by extension [{}]", extension.extensionName());
+                logger.debug("CustomApiKeyAuthenticator provided by extension [{}]", extension.extensionName());
             }
         }
-        if (cloudApiKeyServiceSetOnce.get() == null) {
-            cloudApiKeyServiceSetOnce.set(new CloudApiKeyService.Noop());
+        if (customApiKeyAuthenticatorSetOnce.get() == null) {
+            customApiKeyAuthenticatorSetOnce.set(new CustomApiKeyAuthenticator.Noop());
         }
-        return cloudApiKeyServiceSetOnce.get();
+        return customApiKeyAuthenticatorSetOnce.get();
     }
 
     private ServiceAccountService createServiceAccountService(

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/cloud/CloudApiKeyService.java

@@ -30,7 +30,7 @@
 import org.elasticsearch.xpack.core.security.authc.AuthenticationServiceField;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
 import org.elasticsearch.xpack.core.security.authc.Realm;
-import org.elasticsearch.xpack.core.security.authc.cloud.CloudApiKeyService;
+import org.elasticsearch.xpack.core.security.authc.apikey.CustomApiKeyAuthenticator;
 import org.elasticsearch.xpack.core.security.authc.support.AuthenticationContextSerializer;
 import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.EmptyAuthorizationInfo;
 import org.elasticsearch.xpack.core.security.user.AnonymousUser;
@@ -93,7 +93,7 @@ public AuthenticationService(
         ApiKeyService apiKeyService,
         ServiceAccountService serviceAccountService,
         OperatorPrivilegesService operatorPrivilegesService,
-        CloudApiKeyService cloudApiKeyService,
+        CustomApiKeyAuthenticator customApiKeyAuthenticator,
         MeterRegistry meterRegistry
     ) {
         this.realms = realms;
@@ -117,7 +117,7 @@ public AuthenticationService(
             new AuthenticationContextSerializer(),
             new ServiceAccountAuthenticator(serviceAccountService, nodeName, meterRegistry),
             new OAuth2TokenAuthenticator(tokenService, meterRegistry),
-            new CloudApiKeyAuthenticator(nodeName, cloudApiKeyService),
+            new PluggableApiKeyAuthenticator(customApiKeyAuthenticator),
             new ApiKeyAuthenticator(apiKeyService, nodeName, meterRegistry),
             new RealmsAuthenticator(numInvalidation, lastSuccessfulAuthCache, meterRegistry)
         );

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java

@@ -54,7 +54,7 @@ class AuthenticatorChain {
         AuthenticationContextSerializer authenticationSerializer,
         ServiceAccountAuthenticator serviceAccountAuthenticator,
         OAuth2TokenAuthenticator oAuth2TokenAuthenticator,
-        CloudApiKeyAuthenticator cloudApiKeyAuthenticator,
+        PluggableApiKeyAuthenticator customApiKeyAuthenticator,
         ApiKeyAuthenticator apiKeyAuthenticator,
         RealmsAuthenticator realmsAuthenticator
     ) {
@@ -68,7 +68,7 @@ class AuthenticatorChain {
         this.allAuthenticators = List.of(
             serviceAccountAuthenticator,
             oAuth2TokenAuthenticator,
-            cloudApiKeyAuthenticator,
+            customApiKeyAuthenticator,
             apiKeyAuthenticator,
             realmsAuthenticator
         );

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/AuthenticationService.java

@@ -0,0 +1,44 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.security.authc;
+
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.xpack.core.security.authc.Authentication;
+import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
+import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
+import org.elasticsearch.xpack.core.security.authc.apikey.CustomApiKeyAuthenticator;
+
+public class PluggableApiKeyAuthenticator implements Authenticator {
+    private final CustomApiKeyAuthenticator authenticator;
+
+    public PluggableApiKeyAuthenticator(CustomApiKeyAuthenticator authenticator) {
+        this.authenticator = authenticator;
+    }
+
+    @Override
+    public String name() {
+        return authenticator.name();
+    }
+
+    @Override
+    public AuthenticationToken extractCredentials(Context context) {
+        return authenticator.extractCredentials(context.getApiKeyString());
+    }
+
+    @Override
+    public void authenticate(Context context, ActionListener<AuthenticationResult<Authentication>> listener) {
+        final AuthenticationToken authenticationToken = context.getMostRecentAuthenticationToken();
+        authenticator.authenticate(
+            authenticationToken,
+            ActionListener.wrap(
+                listener::onResponse,
+                ex -> listener.onFailure(context.getRequest().exceptionProcessingRequest(ex, authenticationToken))
+            )
+        );
+    }
+}