add RemoteClusterAuthenticationService interface

- define a new interface based on CrossClusterAccessAuthenticationService
- hide method that accepts ApiKeyCredentials as it's only used for testing

Author: slobodanadamovic

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/CrossClusterAccessAuthenticationService.java

@@ -34,7 +34,7 @@
 import static org.elasticsearch.xpack.core.security.authc.CrossClusterAccessSubjectInfo.CROSS_CLUSTER_ACCESS_SUBJECT_INFO_HEADER_KEY;
 import static org.elasticsearch.xpack.security.authc.CrossClusterAccessHeaders.CROSS_CLUSTER_ACCESS_CREDENTIALS_HEADER_KEY;
 
-public class CrossClusterAccessAuthenticationService {
+public class CrossClusterAccessAuthenticationService implements RemoteClusterAuthenticationService {
 
     private static final Logger logger = LogManager.getLogger(CrossClusterAccessAuthenticationService.class);
 
@@ -52,6 +52,7 @@ public CrossClusterAccessAuthenticationService(
         this.authenticationService = authenticationService;
     }
 
+    @Override
     public void authenticate(final String action, final TransportRequest request, final ActionListener<Authentication> listener) {
         final ThreadContext threadContext = clusterService.threadPool().getThreadContext();
         final CrossClusterAccessHeaders crossClusterAccessHeaders;
@@ -117,6 +118,7 @@ public void authenticate(final String action, final TransportRequest request, fi
         }
     }
 
+    @Override
     public void tryAuthenticate(Map<String, String> headers, ActionListener<Void> listener) {
         final ApiKeyService.ApiKeyCredentials credentials;
         try {
@@ -128,7 +130,8 @@ public void tryAuthenticate(Map<String, String> headers, ActionListener<Void> li
         tryAuthenticate(credentials, listener);
     }
 
-    public void tryAuthenticate(ApiKeyService.ApiKeyCredentials credentials, ActionListener<Void> listener) {
+    // package-private for testing
+    void tryAuthenticate(ApiKeyService.ApiKeyCredentials credentials, ActionListener<Void> listener) {
         Objects.requireNonNull(credentials);
         apiKeyService.tryAuthenticate(clusterService.threadPool().getThreadContext(), credentials, ActionListener.wrap(authResult -> {
             if (authResult.isAuthenticated()) {

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/RemoteClusterAuthenticationService.java

@@ -0,0 +1,47 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.security.authc;
+
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.transport.TransportRequest;
+import org.elasticsearch.xpack.core.security.authc.Authentication;
+
+import java.util.Map;
+
+/**
+ * Service interface for authenticating remote cluster requests.
+ *
+ * <p>
+ * This service handles authentication for cross-cluster requests.
+ * It provides methods to authenticate both full transport requests
+ * and credential headers only.
+ */
+public interface RemoteClusterAuthenticationService {
+
+    /**
+     * Called to authenticates a remote cluster transport request.
+     *
+     * @param action the transport action being performed
+     * @param request the transport request containing authentication headers
+     * @param listener callback to receive the authenticated {@link Authentication}
+     *                 object on success, or an exception on failure
+     */
+    void authenticate(String action, TransportRequest request, ActionListener<Authentication> listener);
+
+    /**
+     * This method is called to do a preliminary check if headers contain valid
+     * remote cluster credentials, without the overhead of full authentication
+     * processing.
+     *
+     * @param headers map of request headers containing authentication credentials
+     * @param listener callback to receive {@code null} on successful authentication,
+     *                 or an exception on authentication failure
+     */
+    void tryAuthenticate(Map<String, String> headers, ActionListener<Void> listener);
+
+}

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/crossclusteraccess/CrossClusterAccessAuthenticationServiceIntegTests.java renamed to x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/CrossClusterAccessAuthenticationServiceIntegTests.java

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-package org.elasticsearch.xpack.security.crossclusteraccess;
+package org.elasticsearch.xpack.security.authc;
 
 import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.action.admin.cluster.state.ClusterStateAction;
@@ -31,10 +31,6 @@
 import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptorsIntersection;
 import org.elasticsearch.xpack.core.security.user.InternalUsers;
-import org.elasticsearch.xpack.security.authc.ApiKeyService;
-import org.elasticsearch.xpack.security.authc.CrossClusterAccessAuthenticationService;
-import org.elasticsearch.xpack.security.authc.CrossClusterAccessHeaders;
-import org.elasticsearch.xpack.security.authc.CrossClusterAccessHeadersTests;
 
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;