address review feedback

slobodanadamovic · slobodanadamovic · commit 6fae14b46f66 · 2025-06-12T10:19:18.000+02:00
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java
@@ -919,9 +919,7 @@ private void checkConsistencyForInternalAuthenticationType() {
 
     private void checkConsistencyForApiKeyAuthenticationType() {
         final RealmRef authenticatingRealm = authenticatingSubject.getRealm();
-        if (false == authenticatingRealm.isApiKeyRealm()
-            && false == authenticatingRealm.isCrossClusterAccessRealm()
-            && false == authenticatingRealm.isCloudApiKeyRealm()) {
+        if (false == authenticatingRealm.usesApiKeys()) {
             throw new IllegalArgumentException(
                 Strings.format("API key authentication cannot have realm type [%s]", authenticatingRealm.type)
             );
@@ -1217,6 +1215,10 @@ private boolean isAnonymousRealm() {
             return ANONYMOUS_REALM_NAME.equals(name) && ANONYMOUS_REALM_TYPE.equals(type);
         }
 
+        private boolean usesApiKeys() {
+            return isCloudApiKeyRealm() || isApiKeyRealm() || isCrossClusterAccessRealm();
+        }
+
         private boolean isCloudApiKeyRealm() {
             return CLOUD_API_KEY_REALM_NAME.equals(name) && CLOUD_API_KEY_REALM_TYPE.equals(type);
         }
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
@@ -1254,33 +1254,45 @@ Collection<Object> createComponents(
     }
 
     private CustomApiKeyAuthenticator createCustomApiKeyAuthenticator(SecurityExtension.SecurityComponents extensionComponents) {
-        final SetOnce<CustomApiKeyAuthenticator> customApiKeyAuthenticatorSetOnce = new SetOnce<>();
-        for (var extension : securityExtensions) {
+        final Map<String, CustomApiKeyAuthenticator> customApiKeyAuthenticatorByExtension = new HashMap<>();
+        for (final SecurityExtension extension : securityExtensions) {
             final CustomApiKeyAuthenticator customApiKeyAuthenticator = extension.getCustomApiKeyAuthenticator(extensionComponents);
             if (customApiKeyAuthenticator != null) {
                 if (false == isInternalExtension(extension)) {
                     throw new IllegalStateException(
                         "The ["
-                            + extension.getClass().getName()
+                            + extension.extensionName()
                             + "] extension tried to install a custom CustomApiKeyAuthenticator. "
                             + "This functionality is not available to external extensions."
                     );
                 }
-                boolean success = customApiKeyAuthenticatorSetOnce.trySet(customApiKeyAuthenticator);
-                if (false == success) {
-                    throw new IllegalStateException(
-                        "The ["
-                            + extension.getClass().getName()
-                            + "] extension tried to install a custom CustomApiKeyAuthenticator, but one has already been installed."
-                    );
-                }
-                logger.debug("CustomApiKeyAuthenticator provided by extension [{}]", extension.extensionName());
+                customApiKeyAuthenticatorByExtension.put(extension.extensionName(), customApiKeyAuthenticator);
             }
         }
-        if (customApiKeyAuthenticatorSetOnce.get() == null) {
-            customApiKeyAuthenticatorSetOnce.set(new CustomApiKeyAuthenticator.Noop());
+
+        if (customApiKeyAuthenticatorByExtension.isEmpty()) {
+            logger.debug(
+                "No custom implementation for [{}]. Falling-back to noop implementation.",
+                CustomApiKeyAuthenticator.class.getCanonicalName()
+            );
+            return new CustomApiKeyAuthenticator.Noop();
+
+        } else if (customApiKeyAuthenticatorByExtension.size() > 1) {
+            throw new IllegalStateException(
+                "Multiple extensions tried to install a custom CustomApiKeyAuthenticator: " + customApiKeyAuthenticatorByExtension.keySet()
+            );
+
+        } else {
+            final var authenticatorByExtensionEntry = customApiKeyAuthenticatorByExtension.entrySet().iterator().next();
+            final CustomApiKeyAuthenticator customApiKeyAuthenticator = authenticatorByExtensionEntry.getValue();
+            final String extensionName = authenticatorByExtensionEntry.getKey();
+            logger.debug(
+                "CustomApiKeyAuthenticator implementation [{}] provided by extension [{}]",
+                customApiKeyAuthenticator.getClass().getCanonicalName(),
+                extensionName
+            );
+            return customApiKeyAuthenticator;
         }
-        return customApiKeyAuthenticatorSetOnce.get();
     }
 
     private ServiceAccountService createServiceAccountService(
