followups from previous PR -

1. Using IteratingActionListener instead of a for-loop in the main flow of PluggableAuthenticatorChain
2. Adding unit test coverage for PluggableAuthenticatorChain

Author: ankit--sethi

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java

@@ -59,6 +59,7 @@
 import static org.elasticsearch.transport.RemoteClusterPortSettings.TRANSPORT_VERSION_ADVANCED_REMOTE_CLUSTER_SECURITY;
 import static org.elasticsearch.xcontent.ConstructingObjectParser.constructorArg;
 import static org.elasticsearch.xcontent.ConstructingObjectParser.optionalConstructorArg;
+import static org.elasticsearch.xpack.core.security.authc.Authentication.AuthenticationType.TOKEN;
 import static org.elasticsearch.xpack.core.security.authc.Authentication.RealmRef.newAnonymousRealmRef;
 import static org.elasticsearch.xpack.core.security.authc.Authentication.RealmRef.newApiKeyRealmRef;
 import static org.elasticsearch.xpack.core.security.authc.Authentication.RealmRef.newCloudApiKeyRealmRef;
@@ -83,6 +84,7 @@
 import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.FALLBACK_REALM_NAME;
 import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.FALLBACK_REALM_TYPE;
 import static org.elasticsearch.xpack.core.security.authc.RealmDomain.REALM_DOMAIN_PARSER;
+import static org.elasticsearch.xpack.core.security.authc.Subject.Type.USER;
 import static org.elasticsearch.xpack.core.security.authz.RoleDescriptor.Fields.REMOTE_CLUSTER;
 import static org.elasticsearch.xpack.core.security.authz.permission.RemoteClusterPermissions.ROLE_REMOTE_CLUSTER_PRIVS;
 
@@ -424,7 +426,7 @@ public Authentication token() {
         assert false == isAuthenticatedInternally();
         assert false == isServiceAccount();
         assert false == isCrossClusterAccess();
-        final Authentication newTokenAuthentication = new Authentication(effectiveSubject, authenticatingSubject, AuthenticationType.TOKEN);
+        final Authentication newTokenAuthentication = new Authentication(effectiveSubject, authenticatingSubject, TOKEN);
         return newTokenAuthentication;
     }
 
@@ -603,7 +605,7 @@ public boolean supportsRunAs(@Nullable AnonymousUser anonymousUser) {
         // Run-as is supported for authentication with realm, api_key or token.
         if (AuthenticationType.REALM == getAuthenticationType()
             || AuthenticationType.API_KEY == getAuthenticationType()
-            || AuthenticationType.TOKEN == getAuthenticationType()) {
+            || TOKEN == getAuthenticationType()) {
             return true;
         }
 
@@ -717,7 +719,7 @@ public boolean canAccessResourcesOf(Authentication resourceCreatorAuthentication
         assert EnumSet.of(
             Authentication.AuthenticationType.REALM,
             Authentication.AuthenticationType.API_KEY,
-            Authentication.AuthenticationType.TOKEN,
+            TOKEN,
             Authentication.AuthenticationType.ANONYMOUS,
             Authentication.AuthenticationType.INTERNAL
         ).containsAll(EnumSet.of(getAuthenticationType(), resourceCreatorAuthentication.getAuthenticationType()))
@@ -823,6 +825,9 @@ public void toXContentFragment(XContentBuilder builder) throws IOException {
             apiKeyField.put("managed_by", CredentialManagedBy.CLOUD.getDisplayName());
             builder.field("api_key", Collections.unmodifiableMap(apiKeyField));
         }
+        if (metadata.containsKey("managed_by")) {
+            builder.field("managed_by", metadata.get("managed_by"));
+        }
     }
 
     public static Authentication getAuthenticationFromCrossClusterAccessMetadata(Authentication authentication) {
@@ -982,7 +987,7 @@ private void checkConsistencyForApiKeyAuthenticationType() {
     }
 
     private void checkConsistencyForRealmAuthenticationType() {
-        if (Subject.Type.USER != authenticatingSubject.getType()) {
+        if (USER != authenticatingSubject.getType()) {
             throw new IllegalArgumentException("Realm authentication must have subject type of user");
         }
         if (isRunAs()) {
@@ -1025,7 +1030,7 @@ private static void checkRunAsConsistency(Subject effectiveSubject, Subject auth
                 )
             );
         }
-        if (Subject.Type.USER != effectiveSubject.getType()) {
+        if (USER != effectiveSubject.getType()) {
             throw new IllegalArgumentException(Strings.format("Run-as subject type cannot be [%s]", effectiveSubject.getType()));
         }
         if (false == effectiveSubject.getMetadata().isEmpty()) {
@@ -1357,7 +1362,7 @@ public static Authentication newServiceAccountAuthentication(User serviceAccount
         final Authentication.RealmRef authenticatedBy = newServiceAccountRealmRef(nodeName);
         Authentication authentication = new Authentication(
             new Subject(serviceAccountUser, authenticatedBy, TransportVersion.current(), metadata),
-            AuthenticationType.TOKEN
+            TOKEN
         );
         return authentication;
     }
@@ -1384,7 +1389,7 @@ public static Authentication newCloudAccessTokenAuthentication(
         final User user = authResult.getValue();
         return new Authentication(
             new Subject(user, realmRef, TransportVersion.current(), authResult.getMetadata()),
-            AuthenticationType.TOKEN
+            TOKEN
         );
     }
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/apikey/CustomAuthenticator.java

@@ -13,6 +13,7 @@
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
+import org.elasticsearch.xpack.core.security.user.User;
 
 /**
  * An extension point to provide a custom authenticator implementation. For example, a custom API key or a custom OAuth2
@@ -28,4 +29,6 @@ public interface CustomAuthenticator {
 
     void authenticate(@Nullable AuthenticationToken token, ActionListener<AuthenticationResult<Authentication>> listener);
 
+    Authentication getAuthentication(AuthenticationResult<User> result, String nodeName);
+
 }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/PluggableAuthenticatorChain.java

@@ -8,13 +8,15 @@
 package org.elasticsearch.xpack.security.authc;
 
 import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.xpack.core.common.IteratingActionListener;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
 import org.elasticsearch.xpack.core.security.authc.apikey.CustomAuthenticator;
 
 import java.util.List;
 import java.util.Objects;
+import java.util.function.BiConsumer;
 
 public class PluggableAuthenticatorChain implements Authenticator {
 
@@ -55,28 +57,47 @@ public void authenticate(Context context, ActionListener<AuthenticationResult<Au
         }
         AuthenticationToken token = context.getMostRecentAuthenticationToken();
         if (token != null) {
-            // TODO switch to IteratingActionListener
-            for (CustomAuthenticator customAuthenticator : customAuthenticators) {
-                if (customAuthenticator.supports(token)) {
-                    customAuthenticator.authenticate(token, ActionListener.wrap(response -> {
-                        if (response.isAuthenticated()) {
-                            listener.onResponse(response);
-                        } else if (response.getStatus() == AuthenticationResult.Status.TERMINATE) {
-                            final Exception ex = response.getException();
-                            if (ex == null) {
-                                listener.onFailure(context.getRequest().authenticationFailed(token));
-                            } else {
-                                listener.onFailure(context.getRequest().exceptionProcessingRequest(ex, token));
-                            }
-                        } else if (response.getStatus() == AuthenticationResult.Status.CONTINUE) {
-                            listener.onResponse(AuthenticationResult.notHandled());
-                        }
-                    }, ex -> listener.onFailure(context.getRequest().exceptionProcessingRequest(ex, token))));
-                    return;
-                }
-            }
+            var lis = new IteratingActionListener<>(listener,
+                getAuthConsumer(context),
+                customAuthenticators,
+                context.getThreadContext(),
+                result -> {
+                    if (result == null) {
+                        // all custom authenticators left the token unhandled
+                        return AuthenticationResult.notHandled();
+                    }
+                    return result;
+                },
+                result -> result == null || result.getStatus() == AuthenticationResult.Status.CONTINUE);
+            lis.run();
+            return;
         }
         listener.onResponse(AuthenticationResult.notHandled());
     }
 
+    private BiConsumer<CustomAuthenticator, ActionListener<AuthenticationResult<Authentication>>> getAuthConsumer(Context context) {
+        AuthenticationToken token = context.getMostRecentAuthenticationToken();
+        return (authenticator, iteratingListener) -> {
+            if (authenticator.supports(token)) {
+                authenticator.authenticate(token, ActionListener.wrap(response -> {
+                    if (response.isAuthenticated()) {
+                        iteratingListener.onResponse(response);
+                    } else if (response.getStatus() == AuthenticationResult.Status.TERMINATE) {
+                        final Exception ex = response.getException();
+                        if (ex == null) {
+                            iteratingListener.onFailure(context.getRequest().authenticationFailed(token));
+                        } else {
+                            iteratingListener.onFailure(context.getRequest().exceptionProcessingRequest(ex, token));
+                        }
+                    } else if (response.getStatus() == AuthenticationResult.Status.CONTINUE) {
+                        iteratingListener.onResponse(AuthenticationResult.notHandled());
+                    }
+                }, ex -> iteratingListener.onFailure(context.getRequest().exceptionProcessingRequest(ex, token))));
+            }
+            else {
+                iteratingListener.onResponse(null); // try the next custom authenticator
+            }
+        };
+    }
+
 }