Add ThreadContextTransient utility class (#134278)

This class is a little bit like `ThreadLocal` and a little bit like
`Setting`. It allows for type-safe getting and setting of _transient_
values insode of a `ThreadContext`, eliminating the need to work with
`String` keys and type-inferred values.

Author: tvernum

server/src/main/java/org/elasticsearch/common/util/concurrent/ThreadContextTransient.java

@@ -0,0 +1,104 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.common.util.concurrent;
+
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.core.Nullable;
+
+/**
+ * A utility class for resolving/setting values in the {@link ThreadContext} in a typesafe way
+ * @see ThreadContext#getTransient(String)
+ * @see ThreadContext#putTransient(String, Object)
+ */
+public final class ThreadContextTransient<T> {
+
+    private final String key;
+    private final Class<T> type;
+
+    private ThreadContextTransient(String key, Class<T> type) {
+        this.key = key;
+        this.type = type;
+    }
+
+    /**
+     * @return The key/name of the transient header
+     */
+    public String getKey() {
+        return key;
+    }
+
+    /**
+     * @return {@code true} if the thread context contains a non-null value for this {@link #getKey() key}
+     */
+    public boolean exists(ThreadContext threadContext) {
+        return threadContext.getTransient(key) != null;
+    }
+
+    /**
+     * @return The current value for this {@link #getKey() key}. May be {@code null}.
+     */
+    @Nullable
+    public T get(ThreadContext threadContext) {
+        final Object val = threadContext.getTransient(key);
+        if (val == null) {
+            return null;
+        }
+        if (this.type.isInstance(val)) {
+            return this.type.cast(val);
+        } else {
+            final String message = Strings.format(
+                "Found object of type [%s] as transient [%s] in thread-context, but expected it to be [%s]",
+                val.getClass(),
+                key,
+                type
+            );
+            assert false : message;
+            throw new IllegalStateException(message);
+        }
+    }
+
+    /**
+     * @return The current value for this {@link #getKey() key}. May not be {@code null}
+     * @throws IllegalStateException if the thread context does not contain a value (or contains {@code null}).
+     */
+    public T require(ThreadContext threadContext) {
+        final T value = get(threadContext);
+        if (value == null) {
+            throw new IllegalStateException("Cannot find value for [" + key + "] in thread-context");
+        }
+        return value;
+    }
+
+    /**
+     * Set the value for the this {@link #getKey() key}.
+     * Because transient headers cannot be overwritten, this method will throw an exception if a value already exists
+     * @see ThreadContext#putTransient(String, Object)
+     */
+    public void set(ThreadContext threadContext, T value) {
+        threadContext.putTransient(this.key, value);
+    }
+
+    /**
+     * Set the value for the this {@link #getKey() key}, if and only if there is no current value
+     * @return {@code true} if the value was set, {@code false} otherwise
+     */
+    public boolean setIfEmpty(ThreadContext threadContext, T value) {
+        if (exists(threadContext) == false) {
+            set(threadContext, value);
+            return true;
+        } else {
+            return false;
+        }
+    }
+
+    public static <T> ThreadContextTransient<T> transientValue(String key, Class<T> type) {
+        return new ThreadContextTransient<>(key, type);
+    }
+}

server/src/test/java/org/elasticsearch/common/util/concurrent/ThreadContextTransientTests.java

@@ -0,0 +1,56 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.common.util.concurrent;
+
+import org.elasticsearch.common.settings.SecureString;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.test.ESTestCase;
+
+import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.nullValue;
+import static org.hamcrest.Matchers.sameInstance;
+
+public class ThreadContextTransientTests extends ESTestCase {
+
+    public void testSetAndGetSecureStringValue() {
+        final String key = randomAlphanumericOfLength(12);
+        final ThreadContextTransient<SecureString> tcv = ThreadContextTransient.transientValue(key, SecureString.class);
+
+        final ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
+
+        assertThat(tcv.exists(threadContext), is(false));
+        assertThat(tcv.get(threadContext), nullValue());
+        expectThrows(IllegalStateException.class, () -> tcv.require(threadContext));
+
+        final SecureString value = new SecureString(randomAlphanumericOfLength(8).toCharArray());
+        tcv.set(threadContext, value);
+        assertThat(tcv.exists(threadContext), is(true));
+        assertThat(tcv.get(threadContext), sameInstance(value));
+        assertThat(tcv.require(threadContext), sameInstance(value));
+
+        final SecureString value2 = new SecureString(randomAlphanumericOfLength(10).toCharArray());
+        assertThat(tcv.setIfEmpty(threadContext, value2), is(false));
+        assertThat(tcv.get(threadContext), sameInstance(value));
+        assertThat(tcv.require(threadContext), sameInstance(value));
+
+        try (var restore = threadContext.stashContext()) {
+            assertThat(tcv.exists(threadContext), is(false));
+            assertThat(tcv.get(threadContext), nullValue());
+
+            assertThat(tcv.setIfEmpty(threadContext, value2), is(true));
+            assertThat(tcv.get(threadContext), sameInstance(value2));
+            assertThat(tcv.require(threadContext), sameInstance(value2));
+        }
+
+        assertThat(tcv.get(threadContext), sameInstance(value));
+        assertThat(tcv.require(threadContext), sameInstance(value));
+    }
+
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityContext.java

@@ -37,7 +37,7 @@
 
 import static org.elasticsearch.xpack.core.security.authc.Authentication.getAuthenticationFromCrossClusterAccessMetadata;
 import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.AUTHENTICATION_KEY;
-import static org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField.AUTHORIZATION_INFO_KEY;
+import static org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField.AUTHORIZATION_INFO_VALUE;
 
 /**
  * A lightweight utility that can find the current user and authentication information for the local thread.
@@ -92,7 +92,7 @@ public Authentication getAuthentication() {
     }
 
     public AuthorizationEngine.AuthorizationInfo getAuthorizationInfoFromContext() {
-        return Objects.requireNonNull(threadContext.getTransient(AUTHORIZATION_INFO_KEY), "authorization info is missing from context");
+        return Objects.requireNonNull(AUTHORIZATION_INFO_VALUE.get(threadContext), "authorization info is missing from context");
     }
 
     @Nullable
@@ -135,20 +135,22 @@ public void putIndicesAccessControl(@Nullable IndicesAccessControl indicesAccess
             if (indicesAccessControl.isGranted() == false) {
                 throw new IllegalStateException("Unexpected unauthorized access control :" + indicesAccessControl);
             }
-            threadContext.putTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, indicesAccessControl);
+            AuthorizationServiceField.INDICES_PERMISSIONS_VALUE.set(threadContext, indicesAccessControl);
         }
     }
 
     public void copyIndicesAccessControlToReaderContext(ReaderContext readerContext) {
-        IndicesAccessControl indicesAccessControl = getThreadContext().getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
+        IndicesAccessControl indicesAccessControl = AuthorizationServiceField.INDICES_PERMISSIONS_VALUE.get(getThreadContext());
         assert indicesAccessControl != null : "thread context does not contain index access control";
-        readerContext.putInContext(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, indicesAccessControl);
+        readerContext.putInContext(AuthorizationServiceField.INDICES_PERMISSIONS_VALUE.getKey(), indicesAccessControl);
     }
 
     public void copyIndicesAccessControlFromReaderContext(ReaderContext readerContext) {
-        IndicesAccessControl scrollIndicesAccessControl = readerContext.getFromContext(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
+        IndicesAccessControl scrollIndicesAccessControl = readerContext.getFromContext(
+            AuthorizationServiceField.INDICES_PERMISSIONS_VALUE.getKey()
+        );
         assert scrollIndicesAccessControl != null : "scroll does not contain index access control";
-        getThreadContext().putTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, scrollIndicesAccessControl);
+        AuthorizationServiceField.INDICES_PERMISSIONS_VALUE.set(getThreadContext(), scrollIndicesAccessControl);
     }
 
     /**

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/AuthenticationResult.java

@@ -6,6 +6,8 @@
  */
 package org.elasticsearch.xpack.core.security.authc;
 
+import org.elasticsearch.common.util.concurrent.ThreadContext;
+import org.elasticsearch.common.util.concurrent.ThreadContextTransient;
 import org.elasticsearch.core.Nullable;
 import org.elasticsearch.xpack.core.security.user.User;
 
@@ -26,7 +28,16 @@
 public final class AuthenticationResult<T> {
     private static final AuthenticationResult<?> NOT_HANDLED = new AuthenticationResult<>(Status.CONTINUE, null, null, null, null);
 
-    public static final String THREAD_CONTEXT_KEY = "_xpack_security_auth_result";
+    @SuppressWarnings("rawtypes")
+    public static final ThreadContextTransient<AuthenticationResult> THREAD_CONTEXT_VALUE = ThreadContextTransient.transientValue(
+        "_xpack_security_auth_result",
+        AuthenticationResult.class
+    );
+
+    @SuppressWarnings("unchecked")
+    public static <T> AuthenticationResult<T> get(ThreadContext threadContext) {
+        return (AuthenticationResult<T>) AuthenticationResult.THREAD_CONTEXT_VALUE.get(threadContext);
+    }
 
     public enum Status {
         /**

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/AuthorizationServiceField.java

@@ -6,18 +6,31 @@
  */
 package org.elasticsearch.xpack.core.security.authz;
 
+import org.elasticsearch.common.util.concurrent.ThreadContextTransient;
+import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
+
 import java.util.Collection;
 import java.util.List;
 
 public final class AuthorizationServiceField {
 
-    public static final String INDICES_PERMISSIONS_KEY = "_indices_permissions";
-    public static final String ORIGINATING_ACTION_KEY = "_originating_action_name";
-    public static final String AUTHORIZATION_INFO_KEY = "_authz_info";
+    public static final ThreadContextTransient<IndicesAccessControl> INDICES_PERMISSIONS_VALUE = ThreadContextTransient.transientValue(
+        "_indices_permissions",
+        IndicesAccessControl.class
+    );
+    public static final ThreadContextTransient<String> ORIGINATING_ACTION_VALUE = ThreadContextTransient.transientValue(
+        "_originating_action_name",
+        String.class
+    );
+    public static final ThreadContextTransient<AuthorizationEngine.AuthorizationInfo> AUTHORIZATION_INFO_VALUE = ThreadContextTransient
+        .transientValue("_authz_info", AuthorizationEngine.AuthorizationInfo.class);
 
     // Most often, transient authorisation headers are scoped (i.e. set, read and cleared) for the authorisation and execution
     // of individual actions (i.e. there is a different scope between the parent and the child actions)
-    public static final Collection<String> ACTION_SCOPE_AUTHORIZATION_KEYS = List.of(INDICES_PERMISSIONS_KEY, AUTHORIZATION_INFO_KEY);
+    public static final Collection<String> ACTION_SCOPE_AUTHORIZATION_KEYS = List.of(
+        INDICES_PERMISSIONS_VALUE.getKey(),
+        AUTHORIZATION_INFO_VALUE.getKey()
+    );
 
     private AuthorizationServiceField() {}
 }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapper.java

@@ -107,7 +107,7 @@ public DirectoryReader apply(final DirectoryReader reader) {
 
     protected IndicesAccessControl getIndicesAccessControl() {
         final ThreadContext threadContext = securityContext.getThreadContext();
-        IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
+        IndicesAccessControl indicesAccessControl = AuthorizationServiceField.INDICES_PERMISSIONS_VALUE.get(threadContext);
         if (indicesAccessControl == null) {
             throw Exceptions.authorizationError("no indices permissions found");
         }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/termsenum/action/TransportTermsEnumAction.java

@@ -428,7 +428,7 @@ private boolean canAccess(
         ThreadContext threadContext
     ) {
         if (XPackSettings.SECURITY_ENABLED.get(settings)) {
-            IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
+            IndicesAccessControl indicesAccessControl = AuthorizationServiceField.INDICES_PERMISSIONS_VALUE.get(threadContext);
             IndicesAccessControl.IndexAccessControl indexAccessControl = indicesAccessControl.getIndexPermissions(shardId.getIndexName());
 
             if (indexAccessControl != null

x-pack/plugin/downsample/src/main/java/org/elasticsearch/xpack/downsample/TransportDownsampleAction.java

@@ -212,7 +212,7 @@ protected void masterOperation(
         String sourceIndexName = request.getSourceIndex();
         IndexNameExpressionResolver.assertExpressionHasNullOrDataSelector(sourceIndexName);
         IndexNameExpressionResolver.assertExpressionHasNullOrDataSelector(request.getTargetIndex());
-        final IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
+        final IndicesAccessControl indicesAccessControl = AuthorizationServiceField.INDICES_PERMISSIONS_VALUE.get(threadContext);
         if (indicesAccessControl != null) {
             final IndicesAccessControl.IndexAccessControl indexPermissions = indicesAccessControl.getIndexPermissions(sourceIndexName);
             if (indexPermissions != null) {