move client_secret to keystore

richard-dennehy · richard-dennehy · commit 918285808315 · 2025-05-20T10:41:44.000+01:00
diff --git a/plugins/microsoft-graph-authz/src/main/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzRealm.java b/plugins/microsoft-graph-authz/src/main/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzRealm.java
@@ -20,6 +20,8 @@
 import org.apache.http.message.BasicNameValuePair;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.settings.SecureString;
+import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.core.Tuple;
 import org.elasticsearch.logging.LogManager;
@@ -46,13 +48,15 @@ public class MicrosoftGraphAuthzRealm extends Realm {
     private final HttpClient httpClient;
     private final RealmConfig config;
     private final UserRoleMapper roleMapper;
+    private final SecureString clientSecret;
 
     public MicrosoftGraphAuthzRealm(UserRoleMapper roleMapper, RealmConfig config) {
         super(config);
 
         this.roleMapper = roleMapper;
         this.config = config;
         this.httpClient = HttpClients.createDefault();
+        this.clientSecret = config.getSetting(MicrosoftGraphAuthzRealmSettings.CLIENT_SECRET);
     }
 
     @Override
@@ -110,7 +114,7 @@ private String fetchAccessToken() throws IOException, ParseException {
                     new BasicNameValuePair("grant_type", "client_credentials"),
                     new BasicNameValuePair("scope", "https://graph.microsoft.com/.default"),
                     new BasicNameValuePair("client_id", config.getSetting(MicrosoftGraphAuthzRealmSettings.CLIENT_ID)),
-                    new BasicNameValuePair("client_secret", config.getSetting(MicrosoftGraphAuthzRealmSettings.CLIENT_SECRET))
+                    new BasicNameValuePair("client_secret", clientSecret.toString())
                 )
             )
         );
diff --git a/plugins/microsoft-graph-authz/src/main/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzRealmSettings.java b/plugins/microsoft-graph-authz/src/main/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzRealmSettings.java
@@ -9,6 +9,8 @@
 
 package org.elasticsearch.xpack.security.authz.microsoft;
 
+import org.elasticsearch.common.settings.SecureSetting;
+import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
 
@@ -24,10 +26,9 @@ public class MicrosoftGraphAuthzRealmSettings {
         Setting.Property.NodeScope
     );
 
-    public static final Setting.AffixSetting<String> CLIENT_SECRET = RealmSettings.simpleString(
+    public static final Setting.AffixSetting<SecureString> CLIENT_SECRET = RealmSettings.secureString(
         REALM_TYPE,
-        "client_secret",
-        Setting.Property.NodeScope
+        "client_secret"
     );
 
     public static final Setting.AffixSetting<String> TENANT_ID = RealmSettings.simpleString(
diff --git a/x-pack/plugin/security/qa/microsoft-graph-authz-tests/build.gradle b/x-pack/plugin/security/qa/microsoft-graph-authz-tests/build.gradle
@@ -5,8 +5,5 @@ dependencies {
   javaRestTestImplementation project(':x-pack:plugin:security')
   javaRestTestImplementation testArtifact(project(":x-pack:plugin:security:qa:saml-rest-tests"), "javaRestTest")
   clusterPlugins project(':plugins:microsoft-graph-authz')
-}
-
-tasks.named('javaRestTest') {
-  usesDefaultDistribution("Reason why default distribution is required")
+  clusterModules project(":modules:analysis-common")
 }
diff --git a/x-pack/plugin/security/qa/microsoft-graph-authz-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzPluginIT.java b/x-pack/plugin/security/qa/microsoft-graph-authz-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzPluginIT.java
@@ -68,7 +68,7 @@ public class MicrosoftGraphAuthzPluginIT extends ESRestTestCase {
 
     private static ElasticsearchCluster initTestCluster() {
         return ElasticsearchCluster.local()
-            .distribution(DistributionType.DEFAULT)
+            .module("analysis-common")
             .setting("xpack.security.enabled", "true")
             .setting("xpack.license.self_generated.type", "trial")
             .setting("xpack.security.authc.token.enabled", "true")
@@ -88,7 +88,7 @@ private static ElasticsearchCluster initTestCluster() {
             .setting("xpack.security.authc.realms.saml.saml1.authorization_realms", "microsoft_graph1")
             .setting("xpack.security.authc.realms.microsoft_graph.microsoft_graph1.order", "2")
             .setting("xpack.security.authc.realms.microsoft_graph.microsoft_graph1.client_id", CLIENT_ID)
-            .setting("xpack.security.authc.realms.microsoft_graph.microsoft_graph1.client_secret", CLIENT_SECRET)
+            .keystore("xpack.security.authc.realms.microsoft_graph.microsoft_graph1.client_secret", CLIENT_SECRET)
             .setting("xpack.security.authc.realms.microsoft_graph.microsoft_graph1.tenant_id", TENANT_ID)
             .setting("xpack.security.authc.realms.microsoft_graph.microsoft_graph1.graph_host", graphFixture::getBaseUrl)
             .setting("xpack.security.authc.realms.microsoft_graph.microsoft_graph1.access_token_host", graphFixture::getBaseUrl)
