http proxy support in JWT realm

Author: richard-dennehy

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/jwt/JwtRealmSettings.java

@@ -6,6 +6,7 @@
  */
 package org.elasticsearch.xpack.core.security.authc.jwt;
 
+import org.apache.http.HttpHost;
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
@@ -193,7 +194,10 @@ private static Set<Setting.AffixSetting<?>> getNonSecureSettings() {
                 HTTP_CONNECTION_READ_TIMEOUT,
                 HTTP_SOCKET_TIMEOUT,
                 HTTP_MAX_CONNECTIONS,
-                HTTP_MAX_ENDPOINT_CONNECTIONS
+                HTTP_MAX_ENDPOINT_CONNECTIONS,
+                HTTP_PROXY_SCHEME,
+                HTTP_PROXY_HOST,
+                HTTP_PROXY_PORT
             )
         );
         // Standard TLS connection settings for outgoing connections to get JWT issuer jwkset_path
@@ -481,6 +485,72 @@ public Iterator<Setting<?>> settings() {
         key -> Setting.intSetting(key, DEFAULT_HTTP_MAX_ENDPOINT_CONNECTIONS, MIN_HTTP_MAX_ENDPOINT_CONNECTIONS, Setting.Property.NodeScope)
     );
 
+    public static final Setting.AffixSetting<String> HTTP_PROXY_HOST = Setting.affixKeySetting(
+        RealmSettings.realmSettingPrefix(TYPE),
+        "http.proxy.host",
+        key -> Setting.simpleString(key, new Setting.Validator<>() {
+            @Override
+            public void validate(String value) {
+                // There is no point in validating the hostname in itself without the scheme and port
+            }
+
+            @Override
+            public void validate(String value, Map<Setting<?>, Object> settings) {
+                final String namespace = HTTP_PROXY_HOST.getNamespace(HTTP_PROXY_HOST.getConcreteSetting(key));
+                final Setting<Integer> portSetting = HTTP_PROXY_PORT.getConcreteSettingForNamespace(namespace);
+                final Integer port = (Integer) settings.get(portSetting);
+                final Setting<String> schemeSetting = HTTP_PROXY_SCHEME.getConcreteSettingForNamespace(namespace);
+                final String scheme = (String) settings.get(schemeSetting);
+                try {
+                    new HttpHost(value, port, scheme);
+                } catch (Exception e) {
+                    throw new IllegalArgumentException(
+                        "HTTP host for hostname ["
+                            + value
+                            + "] (from ["
+                            + key
+                            + "]),"
+                            + " port ["
+                            + port
+                            + "] (from ["
+                            + portSetting.getKey()
+                            + "]) and "
+                            + "scheme ["
+                            + scheme
+                            + "] (from (["
+                            + schemeSetting.getKey()
+                            + "]) is invalid"
+                    );
+                }
+            }
+
+            @Override
+            public Iterator<Setting<?>> settings() {
+                final String namespace = HTTP_PROXY_HOST.getNamespace(HTTP_PROXY_HOST.getConcreteSetting(key));
+                final List<Setting<?>> settings = List.of(
+                    HTTP_PROXY_PORT.getConcreteSettingForNamespace(namespace),
+                    HTTP_PROXY_SCHEME.getConcreteSettingForNamespace(namespace)
+                );
+                return settings.iterator();
+            }
+        }, Setting.Property.NodeScope)
+    );
+    public static final Setting.AffixSetting<Integer> HTTP_PROXY_PORT = Setting.affixKeySetting(
+        RealmSettings.realmSettingPrefix(TYPE),
+        "http.proxy.port",
+        key -> Setting.intSetting(key, 80, 1, 65535, Setting.Property.NodeScope),
+        () -> HTTP_PROXY_HOST
+    );
+    public static final Setting.AffixSetting<String> HTTP_PROXY_SCHEME = Setting.affixKeySetting(
+        RealmSettings.realmSettingPrefix(TYPE),
+        "http.proxy.scheme",
+        key -> Setting.simpleString(key, "http", value -> {
+            if (value.equals("http") == false && value.equals("https") == false) {
+                throw new IllegalArgumentException("Invalid value [" + value + "] for [" + key + "]. Only `http` or `https` are allowed.");
+            }
+        }, Setting.Property.NodeScope)
+    );
+
     // SSL Configuration settings
 
     public static final Collection<Setting.AffixSetting<?>> SSL_CONFIGURATION_SETTINGS = SSLConfigurationSettings.getRealmSettings(TYPE);

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtUtil.java

@@ -15,6 +15,7 @@
 import com.nimbusds.jwt.SignedJWT;
 
 import org.apache.http.HttpEntity;
+import org.apache.http.HttpHost;
 import org.apache.http.HttpResponse;
 import org.apache.http.StatusLine;
 import org.apache.http.client.config.RequestConfig;
@@ -27,6 +28,7 @@
 import org.apache.http.impl.nio.client.HttpAsyncClients;
 import org.apache.http.impl.nio.conn.PoolingNHttpClientConnectionManager;
 import org.apache.http.impl.nio.reactor.DefaultConnectingIOReactor;
+import org.apache.http.nio.conn.NoopIOSessionStrategy;
 import org.apache.http.nio.conn.SchemeIOSessionStrategy;
 import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy;
 import org.apache.http.nio.reactor.ConnectingIOReactor;
@@ -74,6 +76,10 @@
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
 
+import static org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings.HTTP_PROXY_HOST;
+import static org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings.HTTP_PROXY_PORT;
+import static org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings.HTTP_PROXY_SCHEME;
+
 /**
  * Utilities for JWT realm.
  */
@@ -271,6 +277,7 @@ public static CloseableHttpAsyncClient createHttpClient(final RealmConfig realmC
                 final SSLContext clientContext = sslService.sslContext(sslConfiguration);
                 final HostnameVerifier verifier = SSLService.getHostnameVerifier(sslConfiguration);
                 final Registry<SchemeIOSessionStrategy> registry = RegistryBuilder.<SchemeIOSessionStrategy>create()
+                    .register("http", NoopIOSessionStrategy.INSTANCE)
                     .register("https", new SSLIOSessionStrategy(clientContext, verifier))
                     .build();
                 final PoolingNHttpClientConnectionManager connectionManager = new PoolingNHttpClientConnectionManager(ioReactor, registry);
@@ -286,6 +293,15 @@ public static CloseableHttpAsyncClient createHttpClient(final RealmConfig realmC
                 final HttpAsyncClientBuilder httpAsyncClientBuilder = HttpAsyncClients.custom()
                     .setConnectionManager(connectionManager)
                     .setDefaultRequestConfig(requestConfig);
+                if (realmConfig.hasSetting(HTTP_PROXY_HOST)) {
+                    httpAsyncClientBuilder.setProxy(
+                        new HttpHost(
+                            realmConfig.getSetting(HTTP_PROXY_HOST),
+                            realmConfig.getSetting(HTTP_PROXY_PORT),
+                            realmConfig.getSetting(HTTP_PROXY_SCHEME)
+                        )
+                    );
+                }
                 final CloseableHttpAsyncClient httpAsyncClient = httpAsyncClientBuilder.build();
                 httpAsyncClient.start();
                 return httpAsyncClient;

x-pack/qa/oidc-op-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/jwt/JwtWithOidcAuthIT.java

@@ -47,13 +47,17 @@
  */
 public class JwtWithOidcAuthIT extends C2IdOpTestCase {
 
-    // configured in the Elasticearch node test fixture
+    // configured in the Elasticsearch node test fixture
     private static final List<String> ALLOWED_AUDIENCES = List.of("elasticsearch-jwt1", "elasticsearch-jwt2");
-    private static final String JWT_REALM_NAME = "op-jwt";
+    private static final String JWT_FILE_REALM_NAME = "op-jwt";
+    private static final String JWT_PROXY_REALM_NAME = "op-jwt-proxy";
 
     // Constants for role mapping
-    private static final String ROLE_NAME = "jwt_role";
-    private static final String SHARED_SECRET = "jwt-realm-shared-secret";
+    private static final String FILE_ROLE_NAME = "jwt_role";
+    private static final String FILE_SHARED_SECRET = "jwt-realm-shared-secret";
+
+    private static final String PROXY_ROLE_NAME = "jwt_proxy_role";
+    private static final String PROXY_SHARED_SECRET = "jwt-proxy-realm-shared-secret";
 
     // Randomised values
     private static String clientId;
@@ -79,10 +83,10 @@ public static void registerClient() throws IOException {
     }
 
     @Before
-    public void setupRoleMapping() throws Exception {
+    public void setupRoleMappings() throws Exception {
         try (var restClient = getElasticsearchClient()) {
             var client = new TestSecurityClient(restClient);
-            final String mappingJson = Strings.format("""
+            String mappingJson = Strings.format("""
                 {
                   "roles": [ "%s" ],
                   "enabled": true,
@@ -93,8 +97,22 @@ public void setupRoleMapping() throws Exception {
                     ]
                   }
                 }
-                """, ROLE_NAME, JWT_REALM_NAME, TEST_SUBJECT_ID);
-            client.putRoleMapping(getTestName(), mappingJson);
+                """, FILE_ROLE_NAME, JWT_FILE_REALM_NAME, TEST_SUBJECT_ID);
+            client.putRoleMapping(FILE_ROLE_NAME, mappingJson);
+
+            mappingJson = Strings.format("""
+                {
+                  "roles": [ "%s" ],
+                  "enabled": true,
+                  "rules": {
+                    "all": [
+                      { "field": { "realm.name": "%s" } },
+                      { "field": { "metadata.jwt_claim_sub": "%s" } }
+                    ]
+                  }
+                }
+                """, PROXY_ROLE_NAME, JWT_PROXY_REALM_NAME, TEST_SUBJECT_ID);
+            client.putRoleMapping(PROXY_ROLE_NAME, mappingJson);
         }
     }
 
@@ -127,15 +145,21 @@ public void testAuthenticateWithOidcIssuedJwt() throws Exception {
         assertThat("Hash value of URI [" + implicitFlowURI + "] should be a JWT with an id Token", hashParams, hasKey("id_token"));
         String idJwt = hashParams.get("id_token");
 
-        final Map<String, Object> authenticateResponse = authenticateWithJwtAndSharedSecret(idJwt, SHARED_SECRET);
+        final Map<String, Object> authenticateResponse = authenticateWithJwtAndSharedSecret(idJwt, FILE_SHARED_SECRET);
         assertThat(authenticateResponse, Matchers.hasEntry(User.Fields.USERNAME.getPreferredName(), TEST_SUBJECT_ID));
         assertThat(authenticateResponse, Matchers.hasKey(User.Fields.ROLES.getPreferredName()));
-        assertThat((List<?>) authenticateResponse.get(User.Fields.ROLES.getPreferredName()), contains(ROLE_NAME));
+        assertThat((List<?>) authenticateResponse.get(User.Fields.ROLES.getPreferredName()), contains(FILE_ROLE_NAME));
+
+        // test that the proxy realm successfully loads the JWKS
+        final Map<String, Object> proxyAuthenticateResponse = authenticateWithJwtAndSharedSecret(idJwt, PROXY_SHARED_SECRET);
+        assertThat(proxyAuthenticateResponse, Matchers.hasEntry(User.Fields.USERNAME.getPreferredName(), TEST_SUBJECT_ID));
+        assertThat(proxyAuthenticateResponse, Matchers.hasKey(User.Fields.ROLES.getPreferredName()));
+        assertThat((List<?>) proxyAuthenticateResponse.get(User.Fields.ROLES.getPreferredName()), contains(PROXY_ROLE_NAME));
 
         // Use an incorrect shared secret and check it fails
         ResponseException ex = expectThrows(
             ResponseException.class,
-            () -> authenticateWithJwtAndSharedSecret(idJwt, "not-" + SHARED_SECRET)
+            () -> authenticateWithJwtAndSharedSecret(idJwt, "not-" + FILE_SHARED_SECRET)
         );
         assertThat(ex.getResponse(), TestMatchers.hasStatusCode(RestStatus.UNAUTHORIZED));
 
@@ -144,7 +168,7 @@ public void testAuthenticateWithOidcIssuedJwt() throws Exception {
         assertThat(dot, greaterThan(0));
         // change the first character of the payload section of the encoded JWT
         final String corruptToken = idJwt.substring(0, dot) + "." + transformChar(idJwt.charAt(dot + 1)) + idJwt.substring(dot + 2);
-        ex = expectThrows(ResponseException.class, () -> authenticateWithJwtAndSharedSecret(corruptToken, SHARED_SECRET));
+        ex = expectThrows(ResponseException.class, () -> authenticateWithJwtAndSharedSecret(corruptToken, FILE_SHARED_SECRET));
         assertThat(ex.getResponse(), TestMatchers.hasStatusCode(RestStatus.UNAUTHORIZED));
     }
 

x-pack/qa/oidc-op-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/oidc/C2IdOpTestCase.java

@@ -75,7 +75,7 @@ public abstract class C2IdOpTestCase extends ESRestTestCase {
 
     private static final String CLIENT_SECRET = "b07efb7a1cf6ec9462afe7b6d3ab55c6c7880262aa61ac28dded292aca47c9a2";
 
-    private static Network network = Network.newNetwork();
+    private static final Network network = Network.newNetwork();
     protected static OidcProviderTestContainer c2id = new OidcProviderTestContainer(network);
     protected static HttpProxyTestContainer proxy = new HttpProxyTestContainer(network);
 
@@ -165,6 +165,17 @@ public abstract class C2IdOpTestCase extends ESRestTestCase {
         .setting("xpack.security.authc.realms.jwt.op-jwt.claims.principal", "sub")
         .setting("xpack.security.authc.realms.jwt.op-jwt.claims.groups", "groups")
         .setting("xpack.security.authc.realms.jwt.op-jwt.client_authentication.type", "shared_secret")
+        .setting("xpack.security.authc.realms.jwt.op-jwt-proxy.order", "8")
+        .setting("xpack.security.authc.realms.jwt.op-jwt-proxy.allowed_issuer", () -> c2id.getC2IssuerUrl())
+        .setting("xpack.security.authc.realms.jwt.op-jwt-proxy.allowed_audiences", "elasticsearch-jwt1,elasticsearch-jwt2")
+        .setting("xpack.security.authc.realms.jwt.op-jwt-proxy.pkc_jwkset_path", () -> c2id.getC2IDSslUrl() + "/jwks.json")
+        .setting("xpack.security.authc.realms.jwt.op-jwt-proxy.claims.principal", "sub")
+        .setting("xpack.security.authc.realms.jwt.op-jwt-proxy.claims.groups", "groups")
+        .setting("xpack.security.authc.realms.jwt.op-jwt-proxy.client_authentication.type", "shared_secret")
+        .setting("xpack.security.authc.realms.jwt.op-jwt-proxy.http.proxy.scheme", "http")
+        .setting("xpack.security.authc.realms.jwt.op-jwt-proxy.http.proxy.host", "localhost")
+        .setting("xpack.security.authc.realms.jwt.op-jwt-proxy.http.proxy.port", () -> proxy.getTlsPort().toString())
+        .setting("xpack.security.authc.realms.jwt.op-jwt-proxy.ssl.keystore.path", "testnode.jks")
         .keystore("bootstrap.password", "x-pack-test-password")
         .keystore("xpack.security.http.ssl.keystore.secure_password", "testnode")
         .keystore("xpack.security.authc.realms.oidc.c2id.rp.client_secret", CLIENT_SECRET)
@@ -173,6 +184,8 @@ public abstract class C2IdOpTestCase extends ESRestTestCase {
         .keystore("xpack.security.authc.realms.oidc.c2id-post.rp.client_secret", CLIENT_SECRET)
         .keystore("xpack.security.authc.realms.oidc.c2id-jwt.rp.client_secret", CLIENT_SECRET)
         .keystore("xpack.security.authc.realms.jwt.op-jwt.client_authentication.shared_secret", "jwt-realm-shared-secret")
+        .keystore("xpack.security.authc.realms.jwt.op-jwt-proxy.client_authentication.shared_secret", "jwt-proxy-realm-shared-secret")
+        .keystore("xpack.security.authc.realms.jwt.op-jwt-proxy.ssl.keystore.secure_password", "testnode")
         .configFile("testnode.jks", Resource.fromClasspath("ssl/testnode.jks"))
         .configFile("op-jwks.json", Resource.fromClasspath("op-jwks.json"))
         .user("x_pack_rest_user", "x-pack-test-password", "superuser", false)

x-pack/test/idp-fixture/build.gradle

@@ -19,4 +19,6 @@ dependencies {
   testImplementation project(':test:framework')
   api project(':test:fixtures:testcontainer-utils')
   api "junit:junit:${versions.junit}"
+
+  runtimeOnly "net.java.dev.jna:jna:${versions.jna}"
 }

x-pack/test/idp-fixture/src/main/java/org/elasticsearch/test/fixtures/idp/HttpProxyTestContainer.java

@@ -13,8 +13,8 @@
 
 public final class HttpProxyTestContainer extends DockerEnvironmentAwareTestContainer {
 
-    public static final String DOCKER_BASE_IMAGE = "nginx:latest";
     private static final Integer PORT = 8888;
+    private static final Integer TLS_PORT = 8889;
 
     /**
      * for packer caching only
@@ -25,15 +25,18 @@ public HttpProxyTestContainer() {
 
     public HttpProxyTestContainer(Network network) {
         super(
-            new ImageFromDockerfile("es-http-proxy-fixture").withDockerfileFromBuilder(
-                builder -> builder.from(DOCKER_BASE_IMAGE).copy("oidc/nginx.conf", "/etc/nginx/nginx.conf").build()
-            ).withFileFromClasspath("oidc/nginx.conf", "/oidc/nginx.conf")
+            new ImageFromDockerfile("es-http-proxy-fixture").withFileFromClasspath("Dockerfile", "nginx/Dockerfile")
+                .withFileFromClasspath("nginx/nginx.conf", "/nginx/nginx.conf")
         );
-        addExposedPort(PORT);
+        addExposedPorts(PORT, TLS_PORT);
         withNetwork(network);
     }
 
     public Integer getProxyPort() {
         return getMappedPort(PORT);
     }
+
+    public Integer getTlsPort() {
+        return getMappedPort(TLS_PORT);
+    }
 }