testing and refactoring

Author: slobodanadamovic

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlAttributes.java

@@ -30,10 +30,6 @@ public class SamlAttributes implements Releasable {
     private final List<SamlAttribute> attributes;
     private final List<SamlSecureAttribute> secureAttributes;
 
-    SamlAttributes(SamlNameId name, String session, List<SamlAttribute> attributes) {
-        this(name, session, attributes, List.of());
-    }
-
     SamlAttributes(SamlNameId name, String session, List<SamlAttribute> attributes, List<SamlSecureAttribute> secureAttributes) {
         this.name = name;
         this.session = session;
@@ -103,10 +99,32 @@ public void close() {
         IOUtils.closeWhileHandlingException(secureAttributes);
     }
 
-    static class SamlAttribute {
+    abstract static class AbstractSamlAttribute<T> {
+
         final String name;
         final String friendlyName;
-        final List<String> values;
+        final List<T> values;
+
+        protected AbstractSamlAttribute(String name, @Nullable String friendlyName, List<T> values) {
+            this.name = Objects.requireNonNull(name, "Attribute name cannot be null");
+            this.friendlyName = friendlyName;
+            this.values = values;
+        }
+
+        String name() {
+            return name;
+        }
+
+        String friendlyName() {
+            return friendlyName;
+        }
+
+        List<T> values() {
+            return values;
+        }
+    }
+
+    static class SamlAttribute extends AbstractSamlAttribute<String> {
 
         SamlAttribute(Attribute attribute) {
             this(
@@ -117,9 +135,7 @@ static class SamlAttribute {
         }
 
         SamlAttribute(String name, @Nullable String friendlyName, List<String> values) {
-            this.name = Objects.requireNonNull(name, "Attribute name cannot be null");
-            this.friendlyName = friendlyName;
-            this.values = values;
+            super(name, friendlyName, values);
         }
 
         @Override
@@ -135,14 +151,10 @@ public String toString() {
         }
     }
 
-    static class SamlSecureAttribute implements Releasable {
-
-        final String name;
-        final String friendlyName;
-        final List<SecureString> values;
+    static class SamlSecureAttribute extends AbstractSamlAttribute<SecureString> implements Releasable {
 
         SamlSecureAttribute(Attribute attribute) {
-            this(
+            super(
                 attribute.getName(),
                 attribute.getFriendlyName(),
                 attribute.getAttributeValues()
@@ -156,21 +168,7 @@ static class SamlSecureAttribute implements Releasable {
         }
 
         SamlSecureAttribute(String name, @Nullable String friendlyName, List<SecureString> values) {
-            this.name = Objects.requireNonNull(name, "Attribute name cannot be null");
-            this.friendlyName = friendlyName;
-            this.values = values;
-        }
-
-        String name() {
-            return name;
-        }
-
-        String friendlyName() {
-            return friendlyName;
-        }
-
-        List<SecureString> values() {
-            return values;
+            super(name, friendlyName, values);
         }
 
         @Override
@@ -181,7 +179,7 @@ public String toString() {
             } else {
                 str.append(friendlyName).append('(').append(name).append(')');
             }
-            str.append("=").append("::es_redacted::").append("(len=").append(values.size()).append(')');
+            str.append("=").append("[::es_redacted::]").append("(len=").append(values.size()).append(')');
             return str.toString();
         }
 

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAttributesTests.java

@@ -7,6 +7,7 @@
 
 package org.elasticsearch.xpack.security.authc.saml;
 
+import org.elasticsearch.common.settings.SecureString;
 import org.hamcrest.Matchers;
 import org.opensaml.saml.saml2.core.NameID;
 
@@ -29,6 +30,13 @@ public void testToString() {
                     "groups",
                     List.of("employees", "engineering", "managers")
                 )
+            ),
+            List.of(
+                new SamlAttributes.SamlSecureAttribute(
+                    "urn:oid:0.9.2342.19200300.100.1.3",
+                    "mail",
+                    List.of(new SecureString("[email protected]".toCharArray()))
+                )
             )
         );
         assertThat(
@@ -45,6 +53,9 @@ public void testToString() {
                     + ", "
                     + "groups(urn:oid:1.3.6.1.4.1.5923.1.5.1.1)=[employees, engineering, managers](len=3)"
                     + "]}"
+                    + "{["
+                    + "mail(urn:oid:0.9.2342.19200300.100.1.3)=[::es_redacted::](len=1)"
+                    + "]}"
             )
         );
     }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java

@@ -10,6 +10,7 @@
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.support.PlainActionFuture;
 import org.elasticsearch.common.settings.MockSecureSettings;
+import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsException;
 import org.elasticsearch.common.ssl.PemUtils;
@@ -72,6 +73,7 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Locale;
+import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.TimeUnit;
@@ -83,6 +85,7 @@
 import static org.elasticsearch.core.Strings.format;
 import static org.elasticsearch.test.ActionListenerUtils.anyActionListener;
 import static org.elasticsearch.test.TestMatchers.throwableWithMessage;
+import static org.elasticsearch.xpack.security.authc.saml.SamlRealm.SECURE_ATTRIBUTES_METADATA;
 import static org.hamcrest.Matchers.arrayContainingInAnyOrder;
 import static org.hamcrest.Matchers.contains;
 import static org.hamcrest.Matchers.containsInAnyOrder;
@@ -392,7 +395,8 @@ public void testAuthenticateWithEmptyRoleMapping() throws Exception {
             randomBoolean() ? REALM_NAME : null,
             testWithDelimiter ? List.of("STRIKE Team: Delta$shield") : Arrays.asList("avengers", "shield"),
             testWithDelimiter ? "$" : null,
-            randomBoolean() ? List.of("superuser", "kibana_admin") : randomFrom(List.of(), null)
+            randomBoolean() ? List.of("superuser", "kibana_admin") : randomFrom(List.of(), null),
+            null
         );
         assertThat(result, notNullValue());
         assertThat(result.getStatus(), equalTo(AuthenticationResult.Status.SUCCESS));
@@ -419,7 +423,8 @@ public void testAuthenticateWithRoleMapping() throws Exception {
             authenticatingRealm,
             testWithDelimiter ? List.of("STRIKE Team: Delta$shield") : Arrays.asList("avengers", "shield"),
             testWithDelimiter ? "$" : null,
-            rolesToExclude
+            rolesToExclude,
+            Map.of("top_secret", List.of("Batman's secret identity is Bruce Wayne!"))
         );
 
         assertThat(result, notNullValue());
@@ -440,8 +445,24 @@ public void testAuthenticateWithRoleMapping() throws Exception {
             assertThat(result.getValue().metadata().get("saml_nameid"), equalTo(nameIdValue));
             assertThat(result.getValue().metadata().get("saml_uid"), instanceOf(Iterable.class));
             assertThat((Iterable<?>) result.getValue().metadata().get("saml_uid"), contains(uidValue));
+            assertThat(result.getValue().metadata().get("saml_top_secret"), nullValue());
         }
 
+        assertThat(result.getMetadata(), notNullValue());
+        assertThat(result.getMetadata().containsKey(SECURE_ATTRIBUTES_METADATA), is(true));
+        @SuppressWarnings("unchecked")
+        Map<String, List<SecureString>> secureAttributesMetadata = (Map<String, List<SecureString>>) result.getMetadata()
+            .get(SECURE_ATTRIBUTES_METADATA);
+        assertThat(secureAttributesMetadata, notNullValue());
+        assertThat(secureAttributesMetadata.keySet(), containsInAnyOrder("top_secret"));
+        List<SecureString> secretAttribute = secureAttributesMetadata.get("top_secret");
+        assertThat(secretAttribute, notNullValue());
+        assertThat(secretAttribute.size(), equalTo(1));
+        assertEquals(
+            "SecureString has already been closed",
+            expectThrows(IllegalStateException.class, () -> secretAttribute.getFirst().getChars()).getMessage()
+        );
+
         assertThat(userData.get().getUsername(), equalTo(useNameId ? "clint.barton" : "cbarton"));
         if (testWithDelimiter) {
             assertThat(userData.get().getGroups(), containsInAnyOrder("STRIKE Team: Delta", "shield"));
@@ -533,6 +554,7 @@ private AuthenticationResult<User> performAuthentication(
             authenticatingRealm,
             groups,
             groupsDelimiter,
+            null,
             null
         );
     }
@@ -546,7 +568,8 @@ private AuthenticationResult<User> performAuthentication(
         String authenticatingRealm,
         List<String> groups,
         String groupsDelimiter,
-        List<String> rolesToExclude
+        List<String> rolesToExclude,
+        Map<String, List<String>> secureAttributes
     ) throws Exception {
         final EntityDescriptor idp = mockIdp();
         final SpConfiguration sp = new SingleSamlSpConfiguration("<sp>", "https://saml/", null, null, null, Collections.emptyList());
@@ -610,6 +633,12 @@ private AuthenticationResult<User> performAuthentication(
                 String.join(",", rolesToExclude)
             );
         }
+        if (secureAttributes != null) {
+            settingsBuilder.put(
+                SingleSpSamlRealmSettings.getFullSettingKey(REALM_NAME, SamlRealmSettings.SECURE_ATTRIBUTES),
+                String.join(",", secureAttributes.keySet())
+            );
+        }
         if (useAuthorizingRealm) {
             settingsBuilder.putList(
                 RealmSettings.getFullSettingKey(
@@ -640,15 +669,35 @@ private AuthenticationResult<User> performAuthentication(
         final SamlAttributes attributes = new SamlAttributes(
             new SamlNameId(NameIDType.PERSISTENT, nameIdValue, idp.getEntityID(), sp.getEntityId(), null),
             randomAlphaOfLength(16),
-            Arrays.asList(
+            List.of(
                 new SamlAttributes.SamlAttribute("urn:oid:0.9.2342.19200300.100.1.1", "uid", Collections.singletonList(uidValue)),
                 new SamlAttributes.SamlAttribute("urn:oid:1.3.6.1.4.1.5923.1.5.1.1", "groups", groups),
                 new SamlAttributes.SamlAttribute("urn:oid:0.9.2342.19200300.100.1.3", "mail", Arrays.asList("[email protected]"))
-            )
+            ),
+            secureAttributes == null
+                ? List.of()
+                : secureAttributes.entrySet()
+                    .stream()
+                    .map(
+                        a -> new SamlAttributes.SamlSecureAttribute(a.getKey(), null, a.getValue().stream().map(SecureString::new).toList())
+                    )
+                    .toList()
         );
         when(authenticator.authenticate(token)).thenReturn(attributes);
 
-        final PlainActionFuture<AuthenticationResult<User>> future = new PlainActionFuture<>();
+        final PlainActionFuture<AuthenticationResult<User>> future = new PlainActionFuture<>() {
+            @Override
+            public void onResponse(AuthenticationResult<User> result) {
+                if (secureAttributes != null && result.isAuthenticated()) {
+                    assertThat(result.getMetadata(), notNullValue());
+                    assertThat(result.getMetadata().containsKey(SECURE_ATTRIBUTES_METADATA), is(true));
+                    @SuppressWarnings("unchecked")
+                    var metadata = (Map<String, List<SecureString>>) result.getMetadata().get(SECURE_ATTRIBUTES_METADATA);
+                    secureAttributes.forEach((name, value) -> assertThat(metadata.get(name), equalTo(value)));
+                }
+                super.onResponse(result);
+            }
+        };
         realm.authenticate(token, future);
         return future.get();
     }
@@ -725,13 +774,14 @@ private List<String> performAttributeSelectionWithSplit(String delimiter, String
         final SamlAttributes attributes = new SamlAttributes(
             new SamlNameId(NameIDType.TRANSIENT, randomAlphaOfLength(24), null, null, null),
             randomAlphaOfLength(16),
-            Collections.singletonList(
+            List.of(
                 new SamlAttributes.SamlAttribute(
                     "departments",
                     "departments",
                     Collections.singletonList(String.join(delimiter, returnedGroups))
                 )
-            )
+            ),
+            List.of()
         );
         return parser.getAttribute(attributes);
     }
@@ -796,13 +846,14 @@ public void testAttributeSelectionWithSplitAndListThrowsSecurityException() {
         final SamlAttributes attributes = new SamlAttributes(
             new SamlNameId(NameIDType.TRANSIENT, randomAlphaOfLength(24), null, null, null),
             randomAlphaOfLength(16),
-            Collections.singletonList(
+            List.of(
                 new SamlAttributes.SamlAttribute(
                     "departments",
                     "departments",
                     List.of("engineering", String.join(delimiter, "elasticsearch-admins", "employees"))
                 )
-            )
+            ),
+            List.of()
         );
 
         ElasticsearchSecurityException securityException = expectThrows(
@@ -828,13 +879,14 @@ public void testAttributeSelectionWithRegex() {
         final SamlAttributes attributes = new SamlAttributes(
             new SamlNameId(NameIDType.TRANSIENT, randomAlphaOfLength(24), null, null, null),
             randomAlphaOfLength(16),
-            Collections.singletonList(
+            List.of(
                 new SamlAttributes.SamlAttribute(
                     "urn:oid:0.9.2342.19200300.100.1.3",
                     "mail",
                     Arrays.asList("[email protected]", "[email protected]", "[email protected]")
                 )
-            )
+            ),
+            List.of()
         );
 
         final List<String> strings = parser.getAttribute(attributes);
@@ -952,9 +1004,8 @@ public void testNonMatchingPrincipalPatternThrowsSamlException() throws Exceptio
             final SamlAttributes attributes = new SamlAttributes(
                 new SamlNameId(NameIDType.TRANSIENT, randomAlphaOfLength(12), null, null, null),
                 randomAlphaOfLength(16),
-                Collections.singletonList(
-                    new SamlAttributes.SamlAttribute("urn:oid:0.9.2342.19200300.100.1.3", "mail", Collections.singletonList(mail))
-                )
+                List.of(new SamlAttributes.SamlAttribute("urn:oid:0.9.2342.19200300.100.1.3", "mail", Collections.singletonList(mail))),
+                List.of()
             );
             when(authenticator.authenticate(token)).thenReturn(attributes);