Add Microsoft Graph Delegated Authorization Realm Plugin (#127910)

* Add Microsoft Graph Delegated Authorization Realm Plugin

* Update docs/changelog/127910.yaml

Author: jfreden

docs/changelog/127910.yaml

@@ -0,0 +1,5 @@
+pr: 127910
+summary: Add Microsoft Graph Delegated Authorization Realm Plugin
+area: Authorization
+type: enhancement
+issues: []

plugins/microsoft-graph-authz/build.gradle

@@ -0,0 +1,21 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+apply plugin: "elasticsearch.internal-java-rest-test"
+
+esplugin {
+    name = "microsoft-graph-authz"
+    description = "Microsoft Graph Delegated Authorization Realm Plugin"
+    classname = "org.elasticsearch.xpack.security.authz.microsoft.MicrosoftGraphAuthzPlugin"
+    extendedPlugins = ["x-pack-security"]
+}
+
+dependencies {
+    compileOnly project(":x-pack:plugin:core")
+}

plugins/microsoft-graph-authz/src/main/java/module-info.java

@@ -0,0 +1,19 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import org.elasticsearch.xpack.security.authz.microsoft.MicrosoftGraphAuthzPlugin;
+
+module org.elasticsearch.plugin.security.authz {
+    requires org.elasticsearch.base;
+    requires org.elasticsearch.server;
+    requires org.elasticsearch.xcore;
+    requires org.elasticsearch.logging;
+
+    provides org.elasticsearch.xpack.core.security.SecurityExtension with MicrosoftGraphAuthzPlugin;
+}

plugins/microsoft-graph-authz/src/main/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzPlugin.java

@@ -0,0 +1,30 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.xpack.security.authz.microsoft;
+
+import org.elasticsearch.common.settings.Setting;
+import org.elasticsearch.plugins.Plugin;
+import org.elasticsearch.xpack.core.security.SecurityExtension;
+import org.elasticsearch.xpack.core.security.authc.Realm;
+
+import java.util.List;
+import java.util.Map;
+
+public class MicrosoftGraphAuthzPlugin extends Plugin implements SecurityExtension {
+    @Override
+    public Map<String, Realm.Factory> getRealms(SecurityComponents components) {
+        return Map.of(MicrosoftGraphAuthzRealmSettings.REALM_TYPE, MicrosoftGraphAuthzRealm::new);
+    }
+
+    @Override
+    public List<Setting<?>> getSettings() {
+        return MicrosoftGraphAuthzRealmSettings.getSettings();
+    }
+}

plugins/microsoft-graph-authz/src/main/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzRealm.java

@@ -0,0 +1,50 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.xpack.security.authz.microsoft;
+
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.common.util.concurrent.ThreadContext;
+import org.elasticsearch.logging.LogManager;
+import org.elasticsearch.logging.Logger;
+import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
+import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
+import org.elasticsearch.xpack.core.security.authc.Realm;
+import org.elasticsearch.xpack.core.security.authc.RealmConfig;
+import org.elasticsearch.xpack.core.security.user.User;
+
+public class MicrosoftGraphAuthzRealm extends Realm {
+
+    private static final Logger logger = LogManager.getLogger(MicrosoftGraphAuthzRealm.class);
+
+    public MicrosoftGraphAuthzRealm(RealmConfig config) {
+        super(config);
+    }
+
+    @Override
+    public boolean supports(AuthenticationToken token) {
+        return false;
+    }
+
+    @Override
+    public AuthenticationToken token(ThreadContext context) {
+        return null;
+    }
+
+    @Override
+    public void authenticate(AuthenticationToken token, ActionListener<AuthenticationResult<User>> listener) {
+        listener.onResponse(AuthenticationResult.notHandled());
+    }
+
+    @Override
+    public void lookupUser(String username, ActionListener<User> listener) {
+        logger.info("Microsoft Graph Authz not yet implemented, returning empty roles for [{}]", username);
+        listener.onResponse(new User(username));
+    }
+}

plugins/microsoft-graph-authz/src/main/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzRealmSettings.java

@@ -0,0 +1,24 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.xpack.security.authz.microsoft;
+
+import org.elasticsearch.common.settings.Setting;
+import org.elasticsearch.xpack.core.security.authc.RealmSettings;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public class MicrosoftGraphAuthzRealmSettings {
+    public static final String REALM_TYPE = "microsoft_graph";
+
+    public static List<Setting<?>> getSettings() {
+        return new ArrayList<>(RealmSettings.getStandardSettings(REALM_TYPE));
+    }
+}

plugins/microsoft-graph-authz/src/main/resources/META-INF/services/org.elasticsearch.xpack.core.security.SecurityExtension

@@ -0,0 +1 @@
+org.elasticsearch.xpack.security.authz.microsoft.MicrosoftGraphAuthzPlugin

x-pack/plugin/security/qa/microsoft-graph-authz-tests/build.gradle

@@ -0,0 +1,8 @@
+apply plugin: 'elasticsearch.internal-java-rest-test'
+
+dependencies {
+  javaRestTestImplementation project(':x-pack:plugin:core')
+  javaRestTestImplementation project(':x-pack:plugin:security')
+  javaRestTestImplementation testArtifact(project(":x-pack:plugin:security:qa:saml-rest-tests"), "javaRestTest")
+  clusterPlugins project(':plugins:microsoft-graph-authz')
+}

x-pack/plugin/security/qa/microsoft-graph-authz-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzPluginIT.java

@@ -0,0 +1,134 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.security.authz.microsoft;
+
+import org.elasticsearch.client.Request;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.settings.SecureString;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.util.concurrent.ThreadContext;
+import org.elasticsearch.core.PathUtils;
+import org.elasticsearch.test.XContentTestUtils;
+import org.elasticsearch.test.cluster.ElasticsearchCluster;
+import org.elasticsearch.test.cluster.local.model.User;
+import org.elasticsearch.test.cluster.util.resource.Resource;
+import org.elasticsearch.test.rest.ESRestTestCase;
+import org.elasticsearch.test.rest.ObjectPath;
+import org.elasticsearch.xcontent.json.JsonXContent;
+import org.elasticsearch.xpack.security.authc.saml.SamlIdpMetadataBuilder;
+import org.elasticsearch.xpack.security.authc.saml.SamlResponseBuilder;
+import org.junit.ClassRule;
+import org.junit.rules.RuleChain;
+import org.junit.rules.TestRule;
+
+import java.io.IOException;
+import java.net.URISyntaxException;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
+import java.security.cert.CertificateException;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import static org.hamcrest.Matchers.empty;
+import static org.hamcrest.Matchers.equalTo;
+
+public class MicrosoftGraphAuthzPluginIT extends ESRestTestCase {
+    public static ElasticsearchCluster cluster = initTestCluster();
+
+    @ClassRule
+    public static TestRule ruleChain = RuleChain.outerRule(cluster);
+
+    private static final String IDP_ENTITY_ID = "http://idp.example.org/";
+
+    private static ElasticsearchCluster initTestCluster() {
+        return ElasticsearchCluster.local()
+            .setting("xpack.security.enabled", "true")
+            .setting("xpack.license.self_generated.type", "trial")
+            .setting("xpack.security.authc.token.enabled", "true")
+            .setting("xpack.security.http.ssl.enabled", "false")
+            .plugin("microsoft-graph-authz")
+            .keystore("bootstrap.password", "x-pack-test-password")
+            .user("test_admin", "x-pack-test-password", User.ROOT_USER_ROLE, true)
+            .user("rest_test", "rest_password", User.ROOT_USER_ROLE, true)
+            .configFile("metadata.xml", Resource.fromString(getIDPMetadata()))
+            .setting("xpack.security.authc.realms.saml.saml1.order", "1")
+            .setting("xpack.security.authc.realms.saml.saml1.idp.entity_id", IDP_ENTITY_ID)
+            .setting("xpack.security.authc.realms.saml.saml1.idp.metadata.path", "metadata.xml")
+            .setting("xpack.security.authc.realms.saml.saml1.attributes.principal", "urn:oid:2.5.4.3")
+            .setting("xpack.security.authc.realms.saml.saml1.sp.entity_id", "http://sp/default.example.org/")
+            .setting("xpack.security.authc.realms.saml.saml1.sp.acs", "http://acs/default")
+            .setting("xpack.security.authc.realms.saml.saml1.sp.logout", "http://logout/default")
+            .setting("xpack.security.authc.realms.saml.saml1.authorization_realms", "microsoft_graph1")
+            .setting("xpack.security.authc.realms.microsoft_graph.microsoft_graph1.order", "2")
+            .build();
+    }
+
+    private static String getIDPMetadata() {
+        try {
+            var signingCert = PathUtils.get(MicrosoftGraphAuthzPluginIT.class.getResource("/saml/signing.crt").toURI());
+            return new SamlIdpMetadataBuilder().entityId(IDP_ENTITY_ID).idpUrl(IDP_ENTITY_ID).sign(signingCert).asString();
+        } catch (URISyntaxException | CertificateException | IOException exception) {
+            fail(exception);
+        }
+        return null;
+    }
+
+    @Override
+    protected String getTestRestCluster() {
+        return cluster.getHttpAddresses();
+    }
+
+    @Override
+    protected String getProtocol() {
+        return "http";
+    }
+
+    @Override
+    protected Settings restClientSettings() {
+        final String token = basicAuthHeaderValue("rest_test", new SecureString("rest_password".toCharArray()));
+        return Settings.builder().put(ThreadContext.PREFIX + ".Authorization", token).build();
+    }
+
+    @Override
+    protected boolean shouldConfigureProjects() {
+        return false;
+    }
+
+    public void testAuthenticationSuccessful() throws Exception {
+        final String username = randomAlphaOfLengthBetween(4, 12);
+        samlAuthWithMicrosoftGraphAuthz(username, getSamlAssertionJsonBodyString(username));
+    }
+
+    private String getSamlAssertionJsonBodyString(String username) throws Exception {
+        var message = new SamlResponseBuilder().spEntityId("http://sp/default.example.org/")
+            .idpEntityId(IDP_ENTITY_ID)
+            .acs(new URL("http://acs/default"))
+            .attribute("urn:oid:2.5.4.3", username)
+            .sign(getDataPath("/saml/signing.crt"), getDataPath("/saml/signing.key"), new char[0])
+            .asString();
+
+        final Map<String, Object> body = new HashMap<>();
+        body.put("content", Base64.getEncoder().encodeToString(message.getBytes(StandardCharsets.UTF_8)));
+        body.put("realm", "saml1");
+        return Strings.toString(JsonXContent.contentBuilder().map(body));
+    }
+
+    private void samlAuthWithMicrosoftGraphAuthz(String username, String samlAssertion) throws Exception {
+        var req = new Request("POST", "_security/saml/authenticate");
+        req.setJsonEntity(samlAssertion);
+        var resp = entityAsMap(client().performRequest(req));
+        List<String> roles = new XContentTestUtils.JsonMapView(entityAsMap(client().performRequest(req))).get("authentication.roles");
+        assertThat(resp.get("username"), equalTo(username));
+        // TODO add check for mapped groups and roles when available
+        assertThat(roles, empty());
+        assertThat(ObjectPath.evaluate(resp, "authentication.authentication_realm.name"), equalTo("saml1"));
+    }
+
+}

x-pack/plugin/security/qa/microsoft-graph-authz-tests/src/javaRestTest/resources/saml/README.txt

@@ -0,0 +1,14 @@
+#
+# Script / Instructions to (re)generate the certificates + keys in this directory
+#
+# You can run this with bash, provided "elasticsearch-certutil" is somewhere on your path (or aliased)
+
+#
+# Step 1: Create a Signing Key in PEM format
+#
+elasticsearch-certutil cert --self-signed --pem --out ${PWD}/signing.zip -days 9999 -keysize 2048 -name "signing"
+unzip signing.zip
+mv signing/signing.* ./
+rmdir signing
+rm signing.zip
+