cancel graph authorization tasks that are pending too long

Author: richard-dennehy

plugins/microsoft-graph-authz/src/main/java/module-info.java

@@ -24,6 +24,7 @@
     requires com.google.gson;
     requires okhttp3;
     requires com.azure.core.http.okhttp;
+    requires org.apache.logging.log4j;
 
     provides org.elasticsearch.xpack.core.security.SecurityExtension with MicrosoftGraphAuthzPlugin;
 }

plugins/microsoft-graph-authz/src/main/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzRealm.java

@@ -21,18 +21,20 @@
 import com.microsoft.kiota.authentication.AzureIdentityAuthenticationProvider;
 import com.microsoft.kiota.http.middleware.RetryHandler;
 
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.SettingsException;
+import org.elasticsearch.common.util.concurrent.EsExecutors;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
+import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.core.Tuple;
 import org.elasticsearch.license.License;
 import org.elasticsearch.license.LicenseUtils;
 import org.elasticsearch.license.LicensedFeature;
 import org.elasticsearch.license.XPackLicenseState;
-import org.elasticsearch.logging.LogManager;
-import org.elasticsearch.logging.Logger;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.xpack.core.XPackPlugin;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
@@ -41,6 +43,7 @@
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
 import org.elasticsearch.xpack.core.security.authc.support.UserRoleMapper;
+import org.elasticsearch.xpack.core.security.support.CancellableRunnable;
 import org.elasticsearch.xpack.core.security.user.User;
 
 import java.time.Duration;
@@ -69,6 +72,7 @@ public class MicrosoftGraphAuthzRealm extends Realm {
     private final GraphServiceClient client;
     private final XPackLicenseState licenseState;
     private final ThreadPool threadPool;
+    private final TimeValue executionTimeout;
 
     public MicrosoftGraphAuthzRealm(UserRoleMapper roleMapper, RealmConfig config, ThreadPool threadPool) {
         this(roleMapper, config, buildClient(config), XPackPlugin.getSharedLicenseState(), threadPool);
@@ -90,6 +94,7 @@ public MicrosoftGraphAuthzRealm(UserRoleMapper roleMapper, RealmConfig config, T
         this.client = client;
         this.licenseState = licenseState;
         this.threadPool = threadPool;
+        this.executionTimeout = config.getSetting(MicrosoftGraphAuthzRealmSettings.EXECUTION_TIMEOUT);
     }
 
     private static void validate(RealmConfig config) {
@@ -127,30 +132,39 @@ public void lookupUser(String principal, ActionListener<User> listener) {
             return;
         }
 
-        threadPool.generic().execute(() -> {
-            try {
-                final var userProperties = fetchUserProperties(client, principal);
-                final var groups = fetchGroupMembership(client, principal);
-
-                final var userData = new UserRoleMapper.UserData(principal, null, groups, Map.of(), config);
-
-                roleMapper.resolveRoles(userData, listener.delegateFailureAndWrap((l, roles) -> {
-                    final var user = new User(
-                        principal,
-                        roles.toArray(Strings.EMPTY_ARRAY),
-                        userProperties.v1(),
-                        userProperties.v2(),
-                        Map.of(),
-                        true
-                    );
-                    logger.trace("Authorized user from Microsoft Graph {}", user);
-                    l.onResponse(user);
-                }));
-            } catch (Exception e) {
-                logger.error(Strings.format("Failed to authorize [{}] with MS Graph realm", principal), e);
-                listener.onFailure(e);
-            }
-        });
+        final var runnable = new CancellableRunnable<>(
+            listener,
+            ex -> null,
+            () -> doLookupUser(principal, listener),
+            logger
+        );
+        threadPool.generic().execute(runnable);
+        threadPool.schedule(runnable::maybeTimeout, executionTimeout, EsExecutors.DIRECT_EXECUTOR_SERVICE);
+    }
+
+    private void doLookupUser(String principal, ActionListener<User> listener) {
+        try {
+            final var userProperties = fetchUserProperties(client, principal);
+            final var groups = fetchGroupMembership(client, principal);
+
+            final var userData = new UserRoleMapper.UserData(principal, null, groups, Map.of(), config);
+
+            roleMapper.resolveRoles(userData, listener.delegateFailureAndWrap((l, roles) -> {
+                final var user = new User(
+                    principal,
+                    roles.toArray(Strings.EMPTY_ARRAY),
+                    userProperties.v1(),
+                    userProperties.v2(),
+                    Map.of(),
+                    true
+                );
+                logger.trace("Authorized user from Microsoft Graph {}", user);
+                l.onResponse(user);
+            }));
+        } catch (Exception e) {
+            logger.error(Strings.format("Failed to authorize [{}] with MS Graph realm", principal), e);
+            listener.onFailure(e);
+        }
     }
 
     private static GraphServiceClient buildClient(RealmConfig config) {

plugins/microsoft-graph-authz/src/main/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzRealmSettings.java

@@ -52,6 +52,12 @@ public class MicrosoftGraphAuthzRealmSettings {
         key -> Setting.timeSetting(key, TimeValue.timeValueSeconds(10), Setting.Property.NodeScope)
     );
 
+    public static final Setting.AffixSetting<TimeValue> EXECUTION_TIMEOUT = Setting.affixKeySetting(
+        RealmSettings.realmSettingPrefix(REALM_TYPE),
+        "execution_timeout",
+        key -> Setting.timeSetting(key, TimeValue.timeValueSeconds(30), Setting.Property.NodeScope)
+    );
+
     public static List<Setting<?>> getSettings() {
         var settings = new ArrayList<Setting<?>>(RealmSettings.getStandardSettings(REALM_TYPE));
         settings.add(CLIENT_ID);

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/support/CancellableRunnable.java

@@ -0,0 +1,76 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.core.security.support;
+
+import org.apache.logging.log4j.Logger;
+import org.elasticsearch.ElasticsearchTimeoutException;
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.common.util.concurrent.AbstractRunnable;
+
+import java.util.Objects;
+import java.util.concurrent.atomic.AtomicReference;
+import java.util.function.Function;
+
+/**
+ * A runnable that allows us to terminate and call the listener. We use this as a runnable can
+ * be queued and not executed for a long time or ever and this causes user requests to appear
+ * to hang. In these cases at least we can provide a response.
+ */
+public class CancellableRunnable<T> extends AbstractRunnable {
+
+    private final Runnable in;
+    private final ActionListener<T> listener;
+    private final Function<Exception, T> defaultValue;
+    private final Logger logger;
+    private final AtomicReference<RunnableState> state = new AtomicReference<>(RunnableState.AWAITING_EXECUTION);
+
+    public CancellableRunnable(ActionListener<T> listener, Function<Exception, T> defaultValue, Runnable in, Logger logger) {
+        this.listener = listener;
+        this.defaultValue = Objects.requireNonNull(defaultValue);
+        this.in = in;
+        this.logger = logger;
+    }
+
+    @Override
+    public void onFailure(Exception e) {
+        logger.error("execution of cancellable runnable failed", e);
+        final T result = defaultValue.apply(e);
+        listener.onResponse(result);
+    }
+
+    @Override
+    protected void doRun() throws Exception {
+        if (state.compareAndSet(RunnableState.AWAITING_EXECUTION, RunnableState.EXECUTING)) {
+            in.run();
+        } else {
+            logger.trace("skipping execution of cancellable runnable as the current state is [{}]", state.get());
+        }
+    }
+
+    @Override
+    public void onRejection(Exception e) {
+        listener.onFailure(e);
+    }
+
+    /**
+     * If the execution of this runnable has not already started, the runnable is cancelled and we pass an exception to the user
+     * listener
+     */
+    public void maybeTimeout() {
+        if (state.compareAndSet(RunnableState.AWAITING_EXECUTION, RunnableState.TIMED_OUT)) {
+            logger.warn("skipping execution of cancellable runnable as it has been waiting for execution too long");
+            listener.onFailure(new ElasticsearchTimeoutException("timed out waiting for execution of cancellable runnable"));
+        }
+    }
+
+    private enum RunnableState {
+        AWAITING_EXECUTION,
+        EXECUTING,
+        TIMED_OUT
+    }
+}

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ldap/CancellableLdapRunnableTests.java renamed to x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/support/CancellableRunnableTests.java

@@ -4,14 +4,13 @@
  * 2.0; you may not use this file except in compliance with the Elastic License
  * 2.0.
  */
-package org.elasticsearch.xpack.security.authc.ldap;
+package org.elasticsearch.xpack.core.security.support;
 
 import org.elasticsearch.ElasticsearchTimeoutException;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.support.ActionTestUtils;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.core.security.user.User;
-import org.elasticsearch.xpack.security.authc.ldap.LdapRealm.CancellableLdapRunnable;
 
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.atomic.AtomicBoolean;
@@ -22,11 +21,11 @@
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.sameInstance;
 
-public class CancellableLdapRunnableTests extends ESTestCase {
+public class CancellableRunnableTests extends ESTestCase {
 
     public void testTimingOutARunnable() {
         AtomicReference<Exception> exceptionAtomicReference = new AtomicReference<>();
-        final CancellableLdapRunnable<Object> runnable = new CancellableLdapRunnable<>(ActionListener.wrap(user -> {
+        final CancellableRunnable<Object> runnable = new CancellableRunnable<>(ActionListener.wrap(user -> {
             throw new AssertionError("onResponse should not be called");
         }, exceptionAtomicReference::set), e -> null, () -> { throw new AssertionError("runnable should not be executed"); }, logger);
 
@@ -40,7 +39,7 @@ public void testTimingOutARunnable() {
     public void testCallTimeOutAfterRunning() {
         final AtomicBoolean ran = new AtomicBoolean(false);
         final AtomicBoolean listenerCalled = new AtomicBoolean(false);
-        final CancellableLdapRunnable<Object> runnable = new CancellableLdapRunnable<>(ActionListener.wrap(user -> {
+        final CancellableRunnable<Object> runnable = new CancellableRunnable<>(ActionListener.wrap(user -> {
             listenerCalled.set(true);
             throw new AssertionError("onResponse should not be called");
         }, e -> {
@@ -59,7 +58,7 @@ public void testCallTimeOutAfterRunning() {
 
     public void testRejectingExecution() {
         AtomicReference<Exception> exceptionAtomicReference = new AtomicReference<>();
-        final CancellableLdapRunnable<Object> runnable = new CancellableLdapRunnable<>(ActionListener.wrap(user -> {
+        final CancellableRunnable<Object> runnable = new CancellableRunnable<>(ActionListener.wrap(user -> {
             throw new AssertionError("onResponse should not be called");
         }, exceptionAtomicReference::set), e -> null, () -> { throw new AssertionError("runnable should not be executed"); }, logger);
 
@@ -75,7 +74,7 @@ public void testTimeoutDuringExecution() throws InterruptedException {
         final CountDownLatch timeoutCalledLatch = new CountDownLatch(1);
         final CountDownLatch runningLatch = new CountDownLatch(1);
         final ActionListener<User> listener = ActionTestUtils.assertNoFailureListener(user -> listenerCalledLatch.countDown());
-        final CancellableLdapRunnable<User> runnable = new CancellableLdapRunnable<>(listener, e -> null, () -> {
+        final CancellableRunnable<User> runnable = new CancellableRunnable<>(listener, e -> null, () -> {
             runningLatch.countDown();
             try {
                 timeoutCalledLatch.await();
@@ -98,7 +97,7 @@ public void testExceptionInRunnable() {
         AtomicReference<String> resultRef = new AtomicReference<>();
         final ActionListener<String> listener = ActionTestUtils.assertNoFailureListener(resultRef::set);
         String defaultValue = randomAlphaOfLengthBetween(2, 10);
-        final CancellableLdapRunnable<String> runnable = new CancellableLdapRunnable<>(listener, e -> defaultValue, () -> {
+        final CancellableRunnable<String> runnable = new CancellableRunnable<>(listener, e -> defaultValue, () -> {
             throw new RuntimeException("runnable intentionally failed");
         }, logger);
 

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ldap/LdapRealm.java

@@ -8,13 +8,10 @@
 
 import com.unboundid.ldap.sdk.LDAPException;
 
-import org.apache.logging.log4j.Logger;
-import org.elasticsearch.ElasticsearchTimeoutException;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.support.ContextPreservingActionListener;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.util.concurrent.AbstractRunnable;
 import org.elasticsearch.common.util.concurrent.EsExecutors;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.core.IOUtils;
@@ -41,15 +38,14 @@
 import org.elasticsearch.xpack.security.authc.support.DelegatedAuthorizationSupport;
 import org.elasticsearch.xpack.security.authc.support.DnRoleMapper;
 import org.elasticsearch.xpack.security.authc.support.mapper.CompositeRoleMapper;
+import org.elasticsearch.xpack.core.security.support.CancellableRunnable;
 import org.elasticsearch.xpack.security.support.ReloadableSecurityComponent;
 
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.Objects;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.function.Consumer;
-import java.util.function.Function;
 import java.util.function.Supplier;
 import java.util.stream.Collectors;
 
@@ -150,7 +146,7 @@ protected void doAuthenticate(UsernamePasswordToken token, ActionListener<Authen
         assert delegatedRealms != null : "Realm has not been initialized correctly";
         // we submit to the threadpool because authentication using LDAP will execute blocking I/O for a bind request and we don't want
         // network threads stuck waiting for a socket to connect. After the bind, then all interaction with LDAP should be async
-        final CancellableLdapRunnable<AuthenticationResult<User>> cancellableLdapRunnable = new CancellableLdapRunnable<>(
+        final CancellableRunnable<AuthenticationResult<User>> cancellableLdapRunnable = new CancellableRunnable<>(
             listener,
             ex -> AuthenticationResult.unsuccessful("Authentication against realm [" + this.toString() + "] failed", ex),
             () -> sessionFactory.session(
@@ -173,7 +169,7 @@ protected void doLookupUser(String username, ActionListener<User> userActionList
                 result -> userActionListener.onResponse(result.getValue()),
                 userActionListener::onFailure
             );
-            final CancellableLdapRunnable<User> cancellableLdapRunnable = new CancellableLdapRunnable<>(
+            final CancellableRunnable<User> cancellableLdapRunnable = new CancellableRunnable<>(
                 userActionListener,
                 e -> null,
                 () -> sessionFactory.unauthenticatedSession(
@@ -323,65 +319,5 @@ public void onFailure(Exception e) {
             }
             resultListener.onResponse(AuthenticationResult.unsuccessful(action + " failed", e));
         }
-
-    }
-
-    /**
-     * A runnable that allows us to terminate and call the listener. We use this as a runnable can
-     * be queued and not executed for a long time or ever and this causes user requests to appear
-     * to hang. In these cases at least we can provide a response.
-     */
-    static class CancellableLdapRunnable<T> extends AbstractRunnable {
-
-        private final Runnable in;
-        private final ActionListener<T> listener;
-        private final Function<Exception, T> defaultValue;
-        private final Logger logger;
-        private final AtomicReference<LdapRunnableState> state = new AtomicReference<>(LdapRunnableState.AWAITING_EXECUTION);
-
-        CancellableLdapRunnable(ActionListener<T> listener, Function<Exception, T> defaultValue, Runnable in, Logger logger) {
-            this.listener = listener;
-            this.defaultValue = Objects.requireNonNull(defaultValue);
-            this.in = in;
-            this.logger = logger;
-        }
-
-        @Override
-        public void onFailure(Exception e) {
-            logger.error("execution of ldap runnable failed", e);
-            final T result = defaultValue.apply(e);
-            listener.onResponse(result);
-        }
-
-        @Override
-        protected void doRun() throws Exception {
-            if (state.compareAndSet(LdapRunnableState.AWAITING_EXECUTION, LdapRunnableState.EXECUTING)) {
-                in.run();
-            } else {
-                logger.trace("skipping execution of ldap runnable as the current state is [{}]", state.get());
-            }
-        }
-
-        @Override
-        public void onRejection(Exception e) {
-            listener.onFailure(e);
-        }
-
-        /**
-         * If the execution of this runnable has not already started, the runnable is cancelled and we pass an exception to the user
-         * listener
-         */
-        void maybeTimeout() {
-            if (state.compareAndSet(LdapRunnableState.AWAITING_EXECUTION, LdapRunnableState.TIMED_OUT)) {
-                logger.warn("skipping execution of ldap runnable as it has been waiting for " + "execution too long");
-                listener.onFailure(new ElasticsearchTimeoutException("timed out waiting for " + "execution of ldap runnable"));
-            }
-        }
-
-        enum LdapRunnableState {
-            AWAITING_EXECUTION,
-            EXECUTING,
-            TIMED_OUT
-        }
     }
 }