add test for concurrent login

Author: richard-dennehy

plugins/microsoft-graph-authz/build.gradle

@@ -95,4 +95,5 @@ tasks.named("javadoc").configure { enabled = false }
 
 tasks.named("dependencyLicenses").configure {
   mapping from: "microsoft-graph-core", to: "microsoft-graph"
+  mapping from: "azure-identity", to: "azure"
 }

plugins/microsoft-graph-authz/licenses/azure-NOTICE.txt

@@ -9,6 +9,7 @@
 
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.support.ActionTestUtils;
+import org.elasticsearch.action.support.GroupedActionListener;
 import org.elasticsearch.action.support.PlainActionFuture;
 import org.elasticsearch.client.Request;
 import org.elasticsearch.client.Response;
@@ -40,6 +41,7 @@
 import java.nio.charset.StandardCharsets;
 import java.security.cert.CertificateException;
 import java.util.Base64;
+import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -55,19 +57,23 @@ public class MicrosoftGraphAuthzPluginIT extends ESRestTestCase {
     private static final String USERNAME = "Thor";
     private static final String EXPECTED_GROUP = "test_group";
 
+    private static final List<TestUser> TEST_USERS = List.of(
+        new TestUser(
+            USERNAME,
+            "Thor Odinson",
+            "[email protected]",
+            List.of("unmapped-group-1", "unmapped-group-2", "unmapped-group-3", EXPECTED_GROUP),
+            List.of("microsoft_graph_user")
+        ),
+        new TestUser("User2", "User 2", "[email protected]", List.of(EXPECTED_GROUP), List.of("microsoft_graph_user")),
+        new TestUser("User3", "User 3", "[email protected]", List.of(), List.of())
+    );
+
     private static final MsGraphHttpFixture graphFixture = new MsGraphHttpFixture(
         TENANT_ID,
         CLIENT_ID,
         CLIENT_SECRET,
-        List.of(
-            new TestUser(
-                USERNAME,
-                "Thor Odinson",
-                "[email protected]",
-                new String[] { "unmapped-group-1", "unmapped-group-2", "unmapped-group-3", EXPECTED_GROUP },
-                new String[] { "microsoft_graph_user" }
-            )
-        ),
+        TEST_USERS,
         3
     );
 
@@ -140,11 +146,6 @@ public void setupRoleMapping() throws IOException {
                     .startArray("all")
                     .startObject()
                     .startObject("field")
-                    .field("username", USERNAME)
-                    .endObject()
-                    .endObject()
-                    .startObject()
-                    .startObject("field")
                     .field("realm.name", "microsoft_graph1")
                     .endObject()
                     .endObject()
@@ -183,15 +184,33 @@ protected boolean shouldConfigureProjects() {
     }
 
     public void testAuthenticationSuccessful() throws Exception {
-        final var listener = new PlainActionFuture<Response>();
+        final var listener = new PlainActionFuture<Map<String, Object>>();
         samlAuthWithMicrosoftGraphAuthz(USERNAME, getSamlAssertionJsonBodyString(USERNAME), listener);
-        final var resp = entityAsMap(listener.get());
+        final var resp = listener.get();
         List<String> roles = new XContentTestUtils.JsonMapView(resp).get("authentication.roles");
         assertThat(resp.get("username"), equalTo(USERNAME));
         assertThat(roles, contains("microsoft_graph_user"));
         assertThat(ObjectPath.evaluate(resp, "authentication.authentication_realm.name"), equalTo("saml1"));
     }
 
+    public void testConcurrentAuthentication() throws Exception {
+        final var resultsListener = new PlainActionFuture<Collection<Map<String, Object>>>();
+        final var groupedListener = new GroupedActionListener<>(TEST_USERS.size(), resultsListener);
+        for (var user : TEST_USERS) {
+            samlAuthWithMicrosoftGraphAuthz(user.username(), getSamlAssertionJsonBodyString(user.username()), groupedListener);
+        }
+        final var responses = resultsListener.get();
+
+        assertThat(responses.size(), equalTo(TEST_USERS.size()));
+        for (var user : TEST_USERS) {
+            var response = responses.stream().filter(r -> r.get("username").equals(user.username())).findFirst();
+            assertTrue(response.isPresent());
+            final List<String> roles = new XContentTestUtils.JsonMapView(response.get()).get("authentication.roles");
+            assertThat(roles, equalTo(user.roles()));
+            assertThat(ObjectPath.evaluate(response.get(), "authentication.authentication_realm.name"), equalTo("saml1"));
+        }
+    }
+
     private String getSamlAssertionJsonBodyString(String username) throws Exception {
         var message = new SamlResponseBuilder().spEntityId("http://sp/default.example.org/")
             .idpEntityId(IDP_ENTITY_ID)
@@ -206,10 +225,10 @@ private String getSamlAssertionJsonBodyString(String username) throws Exception
         return Strings.toString(JsonXContent.contentBuilder().map(body));
     }
 
-    private void samlAuthWithMicrosoftGraphAuthz(String username, String samlAssertion, ActionListener<Response> listener) {
+    private void samlAuthWithMicrosoftGraphAuthz(String username, String samlAssertion, ActionListener<Map<String, Object>> listener) {
         var req = new Request("POST", "_security/saml/authenticate");
         req.setJsonEntity(samlAssertion);
-        client().performRequestAsync(req, ActionTestUtils.wrapAsRestResponseListener(listener));
+        client().performRequestAsync(req, ActionTestUtils.wrapAsRestResponseListener(listener.map(ESRestTestCase::entityAsMap)));
     }
 
 }

x-pack/plugin/security/qa/microsoft-graph-authz-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzPluginIT.java

@@ -234,15 +234,17 @@ private void registerGetUserMembershipHandler(TestUser user) {
                 return;
             }
 
-            var nextLink = getBaseUrl() + exchange.getRequestURI().toString() + "&$skiptoken=" + skipToken;
+            String nextLink = null;
             Object[] groups;
 
             // return multiple pages of results, to ensure client correctly supports paging
             if (exchange.getRequestURI().getQuery().contains("$skiptoken")) {
-                groups = Arrays.stream(user.groups()).skip(groupsPageSize).map(id -> Map.of("id", id)).toArray();
-                nextLink = null;
+                groups = user.groups().stream().skip(groupsPageSize).map(id -> Map.of("id", id)).toArray();
             } else {
-                groups = Arrays.stream(user.groups()).limit(groupsPageSize).map(id -> Map.of("id", id)).toArray();
+                groups = user.groups().stream().limit(groupsPageSize).map(id -> Map.of("id", id)).toArray();
+                if (user.groups().size() > groupsPageSize) {
+                    nextLink = getBaseUrl() + exchange.getRequestURI().toString() + "&$skiptoken=" + skipToken;
+                }
             }
 
             final var groupMembership = XContentBuilder.builder(XContentType.JSON.xContent());

x-pack/plugin/security/qa/microsoft-graph-authz-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/authz/microsoft/MsGraphHttpFixture.java

@@ -7,4 +7,6 @@
 
 package org.elasticsearch.xpack.security.authz.microsoft;
 
-public record TestUser(String username, String displayName, String email, String[] groups, String[] roles) {}
+import java.util.List;
+
+public record TestUser(String username, String displayName, String email, List<String> groups, List<String> roles) {}