test retry handling

Author: richard-dennehy

gradle/verification-metadata.xml

@@ -1168,6 +1168,11 @@
             <sha256 value="b642baef4c570055de4cb3d1667b2b16dced901ff8066345a063691aa06025a4" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.squareup.okio" name="okio-jvm" version="3.4.0">
+         <artifact name="okio-jvm-3.4.0.jar">
+            <sha256 value="0139ec7a506dbbd54cad62291b019cb850534be097c8c66c1000d5fbe8edef3e" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.squareup.okio" name="okio-jvm" version="3.6.0">
          <artifact name="okio-jvm-3.6.0.jar">
             <sha256 value="67543f0736fc422ae927ed0e504b98bc5e269fda0d3500579337cb713da28412" origin="Generated by Gradle"/>
@@ -3058,6 +3063,11 @@
             <sha256 value="015d5c229f3cd5c0ebf175c1da08d596d94043362ae9d92637d88848c90537c8" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.apache.logging.log4j" name="log4j-slf4j2-impl" version="2.24.3">
+         <artifact name="log4j-slf4j2-impl-2.24.3.jar">
+            <sha256 value="cdaac22e40ec30c4096e1ebe8c454c8826c0d1c378d7db5d7b3ad166354b0bd3" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.apache.lucene" name="lucene-analysis-common" version="10.2.1">
          <artifact name="lucene-analysis-common-10.2.1.jar">
             <sha256 value="73e5dfac4c64ea5af6a0e70276c4cf3216085c05de3a6547d4240145bb362a7d" origin="Generated by Gradle"/>

plugins/microsoft-graph-authz/build.gradle

@@ -68,8 +68,8 @@ dependencies {
   runtimeOnly "io.opentelemetry:opentelemetry-context:1.50.0"
   implementation "org.jetbrains.kotlin:kotlin-stdlib:1.6.20"
   implementation "com.squareup.okhttp3:okhttp:4.11.0"
-  runtimeOnly "com.squareup.okio:okio:3.2.0"
-  runtimeOnly "com.squareup.okio:okio-jvm:3.2.0"
+  runtimeOnly "com.squareup.okio:okio:3.4.0"
+  runtimeOnly "com.squareup.okio:okio-jvm:3.4.0"
   runtimeOnly "io.github.std-uritemplate:std-uritemplate:2.0.0"
   runtimeOnly "com.azure:azure-core-http-okhttp:1.12.10"
   implementation "com.google.code.gson:gson:2.10"

x-pack/plugin/security/build.gradle

@@ -65,8 +65,7 @@ dependencies {
     exclude group: 'org.bouncycastle'
   }
   api "org.slf4j:slf4j-api:${versions.slf4j}"
-  runtimeOnly "org.slf4j:slf4j-nop:${versions.slf4j}" // workaround for https://github.com/elastic/elasticsearch/issues/93714
- // api "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}"  see above
+  api "org.apache.logging.log4j:log4j-slf4j2-impl:2.24.3"
 
   api "org.apache.httpcomponents:httpclient:${versions.httpclient}"
   api "org.apache.httpcomponents:httpcore:${versions.httpcore}"
@@ -184,6 +183,7 @@ tasks.named("dependencyLicenses").configure {
   mapping from: /http.*/, to: 'httpclient'
   mapping from: /bc.*/, to: 'bouncycastle'
   mapping from: /failureaccess.*/, to: 'guava'
+  mapping from: 'content-type', to: 'nimbus'
 }
 
 tasks.named("forbiddenPatterns").configure {

x-pack/plugin/security/qa/microsoft-graph-authz-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzPluginIT.java

@@ -100,6 +100,8 @@ private static ElasticsearchCluster initTestCluster() {
             .setting("xpack.security.authc.realms.microsoft_graph.microsoft_graph1.graph_host", () -> graphFixture.getBaseUrl() + "/v1.0")
             .setting("xpack.security.authc.realms.microsoft_graph.microsoft_graph1.access_token_host", graphFixture::getBaseUrl)
             .setting("logger.org.elasticsearch.xpack.security.authz.microsoft", "TRACE")
+            .setting("logger.com.microsoft", "TRACE")
+            .setting("logger.com.azure", "TRACE")
             .systemProperty("javax.net.ssl.trustStore", () -> trustStore.getTrustStorePath().toString())
             .systemProperty("javax.net.ssl.trustStoreType", "jks")
             .systemProperty("tests.azure.credentials.disable_instance_discovery", "true")

x-pack/plugin/security/qa/microsoft-graph-authz-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/authz/microsoft/MsGraphHttpFixture.java

@@ -36,11 +36,15 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Random;
 import java.util.UUID;
+import java.util.concurrent.atomic.AtomicInteger;
 
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
 
+import static org.elasticsearch.test.ESTestCase.randomBoolean;
+
 public class MsGraphHttpFixture extends ExternalResource {
 
     private static final Logger logger = LogManager.getLogger(MsGraphHttpFixture.class);
@@ -53,7 +57,11 @@ public class MsGraphHttpFixture extends ExternalResource {
     private final String email;
     private final String[] firstGroupsPage;
     private final String[] secondGroupsPage;
-    private final String jwt;
+    private final String jwt = "test jwt";
+
+    private final AtomicInteger loginCount = new AtomicInteger(0);
+    private final AtomicInteger getUserPropertiesCount = new AtomicInteger(0);
+    private final AtomicInteger getGroupMembershipCount = new AtomicInteger(0);
 
     private HttpsServer server;
 
@@ -75,8 +83,6 @@ public MsGraphHttpFixture(
         this.email = email;
         this.firstGroupsPage = firstGroupsPage;
         this.secondGroupsPage = secondGroupsPage;
-
-        this.jwt = "test jwt";
     }
 
     @Override
@@ -105,6 +111,7 @@ protected void before() throws Throwable {
             exchange.close();
         });
         server.start();
+        logger.info("Started server on port [{}]", server.getAddress().getPort());
     }
 
     @Override
@@ -118,6 +125,9 @@ public String getBaseUrl() {
 
     private void registerGetAccessTokenHandler() {
         server.createContext("/" + tenantId + "/oauth2/v2.0/token", exchange -> {
+            logger.info("Received access token request");
+            loginCount.incrementAndGet();
+
             if (exchange.getRequestMethod().equals("POST") == false) {
                 graphError(exchange, RestStatus.METHOD_NOT_ALLOWED, "Expected POST request");
                 return;
@@ -171,6 +181,9 @@ private void registerGetAccessTokenHandler() {
 
     private void registerGetUserHandler() {
         server.createContext("/v1.0/users/" + principal, exchange -> {
+            logger.info("Received get user properties request [{}]", exchange.getRequestURI());
+            final var callCount = getUserPropertiesCount.incrementAndGet();
+
             if (exchange.getRequestMethod().equals("GET") == false) {
                 graphError(exchange, RestStatus.METHOD_NOT_ALLOWED, "Expected GET request");
                 return;
@@ -187,6 +200,15 @@ private void registerGetUserHandler() {
                 return;
             }
 
+            // ensure the client retries temporary errors
+            if (callCount == 1) {
+                graphError(exchange, RestStatus.GATEWAY_TIMEOUT, "Gateway timed out");
+                return;
+            } else if (callCount == 2) {
+                graphError(exchange, RestStatus.TOO_MANY_REQUESTS, "Too many requests");
+                return;
+            }
+
             var userProperties = XContentBuilder.builder(XContentType.JSON.xContent());
             userProperties.startObject();
             userProperties.field("displayName", displayName);
@@ -207,6 +229,9 @@ private void registerGetUserMembershipHandler() {
         final var skipToken = UUID.randomUUID().toString();
 
         server.createContext("/v1.0/users/" + principal + "/memberOf", exchange -> {
+            logger.info("Received get user membership request [{}]", exchange.getRequestURI());
+            getGroupMembershipCount.incrementAndGet();
+
             if (exchange.getRequestMethod().equals("GET") == false) {
                 graphError(exchange, RestStatus.METHOD_NOT_ALLOWED, "Expected GET request");
                 return;