Fix error message when changing the password for a user in the file realm

docs/changelog/127621.yaml

@@ -0,0 +1,5 @@
+pr: 127621
+summary: Fix error message when changing the password for a user in the file realm
+area: Security
+type: bug
+issues: []

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/user/TransportChangePasswordAction.java

@@ -11,35 +11,57 @@
 import org.elasticsearch.action.ActionType;
 import org.elasticsearch.action.support.ActionFilters;
 import org.elasticsearch.action.support.HandledTransportAction;
+import org.elasticsearch.common.ValidationException;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.EsExecutors;
 import org.elasticsearch.injection.guice.Inject;
 import org.elasticsearch.tasks.Task;
 import org.elasticsearch.transport.TransportService;
 import org.elasticsearch.xpack.core.XPackSettings;
 import org.elasticsearch.xpack.core.security.action.user.ChangePasswordRequest;
+import org.elasticsearch.xpack.core.security.authc.Realm;
+import org.elasticsearch.xpack.core.security.authc.esnative.ClientReservedRealm;
+import org.elasticsearch.xpack.core.security.authc.esnative.NativeRealmSettings;
 import org.elasticsearch.xpack.core.security.authc.support.Hasher;
 import org.elasticsearch.xpack.core.security.user.AnonymousUser;
+import org.elasticsearch.xpack.core.security.user.User;
+import org.elasticsearch.xpack.security.authc.Realms;
 import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore;
+import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm;
 
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
 import java.util.Locale;
+import java.util.Set;
+import java.util.concurrent.CountDownLatch;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+import static org.elasticsearch.xpack.core.security.user.UsernamesField.ELASTIC_NAME;
+import static org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.USER_NOT_FOUND_MESSAGE;
 
 public class TransportChangePasswordAction extends HandledTransportAction<ChangePasswordRequest, ActionResponse.Empty> {
 
     public static final ActionType<ActionResponse.Empty> TYPE = new ActionType<>("cluster:admin/xpack/security/user/change_password");
     private final Settings settings;
     private final NativeUsersStore nativeUsersStore;
+    private final Realms realms;
 
     @Inject
     public TransportChangePasswordAction(
         Settings settings,
         TransportService transportService,
         ActionFilters actionFilters,
-        NativeUsersStore nativeUsersStore
+        NativeUsersStore nativeUsersStore,
+        Realms realms
     ) {
         super(TYPE.name(), transportService, actionFilters, ChangePasswordRequest::new, EsExecutors.DIRECT_EXECUTOR_SERVICE);
         this.settings = settings;
         this.nativeUsersStore = nativeUsersStore;
+        this.realms = realms;
     }
 
     @Override
@@ -62,6 +84,86 @@ protected void doExecute(Task task, ChangePasswordRequest request, ActionListene
             );
             return;
         }
-        nativeUsersStore.changePassword(request, listener.safeMap(v -> ActionResponse.Empty.INSTANCE));
+
+        // check if user exists in the native realm
+        nativeUsersStore.getUser(username, new ActionListener<>() {
+            @Override
+            public void onResponse(User user) {
+                if (ClientReservedRealm.isReserved(username, settings) == false && user == null) {
+                    List<Realm> nonNativeRealms = realms.getActiveRealms()
+                        .stream()
+                        .filter(t -> Set.of(NativeRealmSettings.TYPE, ReservedRealm.TYPE).contains(t.type()) == false) // Reserved realm is
+                                                                                                                       // implemented in the
+                                                                                                                       // native store
+                        .toList();
+                    if (nonNativeRealms.isEmpty()) {
+                        listener.onFailure(createUserNotFoundException());
+                    }
+                    CountDownLatch latch = new CountDownLatch(nonNativeRealms.size());
+                    List<Exception> realmErrors = Collections.synchronizedList(new ArrayList<>());
+                    nonNativeRealms.forEach(realm -> {
+                        // we should check if this request is mistakenly trying to reset a user in some other realm
+                        realm.lookupUser(username, new ActionListener<>() {
+                            @Override
+                            public void onResponse(User user) {
+                                if (user != null) {
+                                    ValidationException validationException = new ValidationException();
+                                    validationException.addValidationError(
+                                        "user ["
+                                            + username
+                                            + "] is a(n)"
+                                            + realm
+                                            + " user and cannot be managed via this API."
+                                            + (ELASTIC_NAME.equalsIgnoreCase(username)
+                                                ? " To update the '" + ELASTIC_NAME + "' user in a cloud deployment, use the console."
+                                                : "")
+                                    );
+                                    onFailure(validationException);
+                                } else {
+                                    onFailure(null);
+                                }
+                            }
+
+                            @Override
+                            public void onFailure(Exception e) {
+                                if (e != null) {
+                                    realmErrors.add(e);
+                                }
+                                latch.countDown();
+                            }
+                        });
+                    });
+                    try {
+                        latch.await();
+                        // combine errors across realms
+                        ValidationException validationException = new ValidationException();
+                        List<String> errors = realmErrors.stream()
+                            .map(t -> ((ValidationException) t).validationErrors())
+                            .flatMap((Function<List<String>, Stream<String>>) Collection::stream)
+                            .collect(Collectors.toList());
+                        validationException.addValidationErrors(errors);
+                        listener.onFailure(validationException);
+                    } catch (InterruptedException e) {
+                        logger.info("Interrupted while waiting for user lookups across realms", e);
+                        listener.onFailure(e);
+                    }
+                } else {
+                    // safe to proceed
+                    nativeUsersStore.changePassword(request, listener.safeMap(v -> ActionResponse.Empty.INSTANCE));
+                }
+            }
+
+            @Override
+            public void onFailure(Exception e) {
+                listener.onFailure(e);
+            }
+        });
+
+    }
+
+    private static ValidationException createUserNotFoundException() {
+        ValidationException validationException = new ValidationException();
+        validationException.addValidationError(USER_NOT_FOUND_MESSAGE);
+        return validationException;
     }
 }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/NativeUsersStore.java

@@ -82,6 +82,7 @@ public class NativeUsersStore {
 
     public static final String USER_DOC_TYPE = "user";
     public static final String RESERVED_USER_TYPE = "reserved-user";
+    public static final String USER_NOT_FOUND_MESSAGE = "user must exist in order to change password";
     private static final Logger logger = LogManager.getLogger(NativeUsersStore.class);
 
     private final Settings settings;
@@ -240,7 +241,7 @@ private void getUserAndPassword(final String user, final ActionListener<UserAndP
                 () -> executeAsyncWithOrigin(
                     client.threadPool().getThreadContext(),
                     SECURITY_ORIGIN,
-                    client.prepareGet(SECURITY_MAIN_ALIAS, getIdForUser(USER_DOC_TYPE, user)).request(),
+                    client.prepareGet(SECURITY_MAIN_ALIAS, getIdForUser(getDocType(user), user)).request(),
                     new ActionListener<GetResponse>() {
                         @Override
                         public void onResponse(GetResponse response) {
@@ -279,12 +280,7 @@ public void onFailure(Exception t) {
      */
     public void changePassword(final ChangePasswordRequest request, final ActionListener<Void> listener) {
         final String username = request.username();
-        final String docType;
-        if (ClientReservedRealm.isReserved(username, settings)) {
-            docType = RESERVED_USER_TYPE;
-        } else {
-            docType = USER_DOC_TYPE;
-        }
+        final String docType = getDocType(username);
 
         securityIndex.forCurrentProject().prepareIndexIfNeededThenExecute(listener::onFailure, () -> {
             executeAsyncWithOrigin(
@@ -316,7 +312,7 @@ public void onFailure(Exception e) {
                             } else {
                                 logger.debug(() -> format("failed to change password for user [%s]", request.username()), e);
                                 ValidationException validationException = new ValidationException();
-                                validationException.addValidationError("user must exist in order to change password");
+                                validationException.addValidationError(USER_NOT_FOUND_MESSAGE);
                                 listener.onFailure(validationException);
                             }
                         } else {
@@ -329,6 +325,16 @@ public void onFailure(Exception e) {
         });
     }
 
+    private String getDocType(String username) {
+        final String docType;
+        if (ClientReservedRealm.isReserved(username, settings)) {
+            docType = RESERVED_USER_TYPE;
+        } else {
+            docType = USER_DOC_TYPE;
+        }
+        return docType;
+    }
+
     /**
      * Asynchronous method to create the elastic superuser with the given password hash. The cache for the user will be
      * cleared after the document has been indexed.