update interfaces to enhance access to meter registry

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityExtension.java

@@ -12,6 +12,7 @@
 import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
+import org.elasticsearch.telemetry.TelemetryProvider;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationFailureHandler;
@@ -63,6 +64,9 @@ interface SecurityComponents {
 
         /** Provides the ability to access project-scoped data from the global scope **/
         ProjectResolver projectResolver();
+
+        /** Provides the ability to access the APM tracer and meter registry **/
+        TelemetryProvider telemetryProvider();
     }
 
     /**

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java

@@ -823,6 +823,9 @@ public void toXContentFragment(XContentBuilder builder) throws IOException {
             apiKeyField.put("managed_by", CredentialManagedBy.CLOUD.getDisplayName());
             builder.field("api_key", Collections.unmodifiableMap(apiKeyField));
         }
+        if (metadata.containsKey("managed_by")) {
+            builder.field("managed_by", metadata.get("managed_by"));
+        }
     }
 
     public static Authentication getAuthenticationFromCrossClusterAccessMetadata(Authentication authentication) {

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/apikey/CustomAuthenticator.java

@@ -13,6 +13,7 @@
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
+import org.elasticsearch.xpack.core.security.user.User;
 
 /**
  * An extension point to provide a custom authenticator implementation. For example, a custom API key or a custom OAuth2
@@ -28,4 +29,6 @@ public interface CustomAuthenticator {
 
     void authenticate(@Nullable AuthenticationToken token, ActionListener<AuthenticationResult<Authentication>> listener);
 
+    Authentication getAuthentication(AuthenticationResult<User> result, String nodeName);
+
 }

x-pack/plugin/security/src/main/java/module-info.java

@@ -76,6 +76,7 @@
     exports org.elasticsearch.xpack.security.support to org.elasticsearch.internal.security;
     exports org.elasticsearch.xpack.security.authz.store to org.elasticsearch.internal.security;
     exports org.elasticsearch.xpack.security.authc.service;
+    exports org.elasticsearch.xpack.security.metric;
 
     provides org.elasticsearch.index.SlowLogFieldProvider with org.elasticsearch.xpack.security.slowlog.SecuritySlowLogFieldProvider;
 

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java

@@ -854,7 +854,8 @@ Collection<Object> createComponents(
             clusterService,
             resourceWatcherService,
             userRoleMapper,
-            projectResolver
+            projectResolver,
+            telemetryProvider
         );
         Map<String, Realm.Factory> realmFactories = new HashMap<>(
             InternalRealms.getFactories(

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/PluggableAuthenticatorChain.java

@@ -8,13 +8,15 @@
 package org.elasticsearch.xpack.security.authc;
 
 import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.xpack.core.common.IteratingActionListener;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
 import org.elasticsearch.xpack.core.security.authc.apikey.CustomAuthenticator;
 
 import java.util.List;
 import java.util.Objects;
+import java.util.function.BiConsumer;
 
 public class PluggableAuthenticatorChain implements Authenticator {
 
@@ -55,28 +57,48 @@ public void authenticate(Context context, ActionListener<AuthenticationResult<Au
         }
         AuthenticationToken token = context.getMostRecentAuthenticationToken();
         if (token != null) {
-            // TODO switch to IteratingActionListener
-            for (CustomAuthenticator customAuthenticator : customAuthenticators) {
-                if (customAuthenticator.supports(token)) {
-                    customAuthenticator.authenticate(token, ActionListener.wrap(response -> {
-                        if (response.isAuthenticated()) {
-                            listener.onResponse(response);
-                        } else if (response.getStatus() == AuthenticationResult.Status.TERMINATE) {
-                            final Exception ex = response.getException();
-                            if (ex == null) {
-                                listener.onFailure(context.getRequest().authenticationFailed(token));
-                            } else {
-                                listener.onFailure(context.getRequest().exceptionProcessingRequest(ex, token));
-                            }
-                        } else if (response.getStatus() == AuthenticationResult.Status.CONTINUE) {
-                            listener.onResponse(AuthenticationResult.notHandled());
-                        }
-                    }, ex -> listener.onFailure(context.getRequest().exceptionProcessingRequest(ex, token))));
-                    return;
-                }
-            }
+            var lis = new IteratingActionListener<>(
+                listener,
+                getAuthConsumer(context),
+                customAuthenticators,
+                context.getThreadContext(),
+                result -> {
+                    if (result == null) {
+                        // all custom authenticators left the token unhandled
+                        return AuthenticationResult.notHandled();
+                    }
+                    return result;
+                },
+                result -> result == null || result.getStatus() == AuthenticationResult.Status.CONTINUE
+            );
+            lis.run();
+            return;
         }
         listener.onResponse(AuthenticationResult.notHandled());
     }
 
+    private BiConsumer<CustomAuthenticator, ActionListener<AuthenticationResult<Authentication>>> getAuthConsumer(Context context) {
+        AuthenticationToken token = context.getMostRecentAuthenticationToken();
+        return (authenticator, iteratingListener) -> {
+            if (authenticator.supports(token)) {
+                authenticator.authenticate(token, ActionListener.wrap(response -> {
+                    if (response.isAuthenticated()) {
+                        iteratingListener.onResponse(response);
+                    } else if (response.getStatus() == AuthenticationResult.Status.TERMINATE) {
+                        final Exception ex = response.getException();
+                        if (ex == null) {
+                            iteratingListener.onFailure(context.getRequest().authenticationFailed(token));
+                        } else {
+                            iteratingListener.onFailure(context.getRequest().exceptionProcessingRequest(ex, token));
+                        }
+                    } else if (response.getStatus() == AuthenticationResult.Status.CONTINUE) {
+                        iteratingListener.onResponse(AuthenticationResult.notHandled());
+                    }
+                }, ex -> iteratingListener.onFailure(context.getRequest().exceptionProcessingRequest(ex, token))));
+            } else {
+                iteratingListener.onResponse(null); // try the next custom authenticator
+            }
+        };
+    }
+
 }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/metric/InstrumentedSecurityActionListener.java

@@ -42,4 +42,31 @@ public static <R, C> ActionListener<AuthenticationResult<R>> wrapForAuthc(
         }), () -> metrics.recordTime(context, startTimeNano));
     }
 
+    /**
+     * A simpler variant that re-uses the Authentication Result as the context. This can be handy in situations when the attributes that are
+     * of interest are only available after the authentication is completed and not before.
+     * As a natural consequence, there will be no context available at the point of recording start time and in cases of exceptional failure
+     * @param metrics
+     * @param listener
+     * @param <R>
+     * @return
+     */
+    public static <R> ActionListener<AuthenticationResult<R>> wrapForAuthc(
+        final SecurityMetrics<AuthenticationResult<R>> metrics,
+        final ActionListener<AuthenticationResult<R>> listener
+    ) {
+        assert metrics.type().group() == SecurityMetricGroup.AUTHC;
+        final long startTimeNano = metrics.relativeTimeInNanos();
+        return ActionListener.runBefore(ActionListener.wrap(result -> {
+            if (result.isAuthenticated()) {
+                metrics.recordSuccess(result);
+            } else {
+                metrics.recordFailure(result, result.getMessage());
+            }
+            listener.onResponse(result);
+        }, e -> {
+            metrics.recordFailure(null, e.getMessage());
+            listener.onFailure(e);
+        }), () -> metrics.recordTime(null, startTimeNano));
+    }
 }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/metric/SecurityMetricType.java

@@ -19,6 +19,25 @@ public enum SecurityMetricType {
         new SecurityMetricInfo("es.security.authc.api_key.time", "Time it took (in nanoseconds) to execute API key authentication.", "ns")
     ),
 
+    CLOUD_AUTHC_API_KEY(
+        SecurityMetricGroup.AUTHC,
+        new SecurityMetricInfo(
+            "es.security.authc.cloud_api_key.success.total",
+            "Number of successful cloud API key authentications.",
+            "count"
+        ),
+        new SecurityMetricInfo(
+            "es.security.authc.cloud_api_key.failures.total",
+            "Number of failed cloud API key authentications.",
+            "count"
+        ),
+        new SecurityMetricInfo(
+            "es.security.authc.cloud_api_key.time",
+            "Time it took (in nanoseconds) to execute cloud API key authentication.",
+            "ns"
+        )
+    ),
+
     AUTHC_SERVICE_ACCOUNT(
         SecurityMetricGroup.AUTHC,
         new SecurityMetricInfo(

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/ExtensionComponents.java

@@ -12,6 +12,7 @@
 import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
+import org.elasticsearch.telemetry.TelemetryProvider;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.elasticsearch.xpack.core.security.SecurityExtension;
@@ -27,21 +28,24 @@ public final class ExtensionComponents implements SecurityExtension.SecurityComp
     private final ResourceWatcherService resourceWatcherService;
     private final UserRoleMapper roleMapper;
     private final ProjectResolver projectResolver;
+    private final TelemetryProvider telemetryProvider;
 
     public ExtensionComponents(
         Environment environment,
         Client client,
         ClusterService clusterService,
         ResourceWatcherService resourceWatcherService,
         UserRoleMapper roleMapper,
-        ProjectResolver projectResolver
+        ProjectResolver projectResolver,
+        TelemetryProvider telemetryProvider
     ) {
         this.environment = environment;
         this.client = client;
         this.clusterService = clusterService;
         this.resourceWatcherService = resourceWatcherService;
         this.roleMapper = roleMapper;
         this.projectResolver = projectResolver;
+        this.telemetryProvider = telemetryProvider;
     }
 
     @Override
@@ -83,4 +87,9 @@ public UserRoleMapper roleMapper() {
     public ProjectResolver projectResolver() {
         return projectResolver;
     }
+
+    @Override
+    public TelemetryProvider telemetryProvider() {
+        return telemetryProvider;
+    }
 }