Add handling for secondary X-Client-Authentication header (elastic#140634)

This PR extends `SecondaryAuthenticator` to support passing of
`X-Client-Authentication` header as                 
`es-secondary-x-client-authentication`. This allows secondary
authentication to work with custom authenticators that     require
additional `X-Client-Authentication`  header along with the standard
`Authorization` header.

Author: slobodanadamovic

server/src/main/java/org/elasticsearch/common/util/concurrent/ThreadContext.java

@@ -783,6 +783,7 @@ public void sanitizeHeaders() {
             .removeIf(
                 entry -> entry.getKey().equalsIgnoreCase("authorization")
                     || entry.getKey().equalsIgnoreCase("es-secondary-authorization")
+                    || entry.getKey().equalsIgnoreCase("es-secondary-x-client-authentication")
                     || entry.getKey().equalsIgnoreCase("ES-Client-Authentication")
                     || entry.getKey().equalsIgnoreCase("X-Client-Authentication")
             );

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java

@@ -1676,6 +1676,7 @@ public Collection<RestHeaderDefinition> getRestHeaders() {
         Set<RestHeaderDefinition> headers = new HashSet<>();
         headers.add(new RestHeaderDefinition(UsernamePasswordToken.BASIC_AUTH_HEADER, false));
         headers.add(new RestHeaderDefinition(SecondaryAuthenticator.SECONDARY_AUTH_HEADER_NAME, false));
+        headers.add(new RestHeaderDefinition(SecondaryAuthenticator.SECONDARY_X_CLIENT_AUTH_HEADER_NAME, false));
         if (XPackSettings.AUDIT_ENABLED.get(settings)) {
             headers.add(new RestHeaderDefinition(AuditTrail.X_FORWARDED_FOR_HEADER, true));
         }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/SecondaryAuthenticator.java

@@ -24,6 +24,7 @@
 import org.elasticsearch.xpack.security.audit.AuditTrailService;
 import org.elasticsearch.xpack.security.authc.AuthenticationService;
 
+import java.util.Map;
 import java.util.function.Consumer;
 import java.util.function.Supplier;
 
@@ -37,6 +38,14 @@ public class SecondaryAuthenticator {
      */
     public static final String SECONDARY_AUTH_HEADER_NAME = "es-secondary-authorization";
 
+    /**
+     * Header name for secondary client authentication credentials.
+     * Used by authenticators that require additional [@code X-Client-Authentication} header along with the Authorization header.
+     */
+    public static final String SECONDARY_X_CLIENT_AUTH_HEADER_NAME = "es-secondary-x-client-authentication";
+
+    private static final String X_CLIENT_AUTHENTICATION = "X-Client-Authentication";
+
     private static final Logger logger = LogManager.getLogger(SecondaryAuthenticator.class);
     private final SecurityContext securityContext;
     private final AuthenticationService authenticationService;
@@ -110,6 +119,8 @@ private void authenticate(Consumer<ActionListener<Authentication>> authenticate,
             return;
         }
 
+        final Map<String, String> additionalHeaders = mapAdditionalSecondaryAuthHeaders(threadContext);
+
         final Supplier<ThreadContext.StoredContext> originalContext = threadContext.newRestorableContext(false);
         final ActionListener<Authentication> authenticationListener = new ContextPreservingActionListener<>(
             originalContext,
@@ -133,7 +144,34 @@ private void authenticate(Consumer<ActionListener<Authentication>> authenticate,
                 UsernamePasswordToken.BASIC_AUTH_HEADER
             );
             threadContext.putHeader(UsernamePasswordToken.BASIC_AUTH_HEADER, header);
+
+            if (false == additionalHeaders.isEmpty()) {
+                threadContext.putHeader(additionalHeaders);
+            }
+
             authenticate.accept(authenticationListener);
         }
     }
+
+    /**
+     * Extracts additional secondary authentication headers from the thread context.
+     * These headers are mapped from their secondary header names to the actual header names
+     * expected by authenticators.
+     *
+     * @param threadContext the thread context to extract headers from
+     * @return a map of header names to values for additional secondary auth headers, empty if none found
+     */
+    private Map<String, String> mapAdditionalSecondaryAuthHeaders(ThreadContext threadContext) {
+        final String secondaryXClientAuthHeader = threadContext.getHeader(SECONDARY_X_CLIENT_AUTH_HEADER_NAME);
+        if (Strings.hasText(secondaryXClientAuthHeader)) {
+            logger.trace(
+                "found additional secondary [{}] header, placing it in the [{}] header",
+                SECONDARY_X_CLIENT_AUTH_HEADER_NAME,
+                X_CLIENT_AUTHENTICATION
+            );
+            return Map.of(X_CLIENT_AUTHENTICATION, secondaryXClientAuthHeader);
+        }
+
+        return Map.of();
+    }
 }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/SecondaryAuthenticatorTests.java

@@ -64,18 +64,20 @@
 import org.junit.Before;
 import org.mockito.Mockito;
 
-import java.nio.charset.StandardCharsets;
 import java.time.Clock;
-import java.util.Base64;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.function.Consumer;
 
+import static org.elasticsearch.test.ActionListenerUtils.anyActionListener;
+import static org.elasticsearch.test.rest.ESRestTestCase.basicAuthHeaderValue;
 import static org.elasticsearch.xpack.security.authc.support.SecondaryAuthenticator.SECONDARY_AUTH_HEADER_NAME;
+import static org.elasticsearch.xpack.security.authc.support.SecondaryAuthenticator.SECONDARY_X_CLIENT_AUTH_HEADER_NAME;
 import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.notNullValue;
 import static org.hamcrest.Matchers.nullValue;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.doAnswer;
@@ -259,11 +261,7 @@ private SecondaryAuthentication assertAuthenticateWithBasicAuthentication(Consum
         final SecureString password = new SecureString(randomAlphaOfLengthBetween(8, 24).toCharArray());
         realm.defineUser(user, password);
 
-        threadPool.getThreadContext()
-            .putHeader(
-                SECONDARY_AUTH_HEADER_NAME,
-                "Basic " + Base64.getEncoder().encodeToString((user + ":" + password).getBytes(StandardCharsets.UTF_8))
-            );
+        threadPool.getThreadContext().putHeader(SECONDARY_AUTH_HEADER_NAME, basicAuthHeaderValue(user, password));
 
         final PlainActionFuture<SecondaryAuthentication> future = new PlainActionFuture<>();
         final AtomicReference<ThreadContext.StoredContext> listenerContext = new AtomicReference<>();
@@ -273,8 +271,8 @@ private SecondaryAuthentication assertAuthenticateWithBasicAuthentication(Consum
         }, e -> future.onFailure(e)));
 
         final SecondaryAuthentication secondaryAuthentication = future.result();
-        assertThat(secondaryAuthentication, Matchers.notNullValue());
-        assertThat(secondaryAuthentication.getAuthentication(), Matchers.notNullValue());
+        assertThat(secondaryAuthentication, notNullValue());
+        assertThat(secondaryAuthentication.getAuthentication(), notNullValue());
         assertThat(secondaryAuthentication.getAuthentication().getEffectiveSubject().getUser().principal(), equalTo(user));
         assertThat(secondaryAuthentication.getAuthentication().getAuthenticatingSubject().getRealm().getName(), equalTo(realm.name()));
 
@@ -303,10 +301,7 @@ private void assertAuthenticateWithIncorrectPassword(Consumer<ActionListener<Sec
         realm.defineUser(user, password);
 
         threadPool.getThreadContext()
-            .putHeader(
-                SECONDARY_AUTH_HEADER_NAME,
-                "Basic " + Base64.getEncoder().encodeToString((user + ":NOT-" + password).getBytes(StandardCharsets.UTF_8))
-            );
+            .putHeader(SECONDARY_AUTH_HEADER_NAME, basicAuthHeaderValue(user, new SecureString("NOT-" + password)));
 
         final PlainActionFuture<SecondaryAuthentication> future = new PlainActionFuture<>();
         final AtomicReference<ThreadContext.StoredContext> listenerContext = new AtomicReference<>();
@@ -354,10 +349,72 @@ public void testAuthenticateUsingBearerToken() throws Exception {
         authenticator.authenticate(AuthenticateAction.NAME, request, future);
 
         final SecondaryAuthentication secondaryAuthentication = future.result();
-        assertThat(secondaryAuthentication, Matchers.notNullValue());
-        assertThat(secondaryAuthentication.getAuthentication(), Matchers.notNullValue());
+        assertThat(secondaryAuthentication, notNullValue());
+        assertThat(secondaryAuthentication.getAuthentication(), notNullValue());
         assertThat(secondaryAuthentication.getAuthentication().getEffectiveSubject().getUser(), equalTo(user));
         assertThat(secondaryAuthentication.getAuthentication().getAuthenticationType(), equalTo(AuthenticationType.TOKEN));
     }
 
+    public void testSecondaryXClientAuthHeaderIsPlacedInThreadContext() throws Exception {
+        final String xClientAuthValue = randomAlphaOfLengthBetween(20, 40);
+        final String capturedHeader = authenticateAndCaptureXClientAuthHeader(xClientAuthValue);
+        assertThat(capturedHeader, equalTo(xClientAuthValue));
+    }
+
+    public void testSecondaryXClientAuthHeaderIsNotPlacedWhenNotProvided() throws Exception {
+        final String capturedHeader = authenticateAndCaptureXClientAuthHeader(randomBoolean() ? null : "");
+        assertThat(capturedHeader, nullValue());
+    }
+
+    private String authenticateAndCaptureXClientAuthHeader(String xClientAuthValue) throws Exception {
+        final AtomicReference<String> capturedHeader = new AtomicReference<>();
+        final Authentication authentication = AuthenticationTestHelper.builder()
+            .user(new User(randomAlphaOfLengthBetween(6, 12)))
+            .realmRef(new RealmRef("test_realm", "dummy", "node1"))
+            .build(false);
+
+        final AuthenticationService mockAuthService = mock(AuthenticationService.class);
+        boolean useTransportRequest = randomBoolean();
+        if (useTransportRequest) {
+            doAnswer(invocation -> {
+                capturedHeader.set(threadPool.getThreadContext().getHeader("X-Client-Authentication"));
+                @SuppressWarnings("unchecked")
+                ActionListener<Authentication> listener = (ActionListener<Authentication>) invocation.getArguments()[3];
+                listener.onResponse(authentication);
+                return null;
+            }).when(mockAuthService).authenticate(any(String.class), any(TransportRequest.class), any(Boolean.class), anyActionListener());
+        } else {
+            doAnswer(invocation -> {
+                capturedHeader.set(threadPool.getThreadContext().getHeader("X-Client-Authentication"));
+                @SuppressWarnings("unchecked")
+                ActionListener<Authentication> listener = (ActionListener<Authentication>) invocation.getArguments()[2];
+                listener.onResponse(authentication);
+                return null;
+            }).when(mockAuthService).authenticate(any(), any(Boolean.class), anyActionListener());
+        }
+
+        final SecondaryAuthenticator mockAuthenticator = new SecondaryAuthenticator(
+            securityContext,
+            mockAuthService,
+            new AuditTrailService(null, null)
+        );
+
+        threadPool.getThreadContext()
+            .putHeader(SECONDARY_AUTH_HEADER_NAME, basicAuthHeaderValue(randomAlphanumericOfLength(5), randomSecureStringOfLength(5)));
+
+        if (xClientAuthValue != null) {
+            threadPool.getThreadContext().putHeader(SECONDARY_X_CLIENT_AUTH_HEADER_NAME, xClientAuthValue);
+        }
+
+        final PlainActionFuture<SecondaryAuthentication> future = new PlainActionFuture<>();
+        if (useTransportRequest) {
+            mockAuthenticator.authenticate(AuthenticateAction.NAME, AuthenticateRequest.INSTANCE, future);
+        } else {
+            mockAuthenticator.authenticateAndAttachToContext(new FakeRestRequest(), future);
+        }
+
+        assertThat(future.result(), notNullValue());
+        return capturedHeader.get();
+    }
+
 }