Merge branch 'main' into ia-fix-eis-endpoints

Author: jonathan-buttner

docs/changelog/137598.yaml

@@ -0,0 +1,6 @@
+pr: 137598
+summary: Improve SAML error handling by adding metadata
+area: Authentication
+type: enhancement
+issues:
+ - 128179

docs/changelog/138876.yaml

@@ -0,0 +1,5 @@
+pr: 138876
+summary: "Use doc values skipper for @timestamp in synthetic `_id` postings #138568"
+area: TSDB
+type: enhancement
+issues: []

server/src/main/java/module-info.java

@@ -396,10 +396,10 @@
         to
             org.elasticsearch.inference,
             org.elasticsearch.metering,
-            org.elasticsearch.stateless,
             org.elasticsearch.settings.secure,
             org.elasticsearch.serverless.constants,
             org.elasticsearch.serverless.apifiltering,
+            org.elasticsearch.serverless.stateless,
             org.elasticsearch.internal.security,
             org.elasticsearch.xpack.gpu;
 

server/src/main/java/org/elasticsearch/index/codec/tsdb/TSDBSyntheticIdFieldsProducer.java

@@ -373,6 +373,25 @@ private int findFirstDocWithTsIdOrdinalEqualTo(int tsIdOrd) throws IOException {
             return DocIdSetIterator.NO_MORE_DOCS;
         }
 
+        /**
+         * Skip as many documents as possible after a given document ID to find the first document ID matching the timestamp.
+         *
+         * @param timestamp the timestamp to match
+         * @param minDocID the min. document ID
+         * @return a docID to start scanning documents from in order to find the first document ID matching the provided timestamp
+         * @throws IOException if any I/O exception occurs
+         */
+        private int skipDocIDForTimestamp(long timestamp, int minDocID) throws IOException {
+            var skipper = docValuesProducer.getSkipper(timestampFieldInfo);
+            assert skipper != null;
+            if (skipper.minValue() > timestamp || timestamp > skipper.maxValue()) {
+                return DocIdSetIterator.NO_MORE_DOCS;
+            }
+            skipper.advance(minDocID);
+            skipper.advance(timestamp, Long.MAX_VALUE);
+            return Math.max(minDocID, skipper.minDocID(0));
+        }
+
         private int getTsIdValueCount() throws IOException {
             if (tsIdDocValues == null) {
                 tsIdDocValues = docValuesProducer.getSorted(tsIdFieldInfo);
@@ -483,32 +502,37 @@ public SeekStatus seekCeil(BytesRef id) throws IOException {
                 return SeekStatus.END;
             }
 
-            // _tsid found, extract the timestamp
-            final long timestamp = TsidExtractingIdFieldMapper.extractTimestampFromSyntheticId(id);
-
-            // Find the first document matching the _tsid
-            final int startDocID = docValues.findFirstDocWithTsIdOrdinalEqualTo(tsIdOrd);
+            // Find the first document ID matching the _tsid
+            int startDocID = docValues.findFirstDocWithTsIdOrdinalEqualTo(tsIdOrd);
             assert startDocID >= 0 : startDocID;
 
-            int docID = startDocID;
-            int docTsIdOrd = tsIdOrd;
-            long docTimestamp;
-
-            // Iterate over documents to find the first one matching the timestamp
-            for (; docID < maxDocs; docID++) {
-                docTimestamp = docValues.docTimestamp(docID);
-                if (startDocID < docID) {
-                    // After the first doc, we need to check again if _tsid matches
-                    docTsIdOrd = docValues.docTsIdOrdinal(docID);
-                }
-                if (docTsIdOrd == tsIdOrd && docTimestamp == timestamp) {
-                    // It's a match!
-                    current = new SyntheticTerm(docID, tsIdOrd, tsId, docTimestamp, docValues.docRoutingHash(docID));
-                    return SeekStatus.FOUND;
-                }
-                // Remaining docs don't match, stop here
-                if (tsIdOrd < docTsIdOrd || docTimestamp < timestamp) {
-                    break;
+            if (startDocID != DocIdSetIterator.NO_MORE_DOCS) {
+                // _tsid found, extract the timestamp
+                final long timestamp = TsidExtractingIdFieldMapper.extractTimestampFromSyntheticId(id);
+
+                startDocID = docValues.skipDocIDForTimestamp(timestamp, startDocID);
+                if (startDocID != DocIdSetIterator.NO_MORE_DOCS) {
+                    int docID = startDocID;
+                    int docTsIdOrd = tsIdOrd;
+                    long docTimestamp;
+
+                    // Iterate over documents to find the first one matching the timestamp
+                    for (; docID < maxDocs; docID++) {
+                        docTimestamp = docValues.docTimestamp(docID);
+                        if (startDocID < docID) {
+                            // After the first doc, we need to check again if _tsid matches
+                            docTsIdOrd = docValues.docTsIdOrdinal(docID);
+                        }
+                        if (docTsIdOrd == tsIdOrd && docTimestamp == timestamp) {
+                            // It's a match!
+                            current = new SyntheticTerm(docID, tsIdOrd, tsId, docTimestamp, docValues.docRoutingHash(docID));
+                            return SeekStatus.FOUND;
+                        }
+                        // Remaining docs don't match, stop here
+                        if (tsIdOrd < docTsIdOrd || docTimestamp < timestamp) {
+                            break;
+                        }
+                    }
                 }
             }
             current = NO_MORE_DOCS;

x-pack/plugin/inference/src/main/java/org/elasticsearch/xpack/inference/external/http/HttpClient.java

@@ -28,7 +28,6 @@
 import java.io.IOException;
 import java.util.Objects;
 import java.util.concurrent.CancellationException;
-import java.util.concurrent.atomic.AtomicReference;
 
 import static org.elasticsearch.core.Strings.format;
 import static org.elasticsearch.xpack.inference.InferencePlugin.INFERENCE_RESPONSE_THREAD_POOL_NAME;
@@ -39,14 +38,7 @@
 public class HttpClient implements Closeable {
     private static final Logger logger = LogManager.getLogger(HttpClient.class);
 
-    enum Status {
-        CREATED,
-        STARTED,
-        STOPPED
-    }
-
     private final CloseableHttpAsyncClient client;
-    private final AtomicReference<Status> status = new AtomicReference<>(Status.CREATED);
     private final ThreadPool threadPool;
     private final HttpSettings settings;
     private final ThrottlerManager throttlerManager;
@@ -127,15 +119,10 @@ private static CloseableHttpAsyncClient createAsyncClient(
     }
 
     public void start() {
-        if (status.compareAndSet(Status.CREATED, Status.STARTED)) {
-            client.start();
-        }
+        client.start();
     }
 
     public void send(HttpRequest request, HttpClientContext context, ActionListener<HttpResult> listener) throws IOException {
-        // The caller must call start() first before attempting to send a request
-        assert status.get() == Status.STARTED : "call start() before attempting to send a request";
-
         SocketAccess.doPrivileged(() -> client.execute(request.httpRequestBase(), context, new FutureCallback<>() {
             @Override
             public void completed(HttpResponse response) {
@@ -145,7 +132,7 @@ public void completed(HttpResponse response) {
             @Override
             public void failed(Exception ex) {
                 throttlerManager.warn(logger, format("Request from inference entity id [%s] failed", request.inferenceEntityId()), ex);
-                failUsingResponseThread(ex, listener);
+                failUsingResponseThread(getException(ex), listener);
             }
 
             @Override
@@ -179,10 +166,22 @@ private void failUsingResponseThread(Exception exception, ActionListener<?> list
         threadPool.executor(INFERENCE_RESPONSE_THREAD_POOL_NAME).execute(() -> listener.onFailure(exception));
     }
 
-    public void stream(HttpRequest request, HttpContext context, ActionListener<StreamingHttpResult> listener) throws IOException {
-        // The caller must call start() first before attempting to send a request
-        assert status.get() == Status.STARTED : "call start() before attempting to send a request";
+    private static Exception getException(Exception e) {
+        if (e instanceof CancellationException cancellationException) {
+            return createNotRunningException(cancellationException);
+        }
 
+        return e;
+    }
+
+    private static IllegalStateException createNotRunningException(Exception exception) {
+        // If the http client isn't running, it is either not started yet, in which case we have a bug somewhere because
+        // it should always be started as part of the inference plugin startup, or it is stopped meaning the node is shutting down.
+        // If we're shutting down, the user should retry the request, and hopefully it'll hit a node that isn't shutting down.
+        return new IllegalStateException("Http client is not running, please retry the request", exception);
+    }
+
+    public void stream(HttpRequest request, HttpContext context, ActionListener<StreamingHttpResult> listener) throws IOException {
         var streamingProcessor = new StreamingHttpResultPublisher(threadPool, settings, listener);
 
         SocketAccess.doPrivileged(() -> client.execute(request.requestProducer(), streamingProcessor, context, new FutureCallback<>() {
@@ -193,7 +192,7 @@ public void completed(Void response) {
 
             @Override
             public void failed(Exception ex) {
-                threadPool.executor(INFERENCE_RESPONSE_THREAD_POOL_NAME).execute(() -> streamingProcessor.failed(ex));
+                threadPool.executor(INFERENCE_RESPONSE_THREAD_POOL_NAME).execute(() -> streamingProcessor.failed(getException(ex)));
             }
 
             @Override
@@ -212,7 +211,6 @@ public void cancelled() {
 
     @Override
     public void close() throws IOException {
-        status.set(Status.STOPPED);
         client.close();
     }
 }

x-pack/plugin/inference/src/test/java/org/elasticsearch/xpack/inference/external/http/HttpClientTests.java

@@ -22,6 +22,7 @@
 import org.apache.http.nio.reactor.IOReactorException;
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.action.support.PlainActionFuture;
+import org.elasticsearch.action.support.TestPlainActionFuture;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.unit.ByteSizeValue;
@@ -33,7 +34,6 @@
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.xcontent.XContentType;
 import org.elasticsearch.xpack.inference.external.request.HttpRequest;
-import org.elasticsearch.xpack.inference.external.request.HttpRequestTests;
 import org.junit.After;
 import org.junit.Before;
 
@@ -47,6 +47,7 @@
 import static org.elasticsearch.xpack.inference.Utils.inferenceUtilityExecutors;
 import static org.elasticsearch.xpack.inference.Utils.mockClusterService;
 import static org.elasticsearch.xpack.inference.logging.ThrottlerManagerTests.mockThrottlerManager;
+import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.hasSize;
 import static org.hamcrest.Matchers.is;
@@ -102,13 +103,12 @@ public void testSend_MockServerReceivesRequest() throws Exception {
 
     public void testSend_ThrowsErrorIfCalledBeforeStart() throws Exception {
         try (var httpClient = HttpClient.create(emptyHttpSettings(), threadPool, createConnectionManager(), mockThrottlerManager())) {
-            PlainActionFuture<HttpResult> listener = new PlainActionFuture<>();
-            var thrownException = expectThrows(
-                AssertionError.class,
-                () -> httpClient.send(HttpRequestTests.createMock("inferenceEntityId"), HttpClientContext.create(), listener)
-            );
+            var listener = new TestPlainActionFuture<HttpResult>();
+            var httpPost = createHttpPost(webServer.getPort(), "key", "value");
+            httpClient.send(httpPost, HttpClientContext.create(), listener);
+            var thrownException = expectThrows(IllegalStateException.class, () -> listener.actionGet(TimeValue.THIRTY_SECONDS));
 
-            assertThat(thrownException.getMessage(), is("call start() before attempting to send a request"));
+            assertThat(thrownException.getMessage(), containsString("Http client is not running, please retry the request"));
         }
     }
 

x-pack/plugin/security/qa/saml-rest-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/saml/SamlInResponseToIT.java

@@ -0,0 +1,112 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.security.authc.saml;
+
+import org.apache.http.util.EntityUtils;
+import org.elasticsearch.client.Request;
+import org.elasticsearch.client.ResponseException;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.test.rest.ObjectPath;
+import org.elasticsearch.xcontent.json.JsonXContent;
+
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.hasEntry;
+import static org.hamcrest.Matchers.hasKey;
+import static org.hamcrest.Matchers.is;
+
+public class SamlInResponseToIT extends SamlRestTestCase {
+
+    private static final int REALM_NUMBER = 1;
+
+    public void testInResponseTo_matchingValues() throws Exception {
+        final String username = randomAlphaOfLengthBetween(4, 12);
+        String requestId = generateRandomRequestId();
+        var response = authUser(username, requestId, requestId);
+        assertThat(response, hasKey("access_token"));
+    }
+
+    public void testInResponseTo_requestAndTokenHaveDifferentValues() throws Exception {
+        final String username = randomAlphaOfLengthBetween(4, 12);
+        String requestIdFromRequest = generateRandomRequestId();
+        String requestIdFromToken = generateDifferentRandomRequestId(requestIdFromRequest);
+
+        var exception = expectThrows(ResponseException.class, () -> authUser(username, requestIdFromRequest, requestIdFromToken));
+        assertThat(exception.getResponse().getStatusLine().getStatusCode(), is(401));
+        String errorEntity = EntityUtils.toString(exception.getResponse().getEntity());
+        assertThat(errorEntity, containsString("\"security.saml.unsolicited_in_response_to\":\"" + requestIdFromToken + "\""));
+    }
+
+    public void testInResponseTo_requestNullTokenNotNull() throws Exception {
+        final String username = randomAlphaOfLengthBetween(4, 12);
+        String requestIdFromToken = generateRandomRequestId();
+
+        var exception = expectThrows(ResponseException.class, () -> authUser(username, null, requestIdFromToken));
+        assertThat(exception.getResponse().getStatusLine().getStatusCode(), is(401));
+        String errorEntity = EntityUtils.toString(exception.getResponse().getEntity());
+        assertThat(errorEntity, containsString("\"security.saml.unsolicited_in_response_to\":\"" + requestIdFromToken + "\""));
+    }
+
+    public void testInResponseTo_requestNotNullTokenNull() throws Exception {
+        final String username = randomAlphaOfLengthBetween(4, 12);
+        String requestIdFromRequest = generateRandomRequestId();
+
+        var response = authUser(username, requestIdFromRequest, null);
+        assertThat(response, hasKey("access_token"));
+    }
+
+    public void testInResponseTo_requestNullTokenNull() throws Exception {
+        final String username = randomAlphaOfLengthBetween(4, 12);
+        var response = authUser(username, null, null);
+        assertThat(response, hasKey("access_token"));
+    }
+
+    private String generateRandomRequestId() {
+        return randomAlphaOfLength(1) + randomAlphanumericOfLength(random().nextInt(10));
+    }
+
+    private String generateDifferentRandomRequestId(String existingId) {
+        String newId;
+        do {
+            newId = generateRandomRequestId();
+        } while (newId.equals(existingId));
+        return newId;
+    }
+
+    private Map<String, Object> authUser(String username, String inResponseToFromHeader, String inResponseToInSamlToken) throws Exception {
+
+        var httpsAddress = getAcsHttpsAddress();
+        var message = new SamlResponseBuilder().spEntityId("https://sp" + REALM_NUMBER + ".example.org/")
+            .idpEntityId(getIdpEntityId(REALM_NUMBER))
+            .acs(new URL("https://" + httpsAddress.getHostName() + ":" + httpsAddress.getPort() + "/acs/" + REALM_NUMBER))
+            .attribute("urn:oid:2.5.4.3", username)
+            .sign(getDataPath(SAML_SIGNING_CRT), getDataPath(SAML_SIGNING_KEY), new char[0])
+            .inResponseTo(inResponseToInSamlToken)
+            .asString();
+
+        final Map<String, Object> body = new HashMap<>();
+        body.put("content", Base64.getEncoder().encodeToString(message.getBytes(StandardCharsets.UTF_8)));
+        body.put("realm", getSamlRealmName(REALM_NUMBER));
+        if (inResponseToFromHeader != null) {
+            body.put("ids", inResponseToFromHeader);
+        }
+
+        var req = new Request("POST", "_security/saml/authenticate");
+        req.setJsonEntity(Strings.toString(JsonXContent.contentBuilder().map(body)));
+        var resp = entityAsMap(client().performRequest(req));
+        assertThat(resp, hasEntry("username", username));
+        assertThat(ObjectPath.evaluate(resp, "authentication.authentication_realm.name"), equalTo(getSamlRealmName(REALM_NUMBER)));
+        return resp;
+    }
+}

x-pack/plugin/security/qa/saml-rest-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/authc/saml/SamlResponseBuilder.java

@@ -122,6 +122,11 @@ public SamlResponseBuilder attribute(String name, String value) {
         return this;
     }
 
+    public SamlResponseBuilder inResponseTo(String requestId) {
+        this.inResponseTo = requestId;
+        return this;
+    }
+
     public SamlResponseBuilder sign(Path certPath, Path keyPath, char[] keyPassword) throws GeneralSecurityException, IOException {
         var privateKey = PemUtils.readPrivateKey(keyPath, () -> keyPassword);
         var certificates = PemUtils.readCertificates(List.of(certPath));