Extract principal from certificate RDN (elastic#137230)

Add support for RDN attribute value principal extraction in PKI Realm.

This allows extracting the principal from a specific RDN attribute
(e.g., CN, OU) in the client certificate, improving flexibility in
identifying users based on certificate details.

Author: ebarlas

docs/changelog/137230.yaml

@@ -0,0 +1,5 @@
+pr: 137230
+summary: Principal Extraction from Certificate RDN Attribute Value in PKI Realm
+area: Security
+type: bug
+issues: []

docs/reference/elasticsearch/configuration-reference/security-settings.md

@@ -769,6 +769,18 @@ In addition to the [settings that are valid for all realms](#ref-realm-settings)
 `username_pattern`
 :   ([Static](docs-content://deploy-manage/stack-settings.md#static-cluster-setting)) The regular expression pattern used to extract the username from the certificate DN. The username is used for auditing and logging. The username can also be used with the [role mapping API](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md) and [authorization delegation](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/authorization-delegation.md). The first match group is the used as the username. Defaults to `CN=(.*?)(?:,|$)`.
 
+    This setting is ignored if either `username_rdn_oid` or `username_rdn_name` is set.
+
+`username_rdn_oid`
+:   ([Static](docs-content://deploy-manage/stack-settings.md#static-cluster-setting)) The relative distinguished name (RDN) attribute OID used to extract the username from the certificate DN. The username is used for auditing and logging. The username can also be used with the [role mapping API](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md) and [authorization delegation](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/authorization-delegation.md). The value of the most specific RDN matching this attribute OID is used as the username.
+
+    This setting takes precedent over `username_pattern`. You cannot use this setting and `username_rdn_name` at the same time.
+
+`username_rdn_name`
+:   ([Static](docs-content://deploy-manage/stack-settings.md#static-cluster-setting)) The relative distinguished name (RDN) attribute name used to extract the username from the certificate DN. The username is used for auditing and logging. The username can also be used with the [role mapping API](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md) and [authorization delegation](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/authorization-delegation.md). The value of the most specific RDN matching this attribute name is used as the username.
+
+    This setting takes precedent over `username_pattern`. You cannot use this setting and `username_rdn_oid` at the same time.
+
 `certificate_authorities`
 :   ([Static](docs-content://deploy-manage/stack-settings.md#static-cluster-setting)) List of paths to the PEM certificate files that should be used to authenticate a user’s certificate as trusted. Defaults to the trusted certificates configured for SSL. This setting cannot be used with `truststore.path`.
 

libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/DerParser.java

@@ -36,21 +36,22 @@ public final class DerParser {
     private static final int CONSTRUCTED = 0x20;
 
     // Tag and data types
-    static final class Type {
-        static final int INTEGER = 0x02;
-        static final int OCTET_STRING = 0x04;
-        static final int OBJECT_OID = 0x06;
-        static final int SEQUENCE = 0x10;
-        static final int NUMERIC_STRING = 0x12;
-        static final int PRINTABLE_STRING = 0x13;
-        static final int VIDEOTEX_STRING = 0x15;
-        static final int IA5_STRING = 0x16;
-        static final int GRAPHIC_STRING = 0x19;
-        static final int ISO646_STRING = 0x1A;
-        static final int GENERAL_STRING = 0x1B;
-        static final int UTF8_STRING = 0x0C;
-        static final int UNIVERSAL_STRING = 0x1C;
-        static final int BMP_STRING = 0x1E;
+    public static final class Type {
+        public static final int INTEGER = 0x02;
+        public static final int OCTET_STRING = 0x04;
+        public static final int OBJECT_OID = 0x06;
+        public static final int SEQUENCE = 0x10;
+        public static final int SET = 0x11;
+        public static final int NUMERIC_STRING = 0x12;
+        public static final int PRINTABLE_STRING = 0x13;
+        public static final int VIDEOTEX_STRING = 0x15;
+        public static final int IA5_STRING = 0x16;
+        public static final int GRAPHIC_STRING = 0x19;
+        public static final int ISO646_STRING = 0x1A;
+        public static final int GENERAL_STRING = 0x1B;
+        public static final int UTF8_STRING = 0x0C;
+        public static final int UNIVERSAL_STRING = 0x1C;
+        public static final int BMP_STRING = 0x1E;
     }
 
     private InputStream derInputStream;

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/pki/PkiRealmSettings.java

@@ -6,6 +6,10 @@
  */
 package org.elasticsearch.xpack.core.security.authc.pki;
 
+import com.unboundid.ldap.sdk.LDAPException;
+import com.unboundid.ldap.sdk.schema.AttributeTypeDefinition;
+import com.unboundid.ldap.sdk.schema.Schema;
+
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.core.TimeValue;
@@ -29,6 +33,33 @@ public final class PkiRealmSettings {
         key -> new Setting<>(key, DEFAULT_USERNAME_PATTERN, s -> Pattern.compile(s, Pattern.CASE_INSENSITIVE), Setting.Property.NodeScope)
     );
 
+    public static final Setting.AffixSetting<String> USERNAME_RDN_OID_SETTING = Setting.affixKeySetting(
+        RealmSettings.realmSettingPrefix(TYPE),
+        "username_rdn_oid",
+        key -> Setting.simpleString(key, Setting.Property.NodeScope)
+    );
+
+    public static final Setting.AffixSetting<String> USERNAME_RDN_NAME_SETTING = Setting.affixKeySetting(
+        RealmSettings.realmSettingPrefix(TYPE),
+        "username_rdn_name",
+        key -> new Setting<>(key, (String) null, s -> {
+            if (s == null) {
+                return "";
+            }
+            Schema schema;
+            try {
+                schema = Schema.getDefaultStandardSchema();
+            } catch (LDAPException e) {
+                throw new IllegalStateException("Unexpected error occurred obtaining default LDAP schema", e);
+            }
+            AttributeTypeDefinition atd = schema.getAttributeType(s);
+            if (atd == null) {
+                throw new IllegalArgumentException("Unknown RDN name [" + s + "] for setting [" + key + "]");
+            }
+            return atd.getOID();
+        }, Setting.Property.NodeScope)
+    );
+
     private static final TimeValue DEFAULT_TTL = TimeValue.timeValueMinutes(20);
     public static final Setting.AffixSetting<TimeValue> CACHE_TTL_SETTING = Setting.affixKeySetting(
         RealmSettings.realmSettingPrefix(TYPE),
@@ -75,6 +106,8 @@ private PkiRealmSettings() {}
     public static Set<Setting.AffixSetting<?>> getSettings() {
         Set<Setting.AffixSetting<?>> settings = new HashSet<>();
         settings.add(USERNAME_PATTERN_SETTING);
+        settings.add(USERNAME_RDN_OID_SETTING);
+        settings.add(USERNAME_RDN_NAME_SETTING);
         settings.add(CACHE_TTL_SETTING);
         settings.add(CACHE_MAX_USERS_SETTING);
         settings.add(DELEGATION_ENABLED_SETTING);

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java

@@ -12,6 +12,7 @@
 import org.elasticsearch.common.cache.Cache;
 import org.elasticsearch.common.cache.CacheBuilder;
 import org.elasticsearch.common.hash.MessageDigests;
+import org.elasticsearch.common.settings.SettingsException;
 import org.elasticsearch.common.ssl.SslConfiguration;
 import org.elasticsearch.common.ssl.SslTrustConfig;
 import org.elasticsearch.common.util.concurrent.ReleasableLock;
@@ -51,6 +52,7 @@
 
 import javax.net.ssl.X509ExtendedTrustManager;
 import javax.net.ssl.X509TrustManager;
+import javax.security.auth.x500.X500Principal;
 
 import static org.elasticsearch.core.Strings.format;
 
@@ -76,6 +78,7 @@ public class PkiRealm extends Realm implements CachingRealm {
 
     private final X509TrustManager trustManager;
     private final Pattern principalPattern;
+    private final String principalRdnOid;
     private final UserRoleMapper roleMapper;
     private final Cache<BytesKey, User> cache;
     private DelegatedAuthorizationSupport delegatedRealms;
@@ -91,6 +94,18 @@ public PkiRealm(RealmConfig config, ResourceWatcherService watcherService, UserR
         this.delegationEnabled = config.getSetting(PkiRealmSettings.DELEGATION_ENABLED_SETTING);
         this.trustManager = trustManagers(config);
         this.principalPattern = config.getSetting(PkiRealmSettings.USERNAME_PATTERN_SETTING);
+        String rdnOid = config.getSetting(PkiRealmSettings.USERNAME_RDN_OID_SETTING);
+        String rdnOidFromName = config.getSetting(PkiRealmSettings.USERNAME_RDN_NAME_SETTING);
+        if (false == rdnOid.isEmpty() && false == rdnOidFromName.isEmpty()) {
+            throw new SettingsException(
+                "Both ["
+                    + config.getConcreteSetting(PkiRealmSettings.USERNAME_RDN_OID_SETTING).getKey()
+                    + "] and ["
+                    + config.getConcreteSetting(PkiRealmSettings.USERNAME_RDN_NAME_SETTING).getKey()
+                    + "] are set. Only one of these settings can be configured."
+            );
+        }
+        this.principalRdnOid = false == rdnOid.isEmpty() ? rdnOid : (false == rdnOidFromName.isEmpty() ? rdnOidFromName : null);
         this.roleMapper = roleMapper;
         this.roleMapper.clearRealmCacheOnChange(this);
         this.cache = CacheBuilder.<BytesKey, User>builder()
@@ -133,7 +148,7 @@ public X509AuthenticationToken token(ThreadContext context) {
         // validation). In this case the principal should be set by the realm that completes the authentication. But in the common case,
         // where a single PKI realm is configured, there is no risk of eagerly parsing the principal before authentication and it also
         // maintains BWC.
-        String parsedPrincipal = getPrincipalFromSubjectDN(principalPattern, token, logger);
+        String parsedPrincipal = getPrincipalFromToken(token);
         if (parsedPrincipal == null) {
             return null;
         }
@@ -164,7 +179,7 @@ public void authenticate(AuthenticationToken authToken, ActionListener<Authentic
                 // parse the principal again after validating the cert chain, and do not rely on the token.principal one, because that could
                 // be set by a different realm that failed trusted chain validation. We SHOULD NOT parse the principal BEFORE this step, but
                 // we do it for BWC purposes. Changing this is a breaking change.
-                final String principal = getPrincipalFromSubjectDN(principalPattern, token, logger);
+                final String principal = getPrincipalFromToken(token);
                 if (principal == null) {
                     logger.debug(
                         () -> format(
@@ -231,6 +246,24 @@ public void lookupUser(String username, ActionListener<User> listener) {
         listener.onResponse(null);
     }
 
+    String getPrincipalFromToken(X509AuthenticationToken token) {
+        return principalRdnOid != null
+            ? getPrincipalFromRdnAttribute(principalRdnOid, token, logger)
+            : getPrincipalFromSubjectDN(principalPattern, token, logger);
+    }
+
+    static String getPrincipalFromRdnAttribute(String principalRdnOid, X509AuthenticationToken token, Logger logger) {
+        X500Principal certPrincipal = token.credentials()[0].getSubjectX500Principal();
+        String principal = RdnFieldExtractor.extract(certPrincipal.getEncoded(), principalRdnOid);
+        if (principal == null) {
+            logger.debug(
+                () -> format("the extracted principal from DN [%s] using RDN OID [%s] is empty", certPrincipal.toString(), principalRdnOid)
+            );
+            return null;
+        }
+        return principal;
+    }
+
     static String getPrincipalFromSubjectDN(Pattern principalPattern, X509AuthenticationToken token, Logger logger) {
         String dn = token.credentials()[0].getSubjectX500Principal().toString();
         Matcher matcher = principalPattern.matcher(dn);

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/RdnFieldExtractor.java

@@ -0,0 +1,62 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.security.authc.pki;
+
+import org.elasticsearch.common.ssl.DerParser;
+
+import java.io.IOException;
+
+/**
+ * Utility class to extract RDN field values from X500 principal DER encoding.
+ */
+public class RdnFieldExtractor {
+
+    public static String extract(byte[] encoded, String oid) {
+        try {
+            return doExtract(encoded, oid);
+        } catch (IOException | IllegalStateException e) {
+            return null; // invalid encoding
+        }
+    }
+
+    private static String doExtract(byte[] encoded, String oid) throws IOException {
+        DerParser parser = new DerParser(encoded);
+
+        DerParser.Asn1Object dnSequence = parser.readAsn1Object(DerParser.Type.SEQUENCE);
+        DerParser sequenceParser = dnSequence.getParser();
+
+        String value = null;
+
+        while (true) {
+            try {
+                DerParser.Asn1Object rdnSet = sequenceParser.readAsn1Object(DerParser.Type.SET); // throws IOException on EOF
+                DerParser setParser = rdnSet.getParser();
+
+                while (true) {
+                    try {
+                        DerParser.Asn1Object attrSeq = setParser.readAsn1Object(DerParser.Type.SEQUENCE);  // throws IOException on EOF
+                        DerParser attrParser = attrSeq.getParser();
+
+                        String attrOid = attrParser.readAsn1Object().getOid();
+                        DerParser.Asn1Object attrValue = attrParser.readAsn1Object();
+                        if (oid.equals(attrOid)) {
+                            value = attrValue.getString(); // retain last (most-significant) occurrence
+                        }
+                    } catch (IOException e) {
+                        break; // RDN SET EOF
+                    }
+                }
+            } catch (IOException e) {
+                break; // DN SEQUENCE EOF
+            }
+        }
+
+        return value;
+    }
+
+}

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java

@@ -13,6 +13,7 @@
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.settings.SettingsException;
 import org.elasticsearch.common.ssl.SslConfigException;
 import org.elasticsearch.common.util.CollectionUtils;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
@@ -230,7 +231,7 @@ private AuthenticationResult<User> authenticate(X509AuthenticationToken token, P
     }
 
     public void testCustomUsernamePatternMatches() throws Exception {
-        final Settings settings = Settings.builder()
+        Settings settings = Settings.builder()
             .put(globalSettings)
             .put("xpack.security.authc.realms.pki.my_pki.username_pattern", "OU=(.*?),")
             .build();
@@ -249,6 +250,74 @@ public void testCustomUsernamePatternMatches() throws Exception {
         assertThat(user.roles().length, is(0));
     }
 
+    public void testRdnOidMatches() throws Exception {
+        Settings settings = Settings.builder()
+            .put(globalSettings)
+            .put("xpack.security.authc.realms.pki.my_pki.username_rdn_oid", "2.5.4.11")
+            .build();
+        ThreadContext threadContext = new ThreadContext(settings);
+        X509Certificate certificate = readCert(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
+        UserRoleMapper roleMapper = buildRoleMapper();
+        PkiRealm realm = buildRealm(roleMapper, settings);
+        threadContext.putTransient(PkiRealm.PKI_CERT_HEADER_NAME, new X509Certificate[] { certificate });
+
+        X509AuthenticationToken token = realm.token(threadContext);
+        User user = authenticate(token, realm).getValue();
+        assertThat(user, is(notNullValue()));
+        assertThat(user.principal(), is("elasticsearch"));
+    }
+
+    public void testRdnOidNameMatches() throws Exception {
+        Settings settings = Settings.builder()
+            .put(globalSettings)
+            .put("xpack.security.authc.realms.pki.my_pki.username_rdn_name", "OU")
+            .build();
+        ThreadContext threadContext = new ThreadContext(settings);
+        X509Certificate certificate = readCert(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
+        UserRoleMapper roleMapper = buildRoleMapper();
+        PkiRealm realm = buildRealm(roleMapper, settings);
+        threadContext.putTransient(PkiRealm.PKI_CERT_HEADER_NAME, new X509Certificate[] { certificate });
+
+        X509AuthenticationToken token = realm.token(threadContext);
+        User user = authenticate(token, realm).getValue();
+        assertThat(user, is(notNullValue()));
+        assertThat(user.principal(), is("elasticsearch"));
+    }
+
+    public void testRdnOidNameNotMatches() throws Exception {
+        Settings settings = Settings.builder()
+            .put(globalSettings)
+            .put("xpack.security.authc.realms.pki.my_pki.username_rdn_name", "UID")
+            .build();
+        ThreadContext threadContext = new ThreadContext(settings);
+        X509Certificate certificate = readCert(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
+        UserRoleMapper roleMapper = buildRoleMapper();
+        PkiRealm realm = buildRealm(roleMapper, settings);
+        threadContext.putTransient(PkiRealm.PKI_CERT_HEADER_NAME, new X509Certificate[] { certificate });
+
+        X509AuthenticationToken token = realm.token(threadContext);
+        assertThat(token, is(nullValue()));
+    }
+
+    public void testRdnOidNameUnknown() {
+        Settings settings = Settings.builder()
+            .put(globalSettings)
+            .put("xpack.security.authc.realms.pki.my_pki.username_rdn_name", "UNKNOWN_OID_NAME")
+            .build();
+        UserRoleMapper roleMapper = buildRoleMapper();
+        assertThrows(IllegalArgumentException.class, () -> buildRealm(roleMapper, settings));
+    }
+
+    public void testRedundantRdnOidSettings() {
+        Settings settings = Settings.builder()
+            .put(globalSettings)
+            .put("xpack.security.authc.realms.pki.my_pki.username_rdn_oid", "2.5.4.3")
+            .put("xpack.security.authc.realms.pki.my_pki.username_rdn_name", "UID")
+            .build();
+        UserRoleMapper roleMapper = buildRoleMapper();
+        assertThrows(SettingsException.class, () -> buildRealm(roleMapper, settings));
+    }
+
     public void testCustomUsernamePatternMismatchesAndNullToken() throws Exception {
         final Settings settings = Settings.builder()
             .put(globalSettings)