From 28528b787288df057c3c13f4d67cdc84136bb621 Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Wed, 2 Nov 2022 12:46:33 +1100 Subject: [PATCH] Ensure PKI's delegated_by_realm metadata respect run-as (#91173) (#91241) When delegated PKI authentication is used, the delegatee's realm name is added as a metadata field. This realm name should be the effective subject's realm instead of that of the authenticating subject. This PR ensures this is the case. --- docs/changelog/91173.yaml | 5 +++++ .../xpack/security/authc/pki/PkiRealm.java | 2 +- .../security/authc/pki/PkiRealmTests.java | 20 +++++++++++++++++++ 3 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 docs/changelog/91173.yaml diff --git a/docs/changelog/91173.yaml b/docs/changelog/91173.yaml new file mode 100644 index 0000000000000..8d86b125a3bdf --- /dev/null +++ b/docs/changelog/91173.yaml @@ -0,0 +1,5 @@ +pr: 91173 +summary: Ensure PKI's `delegated_by_realm` metadata respect run-as +area: Authentication +type: bug +issues: [] diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java index 92b2666dc51c4..83eb2bc05aa7a 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java @@ -214,7 +214,7 @@ private void buildUser(X509AuthenticationToken token, String principal, ActionLi "pki_delegated_by_user", token.getDelegateeAuthentication().getUser().principal(), "pki_delegated_by_realm", - token.getDelegateeAuthentication().getAuthenticatedBy().getName() + token.getDelegateeAuthentication().getEffectiveSubject().getRealm().getName() ); } else { metadata = Map.of("pki_dn", token.dn()); 
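Review bot: The two metadata values in the `Map.of(...)` are now derived through different accessors — `pki_delegated_by_user` still comes from `token.getDelegateeAuthentication().getUser().principal()` while `pki_delegated_by_realm` comes from `getEffectiveSubject().getRealm().getName()` — so a reader must already know that `getUser()` yields the run-as user (which the passing test suggests, but the code does not say) for the pair to describe one identity. Deriving both from the effective subject, `token.getDelegateeAuthentication().getEffectiveSubject().getUser().principal()`, makes the pairing explicit and mirrors what the new test asserts. A why-comment above the map would also help, e.g. `// The delegatee may be a run-as authentication: record the effective (run-as) subject so that user and realm describe the same identity; the original authenticating identity is deliberately not recorded here.` If any role-mapping or audit consumers key on `pki_delegated_by_realm`, a rule written against the previous (authenticating) realm name changes behaviour after this fix, which the changelog entry could call out. The enclosing `buildUser` method starts and ends outside this hunk.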
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java index 388e95987aec5..092ee92fc0ba5 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java @@ -414,6 +414,26 @@ public void testAuthenticationDelegationSuccess() throws Exception { assertThat(result.getValue().roles().length, is(0)); assertThat(result.getValue().metadata().get("pki_delegated_by_user"), is("mockup_delegate_username")); assertThat(result.getValue().metadata().get("pki_delegated_by_realm"), is("mockup_delegate_realm")); + + // Delegatee is run-as + final Authentication runAsAuthentication = AuthenticationTestHelper.builder().realm().build(true); + assertThat(runAsAuthentication.isRunAs(), is(true)); + delegatedToken = X509AuthenticationToken.delegated(new X509Certificate[] { certificate }, runAsAuthentication); + realmWithDelegation.expireAll(); // clear the cache so the user is built again + result = authenticate(delegatedToken, realmWithDelegation); + assertThat(result.getStatus(), equalTo(AuthenticationResult.Status.SUCCESS)); + assertThat(result.getValue(), is(notNullValue())); + assertThat(result.getValue().principal(), is("Elasticsearch Test Node")); + assertThat(result.getValue().roles(), is(notNullValue())); + assertThat(result.getValue().roles().length, is(0)); + assertThat( + result.getValue().metadata().get("pki_delegated_by_user"), + is(runAsAuthentication.getEffectiveSubject().getUser().principal()) + ); + assertThat( + result.getValue().metadata().get("pki_delegated_by_realm"), + is(runAsAuthentication.getEffectiveSubject().getRealm().getName()) + ); } public void testAuthenticationDelegationFailure() throws Exception {
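Review bot: The new run-as case only demonstrates the fix if the effective realm name actually differs from the authenticating one, and none of the added lines pins that down — `AuthenticationTestHelper.builder().realm().build(true)` chooses both realms, and should it ever yield the same name for both, the old `getAuthenticatedBy().getName()` implementation would satisfy these assertions too. Guard it right after the `isRunAs()` check with `assertThat(runAsAuthentication.getEffectiveSubject().getRealm().getName(), not(equalTo(runAsAuthentication.getAuthenticatedBy().getName())));`, or build the authentication with explicitly distinct realm names if the helper supports that. Whether the helper already guarantees distinct realms is not visible from this hunk. The enclosing `testAuthenticationDelegationSuccess` method begins outside this hunk.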