From 49852ba1aac8a2044789608797c80fc2188a7aa8 Mon Sep 17 00:00:00 2001
From: Yang Wang
Date: Fri, 28 Oct 2022 16:17:22 +1100
Subject: [PATCH 1/2] Ensure PKI's delegated_by_realm metadata respect run-as

When delegated PKI authentication is used, the delegatee's realm name is added as a metadata field. This realm name should be the effective subject's realm instead of that of the authenticating subject. This PR ensures this is the case.
---
 .../xpack/security/authc/pki/PkiRealm.java | 3 +--
 .../security/authc/pki/PkiRealmTests.java | 20 +++++++++++++++++++
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java
index 141395f5a2524..93d70d831fa7b 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java
@@ -214,8 +214,7 @@ private void buildUser(X509AuthenticationToken token, String principal, ActionLi
 "pki_delegated_by_user",
 token.getDelegateeAuthentication().getEffectiveSubject().getUser().principal(),
 "pki_delegated_by_realm",
- // TODO: this should be the realm of effective subject
- token.getDelegateeAuthentication().getAuthenticatingSubject().getRealm().getName()
+ token.getDelegateeAuthentication().getEffectiveSubject().getRealm().getName()
 );
 } else {
 metadata = Map.of("pki_dn", token.dn());
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java
index 388e95987aec5..092ee92fc0ba5 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java
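Review bot: The added line records only the effective (run-as) subject's realm, and with the TODO removed there is no comment saying this is deliberate; a one-line comment such as `// use the effective subject so that run-as delegations record the impersonated user's realm, consistent with pki_delegated_by_user above` would keep a later reader from "fixing" it back. Note that after this change the authenticating subject that performed the run-as no longer appears anywhere in the PKI metadata map, so if operators rely on this map for attribution of delegated requests, a separate field for the authenticating subject (or a pointer to wherever that chain is otherwise recorded) may be worth considering. buildUser starts and ends outside the hunk.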
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java
@@ -414,6 +414,26 @@ public void testAuthenticationDelegationSuccess() throws Exception {
 assertThat(result.getValue().roles().length, is(0));
 assertThat(result.getValue().metadata().get("pki_delegated_by_user"), is("mockup_delegate_username"));
 assertThat(result.getValue().metadata().get("pki_delegated_by_realm"), is("mockup_delegate_realm"));
+
+ // Delegatee is run-as
+ final Authentication runAsAuthentication = AuthenticationTestHelper.builder().realm().build(true);
+ assertThat(runAsAuthentication.isRunAs(), is(true));
+ delegatedToken = X509AuthenticationToken.delegated(new X509Certificate[] { certificate }, runAsAuthentication);
+ realmWithDelegation.expireAll(); // clear the cache so the user is built again
+ result = authenticate(delegatedToken, realmWithDelegation);
+ assertThat(result.getStatus(), equalTo(AuthenticationResult.Status.SUCCESS));
+ assertThat(result.getValue(), is(notNullValue()));
+ assertThat(result.getValue().principal(), is("Elasticsearch Test Node"));
+ assertThat(result.getValue().roles(), is(notNullValue()));
+ assertThat(result.getValue().roles().length, is(0));
+ assertThat(
+ result.getValue().metadata().get("pki_delegated_by_user"),
+ is(runAsAuthentication.getEffectiveSubject().getUser().principal())
+ );
+ assertThat(
+ result.getValue().metadata().get("pki_delegated_by_realm"),
+ is(runAsAuthentication.getEffectiveSubject().getRealm().getName())
+ );
 }
 
 public void testAuthenticationDelegationFailure() throws Exception {

From c483690f217598408413cc127ec3a84d9fb2cdd1 Mon Sep 17 00:00:00 2001
From: Yang Wang
Date: Fri, 28 Oct 2022 16:21:38 +1100
Subject: [PATCH 2/2] Update docs/changelog/91173.yaml

---
 docs/changelog/91173.yaml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 docs/changelog/91173.yaml
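Review bot: The final `pki_delegated_by_realm` assertion in the run-as section can only catch a regression to the authenticating subject's realm if the two realms actually differ, and nothing in the hunk establishes that `AuthenticationTestHelper.builder().realm().build(true)` guarantees distinct realms for the authenticating and effective subjects. Adding an explicit precondition right after the `isRunAs()` check, e.g. `assertThat(runAsAuthentication.getEffectiveSubject().getRealm().getName(), not(equalTo(runAsAuthentication.getAuthenticatingSubject().getRealm().getName())));`, makes the test fail on the old behaviour instead of passing by coincidence. The same precondition could be stated for the user principal so the `pki_delegated_by_user` check is equally discriminating. The enclosing testAuthenticationDelegationSuccess starts outside the hunk, and testAuthenticationDelegationFailure continues past it.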
diff --git a/docs/changelog/91173.yaml b/docs/changelog/91173.yaml
new file mode 100644
index 0000000000000..8d86b125a3bdf
--- /dev/null
+++ b/docs/changelog/91173.yaml
@@ -0,0 +1,5 @@
+pr: 91173
+summary: Ensure PKI's `delegated_by_realm` metadata respect run-as
+area: Authentication
+type: bug
+issues: []