diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java index aefff7ba2afce..bead91fb89a07 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java @@ -222,14 +222,6 @@ public Version getVersion() { return effectiveSubject.getVersion(); } - /** - * Use {@code getAuthenticatingSubject().getMetadata()} instead. - */ - @Deprecated - public Map getMetadata() { - return authenticatingSubject.getMetadata(); - } - /** * Returns a new {@code Authentication}, like this one, but which is compatible with older version nodes. * This is commonly employed when the {@code Authentication} is serialized across cluster nodes with mixed versions. @@ -510,7 +502,7 @@ public void writeTo(StreamOutput out) throws IOException { out.writeBoolean(false); } out.writeVInt(type.ordinal()); - out.writeGenericMap(getMetadata()); + out.writeGenericMap(getAuthenticatingSubject().getMetadata()); } /** 
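Review bot: `writeTo` now serializes only the authenticating subject's metadata and nothing in the hunk says so; the Javadoc on the deleted `getMetadata()` was the last place that spelled out which subject's metadata goes on the wire. A one-line comment above the call, e.g. `// the legacy stream format carries the authenticating subject's metadata only`, would stop readers of the serialization code from assuming the effective (run-as) subject's metadata is covered — assuming `writeTo` does not write it elsewhere in its body, which starts before the hunk. The matching read side is not in this diff and should say the same thing.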
@@ -575,9 +567,9 @@ public void toXContentFragment(XContentBuilder builder) throws IOException {
 builder.field(User.Fields.FULL_NAME.getPreferredName(), user.fullName());
 builder.field(User.Fields.EMAIL.getPreferredName(), user.email());
 if (isServiceAccount()) {
- final String tokenName = (String) getMetadata().get(ServiceAccountSettings.TOKEN_NAME_FIELD);
+ final String tokenName = (String) getAuthenticatingSubject().getMetadata().get(ServiceAccountSettings.TOKEN_NAME_FIELD);
 assert tokenName != null : "token name cannot be null";
- final String tokenSource = (String) getMetadata().get(ServiceAccountSettings.TOKEN_SOURCE_FIELD);
+ final String tokenSource = (String) getAuthenticatingSubject().getMetadata().get(ServiceAccountSettings.TOKEN_SOURCE_FIELD);
 assert tokenSource != null : "token source cannot be null";
 builder.field(
 User.Fields.TOKEN.getPreferredName(),
@@ -612,8 +604,8 @@ public void toXContentFragment(XContentBuilder builder) throws IOException {
 builder.endObject();
 builder.field(User.Fields.AUTHENTICATION_TYPE.getPreferredName(), getAuthenticationType().name().toLowerCase(Locale.ROOT));
 if (isApiKey()) {
- final String apiKeyId = (String) getMetadata().get(AuthenticationField.API_KEY_ID_KEY);
- final String apiKeyName = (String) getMetadata().get(AuthenticationField.API_KEY_NAME_KEY);
+ final String apiKeyId = (String) getAuthenticatingSubject().getMetadata().get(AuthenticationField.API_KEY_ID_KEY);
+ final String apiKeyName = (String) getAuthenticatingSubject().getMetadata().get(AuthenticationField.API_KEY_NAME_KEY);
 if (apiKeyName == null) {
 builder.field("api_key", Map.of("id", apiKeyId));
 } else {
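Review bot: `getAuthenticatingSubject().getMetadata()` is now evaluated twice in the service-account branch here and twice again in the API-key branch of the second hunk (line 604); hoisting it once per branch, `final var metadata = getAuthenticatingSubject().getMetadata();` followed by `(String) metadata.get(...)`, keeps each field to a single lookup and reads better. The unchecked `(String)` casts predate this change, but a non-String value under one of these keys would now surface as a ClassCastException while rendering the response rather than as a missing field, which is worth a comment if that is the intended failure mode. `toXContentFragment` starts and ends outside both hunks.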
@@ -641,7 +633,8 @@ private void assertInternalConsistency() { } // Assert API key metadata - assert (false == isAuthenticatedAsApiKey()) || (this.getMetadata().get(AuthenticationField.API_KEY_ID_KEY) != null) + assert (false == isAuthenticatedAsApiKey()) + || (getAuthenticatingSubject().getMetadata().get(AuthenticationField.API_KEY_ID_KEY) != null) : "API KEY authentication requires metadata to contain API KEY id, and the value must be non-null."; // Assert domain assignment @@ -910,7 +903,7 @@ private static RealmRef maybeRewriteRealmRef(Version streamVersion, RealmRef rea @SuppressWarnings("unchecked") private static Map maybeRewriteMetadataForApiKeyRoleDescriptors(Version streamVersion, Authentication authentication) { - Map metadata = authentication.getMetadata(); + Map metadata = authentication.getAuthenticatingSubject().getMetadata(); // If authentication user is an API key or a token created by an API key, // regardless whether it has run-as, the metadata must contain API key role descriptors if (authentication.isAuthenticatedAsApiKey()) { diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageOwnApiKeyClusterPrivilege.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageOwnApiKeyClusterPrivilege.java index 42975182c4106..330365d76af41 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageOwnApiKeyClusterPrivilege.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageOwnApiKeyClusterPrivilege.java 
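Review bot: `maybeRewriteMetadataForApiKeyRoleDescriptors` now reads the authenticating subject's map directly, so whether the method may mutate that map in place or must return a fresh one is the contract worth stating here. The SecurityContextTests hunks in this diff `assertSame` the subject's map when no rewrite is needed and compare the original's entries against the rewritten ones afterwards, which reads as "return the same instance or a copy, never modify the subject's map". A Javadoc line such as `Returns the authenticating subject's metadata unchanged when no rewrite is needed, otherwise a rewritten copy; the subject's own map is never modified` would protect the shared Authentication from accidental in-place edits — confirm against the method body, which continues past the hunk.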
@@ -159,7 +159,9 @@ private static boolean checkIfUserIsOwnerOfApiKeys(
 private static boolean isCurrentAuthenticationUsingSameApiKeyIdFromRequest(Authentication authentication, String apiKeyId) {
 if (authentication.isApiKey()) {
 // API key id from authentication must match the id from request
- final String authenticatedApiKeyId = (String) authentication.getMetadata().get(AuthenticationField.API_KEY_ID_KEY);
+ final String authenticatedApiKeyId = (String) authentication.getAuthenticatingSubject()
+ .getMetadata()
+ .get(AuthenticationField.API_KEY_ID_KEY);
 if (Strings.hasText(apiKeyId)) {
 return apiKeyId.equals(authenticatedApiKeyId);
 }
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java
index 43b11630647f9..3070643518c4b 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java
@@ -459,7 +459,9 @@ private void assertCanAccessResources(Authentication authentication0, Authentica
 public void testToXContentWithApiKey() throws IOException {
 final String apiKeyId = randomAlphaOfLength(20);
 final Authentication authentication1 = randomApiKeyAuthentication(randomUser(), apiKeyId);
- final String apiKeyName = (String) authentication1.getMetadata().get(AuthenticationField.API_KEY_NAME_KEY);
+ final String apiKeyName = (String) authentication1.getAuthenticatingSubject()
+ .getMetadata()
+ .get(AuthenticationField.API_KEY_NAME_KEY);
 runWithAuthenticationToXContent(
 authentication1,
 m -> assertThat(
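Review bot: The ownership check in `isCurrentAuthenticationUsingSameApiKeyIdFromRequest` gates on `authentication.isApiKey()` but reads the key id from `getAuthenticatingSubject()`, and the hunk does not say why those two agree; elsewhere in this diff (AuthorizationDenialMessages, `assertInternalConsistency`) the authenticating-subject lookup is paired with `isAuthenticatedAsApiKey()` instead. If `isApiKey()` implies there is no run-as, a comment such as `// isApiKey() excludes run-as, so the authenticating subject is also the effective subject here` makes the authorization decision reviewable without opening Authentication; the same applies to the RBACEngine (`checkSameUserPermissions`) and ApiKeyBoolQueryBuilder hunks. Those sites also differ in null handling: ApiKeyBoolQueryBuilder asserts `apiKeyId != null` after the identical lookup, while this method and RBACEngine rely on `apiKeyId.equals(null)` being false, which fails closed but silently; adding the same assert keeps the three ownership checks consistent. The method's remaining branches are outside the hunk.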
@@ -474,10 +476,12 @@ public void testToXContentWithApiKey() throws IOException { public void testToXContentWithServiceAccount() throws IOException { final Authentication authentication1 = randomServiceAccountAuthentication(); - final String tokenName = (String) authentication1.getMetadata().get(ServiceAccountSettings.TOKEN_NAME_FIELD); + final String tokenName = (String) authentication1.getAuthenticatingSubject() + .getMetadata() + .get(ServiceAccountSettings.TOKEN_NAME_FIELD); final String tokenType = ServiceAccountSettings.REALM_TYPE + "_" - + authentication1.getMetadata().get(ServiceAccountSettings.TOKEN_SOURCE_FIELD); + + authentication1.getAuthenticatingSubject().getMetadata().get(ServiceAccountSettings.TOKEN_SOURCE_FIELD); runWithAuthenticationToXContent( authentication1, m -> assertThat(m, hasEntry("token", Map.of("name", tokenName, "type", tokenType))) diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java index 8b46e65ae097e..441d0afae04a1 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java 
@@ -1608,8 +1608,13 @@ LogEntryBuilder withAuthentication(Authentication authentication) {
 logEntry.with(PRINCIPAL_FIELD_NAME, authentication.getUser().principal());
 logEntry.with(AUTHENTICATION_TYPE_FIELD_NAME, authentication.getAuthenticationType().toString());
 if (authentication.isApiKey()) {
- logEntry.with(API_KEY_ID_FIELD_NAME, (String) authentication.getMetadata().get(AuthenticationField.API_KEY_ID_KEY));
- String apiKeyName = (String) authentication.getMetadata().get(AuthenticationField.API_KEY_NAME_KEY);
+ logEntry.with(
+ API_KEY_ID_FIELD_NAME,
+ (String) authentication.getAuthenticatingSubject().getMetadata().get(AuthenticationField.API_KEY_ID_KEY)
+ );
+ String apiKeyName = (String) authentication.getAuthenticatingSubject()
+ .getMetadata()
+ .get(AuthenticationField.API_KEY_NAME_KEY);
 if (apiKeyName != null) {
 logEntry.with(API_KEY_NAME_FIELD_NAME, apiKeyName);
 }
@@ -1644,10 +1649,15 @@ LogEntryBuilder withAuthentication(Authentication authentication) {
 }
 // TODO: service token info is logged in a separate authentication field (#84394)
 if (authentication.isAuthenticatedWithServiceAccount()) {
- logEntry.with(SERVICE_TOKEN_NAME_FIELD_NAME, (String) authentication.getMetadata().get(TOKEN_NAME_FIELD))
+ logEntry.with(
+ SERVICE_TOKEN_NAME_FIELD_NAME,
+ (String) authentication.getAuthenticatingSubject().getMetadata().get(TOKEN_NAME_FIELD)
+ )
 .with(
 SERVICE_TOKEN_TYPE_FIELD_NAME,
- ServiceAccountSettings.REALM_TYPE + "_" + authentication.getMetadata().get(TOKEN_SOURCE_FIELD)
+ ServiceAccountSettings.REALM_TYPE
+ + "_"
+ + authentication.getAuthenticatingSubject().getMetadata().get(TOKEN_SOURCE_FIELD)
 );
 }
 return this;
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationDenialMessages.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationDenialMessages.java
index e602e1ef4a77d..bfdd60125749a 100644
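Review bot: `authentication.getAuthenticatingSubject().getMetadata()` is repeated four times across the two hunks of `withAuthentication` (API key branch here, service-account branch at line 1649) and the formatter has split each call over three lines; a single `final var metadata = authentication.getAuthenticatingSubject().getMetadata();` at the top of the method (its body starts before the hunk) would collapse the added lines back to one-liners such as `logEntry.with(API_KEY_ID_FIELD_NAME, (String) metadata.get(AuthenticationField.API_KEY_ID_KEY));`. For the audit record itself, the API key id is written unconditionally inside `isApiKey()` while the name is null-checked; the `assertInternalConsistency` hunk in Authentication only guarantees a non-null id under `-ea`, and what `with` does with a null value is not visible here, so an explicit assert or null check on the id would mirror the other call sites in this diff.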
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationDenialMessages.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationDenialMessages.java
@@ -98,7 +98,9 @@ private static String authenticatedUserDescription(Authentication authentication
 + authentication.getAuthenticatingSubject().getUser().principal()
 + "]";
 if (authentication.isAuthenticatedAsApiKey()) {
- final String apiKeyId = (String) authentication.getMetadata().get(AuthenticationField.API_KEY_ID_KEY);
+ final String apiKeyId = (String) authentication.getAuthenticatingSubject()
+ .getMetadata()
+ .get(AuthenticationField.API_KEY_ID_KEY);
 assert apiKeyId != null : "api key id must be present in the metadata";
 userText = "API key id [" + apiKeyId + "] of " + userText;
 }
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/RBACEngine.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/RBACEngine.java
index af6f9961316a4..20099e585abbf 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/RBACEngine.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/RBACEngine.java
@@ -211,7 +211,9 @@ static boolean checkSameUserPermissions(String action, TransportRequest request,
 } else if (request instanceof GetApiKeyRequest getApiKeyRequest) {
 if (authentication.isApiKey()) {
 // if the authentication is an API key then the request must also contain same API key id
- String authenticatedApiKeyId = (String) authentication.getMetadata().get(AuthenticationField.API_KEY_ID_KEY);
+ String authenticatedApiKeyId = (String) authentication.getAuthenticatingSubject()
+ .getMetadata()
+ .get(AuthenticationField.API_KEY_ID_KEY);
 if (Strings.hasText(getApiKeyRequest.getApiKeyId())) {
 // An API key requires manage_api_key privilege or higher to view any limited-by role descriptors
 return getApiKeyRequest.getApiKeyId().equals(authenticatedApiKeyId) && false == getApiKeyRequest.withLimitedBy();
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/ingest/SetSecurityUserProcessor.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/ingest/SetSecurityUserProcessor.java
index d2195791db086..40b55626a1154 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/ingest/SetSecurityUserProcessor.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/ingest/SetSecurityUserProcessor.java
@@ -147,11 +147,17 @@ public IngestDocument execute(IngestDocument ingestDocument) throws Exception {
 final Map apiKeyField = existingApiKeyField instanceof Map
 ? (Map) existingApiKeyField
 : new HashMap<>();
- if (authentication.getMetadata().containsKey(AuthenticationField.API_KEY_NAME_KEY)) {
- apiKeyField.put("name", authentication.getMetadata().get(AuthenticationField.API_KEY_NAME_KEY));
+ if (authentication.getAuthenticatingSubject().getMetadata().containsKey(AuthenticationField.API_KEY_NAME_KEY)) {
+ apiKeyField.put(
+ "name",
+ authentication.getAuthenticatingSubject().getMetadata().get(AuthenticationField.API_KEY_NAME_KEY)
+ );
 }
- if (authentication.getMetadata().containsKey(AuthenticationField.API_KEY_ID_KEY)) {
- apiKeyField.put("id", authentication.getMetadata().get(AuthenticationField.API_KEY_ID_KEY));
+ if (authentication.getAuthenticatingSubject().getMetadata().containsKey(AuthenticationField.API_KEY_ID_KEY)) {
+ apiKeyField.put(
+ "id",
+ authentication.getAuthenticatingSubject().getMetadata().get(AuthenticationField.API_KEY_ID_KEY)
+ );
 }
 final Map apiKeyMetadata = ApiKeyService.getApiKeyMetadata(authentication);
 if (false == apiKeyMetadata.isEmpty()) {
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/ApiKeyBoolQueryBuilder.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/ApiKeyBoolQueryBuilder.java
index fe450f523e908..410cae32e2aff 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/ApiKeyBoolQueryBuilder.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/support/ApiKeyBoolQueryBuilder.java
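Review bot: Four separate `authentication.getAuthenticatingSubject().getMetadata()` chains in `execute` push each `put` onto three lines; hoisting the map into a local once keeps the two key copies to one line each and makes the containsKey/get pairing obvious. The local needs a name that does not collide with the existing `apiKeyMetadata` obtained from `ApiKeyService.getApiKeyMetadata` a few lines below. `execute` starts and ends outside the hunk.
```java
// … unchanged: apiKeyField initialisation …
final var authcMetadata = authentication.getAuthenticatingSubject().getMetadata();
if (authcMetadata.containsKey(AuthenticationField.API_KEY_NAME_KEY)) {
    apiKeyField.put("name", authcMetadata.get(AuthenticationField.API_KEY_NAME_KEY));
}
if (authcMetadata.containsKey(AuthenticationField.API_KEY_ID_KEY)) {
    apiKeyField.put("id", authcMetadata.get(AuthenticationField.API_KEY_ID_KEY));
}
// … unchanged: apiKeyMetadata handling …
```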
@@ -69,7 +69,9 @@ public static ApiKeyBoolQueryBuilder build(QueryBuilder queryBuilder, @Nullable if (authentication != null) { if (authentication.isApiKey()) { - final String apiKeyId = (String) authentication.getMetadata().get(AuthenticationField.API_KEY_ID_KEY); + final String apiKeyId = (String) authentication.getAuthenticatingSubject() + .getMetadata() + .get(AuthenticationField.API_KEY_ID_KEY); assert apiKeyId != null : "api key id must be present in the metadata"; finalQuery.filter(QueryBuilders.idsQuery().addIds(apiKeyId)); } else { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityContextTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityContextTests.java index 2dd6bbd0cbd34..25d27fd44d323 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityContextTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/SecurityContextTests.java 
@@ -194,18 +194,18 @@ public void testExecuteAfterRewritingAuthenticationWillConditionallyRewriteNewAp Authentication authentication = securityContext.getAuthentication(); assertEquals( Map.of("a role", Map.of("cluster", List.of("all"))), - authentication.getMetadata().get(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY) + authentication.getAuthenticatingSubject().getMetadata().get(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY) ); assertEquals( Map.of("limitedBy role", Map.of("cluster", List.of("all"))), - authentication.getMetadata().get(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY) + authentication.getAuthenticatingSubject().getMetadata().get(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY) ); }, Version.V_7_8_0); // If target is new node, no need to rewrite the new style API key metadata securityContext.executeAfterRewritingAuthentication(originalCtx -> { Authentication authentication = securityContext.getAuthentication(); - assertSame(original.getMetadata(), authentication.getMetadata()); + assertSame(original.getAuthenticatingSubject().getMetadata(), authentication.getAuthenticatingSubject().getMetadata()); }, VersionUtils.randomVersionBetween(random(), VERSION_API_KEY_ROLES_AS_BYTES, Version.CURRENT)); } 
@@ -213,15 +213,21 @@ public void testExecuteAfterRewritingAuthenticationWillConditionallyRewriteOldAp final Authentication original = AuthenticationTestHelper.builder().apiKey().version(Version.V_7_8_0).build(); // original authentication has the old style of role descriptor maps - assertThat(original.getMetadata().get(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY), instanceOf(Map.class)); - assertThat(original.getMetadata().get(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY), instanceOf(Map.class)); + assertThat( + original.getAuthenticatingSubject().getMetadata().get(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY), + instanceOf(Map.class) + ); + assertThat( + original.getAuthenticatingSubject().getMetadata().get(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY), + instanceOf(Map.class) + ); original.writeToContext(threadContext); // If target is old node, no need to rewrite old style API key metadata securityContext.executeAfterRewritingAuthentication(originalCtx -> { Authentication authentication = securityContext.getAuthentication(); - assertSame(original.getMetadata(), authentication.getMetadata()); + assertSame(original.getAuthenticatingSubject().getMetadata(), authentication.getAuthenticatingSubject().getMetadata()); }, Version.V_7_8_0); // If target is new node, ensure old map style API key metadata is rewritten to bytesreference 
@@ -229,11 +235,15 @@ public void testExecuteAfterRewritingAuthenticationWillConditionallyRewriteOldAp Authentication authentication = securityContext.getAuthentication(); List.of(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY, AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY) .forEach(key -> { - assertThat(authentication.getMetadata().get(key), instanceOf(BytesReference.class)); + assertThat(authentication.getAuthenticatingSubject().getMetadata().get(key), instanceOf(BytesReference.class)); assertThat( - XContentHelper.convertToMap((BytesReference) authentication.getMetadata().get(key), false, XContentType.JSON).v2(), - equalTo(original.getMetadata().get(key)) + XContentHelper.convertToMap( + (BytesReference) authentication.getAuthenticatingSubject().getMetadata().get(key), + false, + XContentType.JSON + ).v2(), + equalTo(original.getAuthenticatingSubject().getMetadata().get(key)) ); }); }, VersionUtils.randomVersionBetween(random(), VERSION_API_KEY_ROLES_AS_BYTES, Version.CURRENT)); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportAuthenticateActionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportAuthenticateActionTests.java index 6a4541f52ae90..924cce58d4879 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportAuthenticateActionTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/action/user/TransportAuthenticateActionTests.java 
@@ -156,7 +156,7 @@ public void onFailure(Exception e) {
 assertThat(auth.getLookedUpBy(), sameInstance(auth.getLookedUpBy()));
 assertThat(auth.getVersion(), sameInstance(auth.getVersion()));
 assertThat(auth.getAuthenticationType(), sameInstance(auth.getAuthenticationType()));
- assertThat(auth.getMetadata(), sameInstance(auth.getMetadata()));
+ assertThat(auth.getAuthenticatingSubject().getMetadata(), sameInstance(auth.getAuthenticatingSubject().getMetadata()));
 } else {
 assertThat(responseRef.get().authentication(), sameInstance(authentication));
 }
@@ -200,7 +200,7 @@ public void onFailure(Exception e) {
 assertThat(auth.getLookedUpBy(), sameInstance(auth.getLookedUpBy()));
 assertThat(auth.getVersion(), sameInstance(auth.getVersion()));
 assertThat(auth.getAuthenticationType(), sameInstance(auth.getAuthenticationType()));
- assertThat(auth.getMetadata(), sameInstance(auth.getMetadata()));
+ assertThat(auth.getAuthenticatingSubject().getMetadata(), sameInstance(auth.getAuthenticatingSubject().getMetadata()));
 } else {
 assertThat(responseRef.get().authentication(), sameInstance(authentication));
 }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailFilterTests.java
index 2362e29d0aa11..6be44638b4828 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailFilterTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailFilterTests.java
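Review bot: The rewritten assertion at line 159 (and its twin at line 203) compares `auth.getAuthenticatingSubject().getMetadata()` with itself, so `sameInstance` can never fail; the neighbouring `getLookedUpBy`/`getVersion`/`getAuthenticationType` assertions have the same shape, while the `else` branch compares against `authentication`, which suggests the intended operand is the original: `assertThat(auth.getAuthenticatingSubject().getMetadata(), sameInstance(authentication.getAuthenticatingSubject().getMetadata()));`. Since the commit already rewrites this line, fixing the right-hand side now would turn a tautology into a real check — confirm against the test setup, which is outside the hunk.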
@@ -1298,7 +1298,9 @@ public void testRealmsFilter() throws Exception { : createApiKeyAuthentication(apiKeyService, createAuthentication(user, authUser, filteredRealm)); auditTrail.accessGranted(randomAlphaOfLength(8), authentication, "_action", request, authzInfo(new String[] { "role1" })); if (authentication.getAuthenticationType() == Authentication.AuthenticationType.API_KEY - && false == authentication.getMetadata().containsKey(AuthenticationField.API_KEY_CREATOR_REALM_NAME)) { + && false == authentication.getAuthenticatingSubject() + .getMetadata() + .containsKey(AuthenticationField.API_KEY_CREATOR_REALM_NAME)) { if (filterMissingRealm) { assertThat("AccessGranted message: not filtered out by the missing realm filter", logOutput.size(), is(0)); } else { @@ -1315,7 +1317,9 @@ public void testRealmsFilter() throws Exception { : createApiKeyAuthentication(apiKeyService, createAuthentication(user, authUser, unfilteredRealm)); auditTrail.accessGranted(randomAlphaOfLength(8), authentication, "_action", request, authzInfo(new String[] { "role1" })); if (authentication.getAuthenticationType() == Authentication.AuthenticationType.API_KEY - && false == authentication.getMetadata().containsKey(AuthenticationField.API_KEY_CREATOR_REALM_NAME)) { + && false == authentication.getAuthenticatingSubject() + .getMetadata() + .containsKey(AuthenticationField.API_KEY_CREATOR_REALM_NAME)) { if (filterMissingRealm) { assertThat("AccessGranted message: not filtered out by the missing realm filter", logOutput.size(), is(0)); } else { 
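Review bot: The condition `authentication.getAuthenticationType() == Authentication.AuthenticationType.API_KEY && false == authentication.getAuthenticatingSubject().getMetadata().containsKey(AuthenticationField.API_KEY_CREATOR_REALM_NAME)` now spans four lines and is repeated verbatim in every hunk of `testRealmsFilter` (1298 and 1317 here, then 1358, 1377, 1397, 1416, 1457, 1476, 1514 and 1533); a private static helper on the test class would leave each `if` on one line and give the "missing creator realm" case a name. `testRealmsFilter` starts and ends outside the hunks.
```java
if (isApiKeyWithoutCreatorRealm(authentication)) {
// … unchanged: filterMissingRealm branches …

/** True for an API key authentication whose metadata lacks the creator realm name (the "missing realm" case the filter targets). */
private static boolean isApiKeyWithoutCreatorRealm(Authentication authentication) {
    return authentication.getAuthenticationType() == Authentication.AuthenticationType.API_KEY
        && false == authentication.getAuthenticatingSubject().getMetadata().containsKey(AuthenticationField.API_KEY_CREATOR_REALM_NAME);
}
```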
@@ -1354,7 +1358,9 @@ public void testRealmsFilter() throws Exception { : createApiKeyAuthentication(apiKeyService, createAuthentication(user, authUser, filteredRealm)); auditTrail.accessGranted(randomAlphaOfLength(8), authentication, "internal:_action", request, authzInfo(new String[] { "role1" })); if (authentication.getAuthenticationType() == Authentication.AuthenticationType.API_KEY - && false == authentication.getMetadata().containsKey(AuthenticationField.API_KEY_CREATOR_REALM_NAME)) { + && false == authentication.getAuthenticatingSubject() + .getMetadata() + .containsKey(AuthenticationField.API_KEY_CREATOR_REALM_NAME)) { if (filterMissingRealm) { assertThat("AccessGranted internal message: not filtered out by the missing realm filter", logOutput.size(), is(0)); } else { @@ -1371,7 +1377,9 @@ public void testRealmsFilter() throws Exception { : createApiKeyAuthentication(apiKeyService, createAuthentication(user, authUser, unfilteredRealm)); auditTrail.accessGranted(randomAlphaOfLength(8), authentication, "internal:_action", request, authzInfo(new String[] { "role1" })); if (authentication.getAuthenticationType() == Authentication.AuthenticationType.API_KEY - && false == authentication.getMetadata().containsKey(AuthenticationField.API_KEY_CREATOR_REALM_NAME)) { + && false == authentication.getAuthenticatingSubject() + .getMetadata() + .containsKey(AuthenticationField.API_KEY_CREATOR_REALM_NAME)) { if (filterMissingRealm) { assertThat("AccessGranted internal message: not filtered out by the missing realm filter", logOutput.size(), is(0)); } else { 
@@ -1389,7 +1397,9 @@ public void testRealmsFilter() throws Exception { : createApiKeyAuthentication(apiKeyService, createAuthentication(user, authUser, filteredRealm)); auditTrail.accessDenied(randomAlphaOfLength(8), authentication, "_action", request, authzInfo(new String[] { "role1" })); if (authentication.getAuthenticationType() == Authentication.AuthenticationType.API_KEY - && false == authentication.getMetadata().containsKey(AuthenticationField.API_KEY_CREATOR_REALM_NAME)) { + && false == authentication.getAuthenticatingSubject() + .getMetadata() + .containsKey(AuthenticationField.API_KEY_CREATOR_REALM_NAME)) { if (filterMissingRealm) { assertThat("AccessDenied message: not filtered out by the missing realm filter", logOutput.size(), is(0)); } else { @@ -1406,7 +1416,9 @@ public void testRealmsFilter() throws Exception { : createApiKeyAuthentication(apiKeyService, createAuthentication(user, authUser, unfilteredRealm)); auditTrail.accessDenied(randomAlphaOfLength(8), authentication, "_action", request, authzInfo(new String[] { "role1" })); if (authentication.getAuthenticationType() == Authentication.AuthenticationType.API_KEY - && false == authentication.getMetadata().containsKey(AuthenticationField.API_KEY_CREATOR_REALM_NAME)) { + && false == authentication.getAuthenticatingSubject() + .getMetadata() + .containsKey(AuthenticationField.API_KEY_CREATOR_REALM_NAME)) { if (filterMissingRealm) { assertThat("AccessDenied message: not filtered out by the missing realm filter", logOutput.size(), is(0)); } else { 
@@ -1445,7 +1457,9 @@ public void testRealmsFilter() throws Exception { : createApiKeyAuthentication(apiKeyService, createAuthentication(user, authUser, filteredRealm)); auditTrail.accessDenied(randomAlphaOfLength(8), authentication, "internal:_action", request, authzInfo(new String[] { "role1" })); if (authentication.getAuthenticationType() == Authentication.AuthenticationType.API_KEY - && false == authentication.getMetadata().containsKey(AuthenticationField.API_KEY_CREATOR_REALM_NAME)) { + && false == authentication.getAuthenticatingSubject() + .getMetadata() + .containsKey(AuthenticationField.API_KEY_CREATOR_REALM_NAME)) { if (filterMissingRealm) { assertThat("AccessDenied internal message: not filtered out by the missing realm filter", logOutput.size(), is(0)); } else { @@ -1462,7 +1476,9 @@ public void testRealmsFilter() throws Exception { : createApiKeyAuthentication(apiKeyService, createAuthentication(user, authUser, unfilteredRealm)); auditTrail.accessDenied(randomAlphaOfLength(8), authentication, "internal:_action", request, authzInfo(new String[] { "role1" })); if (authentication.getAuthenticationType() == Authentication.AuthenticationType.API_KEY - && false == authentication.getMetadata().containsKey(AuthenticationField.API_KEY_CREATOR_REALM_NAME)) { + && false == authentication.getAuthenticatingSubject() + .getMetadata() + .containsKey(AuthenticationField.API_KEY_CREATOR_REALM_NAME)) { if (filterMissingRealm) { assertThat("AccessDenied internal message: not filtered out by the missing realm filter", logOutput.size(), is(0)); } else { 
@@ -1498,7 +1514,9 @@ public void testRealmsFilter() throws Exception { : createApiKeyAuthentication(apiKeyService, createAuthentication(user, authUser, filteredRealm)); auditTrail.tamperedRequest(randomAlphaOfLength(8), authentication, "_action", request); if (authentication.getAuthenticationType() == Authentication.AuthenticationType.API_KEY - && false == authentication.getMetadata().containsKey(AuthenticationField.API_KEY_CREATOR_REALM_NAME)) { + && false == authentication.getAuthenticatingSubject() + .getMetadata() + .containsKey(AuthenticationField.API_KEY_CREATOR_REALM_NAME)) { if (filterMissingRealm) { assertThat("Tampered message: not filtered out by the missing realm filter", logOutput.size(), is(0)); } else { @@ -1515,7 +1533,9 @@ public void testRealmsFilter() throws Exception { : createApiKeyAuthentication(apiKeyService, createAuthentication(user, authUser, unfilteredRealm)); auditTrail.tamperedRequest(randomAlphaOfLength(8), authentication, "_action", request); if (authentication.getAuthenticationType() == Authentication.AuthenticationType.API_KEY - && false == authentication.getMetadata().containsKey(AuthenticationField.API_KEY_CREATOR_REALM_NAME)) { + && false == authentication.getAuthenticatingSubject() + .getMetadata() + .containsKey(AuthenticationField.API_KEY_CREATOR_REALM_NAME)) { if (filterMissingRealm) { assertThat("Tampered message: not filtered out by the missing realm filter", logOutput.size(), is(0)); } else { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java index 774c5defb4329..e3d7ae248286c 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java 
@@ -2100,10 +2100,15 @@ public void testAccessDenied() throws Exception { .put(LoggingAuditTrail.REQUEST_NAME_FIELD_NAME, request.getClass().getSimpleName()) .put(LoggingAuditTrail.REQUEST_ID_FIELD_NAME, requestId); if (authentication.isAuthenticatedWithServiceAccount()) { - checkedFields.put(LoggingAuditTrail.SERVICE_TOKEN_NAME_FIELD_NAME, (String) authentication.getMetadata().get(TOKEN_NAME_FIELD)) + checkedFields.put( + LoggingAuditTrail.SERVICE_TOKEN_NAME_FIELD_NAME, + (String) authentication.getAuthenticatingSubject().getMetadata().get(TOKEN_NAME_FIELD) + ) .put( LoggingAuditTrail.SERVICE_TOKEN_TYPE_FIELD_NAME, - ServiceAccountSettings.REALM_TYPE + "_" + authentication.getMetadata().get(TOKEN_SOURCE_FIELD) + ServiceAccountSettings.REALM_TYPE + + "_" + + authentication.getAuthenticatingSubject().getMetadata().get(TOKEN_SOURCE_FIELD) ); } checkedArrayFields.put(PRINCIPAL_ROLES_FIELD_NAME, (String[]) authorizationInfo.asMap().get(PRINCIPAL_ROLES_FIELD_NAME)); @@ -2875,13 +2880,15 @@ private static void authentication(Authentication authentication, MapBuilder roleFuture = new PlainActionFuture<>(); compositeRolesStore.getRole(authentication.getEffectiveSubject(), roleFuture); 
@@ -1614,23 +1614,23 @@ public void testApiKeyAuthUsesApiKeyServiceWithScopedRole() throws Exception { if (version == Version.CURRENT) { verify(apiKeyService).parseRoleDescriptorsBytes( apiKeyId, - (BytesReference) authentication.getMetadata().get(API_KEY_ROLE_DESCRIPTORS_KEY), + (BytesReference) authentication.getAuthenticatingSubject().getMetadata().get(API_KEY_ROLE_DESCRIPTORS_KEY), RoleReference.ApiKeyRoleType.ASSIGNED ); verify(apiKeyService).parseRoleDescriptorsBytes( apiKeyId, - (BytesReference) authentication.getMetadata().get(API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY), + (BytesReference) authentication.getAuthenticatingSubject().getMetadata().get(API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY), RoleReference.ApiKeyRoleType.LIMITED_BY ); } else { verify(apiKeyService).parseRoleDescriptors( apiKeyId, - (Map) authentication.getMetadata().get(API_KEY_ROLE_DESCRIPTORS_KEY), + (Map) authentication.getAuthenticatingSubject().getMetadata().get(API_KEY_ROLE_DESCRIPTORS_KEY), RoleReference.ApiKeyRoleType.ASSIGNED ); verify(apiKeyService).parseRoleDescriptors( apiKeyId, - (Map) authentication.getMetadata().get(API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY), + (Map) authentication.getAuthenticatingSubject().getMetadata().get(API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY), RoleReference.ApiKeyRoleType.LIMITED_BY ); }