Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove deprecated Authentication#getUser #91069

Merged
merged 3 commits into from
Oct 25, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ private void hasCancelTaskPrivilegeAsync(Consumer<Boolean> consumer) {
final Authentication current = store.getSecurityContext().getAuthentication();
if (current != null) {
HasPrivilegesRequest req = new HasPrivilegesRequest();
req.username(current.getUser().principal());
req.username(current.getEffectiveSubject().getUser().principal());
req.clusterPrivileges(ClusterPrivilegeResolver.CANCEL_TASK.name());
req.indexPrivileges(new RoleDescriptor.IndicesPrivileges[] {});
req.applicationPrivileges(new RoleDescriptor.ApplicationResourcePrivileges[] {});
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ public User requireUser() {
@Nullable
public User getUser() {
Authentication authentication = getAuthentication();
return authentication == null ? null : authentication.getUser();
return authentication == null ? null : authentication.getEffectiveSubject().getUser();
}

/** Returns the authentication information, or null if the current request has no authentication info. */
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ public OpenIdConnectAuthenticateResponse(
String refreshTokenString,
TimeValue expiresIn
) {
this.principal = authentication.getUser().principal();
this.principal = authentication.getEffectiveSubject().getUser().principal();
;
this.accessTokenString = accessTokenString;
this.refreshTokenString = refreshTokenString;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ public SamlAuthenticateResponse(StreamInput in) throws IOException {
}

public SamlAuthenticateResponse(Authentication authentication, String tokenString, String refreshToken, TimeValue expiresIn) {
this.principal = authentication.getUser().principal();
this.principal = authentication.getEffectiveSubject().getUser().principal();
this.realm = authentication.getAuthenticatedBy().getName();
this.tokenString = tokenString;
this.refreshToken = refreshToken;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -167,14 +167,6 @@ public boolean isRunAs() {
return authenticatingSubject != effectiveSubject;
}

/**
* Use {@code getEffectiveSubject().getUser()} instead.
*/
@Deprecated
public User getUser() {
return effectiveSubject.getUser();
}

/**
* Use {@code getAuthenticatingSubject().getRealm()} instead.
*/
Expand Down Expand Up @@ -321,8 +313,8 @@ public Authentication token() {
public Authentication maybeAddAnonymousRoles(@Nullable AnonymousUser anonymousUser) {
final boolean shouldAddAnonymousRoleNames = anonymousUser != null
&& anonymousUser.enabled()
&& false == anonymousUser.equals(getUser())
&& false == User.isInternal(getUser())
&& false == anonymousUser.equals(getEffectiveSubject().getUser())
&& false == User.isInternal(getEffectiveSubject().getUser())
&& false == isApiKey()
&& false == isServiceAccount();

Expand All @@ -334,7 +326,7 @@ public Authentication maybeAddAnonymousRoles(@Nullable AnonymousUser anonymousUs
if (anonymousUser.roles().length == 0) {
throw new IllegalStateException("anonymous is only enabled when the anonymous user has roles");
}
final String[] allRoleNames = ArrayUtils.concat(getUser().roles(), anonymousUser.roles());
final String[] allRoleNames = ArrayUtils.concat(getEffectiveSubject().getUser().roles(), anonymousUser.roles());

if (isRunAs()) {
final User user = effectiveSubject.getUser();
Expand Down Expand Up @@ -433,7 +425,7 @@ public boolean supportsRunAs(@Nullable AnonymousUser anonymousUser) {

// There is no reason for internal users to run-as. This check prevents either internal user itself
// or a token created for it (though no such thing in current code) to run-as.
if (User.isInternal(getUser())) {
if (User.isInternal(getEffectiveSubject().getUser())) {
return false;
}

Expand All @@ -449,7 +441,7 @@ public boolean supportsRunAs(@Nullable AnonymousUser anonymousUser) {
// Also, if anonymous access is disabled or anonymous username, roles are changed after the token is created.
// Should we still consider the token being created by an anonymous user which is now different from the new
// anonymous user?
if (getUser().equals(anonymousUser)) {
if (getEffectiveSubject().getUser().equals(anonymousUser)) {
assert ANONYMOUS_REALM_TYPE.equals(getAuthenticatingSubject().getRealm().getType())
&& ANONYMOUS_REALM_NAME.equals(getAuthenticatingSubject().getRealm().getName());
return false;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ public Authentication getAuthentication() {
}

public User getUser() {
return authentication.getUser();
return authentication.getEffectiveSubject().getUser();
}

public <T> T execute(Function<ThreadContext.StoredContext, T> body) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -142,7 +142,7 @@ private static boolean checkIfUserIsOwnerOfApiKeys(
} else if (ownedByAuthenticatedUser) {
return true;
} else if (Strings.hasText(username) && Strings.hasText(realmName)) {
if (false == username.equals(authentication.getUser().principal())) {
if (false == username.equals(authentication.getEffectiveSubject().getUser().principal())) {
return false;
}
RealmDomain domain = authentication.getSourceRealm().getDomain();
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -270,7 +270,7 @@ public static String getUsernameFromWatch(Watch watch) throws IOException {
String header = watch.status().getHeaders().get(AuthenticationField.AUTHENTICATION_KEY);
if (header != null) {
Authentication auth = AuthenticationContextSerializer.decode(header);
return auth.getUser().principal();
return auth.getEffectiveSubject().getUser().principal();
}
}
return null;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -455,14 +455,14 @@ public void testGetPersistableSafeSecurityHeaders() throws IOException {
headers2.get(AuthenticationField.AUTHENTICATION_KEY)
);
assertThat(rewrittenAuth.getEffectiveSubject().getVersion(), equalTo(previousVersion));
assertThat(rewrittenAuth.getUser(), equalTo(authentication.getUser()));
assertThat(rewrittenAuth.getEffectiveSubject().getUser(), equalTo(authentication.getEffectiveSubject().getUser()));
}
if (hasSecondaryAuthHeader) {
final Authentication rewrittenSecondaryAuth = AuthenticationContextSerializer.decode(
headers2.get(SecondaryAuthentication.THREAD_CTX_KEY)
);
assertThat(rewrittenSecondaryAuth.getEffectiveSubject().getVersion(), equalTo(previousVersion));
assertThat(rewrittenSecondaryAuth.getUser(), equalTo(authentication.getUser()));
assertThat(rewrittenSecondaryAuth.getEffectiveSubject().getUser(), equalTo(authentication.getEffectiveSubject().getUser()));
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -209,7 +209,7 @@ private static User stripRoles(User user) {
}

public static String randomInternalUsername() {
return builder().internal().build(false).getUser().principal();
return builder().internal().build(false).getEffectiveSubject().getUser().principal();
}

/**
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -146,8 +146,8 @@ public void testClusterStarted() {
final AuthenticateResponse authenticate = client().execute(AuthenticateAction.INSTANCE, AuthenticateRequest.INSTANCE)
.actionGet(10, TimeUnit.SECONDS);
assertThat(authenticate.authentication(), notNullValue());
assertThat(authenticate.authentication().getUser(), notNullValue());
assertThat(authenticate.authentication().getUser().enabled(), is(true));
assertThat(authenticate.authentication().getEffectiveSubject().getUser(), notNullValue());
assertThat(authenticate.authentication().getEffectiveSubject().getUser().enabled(), is(true));
}

}
Original file line number Diff line number Diff line change
Expand Up @@ -744,7 +744,7 @@ public void testOperationsOnReservedUsers() throws Exception {
AuthenticateResponse authenticateResponse = client().filterWithHeader(
Collections.singletonMap("Authorization", basicAuthHeaderValue(username, getReservedPassword()))
).execute(AuthenticateAction.INSTANCE, AuthenticateRequest.INSTANCE).get();
assertThat(authenticateResponse.authentication().getUser().principal(), is(username));
assertThat(authenticateResponse.authentication().getEffectiveSubject().getUser().principal(), is(username));
assertThat(authenticateResponse.authentication().getAuthenticatedBy().getName(), equalTo("reserved"));
assertThat(authenticateResponse.authentication().getAuthenticatedBy().getType(), equalTo("reserved"));
assertNull(authenticateResponse.authentication().getLookedUpBy());
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -165,7 +165,10 @@ public void testValidateSearchContext() throws Exception {
threadContext.putTransient(ORIGINATING_ACTION_KEY, "action");
threadContext.putTransient(
AUTHORIZATION_INFO_KEY,
(AuthorizationInfo) () -> Collections.singletonMap(PRINCIPAL_ROLES_FIELD_NAME, authentication.getUser().roles())
(AuthorizationInfo) () -> Collections.singletonMap(
PRINCIPAL_ROLES_FIELD_NAME,
authentication.getEffectiveSubject().getUser().roles()
)
);
final InternalScrollSearchRequest request = new InternalScrollSearchRequest();
SearchContextMissingException expected = expectThrows(
Expand All @@ -179,7 +182,7 @@ public void testValidateSearchContext() throws Exception {
eq(authentication),
eq("action"),
eq(request),
authzInfoRoles(authentication.getUser().roles())
authzInfoRoles(authentication.getEffectiveSubject().getUser().roles())
);
}

Expand Down Expand Up @@ -216,7 +219,10 @@ public void testValidateSearchContext() throws Exception {
threadContext.putTransient(ORIGINATING_ACTION_KEY, "action");
threadContext.putTransient(
AUTHORIZATION_INFO_KEY,
(AuthorizationInfo) () -> Collections.singletonMap(PRINCIPAL_ROLES_FIELD_NAME, authentication.getUser().roles())
(AuthorizationInfo) () -> Collections.singletonMap(
PRINCIPAL_ROLES_FIELD_NAME,
authentication.getEffectiveSubject().getUser().roles()
)
);
final InternalScrollSearchRequest request = new InternalScrollSearchRequest();
SearchContextMissingException expected = expectThrows(
Expand All @@ -230,7 +236,7 @@ public void testValidateSearchContext() throws Exception {
eq(authentication),
eq("action"),
eq(request),
authzInfoRoles(authentication.getUser().roles())
authzInfoRoles(authentication.getEffectiveSubject().getUser().roles())
);
}
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -101,7 +101,7 @@ public void testKibanaEnrollmentTokenCreation() throws Exception {
);
final AuthenticateResponse authenticateResponse1 = apiKeyClient.execute(AuthenticateAction.INSTANCE, AuthenticateRequest.INSTANCE)
.actionGet();
assertThat(authenticateResponse1.authentication().getUser().principal(), equalTo("_xpack_security"));
assertThat(authenticateResponse1.authentication().getEffectiveSubject().getUser().principal(), equalTo("_xpack_security"));

final KibanaEnrollmentResponse kibanaEnrollmentResponse = apiKeyClient.execute(
KibanaEnrollmentAction.INSTANCE,
Expand All @@ -115,6 +115,6 @@ public void testKibanaEnrollmentTokenCreation() throws Exception {

final AuthenticateResponse authenticateResponse2 = kibanaClient.execute(AuthenticateAction.INSTANCE, AuthenticateRequest.INSTANCE)
.actionGet();
assertThat(authenticateResponse2.authentication().getUser().principal(), equalTo("elastic/kibana"));
assertThat(authenticateResponse2.authentication().getEffectiveSubject().getUser().principal(), equalTo("elastic/kibana"));
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ protected void doExecute(Task task, GetApiKeyRequest request, ActionListener<Get
assert username == null;
assert realms == null;
// restrict username and realm to current authenticated user.
username = authentication.getUser().principal();
username = authentication.getEffectiveSubject().getUser().principal();
realms = ApiKeyService.getOwnersRealmNames(authentication);
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ protected void doExecute(Task task, InvalidateApiKeyRequest request, ActionListe
assert username == null;
assert realms == null;
// restrict username and realm to current authenticated user.
username = authentication.getUser().principal();
username = authentication.getEffectiveSubject().getUser().principal();
realms = ApiKeyService.getOwnersRealmNames(authentication);
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@ protected void doExecute(Task task, OpenIdConnectLogoutRequest request, ActionLi
if (logger.isTraceEnabled()) {
logger.trace(
"OpenID Connect Logout for user [{}] and token [{}...{}]",
authentication.getUser().principal(),
authentication.getEffectiveSubject().getUser().principal(),
token.substring(0, 8),
token.substring(token.length() - 8)
);
Expand Down Expand Up @@ -103,7 +103,7 @@ private void validateAuthenticationAndMetadata(Authentication authentication, Ma
if (authentication == null) {
throw new ElasticsearchSecurityException("No active authentication");
}
final User user = authentication.getUser();
final User user = authentication.getEffectiveSubject().getUser();
if (user == null) {
throw new ElasticsearchSecurityException("No active user");
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,7 @@ protected void doExecute(Task task, SamlLogoutRequest request, ActionListener<Sa
if (logger.isTraceEnabled()) {
logger.trace(
"SAML Logout User [{}], Token [{}...{}]",
authentication.getUser().principal(),
authentication.getEffectiveSubject().getUser().principal(),
token.substring(0, 8),
token.substring(token.length() - 8)
);
Expand All @@ -91,7 +91,7 @@ private SamlLogoutResponse buildResponse(Authentication authentication, Map<Stri
if (authentication == null) {
throw SamlUtils.samlException("No active authentication");
}
final User user = authentication.getUser();
final User user = authentication.getEffectiveSubject().getUser();
if (user == null) {
throw SamlUtils.samlException("No active user");
}
Expand Down
Loading