diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java
index 85ce83baa373b..d643ea99ab638 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java
@@ -70,6 +70,22 @@
 * Authentication is serialized and travels across the cluster nodes as the sub-requests are handled,
 * and can also be cached by long-running jobs that continue to act on behalf of the user, beyond
 * the lifetime of the original request.
+ *
+ * The authentication consists of two {@link Subject}s
+ *
+ * If {@link #isRunAs()} is {@code false}, the two {@link Subject}s will be the same object.
+ *
+ * Authentication also has a {@link #type} that indicates which mechanism the {@link #authenticatingSubject}
+ * uses to perform the authentication.
+ *
+ * The Authentication's version is its {@link Subject}'s version, i.e. {@code getEffectiveSubject().getVersion()}.
+ * It is guaranteed that the versions are identical for the two Subjects. Hence {@code getAuthenticatingSubject().getVersion()}
+ * will give out the same result. But using {@code getEffectiveSubject()} is more idiomatic since most callers
+ * of this class should just need to know about the {@link #effectiveSubject}. That is, often times, the caller
+ * begins with {@code authentication.getEffectiveSubject()} for interrogating an Authentication object.
 */
 public final class Authentication implements ToXContentObject {

@@ -167,22 +183,8 @@ public boolean isRunAs() {
 return authenticatingSubject != effectiveSubject;
 }

- /**
- * Get the realm where the effective user comes from.
- * The effective user is the es-security-runas-user if present or the authenticated user.
- *
- * Use {@code getEffectiveSubject().getRealm()} instead.
- */
- @Deprecated
- public RealmRef getSourceRealm() {
- // TODO: This code retains the existing behaviour which is slightly wrong because
- // when run-as lookup fails, the effectiveSubject will have a null realm. In this
- // case, the code returns the authenticatingSubject's realm. This is wrong in theory
- // because it is not the intention of this method. In practice, it does not matter
- // because failed lookup will be rejected at authZ time. But fixing it causes test
- // failures. So leave it for now.
- final RealmRef sourceRealm = effectiveSubject.getRealm();
- return sourceRealm == null ? authenticatingSubject.getRealm() : sourceRealm;
+ public boolean isFailedRunAs() {
+ return isRunAs() && effectiveSubject.getRealm() == null;
 }

 /**
@@ -228,9 +230,6 @@ public Authentication maybeRewriteForOlderVersion(Version olderVersion) {
 );
 }

- if (isAssignedToDomain() && false == newAuthentication.isAssignedToDomain()) {
- logger.info("Rewriting authentication [" + this + "] without domain");
- }
 return newAuthentication;
 }

@@ -262,7 +261,6 @@ public Authentication runAs(User runAs, @Nullable RealmRef lookupRealmRef) {
 public Authentication token() {
 assert false == isServiceAccount();
 final Authentication newTokenAuthentication = new Authentication(effectiveSubject, authenticatingSubject, AuthenticationType.TOKEN);
- assert Objects.equals(getDomain(), newTokenAuthentication.getDomain());
 return newTokenAuthentication;
 }

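Review bot: The new public `isFailedRunAs()` in the first hunk has no Javadoc, although the `getSourceRealm()` it replaces was documented and every caller migrated in this commit now relies on the contract it encodes (an effective subject whose realm is `null` occurs only when the run-as lookup failed). Suggest `/** Returns {@code true} if this is a run-as authentication whose run-as user lookup failed; in that case the effective subject has no realm and {@code getEffectiveSubject().getRealm()} is {@code null}. */`. The deleted TODO also carried the rationale that such an authentication is rejected at authorization time; if that still holds, it is worth keeping one sentence of it here so readers know why callers may dereference the effective realm without a check.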
@@ -325,14 +323,15 @@ public Authentication maybeAddAnonymousRoles(@Nullable AnonymousUser anonymousUs
 }
 }

+ // Package private for tests
 /**
 * Returns {@code true} if the effective user belongs to a realm under a domain.
- * See also {@link #getDomain()} and {@link #getSourceRealm()}.
 */
- public boolean isAssignedToDomain() {
+ boolean isAssignedToDomain() {
 return getDomain() != null;
 }

+ // Package private for tests
 /**
 * Returns the {@link RealmDomain} that the effective user belongs to.
 * A user belongs to a realm which in turn belongs to a domain.
@@ -340,8 +339,12 @@ public boolean isAssignedToDomain() {
 * The same username can be authenticated by different realms (e.g. with different credential types),
 * but resources created across realms cannot be accessed unless the realms are also part of the same domain.
 */
- public @Nullable RealmDomain getDomain() {
- return getSourceRealm().getDomain();
+ @Nullable
+ RealmDomain getDomain() {
+ if (isFailedRunAs()) {
+ return null;
+ }
+ return getEffectiveSubject().getRealm().getDomain();
 }

 public boolean isAuthenticatedWithServiceAccount() {
@@ -861,6 +864,7 @@ public static Authentication newApiKeyAuthentication(AuthenticationResult

 private static RealmRef maybeRewriteRealmRef(Version streamVersion, RealmRef realmRef) {
 if (realmRef != null && realmRef.getDomain() != null && streamVersion.before(VERSION_REALM_DOMAINS)) {
+ logger.info("Rewriting realm [" + realmRef + "] without domain");
 // security domain erasure
 new RealmRef(realmRef.getName(), realmRef.getType(), realmRef.getNodeName(), null);
 }
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageOwnApiKeyClusterPrivilege.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageOwnApiKeyClusterPrivilege.java
index 9368666019d7d..14b563fcc4780 100644
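Review bot: In the maybeRewriteRealmRef hunk, the `new RealmRef(...)` statement right after the added log line is an expression statement whose result is discarded, so at this point nothing is rewritten; unless the method assigns or returns that object further down (its body continues outside the hunk), the new message `Rewriting realm [...] without domain` is logged for an erasure that never happens and the domain is still serialized to the older node. If that is the case the fix is `return new RealmRef(realmRef.getName(), realmRef.getType(), realmRef.getNodeName(), null);`. Separately, this branch runs for every realm ref of every authentication sent to a pre-VERSION_REALM_DOMAINS node during a rolling upgrade, so INFO is likely too chatty and `logger.debug` would be the better level.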
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageOwnApiKeyClusterPrivilege.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageOwnApiKeyClusterPrivilege.java
@@ -145,11 +145,11 @@ private static boolean checkIfUserIsOwnerOfApiKeys(
 if (false == username.equals(authentication.getEffectiveSubject().getUser().principal())) {
 return false;
 }
- RealmDomain domain = authentication.getSourceRealm().getDomain();
+ RealmDomain domain = authentication.getEffectiveSubject().getRealm().getDomain();
 if (domain != null) {
 return domain.realms().stream().anyMatch(realmIdentifier -> realmName.equals(realmIdentifier.getName()));
 } else {
- return realmName.equals(authentication.getSourceRealm().getName());
+ return realmName.equals(authentication.getEffectiveSubject().getRealm().getName());
 }
 }
 }
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTestHelper.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTestHelper.java
index abfb0e5e61903..7971b7cd30de8 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTestHelper.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTestHelper.java
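Review bot: `authentication.getEffectiveSubject().getRealm()` is `null` for a failed run-as (that is exactly the condition the new `Authentication.isFailedRunAs()` tests), so both replaced lines in checkIfUserIsOwnerOfApiKeys now throw NullPointerException where `getSourceRealm()` used to fall back to the authenticating realm. For a privilege check it is better to deny explicitly than to error out: add `if (authentication.isFailedRunAs()) { return false; }` before the `domain` assignment. The same unguarded `getEffectiveSubject().getRealm()` dereference is introduced in TokenService.createTokenDocument and IndexServiceAccountTokenStore.newDocument in this commit; if a failed run-as is guaranteed to be rejected at authorization before reaching those, an `assert false == authentication.isFailedRunAs();` there would document that assumption. checkIfUserIsOwnerOfApiKeys begins outside the hunk.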
@@ -377,7 +377,12 @@ public Authentication build() {
 return build(ESTestCase.randomBoolean());
 }

- public Authentication build(boolean runAsIfNotAlready) {
+ /**
+ * @param maybeRunAsIfNotAlready If the authentication is *not* run-as and the subject is a realm user, it will be transformed
+ * into a run-as authentication by moving the realm user to be the run-as user. The authenticating
+ * subject can be either a realm user or an API key (in general any subject type that can run-as).
+ */
+ public Authentication build(boolean maybeRunAsIfNotAlready) {
 if (authenticatingAuthentication != null) {
 if (user == null) {
 user = randomUser();
@@ -402,7 +407,7 @@ public Authentication build(boolean runAsIfNotAlready) {
 realmRef = randomRealmRef(isRealmUnderDomain == null ? ESTestCase.randomBoolean() : isRealmUnderDomain);
 }
 assert false == SYNTHETIC_REALM_TYPES.contains(realmRef.getType()) : "use dedicate methods for synthetic realms";
- if (runAsIfNotAlready) {
+ if (maybeRunAsIfNotAlready) {
 authentication = builder().runAs().user(user).realmRef(realmRef).build();
 } else {
 authentication = Authentication.newRealmAuthentication(user, realmRef);
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java
index 8f8f82fc84d03..7ddc0f91c8b8f 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java
@@ -40,28 +40,14 @@ public class AuthenticationTests extends ESTestCase {
- public void testWillGetLookedUpByWhenItExists() {
- final RealmRef authenticatedBy = new RealmRef("auth_by", "auth_by_type", "node");
- final RealmRef lookedUpBy = new RealmRef("lookup_by", "lookup_by_type", "node");
- final Authentication authentication = AuthenticationTestHelper.builder()
- .user(new User("not-user"))
- .realmRef(authenticatedBy)
- .runAs()
- .user(new User("user"))
- .realmRef(lookedUpBy)
- .build();
-
- assertEquals(lookedUpBy, authentication.getSourceRealm());
- }
-
- public void testWillGetAuthenticateByWhenLookupIsNull() {
- final RealmRef authenticatedBy = new RealmRef("auth_by", "auth_by_type", "node");
- final Authentication authentication = AuthenticationTestHelper.builder()
- .user(new User("user"))
- .realmRef(authenticatedBy)
- .build(false);
-
- assertEquals(authenticatedBy, authentication.getSourceRealm());
+ public void testIsFailedRunAs() {
+ final Authentication failedAuthentication = randomRealmAuthentication(randomBoolean()).runAs(randomUser(), null);
+ assertTrue(failedAuthentication.isRunAs());
+ assertTrue(failedAuthentication.isFailedRunAs());
+
+ final Authentication authentication = AuthenticationTestHelper.builder().realm().runAs().build();
+ assertTrue(authentication.isRunAs());
+ assertFalse(authentication.isFailedRunAs());
 }

 public void testCanAccessResourcesOf() {
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
index e18a8a6ea011c..4fda6d853229f 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
@@ -1748,7 +1748,11 @@ public static String getCreatorRealmName(final Authentication authentication) {
 } else {
 // TODO we should use the effective subject realm here but need to handle the failed lookup scenario, in which the realm may be
 // `null`. Since this method is used in audit logging, this requires some care.
- return authentication.getSourceRealm().getName();
+ if (authentication.isFailedRunAs()) {
+ return authentication.getAuthenticatingSubject().getRealm().getName();
+ } else {
+ return authentication.getEffectiveSubject().getRealm().getName();
+ }
 }
 }

@@ -1791,7 +1795,11 @@ public static String getCreatorRealmType(final Authentication authentication) {
 } else {
 // TODO we should use the effective subject realm here but need to handle the failed lookup scenario, in which the realm may be
 // `null`. Since this method is used in audit logging, this requires some care.
- return authentication.getSourceRealm().getType();
+ if (authentication.isFailedRunAs()) {
+ return authentication.getAuthenticatingSubject().getRealm().getType();
+ } else {
+ return authentication.getEffectiveSubject().getRealm().getType();
+ }
 }
 }

diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
index 993dd666702bf..2488c9b120344 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
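Review bot: The `// TODO we should use the effective subject realm here but need to handle the failed lookup scenario ...` comment kept above the new branch is now stale in both getCreatorRealmName and getCreatorRealmType, because the branch does precisely that. Replace it with a comment that states the chosen policy, e.g. `// On a failed run-as the effective subject has no realm; report the authenticating realm so the audit log still names one.` The two methods are now identical apart from `getName()` versus `getType()`, so a private `static RealmRef getCreatorRealm(Authentication)` helper holding the failed-run-as branch would keep that policy in one place and stop the two from drifting.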
@@ -1805,12 +1805,13 @@ static BytesReference createTokenDocument(
 }
 builder.endObject().endObject();
 }
+ final Authentication.RealmRef userTokenEffectiveRealm = userToken.getAuthentication().getEffectiveSubject().getRealm();
 builder.startObject("access_token")
 .field("invalidated", false)
 .field("user_token", userToken)
- .field("realm", userToken.getAuthentication().getSourceRealm().getName());
- if (userToken.getAuthentication().getSourceRealm().getDomain() != null) {
- builder.field("realm_domain", userToken.getAuthentication().getSourceRealm().getDomain());
+ .field("realm", userTokenEffectiveRealm.getName());
+ if (userTokenEffectiveRealm.getDomain() != null) {
+ builder.field("realm_domain", userTokenEffectiveRealm.getDomain());
 }
 builder.endObject().endObject();
 return BytesReference.bytes(builder);
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/IndexServiceAccountTokenStore.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/IndexServiceAccountTokenStore.java
index 134931160c2f8..36a0b7667a7a5 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/IndexServiceAccountTokenStore.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/service/IndexServiceAccountTokenStore.java
@@ -47,6 +47,7 @@
 import org.elasticsearch.xpack.core.security.action.service.TokenInfo;
 import org.elasticsearch.xpack.core.security.action.service.TokenInfo.TokenSource;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
+import org.elasticsearch.xpack.core.security.authc.Subject;
 import org.elasticsearch.xpack.core.security.authc.support.Hasher;
 import org.elasticsearch.xpack.security.authc.service.ServiceAccount.ServiceAccountId;
 import org.elasticsearch.xpack.security.authc.service.ServiceAccountToken.ServiceAccountTokenId;
@@ -269,15 +270,16 @@ private XContentBuilder newDocument(Authentication authentication, ServiceAccoun
 .field("creation_time", clock.instant().toEpochMilli())
 .field("enabled", true);
 {
+ final Subject effectiveSubject = authentication.getEffectiveSubject();
 builder.startObject("creator")
- .field("principal", authentication.getEffectiveSubject().getUser().principal())
- .field("full_name", authentication.getEffectiveSubject().getUser().fullName())
- .field("email", authentication.getEffectiveSubject().getUser().email())
- .field("metadata", authentication.getEffectiveSubject().getUser().metadata())
- .field("realm", authentication.getSourceRealm().getName())
- .field("realm_type", authentication.getSourceRealm().getType());
- if (authentication.getSourceRealm().getDomain() != null) {
- builder.field("realm_domain", authentication.getSourceRealm().getDomain());
+ .field("principal", effectiveSubject.getUser().principal())
+ .field("full_name", effectiveSubject.getUser().fullName())
+ .field("email", effectiveSubject.getUser().email())
+ .field("metadata", effectiveSubject.getUser().metadata())
+ .field("realm", effectiveSubject.getRealm().getName())
+ .field("realm_type", effectiveSubject.getRealm().getType());
+ if (effectiveSubject.getRealm().getDomain() != null) {
+ builder.field("realm_domain", effectiveSubject.getRealm().getDomain());
 }
 builder.endObject();
 }
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/operator/FileOperatorUsersStore.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/operator/FileOperatorUsersStore.java
index c65f75b1deb80..ee3496b91aff5 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/operator/FileOperatorUsersStore.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/operator/FileOperatorUsersStore.java
@@ -68,8 +68,11 @@ public boolean isOperatorUser(Authentication authentication) {
 // If not null, it will be compared exactly as well.
 // The special handling for realm name is because there can only be one file or native realm and it does
 // not matter what the name is.
+ final Authentication.RealmRef realm = authentication.getEffectiveSubject().getRealm();
+ if (realm == null) {
+ return false;
+ }
 return operatorUsersDescriptor.groups.stream().anyMatch(group -> {
- final Authentication.RealmRef realm = authentication.getSourceRealm();
 final boolean match = group.usernames.contains(authentication.getEffectiveSubject().getUser().principal())
 && group.authenticationType == authentication.getAuthenticationType()
 && realm.getType().equals(group.realmType)
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
index e458d4ef7666e..fcd6601360a96 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
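Review bot: The new `realm == null` guard in isOperatorUser needs a comment tying it to the run-as semantics it encodes, since nothing else in the method tells a reader that an effective subject can lack a realm or why that should fail closed: `// A run-as whose user lookup failed has no effective realm and is never an operator.` The `Authentication.isFailedRunAs()` accessor added in this same commit expresses that intent more directly than the raw null check, if using it is acceptable here. isOperatorUser starts outside the hunk.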
@@ -2019,7 +2019,7 @@ public void testAccessGrantedInternalSystemAction() throws Exception {
 .put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "access_granted")
 .put(LoggingAuditTrail.AUTHENTICATION_TYPE_FIELD_NAME, authentication.getAuthenticationType().toString())
 .put(LoggingAuditTrail.PRINCIPAL_FIELD_NAME, systemUser.principal())
- .put(LoggingAuditTrail.PRINCIPAL_REALM_FIELD_NAME, authentication.getSourceRealm().getName())
+ .put(LoggingAuditTrail.PRINCIPAL_REALM_FIELD_NAME, authentication.getEffectiveSubject().getRealm().getName())
 .put(LoggingAuditTrail.ACTION_FIELD_NAME, "internal:_action")
 .put(LoggingAuditTrail.REQUEST_NAME_FIELD_NAME, request.getClass().getSimpleName())
 .put(LoggingAuditTrail.REQUEST_ID_FIELD_NAME, requestId);
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java
index a9c7b14afa6e1..b7a1cfd05d5ae 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java
@@ -1512,8 +1512,8 @@ public void testGetCreatorRealm() {

 // Realm
 final Authentication authentication3 = AuthenticationTests.randomRealmAuthentication(randomBoolean());
- assertThat(ApiKeyService.getCreatorRealmName(authentication3), equalTo(authentication3.getSourceRealm().getName()));
- assertThat(ApiKeyService.getCreatorRealmType(authentication3), equalTo(authentication3.getSourceRealm().getType()));
+ assertThat(ApiKeyService.getCreatorRealmName(authentication3), equalTo(authentication3.getEffectiveSubject().getRealm().getName()));
+ assertThat(ApiKeyService.getCreatorRealmType(authentication3), equalTo(authentication3.getEffectiveSubject().getRealm().getType()));

 // Realm run-as
 final Authentication authentication4 = authentication3.runAs(AuthenticationTests.randomUser(), lookupRealmRef);
@@ -1526,8 +1526,19 @@ public void testGetCreatorRealm() {
 AuthenticationTests.randomAnonymousAuthentication(),
 AuthenticationTests.randomInternalAuthentication()
 );
- assertThat(ApiKeyService.getCreatorRealmName(authentication5), equalTo(authentication5.getSourceRealm().getName()));
- assertThat(ApiKeyService.getCreatorRealmType(authentication5), equalTo(authentication5.getSourceRealm().getType()));
+ assertThat(ApiKeyService.getCreatorRealmName(authentication5), equalTo(authentication5.getEffectiveSubject().getRealm().getName()));
+ assertThat(ApiKeyService.getCreatorRealmType(authentication5), equalTo(authentication5.getEffectiveSubject().getRealm().getType()));
+
+ // Failed run-as returns authenticating subject's realm
+ final Authentication authentication6 = authentication3.runAs(AuthenticationTests.randomUser(), null);
+ assertThat(
+ ApiKeyService.getCreatorRealmName(authentication6),
+ equalTo(authentication6.getAuthenticatingSubject().getRealm().getName())
+ );
+ assertThat(
+ ApiKeyService.getCreatorRealmType(authentication6),
+ equalTo(authentication6.getAuthenticatingSubject().getRealm().getType())
+ );
 }

 public void testGetOwnersRealmNames() {
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java
index fdc2a613c8ad9..ac604fb7a5ead 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/AuthenticationServiceTests.java
@@ -388,7 +388,7 @@ public void testTokenFirstMissingSecondFound() throws Exception {
 service.authenticate("action", transportRequest, true, ActionListener.wrap(authentication -> {
 assertThat(threadContext.getTransient(AuthenticationResult.THREAD_CONTEXT_KEY), is(authenticationResult));
 assertThat(threadContext.getTransient(AuthenticationField.AUTHENTICATION_KEY), is(authentication));
- assertThat(authentication.getDomain(), is(secondDomain));
+ assertThat(authentication.getEffectiveSubject().getRealm().getDomain(), is(secondDomain));
 verify(auditTrail).authenticationSuccess(anyString(), eq(authentication), eq("action"), eq(transportRequest));
 setCompletedToTrue(completed);
 }, this::logAndFail));
@@ -992,7 +992,7 @@ public void testAuthenticateTransportContextAndHeader() throws Exception {
 assertThat(authentication, notNullValue());
 assertThat(authentication.getEffectiveSubject().getUser(), sameInstance(user1));
 assertThat(authentication.getAuthenticationType(), is(AuthenticationType.REALM));
- assertThat(authentication.getDomain(), is(firstDomain));
+ assertThat(authentication.getEffectiveSubject().getRealm().getDomain(), is(firstDomain));
 assertThreadContextContainsAuthentication(authentication);
 authRef.set(authentication);
 authHeaderRef.set(threadContext.getHeader(AuthenticationField.AUTHENTICATION_KEY));
@@ -1270,7 +1270,7 @@ public void testAnonymousUserRest() throws Exception {
 assertThat(result, notNullValue());
 assertThat(result.v1().getEffectiveSubject().getUser(), sameInstance((Object) anonymousUser));
 assertThat(result.v1().getAuthenticationType(), is(AuthenticationType.ANONYMOUS));
- assertThat(result.v1().getDomain(), nullValue());
+ assertThat(result.v1().getEffectiveSubject().getRealm().getDomain(), nullValue());
 assertThreadContextContainsAuthentication(result.v1());
 assertThat(expectAuditRequestId(threadContext), is(result.v2()));
 verify(auditTrail).authenticationSuccess(result.v2(), result.v1(), request);
@@ -1345,7 +1345,7 @@ public void testAnonymousUserTransportNoDefaultUser() throws Exception {
 assertThat(expectAuditRequestId(threadContext), is(result.v2()));
 assertThat(result.v1().getEffectiveSubject().getUser(), sameInstance(anonymousUser));
 assertThat(result.v1().getAuthenticationType(), is(AuthenticationType.ANONYMOUS));
- assertThat(result.v1().getDomain(), nullValue());
+ assertThat(result.v1().getEffectiveSubject().getRealm().getDomain(), nullValue());
 assertThreadContextContainsAuthentication(result.v1());
 verify(operatorPrivilegesService).maybeMarkOperatorUser(eq(result.v1()), eq(threadContext));
 });
@@ -1382,7 +1382,7 @@ public void testAnonymousUserTransportWithDefaultUser() throws Exception {
 assertThat(expectAuditRequestId(threadContext), is(result.v2()));
 assertThat(result.v1().getEffectiveSubject().getUser(), sameInstance(SystemUser.INSTANCE));
 assertThat(result.v1().getAuthenticationType(), is(AuthenticationType.INTERNAL));
- assertThat(result.v1().getDomain(), nullValue());
+ assertThat(result.v1().getEffectiveSubject().getRealm().getDomain(), nullValue());
 assertThreadContextContainsAuthentication(result.v1());
 verify(operatorPrivilegesService).maybeMarkOperatorUser(eq(result.v1()), eq(threadContext));
 });
@@ -2133,7 +2133,7 @@ public void testApiKeyAuth() {
 assertThat(result.v1().getEffectiveSubject().getUser().fullName(), is("john doe"));
 assertThat(result.v1().getEffectiveSubject().getUser().email(), is("john@doe.com"));
 assertThat(result.v1().getAuthenticationType(), is(AuthenticationType.API_KEY));
- assertThat(result.v1().getDomain(), nullValue());
+ assertThat(result.v1().getEffectiveSubject().getRealm().getDomain(), nullValue());
 verify(operatorPrivilegesService).maybeMarkOperatorUser(eq(result.v1()), eq(threadContext));
 });
 }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/IndexServiceAccountTokenStoreTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/IndexServiceAccountTokenStoreTests.java
index cb4279f15316d..f536a696a8e23 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/IndexServiceAccountTokenStoreTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/IndexServiceAccountTokenStoreTests.java
@@ -218,8 +218,8 @@ public void testCreateToken() throws ExecutionException, InterruptedException {
 assertThat(creatorMap.get("full_name"), equalTo(authentication.getEffectiveSubject().getUser().fullName()));
 assertThat(creatorMap.get("email"), equalTo(authentication.getEffectiveSubject().getUser().email()));
 assertThat(creatorMap.get("metadata"), equalTo(authentication.getEffectiveSubject().getUser().metadata()));
- assertThat(creatorMap.get("realm"), equalTo(authentication.getSourceRealm().getName()));
- assertThat(creatorMap.get("realm_type"), equalTo(authentication.getSourceRealm().getType()));
+ assertThat(creatorMap.get("realm"), equalTo(authentication.getEffectiveSubject().getRealm().getName()));
+ assertThat(creatorMap.get("realm_type"), equalTo(authentication.getEffectiveSubject().getRealm().getType()));

 final CreateServiceAccountTokenResponse createServiceAccountTokenResponse1 = future1.get();
 assertNotNull(createServiceAccountTokenResponse1);
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/ApiKeyBoolQueryBuilderTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/ApiKeyBoolQueryBuilderTests.java
index 73393beaae50b..d7f994d7499fe 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/ApiKeyBoolQueryBuilderTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/support/ApiKeyBoolQueryBuilderTests.java
@@ -73,10 +73,15 @@ public void testQueryForDomainAuthentication() {
 apiKeysQuery.filter().get(1),
 is(QueryBuilders.termQuery("creator.principal", authentication.getEffectiveSubject().getUser().principal()))
 );
- if (authentication.getDomain().realms().size() == 1) {
+ if (authentication.getEffectiveSubject().getRealm().getDomain().realms().size() == 1) {
 assertThat(
 apiKeysQuery.filter().get(2),
- is(QueryBuilders.termQuery("creator.realm", authentication.getDomain().realms().stream().findFirst().get().getName()))
+ is(
+ QueryBuilders.termQuery(
+ "creator.realm",
+ authentication.getEffectiveSubject().getRealm().getDomain().realms().stream().findFirst().get().getName()
+ )
+ )
 );
 } else {
 assertThat(apiKeysQuery.filter().get(2), instanceOf(BoolQueryBuilder.class));
@@ -84,7 +89,7 @@ public void testQueryForDomainAuthentication() {
 assertThat(((BoolQueryBuilder) apiKeysQuery.filter().get(2)).mustNot().size(), is(0));
 assertThat(((BoolQueryBuilder) apiKeysQuery.filter().get(2)).filter().size(), is(0));
 assertThat(((BoolQueryBuilder) apiKeysQuery.filter().get(2)).minimumShouldMatch(), is("1"));
- for (RealmConfig.RealmIdentifier realmIdentifier : authentication.getDomain().realms()) {
+ for (RealmConfig.RealmIdentifier realmIdentifier : authentication.getEffectiveSubject().getRealm().getDomain().realms()) {
 assertThat(
 ((BoolQueryBuilder) apiKeysQuery.filter().get(2)).should(),
 hasItem(QueryBuilders.termQuery("creator.realm", realmIdentifier.getName()))