Switch Kerberos authentication provider to a dedicated _kerberos gr…

…ant. Introduce `Tokens` for common access/refresh token tasks. (#39366) (#40101)

* Switch Kerberos authentication provider to a dedicated `_kerberos` grant. Introduce `Tokens` for common access/refresh token tasks.

* Review#1: improve/fix code comments, properly log the case when token invalidation failed.

x-pack/legacy/plugins/security/server/lib/authentication/authenticator.ts

@@ -22,6 +22,7 @@ import { DeauthenticationResult } from './deauthentication_result';
 import { Session } from './session';
 import { LoginAttempt } from './login_attempt';
 import { AuthenticationProviderSpecificOptions } from './providers/base';
+import { Tokens } from './tokens';
 
 interface ProviderSession {
   provider: string;
@@ -56,15 +57,18 @@ function assertRequest(request: Legacy.Request) {
  */
 function getProviderOptions(server: Legacy.Server) {
   const config = server.config();
+  const client = getClient(server);
+  const log = server.log.bind(server);
 
   return {
-    client: getClient(server),
-    log: server.log.bind(server),
+    client,
+    log,
 
     protocol: server.info.protocol,
     hostname: config.get<string>('server.host'),
     port: config.get<number>('server.port'),
     basePath: config.get<string>('server.basePath'),
+    tokens: new Tokens({ client, log }),
 
     ...config.get('xpack.security.public'),
   };

x-pack/legacy/plugins/security/server/lib/authentication/providers/base.mock.ts

@@ -4,19 +4,24 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { stub } from 'sinon';
+import { stub, createStubInstance } from 'sinon';
+import { Tokens } from '../tokens';
 import { AuthenticationProviderOptions } from './base';
 
 export function mockAuthenticationProviderOptions(
-  providerOptions: Partial<AuthenticationProviderOptions> = {}
+  providerOptions: Partial<Pick<AuthenticationProviderOptions, 'basePath'>> = {}
 ) {
+  const client = { callWithRequest: stub(), callWithInternalUser: stub() };
+  const log = stub();
+
   return {
     hostname: 'test-hostname',
     port: 1234,
     protocol: 'test-protocol',
-    client: { callWithRequest: stub(), callWithInternalUser: stub() },
-    log: stub(),
+    client,
+    log,
     basePath: '/base-path',
+    tokens: createStubInstance(Tokens),
     ...providerOptions,
   };
 }

x-pack/legacy/plugins/security/server/lib/authentication/providers/base.ts

@@ -8,6 +8,7 @@ import { Legacy } from 'kibana';
 import { AuthenticationResult } from '../authentication_result';
 import { DeauthenticationResult } from '../deauthentication_result';
 import { LoginAttempt } from '../login_attempt';
+import { Tokens } from '../tokens';
 
 /**
  * Describes a request complemented with `loginAttempt` method.
@@ -26,6 +27,7 @@ export interface AuthenticationProviderOptions {
   basePath: string;
   client: Legacy.Plugins.elasticsearch.Cluster;
   log: (tags: string[], message: string) => void;
+  tokens: PublicMethodsOf<Tokens>;
 }
 
 /**

x-pack/legacy/plugins/security/server/lib/authentication/providers/basic.test.ts

@@ -24,7 +24,7 @@ describe('BasicAuthenticationProvider', () => {
     let callWithRequest: sinon.SinonStub;
     beforeEach(() => {
       const providerOptions = mockAuthenticationProviderOptions();
-      callWithRequest = providerOptions.client.callWithRequest as sinon.SinonStub;
+      callWithRequest = providerOptions.client.callWithRequest;
       provider = new BasicAuthenticationProvider(providerOptions);
     });