User Profile - Use only realmType for file and native realms (#84205)

ywangd · web-flow · commit 883b3129f343 · 2022-02-24T11:29:43.000+11:00
When locating existing profile document for the given authentication, use only realm type to search for file and native realms. This is because there can only ever be a single file or native realm and it does not matter what name it takes. Relates: #83570
diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/profile/ProfileDomainSingleNodeTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/profile/ProfileDomainSingleNodeTests.java
@@ -20,6 +20,8 @@
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
 import org.elasticsearch.xpack.core.security.authc.RealmDomain;
 import org.elasticsearch.xpack.core.security.authc.Subject;
+import org.elasticsearch.xpack.core.security.authc.esnative.NativeRealmSettings;
+import org.elasticsearch.xpack.core.security.authc.file.FileRealmSettings;
 import org.elasticsearch.xpack.core.security.user.User;
 
 import java.time.Instant;
@@ -212,6 +214,41 @@ public void testGetProfileByAuthenticationDomainless() {
         assertThat(future3.actionGet(), nullValue());
     }
 
+    public void testGetProfileByAuthenticationWillNotCheckRealmNameForFileOrNativeRealm() {
+        // File and native realms are under the same domain, activate the profile from either the realm
+        final Profile profile1;
+        if (randomBoolean()) {
+            profile1 = doActivateProfile(RAC_USER_NAME, TEST_PASSWORD_SECURE_STRING);
+        } else {
+            profile1 = doActivateProfile(RAC_USER_NAME, NATIVE_RAC_USER_PASSWORD);
+        }
+        final ProfileService profileService = node().injector().getInstance(ProfileService.class);
+
+        final String realmName = randomAlphaOfLengthBetween(3, 8);
+        final String realmType = randomBoolean() ? FileRealmSettings.TYPE : NativeRealmSettings.TYPE;
+        final RealmDomain realmDomain = new RealmDomain(
+            randomAlphaOfLengthBetween(3, 8),
+            Set.of(
+                new RealmConfig.RealmIdentifier(realmType, realmName),
+                new RealmConfig.RealmIdentifier(
+                    FileRealmSettings.TYPE.equals(realmType) ? NativeRealmSettings.TYPE : FileRealmSettings.TYPE,
+                    randomAlphaOfLengthBetween(3, 8)
+                )
+            )
+        );
+        final Authentication.RealmRef authenticatedBy = new Authentication.RealmRef(
+            realmName,
+            realmType,
+            randomAlphaOfLengthBetween(3, 8),
+            realmDomain
+        );
+        final Authentication authentication1 = Authentication.newRealmAuthentication(new User(RAC_USER_NAME), authenticatedBy);
+
+        final PlainActionFuture<Profile> future1 = new PlainActionFuture<>();
+        profileService.activateProfile(authentication1, future1);
+        assertThat(future1.actionGet().uid(), equalTo(profile1.uid()));
+    }
+
     private String indexDocument() {
         final String uid = randomAlphaOfLength(20);
         final String source = ProfileServiceTests.SAMPLE_PROFILE_DOCUMENT_TEMPLATE.formatted(uid, Instant.now().toEpochMilli());
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/profile/ProfileService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/profile/ProfileService.java
@@ -54,6 +54,8 @@
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationContext;
 import org.elasticsearch.xpack.core.security.authc.Subject;
+import org.elasticsearch.xpack.core.security.authc.esnative.NativeRealmSettings;
+import org.elasticsearch.xpack.core.security.authc.file.FileRealmSettings;
 import org.elasticsearch.xpack.core.security.user.User;
 import org.elasticsearch.xpack.security.support.SecurityIndexManager;
 
@@ -98,7 +100,6 @@ public void getProfile(String uid, @Nullable Set<String> dataKeys, ActionListene
     }
 
     // TODO: with request when we take request body for profile activation
-
     /**
      * Create a new profile or update an existing profile for the user of the given Authentication.
      * @param authentication This is the object from which the profile will be created or updated.
@@ -259,8 +260,10 @@ void getVersionedDocument(Subject subject, ActionListener<VersionedDocument> lis
             final BoolQueryBuilder boolQuery = QueryBuilders.boolQuery()
                 .filter(QueryBuilders.termQuery("user_profile.user.username", subject.getUser().principal()));
             if (subject.getRealm().getDomain() == null) {
-                boolQuery.filter(QueryBuilders.termQuery("user_profile.user.realm.name", subject.getRealm().getName()))
-                    .filter(QueryBuilders.termQuery("user_profile.user.realm.type", subject.getRealm().getType()));
+                boolQuery.filter(QueryBuilders.termQuery("user_profile.user.realm.type", subject.getRealm().getType()));
+                if (false == isFileOrNativeRealm(subject.getRealm().getType())) {
+                    boolQuery.filter(QueryBuilders.termQuery("user_profile.user.realm.name", subject.getRealm().getName()));
+                }
             } else {
                 logger.debug(
                     () -> new ParameterizedMessage(
@@ -271,11 +274,12 @@ void getVersionedDocument(Subject subject, ActionListener<VersionedDocument> lis
                     )
                 );
                 subject.getRealm().getDomain().realms().forEach(realmIdentifier -> {
-                    boolQuery.should(
-                        QueryBuilders.boolQuery()
-                            .filter(QueryBuilders.termQuery("user_profile.user.realm.name", realmIdentifier.getName()))
-                            .filter(QueryBuilders.termQuery("user_profile.user.realm.type", realmIdentifier.getType()))
-                    );
+                    final BoolQueryBuilder perRealmQuery = QueryBuilders.boolQuery()
+                        .filter(QueryBuilders.termQuery("user_profile.user.realm.type", realmIdentifier.getType()));
+                    if (false == isFileOrNativeRealm(realmIdentifier.getType())) {
+                        perRealmQuery.filter(QueryBuilders.termQuery("user_profile.user.realm.name", realmIdentifier.getName()));
+                    }
+                    boolQuery.should(perRealmQuery);
                 });
                 boolQuery.minimumShouldMatch(1);
             }
@@ -489,6 +493,10 @@ private ProfileDocument updateWithSubject(ProfileDocument doc, Subject subject)
         );
     }
 
+    private boolean isFileOrNativeRealm(String realmType) {
+        return FileRealmSettings.TYPE.equals(realmType) || NativeRealmSettings.TYPE.equals(realmType);
+    }
+
     // Package private for testing
     record VersionedDocument(ProfileDocument doc, long primaryTerm, long seqNo) {
 
