Add manage_own_api_key cluster privilege

Yogesh Gaikwad · Yogesh Gaikwad · commit aa623c352b1d · 2019-08-20T18:04:10.000+10:00
This commit adds `manage_own_api_key` cluster privilege which
only allows api key cluster actions on API keys owned by the
current authenticated user.
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java
@@ -103,6 +103,8 @@ public class ClusterPrivilegeResolver {
     public static final NamedClusterPrivilege MANAGE_SLM = new ActionClusterPrivilege("manage_slm", MANAGE_SLM_PATTERN);
     public static final NamedClusterPrivilege READ_SLM = new ActionClusterPrivilege("read_slm", READ_SLM_PATTERN);
 
+    public static final NamedClusterPrivilege MANAGE_OWN_API_KEY = ManageOwnApiKeyClusterPrivilege.INSTANCE;
+
     private static final Map<String, NamedClusterPrivilege> VALUES = Stream.of(
         NONE,
         ALL,
@@ -131,7 +133,8 @@ public class ClusterPrivilegeResolver {
         MANAGE_ILM,
         READ_ILM,
         MANAGE_SLM,
-        READ_SLM).collect(Collectors.toUnmodifiableMap(NamedClusterPrivilege::name, Function.identity()));
+        READ_SLM,
+        MANAGE_OWN_API_KEY).collect(Collectors.toUnmodifiableMap(NamedClusterPrivilege::name, Function.identity()));
 
     /**
      * Resolves a {@link NamedClusterPrivilege} from a given name if it exists.
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageOwnApiKeyClusterPrivilege.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageOwnApiKeyClusterPrivilege.java
@@ -0,0 +1,88 @@
+/*
+ *
+ *  Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ *  or more contributor license agreements. Licensed under the Elastic License;
+ *  you may not use this file except in compliance with the Elastic License.
+ *
+ */
+
+package org.elasticsearch.xpack.core.security.authz.privilege;
+
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.transport.TransportRequest;
+import org.elasticsearch.xpack.core.security.action.CreateApiKeyRequest;
+import org.elasticsearch.xpack.core.security.action.GetApiKeyRequest;
+import org.elasticsearch.xpack.core.security.action.InvalidateApiKeyRequest;
+import org.elasticsearch.xpack.core.security.authc.Authentication;
+import org.elasticsearch.xpack.core.security.authz.permission.ClusterPermission;
+import org.elasticsearch.xpack.core.security.support.Automatons;
+
+import java.util.function.BiPredicate;
+import java.util.function.Predicate;
+
+/**
+ * Named cluster privilege for managing API keys owned by the current authenticated user.
+ */
+public class ManageOwnApiKeyClusterPrivilege implements NamedClusterPrivilege {
+    public static final ManageOwnApiKeyClusterPrivilege INSTANCE = new ManageOwnApiKeyClusterPrivilege();
+    private static final Predicate<String> ACTION_PREDICATE = Automatons.predicate("cluster:admin/xpack/security/api_key/*");
+    private final String name;
+    private final BiPredicate<TransportRequest, Authentication> requestAuthnPredicate;
+
+    private ManageOwnApiKeyClusterPrivilege() {
+        this.name = "manage_own_api_key";
+        this.requestAuthnPredicate = (request, authentication) -> {
+            if (request instanceof CreateApiKeyRequest) {
+                return true;
+            } else if (request instanceof GetApiKeyRequest) {
+                final GetApiKeyRequest getApiKeyRequest = (GetApiKeyRequest) request;
+                return checkIfUserIsOwnerOfApiKeys(authentication, getApiKeyRequest.getApiKeyId(), getApiKeyRequest.getUserName(),
+                    getApiKeyRequest.getRealmName());
+            } else if (request instanceof InvalidateApiKeyRequest) {
+                final InvalidateApiKeyRequest invalidateApiKeyRequest = (InvalidateApiKeyRequest) request;
+                return checkIfUserIsOwnerOfApiKeys(authentication, invalidateApiKeyRequest.getId(), invalidateApiKeyRequest.getUserName(),
+                    invalidateApiKeyRequest.getRealmName());
+            }
+            return false;
+        };
+    }
+
+    private boolean checkIfUserIsOwnerOfApiKeys(Authentication authentication, String apiKeyId, String username, String realmName) {
+        if (isCurrentAuthenticationUsingSameApiKeyIdFromRequest(authentication, apiKeyId)) {
+            return true;
+        } else {
+            /*
+             * TODO ygaikwad we need to think on how we can propagate appropriate error message to the end user when username, realm name
+             *   is missing. This is similar to the problem of propagating proper error messages in case of access denied.
+             */
+            String authenticatedUserPrincipal = authentication.getUser().principal();
+            String authenticatedUserRealm = authentication.getAuthenticatedBy().getName();
+            if (Strings.hasText(username) && Strings.hasText(realmName)) {
+                return username.equals(authenticatedUserPrincipal) && realmName.equals(authenticatedUserRealm);
+            }
+        }
+        return false;
+    }
+
+    private boolean isCurrentAuthenticationUsingSameApiKeyIdFromRequest(Authentication authentication, String apiKeyId) {
+        // TODO ygaikwad replace with constants after merging other change
+        if (authentication.getAuthenticatedBy().getType().equals("_es_api_key")) {
+            // API key id from authentication must match the id from request
+            String authenticatedApiKeyId = (String) authentication.getMetadata().get("_security_api_key_id");
+            if (Strings.hasText(apiKeyId)) {
+                return apiKeyId.equals(authenticatedApiKeyId);
+            }
+        }
+        return false;
+    }
+
+    @Override
+    public String name() {
+        return name;
+    }
+
+    @Override
+    public ClusterPermission.Builder buildPermission(ClusterPermission.Builder builder) {
+        return builder.add(this, ACTION_PREDICATE, requestAuthnPredicate);
+    }
+}
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageOwnApiKeyClusterPrivilegeTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageOwnApiKeyClusterPrivilegeTests.java
@@ -0,0 +1,88 @@
+/*
+ *
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ *
+ */
+
+package org.elasticsearch.xpack.core.security.authz.privilege;
+
+import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.transport.TransportRequest;
+import org.elasticsearch.xpack.core.security.action.GetApiKeyRequest;
+import org.elasticsearch.xpack.core.security.action.InvalidateApiKeyRequest;
+import org.elasticsearch.xpack.core.security.authc.Authentication;
+import org.elasticsearch.xpack.core.security.authz.permission.ClusterPermission;
+import org.elasticsearch.xpack.core.security.user.User;
+
+import java.util.Map;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+public class ManageOwnApiKeyClusterPrivilegeTests extends ESTestCase {
+
+    public void testActionRequestAuthenticationBasedPredicateWhenAuthenticatingWithApiKey() {
+        final ClusterPermission clusterPermission =
+            ManageOwnApiKeyClusterPrivilege.INSTANCE.buildPermission(ClusterPermission.builder()).build();
+        {
+            final String apiKeyId = randomAlphaOfLengthBetween(4, 7);
+            final Authentication authentication = createMockAuthentication("_es_api_key", "_es_api_key",
+                Map.of("_security_api_key_id", apiKeyId));
+            final TransportRequest request = randomFrom(GetApiKeyRequest.usingApiKeyId(apiKeyId, randomBoolean()),
+                InvalidateApiKeyRequest.usingApiKeyId(apiKeyId, randomBoolean()));
+
+            assertTrue(clusterPermission.check("cluster:admin/xpack/security/api_key/get", request, authentication));
+            assertTrue(clusterPermission.check("cluster:admin/xpack/security/api_key/invalidate", request, authentication));
+            assertFalse(clusterPermission.check("cluster:admin/something", request, authentication));
+        }
+        {
+            final String apiKeyId = randomAlphaOfLengthBetween(4, 7);
+            final Authentication authentication = createMockAuthentication("_es_api_key", "_es_api_key",
+                Map.of("_security_api_key_id", randomAlphaOfLength(7)));
+            final TransportRequest request = randomFrom(GetApiKeyRequest.usingApiKeyId(apiKeyId, randomBoolean()),
+                InvalidateApiKeyRequest.usingApiKeyId(apiKeyId, randomBoolean()));
+
+            assertFalse(clusterPermission.check("cluster:admin/xpack/security/api_key/get", request, authentication));
+            assertFalse(clusterPermission.check("cluster:admin/xpack/security/api_key/invalidate", request, authentication));
+        }
+    }
+
+    public void testActionRequestAuthenticationBasedPredicateWhenRequestContainsUsernameAndRealmName() {
+        final ClusterPermission clusterPermission =
+            ManageOwnApiKeyClusterPrivilege.INSTANCE.buildPermission(ClusterPermission.builder()).build();
+        {
+            final Authentication authentication = createMockAuthentication("realm1", "native", Map.of());
+            final TransportRequest request = randomFrom(GetApiKeyRequest.usingRealmAndUserName("realm1", "joe"),
+                InvalidateApiKeyRequest.usingRealmAndUserName("realm1", "joe"));
+
+            assertTrue(clusterPermission.check("cluster:admin/xpack/security/api_key/get", request, authentication));
+            assertTrue(clusterPermission.check("cluster:admin/xpack/security/api_key/invalidate", request, authentication));
+            assertFalse(clusterPermission.check("cluster:admin/something", request, authentication));
+        }
+        {
+            final Authentication authentication = createMockAuthentication("realm1", "native", Map.of());
+            final TransportRequest request = randomFrom(
+                GetApiKeyRequest.usingRealmAndUserName("realm1", randomAlphaOfLength(7)),
+                GetApiKeyRequest.usingRealmAndUserName(randomAlphaOfLength(5), "joe"),
+                InvalidateApiKeyRequest.usingRealmAndUserName("realm1", randomAlphaOfLength(7)),
+                InvalidateApiKeyRequest.usingRealmAndUserName(randomAlphaOfLength(5), "joe"));
+
+            assertFalse(clusterPermission.check("cluster:admin/xpack/security/api_key/get", request, authentication));
+            assertFalse(clusterPermission.check("cluster:admin/xpack/security/api_key/invalidate", request, authentication));
+        }
+    }
+
+    private Authentication createMockAuthentication(String realmName, String realmType, Map<String, Object> metadata) {
+        final User user = new User("joe");
+        final Authentication authentication = mock(Authentication.class);
+        final Authentication.RealmRef authenticatedBy = mock(Authentication.RealmRef.class);
+        when(authentication.getUser()).thenReturn(user);
+        when(authentication.getAuthenticatedBy()).thenReturn(authenticatedBy);
+        when(authenticatedBy.getName()).thenReturn(realmName);
+        when(authenticatedBy.getType()).thenReturn(realmType);
+        when(authentication.getMetadata()).thenReturn(metadata);
+        return authentication;
+    }
+}
