Remove dep com.nimbusds:nimbus-jose-jwt from module org.elasticsearch…

….xcore (#110565)

The types from com.nimbusds.jwt are almost not needed in x-pack/plugin/core.
They're only needed in module org.elasticsearch.security, x-pack:plugin:security project.

x-pack/plugin/core/build.gradle

@@ -51,7 +51,6 @@ dependencies {
 
   // security deps
   api 'com.unboundid:unboundid-ldapsdk:6.0.3'
-  api "com.nimbusds:nimbus-jose-jwt:9.23"
 
   implementation project(":x-pack:plugin:core:template-resources")
 
@@ -135,27 +134,7 @@ tasks.named("thirdPartyAudit").configure {
     //commons-logging provided dependencies
     'javax.servlet.ServletContextEvent',
     'javax.servlet.ServletContextListener',
-    'javax.jms.Message',
-    // Optional dependency of nimbus-jose-jwt for handling Ed25519 signatures and ECDH with X25519 (RFC 8037)
-    'com.google.crypto.tink.subtle.Ed25519Sign',
-    'com.google.crypto.tink.subtle.Ed25519Sign$KeyPair',
-    'com.google.crypto.tink.subtle.Ed25519Verify',
-    'com.google.crypto.tink.subtle.X25519',
-    'com.google.crypto.tink.subtle.XChaCha20Poly1305',
-    // optional dependencies for nimbus-jose-jwt
-    'org.bouncycastle.asn1.pkcs.PrivateKeyInfo',
-    'org.bouncycastle.asn1.x509.AlgorithmIdentifier',
-    'org.bouncycastle.asn1.x509.SubjectPublicKeyInfo',
-    'org.bouncycastle.cert.X509CertificateHolder',
-    'org.bouncycastle.cert.jcajce.JcaX509CertificateHolder',
-    'org.bouncycastle.crypto.InvalidCipherTextException',
-    'org.bouncycastle.crypto.engines.AESEngine',
-    'org.bouncycastle.crypto.modes.GCMBlockCipher',
-    'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider',
-    'org.bouncycastle.jce.provider.BouncyCastleProvider',
-    'org.bouncycastle.openssl.PEMKeyPair',
-    'org.bouncycastle.openssl.PEMParser',
-    'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter'
+    'javax.jms.Message'
   )
 }
 

x-pack/plugin/core/src/main/java/module-info.java

@@ -22,7 +22,6 @@
     requires unboundid.ldapsdk;
     requires org.elasticsearch.tdigest;
     requires org.elasticsearch.xcore.templates;
-    requires com.nimbusds.jose.jwt;
 
     exports org.elasticsearch.index.engine.frozen;
     exports org.elasticsearch.license;

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/Grant.java

@@ -7,19 +7,13 @@
 
 package org.elasticsearch.xpack.core.security.action;
 
-import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.TransportVersions;
 import org.elasticsearch.action.ActionRequestValidationException;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
 import org.elasticsearch.common.io.stream.Writeable;
 import org.elasticsearch.common.settings.SecureString;
-import org.elasticsearch.rest.RestStatus;
-import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
-import org.elasticsearch.xpack.core.security.authc.jwt.JwtAuthenticationToken;
 import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
-import org.elasticsearch.xpack.core.security.authc.support.BearerToken;
-import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken;
 
 import java.io.IOException;
 
@@ -136,30 +130,6 @@ public void setClientAuthentication(ClientAuthentication clientAuthentication) {
         this.clientAuthentication = clientAuthentication;
     }
 
-    public AuthenticationToken getAuthenticationToken() {
-        assert validate(null) == null : "grant is invalid";
-        return switch (type) {
-            case PASSWORD_GRANT_TYPE -> new UsernamePasswordToken(username, password);
-            case ACCESS_TOKEN_GRANT_TYPE -> {
-                SecureString clientAuthentication = this.clientAuthentication != null ? this.clientAuthentication.value() : null;
-                AuthenticationToken token = JwtAuthenticationToken.tryParseJwt(accessToken, clientAuthentication);
-                if (token != null) {
-                    yield token;
-                }
-                if (clientAuthentication != null) {
-                    clientAuthentication.close();
-                    throw new ElasticsearchSecurityException(
-                        "[client_authentication] not supported with the supplied access_token type",
-                        RestStatus.BAD_REQUEST
-                    );
-                }
-                // here we effectively assume it's an ES access token (from the {@code TokenService})
-                yield new BearerToken(accessToken);
-            }
-            default -> throw new ElasticsearchSecurityException("the grant type [{}] is not supported", type);
-        };
-    }
-
     public ActionRequestValidationException validate(ActionRequestValidationException validationException) {
         if (type == null) {
             validationException = addValidationError("[grant_type] is required", validationException);

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealmSingleNodeTests.java

@@ -52,7 +52,6 @@
 import org.elasticsearch.xpack.core.security.action.user.AuthenticateResponse;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.security.authc.Realm;
-import org.elasticsearch.xpack.core.security.authc.jwt.JwtAuthenticationToken;
 import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
 import org.elasticsearch.xpack.security.LocalStateSecurity;
 import org.elasticsearch.xpack.security.Security;

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/TransportGrantAction.java

@@ -7,24 +7,33 @@
 
 package org.elasticsearch.xpack.security.action;
 
+import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.ElasticsearchStatusException;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.ActionResponse;
 import org.elasticsearch.action.support.ActionFilters;
 import org.elasticsearch.action.support.TransportAction;
+import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.tasks.Task;
 import org.elasticsearch.transport.TransportService;
+import org.elasticsearch.xpack.core.security.action.Grant;
 import org.elasticsearch.xpack.core.security.action.GrantRequest;
 import org.elasticsearch.xpack.core.security.action.user.AuthenticateAction;
 import org.elasticsearch.xpack.core.security.action.user.AuthenticateRequest;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationServiceField;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
+import org.elasticsearch.xpack.core.security.authc.support.BearerToken;
+import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken;
 import org.elasticsearch.xpack.security.authc.AuthenticationService;
+import org.elasticsearch.xpack.security.authc.jwt.JwtAuthenticationToken;
 import org.elasticsearch.xpack.security.authz.AuthorizationService;
 
+import static org.elasticsearch.xpack.core.security.action.Grant.ACCESS_TOKEN_GRANT_TYPE;
+import static org.elasticsearch.xpack.core.security.action.Grant.PASSWORD_GRANT_TYPE;
+
 public abstract class TransportGrantAction<Request extends GrantRequest, Response extends ActionResponse> extends TransportAction<
     Request,
     Response> {
@@ -50,7 +59,7 @@ public TransportGrantAction(
     @Override
     public final void doExecute(Task task, Request request, ActionListener<Response> listener) {
         try (ThreadContext.StoredContext ignore = threadContext.stashContext()) {
-            final AuthenticationToken authenticationToken = request.getGrant().getAuthenticationToken();
+            final AuthenticationToken authenticationToken = getAuthenticationToken(request.getGrant());
             assert authenticationToken != null : "authentication token must not be null";
 
             final String runAsUsername = request.getGrant().getRunAsUsername();
@@ -109,4 +118,30 @@ protected abstract void doExecuteWithGrantAuthentication(
         Authentication authentication,
         ActionListener<Response> listener
     );
+
+    public static AuthenticationToken getAuthenticationToken(Grant grant) {
+        assert grant.validate(null) == null : "grant is invalid";
+        return switch (grant.getType()) {
+            case PASSWORD_GRANT_TYPE -> new UsernamePasswordToken(grant.getUsername(), grant.getPassword());
+            case ACCESS_TOKEN_GRANT_TYPE -> {
+                SecureString clientAuthentication = grant.getClientAuthentication() != null
+                    ? grant.getClientAuthentication().value()
+                    : null;
+                AuthenticationToken token = JwtAuthenticationToken.tryParseJwt(grant.getAccessToken(), clientAuthentication);
+                if (token != null) {
+                    yield token;
+                }
+                if (clientAuthentication != null) {
+                    clientAuthentication.close();
+                    throw new ElasticsearchSecurityException(
+                        "[client_authentication] not supported with the supplied access_token type",
+                        RestStatus.BAD_REQUEST
+                    );
+                }
+                // here we effectively assume it's an ES access token (from the {@code TokenService})
+                yield new BearerToken(grant.getAccessToken());
+            }
+            default -> throw new ElasticsearchSecurityException("the grant type [{}] is not supported", grant.getType());
+        };
+    }
 }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwkSetLoader.java

@@ -22,7 +22,6 @@
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
 import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
-import org.elasticsearch.xpack.core.security.authc.jwt.JwtUtil;
 import org.elasticsearch.xpack.core.ssl.SSLService;
 
 import java.io.IOException;

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwkValidateUtil.java

@@ -24,7 +24,6 @@
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.settings.SettingsException;
 import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
-import org.elasticsearch.xpack.core.security.authc.jwt.JwtUtil;
 
 import java.nio.charset.StandardCharsets;
 import java.security.PublicKey;

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/jwt/JwtAuthenticationToken.java → x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticationToken.java

@@ -4,7 +4,7 @@
  * 2.0; you may not use this file except in compliance with the Elastic License
  * 2.0.
  */
-package org.elasticsearch.xpack.core.security.authc.jwt;
+package org.elasticsearch.xpack.security.authc.jwt;
 
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticator.java

@@ -19,7 +19,6 @@
 import org.elasticsearch.core.Releasable;
 import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
-import org.elasticsearch.xpack.core.security.authc.jwt.JwtAuthenticationToken;
 import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
 import org.elasticsearch.xpack.core.ssl.SSLService;
 

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java

@@ -31,9 +31,7 @@
 import org.elasticsearch.xpack.core.security.authc.Realm;
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
-import org.elasticsearch.xpack.core.security.authc.jwt.JwtAuthenticationToken;
 import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
-import org.elasticsearch.xpack.core.security.authc.jwt.JwtUtil;
 import org.elasticsearch.xpack.core.security.authc.support.CachingRealm;
 import org.elasticsearch.xpack.core.security.authc.support.UserRoleMapper;
 import org.elasticsearch.xpack.core.security.support.CacheIteratorHelper;

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtSignatureValidator.java

@@ -35,14 +35,13 @@
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
 import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
-import org.elasticsearch.xpack.core.security.authc.jwt.JwtUtil;
 import org.elasticsearch.xpack.core.ssl.SSLService;
 
 import java.util.Arrays;
 import java.util.List;
 import java.util.stream.Stream;
 
-import static org.elasticsearch.xpack.core.security.authc.jwt.JwtUtil.toStringRedactSignature;
+import static org.elasticsearch.xpack.security.authc.jwt.JwtUtil.toStringRedactSignature;
 
 public interface JwtSignatureValidator extends Releasable {
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/jwt/JwtUtil.java → x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtUtil.java

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-package org.elasticsearch.xpack.core.security.authc.jwt;
+package org.elasticsearch.xpack.security.authc.jwt;
 
 import com.nimbusds.jose.JWSObject;
 import com.nimbusds.jose.jwk.JWK;
@@ -47,6 +47,7 @@
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
+import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
 import org.elasticsearch.xpack.core.ssl.SSLService;
 
 import java.io.InputStream;

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.java

@@ -91,9 +91,9 @@
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
-import org.elasticsearch.xpack.core.security.authc.jwt.JwtUtil;
 import org.elasticsearch.xpack.core.security.authc.oidc.OpenIdConnectRealmSettings;
 import org.elasticsearch.xpack.core.ssl.SSLService;
+import org.elasticsearch.xpack.security.authc.jwt.JwtUtil;
 
 import java.io.IOException;
 import java.net.URI;

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticatorTests.java

@@ -24,7 +24,6 @@
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
-import org.elasticsearch.xpack.core.security.authc.jwt.JwtAuthenticationToken;
 import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
 import org.elasticsearch.xpack.core.ssl.SSLService;
 import org.junit.Before;

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/jwt/JwtIssuer.java

@@ -14,7 +14,6 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
-import org.elasticsearch.xpack.core.security.authc.jwt.JwtUtil;
 import org.elasticsearch.xpack.core.security.user.User;
 
 import java.io.Closeable;

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealmAuthenticateTests.java

@@ -25,7 +25,6 @@
 import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
 import org.elasticsearch.xpack.core.security.authc.Realm;
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
-import org.elasticsearch.xpack.core.security.authc.jwt.JwtAuthenticationToken;
 import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
 import org.elasticsearch.xpack.core.security.user.User;
 

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealmGenerateTests.java

@@ -23,7 +23,6 @@
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
 import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
-import org.elasticsearch.xpack.core.security.authc.jwt.JwtUtil;
 import org.elasticsearch.xpack.core.security.authc.support.DelegatedAuthorizationSettings;
 import org.elasticsearch.xpack.core.security.authc.support.UserRoleMapper;
 import org.elasticsearch.xpack.core.security.user.User;

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealmInspector.java

@@ -11,7 +11,6 @@
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
-import org.elasticsearch.xpack.core.security.authc.jwt.JwtUtil;
 import org.elasticsearch.xpack.core.security.authc.support.ClaimSetting;
 
 import java.net.URI;

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealmTestCase.java

@@ -28,7 +28,6 @@
 import org.elasticsearch.xpack.core.security.authc.Realm;
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
-import org.elasticsearch.xpack.core.security.authc.jwt.JwtAuthenticationToken;
 import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
 import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings.ClientAuthenticationType;
 import org.elasticsearch.xpack.core.security.authc.support.DelegatedAuthorizationSettings;

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/jwt/JwtUtilTests.java

@@ -10,7 +10,6 @@
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.SettingsException;
 import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
-import org.elasticsearch.xpack.core.security.authc.jwt.JwtUtil;
 
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;