Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add extensionName() to security extension #79329

Merged
merged 5 commits into from
Oct 19, 2021
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -115,4 +115,8 @@ default AuthenticationFailureHandler getAuthenticationFailureHandler(SecurityCom
default AuthorizationEngine getAuthorizationEngine(Settings settings) {
return null;
}

default String extensionName() {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: why not just name() since the word extension is already part of the class name?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because I didn't think it would be as clear to people implementing security extensions what "name" was supposed to be, and what behaviour it should have.
extensionName is self describing

return getClass().getName();
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@
import org.elasticsearch.common.util.concurrent.EsExecutors;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.util.set.Sets;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.xcontent.NamedXContentRegistry;
import org.elasticsearch.xcontent.XContentBuilder;
import org.elasticsearch.env.Environment;
Expand Down Expand Up @@ -651,37 +652,15 @@ auditTrailService, failureHandler, threadPool, anonymousUser, getAuthorizationEn
}

private AuthorizationEngine getAuthorizationEngine() {
AuthorizationEngine authorizationEngine = null;
String extensionName = null;
for (SecurityExtension extension : securityExtensions) {
final AuthorizationEngine extensionEngine = extension.getAuthorizationEngine(settings);
if (extensionEngine != null && authorizationEngine != null) {
throw new IllegalStateException("Extensions [" + extensionName + "] and [" + extension.toString() + "] "
+ "both set an authorization engine");
}
authorizationEngine = extensionEngine;
extensionName = extension.toString();
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This old code was buggy.
If you have 3 extensions "a", "b", "c" and "a" & "b" both return an engine (but "c" doesn't) then the result would depend on the order of the extension list.

  • "a" "b" "c" ⇒ exception
  • "a" "c" "b" ⇒ return the engine from "b"

Because we set authorizationEngine and extensionName to the current extension in the list, even if that extension didn't return an engine.

}

if (authorizationEngine != null) {
logger.debug("Using authorization engine from extension [" + extensionName + "]");
}
return authorizationEngine;
return findValueFromExtensions("authorization engine", extension -> extension.getAuthorizationEngine(settings));
}

private AuthenticationFailureHandler createAuthenticationFailureHandler(final Realms realms,
final SecurityExtension.SecurityComponents components) {
AuthenticationFailureHandler failureHandler = null;
String extensionName = null;
for (SecurityExtension extension : securityExtensions) {
AuthenticationFailureHandler extensionFailureHandler = extension.getAuthenticationFailureHandler(components);
if (extensionFailureHandler != null && failureHandler != null) {
throw new IllegalStateException("Extensions [" + extensionName + "] and [" + extension.toString() + "] "
+ "both set an authentication failure handler");
}
failureHandler = extensionFailureHandler;
extensionName = extension.toString();
}
AuthenticationFailureHandler failureHandler = findValueFromExtensions(
"authentication failure handler",
extension -> extension.getAuthenticationFailureHandler(components)
);
if (failureHandler == null) {
logger.debug("Using default authentication failure handler");
Supplier<Map<String, List<String>>> headersSupplier = () -> {
Expand Down Expand Up @@ -718,12 +697,49 @@ private AuthenticationFailureHandler createAuthenticationFailureHandler(final Re
getLicenseState().addListener(() -> {
finalDefaultFailureHandler.setHeaders(headersSupplier.get());
});
} else {
logger.debug("Using authentication failure handler from extension [" + extensionName + "]");
}
return failureHandler;
}

/**
* Calls the provided function for each configured extension and return the value that was generated by the extensions.
* If multiple extensions provide a value, throws {@link IllegalStateException}.
* If no extensions provide a value (or if there are no extensions) returns {@code null}.
*/
@Nullable
private <T> T findValueFromExtensions(String valueType, Function<SecurityExtension, T> method) {
T foundValue = null;
String fromExtension = null;
for (SecurityExtension extension : securityExtensions) {
final T extensionValue = method.apply(extension);
if (extensionValue == null) {
continue;
}
if (foundValue == null) {
foundValue = extensionValue;
fromExtension = extension.extensionName();
}
else {
tvernum marked this conversation as resolved.
Show resolved Hide resolved
throw new IllegalStateException(
"Extensions ["
+ fromExtension
+ "] and ["
+ extension.extensionName()
+ "] "
+ " both attempted to provide a value for ["
+ valueType
+ "]"
);
}
}
if (foundValue == null) {
return null;
} else {
logger.debug("Using [{}] [{}] from extension [{}]", valueType, foundValue, fromExtension);
return foundValue;
}
}

@Override
public Settings additionalSettings() {
return additionalSettings(settings, enabled);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,11 @@ public class ExampleSecurityExtension implements SecurityExtension {
});
}

@Override
public String extensionName() {
return "example";
}

@Override
public Map<String, Realm.Factory> getRealms(SecurityComponents components) {
return Map.ofEntries(
Expand Down