Refactor Token Service (elastic#39808)

This refactoring is in the context of the work related to moving security
tokens to a new index. In that regard, the Token Service has to work with
token documents stored in any of the two indices, albeit only as a transient
situation. I reckoned the added complexity as unmanageable,
hence this refactoring.

This is incomplete, as it fails to address the goal of minimizing .security accesses,
but I have stopped because otherwise it would've become a full blown rewrite
(if not already). I will follow-up with more targeted PRs.

In addition to being a true refactoring, some 400 errors moved to 500. Furthermore,
more stringed validation of various return result, has been implemented, notably the
one of the token document creation.

Author: albertzaharovits

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlAuthenticateAction.java

@@ -61,13 +61,13 @@ protected void doExecute(Task task, SamlAuthenticateRequest request, ActionListe
                 }
                 assert authentication != null : "authentication should never be null at this point";
                 final Map<String, Object> tokenMeta = (Map<String, Object>) result.getMetadata().get(SamlRealm.CONTEXT_TOKEN_DATA);
-                tokenService.createUserToken(authentication, originatingAuthentication,
-                        ActionListener.wrap(tuple -> {
+                tokenService.createOAuth2Tokens(authentication, originatingAuthentication,
+                        tokenMeta, true, ActionListener.wrap(tuple -> {
                             final String tokenString = tokenService.getAccessTokenAsString(tuple.v1());
                             final TimeValue expiresIn = tokenService.getExpirationDelay();
                             listener.onResponse(
                                     new SamlAuthenticateResponse(authentication.getUser().principal(), tokenString, tuple.v2(), expiresIn));
-                        }, listener::onFailure), tokenMeta, true);
+                        }, listener::onFailure));
             }, e -> {
                 logger.debug(() -> new ParameterizedMessage("SamlToken [{}] could not be authenticated", saml), e);
                 listener.onFailure(e);

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionAction.java

@@ -91,7 +91,7 @@ private void findAndInvalidateTokens(SamlRealm realm, SamlLogoutRequestHandler.R
             return;
         }
 
-        tokenService.findActiveTokensForRealm(realm.name(), ActionListener.wrap(tokens -> {
+        tokenService.findActiveTokensForRealm(realm.name(), containsMetadata(tokenMetadata), ActionListener.wrap(tokens -> {
                 logger.debug("Found [{}] token pairs to invalidate for SAML metadata [{}]", tokens.size(), tokenMetadata);
                 if (tokens.isEmpty()) {
                     listener.onResponse(0);
@@ -101,7 +101,7 @@ private void findAndInvalidateTokens(SamlRealm realm, SamlLogoutRequestHandler.R
                     tokens.forEach(tuple -> invalidateTokenPair(tuple, groupedListener));
                 }
             }, listener::onFailure
-        ), containsMetadata(tokenMetadata));
+        ));
     }
 
     private void invalidateTokenPair(Tuple<UserToken, String> tokenPair, ActionListener<TokensInvalidationResult> listener) {

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlLogoutAction.java

@@ -28,7 +28,6 @@
 import org.elasticsearch.xpack.security.authc.saml.SamlUtils;
 import org.opensaml.saml.saml2.core.LogoutRequest;
 
-import java.io.IOException;
 import java.util.Map;
 
 /**
@@ -73,7 +72,7 @@ protected void doExecute(Task task, SamlLogoutRequest request, ActionListener<Sa
                             ));
                         }, listener::onFailure
                 ));
-            } catch (IOException | ElasticsearchException e) {
+            } catch (ElasticsearchException e) {
                 logger.debug("Internal exception during SAML logout", e);
                 listener.onFailure(e);
             }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/token/TransportCreateTokenAction.java

@@ -21,7 +21,6 @@
 import org.elasticsearch.xpack.security.authc.AuthenticationService;
 import org.elasticsearch.xpack.security.authc.TokenService;
 
-import java.io.IOException;
 import java.util.Collections;
 
 /**
@@ -86,19 +85,15 @@ private void authenticateAndCreateToken(CreateTokenRequest request, ActionListen
     }
 
     private void createToken(CreateTokenRequest request, Authentication authentication, Authentication originatingAuth,
-                             boolean includeRefreshToken, ActionListener<CreateTokenResponse> listener) {
-        try {
-            tokenService.createUserToken(authentication, originatingAuth, ActionListener.wrap(tuple -> {
-                final String tokenStr = tokenService.getAccessTokenAsString(tuple.v1());
-                final String scope = getResponseScopeValue(request.getScope());
-
-                final CreateTokenResponse response =
-                    new CreateTokenResponse(tokenStr, tokenService.getExpirationDelay(), scope, tuple.v2());
-                listener.onResponse(response);
-            }, listener::onFailure), Collections.emptyMap(), includeRefreshToken);
-        } catch (IOException e) {
-            listener.onFailure(e);
-        }
+            boolean includeRefreshToken, ActionListener<CreateTokenResponse> listener) {
+        tokenService.createOAuth2Tokens(authentication, originatingAuth, Collections.emptyMap(), includeRefreshToken,
+                ActionListener.wrap(tuple -> {
+                    final String tokenStr = tokenService.getAccessTokenAsString(tuple.v1());
+                    final String scope = getResponseScopeValue(request.getScope());
+                    final CreateTokenResponse response = new CreateTokenResponse(tokenStr, tokenService.getExpirationDelay(), scope,
+                            tuple.v2());
+                    listener.onResponse(response);
+                }, listener::onFailure));
     }
 
     static String getResponseScopeValue(String requestScope) {