
Commit 2f80b73

Refactor Token Service (elastic#39808)
This refactoring is in the context of the work related to moving security tokens to a new index. In that regard, the Token Service has to work with token documents stored in either of the two indices, albeit only as a transient situation. I reckoned the added complexity as unmanageable, hence this refactoring. This is incomplete, as it fails to address the goal of minimizing .security accesses, but I have stopped because otherwise it would've become a full blown rewrite (if not already). I will follow up with more targeted PRs. In addition to being a true refactoring, some 400 errors moved to 500. Furthermore, more stringent validation of various return results has been implemented, notably that of the token document creation.
1 parent 244e675 commit 2f80b73

11 files changed

+512
-485
lines changed

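--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlAuthenticateAction.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlAuthenticateAction.java
@@ -61,13 +61,13 @@ protected void doExecute(Task task, SamlAuthenticateRequest request, ActionListe
 }
 assert authentication != null : "authentication should never be null at this point";
 final Map<String, Object> tokenMeta = (Map<String, Object>) result.getMetadata().get(SamlRealm.CONTEXT_TOKEN_DATA);
-tokenService.createUserToken(authentication, originatingAuthentication,
-ActionListener.wrap(tuple -> {
+tokenService.createOAuth2Tokens(authentication, originatingAuthentication,
+tokenMeta, true, ActionListener.wrap(tuple -> {
 final String tokenString = tokenService.getAccessTokenAsString(tuple.v1());
 final TimeValue expiresIn = tokenService.getExpirationDelay();
 listener.onResponse(
 new SamlAuthenticateResponse(authentication.getUser().principal(), tokenString, tuple.v2(), expiresIn));
-}, listener::onFailure), tokenMeta, true);
+}, listener::onFailure));
 }, e -> {
 logger.debug(() -> new ParameterizedMessage("SamlToken [{}] could not be authenticated", saml), e);
 listener.onFailure(e);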
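Review bot: The bare literal `true` on the new line 65 of `tokenService.createOAuth2Tokens(authentication, originatingAuthentication, tokenMeta, true, ActionListener.wrap(...))` is unexplained at the call site; the TransportCreateTokenAction hunk in this same commit passes its `includeRefreshToken` parameter in that position, so the flag deserves a name here too. Introduce `final boolean includeRefreshToken = true;` before the call and pass `includeRefreshToken` in place of the literal, so a reader sees that SAML logins are issued a refresh token without opening TokenService. The enclosing `doExecute` begins and ends outside the hunk.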

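--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionAction.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionAction.java
@@ -91,7 +91,7 @@ private void findAndInvalidateTokens(SamlRealm realm, SamlLogoutRequestHandler.R
 return;
 }
 
-tokenService.findActiveTokensForRealm(realm.name(), ActionListener.wrap(tokens -> {
+tokenService.findActiveTokensForRealm(realm.name(), containsMetadata(tokenMetadata), ActionListener.wrap(tokens -> {
 logger.debug("Found [{}] token pairs to invalidate for SAML metadata [{}]", tokens.size(), tokenMetadata);
 if (tokens.isEmpty()) {
 listener.onResponse(0);
@@ -101,7 +101,7 @@ private void findAndInvalidateTokens(SamlRealm realm, SamlLogoutRequestHandler.R
 tokens.forEach(tuple -> invalidateTokenPair(tuple, groupedListener));
 }
 }, listener::onFailure
-), containsMetadata(tokenMetadata));
+));
 }
 
 private void invalidateTokenPair(Tuple<UserToken, String> tokenPair, ActionListener<TokensInvalidationResult> listener) {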

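--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlLogoutAction.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlLogoutAction.java
@@ -28,7 +28,6 @@
 import org.elasticsearch.xpack.security.authc.saml.SamlUtils;
 import org.opensaml.saml.saml2.core.LogoutRequest;
 
-import java.io.IOException;
 import java.util.Map;
 
 /**
@@ -73,7 +72,7 @@ protected void doExecute(Task task, SamlLogoutRequest request, ActionListener<Sa
 ));
 }, listener::onFailure
 ));
-} catch (IOException | ElasticsearchException e) {
+} catch (ElasticsearchException e) {
 logger.debug("Internal exception during SAML logout", e);
 listener.onFailure(e);
 }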
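Review bot: With the `IOException` arm dropped on new line 75, the catch now covers only `ElasticsearchException`, so any other unchecked exception thrown synchronously inside this try (which begins outside the hunk) escapes `doExecute` instead of being routed to `listener.onFailure`. That was equally true before the change, but since this commit reworks what the token service signals synchronously versus through its listeners, it is worth confirming that the calls inside the try no longer throw anything else, or widening the arm to `} catch (Exception e) {` at this transport-action boundary. The TransportCreateTokenAction hunk in this commit removes its `IOException` handling in the same way and the same question applies there.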

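--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/token/TransportCreateTokenAction.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/token/TransportCreateTokenAction.java
@@ -21,7 +21,6 @@
 import org.elasticsearch.xpack.security.authc.AuthenticationService;
 import org.elasticsearch.xpack.security.authc.TokenService;
 
-import java.io.IOException;
 import java.util.Collections;
 
 /**
@@ -86,19 +85,15 @@ private void authenticateAndCreateToken(CreateTokenRequest request, ActionListen
 }
 
 private void createToken(CreateTokenRequest request, Authentication authentication, Authentication originatingAuth,
-boolean includeRefreshToken, ActionListener<CreateTokenResponse> listener) {
-try {
-tokenService.createUserToken(authentication, originatingAuth, ActionListener.wrap(tuple -> {
-final String tokenStr = tokenService.getAccessTokenAsString(tuple.v1());
-final String scope = getResponseScopeValue(request.getScope());
-
-final CreateTokenResponse response =
-new CreateTokenResponse(tokenStr, tokenService.getExpirationDelay(), scope, tuple.v2());
-listener.onResponse(response);
-}, listener::onFailure), Collections.emptyMap(), includeRefreshToken);
-} catch (IOException e) {
-listener.onFailure(e);
-}
+boolean includeRefreshToken, ActionListener<CreateTokenResponse> listener) {
+tokenService.createOAuth2Tokens(authentication, originatingAuth, Collections.emptyMap(), includeRefreshToken,
+ActionListener.wrap(tuple -> {
+final String tokenStr = tokenService.getAccessTokenAsString(tuple.v1());
+final String scope = getResponseScopeValue(request.getScope());
+final CreateTokenResponse response = new CreateTokenResponse(tokenStr, tokenService.getExpirationDelay(), scope,
+tuple.v2());
+listener.onResponse(response);
+}, listener::onFailure));
 }
 
 static String getResponseScopeValue(String requestScope) {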
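Review bot: `createToken` (new lines 88–96) still carries no Javadoc, and now that the `IOException` catch is gone the method's only failure path is the listener, which is worth stating; add above the signature: `/** Issues an access token, plus a refresh token when {@code includeRefreshToken} is set, for an already-authenticated user; the response and any failure are delivered solely through {@code listener}. */`. The wrapped constructor call on new lines 93–94 breaks the argument list after `scope,` and leaves `tuple.v2());` alone on a line; putting `final CreateTokenResponse response =` on its own line, as the removed code did, keeps `new CreateTokenResponse(tokenStr, tokenService.getExpirationDelay(), scope, tuple.v2());` intact and easier to scan.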
