Adding authentication information to access token create APIs (#62490)

* Adding authentication information to access token create APIs

Adding authentication object to following APIs:
/_security/oauth2/token
/_security/delegate_pki
/_security/saml/authenticate
/_security/oidc/authenticate

Resolves: #59685
(cherry picked from commit 51dbd9e)

* Addressing PR commends, fixing tests

* Returning tokenGroups attribute as SID string instead of byte array (AD metadata)

Addressing PR comments

* Returning tokenGroups attribute as SID string instead of byte array (AD metadata)

Update version check

* Returning tokenGroups attribute as SID string instead of byte array (AD metadata)

Update version check

* Addressing more PR comments

* Adding more to integration tests + some small fixes

Author: BigPandaToo

client/rest-high-level/src/main/java/org/elasticsearch/client/security/AuthenticateResponse.java

@@ -22,6 +22,8 @@
 import org.elasticsearch.client.security.user.User;
 import org.elasticsearch.common.ParseField;
 import org.elasticsearch.common.xcontent.ConstructingObjectParser;
+import org.elasticsearch.common.xcontent.ToXContentObject;
+import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.common.xcontent.XContentParser;
 
 import java.io.IOException;
@@ -38,7 +40,7 @@
  * user object contains all user metadata which Elasticsearch uses to map roles,
  * etc.
  */
-public final class AuthenticateResponse {
+public final class AuthenticateResponse implements ToXContentObject {
 
     static final ParseField USERNAME = new ParseField("username");
     static final ParseField ROLES = new ParseField("roles");
@@ -123,6 +125,27 @@ public String getAuthenticationType() {
         return authenticationType;
     }
 
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+        builder.startObject()
+            .field("username", user.getUsername())
+            .field("roles", user.getRoles())
+            .field("metadata", user.getMetadata())
+            .field("full_name", user.getFullName())
+            .field("email", user.getEmail())
+            .field("enabled", enabled);
+        builder.startObject("authentication_realm")
+            .field("name", authenticationRealm.name)
+            .field("type", authenticationRealm.type);
+        builder.endObject();
+        builder.startObject("lookup_realm")
+            .field("name", lookupRealm == null? authenticationRealm.name: lookupRealm.name)
+            .field("type", lookupRealm == null? authenticationRealm.type: lookupRealm.type);
+        builder.endObject();
+            builder.field("authentication_type", authenticationType);
+        return builder.endObject();
+    }
+
     @Override
     public boolean equals(Object o) {
         if (this == o) return true;

client/rest-high-level/src/main/java/org/elasticsearch/client/security/CreateTokenResponse.java

@@ -42,15 +42,17 @@ public final class CreateTokenResponse {
     private final String scope;
     private final String refreshToken;
     private final String kerberosAuthenticationResponseToken;
+    private final AuthenticateResponse authenticationResponse;
 
     public CreateTokenResponse(String accessToken, String type, TimeValue expiresIn, String scope, String refreshToken,
-                               String kerberosAuthenticationResponseToken) {
+                               String kerberosAuthenticationResponseToken, AuthenticateResponse authenticationResponse) {
         this.accessToken = accessToken;
         this.type = type;
         this.expiresIn = expiresIn;
         this.scope = scope;
         this.refreshToken = refreshToken;
         this.kerberosAuthenticationResponseToken = kerberosAuthenticationResponseToken;
+        this.authenticationResponse = authenticationResponse;
     }
 
     public String getAccessToken() {
@@ -77,6 +79,8 @@ public String getKerberosAuthenticationResponseToken() {
         return kerberosAuthenticationResponseToken;
     }
 
+    public AuthenticateResponse getAuthenticationResponse() { return authenticationResponse; }
+
     @Override
     public boolean equals(Object o) {
         if (this == o) {
@@ -91,17 +95,19 @@ public boolean equals(Object o) {
             Objects.equals(expiresIn, that.expiresIn) &&
             Objects.equals(scope, that.scope) &&
             Objects.equals(refreshToken, that.refreshToken) &&
-            Objects.equals(kerberosAuthenticationResponseToken, that.kerberosAuthenticationResponseToken);
+            Objects.equals(kerberosAuthenticationResponseToken, that.kerberosAuthenticationResponseToken)&&
+            Objects.equals(authenticationResponse, that.authenticationResponse);
     }
 
     @Override
     public int hashCode() {
-        return Objects.hash(accessToken, type, expiresIn, scope, refreshToken, kerberosAuthenticationResponseToken);
+        return Objects.hash(accessToken, type, expiresIn, scope, refreshToken, kerberosAuthenticationResponseToken, authenticationResponse);
     }
 
     private static final ConstructingObjectParser<CreateTokenResponse, Void> PARSER = new ConstructingObjectParser<>(
             "create_token_response", true, args -> new CreateTokenResponse((String) args[0], (String) args[1],
-                    TimeValue.timeValueSeconds((Long) args[2]), (String) args[3], (String) args[4], (String) args[5]));
+                    TimeValue.timeValueSeconds((Long) args[2]), (String) args[3], (String) args[4], (String) args[5],
+                    (AuthenticateResponse) args[6]));
 
     static {
         PARSER.declareString(constructorArg(), new ParseField("access_token"));
@@ -110,6 +116,7 @@ public int hashCode() {
         PARSER.declareStringOrNull(optionalConstructorArg(), new ParseField("scope"));
         PARSER.declareStringOrNull(optionalConstructorArg(), new ParseField("refresh_token"));
         PARSER.declareStringOrNull(optionalConstructorArg(), new ParseField("kerberos_authentication_response_token"));
+        PARSER.declareObject(constructorArg(), (p, c) -> AuthenticateResponse.fromXContent(p), new ParseField("authentication"));
     }
 
     public static CreateTokenResponse fromXContent(XContentParser parser) throws IOException {

client/rest-high-level/src/main/java/org/elasticsearch/client/security/DelegatePkiAuthenticationResponse.java

@@ -34,11 +34,14 @@ public final class DelegatePkiAuthenticationResponse {
     private final String accessToken;
     private final String type;
     private final TimeValue expiresIn;
+    private final AuthenticateResponse authenticationResponse;
 
-    public DelegatePkiAuthenticationResponse(String accessToken, String type, TimeValue expiresIn) {
+    public DelegatePkiAuthenticationResponse(String accessToken, String type, TimeValue expiresIn,
+                                             AuthenticateResponse authenticationResponse) {
         this.accessToken = accessToken;
         this.type = type;
         this.expiresIn = expiresIn;
+        this.authenticationResponse = authenticationResponse;
     }
 
     public String getAccessToken() {
@@ -53,6 +56,8 @@ public TimeValue getExpiresIn() {
         return expiresIn;
     }
 
+    public AuthenticateResponse getAuthenticationResponse() { return authenticationResponse; }
+
     @Override
     public boolean equals(Object o) {
         if (this == o) {
@@ -64,22 +69,26 @@ public boolean equals(Object o) {
         final DelegatePkiAuthenticationResponse that = (DelegatePkiAuthenticationResponse) o;
         return Objects.equals(accessToken, that.accessToken) &&
             Objects.equals(type, that.type) &&
-            Objects.equals(expiresIn, that.expiresIn);
+            Objects.equals(expiresIn, that.expiresIn) &&
+            Objects.equals(authenticationResponse, that.authenticationResponse);
     }
 
     @Override
     public int hashCode() {
-        return Objects.hash(accessToken, type, expiresIn);
+        return Objects.hash(accessToken, type, expiresIn, authenticationResponse);
     }
 
+    @SuppressWarnings("unchecked")
     private static final ConstructingObjectParser<DelegatePkiAuthenticationResponse, Void> PARSER = new ConstructingObjectParser<>(
             "delegate_pki_response", true,
-            args -> new DelegatePkiAuthenticationResponse((String) args[0], (String) args[1], TimeValue.timeValueSeconds((Long) args[2])));
+            args -> new DelegatePkiAuthenticationResponse((String) args[0], (String) args[1], TimeValue.timeValueSeconds((Long) args[2]),
+                (AuthenticateResponse) args[3]));
 
     static {
         PARSER.declareString(constructorArg(), new ParseField("access_token"));
         PARSER.declareString(constructorArg(), new ParseField("type"));
         PARSER.declareLong(constructorArg(), new ParseField("expires_in"));
+        PARSER.declareObject(constructorArg(), (p, c) -> AuthenticateResponse.fromXContent(p), new ParseField("authentication"));
     }
 
     public static DelegatePkiAuthenticationResponse fromXContent(XContentParser parser) throws IOException {

client/rest-high-level/src/test/java/org/elasticsearch/client/security/CreateTokenResponseTests.java

@@ -18,6 +18,7 @@
  */
 package org.elasticsearch.client.security;
 
+import org.elasticsearch.client.security.user.User;
 import org.elasticsearch.common.bytes.BytesReference;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.common.xcontent.XContentBuilder;
@@ -26,6 +27,7 @@
 import org.elasticsearch.test.ESTestCase;
 
 import java.io.IOException;
+import java.util.Arrays;
 
 import static org.hamcrest.Matchers.equalTo;
 
@@ -38,6 +40,10 @@ public void testFromXContent() throws IOException {
         final String scope = randomBoolean() ? null : randomAlphaOfLength(4);
         final String type = randomAlphaOfLength(6);
         final String kerberosAuthenticationResponseToken = randomBoolean() ? null : randomAlphaOfLength(7);
+        final AuthenticateResponse authenticateResponse = new AuthenticateResponse(new User(randomAlphaOfLength(7),
+            Arrays.asList( randomAlphaOfLength(9) )),
+            true, new AuthenticateResponse.RealmInfo(randomAlphaOfLength(5), randomAlphaOfLength(7) ),
+            new AuthenticateResponse.RealmInfo(randomAlphaOfLength(5), randomAlphaOfLength(5) ), "realm");
 
         final XContentType xContentType = randomFrom(XContentType.values());
         final XContentBuilder builder = XContentFactory.contentBuilder(xContentType);
@@ -54,6 +60,7 @@ public void testFromXContent() throws IOException {
         if (kerberosAuthenticationResponseToken != null) {
             builder.field("kerberos_authentication_response_token", kerberosAuthenticationResponseToken);
         }
+        builder.field("authentication", authenticateResponse);
         builder.endObject();
         BytesReference xContent = BytesReference.bytes(builder);
 
@@ -64,5 +71,6 @@ public void testFromXContent() throws IOException {
         assertThat(response.getType(), equalTo(type));
         assertThat(response.getExpiresIn(), equalTo(expiresIn));
         assertThat(response.getKerberosAuthenticationResponseToken(), equalTo(kerberosAuthenticationResponseToken));
+        assertThat(response.getAuthenticationResponse(), equalTo(authenticateResponse));
     }
 }

client/rest-high-level/src/test/java/org/elasticsearch/client/security/DelegatePkiAuthenticationResponseTests.java

@@ -19,14 +19,21 @@
 
 package org.elasticsearch.client.security;
 
+import org.elasticsearch.Version;
 import org.elasticsearch.client.AbstractResponseTestCase;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.common.xcontent.XContentParser;
-import org.elasticsearch.client.security.DelegatePkiAuthenticationResponse;
 import org.elasticsearch.common.xcontent.XContentType;
+import org.elasticsearch.xpack.core.security.authc.Authentication;
+import org.elasticsearch.xpack.core.security.user.User;
 
 import java.io.IOException;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Locale;
+import java.util.Map;
 
+import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
 
 public class DelegatePkiAuthenticationResponseTests extends
@@ -37,7 +44,8 @@ public class DelegatePkiAuthenticationResponseTests extends
     protected org.elasticsearch.xpack.core.security.action.DelegatePkiAuthenticationResponse createServerTestInstance(
         XContentType xContentType) {
         return new org.elasticsearch.xpack.core.security.action.DelegatePkiAuthenticationResponse(randomAlphaOfLength(6),
-                TimeValue.parseTimeValue(randomTimeValue(), getClass().getSimpleName() + ".expiresIn"));
+                TimeValue.parseTimeValue(randomTimeValue(), getClass().getSimpleName() + ".expiresIn"),
+                createAuthentication());
     }
 
     @Override
@@ -51,5 +59,52 @@ protected void assertInstances(org.elasticsearch.xpack.core.security.action.Dele
         assertThat(serverTestInstance.getAccessToken(), is(clientInstance.getAccessToken()));
         assertThat(serverTestInstance.getExpiresIn(), is(clientInstance.getExpiresIn()));
         assertThat(clientInstance.getType(), is("Bearer"));
+        AuthenticateResponse serverAuthenticationResponse = createServerAuthenticationResponse(serverTestInstance.getAuthentication());
+        User user = serverTestInstance.getAuthentication().getUser();
+        assertThat(serverAuthenticationResponse, equalTo(clientInstance.getAuthenticationResponse()));
+    }
+
+    protected Authentication createAuthentication() {
+        final String username = randomAlphaOfLengthBetween(1, 4);
+        final String[] roles = generateRandomStringArray(4, 4, false, true);
+        final Map<String, Object> metadata;
+        metadata = new HashMap<>();
+        if (randomBoolean()) {
+            metadata.put("string", null);
+        } else {
+            metadata.put("string", randomAlphaOfLengthBetween(0, 4));
+        }
+        if (randomBoolean()) {
+            metadata.put("string_list", null);
+        } else {
+            metadata.put("string_list", Arrays.asList(generateRandomStringArray(4, 4, false, true)));
+        }
+        final String fullName = randomFrom(random(), null, randomAlphaOfLengthBetween(0, 4));
+        final String email = randomFrom(random(), null, randomAlphaOfLengthBetween(0, 4));
+        final boolean enabled = randomBoolean();
+        final String authenticationRealmName = randomAlphaOfLength(5);
+        final String authenticationRealmType = randomFrom("file", "native", "ldap", "active_directory", "saml", "kerberos");
+        final String lookupRealmName = randomAlphaOfLength(5);
+        final String lookupRealmType = randomFrom("file", "native", "ldap", "active_directory", "saml", "kerberos");
+        final String nodeName = randomAlphaOfLengthBetween(1, 10);
+        final Authentication.AuthenticationType authenticationType = randomFrom(Authentication.AuthenticationType.values());
+        return new Authentication(
+            new User(username, roles, fullName, email, metadata, true),
+            new Authentication.RealmRef(authenticationRealmName, authenticationRealmType, nodeName),
+            new Authentication.RealmRef(lookupRealmName, lookupRealmType, nodeName), Version.CURRENT, authenticationType, metadata);
+    }
+
+    AuthenticateResponse createServerAuthenticationResponse(Authentication authentication){
+        User user = authentication.getUser();
+        org.elasticsearch.client.security.user.User cUser = new org.elasticsearch.client.security.user.User(user.principal(),
+            Arrays.asList(user.roles()), user.metadata(), user.fullName(), user.email());
+        AuthenticateResponse.RealmInfo authenticatedBy = new AuthenticateResponse.RealmInfo(authentication.getAuthenticatedBy().getName(),
+            authentication.getAuthenticatedBy().getType());
+        AuthenticateResponse.RealmInfo lookedUpBy = new AuthenticateResponse.RealmInfo(authentication.getLookedUpBy() == null?
+            authentication.getAuthenticatedBy().getName(): authentication.getLookedUpBy().getName(),
+            authentication.getLookedUpBy() == null?
+                authentication.getAuthenticatedBy().getType(): authentication.getLookedUpBy().getType());
+        return new AuthenticateResponse(cUser, user.enabled(), authenticatedBy, lookedUpBy,
+            authentication.getAuthenticationType().toString().toLowerCase(Locale.ROOT));
     }
 }

docs/java-rest/high-level/security/create-token.asciidoc

@@ -49,6 +49,8 @@ The returned `CreateTokenResponse` contains the following properties:
 `scope`:: The scope of the token. May be `null`.
 `refreshToken`:: A secondary "refresh" token that may be used to extend
  the life of an access token. May be `null`.
+`authentication`:: This is the authentication object for the newly created token. See also
+<<{upid}-authenticate-response, authenticate response>> for details.
 
 ["source","java",subs="attributes,callouts,macros"]
 --------------------------------------------------
@@ -83,4 +85,4 @@ include-tagged::{doc-tests}/SecurityDocumentationIT.java[create-token-execute-li
 --------------------------------------------------
 <1> Called when the execution is successfully completed. The response is
 provided as an argument
-<2> Called in case of failure. The raised exception is provided as an argument
+<2> Called in case of failure. The raised exception is provided as an argument

docs/java-rest/high-level/security/delegate-pki-authentication.asciidoc

@@ -52,6 +52,8 @@ The returned +{response}+ contains the following properties:
 `type`:: The type of the token, this is always `"Bearer"`.
 `expiresIn`:: The length of time (in seconds) until the token will expire.
    The token will be considered invalid after that time.
+`authentication`:: This is the authentication object for the newly created token. See also
+<<{upid}-authenticate-response, authenticate response>> for details.
 
 ["source","java",subs="attributes,callouts,macros"]
 --------------------------------------------------

x-pack/docs/en/rest-api/security/delegate-pki-authentication.asciidoc

@@ -89,7 +89,28 @@ Which returns the following response:
 {
   "access_token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==",
   "type" : "Bearer",
-  "expires_in" : 1200
+  "expires_in" : 1200,
+  "authentication" : {
+    "username" : "Elasticsearch Test Client",
+    "roles" : [ ],
+    "full_name" : null,
+    "email" : null,
+    "metadata" : {
+      "pki_dn" : "O=org, OU=Elasticsearch, CN=Elasticsearch Test Client",
+      "pki_delegated_by_user" : "test_admin",
+      "pki_delegated_by_realm" : "file"
+      },
+    "enabled" : true,
+    "authentication_realm" : {
+      "name" : "pki1",
+      "type" : "pki"
+      },
+    "lookup_realm" : {
+      "name" : "pki1",
+      "type" : "pki"
+      },
+    "authentication_type" : "realm"
+  }
 }
 --------------------------------------------------
 // TESTRESPONSE[s/dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==/$body.access_token/]