address feedback

jkakavas · jkakavas · commit 4e0788e52bfb · 2019-02-11T20:11:02.000+02:00
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectPrepareAuthenticationRequest.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/oidc/OpenIdConnectPrepareAuthenticationRequest.java
@@ -30,6 +30,7 @@ public class OpenIdConnectPrepareAuthenticationRequest extends ActionRequest {
      * issuer to the UA needs to be redirected for authentication
      */
     private String issuer;
+    private String loginHint;
     private String state;
     private String nonce;
 
@@ -49,6 +50,11 @@ public String getIssuer() {
         return issuer;
     }
 
+    public String getLoginHint() {
+        return loginHint;
+    }
+
+
     public void setRealmName(String realmName) {
         this.realmName = realmName;
     }
@@ -65,13 +71,18 @@ public void setNonce(String nonce) {
         this.nonce = nonce;
     }
 
+    public void setLoginHint(String loginHint) {
+        this.loginHint = loginHint;
+    }
+
     public OpenIdConnectPrepareAuthenticationRequest() {
     }
 
     public OpenIdConnectPrepareAuthenticationRequest(StreamInput in) throws IOException {
         super.readFrom(in);
         realmName = in.readOptionalString();
         issuer = in.readOptionalString();
+        loginHint = in.readOptionalString();
         state = in.readOptionalString();
         nonce = in.readOptionalString();
     }
@@ -93,6 +104,7 @@ public void writeTo(StreamOutput out) throws IOException {
         super.writeTo(out);
         out.writeOptionalString(realmName);
         out.writeOptionalString(issuer);
+        out.writeOptionalString(loginHint);
         out.writeOptionalString(state);
         out.writeOptionalString(nonce);
     }
@@ -103,7 +115,8 @@ public void readFrom(StreamInput in) {
     }
 
     public String toString() {
-        return "{realmName=" + realmName + ", issuer=" + issuer +", state=" + state + ", nonce=" + nonce + "}";
+        return "{realmName=" + realmName + ", issuer=" + issuer + ", login_hint=" +
+            loginHint + ", state=" + state + ", nonce=" + nonce + "}";
     }
 
 }
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectPrepareAuthenticationAction.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectPrepareAuthenticationAction.java
@@ -61,17 +61,19 @@ protected void doExecute(Task task, OpenIdConnectPrepareAuthenticationRequest re
         }
 
         if (realm instanceof OpenIdConnectRealm) {
-            prepareAuthenticationResponse((OpenIdConnectRealm) realm, request.getState(), request.getNonce(), listener);
+            prepareAuthenticationResponse((OpenIdConnectRealm) realm, request.getState(), request.getNonce(), request.getLoginHint(),
+                listener);
         } else {
             listener.onFailure(
                 new ElasticsearchSecurityException("Cannot find OpenID Connect realm with name [{}]", request.getRealmName()));
         }
     }
 
-    private void prepareAuthenticationResponse(OpenIdConnectRealm realm, String state, String nonce,
+    private void prepareAuthenticationResponse(OpenIdConnectRealm realm, String state, String nonce, String loginHint,
                                                ActionListener<OpenIdConnectPrepareAuthenticationResponse> listener) {
         try {
-            final OpenIdConnectPrepareAuthenticationResponse authenticationResponse = realm.buildAuthenticationRequestUri(state, nonce);
+            final OpenIdConnectPrepareAuthenticationResponse authenticationResponse =
+                realm.buildAuthenticationRequestUri(state, nonce, loginHint);
             listener.onResponse(authenticationResponse);
         } catch (ElasticsearchException e) {
             listener.onFailure(e);
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealm.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealm.java
@@ -294,23 +294,26 @@ private static String require(RealmConfig config, Setting.AffixSetting<String> s
      *
      * @param existingState An existing state that can be reused or null if we need to generate one
      * @param existingNonce An existing nonce that can be reused or null if we need to generate one
+     * @param loginHint A String with a login hint to add to the authentication request in case of a 3rd party initiated login
      *
      * @return an {@link OpenIdConnectPrepareAuthenticationResponse}
      */
     public OpenIdConnectPrepareAuthenticationResponse buildAuthenticationRequestUri(@Nullable String existingState,
-                                                                                    @Nullable String existingNonce) {
+                                                                                    @Nullable String existingNonce,
+                                                                                    @Nullable String loginHint) {
         final State state = existingState != null ? new State(existingState) : new State();
         final Nonce nonce = existingNonce != null ? new Nonce(existingNonce) : new Nonce();
-        final AuthenticationRequest authenticationRequest = new AuthenticationRequest(
-            opConfiguration.getAuthorizationEndpoint(),
-            rpConfiguration.getResponseType(),
+        final AuthenticationRequest.Builder builder = new AuthenticationRequest.Builder(rpConfiguration.getResponseType(),
             rpConfiguration.getRequestedScope(),
             rpConfiguration.getClientId(),
-            rpConfiguration.getRedirectUri(),
-            state,
-            nonce);
-
-        return new OpenIdConnectPrepareAuthenticationResponse(authenticationRequest.toURI().toString(),
+            rpConfiguration.getRedirectUri())
+            .endpointURI(opConfiguration.getAuthorizationEndpoint())
+            .state(state)
+            .nonce(nonce);
+        if (Strings.hasText(loginHint)) {
+            builder.loginHint(loginHint);
+        }
+        return new OpenIdConnectPrepareAuthenticationResponse(builder.build().toURI().toString(),
             state.getValue(), nonce.getValue());
     }
 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java
@@ -162,15 +162,15 @@ public void testBuildRelyingPartyConfigWithoutOpenIdScope() {
                 Arrays.asList("scope1", "scope2"));
         final OpenIdConnectRealm realm = new OpenIdConnectRealm(buildConfig(settingsBuilder.build()), null,
             null);
-        final OpenIdConnectPrepareAuthenticationResponse response = realm.buildAuthenticationRequestUri(null, null);
+        final OpenIdConnectPrepareAuthenticationResponse response = realm.buildAuthenticationRequestUri(null, null, null);
         final String state = response.getState();
         final String nonce = response.getNonce();
         assertThat(response.getAuthenticationRequestUrl(),
             equalTo("https://op.example.com/login?scope=scope1+scope2+openid&response_type=code" +
                 "&redirect_uri=https%3A%2F%2Frp.my.com%2Fcb&state=" + state + "&nonce=" + nonce + "&client_id=rp-my"));
     }
 
-    public void testBuilidingAuthenticationRequest() {
+    public void testBuildingAuthenticationRequest() {
         final Settings.Builder settingsBuilder = Settings.builder()
             .put(getFullSettingKey(REALM_NAME, OpenIdConnectRealmSettings.OP_AUTHORIZATION_ENDPOINT), "https://op.example.com/login")
             .put(getFullSettingKey(REALM_NAME, OpenIdConnectRealmSettings.OP_TOKEN_ENDPOINT), "https://op.example.com/token")
@@ -185,7 +185,7 @@ public void testBuilidingAuthenticationRequest() {
                 Arrays.asList("openid", "scope1", "scope2"));
         final OpenIdConnectRealm realm = new OpenIdConnectRealm(buildConfig(settingsBuilder.build()), null,
             null);
-        final OpenIdConnectPrepareAuthenticationResponse response = realm.buildAuthenticationRequestUri(null, null);
+        final OpenIdConnectPrepareAuthenticationResponse response = realm.buildAuthenticationRequestUri(null, null, null);
         final String state = response.getState();
         final String nonce = response.getNonce();
         assertThat(response.getAuthenticationRequestUrl(),
@@ -194,7 +194,7 @@ public void testBuilidingAuthenticationRequest() {
     }
 
 
-    public void testBuilidingAuthenticationRequestWithDefaultScope() {
+    public void testBuildingAuthenticationRequestWithDefaultScope() {
         final Settings.Builder settingsBuilder = Settings.builder()
             .put(getFullSettingKey(REALM_NAME, OpenIdConnectRealmSettings.OP_AUTHORIZATION_ENDPOINT), "https://op.example.com/login")
             .put(getFullSettingKey(REALM_NAME, OpenIdConnectRealmSettings.OP_TOKEN_ENDPOINT), "https://op.example.com/token")
@@ -207,14 +207,14 @@ public void testBuilidingAuthenticationRequestWithDefaultScope() {
             .put(getFullSettingKey(REALM_NAME, OpenIdConnectRealmSettings.RP_RESPONSE_TYPE), "code");
         final OpenIdConnectRealm realm = new OpenIdConnectRealm(buildConfig(settingsBuilder.build()), null,
             null);
-        final OpenIdConnectPrepareAuthenticationResponse response = realm.buildAuthenticationRequestUri(null, null);
+        final OpenIdConnectPrepareAuthenticationResponse response = realm.buildAuthenticationRequestUri(null, null, null);
         final String state = response.getState();
         final String nonce = response.getNonce();
         assertThat(response.getAuthenticationRequestUrl(), equalTo("https://op.example.com/login?scope=openid&response_type=code" +
             "&redirect_uri=https%3A%2F%2Frp.my.com%2Fcb&state=" + state + "&nonce=" + nonce + "&client_id=rp-my"));
     }
 
-    public void testBuilidingAuthenticationRequestWithExistingStateAndNonce() {
+    public void testBuildingAuthenticationRequestWithExistingStateAndNonce() {
         final Settings.Builder settingsBuilder = Settings.builder()
             .put(getFullSettingKey(REALM_NAME, OpenIdConnectRealmSettings.OP_AUTHORIZATION_ENDPOINT), "https://op.example.com/login")
             .put(getFullSettingKey(REALM_NAME, OpenIdConnectRealmSettings.OP_TOKEN_ENDPOINT), "https://op.example.com/token")
@@ -229,12 +229,35 @@ public void testBuilidingAuthenticationRequestWithExistingStateAndNonce() {
             null);
         final String state = new State().getValue();
         final String nonce = new Nonce().getValue();
-        final OpenIdConnectPrepareAuthenticationResponse response = realm.buildAuthenticationRequestUri(state, nonce);
+        final OpenIdConnectPrepareAuthenticationResponse response = realm.buildAuthenticationRequestUri(state, nonce, null);
 
         assertThat(response.getAuthenticationRequestUrl(), equalTo("https://op.example.com/login?scope=openid&response_type=code" +
             "&redirect_uri=https%3A%2F%2Frp.my.com%2Fcb&state=" + state + "&nonce=" + nonce + "&client_id=rp-my"));
     }
 
+    public void testBuildingAuthenticationRequestWithLoginHint() {
+        final Settings.Builder settingsBuilder = Settings.builder()
+            .put(getFullSettingKey(REALM_NAME, OpenIdConnectRealmSettings.OP_AUTHORIZATION_ENDPOINT), "https://op.example.com/login")
+            .put(getFullSettingKey(REALM_NAME, OpenIdConnectRealmSettings.OP_TOKEN_ENDPOINT), "https://op.example.com/token")
+            .put(getFullSettingKey(REALM_NAME, OpenIdConnectRealmSettings.OP_ISSUER), "https://op.example.com")
+            .put(getFullSettingKey(REALM_NAME, OpenIdConnectRealmSettings.OP_NAME), "the op")
+            .put(getFullSettingKey(REALM_NAME, OpenIdConnectRealmSettings.OP_JWKSET_PATH), "https://op.example.com/jwks.json")
+            .put(getFullSettingKey(REALM_NAME, OpenIdConnectRealmSettings.PRINCIPAL_CLAIM.getClaim()), "sub")
+            .put(getFullSettingKey(REALM_NAME, OpenIdConnectRealmSettings.RP_REDIRECT_URI), "https://rp.my.com/cb")
+            .put(getFullSettingKey(REALM_NAME, OpenIdConnectRealmSettings.RP_CLIENT_ID), "rp-my")
+            .put(getFullSettingKey(REALM_NAME, OpenIdConnectRealmSettings.RP_RESPONSE_TYPE), "code");
+        final OpenIdConnectRealm realm = new OpenIdConnectRealm(buildConfig(settingsBuilder.build()), null,
+            null);
+        final String state = new State().getValue();
+        final String nonce = new Nonce().getValue();
+        final String thehint = randomAlphaOfLength(8);
+        final OpenIdConnectPrepareAuthenticationResponse response = realm.buildAuthenticationRequestUri(state, nonce, thehint);
+
+        assertThat(response.getAuthenticationRequestUrl(), equalTo("https://op.example.com/login?login_hint=" + thehint +
+            "&scope=openid&response_type=code&redirect_uri=https%3A%2F%2Frp.my.com%2Fcb&state=" +
+            state + "&nonce=" + nonce + "&client_id=rp-my"));
+    }
+
     private AuthenticationResult authenticateWithOidc(UserRoleMapper roleMapper, boolean notPopulateMetadata, boolean useAuthorizingRealm)
         throws Exception {
 

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@ public class OpenIdConnectPrepareAuthenticationRequest extends ActionRequest {`
`30`	`30`	`* issuer to the UA needs to be redirected for authentication`
`31`	`31`	`*/`
`32`	`32`	`private String issuer;`
	`33`	`+ private String loginHint;`
`33`	`34`	`private String state;`
`34`	`35`	`private String nonce;`
`35`	`36`
`@@ -49,6 +50,11 @@ public String getIssuer() {`
`49`	`50`	`return issuer;`
`50`	`51`	`}`
`51`	`52`
	`53`	`+ public String getLoginHint() {`
	`54`	`+ return loginHint;`
	`55`	`+ }`
	`56`	`+`
	`57`	`+`
`52`	`58`	`public void setRealmName(String realmName) {`
`53`	`59`	`this.realmName = realmName;`
`54`	`60`	`}`
`@@ -65,13 +71,18 @@ public void setNonce(String nonce) {`
`65`	`71`	`this.nonce = nonce;`
`66`	`72`	`}`
`67`	`73`
	`74`	`+ public void setLoginHint(String loginHint) {`
	`75`	`+ this.loginHint = loginHint;`
	`76`	`+ }`
	`77`	`+`
`68`	`78`	`public OpenIdConnectPrepareAuthenticationRequest() {`
`69`	`79`	`}`
`70`	`80`
`71`	`81`	`public OpenIdConnectPrepareAuthenticationRequest(StreamInput in) throws IOException {`
`72`	`82`	`super.readFrom(in);`
`73`	`83`	`realmName = in.readOptionalString();`
`74`	`84`	`issuer = in.readOptionalString();`
	`85`	`+ loginHint = in.readOptionalString();`
`75`	`86`	`state = in.readOptionalString();`
`76`	`87`	`nonce = in.readOptionalString();`
`77`	`88`	`}`
`@@ -93,6 +104,7 @@ public void writeTo(StreamOutput out) throws IOException {`
`93`	`104`	`super.writeTo(out);`
`94`	`105`	`out.writeOptionalString(realmName);`
`95`	`106`	`out.writeOptionalString(issuer);`
	`107`	`+ out.writeOptionalString(loginHint);`
`96`	`108`	`out.writeOptionalString(state);`
`97`	`109`	`out.writeOptionalString(nonce);`
`98`	`110`	`}`
`@@ -103,7 +115,8 @@ public void readFrom(StreamInput in) {`
`103`	`115`	`}`
`104`	`116`
`105`	`117`	`public String toString() {`
`106`		`- return "{realmName=" + realmName + ", issuer=" + issuer +", state=" + state + ", nonce=" + nonce + "}";`
	`118`	`+ return "{realmName=" + realmName + ", issuer=" + issuer + ", login_hint=" +`
	`119`	`+ loginHint + ", state=" + state + ", nonce=" + nonce + "}";`
`107`	`120`	`}`
`108`	`121`
`109`	`122`	`}`