From 1ef61a59ff86cd57e0b0f637bd86908562ce1b6c Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Thu, 24 Oct 2019 08:52:09 +0300 Subject: [PATCH] Add populate_user_metadata in OIDC realm (#48357) Make populate_user_metadata configuration parameter available in the OpenID Connect authentication realm Resolves: #48217 --- .../security/authc/oidc/OpenIdConnectRealmSettings.java | 4 ++-- .../xpack/security/authc/oidc/OpenIdConnectRealmTests.java | 7 ++++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/oidc/OpenIdConnectRealmSettings.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/oidc/OpenIdConnectRealmSettings.java index d4d45ef0a3cbc..90a98d29217dd 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/oidc/OpenIdConnectRealmSettings.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/oidc/OpenIdConnectRealmSettings.java @@ -150,8 +150,8 @@ public static Set> getSettings() { final Set> set = Sets.newHashSet( RP_CLIENT_ID, RP_REDIRECT_URI, RP_RESPONSE_TYPE, RP_REQUESTED_SCOPES, RP_CLIENT_SECRET, RP_SIGNATURE_ALGORITHM, RP_POST_LOGOUT_REDIRECT_URI, OP_AUTHORIZATION_ENDPOINT, OP_TOKEN_ENDPOINT, OP_USERINFO_ENDPOINT, - OP_ENDSESSION_ENDPOINT, OP_ISSUER, OP_JWKSET_PATH, HTTP_CONNECT_TIMEOUT, HTTP_CONNECTION_READ_TIMEOUT, HTTP_SOCKET_TIMEOUT, - HTTP_MAX_CONNECTIONS, HTTP_MAX_ENDPOINT_CONNECTIONS, ALLOWED_CLOCK_SKEW); + OP_ENDSESSION_ENDPOINT, OP_ISSUER, OP_JWKSET_PATH, POPULATE_USER_METADATA, HTTP_CONNECT_TIMEOUT, HTTP_CONNECTION_READ_TIMEOUT, + HTTP_SOCKET_TIMEOUT, HTTP_MAX_CONNECTIONS, HTTP_MAX_ENDPOINT_CONNECTIONS, ALLOWED_CLOCK_SKEW); set.addAll(DelegatedAuthorizationSettings.getSettings(TYPE)); set.addAll(RealmSettings.getStandardSettings(TYPE)); set.addAll(SSLConfigurationSettings.getRealmSettings(TYPE)); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java index 8b0a435101a0a..58e3a69da5be4 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java @@ -23,7 +23,6 @@ import org.elasticsearch.xpack.core.security.authc.Realm; import org.elasticsearch.xpack.core.security.authc.RealmConfig; import org.elasticsearch.xpack.core.security.authc.oidc.OpenIdConnectRealmSettings; -import org.elasticsearch.xpack.core.security.authc.saml.SamlRealmSettings; import org.elasticsearch.xpack.core.security.authc.support.DelegatedAuthorizationSettings; import org.elasticsearch.xpack.core.security.user.User; import org.elasticsearch.xpack.security.authc.support.MockLookupRealm; @@ -87,7 +86,9 @@ public void testAuthentication() throws Exception { assertThat(result.getUser().email(), equalTo("cbarton@shield.gov")); assertThat(result.getUser().fullName(), equalTo("Clinton Barton")); assertThat(result.getUser().roles(), arrayContainingInAnyOrder("kibana_user", "role1")); - if (notPopulateMetadata == false) { + if (notPopulateMetadata) { + assertThat(result.getUser().metadata().size(), equalTo(0)); + } else { assertThat(result.getUser().metadata().get("oidc(iss)"), equalTo("https://op.company.org")); assertThat(result.getUser().metadata().get("oidc(name)"), equalTo("Clinton Barton")); } @@ -308,7 +309,7 @@ private AuthenticationResult authenticateWithOidc(String principal, UserRoleMapp final Settings.Builder builder = getBasicRealmSettings(); if (notPopulateMetadata) { - builder.put(getFullSettingKey(REALM_NAME, SamlRealmSettings.POPULATE_USER_METADATA), + builder.put(getFullSettingKey(REALM_NAME, OpenIdConnectRealmSettings.POPULATE_USER_METADATA), false); } if (useAuthorizingRealm) {