Skip to content

Commit

Permalink
Remove deprecated Authentication#getUser (#91069)
Browse files Browse the repository at this point in the history
This PR removes the deprecated Authentication#getUser method and
replaces its usages with #getEffectiveSubject#getUser.

Relates: #88494
  • Loading branch information
ywangd authored Oct 25, 2022
1 parent ffdc341 commit d3a781c
Show file tree
Hide file tree
Showing 53 changed files with 186 additions and 159 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ private void hasCancelTaskPrivilegeAsync(Consumer<Boolean> consumer) {
final Authentication current = store.getSecurityContext().getAuthentication();
if (current != null) {
HasPrivilegesRequest req = new HasPrivilegesRequest();
req.username(current.getUser().principal());
req.username(current.getEffectiveSubject().getUser().principal());
req.clusterPrivileges(ClusterPrivilegeResolver.CANCEL_TASK.name());
req.indexPrivileges(new RoleDescriptor.IndicesPrivileges[] {});
req.applicationPrivileges(new RoleDescriptor.ApplicationResourcePrivileges[] {});
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ public User requireUser() {
@Nullable
public User getUser() {
Authentication authentication = getAuthentication();
return authentication == null ? null : authentication.getUser();
return authentication == null ? null : authentication.getEffectiveSubject().getUser();
}

/** Returns the authentication information, or null if the current request has no authentication info. */
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ public OpenIdConnectAuthenticateResponse(
String refreshTokenString,
TimeValue expiresIn
) {
this.principal = authentication.getUser().principal();
this.principal = authentication.getEffectiveSubject().getUser().principal();
;
this.accessTokenString = accessTokenString;
this.refreshTokenString = refreshTokenString;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ public SamlAuthenticateResponse(StreamInput in) throws IOException {
}

public SamlAuthenticateResponse(Authentication authentication, String tokenString, String refreshToken, TimeValue expiresIn) {
this.principal = authentication.getUser().principal();
this.principal = authentication.getEffectiveSubject().getUser().principal();
this.realm = authentication.getAuthenticatedBy().getName();
this.tokenString = tokenString;
this.refreshToken = refreshToken;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -167,14 +167,6 @@ public boolean isRunAs() {
return authenticatingSubject != effectiveSubject;
}

/**
* Use {@code getEffectiveSubject().getUser()} instead.
*/
@Deprecated
public User getUser() {
return effectiveSubject.getUser();
}

/**
* Use {@code getAuthenticatingSubject().getRealm()} instead.
*/
Expand Down Expand Up @@ -313,8 +305,8 @@ public Authentication token() {
public Authentication maybeAddAnonymousRoles(@Nullable AnonymousUser anonymousUser) {
final boolean shouldAddAnonymousRoleNames = anonymousUser != null
&& anonymousUser.enabled()
&& false == anonymousUser.equals(getUser())
&& false == User.isInternal(getUser())
&& false == anonymousUser.equals(getEffectiveSubject().getUser())
&& false == User.isInternal(getEffectiveSubject().getUser())
&& false == isApiKey()
&& false == isServiceAccount();

Expand All @@ -326,7 +318,7 @@ public Authentication maybeAddAnonymousRoles(@Nullable AnonymousUser anonymousUs
if (anonymousUser.roles().length == 0) {
throw new IllegalStateException("anonymous is only enabled when the anonymous user has roles");
}
final String[] allRoleNames = ArrayUtils.concat(getUser().roles(), anonymousUser.roles());
final String[] allRoleNames = ArrayUtils.concat(getEffectiveSubject().getUser().roles(), anonymousUser.roles());

if (isRunAs()) {
final User user = effectiveSubject.getUser();
Expand Down Expand Up @@ -425,7 +417,7 @@ public boolean supportsRunAs(@Nullable AnonymousUser anonymousUser) {

// There is no reason for internal users to run-as. This check prevents either internal user itself
// or a token created for it (though no such thing in current code) to run-as.
if (User.isInternal(getUser())) {
if (User.isInternal(getEffectiveSubject().getUser())) {
return false;
}

Expand All @@ -441,7 +433,7 @@ public boolean supportsRunAs(@Nullable AnonymousUser anonymousUser) {
// Also, if anonymous access is disabled or anonymous username, roles are changed after the token is created.
// Should we still consider the token being created by an anonymous user which is now different from the new
// anonymous user?
if (getUser().equals(anonymousUser)) {
if (getEffectiveSubject().getUser().equals(anonymousUser)) {
assert ANONYMOUS_REALM_TYPE.equals(getAuthenticatingSubject().getRealm().getType())
&& ANONYMOUS_REALM_NAME.equals(getAuthenticatingSubject().getRealm().getName());
return false;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ public Authentication getAuthentication() {
}

public User getUser() {
return authentication.getUser();
return authentication.getEffectiveSubject().getUser();
}

public <T> T execute(Function<ThreadContext.StoredContext, T> body) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -142,7 +142,7 @@ private static boolean checkIfUserIsOwnerOfApiKeys(
} else if (ownedByAuthenticatedUser) {
return true;
} else if (Strings.hasText(username) && Strings.hasText(realmName)) {
if (false == username.equals(authentication.getUser().principal())) {
if (false == username.equals(authentication.getEffectiveSubject().getUser().principal())) {
return false;
}
RealmDomain domain = authentication.getSourceRealm().getDomain();
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -270,7 +270,7 @@ public static String getUsernameFromWatch(Watch watch) throws IOException {
String header = watch.status().getHeaders().get(AuthenticationField.AUTHENTICATION_KEY);
if (header != null) {
Authentication auth = AuthenticationContextSerializer.decode(header);
return auth.getUser().principal();
return auth.getEffectiveSubject().getUser().principal();
}
}
return null;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -455,14 +455,14 @@ public void testGetPersistableSafeSecurityHeaders() throws IOException {
headers2.get(AuthenticationField.AUTHENTICATION_KEY)
);
assertThat(rewrittenAuth.getEffectiveSubject().getVersion(), equalTo(previousVersion));
assertThat(rewrittenAuth.getUser(), equalTo(authentication.getUser()));
assertThat(rewrittenAuth.getEffectiveSubject().getUser(), equalTo(authentication.getEffectiveSubject().getUser()));
}
if (hasSecondaryAuthHeader) {
final Authentication rewrittenSecondaryAuth = AuthenticationContextSerializer.decode(
headers2.get(SecondaryAuthentication.THREAD_CTX_KEY)
);
assertThat(rewrittenSecondaryAuth.getEffectiveSubject().getVersion(), equalTo(previousVersion));
assertThat(rewrittenSecondaryAuth.getUser(), equalTo(authentication.getUser()));
assertThat(rewrittenSecondaryAuth.getEffectiveSubject().getUser(), equalTo(authentication.getEffectiveSubject().getUser()));
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -209,7 +209,7 @@ private static User stripRoles(User user) {
}

public static String randomInternalUsername() {
return builder().internal().build(false).getUser().principal();
return builder().internal().build(false).getEffectiveSubject().getUser().principal();
}

/**
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -146,8 +146,8 @@ public void testClusterStarted() {
final AuthenticateResponse authenticate = client().execute(AuthenticateAction.INSTANCE, AuthenticateRequest.INSTANCE)
.actionGet(10, TimeUnit.SECONDS);
assertThat(authenticate.authentication(), notNullValue());
assertThat(authenticate.authentication().getUser(), notNullValue());
assertThat(authenticate.authentication().getUser().enabled(), is(true));
assertThat(authenticate.authentication().getEffectiveSubject().getUser(), notNullValue());
assertThat(authenticate.authentication().getEffectiveSubject().getUser().enabled(), is(true));
}

}
Original file line number Diff line number Diff line change
Expand Up @@ -744,7 +744,7 @@ public void testOperationsOnReservedUsers() throws Exception {
AuthenticateResponse authenticateResponse = client().filterWithHeader(
Collections.singletonMap("Authorization", basicAuthHeaderValue(username, getReservedPassword()))
).execute(AuthenticateAction.INSTANCE, AuthenticateRequest.INSTANCE).get();
assertThat(authenticateResponse.authentication().getUser().principal(), is(username));
assertThat(authenticateResponse.authentication().getEffectiveSubject().getUser().principal(), is(username));
assertThat(authenticateResponse.authentication().getAuthenticatedBy().getName(), equalTo("reserved"));
assertThat(authenticateResponse.authentication().getAuthenticatedBy().getType(), equalTo("reserved"));
assertNull(authenticateResponse.authentication().getLookedUpBy());
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -165,7 +165,10 @@ public void testValidateSearchContext() throws Exception {
threadContext.putTransient(ORIGINATING_ACTION_KEY, "action");
threadContext.putTransient(
AUTHORIZATION_INFO_KEY,
(AuthorizationInfo) () -> Collections.singletonMap(PRINCIPAL_ROLES_FIELD_NAME, authentication.getUser().roles())
(AuthorizationInfo) () -> Collections.singletonMap(
PRINCIPAL_ROLES_FIELD_NAME,
authentication.getEffectiveSubject().getUser().roles()
)
);
final InternalScrollSearchRequest request = new InternalScrollSearchRequest();
SearchContextMissingException expected = expectThrows(
Expand All @@ -179,7 +182,7 @@ public void testValidateSearchContext() throws Exception {
eq(authentication),
eq("action"),
eq(request),
authzInfoRoles(authentication.getUser().roles())
authzInfoRoles(authentication.getEffectiveSubject().getUser().roles())
);
}

Expand Down Expand Up @@ -216,7 +219,10 @@ public void testValidateSearchContext() throws Exception {
threadContext.putTransient(ORIGINATING_ACTION_KEY, "action");
threadContext.putTransient(
AUTHORIZATION_INFO_KEY,
(AuthorizationInfo) () -> Collections.singletonMap(PRINCIPAL_ROLES_FIELD_NAME, authentication.getUser().roles())
(AuthorizationInfo) () -> Collections.singletonMap(
PRINCIPAL_ROLES_FIELD_NAME,
authentication.getEffectiveSubject().getUser().roles()
)
);
final InternalScrollSearchRequest request = new InternalScrollSearchRequest();
SearchContextMissingException expected = expectThrows(
Expand All @@ -230,7 +236,7 @@ public void testValidateSearchContext() throws Exception {
eq(authentication),
eq("action"),
eq(request),
authzInfoRoles(authentication.getUser().roles())
authzInfoRoles(authentication.getEffectiveSubject().getUser().roles())
);
}
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -101,7 +101,7 @@ public void testKibanaEnrollmentTokenCreation() throws Exception {
);
final AuthenticateResponse authenticateResponse1 = apiKeyClient.execute(AuthenticateAction.INSTANCE, AuthenticateRequest.INSTANCE)
.actionGet();
assertThat(authenticateResponse1.authentication().getUser().principal(), equalTo("_xpack_security"));
assertThat(authenticateResponse1.authentication().getEffectiveSubject().getUser().principal(), equalTo("_xpack_security"));

final KibanaEnrollmentResponse kibanaEnrollmentResponse = apiKeyClient.execute(
KibanaEnrollmentAction.INSTANCE,
Expand All @@ -115,6 +115,6 @@ public void testKibanaEnrollmentTokenCreation() throws Exception {

final AuthenticateResponse authenticateResponse2 = kibanaClient.execute(AuthenticateAction.INSTANCE, AuthenticateRequest.INSTANCE)
.actionGet();
assertThat(authenticateResponse2.authentication().getUser().principal(), equalTo("elastic/kibana"));
assertThat(authenticateResponse2.authentication().getEffectiveSubject().getUser().principal(), equalTo("elastic/kibana"));
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ protected void doExecute(Task task, GetApiKeyRequest request, ActionListener<Get
assert username == null;
assert realms == null;
// restrict username and realm to current authenticated user.
username = authentication.getUser().principal();
username = authentication.getEffectiveSubject().getUser().principal();
realms = ApiKeyService.getOwnersRealmNames(authentication);
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ protected void doExecute(Task task, InvalidateApiKeyRequest request, ActionListe
assert username == null;
assert realms == null;
// restrict username and realm to current authenticated user.
username = authentication.getUser().principal();
username = authentication.getEffectiveSubject().getUser().principal();
realms = ApiKeyService.getOwnersRealmNames(authentication);
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@ protected void doExecute(Task task, OpenIdConnectLogoutRequest request, ActionLi
if (logger.isTraceEnabled()) {
logger.trace(
"OpenID Connect Logout for user [{}] and token [{}...{}]",
authentication.getUser().principal(),
authentication.getEffectiveSubject().getUser().principal(),
token.substring(0, 8),
token.substring(token.length() - 8)
);
Expand Down Expand Up @@ -103,7 +103,7 @@ private void validateAuthenticationAndMetadata(Authentication authentication, Ma
if (authentication == null) {
throw new ElasticsearchSecurityException("No active authentication");
}
final User user = authentication.getUser();
final User user = authentication.getEffectiveSubject().getUser();
if (user == null) {
throw new ElasticsearchSecurityException("No active user");
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,7 @@ protected void doExecute(Task task, SamlLogoutRequest request, ActionListener<Sa
if (logger.isTraceEnabled()) {
logger.trace(
"SAML Logout User [{}], Token [{}...{}]",
authentication.getUser().principal(),
authentication.getEffectiveSubject().getUser().principal(),
token.substring(0, 8),
token.substring(token.length() - 8)
);
Expand All @@ -91,7 +91,7 @@ private SamlLogoutResponse buildResponse(Authentication authentication, Map<Stri
if (authentication == null) {
throw SamlUtils.samlException("No active authentication");
}
final User user = authentication.getUser();
final User user = authentication.getEffectiveSubject().getUser();
if (user == null) {
throw SamlUtils.samlException("No active user");
}
Expand Down
Loading

0 comments on commit d3a781c

Please sign in to comment.