Introduce PKI authentication provider.

src/core/server/http/http_server.mocks.ts

@@ -18,6 +18,7 @@
  */
 import { Request } from 'hapi';
 import { merge } from 'lodash';
+import { Socket } from 'net';
 
 import querystring from 'querystring';
 
@@ -37,6 +38,7 @@ interface RequestFixtureOptions {
   query?: Record<string, any>;
   path?: string;
   method?: RouteMethod;
+  socket?: Socket;
 }
 
 function createKibanaRequestMock({
@@ -46,6 +48,7 @@ function createKibanaRequestMock({
   body = {},
   query = {},
   method = 'get',
+  socket = new Socket(),
 }: RequestFixtureOptions = {}) {
   const queryString = querystring.stringify(query);
   return KibanaRequest.from(
@@ -63,7 +66,7 @@ function createKibanaRequestMock({
       },
       route: { settings: {} },
       raw: {
-        req: {},
+        req: { socket },
       },
     } as any,
     {

x-pack/legacy/server/lib/esjs_shield_plugin.js

@@ -516,5 +516,21 @@
         fmt: '/_security/api_key',
       },
     });
+
+    /**
+     * Gets an access token in exchange to the certificate chain for the target subject distinguished name.
+     *
+     * @param {string[]} x509_certificate_chain An ordered array of base64-encoded (Section 4 of RFC4648 - not
+     * base64url-encoded) DER PKIX certificate values.
+     *
+     * @returns {{access_token: string, type: string, expires_in: number}}
+     */
+    shield.delegatePKI = ca({
+      method: 'POST',
+      needBody: true,
+      url: {
+        fmt: '/_security/delegate_pki',
+      },
+    });
   };
 }));

x-pack/plugins/security/server/authentication/authenticator.ts

@@ -25,6 +25,7 @@ import {
   SAMLAuthenticationProvider,
   TokenAuthenticationProvider,
   OIDCAuthenticationProvider,
+  PKIAuthenticationProvider,
   isSAMLRequestQuery,
 } from './providers';
 import { AuthenticationResult } from './authentication_result';
@@ -98,6 +99,7 @@ const providerMap = new Map<
   ['saml', SAMLAuthenticationProvider],
   ['token', TokenAuthenticationProvider],
   ['oidc', OIDCAuthenticationProvider],
+  ['pki', PKIAuthenticationProvider],
 ]);
 
 function assertRequest(request: KibanaRequest) {

x-pack/plugins/security/server/authentication/providers/base.mock.ts

@@ -7,12 +7,20 @@
 import sinon from 'sinon';
 import { ScopedClusterClient } from '../../../../../../src/core/server';
 import { Tokens } from '../tokens';
-import { loggingServiceMock, httpServiceMock } from '../../../../../../src/core/server/mocks';
+import {
+  loggingServiceMock,
+  httpServiceMock,
+  elasticsearchServiceMock,
+} from '../../../../../../src/core/server/mocks';
 
 export type MockAuthenticationProviderOptions = ReturnType<
   typeof mockAuthenticationProviderOptions
 >;
 
+export type MockAuthenticationProviderOptionsWithJest = ReturnType<
+  typeof mockAuthenticationProviderOptionsWithJest
+>;
+
 export function mockScopedClusterClient(
   client: MockAuthenticationProviderOptions['client'],
   requestMatcher: sinon.SinonMatcher = sinon.match.any
@@ -34,3 +42,16 @@ export function mockAuthenticationProviderOptions() {
     tokens: sinon.createStubInstance(Tokens),
   };
 }
+
+// Will be renamed to mockAuthenticationProviderOptions as soon as we migrate all providers tests to Jest.
+export function mockAuthenticationProviderOptionsWithJest() {
+  const basePath = httpServiceMock.createSetupContract().basePath;
+  basePath.get.mockReturnValue('/base-path');
+
+  return {
+    client: elasticsearchServiceMock.createClusterClient(),
+    logger: loggingServiceMock.create().get(),
+    basePath,
+    tokens: { refresh: jest.fn(), invalidate: jest.fn() },
+  };
+}

x-pack/plugins/security/server/authentication/providers/index.ts

@@ -14,3 +14,4 @@ export { KerberosAuthenticationProvider } from './kerberos';
 export { SAMLAuthenticationProvider, isSAMLRequestQuery } from './saml';
 export { TokenAuthenticationProvider } from './token';
 export { OIDCAuthenticationProvider, OIDCAuthenticationFlow } from './oidc';
+export { PKIAuthenticationProvider } from './pki';