retain all user information for a run as request

In the authentication service, we currently copy only the username and roles of the
user that was authenticated, but we should instead preserve all of their information
in the newly created user object. This change does that through the use of a new
constructor in the user class that takes in both users.

Closes elastic/elasticsearch#3877

Original commit: elastic/x-pack-elasticsearch@7455078841
jaymode 2016-10-26 12:03:38 -04:00 committed by Jay Modi
parent ddb032b71c
commit 68c026d273
3 changed files with 13 additions and 2 deletions


@ -283,7 +283,7 @@ public class AuthenticationService extends AbstractComponent {
User runAsUser = realm.lookupUser(runAsUsername);
if (runAsUser != null) {
lookedupBy = new RealmRef(realm.name(), realm.type(), nodeName);
user = new User(user.principal(), user.roles(), runAsUser);
user = new User(user, runAsUser);
return user;
}
}
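Review bot: The only guard before `new User(user, runAsUser)` is `runAsUser != null`, so nothing visible in this hunk rejects a run-as target whose `enabled()` is false. The commit now carries the authenticating user's `enabled` flag onto the wrapper, which makes it easier to assume the effective user was checked as well. The enclosing method starts and ends outside the hunk, so the check may already exist elsewhere. If it does, a comment above the constructor call would record it, e.g. `// the run-as user's enabled state is verified in <method>, not here`. If it does not, the lookup result should be tested for `runAsUser.enabled()` before it is wrapped.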


@ -43,6 +43,10 @@ public class User implements ToXContent {
this(username, roles, null, null, null, true, runAs);
}
public User(User user, User runAs) {
this(user.principal(), user.roles(), user.fullName(), user.email(), user.metadata(), user.enabled(), runAs);
}
public User(String username, String[] roles, String fullName, String email, Map<String, Object> metadata, boolean enabled) {
this.username = username;
this.roles = roles == null ? Strings.EMPTY_ARRAY : roles;
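Review bot: The new `User(User user, User runAs)` constructor has no Javadoc, and its signature does not show that a run-as user already set on the first argument is dropped in favour of the `runAs` parameter. A one-line comment would state the contract, e.g. `/** Copies every attribute of {@code user} and attaches {@code runAs}; a run-as user already present on {@code user} is not carried over. */`. It also passes `user.roles()` and `user.metadata()` by reference. The visible part of the full constructor stores `roles` without copying, and its body continues outside this hunk, so whether `metadata` is copied cannot be seen here. If it is not, the authenticated user and the run-as wrapper share mutable state, which is worth confirming.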


@ -629,7 +629,9 @@ public class AuthenticationServiceTests extends ESTestCase {
threadContext.putHeader(AuthenticationService.RUN_AS_USER_HEADER, "run_as");
when(secondRealm.token(threadContext)).thenReturn(token);
when(secondRealm.supports(token)).thenReturn(true);
when(secondRealm.authenticate(token)).thenReturn(new User("lookup user", new String[]{"user"}));
final User user = new User("lookup user", new String[]{"user"}, "lookup user", "lookup@foo.foo",
Collections.singletonMap("foo", "bar"), true);
when(secondRealm.authenticate(token)).thenReturn(user);
when(secondRealm.lookupUser("run_as")).thenReturn(new User("looked up user", new String[]{"some role"}));
when(secondRealm.userLookupSupported()).thenReturn(true);
@ -646,6 +648,11 @@ public class AuthenticationServiceTests extends ESTestCase {
assertThat(authenticated.runAs(), is(notNullValue()));
assertThat(authenticated.principal(), is("lookup user"));
assertThat(authenticated.roles(), arrayContaining("user"));
assertEquals(user.metadata(), authenticated.metadata());
assertEquals(user.email(), authenticated.email());
assertEquals(user.enabled(), authenticated.enabled());
assertEquals(user.fullName(), authenticated.fullName());
assertThat(authenticated.runAs().principal(), is("looked up user"));
assertThat(authenticated.runAs().roles(), arrayContaining("some role"));
assertThreadContextContainsAuthentication(result);
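Review bot: `assertEquals(user.enabled(), authenticated.enabled())` in the second hunk cannot tell the new behaviour from the old. The fixture is built with `true`, and the constructor call previously used in the service appears to hard-code `true` for the same field (`this(username, roles, null, null, null, true, runAs)` in User). The metadata, email and full-name assertions do discriminate, so only the enabled check is affected. If a disabled authenticated user can reach the run-as path in this test setup, a second case built with `false` would pin the flag. Otherwise a comment such as `// enabled is always true here; disabled users are rejected before run-as lookup` would explain why the assertion is kept. The test method starts and ends outside both hunks.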