Security: cache users in PKI realm (elastic/x-pack-elasticsearch#4428)

The PKI realm has never been a caching realm as the need had not
presented itself until now. The PKI realm relies on role mappings to
map the DN from a certificate to roles so that the users have the
appropriate access permissions. Without caching, this role mapping will
happen on every request. For file based role mappings, this is not an
issue as the mappings are based on equality checks for the DN.

However, the design of the API based role mappings allows for more
complex matches. These matches are implemented using automata, which
are built on every request that needs role mappings. Building automata
is an expensive operation and in combination with the PKI realm's lack
of caching leads to a significant performance impact.

The change in this commit makes the PkiRealm a caching realm using the
same pattern as other caching realms. The cache provided by
elasticsearch core is used to map the fingerprint of a certificate to
the user that was resolved from this certificate. The semantics of
modifications to this cache during iteration requires that we use a
read-write lock to protect access. There can be multiple concurrent
modifications and retrievals but iteration must be protected from any
attempts to modify the cache.

Additionally, some PKI tests were converted to single node tests as
part of this change. One test only used a single node and the other did
not require multiple nodes.

relates elastic/x-pack-elasticsearch#4406

Original commit: elastic/x-pack-elasticsearch@214772e1c1
This commit is contained in:
Jay Modi 2018-04-20 09:53:47 -06:00 committed by GitHub
parent cdf41cffd8
commit 91ab88e86e
11 changed files with 212 additions and 82 deletions

View File

@ -6,7 +6,8 @@ remote authentication service or hitting the disk for every incoming request.
You can configure characteristics of the user cache with the `cache.ttl`,
`cache.max_users`, and `cache.hash_algo` realm settings.
NOTE: PKI realms do not use the user cache.
NOTE: PKI realms do not cache user credentials but do cache the resolved user
object to avoid unnecessarily needing to perform role mapping on each request.
The cached user credentials are hashed in memory. By default, {security} uses a
salted `sha-256` hash algorithm. You can use a different hashing algorithm by

View File

@ -640,6 +640,15 @@ Specifies the {xpack-ref}/security-files.html[location] of the
{xpack-ref}/mapping-roles.html[YAML role mapping configuration file].
Defaults to `CONFIG_DIR/x-pack/role_mapping.yml`.
`cache.ttl`::
Specifies the time-to-live for cached user entries. Use the
standard Elasticsearch {ref}/common-options.html#time-units[time units]).
Defaults to `20m`.
`cache.max_users`::
Specifies the maximum number of user entries that the cache can contain.
Defaults to `100000`.
[[ref-saml-settings]]
[float]
===== SAML Realm Settings

View File

@ -6,6 +6,7 @@
package org.elasticsearch.xpack.core.security.authc.pki;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.xpack.core.security.authc.support.mapper.CompositeRoleMapperSettings;
import org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings;
@ -18,6 +19,11 @@ public final class PkiRealmSettings {
public static final String DEFAULT_USERNAME_PATTERN = "CN=(.*?)(?:,|$)";
public static final Setting<Pattern> USERNAME_PATTERN_SETTING = new Setting<>("username_pattern", DEFAULT_USERNAME_PATTERN,
s -> Pattern.compile(s, Pattern.CASE_INSENSITIVE), Setting.Property.NodeScope);
private static final TimeValue DEFAULT_TTL = TimeValue.timeValueMinutes(20);
public static final Setting<TimeValue> CACHE_TTL_SETTING = Setting.timeSetting("cache.ttl", DEFAULT_TTL, Setting.Property.NodeScope);
private static final int DEFAULT_MAX_USERS = 100_000; //100k users
public static final Setting<Integer> CACHE_MAX_USERS_SETTING = Setting.intSetting("cache.max_users", DEFAULT_MAX_USERS,
Setting.Property.NodeScope);
public static final SSLConfigurationSettings SSL_SETTINGS = SSLConfigurationSettings.withoutPrefix();
private PkiRealmSettings() {}
@ -28,6 +34,8 @@ public final class PkiRealmSettings {
public static Set<Setting<?>> getSettings() {
Set<Setting<?>> settings = new HashSet<>();
settings.add(USERNAME_PATTERN_SETTING);
settings.add(CACHE_TTL_SETTING);
settings.add(CACHE_MAX_USERS_SETTING);
settings.add(SSL_SETTINGS.truststorePath);
settings.add(SSL_SETTINGS.truststorePassword);

View File

@ -0,0 +1,49 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.xpack.security.authc;
import org.apache.lucene.util.BytesRef;
import org.apache.lucene.util.StringHelper;
import java.util.Arrays;
/**
* Simple wrapper around bytes so that it can be used as a cache key. The hashCode is computed
* once upon creation and cached.
*/
public class BytesKey {
final byte[] bytes;
private final int hashCode;
public BytesKey(byte[] bytes) {
this.bytes = bytes;
this.hashCode = StringHelper.murmurhash3_x86_32(bytes, 0, bytes.length, StringHelper.GOOD_FAST_HASH_SEED);
}
@Override
public int hashCode() {
return hashCode;
}
@Override
public boolean equals(Object other) {
if (other == null) {
return false;
}
if (other instanceof BytesKey == false) {
return false;
}
BytesKey otherBytes = (BytesKey) other;
return Arrays.equals(otherBytes.bytes, bytes);
}
@Override
public String toString() {
return new BytesRef(bytes).toString();
}
}

View File

@ -1165,44 +1165,6 @@ public final class TokenService extends AbstractComponent {
}
}
/**
* Simple wrapper around bytes so that it can be used as a cache key. The hashCode is computed
* once upon creation and cached.
*/
static class BytesKey {
final byte[] bytes;
private final int hashCode;
BytesKey(byte[] bytes) {
this.bytes = bytes;
this.hashCode = StringHelper.murmurhash3_x86_32(bytes, 0, bytes.length, StringHelper.GOOD_FAST_HASH_SEED);
}
@Override
public int hashCode() {
return hashCode;
}
@Override
public boolean equals(Object other) {
if (other == null) {
return false;
}
if (other instanceof BytesKey == false) {
return false;
}
BytesKey otherBytes = (BytesKey) other;
return Arrays.equals(otherBytes.bytes, bytes);
}
@Override
public String toString() {
return new BytesRef(bytes).toString();
}
}
/**
* Creates a new key unless present that is newer than the current active key and returns the corresponding metadata. Note:
* this method doesn't modify the metadata used in this token service. See {@link #refreshMetaData(TokenMetaData)}

View File

@ -11,8 +11,12 @@ import org.apache.logging.log4j.util.Supplier;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.cache.Cache;
import org.elasticsearch.common.cache.CacheBuilder;
import org.elasticsearch.common.hash.MessageDigests;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ReleasableLock;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.env.Environment;
import org.elasticsearch.watcher.ResourceWatcherService;
@ -25,32 +29,52 @@ import org.elasticsearch.xpack.core.security.authc.pki.PkiRealmSettings;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.core.ssl.CertUtils;
import org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings;
import org.elasticsearch.xpack.security.authc.BytesKey;
import org.elasticsearch.xpack.security.authc.support.CachingRealm;
import org.elasticsearch.xpack.security.authc.support.UserRoleMapper;
import org.elasticsearch.xpack.security.authc.support.mapper.CompositeRoleMapper;
import org.elasticsearch.xpack.security.authc.support.mapper.NativeRoleMappingStore;
import javax.net.ssl.X509TrustManager;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
public class PkiRealm extends Realm {
public class PkiRealm extends Realm implements CachingRealm {
public static final String PKI_CERT_HEADER_NAME = "__SECURITY_CLIENT_CERTIFICATE";
// For client based cert validation, the auth type must be specified but UNKNOWN is an acceptable value
private static final String AUTH_TYPE = "UNKNOWN";
// the lock is used in an odd manner; when iterating over the cache we cannot have modifiers other than deletes using
// the iterator but when not iterating we can modify the cache without external locking. When making normal modifications to the cache
// the read lock is obtained so that we can allow concurrent modifications; however when we need to iterate over the keys or values of
// the cache the write lock must obtained to prevent any modifications
private final ReleasableLock readLock;
private final ReleasableLock writeLock;
{
final ReadWriteLock iterationLock = new ReentrantReadWriteLock();
readLock = new ReleasableLock(iterationLock.readLock());
writeLock = new ReleasableLock(iterationLock.writeLock());
}
private final X509TrustManager trustManager;
private final Pattern principalPattern;
private final UserRoleMapper roleMapper;
private final Cache<BytesKey, User> cache;
public PkiRealm(RealmConfig config, ResourceWatcherService watcherService, NativeRoleMappingStore nativeRoleMappingStore) {
this(config, new CompositeRoleMapper(PkiRealmSettings.TYPE, config, watcherService, nativeRoleMappingStore));
@ -62,6 +86,10 @@ public class PkiRealm extends Realm {
this.trustManager = trustManagers(config);
this.principalPattern = PkiRealmSettings.USERNAME_PATTERN_SETTING.get(config.settings());
this.roleMapper = roleMapper;
this.cache = CacheBuilder.<BytesKey, User>builder()
.setExpireAfterWrite(PkiRealmSettings.CACHE_TTL_SETTING.get(config.settings()))
.setMaximumWeight(PkiRealmSettings.CACHE_MAX_USERS_SETTING.get(config.settings()))
.build();
}
@Override
@ -77,18 +105,28 @@ public class PkiRealm extends Realm {
@Override
public void authenticate(AuthenticationToken authToken, ActionListener<AuthenticationResult> listener) {
X509AuthenticationToken token = (X509AuthenticationToken)authToken;
if (isCertificateChainTrusted(trustManager, token, logger) == false) {
listener.onResponse(AuthenticationResult.unsuccessful("Certificate for " + token.dn() + " is not trusted", null));
} else {
final Map<String, Object> metadata = Collections.singletonMap("pki_dn", token.dn());
final UserRoleMapper.UserData user = new UserRoleMapper.UserData(token.principal(),
token.dn(), Collections.emptySet(), metadata, this.config);
roleMapper.resolveRoles(user, ActionListener.wrap(
roles -> listener.onResponse(AuthenticationResult.success(
new User(token.principal(), roles.toArray(new String[roles.size()]), null, null, metadata, true)
)),
listener::onFailure
));
try {
final BytesKey fingerprint = computeFingerprint(token.credentials()[0]);
User user = cache.get(fingerprint);
if (user != null) {
listener.onResponse(AuthenticationResult.success(user));
} else if (isCertificateChainTrusted(trustManager, token, logger) == false) {
listener.onResponse(AuthenticationResult.unsuccessful("Certificate for " + token.dn() + " is not trusted", null));
} else {
final Map<String, Object> metadata = Collections.singletonMap("pki_dn", token.dn());
final UserRoleMapper.UserData userData = new UserRoleMapper.UserData(token.principal(),
token.dn(), Collections.emptySet(), metadata, this.config);
roleMapper.resolveRoles(userData, ActionListener.wrap(roles -> {
final User computedUser =
new User(token.principal(), roles.toArray(new String[roles.size()]), null, null, metadata, true);
try (ReleasableLock ignored = readLock.acquire()) {
cache.put(fingerprint, computedUser);
}
listener.onResponse(AuthenticationResult.success(computedUser));
}, listener::onFailure));
}
} catch (CertificateEncodingException e) {
listener.onResponse(AuthenticationResult.unsuccessful("Certificate for " + token.dn() + " has encoding issues", e));
}
}
@ -196,4 +234,29 @@ public class PkiRealm extends Realm {
}
}
@Override
public void expire(String username) {
try (ReleasableLock ignored = writeLock.acquire()) {
Iterator<User> userIterator = cache.values().iterator();
while (userIterator.hasNext()) {
if (userIterator.next().principal().equals(username)) {
userIterator.remove();
// do not break since there is no guarantee username is unique in this realm
}
}
}
}
@Override
public void expireAll() {
try (ReleasableLock ignored = readLock.acquire()) {
cache.invalidateAll();
}
}
private static BytesKey computeFingerprint(X509Certificate certificate) throws CertificateEncodingException {
MessageDigest digest = MessageDigests.sha256();
digest.update(certificate.getEncoded());
return new BytesKey(digest.digest());
}
}

View File

@ -12,6 +12,7 @@ import org.elasticsearch.action.admin.cluster.node.info.NodeInfo;
import org.elasticsearch.action.admin.cluster.node.info.NodesInfoResponse;
import org.elasticsearch.client.Client;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestClientBuilder;
import org.elasticsearch.common.network.NetworkAddress;
import org.elasticsearch.common.settings.MockSecureSettings;
import org.elasticsearch.common.settings.SecureString;
@ -167,6 +168,12 @@ public abstract class SecuritySingleNodeTestCase extends ESSingleNodeTestCase {
return builder.build();
}
protected Settings transportClientSettings() {
return Settings.builder()
.put(customSecuritySettingsSource.transportClientSettings())
.build();
}
@Override
protected Collection<Class<? extends Plugin>> getPlugins() {
return customSecuritySettingsSource.nodePlugins();
@ -271,14 +278,19 @@ public abstract class SecuritySingleNodeTestCase extends ESSingleNodeTestCase {
return getRestClient(client());
}
protected RestClient createRestClient(RestClientBuilder.HttpClientConfigCallback httpClientConfigCallback, String protocol) {
return createRestClient(client(), httpClientConfigCallback, protocol);
}
private static synchronized RestClient getRestClient(Client client) {
if (restClient == null) {
restClient = createRestClient(client);
restClient = createRestClient(client, null, "http");
}
return restClient;
}
private static RestClient createRestClient(Client client) {
private static RestClient createRestClient(Client client, RestClientBuilder.HttpClientConfigCallback httpClientConfigCallback,
String protocol) {
NodesInfoResponse nodesInfoResponse = client.admin().cluster().prepareNodesInfo().get();
assertFalse(nodesInfoResponse.hasFailures());
assertEquals(nodesInfoResponse.getNodes().size(), 1);
@ -286,7 +298,11 @@ public abstract class SecuritySingleNodeTestCase extends ESSingleNodeTestCase {
assertNotNull(node.getHttp());
TransportAddress publishAddress = node.getHttp().address().publishAddress();
InetSocketAddress address = publishAddress.address();
final HttpHost host = new HttpHost(NetworkAddress.format(address.getAddress()), address.getPort(), "http");
return RestClient.builder(host).build();
final HttpHost host = new HttpHost(NetworkAddress.format(address.getAddress()), address.getPort(), protocol);
RestClientBuilder builder = RestClient.builder(host);
if (httpClientConfigCallback != null) {
builder.setHttpClientConfigCallback(httpClientConfigCallback);
}
return builder.build();
}
}

View File

@ -51,7 +51,6 @@ import org.elasticsearch.xpack.core.security.authc.TokenMetaData;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.core.watcher.watch.ClockMock;
import org.elasticsearch.xpack.security.SecurityLifecycleService;
import org.elasticsearch.xpack.security.authc.TokenService.BytesKey;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;

View File

@ -19,9 +19,8 @@ import org.elasticsearch.common.network.NetworkModule;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.http.HttpServerTransport;
import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
import org.elasticsearch.test.SecurityIntegTestCase;
import org.elasticsearch.test.SecuritySettingsSource;
import org.elasticsearch.test.SecuritySingleNodeTestCase;
import org.elasticsearch.transport.Transport;
import org.elasticsearch.xpack.core.TestXPackTransportClient;
import org.elasticsearch.xpack.core.common.socket.SocketAccess;
@ -50,15 +49,14 @@ import static org.hamcrest.Matchers.is;
/**
* Test authentication via PKI on both REST and Transport layers
*/
@ClusterScope(numClientNodes = 0, supportsDedicatedMasters = false, numDataNodes = 1)
public class PkiAuthenticationTests extends SecurityIntegTestCase {
public class PkiAuthenticationTests extends SecuritySingleNodeTestCase {
@Override
protected Settings nodeSettings(int nodeOrdinal) {
protected Settings nodeSettings() {
SSLClientAuth sslClientAuth = randomBoolean() ? SSLClientAuth.REQUIRED : SSLClientAuth.OPTIONAL;
Settings.Builder builder = Settings.builder()
.put(super.nodeSettings(nodeOrdinal))
.put(super.nodeSettings())
.put(NetworkModule.HTTP_ENABLED.getKey(), true)
.put("xpack.security.http.ssl.enabled", true)
.put("xpack.security.http.ssl.client_authentication", sslClientAuth)
@ -80,11 +78,18 @@ public class PkiAuthenticationTests extends SecurityIntegTestCase {
return true;
}
@Override
protected boolean enableWarningsCheck() {
// the transport client uses deprecated SSL settings since we do not know what to do about
// secure settings for the transport client
return false;
}
public void testTransportClientCanAuthenticateViaPki() {
Settings.Builder builder = Settings.builder();
addSSLSettingsForStore(builder, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks", "testnode");
try (TransportClient client = createTransportClient(builder.build())) {
client.addTransportAddress(randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses()));
client.addTransportAddress(randomFrom(node().injector().getInstance(Transport.class).boundAddress().boundAddresses()));
IndexResponse response = client.prepareIndex("foo", "bar").setSource("pki", "auth").get();
assertEquals(DocWriteResponse.Result.CREATED, response.getResult());
}
@ -96,7 +101,7 @@ public class PkiAuthenticationTests extends SecurityIntegTestCase {
*/
public void testTransportClientAuthenticationFailure() {
try (TransportClient client = createTransportClient(Settings.EMPTY)) {
client.addTransportAddress(randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses()));
client.addTransportAddress(randomFrom(node().injector().getInstance(Transport.class).boundAddress().boundAddresses()));
client.prepareIndex("foo", "bar").setSource("pki", "auth").get();
fail("transport client should not have been able to authenticate");
} catch (NoNodeAvailableException e) {
@ -153,14 +158,14 @@ public class PkiAuthenticationTests extends SecurityIntegTestCase {
Settings.Builder builder = Settings.builder().put(clientSettings, false)
.put(additionalSettings)
.put("cluster.name", internalCluster().getClusterName());
.put("cluster.name", node().settings().get("cluster.name"));
builder.remove(SecurityField.USER_SETTING.getKey());
builder.remove("request.headers.Authorization");
return new TestXPackTransportClient(builder.build(), LocalStateSecurity.class);
}
private String getNodeUrl() {
TransportAddress transportAddress = randomFrom(internalCluster().getInstance(HttpServerTransport.class)
TransportAddress transportAddress = randomFrom(node().injector().getInstance(HttpServerTransport.class)
.boundAddress().boundAddresses());
final InetSocketAddress inetSocketAddress = transportAddress.address();
return String.format(Locale.ROOT, "https://%s/", NetworkAddress.format(inetSocketAddress));

View File

@ -13,9 +13,9 @@ import org.elasticsearch.client.RestClient;
import org.elasticsearch.common.network.NetworkModule;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.test.SecurityIntegTestCase;
import org.elasticsearch.test.SecuritySettingsSource;
import org.elasticsearch.test.SecuritySettingsSourceField;
import org.elasticsearch.test.SecuritySingleNodeTestCase;
import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken;
import org.elasticsearch.xpack.core.ssl.SSLClientAuth;
import org.junit.BeforeClass;
@ -31,7 +31,7 @@ import java.security.SecureRandom;
import static org.hamcrest.Matchers.is;
public class PkiOptionalClientAuthTests extends SecurityIntegTestCase {
public class PkiOptionalClientAuthTests extends SecuritySingleNodeTestCase {
private static int randomClientPort;
@ -41,11 +41,11 @@ public class PkiOptionalClientAuthTests extends SecurityIntegTestCase {
}
@Override
protected Settings nodeSettings(int nodeOrdinal) {
protected Settings nodeSettings() {
String randomClientPortRange = randomClientPort + "-" + (randomClientPort+100);
Settings.Builder builder = Settings.builder()
.put(super.nodeSettings(nodeOrdinal))
.put(super.nodeSettings())
.put(NetworkModule.HTTP_ENABLED.getKey(), true)
.put("xpack.security.http.ssl.enabled", true)
.put("xpack.security.http.ssl.client_authentication", SSLClientAuth.OPTIONAL)
@ -74,12 +74,8 @@ public class PkiOptionalClientAuthTests extends SecurityIntegTestCase {
public void testRestClientWithoutClientCertificate() throws Exception {
SSLIOSessionStrategy sessionStrategy = new SSLIOSessionStrategy(getSSLContext());
try (RestClient restClient = createRestClient(httpClientBuilder -> httpClientBuilder.setSSLStrategy(sessionStrategy), "https")) {
try {
restClient.performRequest("GET", "_nodes");
fail("request should have failed");
} catch(ResponseException e) {
assertThat(e.getResponse().getStatusLine().getStatusCode(), is(401));
}
ResponseException e = expectThrows(ResponseException.class, () -> restClient.performRequest("GET", "_nodes"));
assertThat(e.getResponse().getStatusLine().getStatusCode(), is(401));
Response response = restClient.performRequest("GET", "_nodes",
new BasicHeader(UsernamePasswordToken.BASIC_AUTH_HEADER,

View File

@ -48,6 +48,8 @@ import static org.hamcrest.Matchers.notNullValue;
import static org.hamcrest.Matchers.nullValue;
import static org.mockito.Mockito.any;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
public class PkiRealmTests extends ESTestCase {
@ -84,18 +86,19 @@ public class PkiRealmTests extends ESTestCase {
}
public void testAuthenticateBasedOnCertToken() throws Exception {
assertSuccessfulAuthentiation(Collections.emptySet());
assertSuccessfulAuthentication(Collections.emptySet());
}
public void testAuthenticateWithRoleMapping() throws Exception {
final Set<String> roles = new HashSet<>();
roles.add("admin");
roles.add("kibana_user");
assertSuccessfulAuthentiation(roles);
assertSuccessfulAuthentication(roles);
}
private void assertSuccessfulAuthentiation(Set<String> roles) throws Exception {
private void assertSuccessfulAuthentication(Set<String> roles) throws Exception {
String dn = "CN=Elasticsearch Test Node,";
final String expectedUsername = "Elasticsearch Test Node";
X509Certificate certificate = readCert(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
X509AuthenticationToken token = new X509AuthenticationToken(new X509Certificate[] { certificate }, "Elasticsearch Test Node", dn);
UserRoleMapper roleMapper = mock(UserRoleMapper.class);
@ -118,10 +121,29 @@ public class PkiRealmTests extends ESTestCase {
assertThat(result.getStatus(), is(AuthenticationResult.Status.SUCCESS));
User user = result.getUser();
assertThat(user, is(notNullValue()));
assertThat(user.principal(), is("Elasticsearch Test Node"));
assertThat(user.principal(), is(expectedUsername));
assertThat(user.roles(), is(notNullValue()));
assertThat(user.roles().length, is(roles.size()));
assertThat(user.roles(), arrayContainingInAnyOrder(roles.toArray()));
final boolean testCaching = randomBoolean();
final boolean invalidate = testCaching && randomBoolean();
if (testCaching) {
if (invalidate) {
if (randomBoolean()) {
realm.expireAll();
} else {
realm.expire(expectedUsername);
}
}
future = new PlainActionFuture<>();
realm.authenticate(token, future);
assertEquals(AuthenticationResult.Status.SUCCESS, future.actionGet().getStatus());
assertEquals(user, future.actionGet().getUser());
}
final int numTimes = invalidate ? 2 : 1;
verify(roleMapper, times(numTimes)).resolveRoles(any(UserRoleMapper.UserData.class), any(ActionListener.class));
}
public void testCustomUsernamePattern() throws Exception {