Populate OpenIDConnect metadata collections (#50893)

The OpenIdConnectRealm had a bug which would cause it not to populate
User metadata for collections contained in the user JWT claims.

This commit fixes that bug.

Backport of: #50521
This commit is contained in:
Tim Vernum 2020-01-13 18:02:22 +11:00 committed by GitHub
parent fa116a6d26
commit 985c95dcca
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 2 deletions

View File

@ -49,6 +49,7 @@ import org.elasticsearch.xpack.security.authc.support.UserRoleMapper;
import java.net.URI; import java.net.URI;
import java.net.URISyntaxException; import java.net.URISyntaxException;
import java.util.Collection;
import java.util.Collections; import java.util.Collections;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
@ -218,7 +219,7 @@ public class OpenIdConnectRealm extends Realm implements Releasable {
*/ */
Set<Map.Entry> allowedEntries = claimsMap.entrySet().stream().filter(entry -> { Set<Map.Entry> allowedEntries = claimsMap.entrySet().stream().filter(entry -> {
Object v = entry.getValue(); Object v = entry.getValue();
return (v instanceof String || v instanceof Boolean || v instanceof Number || v instanceof Collections); return (v instanceof String || v instanceof Boolean || v instanceof Number || v instanceof Collection);
}).collect(Collectors.toSet()); }).collect(Collectors.toSet());
for (Map.Entry entry : allowedEntries) { for (Map.Entry entry : allowedEntries) {
userMetadata.put("oidc(" + entry.getKey() + ")", entry.getValue()); userMetadata.put("oidc(" + entry.getKey() + ")", entry.getValue());

View File

@ -16,7 +16,6 @@ import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.env.Environment; import org.elasticsearch.env.Environment;
import org.elasticsearch.env.TestEnvironment; import org.elasticsearch.env.TestEnvironment;
import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectLogoutResponse; import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectLogoutResponse;
import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectPrepareAuthenticationResponse; import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectPrepareAuthenticationResponse;
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult; import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
@ -31,6 +30,7 @@ import org.hamcrest.Matchers;
import org.junit.Before; import org.junit.Before;
import java.util.Arrays; import java.util.Arrays;
import java.util.Collection;
import java.util.Collections; import java.util.Collections;
import java.util.Date; import java.util.Date;
import java.util.HashSet; import java.util.HashSet;
@ -43,6 +43,7 @@ import static java.time.Instant.now;
import static org.elasticsearch.xpack.core.security.authc.RealmSettings.getFullSettingKey; import static org.elasticsearch.xpack.core.security.authc.RealmSettings.getFullSettingKey;
import static org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectRealm.CONTEXT_TOKEN_DATA; import static org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectRealm.CONTEXT_TOKEN_DATA;
import static org.hamcrest.Matchers.arrayContainingInAnyOrder; import static org.hamcrest.Matchers.arrayContainingInAnyOrder;
import static org.hamcrest.Matchers.contains;
import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.instanceOf; import static org.hamcrest.Matchers.instanceOf;
@ -91,6 +92,10 @@ public class OpenIdConnectRealmTests extends OpenIdConnectTestCase {
} else { } else {
assertThat(result.getUser().metadata().get("oidc(iss)"), equalTo("https://op.company.org")); assertThat(result.getUser().metadata().get("oidc(iss)"), equalTo("https://op.company.org"));
assertThat(result.getUser().metadata().get("oidc(name)"), equalTo("Clinton Barton")); assertThat(result.getUser().metadata().get("oidc(name)"), equalTo("Clinton Barton"));
final Object groups = result.getUser().metadata().get("oidc(groups)");
assertThat(groups, notNullValue());
assertThat(groups, instanceOf(Collection.class));
assertThat((Collection<?>) groups, contains("group1", "group2", "groups3"));
} }
} }