test: add a simple test for reserved realm authentication

See elastic/elasticsearch#2089

Original commit: elastic/x-pack-elasticsearch@1bede0a206

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/esnative/ReservedRealmTests.java

@@ -131,4 +131,20 @@ public class ReservedRealmTests extends ESTestCase {
 
         assertThat(ReservedRealm.users(), containsInAnyOrder((User) XPackUser.INSTANCE, KibanaUser.INSTANCE));
     }
+
+    public void testFailedAuthentication() {
+        final ReservedRealm reservedRealm = new ReservedRealm(mock(Environment.class), Settings.EMPTY, usersStore);
+        // maybe cache a successful auth
+        if (randomBoolean()) {
+            User user = reservedRealm.authenticate(new UsernamePasswordToken(XPackUser.NAME, new SecuredString("changeme".toCharArray())));
+            assertThat(user, sameInstance(XPackUser.INSTANCE));
+        }
+
+        try {
+            reservedRealm.authenticate(new UsernamePasswordToken(XPackUser.NAME, new SecuredString("foobar".toCharArray())));
+            fail("authentication should throw an exception otherwise we may allow others to impersonate reserved users...");
+        } catch (ElasticsearchSecurityException e) {
+            assertThat(e.getMessage(), containsString("failed to authenticate"));
+        }
+    }
 }