Support mustache templates in role mappings (#40571)

This adds a new `role_templates` field to role mappings that is an
alternative to the existing roles field.

These templates are evaluated at runtime to determine which roles should be
granted to a user.
For example, it is possible to specify:

    "role_templates": [
      { "template":{ "source": "_user_{{username}}" } }
    ]

which would mean that every user is assigned to their own role based on
their username.

You may not specify both roles and role_templates in the same role
mapping.

This commit adds support for templates to the role mapping API, the role
mapping engine, the Java high level rest client, and Elasticsearch
documentation.

Due to the lack of caching in our role mapping store, it is currently
inefficient to use a large number of templated role mappings. This will be
addressed in a future change.

Backport of: #39984, #40504

Author: tvernum

client/rest-high-level/src/main/java/org/elasticsearch/client/security/ExpressionRoleMapping.java

@@ -29,8 +29,10 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 
 import static org.elasticsearch.common.xcontent.ConstructingObjectParser.constructorArg;
+import static org.elasticsearch.common.xcontent.ConstructingObjectParser.optionalConstructorArg;
 
 /**
  * A representation of a single role-mapping.
@@ -42,20 +44,22 @@ public final class ExpressionRoleMapping {
 
     @SuppressWarnings("unchecked")
     static final ConstructingObjectParser<ExpressionRoleMapping, String> PARSER = new ConstructingObjectParser<>("role-mapping", true,
-            (args, name) -> new ExpressionRoleMapping(name, (RoleMapperExpression) args[0], (List<String>) args[1],
-                    (Map<String, Object>) args[2], (boolean) args[3]));
+        (args, name) -> new ExpressionRoleMapping(name, (RoleMapperExpression) args[0], (List<String>) args[1],
+            (List<TemplateRoleName>) args[2], (Map<String, Object>) args[3], (boolean) args[4]));
 
     static {
         PARSER.declareField(constructorArg(), (parser, context) -> RoleMapperExpressionParser.fromXContent(parser), Fields.RULES,
                 ObjectParser.ValueType.OBJECT);
-        PARSER.declareStringArray(constructorArg(), Fields.ROLES);
+        PARSER.declareStringArray(optionalConstructorArg(), Fields.ROLES);
+        PARSER.declareObjectArray(optionalConstructorArg(), (parser, ctx) -> TemplateRoleName.fromXContent(parser), Fields.ROLE_TEMPLATES);
         PARSER.declareField(constructorArg(), XContentParser::map, Fields.METADATA, ObjectParser.ValueType.OBJECT);
         PARSER.declareBoolean(constructorArg(), Fields.ENABLED);
     }
 
     private final String name;
     private final RoleMapperExpression expression;
     private final List<String> roles;
+    private final List<TemplateRoleName> roleTemplates;
     private final Map<String, Object> metadata;
     private final boolean enabled;
 
@@ -70,10 +74,11 @@ public final class ExpressionRoleMapping {
      * @param enabled a flag when {@code true} signifies the role mapping is active
      */
     public ExpressionRoleMapping(final String name, final RoleMapperExpression expr, final List<String> roles,
-            final Map<String, Object> metadata, boolean enabled) {
+                                 final List<TemplateRoleName> templates, final Map<String, Object> metadata, boolean enabled) {
         this.name = name;
         this.expression = expr;
-        this.roles = Collections.unmodifiableList(roles);
+        this.roles = roles == null ? Collections.emptyList() : Collections.unmodifiableList(roles);
+        this.roleTemplates = templates == null ? Collections.emptyList() : Collections.unmodifiableList(templates);
         this.metadata = (metadata == null) ? Collections.emptyMap() : Collections.unmodifiableMap(metadata);
         this.enabled = enabled;
     }
@@ -90,6 +95,10 @@ public List<String> getRoles() {
         return roles;
     }
 
+    public List<TemplateRoleName> getRoleTemplates() {
+        return roleTemplates;
+    }
+
     public Map<String, Object> getMetadata() {
         return metadata;
     }
@@ -99,53 +108,26 @@ public boolean isEnabled() {
     }
 
     @Override
-    public int hashCode() {
-        final int prime = 31;
-        int result = 1;
-        result = prime * result + (enabled ? 1231 : 1237);
-        result = prime * result + ((expression == null) ? 0 : expression.hashCode());
-        result = prime * result + ((metadata == null) ? 0 : metadata.hashCode());
-        result = prime * result + ((name == null) ? 0 : name.hashCode());
-        result = prime * result + ((roles == null) ? 0 : roles.hashCode());
-        return result;
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+        final ExpressionRoleMapping that = (ExpressionRoleMapping) o;
+        return this.enabled == that.enabled &&
+            Objects.equals(this.name, that.name) &&
+            Objects.equals(this.expression, that.expression) &&
+            Objects.equals(this.roles, that.roles) &&
+            Objects.equals(this.roleTemplates, that.roleTemplates) &&
+            Objects.equals(this.metadata, that.metadata);
     }
 
     @Override
-    public boolean equals(Object obj) {
-        if (this == obj)
-            return true;
-        if (obj == null)
-            return false;
-        if (getClass() != obj.getClass())
-            return false;
-        final ExpressionRoleMapping other = (ExpressionRoleMapping) obj;
-        if (enabled != other.enabled)
-            return false;
-        if (expression == null) {
-            if (other.expression != null)
-                return false;
-        } else if (!expression.equals(other.expression))
-            return false;
-        if (metadata == null) {
-            if (other.metadata != null)
-                return false;
-        } else if (!metadata.equals(other.metadata))
-            return false;
-        if (name == null) {
-            if (other.name != null)
-                return false;
-        } else if (!name.equals(other.name))
-            return false;
-        if (roles == null) {
-            if (other.roles != null)
-                return false;
-        } else if (!roles.equals(other.roles))
-            return false;
-        return true;
+    public int hashCode() {
+        return Objects.hash(name, expression, roles, roleTemplates, metadata, enabled);
     }
 
     public interface Fields {
         ParseField ROLES = new ParseField("roles");
+        ParseField ROLE_TEMPLATES = new ParseField("role_templates");
         ParseField ENABLED = new ParseField("enabled");
         ParseField RULES = new ParseField("rules");
         ParseField METADATA = new ParseField("metadata");

client/rest-high-level/src/main/java/org/elasticsearch/client/security/PutRoleMappingRequest.java

@@ -40,22 +40,34 @@ public final class PutRoleMappingRequest implements Validatable, ToXContentObjec
     private final String name;
     private final boolean enabled;
     private final List<String> roles;
+    private final List<TemplateRoleName> roleTemplates;
     private final RoleMapperExpression rules;
 
     private final Map<String, Object> metadata;
     private final RefreshPolicy refreshPolicy;
 
+    @Deprecated
     public PutRoleMappingRequest(final String name, final boolean enabled, final List<String> roles, final RoleMapperExpression rules,
-            @Nullable final Map<String, Object> metadata, @Nullable final RefreshPolicy refreshPolicy) {
+                                 @Nullable final Map<String, Object> metadata, @Nullable final RefreshPolicy refreshPolicy) {
+        this(name, enabled, roles, Collections.emptyList(), rules, metadata, refreshPolicy);
+    }
+
+    public PutRoleMappingRequest(final String name, final boolean enabled, final List<String> roles, final List<TemplateRoleName> templates,
+                                 final RoleMapperExpression rules, @Nullable final Map<String, Object> metadata,
+                                 @Nullable final RefreshPolicy refreshPolicy) {
         if (Strings.hasText(name) == false) {
             throw new IllegalArgumentException("role-mapping name is missing");
         }
         this.name = name;
         this.enabled = enabled;
-        if (roles == null || roles.isEmpty()) {
-            throw new IllegalArgumentException("role-mapping roles are missing");
+        this.roles = Collections.unmodifiableList(Objects.requireNonNull(roles, "role-mapping roles cannot be null"));
+        this.roleTemplates = Collections.unmodifiableList(Objects.requireNonNull(templates, "role-mapping role_templates cannot be null"));
+        if (this.roles.isEmpty() && this.roleTemplates.isEmpty()) {
+            throw new IllegalArgumentException("in a role-mapping, one of roles or role_templates is required");
+        }
+        if (this.roles.isEmpty() == false && this.roleTemplates.isEmpty() == false) {
+            throw new IllegalArgumentException("in a role-mapping, cannot specify both roles and role_templates");
         }
-        this.roles = Collections.unmodifiableList(roles);
         this.rules = Objects.requireNonNull(rules, "role-mapping rules are missing");
         this.metadata = (metadata == null) ? Collections.emptyMap() : metadata;
         this.refreshPolicy = (refreshPolicy == null) ? RefreshPolicy.getDefault() : refreshPolicy;
@@ -73,6 +85,10 @@ public List<String> getRoles() {
         return roles;
     }
 
+    public List<TemplateRoleName> getRoleTemplates() {
+        return roleTemplates;
+    }
+
     public RoleMapperExpression getRules() {
         return rules;
     }
@@ -87,7 +103,7 @@ public RefreshPolicy getRefreshPolicy() {
 
     @Override
     public int hashCode() {
-        return Objects.hash(name, enabled, refreshPolicy, roles, rules, metadata);
+        return Objects.hash(name, enabled, refreshPolicy, roles, roleTemplates, rules, metadata);
     }
 
     @Override
@@ -104,21 +120,22 @@ public boolean equals(Object obj) {
         final PutRoleMappingRequest other = (PutRoleMappingRequest) obj;
 
         return (enabled == other.enabled) &&
-               (refreshPolicy == other.refreshPolicy) &&
-               Objects.equals(name, other.name) &&
-               Objects.equals(roles, other.roles) &&
-               Objects.equals(rules, other.rules) &&
-               Objects.equals(metadata, other.metadata);
+            (refreshPolicy == other.refreshPolicy) &&
+            Objects.equals(name, other.name) &&
+            Objects.equals(roles, other.roles) &&
+            Objects.equals(roleTemplates, other.roleTemplates) &&
+            Objects.equals(rules, other.rules) &&
+            Objects.equals(metadata, other.metadata);
     }
 
     @Override
     public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
         builder.startObject();
         builder.field("enabled", enabled);
         builder.field("roles", roles);
+        builder.field("role_templates", roleTemplates);
         builder.field("rules", rules);
         builder.field("metadata", metadata);
         return builder.endObject();
     }
-
 }

client/rest-high-level/src/main/java/org/elasticsearch/client/security/TemplateRoleName.java

@@ -0,0 +1,117 @@
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.elasticsearch.client.security;
+
+import org.elasticsearch.common.ParseField;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.xcontent.ConstructingObjectParser;
+import org.elasticsearch.common.xcontent.ObjectParser;
+import org.elasticsearch.common.xcontent.ToXContentObject;
+import org.elasticsearch.common.xcontent.XContentBuilder;
+import org.elasticsearch.common.xcontent.XContentParser;
+import org.elasticsearch.common.xcontent.XContentParserUtils;
+import org.elasticsearch.common.xcontent.XContentType;
+
+import java.io.IOException;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Objects;
+
+import static org.elasticsearch.common.xcontent.ConstructingObjectParser.optionalConstructorArg;
+
+/**
+ * A role name that uses a dynamic template.
+ */
+public class TemplateRoleName implements ToXContentObject {
+
+    private static final ConstructingObjectParser<TemplateRoleName, Void> PARSER = new ConstructingObjectParser<>("template-role-name",
+        true, args -> new TemplateRoleName((String) args[0], (Format) args[1]));
+
+    static {
+        PARSER.declareString(ConstructingObjectParser.constructorArg(), Fields.TEMPLATE);
+        PARSER.declareField(optionalConstructorArg(), Format::fromXContent, Fields.FORMAT, ObjectParser.ValueType.STRING);
+    }
+    private final String template;
+    private final Format format;
+
+    public TemplateRoleName(String template, Format format) {
+        this.template = Objects.requireNonNull(template);
+        this.format = Objects.requireNonNull(format);
+    }
+
+    public TemplateRoleName(Map<String, Object> template, Format format) throws IOException {
+        this(Strings.toString(XContentBuilder.builder(XContentType.JSON.xContent()).map(template)), format);
+    }
+
+    public String getTemplate() {
+        return template;
+    }
+
+    public Format getFormat() {
+        return format;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        final TemplateRoleName that = (TemplateRoleName) o;
+        return Objects.equals(this.template, that.template) &&
+            this.format == that.format;
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(template, format);
+    }
+
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+        return builder.startObject()
+            .field(Fields.TEMPLATE.getPreferredName(), template)
+            .field(Fields.FORMAT.getPreferredName(), format.name().toLowerCase(Locale.ROOT))
+            .endObject();
+    }
+
+    static TemplateRoleName fromXContent(XContentParser parser) throws IOException {
+        XContentParserUtils.ensureExpectedToken(XContentParser.Token.START_OBJECT, parser.currentToken(), parser::getTokenLocation);
+        return PARSER.parse(parser, null);
+    }
+
+
+    public enum Format {
+        STRING, JSON;
+
+        private static Format fromXContent(XContentParser parser) throws IOException {
+            XContentParserUtils.ensureExpectedToken(XContentParser.Token.VALUE_STRING, parser.currentToken(), parser::getTokenLocation);
+            return Format.valueOf(parser.text().toUpperCase(Locale.ROOT));
+        }
+    }
+
+    public interface Fields {
+        ParseField TEMPLATE = new ParseField("template");
+        ParseField FORMAT = new ParseField("format");
+    }
+
+}

client/rest-high-level/src/test/java/org/elasticsearch/client/SecurityRequestConvertersTests.java

@@ -141,8 +141,8 @@ public void testPutRoleMapping() throws IOException {
                 .addExpression(FieldRoleMapperExpression.ofUsername(username))
                 .addExpression(FieldRoleMapperExpression.ofGroups(groupname))
                 .build();
-        final PutRoleMappingRequest putRoleMappingRequest = new PutRoleMappingRequest(roleMappingName, true, Collections.singletonList(
-                rolename), rules, null, refreshPolicy);
+        final PutRoleMappingRequest putRoleMappingRequest = new PutRoleMappingRequest(roleMappingName, true,
+            Collections.singletonList(rolename), Collections.emptyList(), rules, null, refreshPolicy);
 
         final Request request = SecurityRequestConverters.putRoleMapping(putRoleMappingRequest);