Build role for remote access authentication (#93316)

This PR adds support for building roles for remote_access
authentication instances, under the new remote cluster security model.

This change is stand-alone and not wired up to active code flows yet. A
proof of concept in #92089 highlights how the model change in this PR
fits into the broader context of the fulfilling cluster processing
cross cluster requests.

Author: n1v0lg

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RemoteAccessAuthentication.java

@@ -10,6 +10,7 @@
 import org.apache.lucene.util.BytesRef;
 import org.elasticsearch.TransportVersion;
 import org.elasticsearch.common.bytes.AbstractBytesReference;
+import org.elasticsearch.common.bytes.BytesArray;
 import org.elasticsearch.common.bytes.BytesReference;
 import org.elasticsearch.common.io.stream.BytesStreamOutput;
 import org.elasticsearch.common.io.stream.StreamInput;
@@ -148,6 +149,8 @@ public Map<String, Object> copyWithRemoteAccessEntries(final Map<String, Object>
     }
 
     public static final class RoleDescriptorsBytes extends AbstractBytesReference {
+
+        public static final RoleDescriptorsBytes EMPTY = new RoleDescriptorsBytes(new BytesArray("{}"));
         private final BytesReference rawBytes;
 
         public RoleDescriptorsBytes(BytesReference rawBytes) {

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Subject.java

@@ -19,6 +19,8 @@
 import org.elasticsearch.xpack.core.security.user.AnonymousUser;
 import org.elasticsearch.xpack.core.security.user.User;
 
+import java.util.ArrayList;
+import java.util.List;
 import java.util.Map;
 import java.util.Objects;
 
@@ -105,8 +107,7 @@ public RoleReferenceIntersection getRoleReferenceIntersection(@Nullable Anonymou
             case SERVICE_ACCOUNT:
                 return new RoleReferenceIntersection(new RoleReference.ServiceAccountRoleReference(user.principal()));
             case REMOTE_ACCESS:
-                assert false : "unsupported subject type: [" + type + "]";
-                throw new UnsupportedOperationException("unsupported subject type: [" + type + "]");
+                return buildRoleReferencesForRemoteAccess();
             default:
                 assert false : "unknown subject type: [" + type + "]";
                 throw new IllegalStateException("unknown subject type: [" + type + "]");
@@ -231,6 +232,27 @@ private RoleReferenceIntersection buildRoleReferencesForApiKey() {
         );
     }
 
+    private RoleReferenceIntersection buildRoleReferencesForRemoteAccess() {
+        final List<RoleReference> roleReferences = new ArrayList<>(4);
+        @SuppressWarnings("unchecked")
+        final List<RemoteAccessAuthentication.RoleDescriptorsBytes> remoteAccessRoleDescriptorsBytes = (List<
+            RemoteAccessAuthentication.RoleDescriptorsBytes>) metadata.get(AuthenticationField.REMOTE_ACCESS_ROLE_DESCRIPTORS_KEY);
+        if (remoteAccessRoleDescriptorsBytes.isEmpty()) {
+            // If the remote access role descriptors are empty, the remote user has no privileges. We need to add an empty role to restrict
+            // access of the overall intersection accordingly
+            roleReferences.add(new RoleReference.RemoteAccessRoleReference(RemoteAccessAuthentication.RoleDescriptorsBytes.EMPTY));
+        } else {
+            // TODO handle this once we support API keys as querying subjects
+            assert remoteAccessRoleDescriptorsBytes.size() == 1
+                : "only a singleton list of remote access role descriptors bytes is supported";
+            for (RemoteAccessAuthentication.RoleDescriptorsBytes roleDescriptorsBytes : remoteAccessRoleDescriptorsBytes) {
+                roleReferences.add(new RoleReference.RemoteAccessRoleReference(roleDescriptorsBytes));
+            }
+        }
+        roleReferences.addAll(buildRoleReferencesForApiKey().getRoleReferences());
+        return new RoleReferenceIntersection(List.copyOf(roleReferences));
+    }
+
     private static boolean isEmptyRoleDescriptorsBytes(BytesReference roleDescriptorsBytes) {
         return roleDescriptorsBytes == null || (roleDescriptorsBytes.length() == 2 && "{}".equals(roleDescriptorsBytes.utf8ToString()));
     }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/RoleDescriptorsIntersection.java

@@ -26,6 +26,10 @@ public record RoleDescriptorsIntersection(Collection<Set<RoleDescriptor>> roleDe
 
     public static RoleDescriptorsIntersection EMPTY = new RoleDescriptorsIntersection(Collections.emptyList());
 
+    public RoleDescriptorsIntersection(RoleDescriptor roleDescriptor) {
+        this(List.of(Set.of(roleDescriptor)));
+    }
+
     public RoleDescriptorsIntersection(StreamInput in) throws IOException {
         this(in.readImmutableList(inner -> inner.readSet(RoleDescriptor::new)));
     }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/RoleReference.java

@@ -10,6 +10,7 @@
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.common.bytes.BytesReference;
 import org.elasticsearch.common.hash.MessageDigests;
+import org.elasticsearch.xpack.core.security.authc.RemoteAccessAuthentication;
 
 import java.util.HashSet;
 import java.util.List;
@@ -116,6 +117,38 @@ public ApiKeyRoleType getRoleType() {
         }
     }
 
+    final class RemoteAccessRoleReference implements RoleReference {
+
+        private final RemoteAccessAuthentication.RoleDescriptorsBytes roleDescriptorsBytes;
+        private RoleKey id = null;
+
+        public RemoteAccessRoleReference(RemoteAccessAuthentication.RoleDescriptorsBytes roleDescriptorsBytes) {
+            this.roleDescriptorsBytes = roleDescriptorsBytes;
+        }
+
+        @Override
+        public RoleKey id() {
+            // Hashing can be expensive. memorize the result in case the method is called multiple times.
+            if (id == null) {
+                final String roleDescriptorsHash = MessageDigests.toHexString(
+                    MessageDigests.digest(roleDescriptorsBytes, MessageDigests.sha256())
+                );
+                id = new RoleKey(Set.of("remote_access:" + roleDescriptorsHash), "remote_access");
+            }
+            return id;
+        }
+
+        @Override
+        public void resolve(RoleReferenceResolver resolver, ActionListener<RolesRetrievalResult> listener) {
+            resolver.resolveRemoteAccessRoleReference(this, listener);
+        }
+
+        public RemoteAccessAuthentication.RoleDescriptorsBytes getRoleDescriptorsBytes() {
+            return roleDescriptorsBytes;
+        }
+
+    }
+
     /**
      * Same as {@link ApiKeyRoleReference} but for BWC purpose (prior to v7.9.0)
      */

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/RoleReferenceResolver.java

@@ -25,4 +25,9 @@ void resolveBwcApiKeyRoleReference(
     );
 
     void resolveServiceAccountRoleReference(ServiceAccountRoleReference roleReference, ActionListener<RolesRetrievalResult> listener);
+
+    void resolveRemoteAccessRoleReference(
+        RoleReference.RemoteAccessRoleReference remoteAccessRoleReference,
+        ActionListener<RolesRetrievalResult> listener
+    );
 }

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTestHelper.java

@@ -237,43 +237,46 @@ public static String randomInternalRoleName() {
         );
     }
 
-    public static RemoteAccessAuthentication randomRemoteAccessAuthentication() {
+    public static RemoteAccessAuthentication randomRemoteAccessAuthentication(RoleDescriptorsIntersection roleDescriptorsIntersection) {
         try {
             // TODO add apikey() once we have querying-cluster-side API key support
             final Authentication authentication = ESTestCase.randomFrom(
                 AuthenticationTestHelper.builder().realm(),
                 AuthenticationTestHelper.builder().internal(SystemUser.INSTANCE)
             ).build();
-            return new RemoteAccessAuthentication(
-                authentication,
-                new RoleDescriptorsIntersection(
-                    List.of(
-                        // TODO randomize to add a second set once we have querying-cluster-side API key support
-                        Set.of(
-                            new RoleDescriptor(
-                                "a",
-                                null,
-                                new RoleDescriptor.IndicesPrivileges[] {
-                                    RoleDescriptor.IndicesPrivileges.builder()
-                                        .indices("index1")
-                                        .privileges("read", "read_cross_cluster")
-                                        .build() },
-                                null,
-                                null,
-                                null,
-                                null,
-                                null,
-                                null
-                            )
-                        )
-                    )
-                )
-            );
+            return new RemoteAccessAuthentication(authentication, roleDescriptorsIntersection);
         } catch (IOException e) {
             throw new UncheckedIOException(e);
         }
     }
 
+    public static RemoteAccessAuthentication randomRemoteAccessAuthentication() {
+        return randomRemoteAccessAuthentication(
+            new RoleDescriptorsIntersection(
+                List.of(
+                    // TODO randomize to add a second set once we have querying-cluster-side API key support
+                    Set.of(
+                        new RoleDescriptor(
+                            "_remote_user",
+                            null,
+                            new RoleDescriptor.IndicesPrivileges[] {
+                                RoleDescriptor.IndicesPrivileges.builder()
+                                    .indices("index1")
+                                    .privileges("read", "read_cross_cluster")
+                                    .build() },
+                            null,
+                            null,
+                            null,
+                            null,
+                            null,
+                            null
+                        )
+                    )
+                )
+            )
+        );
+    }
+
     public static class AuthenticationTestBuilder {
         private TransportVersion transportVersion;
         private Authentication authenticatingAuthentication;

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/SubjectTests.java

@@ -16,6 +16,7 @@
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.test.TransportVersionUtils;
 import org.elasticsearch.xpack.core.security.authc.service.ServiceAccountSettings;
+import org.elasticsearch.xpack.core.security.authz.RoleDescriptorsIntersection;
 import org.elasticsearch.xpack.core.security.authz.store.RoleReference;
 import org.elasticsearch.xpack.core.security.authz.store.RoleReference.ApiKeyRoleReference;
 import org.elasticsearch.xpack.core.security.authz.store.RoleReference.BwcApiKeyRoleReference;
@@ -35,7 +36,10 @@
 import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.API_KEY_REALM_NAME;
 import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.API_KEY_REALM_TYPE;
 import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY;
+import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.REMOTE_ACCESS_REALM_NAME;
+import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.REMOTE_ACCESS_REALM_TYPE;
 import static org.elasticsearch.xpack.core.security.authc.Subject.FLEET_SERVER_ROLE_DESCRIPTOR_BYTES_V_7_14;
+import static org.elasticsearch.xpack.core.security.authz.store.RoleReference.RemoteAccessRoleReference;
 import static org.hamcrest.Matchers.arrayContaining;
 import static org.hamcrest.Matchers.contains;
 import static org.hamcrest.Matchers.equalTo;
@@ -145,6 +149,81 @@ public void testGetRoleReferencesForApiKey() {
         }
     }
 
+    public void testGetRoleReferencesForRemoteAccess() {
+        Map<String, Object> authMetadata = new HashMap<>();
+        final String apiKeyId = randomAlphaOfLength(12);
+        authMetadata.put(AuthenticationField.API_KEY_ID_KEY, apiKeyId);
+        authMetadata.put(AuthenticationField.API_KEY_NAME_KEY, randomBoolean() ? null : randomAlphaOfLength(12));
+        final BytesReference roleBytes = new BytesArray("""
+            {"role":{"indices":[{"names":["index*"],"privileges":["read"]}]}}""");
+        final BytesReference limitedByRoleBytes = new BytesArray("""
+            {"limited-by-role":{"indices":[{"names":["*"],"privileges":["all"]}]}}""");
+
+        final boolean emptyRoleBytes = randomBoolean();
+
+        authMetadata.put(
+            AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY,
+            emptyRoleBytes ? randomFrom(Arrays.asList(null, new BytesArray("{}"))) : roleBytes
+        );
+        authMetadata.put(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY, limitedByRoleBytes);
+
+        final RemoteAccessAuthentication remoteAccessAuthentication = randomBoolean()
+            ? AuthenticationTestHelper.randomRemoteAccessAuthentication(RoleDescriptorsIntersection.EMPTY)
+            : AuthenticationTestHelper.randomRemoteAccessAuthentication();
+        authMetadata = remoteAccessAuthentication.copyWithRemoteAccessEntries(authMetadata);
+
+        final Subject subject = new Subject(
+            new User("joe"),
+            new Authentication.RealmRef(REMOTE_ACCESS_REALM_NAME, REMOTE_ACCESS_REALM_TYPE, "node"),
+            TransportVersion.CURRENT,
+            authMetadata
+        );
+
+        final RoleReferenceIntersection roleReferenceIntersection = subject.getRoleReferenceIntersection(getAnonymousUser());
+        final List<RoleReference> roleReferences = roleReferenceIntersection.getRoleReferences();
+        if (emptyRoleBytes) {
+            assertThat(roleReferences, contains(isA(RemoteAccessRoleReference.class), isA(ApiKeyRoleReference.class)));
+
+            final RemoteAccessRoleReference remoteAccessRoleReference = (RemoteAccessRoleReference) roleReferences.get(0);
+            assertThat(
+                remoteAccessRoleReference.getRoleDescriptorsBytes(),
+                equalTo(
+                    remoteAccessAuthentication.getRoleDescriptorsBytesList().isEmpty()
+                        ? RemoteAccessAuthentication.RoleDescriptorsBytes.EMPTY
+                        : remoteAccessAuthentication.getRoleDescriptorsBytesList().get(0)
+                )
+            );
+
+            final ApiKeyRoleReference roleReference = (ApiKeyRoleReference) roleReferences.get(1);
+            assertThat(roleReference.getApiKeyId(), equalTo(apiKeyId));
+            assertThat(roleReference.getRoleDescriptorsBytes(), equalTo(authMetadata.get(API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY)));
+
+        } else {
+            assertThat(
+                roleReferences,
+                contains(isA(RemoteAccessRoleReference.class), isA(ApiKeyRoleReference.class), isA(ApiKeyRoleReference.class))
+            );
+
+            final RemoteAccessRoleReference remoteAccessRoleReference = (RemoteAccessRoleReference) roleReferences.get(0);
+            assertThat(
+                remoteAccessRoleReference.getRoleDescriptorsBytes(),
+                equalTo(
+                    remoteAccessAuthentication.getRoleDescriptorsBytesList().isEmpty()
+                        ? RemoteAccessAuthentication.RoleDescriptorsBytes.EMPTY
+                        : remoteAccessAuthentication.getRoleDescriptorsBytesList().get(0)
+                )
+            );
+
+            final ApiKeyRoleReference roleReference = (ApiKeyRoleReference) roleReferences.get(1);
+            assertThat(roleReference.getApiKeyId(), equalTo(apiKeyId));
+            assertThat(roleReference.getRoleDescriptorsBytes(), equalTo(authMetadata.get(API_KEY_ROLE_DESCRIPTORS_KEY)));
+
+            final ApiKeyRoleReference limitedByRoleReference = (ApiKeyRoleReference) roleReferences.get(2);
+            assertThat(limitedByRoleReference.getApiKeyId(), equalTo(apiKeyId));
+            assertThat(limitedByRoleReference.getRoleDescriptorsBytes(), equalTo(authMetadata.get(API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY)));
+        }
+    }
+
     public void testGetRoleReferencesForApiKeyBwc() {
         Map<String, Object> authMetadata = new HashMap<>();
         final String apiKeyId = randomAlphaOfLength(12);

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/RoleReferenceTests.java

@@ -10,6 +10,7 @@
 import org.elasticsearch.common.bytes.BytesArray;
 import org.elasticsearch.common.hash.MessageDigests;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.xpack.core.security.authc.RemoteAccessAuthentication;
 
 import java.util.Set;
 
@@ -65,6 +66,18 @@ public void testApiKeyRoleReference() {
         assertThat(roleKey.getSource(), equalTo("apikey_" + apiKeyRoleType));
     }
 
+    public void testRemoteAccessRoleReference() {
+        final var roleDescriptorsBytes = new RemoteAccessAuthentication.RoleDescriptorsBytes(new BytesArray(randomAlphaOfLength(50)));
+        final var remoteAccessRoleReference = new RoleReference.RemoteAccessRoleReference(roleDescriptorsBytes);
+
+        final RoleKey roleKey = remoteAccessRoleReference.id();
+        assertThat(
+            roleKey.getNames(),
+            hasItem("remote_access:" + MessageDigests.toHexString(MessageDigests.digest(roleDescriptorsBytes, MessageDigests.sha256())))
+        );
+        assertThat(roleKey.getSource(), equalTo("remote_access"));
+    }
+
     public void testServiceAccountRoleReference() {
         final String principal = randomAlphaOfLength(8) + "/" + randomAlphaOfLength(8);
         final RoleReference.ServiceAccountRoleReference serviceAccountRoleReference = new RoleReference.ServiceAccountRoleReference(

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/RoleDescriptorStore.java

@@ -132,6 +132,21 @@ public void resolveServiceAccountRoleReference(
         }));
     }
 
+    @Override
+    public void resolveRemoteAccessRoleReference(
+        RoleReference.RemoteAccessRoleReference remoteAccessRoleReference,
+        ActionListener<RolesRetrievalResult> listener
+    ) {
+        final Set<RoleDescriptor> roleDescriptors = remoteAccessRoleReference.getRoleDescriptorsBytes().toRoleDescriptors();
+        if (roleDescriptors.isEmpty()) {
+            listener.onResponse(RolesRetrievalResult.EMPTY);
+            return;
+        }
+        final RolesRetrievalResult rolesRetrievalResult = new RolesRetrievalResult();
+        rolesRetrievalResult.addDescriptors(Set.copyOf(roleDescriptors));
+        listener.onResponse(rolesRetrievalResult);
+    }
+
     private void resolveRoleNames(Set<String> roleNames, ActionListener<RolesRetrievalResult> listener) {
         roleDescriptors(roleNames, ActionListener.wrap(rolesRetrievalResult -> {
             logDeprecatedRoles(rolesRetrievalResult.getRoleDescriptors());