From 4a1feff3aeaf84b73ad510dc67dec1cc3157fa0b Mon Sep 17 00:00:00 2001
From: Albert Zaharovits
Date: Wed, 24 Jul 2019 18:38:29 +0300
Subject: [PATCH] PKIRealm with delegation enabled requires token service
---
 .../xpack/security/authc/pki/PkiRealm.java | 8 +++++++-
 .../xpack/security/authc/pki/PkiRealmTests.java | 14 ++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java
index 98839a4841c97..74fa858567b5a 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java
@@ -20,6 +20,7 @@
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.license.XPackLicenseState;
 import org.elasticsearch.watcher.ResourceWatcherService;
+import org.elasticsearch.xpack.core.XPackSettings;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
 import org.elasticsearch.xpack.core.security.authc.Realm;
@@ -30,6 +31,7 @@
 import org.elasticsearch.xpack.core.ssl.CertParsingUtils;
 import org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings;
 import org.elasticsearch.xpack.security.authc.BytesKey;
+import org.elasticsearch.xpack.security.authc.TokenService;
 import org.elasticsearch.xpack.security.authc.support.CachingRealm;
 import org.elasticsearch.xpack.security.authc.support.DelegatedAuthorizationSupport;
 import org.elasticsearch.xpack.security.authc.support.UserRoleMapper;
@@ -85,6 +87,11 @@ public PkiRealm(RealmConfig config, ResourceWatcherService watcherService, Nativ
 // pkg private for testing
 PkiRealm(RealmConfig config, UserRoleMapper roleMapper) {
 super(config);
+ this.delegationEnabled = config.getSetting(PkiRealmSettings.DELEGATION_ENABLED_SETTING);
+ if (delegationEnabled && (false == TokenService.isTokenServiceEnabled(config.settings()))) {
+ throw new IllegalStateException("PKI realms with delegation enabled require that the token service be enabled as well ("
+ + XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey() + ")");
+ }
 this.trustManager = trustManagers(config);
 this.principalPattern = config.getSetting(PkiRealmSettings.USERNAME_PATTERN_SETTING);
 this.roleMapper = roleMapper;
@@ -94,7 +101,6 @@ public PkiRealm(RealmConfig config, ResourceWatcherService watcherService, Nativ
 .setMaximumWeight(config.getSetting(PkiRealmSettings.CACHE_MAX_USERS_SETTING))
 .build();
 this.delegatedRealms = null;
- this.delegationEnabled = config.getSetting(PkiRealmSettings.DELEGATION_ENABLED_SETTING);
 }
 
 @Override
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java
index e4d30796b1b55..1a980534a3570 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java
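Review bot: The new guard in the pkg-private constructor (`if (delegationEnabled && (false == TokenService.isTokenServiceEnabled(config.settings())))`) reports only `xpack.security.authc.token.enabled`, but, if I recall correctly, that setting has no fixed default and instead follows whether TLS is enabled on the HTTP layer, so an operator who never touched it is pointed at a setting that is off for a different reason. The fail-fast at realm construction is the right place for the check; it just deserves a why-comment, since nothing in the hunk says what delegation needs the token service for — presumably because a delegated PKI authentication is handed back to the client as an access token. Suggested comment above the guard: `// delegated PKI authentication is completed by issuing an access token, so the token service (which by default is only on when HTTP TLS is enabled) must be available`. Extending the message with a hint such as "or enable TLS on the HTTP layer" would also help, but it has to be kept in step with the exact-message assertion in PkiRealmTests. The constructor body continues past this hunk; its tail, where the old assignment is removed, is shown in the next hunk of the same file.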
@@ -250,6 +250,19 @@ public void testVerificationUsingATruststore() throws Exception {
 assertThat(user.roles().length, is(0));
 }
 
+ public void testAuthenticationDelegationFailsWithoutTokenService() throws Exception {
+ ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
+ Settings settings = Settings.builder()
+ .put(globalSettings)
+ .put("xpack.security.authc.realms.pki.my_pki.delegation.enabled", true)
+ .build();
+ IllegalStateException e = expectThrows(IllegalStateException.class,
+ () -> new PkiRealm(new RealmConfig(new RealmConfig.RealmIdentifier("pki", "my_pki"), settings,
+ TestEnvironment.newEnvironment(globalSettings), threadContext), mock(UserRoleMapper.class)));
+ assertThat(e.getMessage(), is("PKI realms with delegation enabled require that"
+ + " the token service be enabled as well (xpack.security.authc.token.enabled)"));
+ }
+
 public void testAuthenticationDelegationSuccess() throws Exception {
 X509Certificate certificate = readCert(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
 X509AuthenticationToken delegatedToken = new X509AuthenticationToken(new X509Certificate[] { certificate }, true);
@@ -262,6 +275,7 @@ public void testAuthenticationDelegationSuccess() throws Exception {
 .put("xpack.security.authc.realms.pki.my_pki.truststore.path",
 getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"))
 .put("xpack.security.authc.realms.pki.my_pki.delegation.enabled", true)
+ .put("xpack.security.authc.token.enabled", true)
 .setSecureSettings(secureSettings)
 .build();
 PkiRealm realmWithDelegation = buildRealm(roleMapper, settings);
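Review bot: `testAuthenticationDelegationFailsWithoutTokenService` never states the precondition it depends on; it assumes the token service is disabled under `globalSettings` (defined outside the hunk), so if that fixture ever enables HTTP TLS or the token service the test fails with an unhelpful "expected exception not thrown" rather than pointing at the setting. Making it explicit is one line between the two existing `.put` calls: `.put("xpack.security.authc.token.enabled", false)`. The expected-message assertion also hard-codes the setting key as a literal; comparing against `XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey()` would keep the test from drifting if the realm's message is later reworded around the key. Minor: the `RealmConfig` is built from `settings` while `TestEnvironment.newEnvironment` is given `globalSettings`; passing `settings` to both would be consistent, though it appears not to affect the outcome here.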