PKI realm usage stats includes delegation

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java

@@ -317,6 +317,17 @@ public void expireAll() {
         }
     }
 
+    @Override
+    public void usageStats(ActionListener<Map<String, Object>> listener) {
+        super.usageStats(ActionListener.wrap(stats -> {
+            stats.put("has_truststore", trustManager != null);
+            stats.put("has_delegated_realms", delegatedRealms != null);
+            stats.put("principal_pattern", principalPattern.pattern());
+            stats.put("is_authentication_delegated", delegationEnabled);
+            listener.onResponse(stats);
+        }, listener::onFailure));
+    }
+
     private static BytesKey computeFingerprint(X509Certificate certificate) throws CertificateEncodingException {
         MessageDigest digest = MessageDigests.sha256();
         digest.update(certificate.getEncoded());

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java

@@ -40,6 +40,7 @@
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 import java.util.regex.Pattern;
 
@@ -72,11 +73,12 @@ public void setup() throws Exception {
         when(licenseState.isAuthorizationRealmAllowed()).thenReturn(true);
     }
 
-    public void testTokenSupport() {
+    public void testTokenSupport() throws Exception {
         RealmConfig config = new RealmConfig(new RealmConfig.RealmIdentifier("pki", "my_pki"), globalSettings,
                 TestEnvironment.newEnvironment(globalSettings), new ThreadContext(globalSettings));
         PkiRealm realm = new PkiRealm(config, mock(UserRoleMapper.class));
 
+        assertRealmUsageStats(realm, false, false, PkiRealmSettings.DEFAULT_USERNAME_PATTERN, false);
         assertThat(realm.supports(null), is(false));
         assertThat(realm.supports(new UsernamePasswordToken("", new SecureString(new char[0]))), is(false));
         assertThat(realm.supports(new X509AuthenticationToken(new X509Certificate[0], randomBoolean())), is(true));
@@ -115,7 +117,6 @@ private void assertSuccessfulAuthentication(Set<String> roles) throws Exception
         final String expectedUsername = PkiRealm.getPrincipalFromSubjectDN(Pattern.compile(PkiRealmSettings.DEFAULT_USERNAME_PATTERN),
                 token, NoOpLogger.INSTANCE);
         final AuthenticationResult result = authenticate(token, realm);
-        final PlainActionFuture<AuthenticationResult> future;
         assertThat(result.getStatus(), is(AuthenticationResult.Status.SUCCESS));
         User user = result.getUser();
         assertThat(user, is(notNullValue()));
@@ -200,6 +201,7 @@ public void testCustomUsernamePatternMatches() throws Exception {
         X509Certificate certificate = readCert(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
         UserRoleMapper roleMapper = buildRoleMapper();
         PkiRealm realm = buildRealm(roleMapper, settings);
+        assertRealmUsageStats(realm, false, true, "OU=(.*?),", false);
         threadContext.putTransient(PkiRealm.PKI_CERT_HEADER_NAME, new X509Certificate[] { certificate });
 
         X509AuthenticationToken token = realm.token(threadContext);
@@ -219,6 +221,7 @@ public void testCustomUsernamePatternMismatchesAndNullToken() throws Exception {
         X509Certificate certificate = readCert(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
         UserRoleMapper roleMapper = buildRoleMapper();
         PkiRealm realm = buildRealm(roleMapper, settings);
+        assertRealmUsageStats(realm, false, true, "OU=(mismatch.*?),", false);
         threadContext.putTransient(PkiRealm.PKI_CERT_HEADER_NAME, new X509Certificate[] { certificate });
 
         X509AuthenticationToken token = realm.token(threadContext);
@@ -239,6 +242,7 @@ public void testVerificationUsingATruststore() throws Exception {
                 .build();
         ThreadContext threadContext = new ThreadContext(globalSettings);
         PkiRealm realm = buildRealm(roleMapper, settings);
+        assertRealmUsageStats(realm, true, true, PkiRealmSettings.DEFAULT_USERNAME_PATTERN, false);
 
         threadContext.putTransient(PkiRealm.PKI_CERT_HEADER_NAME, new X509Certificate[] { certificate });
 
@@ -265,6 +269,8 @@ public void testAuthenticationDelegationSuccess() throws Exception {
                 .setSecureSettings(secureSettings)
                 .build();
         PkiRealm realmWithDelegation = buildRealm(roleMapper, settings);
+        assertRealmUsageStats(realmWithDelegation, true, true, PkiRealmSettings.DEFAULT_USERNAME_PATTERN, true);
+
         AuthenticationResult result = authenticate(delegatedToken, realmWithDelegation);
         assertThat(result.getStatus(), equalTo(AuthenticationResult.Status.SUCCESS));
         assertThat(result.getUser(), is(notNullValue()));
@@ -287,6 +293,7 @@ public void testAuthenticationDelegationFailure() throws Exception {
                 .setSecureSettings(secureSettings)
                 .build();
         PkiRealm realmNoDelegation = buildRealm(roleMapper, settings);
+        assertRealmUsageStats(realmNoDelegation, true, true, PkiRealmSettings.DEFAULT_USERNAME_PATTERN, false);
 
         AuthenticationResult result = authenticate(delegatedToken, realmNoDelegation);
         assertThat(result.getStatus(), equalTo(AuthenticationResult.Status.CONTINUE));
@@ -307,6 +314,7 @@ public void testVerificationFailsUsingADifferentTruststore() throws Exception {
                 .build();
         ThreadContext threadContext = new ThreadContext(settings);
         PkiRealm realm = buildRealm(roleMapper, settings);
+        assertRealmUsageStats(realm, true, true, PkiRealmSettings.DEFAULT_USERNAME_PATTERN, false);
 
         threadContext.putTransient(PkiRealm.PKI_CERT_HEADER_NAME, new X509Certificate[] { certificate });
 
@@ -419,6 +427,7 @@ public void testDelegatedAuthorization() throws Exception {
             .build();
         final UserRoleMapper roleMapper = buildRoleMapper(Collections.emptySet(), token.dn());
         final PkiRealm pkiRealm = buildRealm(roleMapper, realmSettings, otherRealm);
+        assertRealmUsageStats(pkiRealm, false, true, PkiRealmSettings.DEFAULT_USERNAME_PATTERN, false);
 
         AuthenticationResult result = authenticate(token, pkiRealm);
         assertThat(result.getStatus(), equalTo(AuthenticationResult.Status.SUCCESS));
@@ -443,6 +452,17 @@ public void testX509AuthenticationToken() throws Exception {
         assertThat(e.getMessage(), is("certificates chain array is not ordered"));
     }
 
+    private void assertRealmUsageStats(Realm realm, Boolean hasTruststore, Boolean hasDelegatedRealms, String principalPattern,
+            Boolean isAuthenticationDelegated) throws Exception {
+        final PlainActionFuture<Map<String, Object>> future = new PlainActionFuture<>();
+        realm.usageStats(future);
+        Map<String, Object> usage = future.get();
+        assertThat(usage.get("has_truststore"), is(hasTruststore));
+        assertThat(usage.get("has_delegated_realms"), is(hasDelegatedRealms));
+        assertThat(usage.get("principal_pattern"), is(principalPattern));
+        assertThat(usage.get("is_authentication_delegated"), is(isAuthenticationDelegated));
+    }
+
     static X509Certificate readCert(Path path) throws Exception {
         try (InputStream in = Files.newInputStream(path)) {
             CertificateFactory factory = CertificateFactory.getInstance("X.509");