Send cross cluster api key signature as header (#135674)

This PR is a follow up to
#134137 and
#134893. It adds
serialization and verification of the new header: 

- The signing configurations are now used to generate a signature that's passed as a header for cross cluster api keys.
- The signature headers are deserializaed and validated on the server side and auth fails if the validation fails. 

This PR does not use the certificate identity that was added in
#134604 to verify that the
identity in the passed leaf certificate belongs to the signed cross
cluster API key by matching it against the API key certificate identity
pattern. That will be done in a follow up PR to keep the scope of this
PR manageable.

Author: jfreden

docs/changelog/135674.yaml

@@ -0,0 +1,5 @@
+pr: 135674
+summary: Send cross cluster api key signature as headers
+area: Security
+type: enhancement
+issues: []

server/src/main/resources/transport/definitions/referable/add_cross_cluster_api_key_signature.csv

@@ -0,0 +1 @@
+9191000

server/src/main/resources/transport/upper_bounds/9.3.csv

@@ -1 +1 @@
-reordered_translog_operations,9190000
+add_cross_cluster_api_key_signature,9191000

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/CrossClusterAccessSubjectInfo.java

@@ -76,16 +76,6 @@ public void writeToContext(final ThreadContext ctx) throws IOException {
         ctx.putHeader(CROSS_CLUSTER_ACCESS_SUBJECT_INFO_HEADER_KEY, encode());
     }
 
-    public static CrossClusterAccessSubjectInfo readFromContext(final ThreadContext ctx) throws IOException {
-        final String header = ctx.getHeader(CROSS_CLUSTER_ACCESS_SUBJECT_INFO_HEADER_KEY);
-        if (header == null) {
-            throw new IllegalArgumentException(
-                "cross cluster access header [" + CROSS_CLUSTER_ACCESS_SUBJECT_INFO_HEADER_KEY + "] is required"
-            );
-        }
-        return decode(header);
-    }
-
     public Authentication getAuthentication() {
         return authentication;
     }

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/CrossClusterAccessSubjectInfoTests.java

@@ -48,7 +48,9 @@ public void testWriteReadContextRoundtrip() throws IOException {
         );
 
         expectedCrossClusterAccessSubjectInfo.writeToContext(ctx);
-        final CrossClusterAccessSubjectInfo actual = CrossClusterAccessSubjectInfo.readFromContext(ctx);
+        final CrossClusterAccessSubjectInfo actual = CrossClusterAccessSubjectInfo.decode(
+            ctx.getHeader(CROSS_CLUSTER_ACCESS_SUBJECT_INFO_HEADER_KEY)
+        );
 
         assertThat(actual.getAuthentication(), equalTo(expectedCrossClusterAccessSubjectInfo.getAuthentication()));
         final List<Set<RoleDescriptor>> roleDescriptorsList = new ArrayList<>();
@@ -70,17 +72,6 @@ public void testRoleDescriptorsBytesToRoleDescriptors() throws IOException {
         assertThat(actualRoleDescriptors, equalTo(expectedRoleDescriptors));
     }
 
-    public void testThrowsOnMissingEntry() {
-        var actual = expectThrows(
-            IllegalArgumentException.class,
-            () -> CrossClusterAccessSubjectInfo.readFromContext(new ThreadContext(Settings.EMPTY))
-        );
-        assertThat(
-            actual.getMessage(),
-            equalTo("cross cluster access header [" + CROSS_CLUSTER_ACCESS_SUBJECT_INFO_HEADER_KEY + "] is required")
-        );
-    }
-
     public void testCleanWithValidationForApiKeys() {
         final Map<String, Object> initialMetadata = newHashMapWithRandomMetadata();
         final AuthenticationTestHelper.AuthenticationTestBuilder builder = AuthenticationTestHelper.builder()

x-pack/plugin/security/qa/multi-cluster/src/javaRestTest/java/org/elasticsearch/xpack/remotecluster/RemoteClusterSecurityBWCToRCS2ClusterRestIT.java

@@ -9,6 +9,7 @@
 
 import org.elasticsearch.test.cluster.ElasticsearchCluster;
 import org.elasticsearch.test.cluster.local.distribution.DistributionType;
+import org.elasticsearch.test.cluster.util.resource.Resource;
 import org.junit.Before;
 import org.junit.ClassRule;
 import org.junit.rules.RuleChain;
@@ -54,6 +55,10 @@ public class RemoteClusterSecurityBWCToRCS2ClusterRestIT extends AbstractRemoteC
             .apply(commonClusterConfig)
             .setting("xpack.security.remote_cluster_client.ssl.enabled", "true")
             .setting("xpack.security.remote_cluster_client.ssl.certificate_authorities", "remote-cluster-ca.crt")
+            .configFile("signing.crt", Resource.fromClasspath("signing/signing.crt"))
+            .setting("cluster.remote.my_remote_cluster.signing.certificate", "signing.crt")
+            .configFile("signing.key", Resource.fromClasspath("signing/signing.key"))
+            .setting("cluster.remote.my_remote_cluster.signing.key", "signing.key")
             .keystore("cluster.remote.my_remote_cluster.credentials", () -> {
                 if (API_KEY_MAP_REF.get() == null) {
                     final Map<String, Object> apiKeyMap = createCrossClusterAccessApiKey("""

x-pack/plugin/security/qa/multi-cluster/src/javaRestTest/java/org/elasticsearch/xpack/remotecluster/RemoteClusterSecurityCrossClusterApiKeySigningIT.java

@@ -0,0 +1,230 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.remotecluster;
+
+import io.netty.handler.codec.http.HttpMethod;
+
+import org.elasticsearch.action.search.SearchResponse;
+import org.elasticsearch.client.Request;
+import org.elasticsearch.client.RequestOptions;
+import org.elasticsearch.client.Response;
+import org.elasticsearch.client.ResponseException;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.core.Strings;
+import org.elasticsearch.search.SearchHit;
+import org.elasticsearch.search.SearchResponseUtils;
+import org.elasticsearch.test.cluster.ElasticsearchCluster;
+import org.elasticsearch.test.cluster.util.resource.Resource;
+import org.junit.ClassRule;
+import org.junit.rules.RuleChain;
+import org.junit.rules.TestRule;
+
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import java.util.concurrent.atomic.AtomicReference;
+import java.util.stream.Collectors;
+
+import static org.hamcrest.Matchers.containsInAnyOrder;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.equalTo;
+
+public class RemoteClusterSecurityCrossClusterApiKeySigningIT extends AbstractRemoteClusterSecurityTestCase {
+
+    private static final AtomicReference<Map<String, Object>> API_KEY_MAP_REF = new AtomicReference<>();
+
+    static {
+        fulfillingCluster = ElasticsearchCluster.local()
+            .name("fulfilling-cluster")
+            .apply(commonClusterConfig)
+            .setting("remote_cluster_server.enabled", "true")
+            .setting("remote_cluster.port", "0")
+            .setting("xpack.security.remote_cluster_server.ssl.enabled", "true")
+            .setting("xpack.security.remote_cluster_server.ssl.key", "remote-cluster.key")
+            .setting("xpack.security.remote_cluster_server.ssl.certificate", "remote-cluster.crt")
+            .configFile("signing_ca.crt", Resource.fromClasspath("signing/root.crt"))
+            .setting("cluster.remote.signing.certificate_authorities", "signing_ca.crt")
+            .keystore("xpack.security.remote_cluster_server.ssl.secure_key_passphrase", "remote-cluster-password")
+            .build();
+
+        queryCluster = ElasticsearchCluster.local()
+            .name("query-cluster")
+            .apply(commonClusterConfig)
+            .setting("xpack.security.remote_cluster_client.ssl.enabled", "true")
+            .setting("xpack.security.remote_cluster_client.ssl.certificate_authorities", "remote-cluster-ca.crt")
+            .configFile("signing.crt", Resource.fromClasspath("signing/signing.crt"))
+            .setting("cluster.remote.my_remote_cluster.signing.certificate", "signing.crt")
+            .configFile("signing.key", Resource.fromClasspath("signing/signing.key"))
+            .setting("cluster.remote.my_remote_cluster.signing.key", "signing.key")
+            .keystore("cluster.remote.my_remote_cluster.credentials", () -> {
+                if (API_KEY_MAP_REF.get() == null) {
+                    final Map<String, Object> apiKeyMap = createCrossClusterAccessApiKey("""
+                        {
+                            "search": [
+                              {
+                                "names": ["index*", "not_found_index"]
+                              }
+                            ]
+                        }""");
+                    API_KEY_MAP_REF.set(apiKeyMap);
+                }
+                return (String) API_KEY_MAP_REF.get().get("encoded");
+            })
+            .keystore("cluster.remote.invalid_remote.credentials", randomEncodedApiKey())
+            .build();
+    }
+
+    @ClassRule
+    // Use a RuleChain to ensure that fulfilling cluster is started before query cluster
+    public static TestRule clusterRule = RuleChain.outerRule(fulfillingCluster).around(queryCluster);
+
+    public void testCrossClusterSearchWithCrossClusterApiKeySigning() throws Exception {
+        indexTestData();
+        assertCrossClusterSearchSuccessfulWithResult();
+
+        // Change the CA to something that doesn't trust the signing cert
+        updateClusterSettingsFulfillingCluster(
+            Settings.builder().put("cluster.remote.signing.certificate_authorities", "transport-ca.crt").build()
+        );
+        assertCrossClusterAuthFail();
+
+        // Update settings on query cluster to ignore unavailable remotes
+        updateClusterSettings(Settings.builder().put("cluster.remote.my_remote_cluster.skip_unavailable", Boolean.toString(true)).build());
+
+        assertCrossClusterSearchSuccessfulWithoutResult();
+
+        // TODO add test for certificate identity configured for API key but no signature provided (should 401)
+
+        // TODO add test for certificate identity not configured for API key but signature provided (should 200)
+
+        // TODO add test for certificate identity not configured for API key but wrong signature provided (should 401)
+
+        // TODO add test for certificate identity regex matching (should 200)
+    }
+
+    private void assertCrossClusterAuthFail() {
+        var responseException = assertThrows(ResponseException.class, () -> simpleCrossClusterSearch(randomBoolean()));
+        assertThat(responseException.getResponse().getStatusLine().getStatusCode(), equalTo(401));
+        assertThat(responseException.getMessage(), containsString("Failed to verify cross cluster api key signature certificate from [("));
+    }
+
+    private void assertCrossClusterSearchSuccessfulWithoutResult() throws IOException {
+        boolean alsoSearchLocally = randomBoolean();
+        final Response response = simpleCrossClusterSearch(alsoSearchLocally);
+        assertOK(response);
+    }
+
+    private void assertCrossClusterSearchSuccessfulWithResult() throws IOException {
+        boolean alsoSearchLocally = randomBoolean();
+        final Response response = simpleCrossClusterSearch(alsoSearchLocally);
+        assertOK(response);
+        final SearchResponse searchResponse;
+        try (var parser = responseAsParser(response)) {
+            searchResponse = SearchResponseUtils.parseSearchResponse(parser);
+        }
+        try {
+            final List<String> actualIndices = Arrays.stream(searchResponse.getHits().getHits())
+                .map(SearchHit::getIndex)
+                .collect(Collectors.toList());
+            if (alsoSearchLocally) {
+                assertThat(actualIndices, containsInAnyOrder("index1", "local_index"));
+            } else {
+                assertThat(actualIndices, containsInAnyOrder("index1"));
+            }
+        } finally {
+            searchResponse.decRef();
+        }
+    }
+
+    private Response simpleCrossClusterSearch(boolean alsoSearchLocally) throws IOException {
+        final var searchRequest = new Request(
+            "GET",
+            String.format(
+                Locale.ROOT,
+                "/%s%s:%s/_search?ccs_minimize_roundtrips=%s",
+                alsoSearchLocally ? "local_index," : "",
+                randomFrom("my_remote_cluster", "*", "my_remote_*"),
+                randomFrom("index1", "*"),
+                randomBoolean()
+            )
+        );
+        return performRequestWithRemoteAccessUser(searchRequest);
+    }
+
+    private void indexTestData() throws Exception {
+        configureRemoteCluster();
+
+        // Fulfilling cluster
+        {
+            // Index some documents, so we can attempt to search them from the querying cluster
+            final Request bulkRequest = new Request("POST", "/_bulk?refresh=true");
+            bulkRequest.setJsonEntity(Strings.format("""
+                { "index": { "_index": "index1" } }
+                { "foo": "bar" }
+                { "index": { "_index": "index2" } }
+                { "bar": "foo" }
+                { "index": { "_index": "prefixed_index" } }
+                { "baz": "fee" }\n"""));
+            assertOK(performRequestAgainstFulfillingCluster(bulkRequest));
+        }
+
+        // Query cluster
+        {
+            // Index some documents, to use them in a mixed-cluster search
+            final var indexDocRequest = new Request("POST", "/local_index/_doc?refresh=true");
+            indexDocRequest.setJsonEntity("{\"local_foo\": \"local_bar\"}");
+            assertOK(client().performRequest(indexDocRequest));
+
+            // Create user role with privileges for remote and local indices
+            final var putRoleRequest = new Request("PUT", "/_security/role/" + REMOTE_SEARCH_ROLE);
+            putRoleRequest.setJsonEntity("""
+                {
+                  "description": "role with privileges for remote and local indices",
+                  "cluster": ["manage_own_api_key"],
+                  "indices": [
+                    {
+                      "names": ["local_index"],
+                      "privileges": ["read"]
+                    }
+                  ],
+                  "remote_indices": [
+                    {
+                      "names": ["index1", "not_found_index", "prefixed_index"],
+                      "privileges": ["read", "read_cross_cluster"],
+                      "clusters": ["my_remote_cluster"]
+                    }
+                  ]
+                }""");
+            assertOK(adminClient().performRequest(putRoleRequest));
+            final var putUserRequest = new Request("PUT", "/_security/user/" + REMOTE_SEARCH_USER);
+            putUserRequest.setJsonEntity("""
+                {
+                  "password": "x-pack-test-password",
+                  "roles" : ["remote_search"]
+                }""");
+            assertOK(adminClient().performRequest(putUserRequest));
+        }
+    }
+
+    private void updateClusterSettingsFulfillingCluster(Settings settings) throws IOException {
+        final var request = newXContentRequest(HttpMethod.PUT, "/_cluster/settings", (builder, params) -> {
+            builder.startObject("persistent");
+            settings.toXContent(builder, params);
+            return builder.endObject();
+        });
+
+        performRequestWithAdminUser(fulfillingClusterClient, request);
+    }
+
+    private Response performRequestWithRemoteAccessUser(final Request request) throws IOException {
+        request.setOptions(RequestOptions.DEFAULT.toBuilder().addHeader("Authorization", basicAuthHeaderValue(REMOTE_SEARCH_USER, PASS)));
+        return client().performRequest(request);
+    }
+}

x-pack/plugin/security/qa/multi-cluster/src/javaRestTest/java/org/elasticsearch/xpack/remotecluster/RemoteClusterSecurityFcActionAuthorizationIT.java

@@ -619,7 +619,7 @@ private static MockTransportService startTransport(
                             action,
                             SystemUser.crossClusterAccessSubjectInfo(TransportVersion.current(), nodeName)
                         )
-                    ).writeToContext(threadContext);
+                    ).writeToContext(threadContext, null);
                     connection.sendRequest(requestId, action, request, options);
                 }
             });

x-pack/plugin/security/qa/multi-cluster/src/javaRestTest/resources/signing/root.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSzCCAjOgAwIBAgIUPw9V/LIrB5Y+Krhqp1mXhK/BQDIwDQYJKoZIhvcNAQEL
+BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l
+cmF0ZWQgQ0EwIBcNMjUwOTE4MDczMzQ2WhgPMjA1MzAyMDMwNzMzNDZaMDQxMjAw
+BgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2VuZXJhdGVkIENB
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuQkSVLDqxWT83K+gfljq
+WWL5KQxiN/7XZ8ug6e5b+kY0MZQnaAUWNaj5RFgSMDB+2N6EWJMk5cmDXK7NB/xq
+gTbC/o3o7B9AZMTpu5Wbj8chRBCTTirRaIh79/VdLWDHriIgxGBLdMm/A2b3IW6H
+YeUGUdOszEjytCjslrrktnIMIQHlQQ5o/fSPslCunsm7P+rDyf3GjapflKtpcrIV
+cZKExaaCaqJtQYn66JCyr/ZFmjiTRPjPBcFx2SqAvkPXSK4SghvhKX69K+qDQWjF
+rPx9BUWgLnE00bJ27CCSCRzZ3dTgcZ86ou/2mOJqqpeCMacJGWnn7Cu1P3+LcgjT
+cQIDAQABo1MwUTAdBgNVHQ4EFgQUlL1P7M7/YCDULUeMUHPxDMtHT9swHwYDVR0j
+BBgwFoAUlL1P7M7/YCDULUeMUHPxDMtHT9swDwYDVR0TAQH/BAUwAwEB/zANBgkq
+hkiG9w0BAQsFAAOCAQEATCKw10zkCI21nuNppQZKFbHf/m3IZR9mZYYU0tKBSIy7
+KoCTHZUTadbJuDzJ8eDRiqnUuXHUXNijykEphvfpckNDhb6ty5g707kET3EYDfkh
+S1EKet2clM9DRqqcmFt3cyOmLJE3we7NjrNOuKNiwuXbGrqTTqNkqiiB3gWYOpSM
+uwtCz1Syyl4y5sjocedkikqaeIKtl2htN3tEYd0BfLNVo5hN/syP8WDT6FdpCDpY
+lZ2nqT622KDuusORCMTiC1qgUVR3RghPHy55Jq6Qq1+a1//E/Q9OfCs98JeUnoSp
+W/q1hUVlSN0Edsn1T5LehGMjiH3UVszWvEThUqNHuA==
+-----END CERTIFICATE-----

x-pack/plugin/security/qa/multi-cluster/src/javaRestTest/resources/signing/signing.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJTCCAg2gAwIBAgIVAIXaEONwJyih5d7KhnPYfqW5eNgKMA0GCSqGSIb3DQEB
+CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu
+ZXJhdGVkIENBMCAXDTI1MDkxODA5NDQwMVoYDzIwNTMwMjAzMDk0NDAxWjATMREw
+DwYDVQQDEwhpbnN0YW5jZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AJCOS/v9I34GaRD4BoMpIa/zhL1TBc1tqIDFKDm4Y/g4a+KUMJlaqHFRZkNI35LF
+TkgMkRJUrWEunXJ2wf2A2s+7xWykSoa+nJ2qghwDgBtoSBWSm6I2Hi9n400Mmde/
+xg912NzlfLJZH3la3/w3u7ENUY3GTNLeE5s5CpZAcOk+KQ/2/1Y7TgKPxyhbNtRA
+2whWD862pnJypskQ9UGgB3Zq5h+2llQ2sB367pE77DyvXReKLHfCtA3lmTob6pLm
+fK2cIBEJDwkFaAgrcWH5MwMkn+4v/Xw1PjAI4AVMOge+Rxt6waWxqQIJvOoyccXY
+Vdvo8swUAjMPnR6E/5+bwykCAwEAAaNNMEswHQYDVR0OBBYEFH1XQX26JBIwvu95
+xPhSCqOFrz9IMB8GA1UdIwQYMBaAFJS9T+zO/2Ag1C1HjFBz8QzLR0/bMAkGA1Ud
+EwQCMAAwDQYJKoZIhvcNAQELBQADggEBAIF/LkOYm52Q+buBqGS380HWkNitTLG2
+8qtICtXtLYd9673+c3RNIrW2CGFq3Z3TJ60FNvVT1z6NKiR8ZPUeqN+Avq5qN+dB
+u9SPRFOrszlD6+2ZkNaZyRs2w6NQa6zBZWs0Zp3+ouu4fUEdsa/UmKud6njLaAGA
+Rq8Sc7ckssykh1HKk8dOJt83GlvsBGXKALNv3vfHnMj+5XHC2NzZS5bn1IXWQE5z
+0z5cHHD4NHiuGBnTl7MI8KzrF/Axwc2krsVO7WIQ/GpDVVwrCoKyvNm54GfpIAE/
+ndH7bu9hGVM6swzpAdhQC/HK6Vc0NoGfoARXVRtxuEZmoq2amixHJJU=
+-----END CERTIFICATE-----