Cache API key hashing results on creation time (#74106) (#74161)

The API key hashing result is now cached on the creation time of an API key,
i.e. pre-warm the cache. Previously it is cached when the API key is
authenticated for the first time. Since it is reasonable to assume that an API
key will be used shortly after its creation, this change has following
advantages:

* It removes the need for expensive pbkdf2 hashing computation on
  authentication time and therefore reduces overall server load
* It makes the first authentication faster

We expect all keys to be used, that is, caching on creation time does not
change the total number of keys need to be cached. Hence this PR does not
introduce any extra logic to fine tune whether a key should be cached (for
example, only cache if the load factor is lower than certain threshold etc.).

Author: ywangd

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/ApiKeyIntegTests.java

@@ -1003,6 +1003,7 @@ public void testAuthenticationReturns429WhenThreadPoolIsSaturated() throws IOExc
         final Settings settings = internalCluster().getInstance(Settings.class, nodeName);
         final int allocatedProcessors = EsExecutors.allocatedProcessors(settings);
         final ThreadPool threadPool = internalCluster().getInstance(ThreadPool.class, nodeName);
+        final ApiKeyService apiKeyService = internalCluster().getInstance(ApiKeyService.class, nodeName);
 
         final RoleDescriptor descriptor = new RoleDescriptor("auth_only", new String[] { }, null, null);
         final Client client = client().filterWithHeader(
@@ -1016,6 +1017,8 @@ public void testAuthenticationReturns429WhenThreadPoolIsSaturated() throws IOExc
 
         assertNotNull(createApiKeyResponse.getId());
         assertNotNull(createApiKeyResponse.getKey());
+        // Clear the auth cache to force recompute the expensive hash which requires the crypto thread pool
+        apiKeyService.getApiKeyAuthCache().invalidateAll();
 
         final List<NodeInfo> nodeInfos = client().admin().cluster().prepareNodesInfo().get().getNodes().stream()
             .filter(nodeInfo -> nodeInfo.getNode().getName().equals(nodeName))

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java

@@ -286,7 +286,8 @@ private void createApiKeyAndIndexIt(Authentication authentication, CreateApiKeyR
                     Version.V_6_7_0);
         }
 
-        try (XContentBuilder builder = newDocument(apiKey, request.getName(), authentication, roleDescriptorSet, created, expiration,
+        try (XContentBuilder builder = newDocument(apiKey, request.getName(), authentication,
+            roleDescriptorSet, created, expiration,
             request.getRoleDescriptors(), version, request.getMetadata())) {
 
             final IndexRequest indexRequest =
@@ -299,8 +300,13 @@ private void createApiKeyAndIndexIt(Authentication authentication, CreateApiKeyR
             securityIndex.prepareIndexIfNeededThenExecute(listener::onFailure, () ->
                 executeAsyncWithOrigin(client, SECURITY_ORIGIN, BulkAction.INSTANCE, bulkRequest,
                     TransportSingleItemBulkWriteAction.<IndexResponse>wrapBulkResponse(ActionListener.wrap(
-                        indexResponse -> listener.onResponse(
-                            new CreateApiKeyResponse(request.getName(), indexResponse.getId(), apiKey, expiration)),
+                        indexResponse -> {
+                            final ListenableFuture<CachedApiKeyHashResult> listenableFuture = new ListenableFuture<>();
+                            listenableFuture.onResponse(new CachedApiKeyHashResult(true, apiKey));
+                            apiKeyAuthCache.put(indexResponse.getId(), listenableFuture);
+                            listener.onResponse(
+                                new CreateApiKeyResponse(request.getName(), indexResponse.getId(), apiKey, expiration));
+                        },
                         listener::onFailure))));
         } catch (IOException e) {
             listener.onFailure(e);
@@ -311,15 +317,16 @@ private void createApiKeyAndIndexIt(Authentication authentication, CreateApiKeyR
      * package-private for testing
      */
     XContentBuilder newDocument(SecureString apiKey, String name, Authentication authentication, Set<RoleDescriptor> userRoles,
-                                        Instant created, Instant expiration, List<RoleDescriptor> keyRoles,
-                                        Version version, @Nullable Map<String, Object> metadata) throws IOException {
+                                Instant created, Instant expiration, List<RoleDescriptor> keyRoles,
+                                Version version, @Nullable Map<String, Object> metadata) throws IOException {
         XContentBuilder builder = XContentFactory.jsonBuilder();
         builder.startObject()
             .field("doc_type", "api_key")
             .field("creation_time", created.toEpochMilli())
             .field("expiration_time", expiration == null ? null : expiration.toEpochMilli())
             .field("api_key_invalidated", false);
 
+
         byte[] utf8Bytes = null;
         final char[] keyHash = hasher.hash(apiKey);
         try {
@@ -1186,7 +1193,7 @@ final class CachedApiKeyHashResult {
             this.hash = cacheHasher.hash(apiKey);
         }
 
-        private boolean verify(SecureString password) {
+        boolean verify(SecureString password) {
             return hash != null && cacheHasher.verify(password, hash);
         }
     }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java

@@ -10,15 +10,20 @@
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.Version;
 import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.action.DocWriteRequest;
 import org.elasticsearch.action.bulk.BulkAction;
+import org.elasticsearch.action.bulk.BulkItemResponse;
 import org.elasticsearch.action.bulk.BulkRequest;
+import org.elasticsearch.action.bulk.BulkResponse;
 import org.elasticsearch.action.get.GetRequest;
 import org.elasticsearch.action.index.IndexAction;
 import org.elasticsearch.action.index.IndexRequestBuilder;
+import org.elasticsearch.action.index.IndexResponse;
 import org.elasticsearch.action.support.PlainActionFuture;
 import org.elasticsearch.client.Client;
 import org.elasticsearch.common.bytes.BytesArray;
 import org.elasticsearch.common.bytes.BytesReference;
+import org.elasticsearch.common.cache.Cache;
 import org.elasticsearch.common.util.concurrent.ListenableFuture;
 import org.elasticsearch.core.Tuple;
 import org.elasticsearch.common.settings.SecureString;
@@ -35,6 +40,7 @@
 import org.elasticsearch.common.xcontent.XContentType;
 import org.elasticsearch.common.xcontent.json.JsonXContent;
 import org.elasticsearch.index.get.GetResult;
+import org.elasticsearch.index.shard.ShardId;
 import org.elasticsearch.license.XPackLicenseState;
 import org.elasticsearch.test.ClusterServiceUtils;
 import org.elasticsearch.test.ESTestCase;
@@ -170,6 +176,41 @@ public void testCreateApiKeyWillUseBulkAction() {
         verify(client).execute(eq(BulkAction.INSTANCE), any(BulkRequest.class), any());
     }
 
+    public void testCreateApiKeyWillCacheOnCreation() {
+        final Settings settings = Settings.builder().put(XPackSettings.API_KEY_SERVICE_ENABLED_SETTING.getKey(), true).build();
+        final ApiKeyService service = createApiKeyService(settings);
+        final Authentication authentication = new Authentication(
+            new User(randomAlphaOfLengthBetween(8, 16), "superuser"),
+            new RealmRef(randomAlphaOfLengthBetween(3, 8), randomAlphaOfLengthBetween(3, 8), randomAlphaOfLengthBetween(3, 8)),
+            null);
+        final CreateApiKeyRequest createApiKeyRequest = new CreateApiKeyRequest(randomAlphaOfLengthBetween(3, 8), null, null);
+        when(client.prepareIndex(anyString(), anyString())).thenReturn(new IndexRequestBuilder(client, IndexAction.INSTANCE));
+        when(client.threadPool()).thenReturn(threadPool);
+        final String apiKeyId = randomAlphaOfLength(22);
+        doAnswer(inv -> {
+            final Object[] args = inv.getArguments();
+            @SuppressWarnings("unchecked")
+            final ActionListener<BulkResponse> listener = (ActionListener<BulkResponse>) args[2];
+            final IndexResponse indexResponse = new IndexResponse(
+                new ShardId(INTERNAL_SECURITY_MAIN_INDEX_7, randomAlphaOfLength(22), randomIntBetween(0, 1)),
+                SINGLE_MAPPING_NAME, apiKeyId, randomLongBetween(1, 99), randomLongBetween(1, 99), randomIntBetween(1, 99), true);
+            listener.onResponse(new BulkResponse(new BulkItemResponse[]{
+                new BulkItemResponse(randomInt(), DocWriteRequest.OpType.INDEX, indexResponse)
+            }, randomLongBetween(0, 100)));
+            return null;
+        }).when(client).execute(eq(BulkAction.INSTANCE), any(BulkRequest.class), any());
+
+        final Cache<String, ListenableFuture<CachedApiKeyHashResult>> apiKeyAuthCache = service.getApiKeyAuthCache();
+        assertNull(apiKeyAuthCache.get(apiKeyId));
+        final PlainActionFuture<CreateApiKeyResponse> listener = new PlainActionFuture<>();
+        service.createApiKey(authentication, createApiKeyRequest, org.elasticsearch.core.Set.of(), listener);
+        final CreateApiKeyResponse createApiKeyResponse = listener.actionGet();
+        assertThat(createApiKeyResponse.getId(), equalTo(apiKeyId));
+        final CachedApiKeyHashResult cachedApiKeyHashResult = service.getFromCache(createApiKeyResponse.getId());
+        assertThat(cachedApiKeyHashResult.success, is(true));
+        cachedApiKeyHashResult.verify(createApiKeyResponse.getKey());
+    }
+
     public void testGetCredentialsFromThreadContext() {
         ThreadContext threadContext = threadPool.getThreadContext();
         assertNull(ApiKeyService.getCredentialsFromHeader(threadContext));