[Kerberos] Refactoring and remove configs with defaults (#32152)

This commit does some refactoring to remove support package
and move classes to kerberos package.
That was the only class in that package, so no need for it to be in
separate package.
Changes done to use default values for jaas configuration options
for the ones which we can use defaults.
Fix couple of random failures in tests.
Modified `refreshKrb5Config` to use default value `false` in
KerberosTicketValidator. If the krb5.conf file is modified then we
will need to restart JVM as the config will not be refreshed.
For testing, `refreshKrb5Config` is set to `true` as we keep
changing the kdc port. This is set in SpnegoClient and only for tests.

Author: bizybot

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealm.java

@@ -20,7 +20,6 @@
 import org.elasticsearch.xpack.core.security.authc.RealmConfig;
 import org.elasticsearch.xpack.core.security.authc.kerberos.KerberosRealmSettings;
 import org.elasticsearch.xpack.core.security.user.User;
-import org.elasticsearch.xpack.security.authc.kerberos.support.KerberosTicketValidator;
 import org.elasticsearch.xpack.security.authc.support.CachingRealm;
 import org.elasticsearch.xpack.security.authc.support.UserRoleMapper;
 import org.elasticsearch.xpack.security.authc.support.mapper.NativeRoleMappingStore;

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/kerberos/support/KerberosTicketValidator.java renamed to x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTicketValidator.java

@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-package org.elasticsearch.xpack.security.authc.kerberos.support;
+package org.elasticsearch.xpack.security.authc.kerberos;
 
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.ExceptionsHelper;
@@ -262,8 +262,6 @@ public AppConfigurationEntry[] getAppConfigurationEntry(final String name) {
             options.put("useKeyTab", Boolean.TRUE.toString());
             options.put("storeKey", Boolean.TRUE.toString());
             options.put("doNotPrompt", Boolean.TRUE.toString());
-            options.put("renewTGT", Boolean.FALSE.toString());
-            options.put("refreshKrb5Config", Boolean.TRUE.toString());
             options.put("isInitiator", Boolean.FALSE.toString());
             options.put("debug", Boolean.toString(krbDebug));
 

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmAuthenticateFailedTests.java

@@ -67,18 +67,17 @@ public void testAuthenticateDifferentFailureScenarios() throws LoginException, G
         final boolean nullKerberosAuthnToken = rarely();
         final KerberosAuthenticationToken kerberosAuthenticationToken =
                 nullKerberosAuthnToken ? null : new KerberosAuthenticationToken(decodedTicket);
-
-        final PlainActionFuture<AuthenticationResult> future = new PlainActionFuture<>();
-        kerberosRealm.authenticate(kerberosAuthenticationToken, future);
-        AuthenticationResult result = future.actionGet();
-        assertThat(result, is(notNullValue()));
         if (nullKerberosAuthnToken) {
-            assertThat(result.getStatus(), is(equalTo(AuthenticationResult.Status.CONTINUE)));
+            expectThrows(AssertionError.class,
+                    () -> kerberosRealm.authenticate(kerberosAuthenticationToken, PlainActionFuture.newFuture()));
         } else {
+            final PlainActionFuture<AuthenticationResult> future = new PlainActionFuture<>();
+            kerberosRealm.authenticate(kerberosAuthenticationToken, future);
+            AuthenticationResult result = future.actionGet();
+            assertThat(result, is(notNullValue()));
             if (validTicket) {
                 final String expectedUsername = maybeRemoveRealmName(username);
-                final User expectedUser = new User(expectedUsername, roles.toArray(new String[roles.size()]), null, null, null,
-                        true);
+                final User expectedUser = new User(expectedUsername, roles.toArray(new String[roles.size()]), null, null, null, true);
                 assertSuccessAuthenticationResult(expectedUser, outToken, result);
             } else {
                 assertThat(result.getStatus(), is(equalTo(AuthenticationResult.Status.TERMINATE)));

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmBootstrapCheckTests.java

@@ -14,7 +14,6 @@
 import org.elasticsearch.xpack.core.security.authc.RealmSettings;
 import org.elasticsearch.xpack.core.security.authc.kerberos.KerberosRealmSettings;
 import org.elasticsearch.xpack.core.security.authc.pki.PkiRealmSettings;
-import org.elasticsearch.xpack.security.authc.kerberos.support.KerberosTestCase;
 
 import java.io.IOException;
 import java.nio.file.Path;

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmCacheTests.java

@@ -12,7 +12,6 @@
 import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
 import org.elasticsearch.xpack.core.security.authc.kerberos.KerberosRealmSettings;
 import org.elasticsearch.xpack.core.security.user.User;
-import org.elasticsearch.xpack.security.authc.kerberos.support.KerberosTestCase;
 import org.elasticsearch.xpack.security.authc.support.UserRoleMapper.UserData;
 import org.ietf.jgss.GSSException;
 

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmSettingsTests.java

@@ -10,7 +10,6 @@
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.core.security.authc.kerberos.KerberosRealmSettings;
-import org.elasticsearch.xpack.security.authc.kerberos.support.KerberosTestCase;
 
 import java.io.IOException;
 import java.nio.file.Files;

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosRealmTestCase.java

@@ -6,13 +6,12 @@
 
 package org.elasticsearch.xpack.security.authc.kerberos;
 
-import com.google.common.collect.Sets;
-
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.client.Client;
 import org.elasticsearch.common.collect.Tuple;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
+import org.elasticsearch.common.util.set.Sets;
 import org.elasticsearch.env.TestEnvironment;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.threadpool.TestThreadPool;
@@ -23,8 +22,6 @@
 import org.elasticsearch.xpack.core.security.authc.kerberos.KerberosRealmSettings;
 import org.elasticsearch.xpack.core.security.support.Exceptions;
 import org.elasticsearch.xpack.core.security.user.User;
-import org.elasticsearch.xpack.security.authc.kerberos.support.KerberosTestCase;
-import org.elasticsearch.xpack.security.authc.kerberos.support.KerberosTicketValidator;
 import org.elasticsearch.xpack.security.authc.support.UserRoleMapper;
 import org.elasticsearch.xpack.security.authc.support.mapper.NativeRoleMappingStore;
 import org.elasticsearch.xpack.security.support.SecurityIndexManager;

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/support/KerberosTestCase.java renamed to x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTestCase.java

@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-package org.elasticsearch.xpack.security.authc.kerberos.support;
+package org.elasticsearch.xpack.security.authc.kerberos;
 
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.ExceptionsHelper;
@@ -69,6 +69,7 @@ public abstract class KerberosTestCase extends ESTestCase {
         unsupportedLocaleLanguages.add("hi");
         unsupportedLocaleLanguages.add("uz");
         unsupportedLocaleLanguages.add("fa");
+        unsupportedLocaleLanguages.add("ks");
     }
 
     @BeforeClass

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/support/KerberosTicketValidatorTests.java renamed to x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/KerberosTicketValidatorTests.java

@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-package org.elasticsearch.xpack.security.authc.kerberos.support;
+package org.elasticsearch.xpack.security.authc.kerberos;
 
 import org.elasticsearch.action.support.PlainActionFuture;
 import org.elasticsearch.common.collect.Tuple;
@@ -13,6 +13,7 @@
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.env.TestEnvironment;
 import org.elasticsearch.xpack.core.security.authc.kerberos.KerberosRealmSettings;
+import org.elasticsearch.xpack.security.authc.kerberos.KerberosTicketValidator;
 import org.ietf.jgss.GSSException;
 
 import java.io.IOException;

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/support/SimpleKdcLdapServer.java renamed to x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/SimpleKdcLdapServer.java

@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-package org.elasticsearch.xpack.security.authc.kerberos.support;
+package org.elasticsearch.xpack.security.authc.kerberos;
 
 import com.unboundid.ldap.listener.InMemoryDirectoryServer;
 import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;