From be265dfdfdfce2f32ab453b9ea75cb5b353515f2 Mon Sep 17 00:00:00 2001
From: Tim Vernum
Date: Mon, 30 Dec 2019 16:51:42 +1100
Subject: [PATCH] Populate OpenIDConnect metadata collections

The OpenIdConnectRealm had a bug which would cause it not to populate User metadata for collections contained in the user JWT claims. This commit fixes that bug.
Resolves: #50250
---
 .../xpack/security/authc/oidc/OpenIdConnectRealm.java | 4 ++--
 .../xpack/security/authc/oidc/OpenIdConnectRealmTests.java | 7 ++++++-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealm.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealm.java
index a3bc026e330f2..4e05d82db82f7 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealm.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealm.java
@@ -48,7 +48,7 @@ import java.net.URI;
 import java.net.URISyntaxException;
-import java.util.Collections;
+import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -215,7 +215,7 @@ private void buildUserFromClaims(JWTClaimsSet claims, ActionListener "oidc(" + entry.getKey() + ")", Map.Entry::getValue)); } else { userMetadata = Map.of();
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java
index 58e3a69da5be4..5e69378bea0fc 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealmTests.java
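Review bot: The new side of the `@@ -215` hunk in OpenIdConnectRealm.java is not legible here (the generic arguments around `ActionListener` and the replaced statement appear to have been stripped), so this point is hedged: whichever branch now accepts `Collection`-valued claims should store a copy of the claim value rather than the object obtained from `JWTClaimsSet`, for example `List.copyOf(...)` when the value is a non-null list, so that User metadata neither aliases the parsed token nor can be mutated through it later; `List.copyOf` rejects null elements, so a claim containing nulls would need handling first. A comment on that branch such as `// collection-valued claims (e.g. groups) are copied into metadata under oidc(<claim>)` would document the behaviour this commit introduces, since the surrounding code only shows the scalar and empty cases. The body of `buildUserFromClaims` starts and ends outside the hunk.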
@@ -16,7 +16,6 @@
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.env.TestEnvironment;
 import org.elasticsearch.license.XPackLicenseState;
-
 import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectLogoutResponse;
 import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectPrepareAuthenticationResponse;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
@@ -31,6 +30,7 @@
 import org.junit.Before;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
 import java.util.HashSet;
@@ -43,6 +43,7 @@
 import static org.elasticsearch.xpack.core.security.authc.RealmSettings.getFullSettingKey;
 import static org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectRealm.CONTEXT_TOKEN_DATA;
 import static org.hamcrest.Matchers.arrayContainingInAnyOrder;
+import static org.hamcrest.Matchers.contains;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.instanceOf;
@@ -91,6 +92,10 @@ public void testAuthentication() throws Exception {
         } else {
             assertThat(result.getUser().metadata().get("oidc(iss)"), equalTo("https://op.company.org"));
             assertThat(result.getUser().metadata().get("oidc(name)"), equalTo("Clinton Barton"));
+            final Object groups = result.getUser().metadata().get("oidc(groups)");
+            assertThat(groups, notNullValue());
+            assertThat(groups, instanceOf(Collection.class));
+            assertThat((Collection) groups, contains("group1", "group2", "groups3"));
         }
     }
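Review bot: `assertThat((Collection) groups, contains("group1", "group2", "groups3"));` in the testAuthentication hunk casts to the raw type and pins element order; `(Collection<?>) groups` avoids the rawtypes warning, and because `contains` is order-sensitive the assertion only holds if the realm preserves the claim's element order when it copies the value into metadata — if that is not a guarantee the realm intends to make, `containsInAnyOrder` is the safer matcher. The expected element `groups3` next to `group1` and `group2` reads like a typo unless it mirrors the claim built earlier in the test, which is outside this hunk. testAuthentication begins before the hunk.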