Description
Is your feature request related to a problem?
Currently there is no option to use X509v3 extension fields for authentication, which would allow for enhanced certificate authentication.
What solution would you like?
We need functionality added to the security plugin in OpenSearch to read the "X509v3 Subject Alternative Name:" field from the certificate content.
This will use the username_attribute field to configure this attribute in config.yaml in the OpenSearch security config. This value in the certificate will be compared with the role-mapped username in OpenSearch. This is a request to add "X509v3 Subject Alternative Name:" as an additional possible username_attribute value along with the existing possible attributes such as CN and DN.
```
X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Authority Key Identifier:
        keyid:<generated value>
    Authority Information Access:
        CA Issuers - URI:<generated value>
        OCSP - URI:<generated value>
    X509v3 Subject Alternative Name:
        <generated value: this is the field that can be used for authentication>
    X509v3 Extended Key Usage:
        TLS Web Client Authentication
    X509v3 CRL Distribution Points:
        Full Name:
          URI:<generated value>
    X509v3 Subject Key Identifier:
        <generated value: this is another field that can be used for authentication>
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
```
The config block below is from config.yaml, where the username attribute needs to be set to "X509v3 Subject Alternative Name"; the code in the security plugin then needs to be enhanced to use this attribute to compare the user, along with the existing possible values such as dn or cn.
```yaml
clientcert_auth_domain:
  authentication_backend:
    type: "noop"
  description: "Authenticate via SSL client certificates"
  http_authenticator:
    challenge: false
    config:
      username_attribute: null
    type: "clientcert"
  http_enabled: true
  order: 2
  transport_enabled: false
```
After the change, the config will also allow the username_attribute option to be configured as below.
```yaml
clientcert_auth_domain:
  authentication_backend:
    type: "noop"
  description: "Authenticate via SSL client certificates"
  http_authenticator:
    challenge: false
    config:
      username_attribute: "X509v3 Subject Alternative Name"
    type: "clientcert"
  http_enabled: true
  order: 2
  transport_enabled: false
```
The code should ensure that backward compatibility for configuring the cn or dn attribute in config.yaml remains intact.
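As an added illustration (not code from the OpenSearch security plugin), the Java below sketches how a clientcert authenticator could resolve the principal name for each username_attribute value, keeping the existing cn/dn behaviour and adding the SAN option requested here. The class and method names, the case-insensitive match on the attribute string, and the choice of the first string-valued SAN entry are assumptions.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public final class ClientCertUsername {

    // Hypothetical: the username_attribute value proposed in this request.
    static final String SAN_ATTRIBUTE = "X509v3 Subject Alternative Name";

    // Returns the name to compare with role mappings, or null when the
    // configured attribute is absent from the (already chain-validated) cert.
    static String resolve(X509Certificate cert, String usernameAttribute)
            throws CertificateParsingException, InvalidNameException {
        String dn = cert.getSubjectX500Principal().getName(); // RFC 2253 form
        if (usernameAttribute == null || usernameAttribute.equalsIgnoreCase("dn")) {
            return dn;                                         // existing: whole DN
        }
        if (usernameAttribute.equalsIgnoreCase(SAN_ATTRIBUTE)) {
            return firstSan(cert);                             // new: SAN entry
        }
        // Existing behaviour: any other value is an RDN type such as "cn".
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if (rdn.getType().equalsIgnoreCase(usernameAttribute)) {
                return String.valueOf(rdn.getValue());
            }
        }
        return null;
    }

    // Picks the first SAN entry of type rfc822Name (1), dNSName (2) or URI (6).
    // A certificate may carry several SANs; which one is authoritative should be
    // a deliberate policy choice, so this keeps the rule explicit in one place.
    // otherName (0) entries arrive as DER bytes and are skipped here.
    static String firstSan(X509Certificate cert) throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            return null; // no SAN extension: caller treats this as "no username"
        }
        for (List<?> entry : sans) {
            int type = (Integer) entry.get(0);
            if ((type == 1 || type == 2 || type == 6) && entry.get(1) instanceof String) {
                return (String) entry.get(1);
            }
        }
        return null;
    }
}
```

Returning null rather than falling back to the DN keeps a misconfigured or SAN-less certificate from silently authenticating under a different identity.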
What alternatives have you considered?
The enhanced functionality is not available.
Do you have any additional context?
The additional SAN attributes help with more granular authentication and authorization.