Add integration testing for CrossCluster API Key certificate_identity field

Author: gmjehovich

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/apikey/ApiKey.java

@@ -435,6 +435,8 @@ public String toString() {
  + roleDescriptors
  + ", limited_by="
  + limitedBy
+ + ", certificate_identity"
+ + certificateIdentity
  + "]";
  }
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/apikey/BaseBulkUpdateApiKeyRequest.java

@@ -55,11 +55,12 @@ public boolean equals(Object o) {
  return Objects.equals(getIds(), that.getIds())
  && Objects.equals(metadata, that.metadata)
  && Objects.equals(expiration, that.expiration)
- && Objects.equals(roleDescriptors, that.roleDescriptors);
+ && Objects.equals(roleDescriptors, that.roleDescriptors)
+ && Objects.equals(certificateIdentity, that.certificateIdentity);
  }
 
  @Override
  public int hashCode() {
- return Objects.hash(getIds(), expiration, metadata, roleDescriptors);
+ return Objects.hash(getIds(), expiration, metadata, roleDescriptors, certificateIdentity);
  }
 }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/apikey/BulkUpdateApiKeyRequest.java

@@ -18,25 +18,27 @@
 public final class BulkUpdateApiKeyRequest extends BaseBulkUpdateApiKeyRequest {
 
  public static BulkUpdateApiKeyRequest usingApiKeyIds(String... ids) {
- return new BulkUpdateApiKeyRequest(Arrays.stream(ids).toList(), null, null, null);
+ return new BulkUpdateApiKeyRequest(Arrays.stream(ids).toList(), null, null, null, null);
  }
 
  public static BulkUpdateApiKeyRequest wrap(final UpdateApiKeyRequest request) {
  return new BulkUpdateApiKeyRequest(
  List.of(request.getId()),
  request.getRoleDescriptors(),
  request.getMetadata(),
- request.getExpiration()
+ request.getExpiration(),
+ null
  );
  }
 
  public BulkUpdateApiKeyRequest(
  final List<String> ids,
  @Nullable final List<RoleDescriptor> roleDescriptors,
  @Nullable final Map<String, Object> metadata,
- @Nullable final TimeValue expiration
+ @Nullable final TimeValue expiration,
+ @Nullable final String certificateIdentity
  ) {
- super(ids, roleDescriptors, metadata, expiration);
+ super(ids, roleDescriptors, metadata, expiration, null);
  }
 
  @Override

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/apikey/BulkUpdateApiKeyRequestTranslator.java

@@ -41,7 +41,8 @@ protected static ConstructingObjectParser<BulkUpdateApiKeyRequest, Void> createP
  (List<String>) a[0],
  (List<RoleDescriptor>) a[1],
  (Map<String, Object>) a[2],
- TimeValue.parseTimeValue((String) a[3], null, "expiration")
+ TimeValue.parseTimeValue((String) a[3], null, "expiration"),
+ null
  )
  );
  parser.declareStringArray(constructorArg(), new ParseField("ids"));

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/apikey/UpdateApiKeyRequest.java

@@ -16,14 +16,15 @@
 
 public final class UpdateApiKeyRequest extends BaseSingleUpdateApiKeyRequest {
  public static UpdateApiKeyRequest usingApiKeyId(final String id) {
- return new UpdateApiKeyRequest(id, null, null, null);
+ return new UpdateApiKeyRequest(id, null, null, null, null);
  }
 
  public UpdateApiKeyRequest(
  final String id,
  @Nullable final List<RoleDescriptor> roleDescriptors,
  @Nullable final Map<String, Object> metadata,
- @Nullable final TimeValue expiration
+ @Nullable final TimeValue expiration,
+ @Nullable final String certificateIdentity
  ) {
  super(roleDescriptors, metadata, expiration, id, certificateIdentity);
  }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/apikey/UpdateApiKeyRequestTranslator.java

@@ -37,7 +37,8 @@ protected static ConstructingObjectParser<Payload, Void> createParser(
  a -> new Payload(
  (List<RoleDescriptor>) a[0],
  (Map<String, Object>) a[1],
- TimeValue.parseTimeValue((String) a[2], null, "expiration")
+ TimeValue.parseTimeValue((String) a[2], null, "expiration"),
+ (String) a[3]
  )
  );
  parser.declareNamedObjects(optionalConstructorArg(), (p, c, n) -> {
@@ -46,6 +47,7 @@ protected static ConstructingObjectParser<Payload, Void> createParser(
  }, new ParseField("role_descriptors"));
  parser.declareObject(optionalConstructorArg(), (p, c) -> p.map(), new ParseField("metadata"));
  parser.declareString(optionalConstructorArg(), new ParseField("expiration"));
+ parser.declareString(optionalConstructorArg(), new ParseField("certificate_identity"));
  return parser;
  }
 
@@ -59,9 +61,20 @@ public UpdateApiKeyRequest translate(RestRequest request) throws IOException {
  return UpdateApiKeyRequest.usingApiKeyId(apiKeyId);
  }
  final Payload payload = PARSER.parse(request.contentParser(), null);
- return new UpdateApiKeyRequest(apiKeyId, payload.roleDescriptors, payload.metadata, payload.expiration);
+ return new UpdateApiKeyRequest(
+ apiKeyId,
+ payload.roleDescriptors,
+ payload.metadata,
+ payload.expiration,
+ payload.certificateIdentity
+ );
  }
 
- protected record Payload(List<RoleDescriptor> roleDescriptors, Map<String, Object> metadata, TimeValue expiration) {}
+ protected record Payload(
+ List<RoleDescriptor> roleDescriptors,
+ Map<String, Object> metadata,
+ TimeValue expiration,
+ String certificateIdentity
+ ) {}
  }
 }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/apikey/UpdateCrossClusterApiKeyRequest.java

@@ -36,9 +36,9 @@ public ApiKey.Type getType() {
  @Override
  public ActionRequestValidationException validate() {
  ActionRequestValidationException validationException = super.validate();
- if (roleDescriptors == null && metadata == null) {
+ if (roleDescriptors == null && metadata == null && certificateIdentity == null) {
  validationException = addValidationError(
- "must update either [access] or [metadata] for cross-cluster API keys",
+ "must update [access] or [metadata] or [certificate_identity] for cross-cluster API keys",
  validationException
  );
  }

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/action/apikey/BulkUpdateApiKeyRequestTests.java

@@ -26,7 +26,7 @@ public void testNullValuesValidForNonIds() {
  }
 
  public void testEmptyIdsNotValid() {
- final var request = new BulkUpdateApiKeyRequest(List.of(), null, null, null);
+ final var request = new BulkUpdateApiKeyRequest(List.of(), null, null, null, null);
  final ActionRequestValidationException ve = request.validate();
  assertNotNull(ve);
  assertThat(ve.validationErrors().size(), equalTo(1));
@@ -41,7 +41,8 @@ public void testMetadataKeyValidation() {
  randomList(1, 5, () -> randomAlphaOfLength(10)),
  null,
  Map.of(reservedKey, metadataValue),
- expiration
+ expiration,
+ null
  );
  final ActionRequestValidationException ve = request.validate();
  assertNotNull(ve);
@@ -76,6 +77,7 @@ public void testRoleDescriptorValidation() {
  )
  ),
  null,
+ null,
  null
  );
  final ActionRequestValidationException ve = request.validate();

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/action/apikey/UpdateApiKeyRequestTests.java

@@ -23,15 +23,15 @@
 public class UpdateApiKeyRequestTests extends ESTestCase {
 
  public void testNullValuesValidForNonIds() {
- final var request = new UpdateApiKeyRequest("id", null, null, null);
+ final var request = new UpdateApiKeyRequest("id", null, null, null, null);
  assertNull(request.validate());
  }
 
  public void testMetadataKeyValidation() {
  final var reservedKey = "_" + randomAlphaOfLengthBetween(0, 10);
  final var metadataValue = randomAlphaOfLengthBetween(1, 10);
 
- UpdateApiKeyRequest request = new UpdateApiKeyRequest(randomAlphaOfLength(10), null, Map.of(reservedKey, metadataValue), null);
+ UpdateApiKeyRequest request = new UpdateApiKeyRequest(randomAlphaOfLength(10), null, Map.of(reservedKey, metadataValue), null, null);
  final ActionRequestValidationException ve = request.validate();
  assertNotNull(ve);
  assertThat(ve.validationErrors().size(), equalTo(1));
@@ -68,6 +68,7 @@ public void testRoleDescriptorValidation() {
  )
  ),
  null,
+ null,
  null
  );
  final ActionRequestValidationException ve1 = request1.validate();

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/action/apikey/UpdateCrossClusterApiKeyRequestTests.java

@@ -18,7 +18,7 @@
 public class UpdateCrossClusterApiKeyRequestTests extends ESTestCase {
 
  public void testNotEmptyUpdateValidation() {
- final var request = new UpdateCrossClusterApiKeyRequest(randomAlphaOfLength(10), null, null, null);
+ final var request = new UpdateCrossClusterApiKeyRequest(randomAlphaOfLength(10), null, null, null, null);
  final ActionRequestValidationException ve = request.validate();
  assertThat(ve, notNullValue());
  assertThat(ve.validationErrors(), contains("must update either [access] or [metadata] for cross-cluster API keys"));
@@ -27,7 +27,7 @@ public void testNotEmptyUpdateValidation() {
  public void testMetadataKeyValidation() {
  final var reservedKey = "_" + randomAlphaOfLengthBetween(0, 10);
  final var metadataValue = randomAlphaOfLengthBetween(1, 10);
- final var request = new UpdateCrossClusterApiKeyRequest(randomAlphaOfLength(10), null, Map.of(reservedKey, metadataValue), null);
+ final var request = new UpdateCrossClusterApiKeyRequest(randomAlphaOfLength(10), null, Map.of(reservedKey, metadataValue), null, null);
  final ActionRequestValidationException ve = request.validate();
  assertThat(ve, notNullValue());
  assertThat(ve.validationErrors(), contains("API key metadata keys may not start with [_]"));