Deprecate the id field for the InvalidateApiKey API (#66317)

This PR deprecates the usage of the id field in the payload for the
InvalidateApiKey API. The ids field introduced in #63224 is now the recommended
way for performing (bulk) API key invalidation.

Author: ywangd

client/rest-high-level/src/main/java/org/elasticsearch/client/security/InvalidateApiKeyRequest.java

@@ -26,6 +26,9 @@
 import org.elasticsearch.common.xcontent.XContentBuilder;
 
 import java.io.IOException;
+import java.util.Arrays;
+import java.util.List;
+import java.util.stream.IntStream;
 
 /**
  * Request for invalidating API key(s) so that it can no longer be used
@@ -34,38 +37,62 @@ public final class InvalidateApiKeyRequest implements Validatable, ToXContentObj
 
     private final String realmName;
     private final String userName;
-    private final String id;
+    private final List<String> ids;
     private final String name;
     private final boolean ownedByAuthenticatedUser;
 
     // pkg scope for testing
+    @Deprecated
     InvalidateApiKeyRequest(@Nullable String realmName, @Nullable String userName, @Nullable String apiKeyId,
                             @Nullable String apiKeyName, boolean ownedByAuthenticatedUser) {
-        if (Strings.hasText(realmName) == false && Strings.hasText(userName) == false && Strings.hasText(apiKeyId) == false
-                && Strings.hasText(apiKeyName) == false && ownedByAuthenticatedUser == false) {
-            throwValidationError("One of [api key id, api key name, username, realm name] must be specified if [owner] flag is false");
+        this(realmName, userName, apiKeyName, ownedByAuthenticatedUser, apiKeyIdToIds(apiKeyId));
+    }
+
+    InvalidateApiKeyRequest(@Nullable String realmName, @Nullable String userName,
+                            @Nullable String apiKeyName, boolean ownedByAuthenticatedUser, @Nullable List<String> apiKeyIds) {
+        validateApiKeyIds(apiKeyIds);
+        if (Strings.hasText(realmName) == false && Strings.hasText(userName) == false && apiKeyIds == null
+            && Strings.hasText(apiKeyName) == false && ownedByAuthenticatedUser == false) {
+            throwValidationError("One of [api key id(s), api key name, username, realm name] must be specified if [owner] flag is false");
         }
-        if (Strings.hasText(apiKeyId) || Strings.hasText(apiKeyName)) {
+        if (apiKeyIds != null || Strings.hasText(apiKeyName)) {
             if (Strings.hasText(realmName) || Strings.hasText(userName)) {
                 throwValidationError(
-                        "username or realm name must not be specified when the api key id or api key name is specified");
+                    "username or realm name must not be specified when the api key id(s) or api key name is specified");
             }
         }
         if (ownedByAuthenticatedUser) {
             if (Strings.hasText(realmName) || Strings.hasText(userName)) {
                 throwValidationError("neither username nor realm-name may be specified when invalidating owned API keys");
             }
         }
-        if (Strings.hasText(apiKeyId) && Strings.hasText(apiKeyName)) {
-            throwValidationError("only one of [api key id, api key name] can be specified");
+        if (apiKeyIds != null && Strings.hasText(apiKeyName)) {
+            throwValidationError("only one of [api key id(s), api key name] can be specified");
         }
         this.realmName = realmName;
         this.userName = userName;
-        this.id = apiKeyId;
+        this.ids = apiKeyIds == null ? null : List.copyOf(apiKeyIds);
         this.name = apiKeyName;
         this.ownedByAuthenticatedUser = ownedByAuthenticatedUser;
     }
 
+    private void validateApiKeyIds(@Nullable List<String> apiKeyIds) {
+        if (apiKeyIds != null) {
+            if (apiKeyIds.size() == 0) {
+                throwValidationError("Argument [apiKeyIds] cannot be an empty array");
+            } else {
+                final int[] idxOfBlankIds = IntStream.range(0, apiKeyIds.size())
+                    .filter(i -> Strings.hasText(apiKeyIds.get(i)) == false).toArray();
+                if (idxOfBlankIds.length > 0) {
+                    throwValidationError("Argument [apiKeyIds] must not contain blank id, but got blank "
+                        + (idxOfBlankIds.length == 1 ? "id" : "ids") + " at index "
+                        + (idxOfBlankIds.length == 1 ? "position" : "positions") + ": "
+                        + Arrays.toString(idxOfBlankIds));
+                }
+            }
+        }
+    }
+
     private void throwValidationError(String message) {
         throw new IllegalArgumentException(message);
     }
@@ -78,8 +105,20 @@ public String getUserName() {
         return userName;
     }
 
+    @Deprecated
     public String getId() {
-        return id;
+        if (ids == null) {
+            return null;
+        } else if (ids.size() == 1) {
+            return ids.get(0);
+        } else {
+            throw new IllegalArgumentException("Cannot get a single api key id when multiple ids have been set ["
+                + Strings.collectionToCommaDelimitedString(ids) + "]");
+        }
+    }
+
+    public List<String> getIds() {
+        return ids;
     }
 
     public String getName() {
@@ -96,7 +135,7 @@ public boolean ownedByAuthenticatedUser() {
      * @return {@link InvalidateApiKeyRequest}
      */
     public static InvalidateApiKeyRequest usingRealmName(String realmName) {
-        return new InvalidateApiKeyRequest(realmName, null, null, null, false);
+        return new InvalidateApiKeyRequest(realmName, null, null, false, null);
     }
 
     /**
@@ -105,7 +144,7 @@ public static InvalidateApiKeyRequest usingRealmName(String realmName) {
      * @return {@link InvalidateApiKeyRequest}
      */
     public static InvalidateApiKeyRequest usingUserName(String userName) {
-        return new InvalidateApiKeyRequest(null, userName, null, null, false);
+        return new InvalidateApiKeyRequest(null, userName,  null, false, null);
     }
 
     /**
@@ -115,7 +154,7 @@ public static InvalidateApiKeyRequest usingUserName(String userName) {
      * @return {@link InvalidateApiKeyRequest}
      */
     public static InvalidateApiKeyRequest usingRealmAndUserName(String realmName, String userName) {
-        return new InvalidateApiKeyRequest(realmName, userName, null, null, false);
+        return new InvalidateApiKeyRequest(realmName, userName, null, false, null);
     }
 
     /**
@@ -126,7 +165,18 @@ public static InvalidateApiKeyRequest usingRealmAndUserName(String realmName, St
      * @return {@link InvalidateApiKeyRequest}
      */
     public static InvalidateApiKeyRequest usingApiKeyId(String apiKeyId, boolean ownedByAuthenticatedUser) {
-        return new InvalidateApiKeyRequest(null, null, apiKeyId, null, ownedByAuthenticatedUser);
+        return new InvalidateApiKeyRequest(null, null, null, ownedByAuthenticatedUser, apiKeyIdToIds(apiKeyId));
+    }
+
+    /**
+     * Creates invalidate API key request for given api key ids
+     * @param apiKeyIds api key ids
+     * @param ownedByAuthenticatedUser set {@code true} if the request is only for the API keys owned by current authenticated user else
+     * {@code false}
+     * @return {@link InvalidateApiKeyRequest}
+     */
+    public static InvalidateApiKeyRequest usingApiKeyIds(List<String> apiKeyIds, boolean ownedByAuthenticatedUser) {
+        return new InvalidateApiKeyRequest(null, null, null, ownedByAuthenticatedUser, apiKeyIds);
     }
 
     /**
@@ -137,14 +187,14 @@ public static InvalidateApiKeyRequest usingApiKeyId(String apiKeyId, boolean own
      * @return {@link InvalidateApiKeyRequest}
      */
     public static InvalidateApiKeyRequest usingApiKeyName(String apiKeyName, boolean ownedByAuthenticatedUser) {
-        return new InvalidateApiKeyRequest(null, null, null, apiKeyName, ownedByAuthenticatedUser);
+        return new InvalidateApiKeyRequest(null, null, apiKeyName, ownedByAuthenticatedUser, null);
     }
 
     /**
      * Creates invalidate api key request to invalidate api keys owned by the current authenticated user.
      */
     public static InvalidateApiKeyRequest forOwnedApiKeys() {
-        return new InvalidateApiKeyRequest(null, null, null, null, true);
+        return new InvalidateApiKeyRequest(null, null, null, true, null);
     }
 
     @Override
@@ -156,13 +206,17 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws
         if (userName != null) {
             builder.field("username", userName);
         }
-        if (id != null) {
-            builder.field("id", id);
+        if (ids != null) {
+            builder.field("ids", ids);
         }
         if (name != null) {
             builder.field("name", name);
         }
         builder.field("owner", ownedByAuthenticatedUser);
         return builder.endObject();
     }
+
+    static List<String> apiKeyIdToIds(@Nullable String apiKeyId) {
+        return Strings.hasText(apiKeyId) ? List.of(apiKeyId) : null;
+    }
 }

client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java

@@ -2204,6 +2204,24 @@ public void testInvalidateApiKey() throws Exception {
             assertThat(previouslyInvalidatedApiKeyIds.size(), equalTo(0));
         }
 
+        {
+            // tag::invalidate-api-key-ids-request
+            InvalidateApiKeyRequest invalidateApiKeyRequest = InvalidateApiKeyRequest.usingApiKeyIds(
+                Arrays.asList("kI3QZHYBnpSXoDRq1XzR", "ko3SZHYBnpSXoDRqk3zm"), false);
+            // end::invalidate-api-key-ids-request
+
+            InvalidateApiKeyResponse invalidateApiKeyResponse = client.security().invalidateApiKey(invalidateApiKeyRequest,
+                RequestOptions.DEFAULT);
+
+            final List<ElasticsearchException> errors = invalidateApiKeyResponse.getErrors();
+            final List<String> invalidatedApiKeyIds = invalidateApiKeyResponse.getInvalidatedApiKeys();
+            final List<String> previouslyInvalidatedApiKeyIds = invalidateApiKeyResponse.getPreviouslyInvalidatedApiKeys();
+
+            assertTrue(errors.isEmpty());
+            assertThat(invalidatedApiKeyIds.size(), equalTo(0));
+            assertThat(previouslyInvalidatedApiKeyIds.size(), equalTo(0));
+        }
+
         {
             createApiKeyRequest = new CreateApiKeyRequest("k2", roles, expiration, refreshPolicy);
             CreateApiKeyResponse createApiKeyResponse2 = client.security().createApiKey(createApiKeyRequest, RequestOptions.DEFAULT);

client/rest-high-level/src/test/java/org/elasticsearch/client/security/InvalidateApiKeyRequestTests.java

@@ -24,14 +24,24 @@
 
 import java.io.IOException;
 import java.util.Optional;
+import java.util.stream.Collectors;
+import java.util.stream.IntStream;
 
+import static org.elasticsearch.client.security.InvalidateApiKeyRequest.apiKeyIdToIds;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
 
 public class InvalidateApiKeyRequestTests extends ESTestCase {
 
     public void testRequestValidation() {
-        InvalidateApiKeyRequest request = InvalidateApiKeyRequest.usingApiKeyId(randomAlphaOfLength(5), randomBoolean());
+        InvalidateApiKeyRequest request;
+        if (randomBoolean()) {
+            request = InvalidateApiKeyRequest.usingApiKeyId(randomAlphaOfLength(5), randomBoolean());
+        } else {
+            request = InvalidateApiKeyRequest.usingApiKeyIds(
+                IntStream.range(1, randomIntBetween(1, 5)).mapToObj(ignored -> randomAlphaOfLength(5)).collect(Collectors.toList()),
+                randomBoolean());
+        }
         Optional<ValidationException> ve = request.validate();
         assertThat(ve.isPresent(), is(false));
         request = InvalidateApiKeyRequest.usingApiKeyName(randomAlphaOfLength(5), randomBoolean());
@@ -61,19 +71,19 @@ public void testRequestValidationFailureScenarios() throws IOException {
                 { "realm", randomNullOrEmptyString(), randomNullOrEmptyString(), randomNullOrEmptyString(), "true" },
                 { randomNullOrEmptyString(), "user", randomNullOrEmptyString(), randomNullOrEmptyString(), "true" } };
         String[] expectedErrorMessages = new String[] {
-                "One of [api key id, api key name, username, realm name] must be specified if [owner] flag is false",
-                "username or realm name must not be specified when the api key id or api key name is specified",
-                "username or realm name must not be specified when the api key id or api key name is specified",
-                "username or realm name must not be specified when the api key id or api key name is specified",
-                "only one of [api key id, api key name] can be specified",
+                "One of [api key id(s), api key name, username, realm name] must be specified if [owner] flag is false",
+                "username or realm name must not be specified when the api key id(s) or api key name is specified",
+                "username or realm name must not be specified when the api key id(s) or api key name is specified",
+                "username or realm name must not be specified when the api key id(s) or api key name is specified",
+                "only one of [api key id(s), api key name] can be specified",
                 "neither username nor realm-name may be specified when invalidating owned API keys",
                 "neither username nor realm-name may be specified when invalidating owned API keys" };
 
         for (int i = 0; i < inputs.length; i++) {
             final int caseNo = i;
             IllegalArgumentException ve = expectThrows(IllegalArgumentException.class,
-                    () -> new InvalidateApiKeyRequest(inputs[caseNo][0], inputs[caseNo][1], inputs[caseNo][2], inputs[caseNo][3],
-                        Boolean.valueOf(inputs[caseNo][4])));
+                    () -> new InvalidateApiKeyRequest(inputs[caseNo][0], inputs[caseNo][1], inputs[caseNo][3],
+                        Boolean.valueOf(inputs[caseNo][4]), apiKeyIdToIds(inputs[caseNo][2])));
             assertNotNull(ve);
             assertThat(ve.getMessage(), equalTo(expectedErrorMessages[caseNo]));
         }

docs/java-rest/high-level/security/invalidate-api-key.asciidoc

@@ -23,10 +23,10 @@ The +{request}+ supports invalidating
 
 . A specific key or all API keys owned by the current authenticated user
 
-===== Specific API key by API key id
+===== Specific API keys by a list of API key ids
 ["source","java",subs="attributes,callouts,macros"]
 --------------------------------------------------
-include-tagged::{doc-tests-file}[invalidate-api-key-id-request]
+include-tagged::{doc-tests-file}[invalidate-api-key-ids-request]
 --------------------------------------------------
 
 ===== Specific API key by API key name
@@ -80,4 +80,4 @@ invalidated.
 ["source","java",subs="attributes,callouts,macros"]
 --------------------------------------------------
 include-tagged::{doc-tests-file}[{api}-response]
---------------------------------------------------
+--------------------------------------------------

x-pack/docs/en/rest-api/security/invalidate-api-keys.asciidoc

@@ -31,6 +31,7 @@ The following parameters can be specified in the body of a DELETE request and
 pertain to invalidating api keys:
 
 `id`::
+deprecated:[7.12.0, "Use ids instead"]
 (Optional, string) An API key id. This parameter cannot be used when any of
 `ids`, `name`, `realm_name` or `username` are used.
 
@@ -56,7 +57,7 @@ by the currently authenticated user. Defaults to false.
 The 'realm_name' or 'username' parameters cannot be specified when this
 parameter is set to 'true' as they are assumed to be the currently authenticated ones.
 
-NOTE: At least one of "id", "name", "username" and "realm_name" must be specified
+NOTE: At least one of "id", "ids", "name", "username" and "realm_name" must be specified
  if "owner" is "false" (default).
 
 [[security-api-invalidate-api-key-response-body]]
@@ -94,30 +95,19 @@ API key information. For example:
 // TESTRESPONSE[s/VuaCfGcBCdbkQm-e5aOx/$body.id/]
 // TESTRESPONSE[s/ui2lp2axTNmsyakw9tvNnw/$body.api_key/]
 
-The following example invalidates the API key identified by specified `id`
+The following example invalidates the API key identified by specified `ids`
 immediately:
 
 [source,console]
 --------------------------------------------------
 DELETE /_security/api_key
 {
-  "id" : "VuaCfGcBCdbkQm-e5aOx"
+  "ids" : [ "VuaCfGcBCdbkQm-e5aOx" ]
 }
 --------------------------------------------------
 // TEST[s/VuaCfGcBCdbkQm-e5aOx/$body.id/]
 // TEST[continued]
 
-The above request can also be performed using the `ids` field which takes
-a list of API keys for bulk invalidation:
-
-[source,console]
---------------------------------------------------
-DELETE /_security/api_key
-{
-  "ids" : [ "VuaCfGcBCdbkQm-e5aOx" ]
-}
---------------------------------------------------
-
 The following example invalidates the API key identified by specified `name`
 immediately:
 
@@ -151,14 +141,14 @@ DELETE /_security/api_key
 }
 --------------------------------------------------
 
-The following example invalidates the API key identified by the specified `id` if
+The following example invalidates the API key identified by the specified `ids` if
  it is owned by the currently authenticated user immediately:
 
 [source,console]
 --------------------------------------------------
 DELETE /_security/api_key
 {
-  "id" : "VuaCfGcBCdbkQm-e5aOx",
+  "ids" : ["VuaCfGcBCdbkQm-e5aOx"],
   "owner" : "true"
 }
 --------------------------------------------------