Updatable API keys - noop check (#88346)

This PR adds a noop check for API key updates. If we detect a noop
update, i.e., an update that does not result in any changes to the
existing doc, we skip the index step and return updated = false in
the response.

This PR also extends test coverage around various corner cases.

Author: n1v0lg

docs/changelog/88346.yaml

@@ -0,0 +1,5 @@
+pr: 88346
+summary: Updatable API keys - noop check
+area: Security
+type: enhancement
+issues: []

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/RealmDomain.java

@@ -14,6 +14,7 @@
 import org.elasticsearch.xcontent.ParseField;
 import org.elasticsearch.xcontent.ToXContentObject;
 import org.elasticsearch.xcontent.XContentBuilder;
+import org.elasticsearch.xcontent.XContentParser;
 
 import java.io.IOException;
 import java.util.List;
@@ -48,6 +49,10 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws
         return builder;
     }
 
+    public static RealmDomain fromXContent(final XContentParser parser) {
+        return REALM_DOMAIN_PARSER.apply(parser, null);
+    }
+
     @Override
     public String toString() {
         return "RealmDomain{" + "name='" + name + '\'' + ", realms=" + realms + '}';

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTestHelper.java

@@ -90,6 +90,36 @@ public static User randomUser() {
         );
     }
 
+    public static User userWithRandomMetadataAndDetails(final String username, final String... roles) {
+        return new User(
+            username,
+            roles,
+            ESTestCase.randomFrom(ESTestCase.randomAlphaOfLengthBetween(1, 10), null),
+            // Not a very realistic email address, but we don't validate this nor rely on correct format, so keeping it simple
+            ESTestCase.randomFrom(ESTestCase.randomAlphaOfLengthBetween(1, 10), null),
+            randomUserMetadata(),
+            true
+        );
+    }
+
+    public static Map<String, Object> randomUserMetadata() {
+        return ESTestCase.randomFrom(
+            Map.of(
+                "employee_id",
+                ESTestCase.randomAlphaOfLength(5),
+                "number",
+                1,
+                "numbers",
+                List.of(1, 3, 5),
+                "extra",
+                Map.of("favorite pizza", "hawaii", "age", 42)
+            ),
+            Map.of(ESTestCase.randomAlphaOfLengthBetween(3, 8), ESTestCase.randomAlphaOfLengthBetween(3, 8)),
+            Map.of(),
+            null
+        );
+    }
+
     public static RealmDomain randomDomain(boolean includeInternal) {
         final Supplier<String> randomRealmTypeSupplier = randomRealmTypeSupplier(includeInternal);
         final Set<RealmConfig.RealmIdentifier> domainRealms = new HashSet<>(

x-pack/plugin/security/qa/security-trial/src/javaRestTest/java/org/elasticsearch/xpack/security/apikey/ApiKeyRestIT.java

@@ -198,7 +198,7 @@ public void testGrantApiKeyWithOnlyManageOwnApiKeyPrivilegeFails() throws IOExce
 
     public void testUpdateApiKey() throws IOException {
         final var apiKeyName = "my-api-key-name";
-        final Map<String, String> apiKeyMetadata = Map.of("not", "returned");
+        final Map<String, Object> apiKeyMetadata = Map.of("not", "returned");
         final Map<String, Object> createApiKeyRequestBody = Map.of("name", apiKeyName, "metadata", apiKeyMetadata);
 
         final Request createApiKeyRequest = new Request("POST", "_security/api_key");
@@ -215,7 +215,7 @@ public void testUpdateApiKey() throws IOException {
         assertThat(apiKeyId, not(emptyString()));
         assertThat(apiKeyEncoded, not(emptyString()));
 
-        doTestUpdateApiKey(apiKeyName, apiKeyId, apiKeyEncoded);
+        doTestUpdateApiKey(apiKeyName, apiKeyId, apiKeyEncoded, apiKeyMetadata);
     }
 
     public void testGrantTargetCanUpdateApiKey() throws IOException {
@@ -240,7 +240,7 @@ public void testGrantTargetCanUpdateApiKey() throws IOException {
         assertThat(apiKeyId, not(emptyString()));
         assertThat(apiKeyEncoded, not(emptyString()));
 
-        doTestUpdateApiKey(apiKeyName, apiKeyId, apiKeyEncoded);
+        doTestUpdateApiKey(apiKeyName, apiKeyId, apiKeyEncoded, null);
     }
 
     public void testGrantorCannotUpdateApiKeyOfGrantTarget() throws IOException {
@@ -283,18 +283,26 @@ private void doTestAuthenticationWithApiKey(final String apiKeyName, final Strin
         assertThat(authenticate, hasEntry("api_key", Map.of("id", apiKeyId, "name", apiKeyName)));
     }
 
-    private void doTestUpdateApiKey(String apiKeyName, String apiKeyId, String apiKeyEncoded) throws IOException {
+    private void doTestUpdateApiKey(
+        final String apiKeyName,
+        final String apiKeyId,
+        final String apiKeyEncoded,
+        final Map<String, Object> oldMetadata
+    ) throws IOException {
         final var updateApiKeyRequest = new Request("PUT", "_security/api_key/" + apiKeyId);
-        final Map<String, Object> expectedApiKeyMetadata = Map.of("not", "returned (changed)", "foo", "bar");
-        final Map<String, Object> updateApiKeyRequestBody = Map.of("metadata", expectedApiKeyMetadata);
+        final boolean updated = randomBoolean();
+        final Map<String, Object> expectedApiKeyMetadata = updated ? Map.of("not", "returned (changed)", "foo", "bar") : oldMetadata;
+        final Map<String, Object> updateApiKeyRequestBody = expectedApiKeyMetadata == null
+            ? Map.of()
+            : Map.of("metadata", expectedApiKeyMetadata);
         updateApiKeyRequest.setJsonEntity(XContentTestUtils.convertToXContent(updateApiKeyRequestBody, XContentType.JSON).utf8ToString());
 
         final Response updateApiKeyResponse = doUpdateUsingRandomAuthMethod(updateApiKeyRequest);
 
         assertOK(updateApiKeyResponse);
         final Map<String, Object> updateApiKeyResponseMap = responseAsMap(updateApiKeyResponse);
-        assertTrue((Boolean) updateApiKeyResponseMap.get("updated"));
-        expectMetadata(apiKeyId, expectedApiKeyMetadata);
+        assertEquals(updated, updateApiKeyResponseMap.get("updated"));
+        expectMetadata(apiKeyId, expectedApiKeyMetadata == null ? Map.of() : expectedApiKeyMetadata);
         // validate authentication still works after update
         doTestAuthenticationWithApiKey(apiKeyName, apiKeyId, apiKeyEncoded);
     }