Create API Key on behalf of other user

test/framework/src/main/java/org/elasticsearch/test/ESTestCase.java

@@ -728,6 +728,12 @@ public static String randomRealisticUnicodeOfCodepointLength(int codePoints) {
         return RandomizedTest.randomRealisticUnicodeOfCodepointLength(codePoints);
     }
 
+    /**
+     * @param maxArraySize The maximum number of elements in the random array
+     * @param stringSize The length of each String in the array
+     * @param allowNull Whether the returned array may be null
+     * @param allowEmpty Whether the returned array may be empty (have zero elements)
+     */
     public static String[] generateRandomStringArray(int maxArraySize, int stringSize, boolean allowNull, boolean allowEmpty) {
         if (allowNull && random().nextBoolean()) {
             return null;

test/framework/src/main/java/org/elasticsearch/test/XContentTestUtils.java

@@ -58,6 +58,13 @@ public static Map<String, Object> convertToMap(ToXContent part) throws IOExcepti
         return XContentHelper.convertToMap(BytesReference.bytes(builder), false, builder.contentType()).v2();
     }
 
+    public static BytesReference convertToXContent(Map<String, ?> map, XContentType xContentType) throws IOException {
+        try (XContentBuilder builder = XContentFactory.contentBuilder(xContentType)) {
+            builder.map(map);
+            return BytesReference.bytes(builder);
+        }
+    }
+
 
     /**
      * Compares two maps generated from XContentObjects. The order of elements in arrays is ignored.

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/CreateApiKeyRequestBuilder.java

@@ -74,11 +74,15 @@ public CreateApiKeyRequestBuilder source(BytesReference source, XContentType xCo
         final NamedXContentRegistry registry = NamedXContentRegistry.EMPTY;
         try (InputStream stream = source.streamInput();
                 XContentParser parser = xContentType.xContent().createParser(registry, LoggingDeprecationHandler.INSTANCE, stream)) {
-            CreateApiKeyRequest createApiKeyRequest = PARSER.parse(parser, null);
+            CreateApiKeyRequest createApiKeyRequest = parse(parser);
             setName(createApiKeyRequest.getName());
             setRoleDescriptors(createApiKeyRequest.getRoleDescriptors());
             setExpiration(createApiKeyRequest.getExpiration());
         }
         return this;
     }
+
+    public static CreateApiKeyRequest parse(XContentParser parser) throws IOException {
+        return PARSER.parse(parser, null);
+    }
 }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/GrantApiKeyAction.java

@@ -0,0 +1,24 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.core.security.action;
+
+import org.elasticsearch.action.ActionType;
+
+/**
+ * ActionType for the creation of an API key on behalf of another user
+ * This returns the {@link CreateApiKeyResponse} because the REST output is intended to be identical to the {@link CreateApiKeyAction}.
+ */
+public final class GrantApiKeyAction extends ActionType<CreateApiKeyResponse> {
+
+    public static final String NAME = "cluster:admin/xpack/security/api_key/grant";
+    public static final GrantApiKeyAction INSTANCE = new GrantApiKeyAction();
+
+    private GrantApiKeyAction() {
+        super(NAME, CreateApiKeyResponse::new);
+    }
+
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/GrantApiKeyRequest.java

@@ -0,0 +1,171 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.core.security.action;
+
+import org.elasticsearch.action.ActionRequest;
+import org.elasticsearch.action.ActionRequestValidationException;
+import org.elasticsearch.action.support.WriteRequest;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+import org.elasticsearch.common.io.stream.Writeable;
+import org.elasticsearch.common.settings.SecureString;
+
+import java.io.IOException;
+import java.util.Objects;
+
+import static org.elasticsearch.action.ValidateActions.addValidationError;
+
+/**
+ * Request class used for the creation of an API key on behalf of another user.
+ * Logically this is similar to {@link CreateApiKeyRequest}, but is for cases when the user that has permission to call this action
+ * is different to the user for whom the API key should be created
+ */
+public final class GrantApiKeyRequest extends ActionRequest {
+
+    public static final WriteRequest.RefreshPolicy DEFAULT_REFRESH_POLICY = WriteRequest.RefreshPolicy.WAIT_UNTIL;
+    public static final String PASSWORD_GRANT_TYPE = "password";
+    public static final String ACCESS_TOKEN_GRANT_TYPE = "access_token";
+
+    /**
+     * Fields related to the end user authentication
+     */
+    public static class Grant implements Writeable {
+        private String type;
+        private String username;
+        private SecureString password;
+        private SecureString accessToken;
+
+        public Grant() {
+        }
+
+        public Grant(StreamInput in) throws IOException {
+            this.type = in.readString();
+            this.username = in.readOptionalString();
+            this.password = in.readOptionalSecureString();
+            this.accessToken = in.readOptionalSecureString();
+        }
+
+        public void writeTo(StreamOutput out) throws IOException {
+            out.writeString(type);
+            out.writeOptionalString(username);
+            out.writeOptionalSecureString(password);
+            out.writeOptionalSecureString(accessToken);
+        }
+
+        public String getType() {
+            return type;
+        }
+
+        public String getUsername() {
+            return username;
+        }
+
+        public SecureString getPassword() {
+            return password;
+        }
+
+        public SecureString getAccessToken() {
+            return accessToken;
+        }
+
+        public void setType(String type) {
+            this.type = type;
+        }
+
+        public void setUsername(String username) {
+            this.username = username;
+        }
+
+        public void setPassword(SecureString password) {
+            this.password = password;
+        }
+
+        public void setAccessToken(SecureString accessToken) {
+            this.accessToken = accessToken;
+        }
+    }
+
+    private final Grant grant;
+    private CreateApiKeyRequest apiKey;
+    private WriteRequest.RefreshPolicy refreshPolicy;
+
+    public GrantApiKeyRequest() {
+        this.grant = new Grant();
+        this.apiKey = new CreateApiKeyRequest();
+        this.refreshPolicy = DEFAULT_REFRESH_POLICY;
+    }
+
+    public GrantApiKeyRequest(StreamInput in) throws IOException {
+        super(in);
+        this.grant = new Grant(in);
+        this.apiKey = new CreateApiKeyRequest(in);
+        this.refreshPolicy = WriteRequest.RefreshPolicy.readFrom(in);
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        super.writeTo(out);
+        grant.writeTo(out);
+        apiKey.writeTo(out);
+        refreshPolicy.writeTo(out);
+    }
+
+    public WriteRequest.RefreshPolicy getRefreshPolicy() {
+        return refreshPolicy;
+    }
+
+    public void setRefreshPolicy(WriteRequest.RefreshPolicy refreshPolicy) {
+        this.refreshPolicy = Objects.requireNonNull(refreshPolicy, "refresh policy may not be null");
+    }
+
+    public Grant getGrant() {
+        return grant;
+    }
+
+    public CreateApiKeyRequest getApiKeyRequest() {
+        return apiKey;
+    }
+
+    public void setApiKeyRequest(CreateApiKeyRequest apiKeyRequest) {
+        this.apiKey = Objects.requireNonNull(apiKeyRequest, "Cannot set a null api_key");
+    }
+
+    @Override
+    public ActionRequestValidationException validate() {
+        ActionRequestValidationException validationException = apiKey.validate();
+        if (grant.type == null) {
+            validationException = addValidationError("[grant_type] is required", validationException);
+        } else if (grant.type.equals(PASSWORD_GRANT_TYPE)) {
+            validationException = validateRequiredField("username", grant.username, validationException);
+            validationException = validateRequiredField("password", grant.password, validationException);
+            validationException = validateUnsupportedField("access_token", grant.accessToken, validationException);
+        } else if (grant.type.equals(ACCESS_TOKEN_GRANT_TYPE)) {
+            validationException = validateRequiredField("access_token", grant.accessToken, validationException);
+            validationException = validateUnsupportedField("username", grant.username, validationException);
+            validationException = validateUnsupportedField("password", grant.password, validationException);
+        } else {
+            validationException = addValidationError("grant_type [" + grant.type + "] is not supported", validationException);
+        }
+        return validationException;
+    }
+
+    private ActionRequestValidationException validateRequiredField(String fieldName, CharSequence fieldValue,
+                                                                   ActionRequestValidationException validationException) {
+        if (fieldValue == null || fieldValue.length() == 0) {
+            return addValidationError("[" + fieldName + "] is required for grant_type [" + grant.type + "]", validationException);
+        }
+        return validationException;
+    }
+
+    private ActionRequestValidationException validateUnsupportedField(String fieldName, CharSequence fieldValue,
+                                                                      ActionRequestValidationException validationException) {
+        if (fieldValue != null && fieldValue.length() > 0) {
+            return addValidationError("[" + fieldName + "] is not supported for grant_type [" + grant.type + "]", validationException);
+        }
+        return validationException;
+    }
+}

x-pack/plugin/security/qa/security-basic/src/test/java/org/elasticsearch/xpack/security/SecurityInBasicRestTestCase.java

@@ -0,0 +1,49 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.security;
+
+import org.elasticsearch.client.RestHighLevelClient;
+import org.elasticsearch.common.settings.SecureString;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.util.concurrent.ThreadContext;
+import org.elasticsearch.test.rest.ESRestTestCase;
+
+import java.util.List;
+
+import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
+
+public abstract class SecurityInBasicRestTestCase extends ESRestTestCase {
+    private RestHighLevelClient highLevelAdminClient;
+
+    @Override
+    protected Settings restAdminSettings() {
+        String token = basicAuthHeaderValue("admin_user", new SecureString("admin-password".toCharArray()));
+        return Settings.builder()
+            .put(ThreadContext.PREFIX + ".Authorization", token)
+            .build();
+    }
+
+    @Override
+    protected Settings restClientSettings() {
+        String token = basicAuthHeaderValue("security_test_user", new SecureString("security-test-password".toCharArray()));
+        return Settings.builder()
+            .put(ThreadContext.PREFIX + ".Authorization", token)
+            .build();
+    }
+
+    private RestHighLevelClient getHighLevelAdminClient() {
+        if (highLevelAdminClient == null) {
+            highLevelAdminClient = new RestHighLevelClient(
+                adminClient(),
+                ignore -> {
+                },
+                List.of()) {
+            };
+        }
+        return highLevelAdminClient;
+    }
+}

x-pack/plugin/security/qa/security-basic/src/test/java/org/elasticsearch/xpack/security/SecurityWithBasicLicenseIT.java

@@ -11,10 +11,6 @@
 import org.elasticsearch.client.Response;
 import org.elasticsearch.client.ResponseException;
 import org.elasticsearch.common.collect.Tuple;
-import org.elasticsearch.common.settings.SecureString;
-import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.util.concurrent.ThreadContext;
-import org.elasticsearch.test.rest.ESRestTestCase;
 import org.elasticsearch.test.rest.yaml.ObjectPath;
 import org.elasticsearch.xpack.security.authc.InternalRealms;
 
@@ -24,29 +20,12 @@
 import java.util.Base64;
 import java.util.Map;
 
-import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
 import static org.hamcrest.Matchers.contains;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.notNullValue;
 
-public class SecurityWithBasicLicenseIT extends ESRestTestCase {
-
-    @Override
-    protected Settings restAdminSettings() {
-        String token = basicAuthHeaderValue("admin_user", new SecureString("admin-password".toCharArray()));
-        return Settings.builder()
-            .put(ThreadContext.PREFIX + ".Authorization", token)
-            .build();
-    }
-
-    @Override
-    protected Settings restClientSettings() {
-        String token = basicAuthHeaderValue("security_test_user", new SecureString("security-test-password".toCharArray()));
-        return Settings.builder()
-            .put(ThreadContext.PREFIX + ".Authorization", token)
-            .build();
-    }
+public class SecurityWithBasicLicenseIT extends SecurityInBasicRestTestCase {
 
     public void testWithBasicLicense() throws Exception {
         checkLicenseType("basic");

x-pack/plugin/security/qa/security-trial/build.gradle

@@ -0,0 +1,28 @@
+apply plugin: 'elasticsearch.testclusters'
+apply plugin: 'elasticsearch.standalone-rest-test'
+apply plugin: 'elasticsearch.rest-test'
+
+dependencies {
+  testCompile project(path: xpackModule('core'), configuration: 'default')
+  testCompile project(path: xpackModule('security'), configuration: 'testArtifacts')
+  testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')
+}
+
+testClusters.integTest {
+  testDistribution = 'DEFAULT'
+  numberOfNodes = 2
+
+  setting 'xpack.ilm.enabled', 'false'
+  setting 'xpack.ml.enabled', 'false'
+  setting 'xpack.license.self_generated.type', 'trial'
+  setting 'xpack.security.enabled', 'true'
+  setting 'xpack.security.ssl.diagnose.trust', 'true'
+  setting 'xpack.security.http.ssl.enabled', 'false'
+  setting 'xpack.security.transport.ssl.enabled', 'false'
+  setting 'xpack.security.authc.token.enabled', 'true'
+  setting 'xpack.security.authc.api_key.enabled', 'true'
+
+  extraConfigFile 'roles.yml', file('src/test/resources/roles.yml')
+  user username: "admin_user", password: "admin-password"
+  user username: "security_test_user", password: "security-test-password", role: "security_test_role"
+}