HLRest: add xpack put user API

This commit adds a security client to the high level rest client, which
includes an implementation for the put user api. As part of these
changes, the request and response classes were moved to the x-pack
protocol project and licensed under the Apache 2 license.

The PutUserRequest previously performed some validation of the username
that really is more fitting for the server validation. This validation
has been removed to reduce the amount of logic on the client side and
also reduce the number of classes that would need to be moved to the
protocol project. The removed validation now happens in the transport
action.

See elastic#29827

Author: jaymode

client/rest-high-level/build.gradle

@@ -71,6 +71,27 @@ forbiddenApisMain {
   signaturesURLs += [file('src/main/resources/forbidden/rest-high-level-signatures.txt').toURI().toURL()]
 }
 
+integTestRunner {
+  systemProperty 'tests.rest.cluster.username', System.getProperty('tests.rest.cluster.username', 'test_user')
+  systemProperty 'tests.rest.cluster.password', System.getProperty('tests.rest.cluster.password', 'test-password')
+}
+
 integTestCluster {
   setting 'xpack.license.self_generated.type', 'trial'
+  setting 'xpack.security.enabled', 'true'
+  setupCommand 'setupDummyUser',
+          'bin/elasticsearch-users',
+          'useradd', System.getProperty('tests.rest.cluster.username', 'test_user'),
+          '-p', System.getProperty('tests.rest.cluster.password', 'test-password'),
+          '-r', 'superuser'
+  waitCondition = { node, ant ->
+    File tmpFile = new File(node.cwd, 'wait.success')
+    ant.get(src: "http://${node.httpUri()}/_cluster/health?wait_for_nodes=>=${numNodes}&wait_for_status=yellow",
+            dest: tmpFile.toString(),
+            username: System.getProperty('tests.rest.cluster.username', 'test_user'),
+            password: System.getProperty('tests.rest.cluster.password', 'test-password'),
+            ignoreerrors: true,
+            retries: 10)
+    return tmpFile.exists()
+  }
 }

client/rest-high-level/src/main/java/org/elasticsearch/client/RequestConverters.java

@@ -109,6 +109,7 @@
 import org.elasticsearch.protocol.xpack.XPackInfoRequest;
 import org.elasticsearch.protocol.xpack.watcher.PutWatchRequest;
 import org.elasticsearch.protocol.xpack.XPackUsageRequest;
+import org.elasticsearch.protocol.xpack.security.PutUserRequest;
 import org.elasticsearch.rest.action.search.RestSearchAction;
 import org.elasticsearch.script.mustache.MultiSearchTemplateRequest;
 import org.elasticsearch.script.mustache.SearchTemplateRequest;
@@ -1139,6 +1140,15 @@ static Request xpackUsage(XPackUsageRequest usageRequest) {
         return request;
     }
 
+    static Request putUser(PutUserRequest putUserRequest) throws IOException {
+        String endpoint = new EndpointBuilder().addPathPartAsIs("_xpack/security/user").addPathPart(putUserRequest.username()).build();
+        Request request = new Request(HttpPut.METHOD_NAME, endpoint);
+        request.setEntity(createEntity(putUserRequest, REQUEST_BODY_CONTENT_TYPE));
+        Params params = new Params(request);
+        params.withRefreshPolicy(putUserRequest.getRefreshPolicy());
+        return request;
+    }
+
     private static HttpEntity createEntity(ToXContent toXContent, XContentType xContentType) throws IOException {
         BytesRef source = XContentHelper.toXContent(toXContent, xContentType, false).toBytesRef();
         return new ByteArrayEntity(source.bytes, source.offset, source.length, createContentType(xContentType));

client/rest-high-level/src/main/java/org/elasticsearch/client/SecurityClient.java

@@ -0,0 +1,91 @@
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.elasticsearch.client;
+
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.common.xcontent.XContentParser;
+import org.elasticsearch.protocol.xpack.security.PutUserRequest;
+import org.elasticsearch.protocol.xpack.security.PutUserResponse;
+
+import java.io.IOException;
+
+import static java.util.Collections.emptySet;
+
+/**
+ * A wrapper for the {@link RestHighLevelClient} that provides methods for accessing the Security APIs.
+ * <p>
+ * See <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api.html">Security APIs on elastic.co</a>
+ */
+public final class SecurityClient {
+
+    private final RestHighLevelClient restHighLevelClient;
+
+    SecurityClient(RestHighLevelClient restHighLevelClient) {
+        this.restHighLevelClient = restHighLevelClient;
+    }
+
+    /**
+     * Create/update a user in the native realm synchronously.
+     * See <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-users.html">
+     * the docs</a> for more.
+     * @param request the request with the user's information
+     * @param options the request options (e.g. headers), use {@link RequestOptions#DEFAULT} if nothing needs to be customized
+     * @return the response from the put user call
+     * @throws IOException in case there is a problem sending the request or parsing back the response
+     */
+    public PutUserResponse putUser(PutUserRequest request, RequestOptions options) throws IOException {
+        return restHighLevelClient.performRequestAndParseEntity(request, RequestConverters::putUser, options,
+            SecurityClient::parsePutUserResponse, emptySet());
+    }
+
+    /**
+     * Asynchronously create/update a user in the native realm.
+     * See <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-users.html">
+     * the docs</a> for more.
+     * @param request the request with the user's information
+     * @param options the request options (e.g. headers), use {@link RequestOptions#DEFAULT} if nothing needs to be customized
+     * @param listener the listener to be notified upon request completion
+     */
+    public void putUserAsync(PutUserRequest request, RequestOptions options, ActionListener<PutUserResponse> listener) {
+        restHighLevelClient.performRequestAsyncAndParseEntity(request, RequestConverters::putUser, options,
+            SecurityClient::parsePutUserResponse, listener, emptySet());
+    }
+
+    /**
+     * Parses the rest response from the put user API. The rest API wraps the XContent of the
+     * {@link PutUserResponse} in a field, so this method unwraps this value.
+     *
+     * @param parser the XContent parser for the response body
+     * @return the {@link PutUserResponse} parsed
+     * @throws IOException in case there is a problem parsing the response
+     */
+    private static PutUserResponse parsePutUserResponse(XContentParser parser) throws IOException {
+        XContentParser.Token token;
+        String currentFieldName = null;
+        while ((token = parser.nextToken()) != XContentParser.Token.END_OBJECT) {
+            if (token == XContentParser.Token.FIELD_NAME) {
+                currentFieldName = parser.currentName();
+            } else if ("user".equals(currentFieldName)) {
+                return PutUserResponse.fromXContent(parser);
+            }
+        }
+        throw new IOException("Failed to parse [put_user_response]");
+    }
+}

client/rest-high-level/src/main/java/org/elasticsearch/client/XPackClient.java

@@ -42,10 +42,12 @@ public final class XPackClient {
 
     private final RestHighLevelClient restHighLevelClient;
     private final WatcherClient watcherClient;
+    private final SecurityClient securityClient;
 
     XPackClient(RestHighLevelClient restHighLevelClient) {
         this.restHighLevelClient = restHighLevelClient;
         this.watcherClient = new WatcherClient(restHighLevelClient);
+        this.securityClient = new SecurityClient(restHighLevelClient);
     }
 
     public WatcherClient watcher() {
@@ -100,4 +102,13 @@ public void usageAsync(XPackUsageRequest request, RequestOptions options, Action
         restHighLevelClient.performRequestAsyncAndParseEntity(request, RequestConverters::xpackUsage, options,
             XPackUsageResponse::fromXContent, listener, emptySet());
     }
+
+    /**
+     * Provides an {@link SecurityClient} which can be used to access the Security APIs.
+     *
+     * See <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api.html">Security APIs on elastic.co</a>
+     */
+    public SecurityClient security() {
+        return securityClient;
+    }
 }

client/rest-high-level/src/test/java/org/elasticsearch/client/ESRestHighLevelClientTestCase.java

@@ -25,6 +25,7 @@
 import org.elasticsearch.action.support.PlainActionFuture;
 import org.elasticsearch.common.bytes.BytesReference;
 import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.common.xcontent.XContentType;
 import org.elasticsearch.ingest.Pipeline;
@@ -33,7 +34,10 @@
 import org.junit.Before;
 
 import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
 import java.util.Collections;
+import java.util.Objects;
 
 public abstract class ESRestHighLevelClientTestCase extends ESRestTestCase {
 
@@ -136,4 +140,15 @@ protected static void clusterUpdateSettings(Settings persistentSettings,
         request.transientSettings(transientSettings);
         assertOK(client().performRequest(RequestConverters.clusterPutSettings(request)));
     }
+
+    @Override
+    protected Settings restClientSettings() {
+        final String user = Objects.requireNonNull(System.getProperty("tests.rest.cluster.username"));
+        final String pass = Objects.requireNonNull(System.getProperty("tests.rest.cluster.password"));
+        final String token = "Basic " + Base64.getEncoder().encodeToString((user + ":" + pass).getBytes(StandardCharsets.UTF_8));
+        return Settings.builder()
+            .put(super.restClientSettings())
+            .put(ThreadContext.PREFIX + ".Authorization", token)
+            .build();
+    }
 }

client/rest-high-level/src/test/java/org/elasticsearch/client/RequestConvertersTests.java

@@ -126,6 +126,7 @@
 import org.elasticsearch.index.rankeval.RatedRequest;
 import org.elasticsearch.index.rankeval.RestRankEvalAction;
 import org.elasticsearch.protocol.xpack.XPackInfoRequest;
+import org.elasticsearch.protocol.xpack.security.PutUserRequest;
 import org.elasticsearch.protocol.xpack.watcher.PutWatchRequest;
 import org.elasticsearch.repositories.fs.FsRepository;
 import org.elasticsearch.rest.action.search.RestSearchAction;
@@ -2580,6 +2581,38 @@ public void testXPackPutWatch() throws Exception {
         assertThat(bos.toString("UTF-8"), is(body));
     }
 
+    public void testPutUser() throws IOException {
+        PutUserRequest putUserRequest = new PutUserRequest();
+        putUserRequest.username(randomAlphaOfLengthBetween(4, 12));
+        if (randomBoolean()) {
+            putUserRequest.password(randomAlphaOfLengthBetween(8, 12).toCharArray());
+        }
+        putUserRequest.roles(generateRandomStringArray(randomIntBetween(2, 8), randomIntBetween(8, 16), false, true));
+        putUserRequest.email(randomBoolean() ? null : randomAlphaOfLengthBetween(12, 24));
+        putUserRequest.fullName(randomBoolean() ? null : randomAlphaOfLengthBetween(7, 14));
+        putUserRequest.enabled(randomBoolean());
+        if (randomBoolean()) {
+            Map<String, Object> metadata = new HashMap<>();
+            for (int i = 0; i < randomIntBetween(1, 10); i++) {
+                metadata.put(String.valueOf(i), randomAlphaOfLengthBetween(1, 12));
+            }
+            putUserRequest.metadata(metadata);
+        }
+        putUserRequest.setRefreshPolicy(randomFrom(WriteRequest.RefreshPolicy.values()));
+        final Map<String, String> expectedParams;
+        if (putUserRequest.getRefreshPolicy() != WriteRequest.RefreshPolicy.NONE) {
+            expectedParams = Collections.singletonMap("refresh", putUserRequest.getRefreshPolicy().getValue());
+        } else {
+            expectedParams = Collections.emptyMap();
+        }
+
+        Request request = RequestConverters.putUser(putUserRequest);
+        assertEquals(HttpPut.METHOD_NAME, request.getMethod());
+        assertEquals("/_xpack/security/user/" + putUserRequest.username(), request.getEndpoint());
+        assertEquals(expectedParams, request.getParameters());
+        assertToXContentBody(putUserRequest, request.getEntity());
+    }
+
     /**
      * Randomize the {@link FetchSourceContext} request parameters.
      */

client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/SecurityDocumentationIT.java

@@ -0,0 +1,82 @@
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.elasticsearch.client.documentation;
+
+import org.elasticsearch.action.ActionListener;
+import org.elasticsearch.action.LatchedActionListener;
+import org.elasticsearch.client.ESRestHighLevelClientTestCase;
+import org.elasticsearch.client.RequestOptions;
+import org.elasticsearch.client.RestHighLevelClient;
+import org.elasticsearch.protocol.xpack.security.PutUserRequest;
+import org.elasticsearch.protocol.xpack.security.PutUserResponse;
+
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.TimeUnit;
+
+public class SecurityDocumentationIT extends ESRestHighLevelClientTestCase {
+
+    public void testPutUser() throws Exception {
+        RestHighLevelClient client = highLevelClient();
+
+        {
+            //tag::x-pack-put-user-execute
+            PutUserRequest request = new PutUserRequest();
+            request.username("example");
+            request.roles("superuser");
+            request.password(new char[] { 'p', 'a', 's', 's', 'w', 'o', 'r', 'd' } );
+            PutUserResponse response = client.xpack().security().putUser(request, RequestOptions.DEFAULT);
+            //end::x-pack-put-user-execute
+
+            //tag::x-pack-put-user-response
+            boolean isCreated = response.created(); // <1>
+            //end::x-pack-put-user-response
+        }
+
+        {
+            PutUserRequest request = new PutUserRequest();
+            request.username("example2");
+            request.roles("superuser");
+            request.password(new char[] { 'p', 'a', 's', 's', 'w', 'o', 'r', 'd' } );
+            // tag::x-pack-put-user-execute-listener
+            ActionListener<PutUserResponse> listener = new ActionListener<PutUserResponse>() {
+                @Override
+                public void onResponse(PutUserResponse response) {
+                    // <1>
+                }
+
+                @Override
+                public void onFailure(Exception e) {
+                    // <2>
+                }
+            };
+            // end::x-pack-put-user-execute-listener
+
+            // Replace the empty listener by a blocking listener in test
+            final CountDownLatch latch = new CountDownLatch(1);
+            listener = new LatchedActionListener<>(listener, latch);
+
+            // tag::x-pack-put-user-execute-async
+            client.xpack().security().putUserAsync(request, RequestOptions.DEFAULT, listener); // <1>
+            // end::x-pack-put-user-execute-async
+
+            assertTrue(latch.await(30L, TimeUnit.SECONDS));
+        }
+    }
+}

docs/java-rest/high-level/x-pack/security/put-user.asciidoc

@@ -0,0 +1,52 @@
+[[java-rest-high-x-pack-security-put-user]]
+=== X-Pack Put User API
+
+[[java-rest-high-x-pack-security-put-user-execution]]
+==== Execution
+
+Creating and updating a user can be performed using the `security().putUser()`
+method:
+
+["source","java",subs="attributes,callouts,macros"]
+--------------------------------------------------
+include-tagged::{doc-tests}/SecurityDocumentationIT.java[x-pack-put-user-execute]
+--------------------------------------------------
+
+[[java-rest-high-x-pack-security-put-user-response]]
+==== Response
+
+The returned `PutUserResponse` contains a single field, `created`. This field
+serves as an indication if a user was created or if an existing entry was updated.
+
+["source","java",subs="attributes,callouts,macros"]
+--------------------------------------------------
+include-tagged::{doc-tests}/SecurityDocumentationIT.java[x-pack-put-user-response]
+--------------------------------------------------
+<1> `created` is a boolean indicating whether the user was created or updated
+
+[[java-rest-high-x-pack-security-put-user-async]]
+==== Asynchronous Execution
+
+This request can be executed asynchronously:
+
+["source","java",subs="attributes,callouts,macros"]
+--------------------------------------------------
+include-tagged::{doc-tests}/WatcherDocumentationIT.java[x-pack-put-user-execute-async]
+--------------------------------------------------
+<1> The `PutUserResponse` to execute and the `ActionListener` to use when
+the execution completes
+
+The asynchronous method does not block and returns immediately. Once the request
+has completed the `ActionListener` is called back using the `onResponse` method
+if the execution successfully completed or using the `onFailure` method if
+it failed.
+
+A typical listener for a `PutUserResponse` looks like:
+
+["source","java",subs="attributes,callouts,macros"]
+--------------------------------------------------
+include-tagged::{doc-tests}/SecurityDocumentationIT.java[x-pack-put-user-execute-listener]
+--------------------------------------------------
+<1> Called when the execution is successfully completed. The response is
+provided as an argument
+<2> Called in case of failure. The raised exception is provided as an argument