Security: add create api key transport action

In order to support api keys for access to elasticsearch, we need the
ability to generate these api keys. A transport action has been added
along with the request and response objects that allow for the
generation of api keys. The api keys require a name and optionally
allow a role to be specified which defines the amount of access the key
has. Additionally an expiration may also be provided.

This change does not include the restriction that the role needs to be
a subset of the user's permissions, which will be added seperately. As
it exists in this change, the api key is currently not usable which is
another aspect that will come later.

Relates elastic#34383

Author: jaymode

server/src/main/java/org/elasticsearch/common/io/stream/StreamInput.java

@@ -578,6 +578,23 @@ public Object readGenericValue() throws IOException {
         }
     }
 
+    /**
+     * Read an {@link Instant} from the stream with nanosecond resolution
+     */
+    public final Instant readInstant() throws IOException {
+        return Instant.ofEpochSecond(readLong(), readInt());
+    }
+
+    /**
+     * Read an optional {@link Instant} from the stream. Returns <code>null</code> when
+     * no instant is present.
+     */
+    @Nullable
+    public final Instant readOptionalInstant() throws IOException {
+        final boolean present = readBoolean();
+        return present ? readInstant() : null;
+    }
+
     @SuppressWarnings("unchecked")
     private List readArrayList() throws IOException {
         int size = readArraySize();

server/src/main/java/org/elasticsearch/common/io/stream/StreamOutput.java

@@ -55,6 +55,7 @@
 import java.nio.file.FileSystemLoopException;
 import java.nio.file.NoSuchFileException;
 import java.nio.file.NotDirectoryException;
+import java.time.Instant;
 import java.time.ZonedDateTime;
 import java.util.Collection;
 import java.util.Collections;
@@ -560,6 +561,26 @@ public final <K, V> void writeMap(final Map<K, V> map, final Writer<K> keyWriter
         }
     }
 
+    /**
+     * Writes an {@link Instant} to the stream with nanosecond resolution
+     */
+    public final void writeInstant(Instant instant) throws IOException {
+        writeLong(instant.getEpochSecond());
+        writeInt(instant.getNano());
+    }
+
+    /**
+     * Writes an {@link Instant} to the stream, which could possibly be null
+     */
+    public final void writeOptionalInstant(@Nullable Instant instant) throws IOException {
+        if (instant == null) {
+            writeBoolean(false);
+        } else {
+            writeBoolean(true);
+            writeInstant(instant);
+        }
+    }
+
     private static final Map<Class<?>, Writer> WRITERS;
 
     static {

server/src/test/java/org/elasticsearch/common/io/stream/StreamTests.java

@@ -28,6 +28,7 @@
 import java.io.ByteArrayInputStream;
 import java.io.EOFException;
 import java.io.IOException;
+import java.time.Instant;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
@@ -248,6 +249,37 @@ public void testSetOfLongs() throws IOException {
         assertThat(targetSet, equalTo(sourceSet));
     }
 
+    public void testInstantSerialization() throws IOException {
+        final Instant instant = Instant.now();
+        try (BytesStreamOutput out = new BytesStreamOutput()) {
+            out.writeInstant(instant);
+            try (StreamInput in = out.bytes().streamInput()) {
+                final Instant serialized = in.readInstant();
+                assertEquals(instant, serialized);
+            }
+        }
+    }
+
+    public void testOptionalInstantSerialization() throws IOException {
+        final Instant instant = Instant.now();
+        try (BytesStreamOutput out = new BytesStreamOutput()) {
+            out.writeOptionalInstant(instant);
+            try (StreamInput in = out.bytes().streamInput()) {
+                final Instant serialized = in.readOptionalInstant();
+                assertEquals(instant, serialized);
+            }
+        }
+
+        final Instant missing = null;
+        try (BytesStreamOutput out = new BytesStreamOutput()) {
+            out.writeOptionalInstant(missing);
+            try (StreamInput in = out.bytes().streamInput()) {
+                final Instant serialized = in.readOptionalInstant();
+                assertEquals(missing, serialized);
+            }
+        }
+    }
+
     static final class WriteableString implements Writeable {
         final String string;
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/CreateApiKeyAction.java

@@ -0,0 +1,27 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.core.security.action;
+
+import org.elasticsearch.action.Action;
+
+/**
+ * Action for the creation of an API key
+ */
+public final class CreateApiKeyAction extends Action<CreateApiKeyResponse> {
+
+    public static final String NAME = "cluster:admin/xpack/security/api_key/create";
+    public static final CreateApiKeyAction INSTANCE = new CreateApiKeyAction();
+
+    private CreateApiKeyAction() {
+        super(NAME);
+    }
+
+    @Override
+    public CreateApiKeyResponse newResponse() {
+        return new CreateApiKeyResponse();
+    }
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/CreateApiKeyRequest.java

@@ -0,0 +1,102 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.core.security.action;
+
+import org.elasticsearch.action.ActionRequest;
+import org.elasticsearch.action.ActionRequestValidationException;
+import org.elasticsearch.action.support.WriteRequest;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+import org.elasticsearch.common.unit.TimeValue;
+import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.List;
+import java.util.Objects;
+
+import static org.elasticsearch.action.ValidateActions.addValidationError;
+
+/**
+ * Request class used for the creation of an API key. The request requires a name to be provided
+ * and optionally an expiration time and permission limitation can be provided.
+ */
+public final class CreateApiKeyRequest extends ActionRequest {
+
+    private String name;
+    private TimeValue expiration;
+    private List<RoleDescriptor> roleDescriptors = Collections.emptyList();
+    private WriteRequest.RefreshPolicy refreshPolicy = WriteRequest.RefreshPolicy.WAIT_UNTIL;
+
+    public CreateApiKeyRequest() {}
+
+    public CreateApiKeyRequest(StreamInput in) throws IOException {
+        super(in);
+        this.name = in.readString();
+        this.expiration = in.readOptionalTimeValue();
+        this.roleDescriptors = in.readList(RoleDescriptor::new);
+        this.refreshPolicy = WriteRequest.RefreshPolicy.readFrom(in);
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public TimeValue getExpiration() {
+        return expiration;
+    }
+
+    public void setExpiration(TimeValue expiration) {
+        this.expiration = expiration;
+    }
+
+    public List<RoleDescriptor> getRoleDescriptors() {
+        return roleDescriptors;
+    }
+
+    public void setRoleDescriptors(List<RoleDescriptor> roleDescriptors) {
+        this.roleDescriptors = Objects.requireNonNull(roleDescriptors, "role descriptors may not be null");
+    }
+
+    public WriteRequest.RefreshPolicy getRefreshPolicy() {
+        return refreshPolicy;
+    }
+
+    public void setRefreshPolicy(WriteRequest.RefreshPolicy refreshPolicy) {
+        this.refreshPolicy = Objects.requireNonNull(refreshPolicy, "refresh policy may not be null");
+    }
+
+    @Override
+    public ActionRequestValidationException validate() {
+        ActionRequestValidationException validationException = null;
+        if (Strings.isNullOrEmpty(name)) {
+            validationException = addValidationError("name is required", validationException);
+        } else if (name.length() > 256) {
+            validationException = addValidationError("name may not be more than 256 characters long", validationException);
+        }
+        return validationException;
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        super.writeTo(out);
+        out.writeString(name);
+        out.writeOptionalTimeValue(expiration);
+        out.writeList(roleDescriptors);
+        refreshPolicy.writeTo(out);
+    }
+
+    @Override
+    public void readFrom(StreamInput in) {
+        throw new UnsupportedOperationException("usage of Streamable is to be replaced by Writeable");
+    }
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/CreateApiKeyRequestBuilder.java

@@ -0,0 +1,44 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.core.security.action;
+
+import org.elasticsearch.action.ActionRequestBuilder;
+import org.elasticsearch.action.support.WriteRequest;
+import org.elasticsearch.client.ElasticsearchClient;
+import org.elasticsearch.common.unit.TimeValue;
+import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
+
+import java.util.List;
+
+/**
+ * Request builder for populating a {@link CreateApiKeyRequest}
+ */
+public final class CreateApiKeyRequestBuilder extends ActionRequestBuilder<CreateApiKeyRequest, CreateApiKeyResponse> {
+
+    public CreateApiKeyRequestBuilder(ElasticsearchClient client) {
+        super(client, CreateApiKeyAction.INSTANCE, new CreateApiKeyRequest());
+    }
+
+    public CreateApiKeyRequestBuilder setName(String name) {
+        request.setName(name);
+        return this;
+    }
+
+    public CreateApiKeyRequestBuilder setExpiration(TimeValue expiration) {
+        request.setExpiration(expiration);
+        return this;
+    }
+
+    public CreateApiKeyRequestBuilder setRoleDescriptors(List<RoleDescriptor> roleDescriptors) {
+        request.setRoleDescriptors(roleDescriptors);
+        return this;
+    }
+
+    public CreateApiKeyRequestBuilder setRefreshPolicy(WriteRequest.RefreshPolicy refreshPolicy) {
+        request.setRefreshPolicy(refreshPolicy);
+        return this;
+    }
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/CreateApiKeyResponse.java

@@ -0,0 +1,69 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.core.security.action;
+
+import org.elasticsearch.action.ActionResponse;
+import org.elasticsearch.common.Nullable;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.io.stream.StreamOutput;
+
+import java.io.IOException;
+import java.time.Instant;
+
+/**
+ * Response for the successful creation of an api key
+ */
+public final class CreateApiKeyResponse extends ActionResponse {
+
+    private String name;
+    private String key;
+    private Instant expiration;
+
+    CreateApiKeyResponse() {}
+
+    public CreateApiKeyResponse(String name, String key, Instant expiration) {
+        this.name = name;
+        this.key = key;
+        this.expiration = expiration;
+    }
+
+    public CreateApiKeyResponse(StreamInput in) throws IOException {
+        this.name = in.readString();
+        this.key = in.readString();
+        this.expiration = in.readOptionalInstant();
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public String getKey() {
+        return key;
+    }
+
+    @Nullable
+    public Instant getExpiration() {
+        return expiration;
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        super.writeTo(out);
+        out.writeString(name);
+        out.writeString(key);
+        out.writeOptionalInstant(expiration);
+    }
+
+    @Override
+    public void readFrom(StreamInput in) throws IOException {
+        // TODO(jaymode) remove this once transport supports reading writeables
+        //throw new UnsupportedOperationException("usage of Streamable is to be replaced by Writeable");
+        this.name = in.readString();
+        this.key = in.readString();
+        this.expiration = in.readOptionalInstant();
+    }
+}

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/role/GetRolesResponse.java

@@ -37,7 +37,7 @@ public void readFrom(StreamInput in) throws IOException {
         int size = in.readVInt();
         roles = new RoleDescriptor[size];
         for (int i = 0; i < size; i++) {
-            roles[i] = RoleDescriptor.readFrom(in);
+            roles[i] = new RoleDescriptor(in);
         }
     }
 
@@ -46,7 +46,7 @@ public void writeTo(StreamOutput out) throws IOException {
         super.writeTo(out);
         out.writeVInt(roles.length);
         for (RoleDescriptor role : roles) {
-            RoleDescriptor.writeTo(role, out);
+            role.writeTo(out);
         }
     }
 }