Expose the invalidation_time field in Get/Query ApiKey APIs #102472
Hi @jfreden, I've created a changelog YAML for you.
Looking great 👍 discussed a few tweaks on Zoom, will re-review afterwards
f7127ba to d23dc60
Pinging @elastic/es-security (Team:Security)
@elasticmachine update branch
LGTM 🚀 Great first PR!
A couple of (not strongly held) nits and smaller tweaks but nothing that needs another round of review.
One easy test coverage boost suggestion:
I'd add an assertion on `expiration` to this IT here -- that way we also cover the Query API with an integration test.
docs/changelog/102472.yaml
Outdated
@@ -0,0 +1,5 @@ | |||
pr: 102472 | |||
summary: Expose the `invalidation_time` field in Get/Query `ApiKey` APIs | |||
area: Client |
I think `Security/Security` or `Security/Authentication` are more appropriate labels since API keys are primarily authentication primitives. If you update the label on the PR, I believe the changelog should get updated automatically.
docs/changelog/102472.yaml
Outdated
@@ -0,0 +1,5 @@ | |||
pr: 102472 | |||
summary: Expose the `invalidation_time` field in Get/Query `ApiKey` APIs |
Nit: I'd go with `invalidation` here as well as in `ApiKey::toXContent` since that's the user-facing part. I've added in-line suggestions where I've come across it but may have missed a few parts.
@@ -107,6 +108,7 @@ public ApiKey( | |||
Instant creation, | |||
Instant expiration, | |||
boolean invalidated, | |||
Instant invalidation, |
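Review bot: with `boolean invalidated` and `Instant invalidation` passed as independent constructor parameters, a caller can build an `ApiKey` that has `invalidated == false` together with a non-null invalidation timestamp. Consider asserting in the constructor that a non-null `invalidation` implies `invalidated`, and documenting on the parameter when it is expected to be null.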
Nit: would mark @Nullable
.field("metadata", (metadata == null ? Map.of() : metadata)); | ||
builder.field("invalidated", invalidated); | ||
if (invalidation != null) { | ||
builder.field("invalidation_time", invalidation.toEpochMilli()); |
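Review bot: the response key on the added `builder.field(...)` line is a string literal, and the same literal has to be repeated wherever the response is parsed or asserted on. Hoisting it into one shared constant keeps the writer and the parser from drifting apart if the name changes. Since the field is written only when `invalidation != null`, the API docs should also state that it is absent, rather than null, for keys with no invalidation timestamp, and that the value is epoch milliseconds.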
builder.field("invalidation_time", invalidation.toEpochMilli()); | |
builder.field("invalidation", invalidation.toEpochMilli()); |
@@ -385,6 +419,7 @@ public boolean equals(Object obj) { | |||
PARSER.declareLong(constructorArg(), new ParseField("creation")); | |||
PARSER.declareLong(optionalConstructorArg(), new ParseField("expiration")); | |||
PARSER.declareBoolean(constructorArg(), new ParseField("invalidated")); | |||
PARSER.declareLong(optionalConstructorArg(), new ParseField("invalidation_time")); |
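Review bot: `optionalConstructorArg()` on the added line hands the parser's constructor function a null `Long` when the field is missing from the response. The code that consumes this argument is outside this hunk; check that it tests for null before converting the value to an `Instant`, otherwise parsing a key that has no invalidation timestamp fails on unboxing.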
PARSER.declareLong(optionalConstructorArg(), new ParseField("invalidation_time")); | |
PARSER.declareLong(optionalConstructorArg(), new ParseField("invalidation")); |
import static org.elasticsearch.xpack.core.security.action.apikey.ApiKeyTests.randomApiKeyInstance; | ||
import static org.hamcrest.Matchers.nullValue; | ||
|
||
public class ApiKeySerializationTests extends AbstractWireSerializingTestCase<ApiKey> { |
Neat!
@@ -192,6 +197,7 @@ public void testToXContent() throws IOException { | |||
"creation": 100000, | |||
"expiration": 10000000, | |||
"invalidated": true, | |||
"invalidation_time": 100000000, |
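Review bot: the expected JSON in this hunk only covers a key that has `"invalidated": true` together with a timestamp. Because the field is written only when the timestamp is non-null, add a second case with no invalidation timestamp that asserts the key is missing from the output, if no other test in this file already does so.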
"invalidation_time": 100000000, | |
"invalidation": 100000000, |
private static final String MANAGE_SECURITY_USER = "manage_security_user"; | ||
|
||
@Before | ||
public void createUsers() throws IOException { | ||
createUser(MANAGE_OWN_API_KEY_USER, END_USER_PASSWORD, List.of("manage_own_api_key_role")); | ||
createRole("manage_own_api_key_role", Set.of("manage_own_api_key")); | ||
createUser(MANAGE_API_KEY_USER, END_USER_PASSWORD, List.of("manage_api_key_role")); |
Nit: I don't think we need the new role and user -- either of the existing ones should work here (for sure `MANAGE_SECURITY_USER`).
@@ -1677,10 +1677,10 @@ private void indexInvalidation(Collection<String> apiKeyIds, ActionListener<Inva | |||
listener.onFailure(new ElasticsearchSecurityException("No api key ids provided for invalidation")); | |||
} else { | |||
BulkRequestBuilder bulkRequestBuilder = client.prepareBulk(); | |||
final long invalidationTime = clock.instant().toEpochMilli(); | |||
final long invalidation = clock.instant().toEpochMilli(); |
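Review bot: the timestamp on the changed line is read from `clock` once, right after `client.prepareBulk()`, while the method takes a `Collection<String> apiKeyIds`. If that single value is what gets written for every key in the batch, say so in a short comment, because the value is now part of the API response and keys invalidated by one request will report identical times.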
Nit: sorry, I forgot to mention this bit: I'd stick with `invalidationTime` here since it's a different context. Here (i.e., in `ApiKeyService`), we do refer to the time values with a time suffix, e.g., `creationTime`, `expirationTime`.
@@ -1024,7 +1020,7 @@ public void testValidateApiKey() throws Exception { | |||
assertFalse(result.isAuthenticated()); | |||
|
|||
// key is invalidated | |||
apiKeyDoc = buildApiKeyDoc(hash, -1, true); | |||
apiKeyDoc = buildApiKeyDoc(hash, -1, true, -1); |
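Review bot: in `buildApiKeyDoc(hash, -1, true, -1)` the two `-1` arguments are positional numeric values with different meanings, which is easy to transpose and hard to read at the call site. A named constant for the "no timestamp" sentinel, or inline argument comments, would make clear which one is the invalidation time.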
Could randomize a timestamp here since the key is invalidated (it's not the primary purpose of the test but might as well add that coverage).
51c88a8 to 760cade
This is a follow up PR from #102472. This adds the ability to use `invalidation` timestamp as a valid [query value](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-query-api-key.html#security-api-query-api-key-request-body) in the QueryApiKey API.
…102472)

This PR exposes `invalidation_time` in responses from [GetApiKey](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-api-key.html) and [QueryApiKey](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-query-api-key.html) API

To address the first half of elastic#92404.

As a follow up to this PR `invalidation_time` needs to be supported as a valid [query value](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-query-api-key.html#security-api-query-api-key-request-body) for the `QueryApiKey` API. There will also be a separate PR to add it to the API docs for [GetApiKey](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-api-key.html) and [QueryApiKey](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-query-api-key.html).
This PR exposes `invalidation_time` in responses from GetApiKey and QueryApiKey API

To address the first half of #92404.

As a follow up to this PR `invalidation_time` needs to be supported as a valid query value for the `QueryApiKey` API. There will also be a separate PR to add it to the API docs for GetApiKey and QueryApiKey.