Expose the invalidation_time field in Get/Query ApiKey APIs #102472
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jfreden
added
>enhancement
:Security/Client
elasticsearchmachine
added
v8.12.0
external-contributor
|
Hi @jfreden, I've created a changelog YAML for you. |
n1v0lg
removed
the
external-contributor
n1v0lg
reviewed
Nov 22, 2023
jfreden
force-pushed
the
expose-invalidation_time-apikey-apis
branch
from
f7127ba
to
d23dc60
Compare
|
Pinging @elastic/es-security (Team:Security) |
|
@elasticmachine update branch |
n1v0lg
approved these changes
Nov 23, 2023
There was a problem hiding this comment.
LGTM 🚀 Great first PR!
A couple of (not strongly held) nits and smaller tweaks but nothing that needs another round of review.
One easy test coverage boost suggestion:
I'd add an assertion on expiration to this IT here -- that way we also cover the Query API with an integration test.
docs/changelog/102472.yaml
Outdated
| @@ -0,0 +1,5 @@ | |||
| pr: 102472 | |||
| summary: Expose the `invalidation_time` field in Get/Query `ApiKey` APIs | |||
| area: Client | |||
There was a problem hiding this comment.
I think Security/Security or Security/Authentication are more appropriate labels since API keys are primarily authentication primitives. If you update the label on the PR, I believe the changelog should get updated automatically.
docs/changelog/102472.yaml
Outdated
| @@ -0,0 +1,5 @@ | |||
| pr: 102472 | |||
| summary: Expose the `invalidation_time` field in Get/Query `ApiKey` APIs | |||
There was a problem hiding this comment.
Nit: I'd go with invalidation here as well as in ApiKey::toXContent since that's the user-facing part. I'm added in-line suggestions where I've come across it but may have missed a few parts.
| @@ -107,6 +108,7 @@ public ApiKey( | |||
| Instant creation, | |||
| Instant expiration, | |||
| boolean invalidated, | |||
| Instant invalidation, | |||
| .field("metadata", (metadata == null ? Map.of() : metadata)); | ||
| builder.field("invalidated", invalidated); | ||
| if (invalidation != null) { | ||
| builder.field("invalidation_time", invalidation.toEpochMilli()); |
There was a problem hiding this comment.
Suggested change
| builder.field("invalidation_time", invalidation.toEpochMilli()); | |
| builder.field("invalidation", invalidation.toEpochMilli()); |
| @@ -385,6 +419,7 @@ public boolean equals(Object obj) { | |||
| PARSER.declareLong(constructorArg(), new ParseField("creation")); | |||
| PARSER.declareLong(optionalConstructorArg(), new ParseField("expiration")); | |||
| PARSER.declareBoolean(constructorArg(), new ParseField("invalidated")); | |||
| PARSER.declareLong(optionalConstructorArg(), new ParseField("invalidation_time")); | |||
There was a problem hiding this comment.
Suggested change
| PARSER.declareLong(optionalConstructorArg(), new ParseField("invalidation_time")); | |
| PARSER.declareLong(optionalConstructorArg(), new ParseField("invalidation")); |
| import static org.elasticsearch.xpack.core.security.action.apikey.ApiKeyTests.randomApiKeyInstance; | ||
| import static org.hamcrest.Matchers.nullValue; | ||
|
|
||
| public class ApiKeySerializationTests extends AbstractWireSerializingTestCase<ApiKey> { |
| @@ -192,6 +197,7 @@ public void testToXContent() throws IOException { | |||
| "creation": 100000, | |||
| "expiration": 10000000, | |||
| "invalidated": true, | |||
| "invalidation_time": 100000000, | |||
There was a problem hiding this comment.
Suggested change
| "invalidation_time": 100000000, | |
| "invalidation": 100000000, |
| private static final String MANAGE_SECURITY_USER = "manage_security_user"; | ||
|
|
||
| @Before | ||
| public void createUsers() throws IOException { | ||
| createUser(MANAGE_OWN_API_KEY_USER, END_USER_PASSWORD, List.of("manage_own_api_key_role")); | ||
| createRole("manage_own_api_key_role", Set.of("manage_own_api_key")); | ||
| createUser(MANAGE_API_KEY_USER, END_USER_PASSWORD, List.of("manage_api_key_role")); |
There was a problem hiding this comment.
Nit: I don't think we need the new role and user -- either of the existing ones should work here (for sure MANAGE_SECURITY_USER).
| @@ -1677,10 +1677,10 @@ private void indexInvalidation(Collection<String> apiKeyIds, ActionListener<Inva | |||
| listener.onFailure(new ElasticsearchSecurityException("No api key ids provided for invalidation")); | |||
| } else { | |||
| BulkRequestBuilder bulkRequestBuilder = client.prepareBulk(); | |||
| final long invalidationTime = clock.instant().toEpochMilli(); | |||
| final long invalidation = clock.instant().toEpochMilli(); | |||
There was a problem hiding this comment.
Nit: sorry, I forgot to mention this bit: I'd stick with invalidationTime here since it's a different context. Here (i.e., in ApiKeyService), we do refer to the time values with a time suffix, e.g., creationTime, expirationTime.
| @@ -1024,7 +1020,7 @@ public void testValidateApiKey() throws Exception { | |||
| assertFalse(result.isAuthenticated()); | |||
|
|
|||
| // key is invalidated | |||
| apiKeyDoc = buildApiKeyDoc(hash, -1, true); | |||
| apiKeyDoc = buildApiKeyDoc(hash, -1, true, -1); | |||
There was a problem hiding this comment.
Could randomize a timestamp here since the key is invalidated (it's not the primary purpose of the test but might as well add that coverage).
jfreden
added
:Security/Security
jfreden
added
auto-merge
jfreden
force-pushed
the
expose-invalidation_time-apikey-apis
branch
from
51c88a8
to
760cade
Compare
elasticsearchmachine
pushed a commit
that referenced
this pull request
Nov 27, 2023
This is a follow up PR from #102472. This adds the ability to use `invalidation` timestamp as a valid [query value](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-query-api-key.html#security-api-query-api-key-request-body) in the QueryApiKey API.
timgrein
pushed a commit
to timgrein/elasticsearch
that referenced
this pull request
Nov 30, 2023
…102472) This PR exposes `invalidation_time` in responses from [GetApiKey](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-api-key.html) and [QueryApiKey](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-query-api-key.html) API To address the first half of elastic#92404. As a follow up to this PR `invalidation_time` needs to be supported as a valid [query value](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-query-api-key.html#security-api-query-api-key-request-body) for the `QueryApiKey` API. There will also be a separate PR to add it to the API docs for [GetApiKey](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-api-key.html) and [QueryApiKey](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-query-api-key.html).
timgrein
pushed a commit
to timgrein/elasticsearch
that referenced
this pull request
Nov 30, 2023
This is a follow up PR from elastic#102472. This adds the ability to use `invalidation` timestamp as a valid [query value](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-query-api-key.html#security-api-query-api-key-request-body) in the QueryApiKey API.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR exposes
invalidation_timein responses from GetApiKey and QueryApiKey APITo address the first half of #92404.
As a follow up to this PR
invalidation_timeneeds to be supported as a valid query value for theQueryApiKeyAPI. There will also be a separate PR to add it to the API docs for GetApiKey and QueryApiKey.