Make API key actions local-only (#107148)
Refactoring PR to make create, grant, and update API key actions
local-only. Also ports a profiles action since it relies on the same
base class as grant API key.
n1v0lg authored Apr 10, 2024
1 parent e21f2e3 commit c4a11de
Showing 31 changed files with 62 additions and 613 deletions.
Expand Up @@ -9,7 +9,7 @@

import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.ActionRequestValidationException;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.action.support.TransportAction;
import org.elasticsearch.common.io.stream.StreamOutput;

import java.io.IOException;
Expand All @@ -21,23 +21,17 @@ public GrantRequest() {
this.grant = new Grant();
}

public GrantRequest(StreamInput in) throws IOException {
super(in);
this.grant = new Grant(in);
}

public Grant getGrant() {
return grant;
}

@Override
public void writeTo(StreamOutput out) throws IOException {
super.writeTo(out);
grant.writeTo(out);
public ActionRequestValidationException validate() {
return grant.validate(null);
}

@Override
public ActionRequestValidationException validate() {
return grant.validate(null);
public final void writeTo(StreamOutput out) throws IOException {
TransportAction.localOnly();
}
}
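Review bot: The new `public final void writeTo(StreamOutput out)` in GrantRequest has no comment saying why it is `final` or why its whole body is `TransportAction.localOnly()`, and the identical overrides added to AbstractCreateApiKeyRequest and BaseUpdateApiKeyRequest have the same gap. A grant request presumably carries the caller's credentials, so keeping it off the wire is a security property a later maintainer should not undo by re-adding a `StreamInput` constructor; I would put something like `/** Local-only: this request is never sent to another node, so it must not be serialized. */` above each override. If the files not shown here do not already cover it, a unit test asserting that `writeTo` refuses to serialize would pin that behaviour. The class bodies continue outside the hunks, so I cannot see whether a class-level Javadoc already states this.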
Expand Up @@ -9,10 +9,11 @@

import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.ActionRequestValidationException;
import org.elasticsearch.action.support.TransportAction;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.UUIDs;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.support.MetadataUtils;
Expand All @@ -39,14 +40,6 @@ public AbstractCreateApiKeyRequest() {
this.id = UUIDs.base64UUID(); // because auditing can currently only catch requests but not responses,
}

@SuppressWarnings("this-escape")
public AbstractCreateApiKeyRequest(StreamInput in) throws IOException {
super(in);
this.id = doReadId(in);
}

protected abstract String doReadId(StreamInput in) throws IOException;

public String getId() {
return id;
}
Expand Down Expand Up @@ -102,4 +95,9 @@ public ActionRequestValidationException validate() {
assert refreshPolicy != null : "refresh policy is required";
return validationException;
}

@Override
public final void writeTo(StreamOutput out) throws IOException {
TransportAction.localOnly();
}
}
Expand Up @@ -8,13 +8,10 @@
package org.elasticsearch.xpack.core.security.action.apikey;

import org.elasticsearch.action.ActionRequestValidationException;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;

import java.io.IOException;
import java.util.List;
import java.util.Map;
import java.util.Objects;
Expand All @@ -35,11 +32,6 @@ public BaseBulkUpdateApiKeyRequest(
this.ids = Objects.requireNonNull(ids, "API key IDs must not be null");
}

public BaseBulkUpdateApiKeyRequest(StreamInput in) throws IOException {
super(in);
this.ids = in.readStringCollectionAsList();
}

@Override
public ActionRequestValidationException validate() {
ActionRequestValidationException validationException = super.validate();
Expand All @@ -49,12 +41,6 @@ public ActionRequestValidationException validate() {
return validationException;
}

@Override
public void writeTo(StreamOutput out) throws IOException {
super.writeTo(out);
out.writeStringCollection(ids);
}

public List<String> getIds() {
return ids;
}
Expand Up @@ -7,13 +7,10 @@

package org.elasticsearch.xpack.core.security.action.apikey;

import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;

import java.io.IOException;
import java.util.List;
import java.util.Map;
import java.util.Objects;
Expand All @@ -32,17 +29,6 @@ public BaseSingleUpdateApiKeyRequest(
this.id = Objects.requireNonNull(id, "API key ID must not be null");
}

public BaseSingleUpdateApiKeyRequest(StreamInput in) throws IOException {
super(in);
this.id = in.readString();
}

@Override
public void writeTo(StreamOutput out) throws IOException {
super.writeTo(out);
out.writeString(id);
}

public String getId() {
return id;
}
Expand Up @@ -7,10 +7,9 @@

package org.elasticsearch.xpack.core.security.action.apikey;

import org.elasticsearch.TransportVersions;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.ActionRequestValidationException;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.action.support.TransportAction;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.TimeValue;
Expand Down Expand Up @@ -43,17 +42,6 @@ public BaseUpdateApiKeyRequest(
this.expiration = expiration;
}

public BaseUpdateApiKeyRequest(StreamInput in) throws IOException {
super(in);
this.roleDescriptors = in.readOptionalCollectionAsList(RoleDescriptor::new);
this.metadata = in.readGenericMap();
if (in.getTransportVersion().onOrAfter(TransportVersions.UPDATE_API_KEY_EXPIRATION_TIME_ADDED)) {
expiration = in.readOptionalTimeValue();
} else {
expiration = null;
}
}

public Map<String, Object> getMetadata() {
return metadata;
}
Expand Down Expand Up @@ -90,12 +78,7 @@ public ActionRequestValidationException validate() {
}

@Override
public void writeTo(StreamOutput out) throws IOException {
super.writeTo(out);
out.writeOptionalCollection(roleDescriptors);
out.writeGenericMap(metadata);
if (out.getTransportVersion().onOrAfter(TransportVersions.UPDATE_API_KEY_EXPIRATION_TIME_ADDED)) {
out.writeOptionalTimeValue(expiration);
}
public final void writeTo(StreamOutput out) throws IOException {
TransportAction.localOnly();
}
}
Expand Up @@ -7,12 +7,10 @@

package org.elasticsearch.xpack.core.security.action.apikey;

import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;

import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
Expand Down Expand Up @@ -41,10 +39,6 @@ public BulkUpdateApiKeyRequest(
super(ids, roleDescriptors, metadata, expiration);
}

public BulkUpdateApiKeyRequest(StreamInput in) throws IOException {
super(in);
}

@Override
public ApiKey.Type getType() {
return ApiKey.Type.REST;
Expand Up @@ -7,18 +7,12 @@

package org.elasticsearch.xpack.core.security.action.apikey;

import org.elasticsearch.TransportVersions;
import org.elasticsearch.action.ActionRequestValidationException;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.common.UUIDs;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.xpack.core.security.action.role.RoleDescriptorRequestValidator;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;

import java.io.IOException;
import java.util.List;
import java.util.Map;

Expand Down Expand Up @@ -55,32 +49,6 @@ public CreateApiKeyRequest(
this.metadata = metadata;
}

public CreateApiKeyRequest(StreamInput in) throws IOException {
super(in);
if (in.getTransportVersion().onOrAfter(TransportVersions.V_7_5_0)) {
this.name = in.readOptionalString();
} else {
this.name = in.readString();
}
this.expiration = in.readOptionalTimeValue();
this.roleDescriptors = in.readCollectionAsImmutableList(RoleDescriptor::new);
this.refreshPolicy = WriteRequest.RefreshPolicy.readFrom(in);
if (in.getTransportVersion().onOrAfter(TransportVersions.V_8_0_0)) {
this.metadata = in.readGenericMap();
} else {
this.metadata = null;
}
}

@Override
protected String doReadId(StreamInput in) throws IOException {
if (in.getTransportVersion().onOrAfter(TransportVersions.V_7_10_0)) {
return in.readString();
} else {
return UUIDs.base64UUID();
}
}

@Override
public ApiKey.Type getType() {
return ApiKey.Type.REST;
Expand Down Expand Up @@ -114,23 +82,4 @@ public ActionRequestValidationException validate() {
}
return validationException;
}

@Override
public void writeTo(StreamOutput out) throws IOException {
super.writeTo(out);
if (out.getTransportVersion().onOrAfter(TransportVersions.V_7_10_0)) {
out.writeString(id);
}
if (out.getTransportVersion().onOrAfter(TransportVersions.V_7_5_0)) {
out.writeOptionalString(name);
} else {
out.writeString(name);
}
out.writeOptionalTimeValue(expiration);
out.writeCollection(getRoleDescriptors());
refreshPolicy.writeTo(out);
if (out.getTransportVersion().onOrAfter(TransportVersions.V_7_13_0)) {
out.writeGenericMap(metadata);
}
}
}
Expand Up @@ -8,9 +8,6 @@
package org.elasticsearch.xpack.core.security.action.apikey;

import org.elasticsearch.action.ActionRequestValidationException;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.core.Assertions;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.TimeValue;
Expand All @@ -37,20 +34,6 @@ public CreateCrossClusterApiKeyRequest(
this.metadata = metadata;
}

public CreateCrossClusterApiKeyRequest(StreamInput in) throws IOException {
super(in);
this.name = in.readString();
this.expiration = in.readOptionalTimeValue();
this.roleDescriptors = in.readCollectionAsImmutableList(RoleDescriptor::new);
this.refreshPolicy = WriteRequest.RefreshPolicy.readFrom(in);
this.metadata = in.readGenericMap();
}

@Override
protected String doReadId(StreamInput in) throws IOException {
return in.readString();
}

@Override
public ApiKey.Type getType() {
return ApiKey.Type.CROSS_CLUSTER;
Expand All @@ -67,17 +50,6 @@ public ActionRequestValidationException validate() {
return super.validate();
}

@Override
public void writeTo(StreamOutput out) throws IOException {
super.writeTo(out);
out.writeString(id);
out.writeString(name);
out.writeOptionalTimeValue(expiration);
out.writeCollection(roleDescriptors);
refreshPolicy.writeTo(out);
out.writeGenericMap(metadata);
}

@Override
public boolean equals(Object o) {
if (this == o) return true;
Expand Up @@ -9,11 +9,8 @@

import org.elasticsearch.action.ActionRequestValidationException;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.xpack.core.security.action.GrantRequest;

import java.io.IOException;
import java.util.Objects;

/**
Expand All @@ -30,17 +27,6 @@ public GrantApiKeyRequest() {
this.apiKey = new CreateApiKeyRequest();
}

public GrantApiKeyRequest(StreamInput in) throws IOException {
super(in);
this.apiKey = new CreateApiKeyRequest(in);
}

@Override
public void writeTo(StreamOutput out) throws IOException {
super.writeTo(out);
apiKey.writeTo(out);
}

public WriteRequest.RefreshPolicy getRefreshPolicy() {
return apiKey.getRefreshPolicy();
}
Expand Up @@ -7,12 +7,10 @@

package org.elasticsearch.xpack.core.security.action.apikey;

import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;

import java.io.IOException;
import java.util.List;
import java.util.Map;

Expand All @@ -30,10 +28,6 @@ public UpdateApiKeyRequest(
super(roleDescriptors, metadata, expiration, id);
}

public UpdateApiKeyRequest(StreamInput in) throws IOException {
super(in);
}

@Override
public ApiKey.Type getType() {
return ApiKey.Type.REST;