Updatable API keys - REST API spec and tests #88270

Merged
merged 208 commits into from
Jul 8, 2022

@n1v0lg commented Jul 5, 2022

This PR adds REST API spec and YAML test files for the UpdateApiKey
operation.

@n1v0lg changed the title from "Update API keys - REST API spec and YAML tests" to "Updatable API keys - REST API spec and tests" Jul 7, 2022
@n1v0lg marked this pull request as ready for review July 7, 2022 11:14
@n1v0lg added the ":Security/Authentication" label (Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc)) Jul 7, 2022
@elasticmachine added the "Team:Security" label (Meta label for security team) Jul 7, 2022
@elasticmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

@elasticsearchmachine
Collaborator

Hi @n1v0lg, I've created a changelog YAML for you.

@n1v0lg requested a review from ywangd July 7, 2022 11:15
@sethmlarson added the "Team:Clients" label (Meta label for clients team) Jul 7, 2022
@elasticmachine
Collaborator

Pinging @elastic/clients-team (Team:Clients)

@n1v0lg
Contributor Author

n1v0lg commented Jul 7, 2022

@elasticmachine run elasticsearch-ci/part-2 plz. Unrelated failure.

@sethmlarson
Contributor

@n1v0lg Looks pretty good so far! Thanks for adding so many YAML tests for this API.

Member

@ywangd left a comment

LGTM pending stub doc page as suggested below.

@@ -0,0 +1,5 @@
pr: 88270
summary: Updatable API keys - REST API spec and tests
area: Authentication
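
Review bot: `area: Authentication` on the last visible line is a narrower category than the change it labels; the `summary` line above it describes a REST API spec and tests for updatable API keys, not a change to an authentication mechanism. Consider the generic `Security` area and keep it consistent with the label applied to the PR. The hunk header announces five added lines but only three are visible here, so the remaining fields cannot be checked.
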
Member

I am curious why you picked Authentication. I'd go with the generic Security. It's not great either. I don't have a strong opinion, but would like to know your thoughts.

Contributor Author

I really wasn't sure here. I went with authentication because API keys generally are related to authentication but it's a bit of a stretch for this PR. I think Security might make more sense.

Comment on lines 164 to 167
- do:
security.clear_api_key_cache:
ids: "*"
- match: { _nodes.failed: 0 }
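
Review bot: the `ids: "*"` argument to `security.clear_api_key_cache` evicts every cached API key, and the only assertion on the step is `_nodes.failed: 0`, so the step checks the cache-clearing API rather than anything about updating a key. If a test really depends on cache state, pass the id of the key that test created instead of the wildcard; otherwise drop the step.
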
Member

I don't think we should clear API key cache after each test since this does not match the real usage pattern, i.e. it is unlikely that users would clear cache very often. I understand this is copied from 10_basic.yml. But those calls were added when API key cache clearing API was initially introduced. So they intentionally exercise the API. But outside that, there is no need (and actually better not to) call this API.

@@ -0,0 +1,355 @@
---
Member

The YAML tests look fine to me. That said, I just noticed two things in Java tests:

  1. There is a bug in ApiKeyIntegTests.testUpdateApiKeyAutoUpdatesUserRoles in that the role definition most often does not change because the putRoleWithClusterPrivileges method only honors the last cluster privilege.
  2. We don't seem to have tests for auto-update user information other than role definition changes, e.g. full_name or email changes. Role name change (as opposed to role definition changes) is not covered either.

@n1v0lg removed the ":Security/Authentication" label (Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc)) Jul 8, 2022
@elasticmachine removed the "Team:Security" label (Meta label for security team) Jul 8, 2022
@n1v0lg added the ":Security/Security" (Security issues without another label) and "Team:Security" (Meta label for security team) labels Jul 8, 2022
@n1v0lg merged commit f42b15b into elastic:master Jul 8, 2022
@n1v0lg deleted the updatable-api-keys-rest-spec branch July 8, 2022 09:48
Labels
>enhancement, :Security/Security (Security issues without another label), Team:Clients (Meta label for clients team), Team:Security (Meta label for security team), v8.4.0
5 participants