[APM] Invalidate keys created by other when user has privileges (#127002

)

* [APM] Invalidate keys created by other when user has privilages

* pr review

x-pack/plugins/apm/server/routes/agent_keys/invalidate_agent_key.ts

@@ -9,17 +9,16 @@ import { ApmPluginRequestHandlerContext } from '../typings';
 export async function invalidateAgentKey({
   context,
   id,
+  isAdmin,
 }: {
   context: ApmPluginRequestHandlerContext;
   id: string;
+  isAdmin: boolean;
 }) {
   const { invalidated_api_keys: invalidatedAgentKeys } =
     await context.core.elasticsearch.client.asCurrentUser.security.invalidateApiKey(
       {
-        body: {
-          ids: [id],
-          owner: true,
-        },
+        body: { ids: [id], owner: !isAdmin },
       }
     );
 

x-pack/plugins/apm/server/routes/agent_keys/route.ts

@@ -70,15 +70,29 @@ const invalidateAgentKeyRoute = createApmServerRoute({
     body: t.type({ id: t.string }),
   }),
   handler: async (resources): Promise<{ invalidatedAgentKeys: string[] }> => {
-    const { context, params } = resources;
-
+    const {
+      context,
+      params,
+      plugins: { security },
+    } = resources;
     const {
       body: { id },
     } = params;
 
+    if (!security) {
+      throw Boom.internal(SECURITY_REQUIRED_MESSAGE);
+    }
+
+    const securityPluginStart = await security.start();
+    const { isAdmin } = await getAgentKeysPrivileges({
+      context,
+      securityPluginStart,
+    });
+
     const invalidatedKeys = await invalidateAgentKey({
       context,
       id,
+      isAdmin,
     });
 
     return invalidatedKeys;