Adding authc.invalidateAPIKeyAsInternalUser (#60717)

* Initial work * Fix type check issues * Fix test failures * Fix ESLint issues * Add back comment * PR feedback Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-03-23 12:39:55 -04:00 · 2020-03-23 12:39:55 -04:00 · 91e8e3e883
parent 21e8cea183
commit 91e8e3e883
6 changed files with 115 additions and 13 deletions
--- a/x-pack/plugins/security/server/authentication/api_keys.test.ts
+++ b/x-pack/plugins/security/server/authentication/api_keys.test.ts
@ -225,4 +225,56 @@ describe('API Keys', () => {
      );
    });
  });
+
+  describe('invalidateAsInternalUser()', () => {
+    it('returns null when security feature is disabled', async () => {
+      mockLicense.isEnabled.mockReturnValue(false);
+      const result = await apiKeys.invalidateAsInternalUser({ id: '123' });
+      expect(result).toBeNull();
+      expect(mockClusterClient.callAsInternalUser).not.toHaveBeenCalled();
+    });
+
+    it('calls callCluster with proper parameters', async () => {
+      mockLicense.isEnabled.mockReturnValue(true);
+      mockClusterClient.callAsInternalUser.mockResolvedValueOnce({
+        invalidated_api_keys: ['api-key-id-1'],
+        previously_invalidated_api_keys: [],
+        error_count: 0,
+      });
+      const result = await apiKeys.invalidateAsInternalUser({ id: '123' });
+      expect(result).toEqual({
+        invalidated_api_keys: ['api-key-id-1'],
+        previously_invalidated_api_keys: [],
+        error_count: 0,
+      });
+      expect(mockClusterClient.callAsInternalUser).toHaveBeenCalledWith('shield.invalidateAPIKey', {
+        body: {
+          id: '123',
+        },
+      });
+    });
+
+    it('Only passes id as a parameter', async () => {
+      mockLicense.isEnabled.mockReturnValue(true);
+      mockClusterClient.callAsInternalUser.mockResolvedValueOnce({
+        invalidated_api_keys: ['api-key-id-1'],
+        previously_invalidated_api_keys: [],
+        error_count: 0,
+      });
+      const result = await apiKeys.invalidateAsInternalUser({
+        id: '123',
+        name: 'abc',
+      } as any);
+      expect(result).toEqual({
+        invalidated_api_keys: ['api-key-id-1'],
+        previously_invalidated_api_keys: [],
+        error_count: 0,
+      });
+      expect(mockClusterClient.callAsInternalUser).toHaveBeenCalledWith('shield.invalidateAPIKey', {
+        body: {
+          id: '123',
+        },
+      });
+    });
+  });
 });
--- a/x-pack/plugins/security/server/authentication/api_keys.ts
+++ b/x-pack/plugins/security/server/authentication/api_keys.ts
@ -193,26 +193,51 @@ export class APIKeys {
   * @param request Request instance.
   * @param params The params to invalidate an API key.
   */
-  async invalidate(
-    request: KibanaRequest,
-    params: InvalidateAPIKeyParams
-  ): Promise<InvalidateAPIKeyResult | null> {
+  async invalidate(request: KibanaRequest, params: InvalidateAPIKeyParams) {
+    if (!this.license.isEnabled()) {
+      return null;
+    }
+
+    this.logger.debug('Trying to invalidate an API key as current user');
+
+    let result: InvalidateAPIKeyResult;
+    try {
+      // User needs `manage_api_key` privilege to use this API
+      result = await this.clusterClient
+        .asScoped(request)
+        .callAsCurrentUser('shield.invalidateAPIKey', {
+          body: {
+            id: params.id,
+          },
+        });
+      this.logger.debug('API key was invalidated successfully as current user');
+    } catch (e) {
+      this.logger.error(`Failed to invalidate API key as current user: ${e.message}`);
+      throw e;
+    }
+
+    return result;
+  }
+
+  /**
+   * Tries to invalidate an API key by using the internal user.
+   * @param params The params to invalidate an API key.
+   */
+  async invalidateAsInternalUser(params: InvalidateAPIKeyParams) {
    if (!this.license.isEnabled()) {
      return null;
    }

    this.logger.debug('Trying to invalidate an API key');

-    // User needs `manage_api_key` privilege to use this API
    let result: InvalidateAPIKeyResult;
    try {
-      result = (await this.clusterClient
-        .asScoped(request)
-        .callAsCurrentUser('shield.invalidateAPIKey', {
-          body: {
-            id: params.id,
-          },
-        })) as InvalidateAPIKeyResult;
+      // Internal user needs `cluster:admin/xpack/security/api_key/invalidate` privilege to use this API
+      result = await this.clusterClient.callAsInternalUser('shield.invalidateAPIKey', {
+        body: {
+          id: params.id,
+        },
+      });
      this.logger.debug('API key was invalidated successfully');
    } catch (e) {
      this.logger.error(`Failed to invalidate API key: ${e.message}`);
--- a/x-pack/plugins/security/server/authentication/index.mock.ts
+++ b/x-pack/plugins/security/server/authentication/index.mock.ts
@ -15,6 +15,7 @@ export const authenticationMock = {
    getCurrentUser: jest.fn(),
    grantAPIKeyAsInternalUser: jest.fn(),
    invalidateAPIKey: jest.fn(),
+    invalidateAPIKeyAsInternalUser: jest.fn(),
    isAuthenticated: jest.fn(),
    getSessionInfo: jest.fn(),
  }),
--- a/x-pack/plugins/security/server/authentication/index.test.ts
+++ b/x-pack/plugins/security/server/authentication/index.test.ts
@ -33,7 +33,7 @@ import {
 import { AuthenticatedUser } from '../../common/model';
 import { ConfigType, createConfig$ } from '../config';
 import { AuthenticationResult } from './authentication_result';
-import { setupAuthentication } from '.';
+import { Authentication, setupAuthentication } from '.';
 import {
  CreateAPIKeyResult,
  CreateAPIKeyParams,
@ -410,4 +410,25 @@ describe('setupAuthentication()', () => {
      expect(apiKeysInstance.invalidate).toHaveBeenCalledWith(request, params);
    });
  });
+
+  describe('invalidateAPIKeyAsInternalUser()', () => {
+    let invalidateAPIKeyAsInternalUser: Authentication['invalidateAPIKeyAsInternalUser'];
+
+    beforeEach(async () => {
+      invalidateAPIKeyAsInternalUser = (await setupAuthentication(mockSetupAuthenticationParams))
+        .invalidateAPIKeyAsInternalUser;
+    });
+
+    it('calls invalidateAPIKeyAsInternalUser with given arguments', async () => {
+      const apiKeysInstance = jest.requireMock('./api_keys').APIKeys.mock.instances[0];
+      const params = {
+        id: '123',
+      };
+      apiKeysInstance.invalidateAsInternalUser.mockResolvedValueOnce({ success: true });
+      await expect(invalidateAPIKeyAsInternalUser(params)).resolves.toEqual({
+        success: true,
+      });
+      expect(apiKeysInstance.invalidateAsInternalUser).toHaveBeenCalledWith(params);
+    });
+  });
 });
--- a/x-pack/plugins/security/server/authentication/index.ts
+++ b/x-pack/plugins/security/server/authentication/index.ts
@ -176,6 +176,8 @@ export async function setupAuthentication({
    grantAPIKeyAsInternalUser: (request: KibanaRequest) => apiKeys.grantAsInternalUser(request),
    invalidateAPIKey: (request: KibanaRequest, params: InvalidateAPIKeyParams) =>
      apiKeys.invalidate(request, params),
+    invalidateAPIKeyAsInternalUser: (params: InvalidateAPIKeyParams) =>
+      apiKeys.invalidateAsInternalUser(params),
    isAuthenticated: (request: KibanaRequest) => http.auth.isAuthenticated(request),
  };
 }
--- a/x-pack/plugins/security/server/plugin.test.ts
+++ b/x-pack/plugins/security/server/plugin.test.ts
@ -76,6 +76,7 @@ describe('Security Plugin', () => {
                  "getSessionInfo": [Function],
                  "grantAPIKeyAsInternalUser": [Function],
                  "invalidateAPIKey": [Function],
+                  "invalidateAPIKeyAsInternalUser": [Function],
                  "isAuthenticated": [Function],
                  "isProviderEnabled": [Function],
                  "login": [Function],