Support prefix search for API key names (#59113) (#59520)

This PR adds minimum support for prefix search of API Key name. It only touches API key name and leave all other query parameters, e.g. realm name, username unchanged.
This commit is contained in:
Yang Wang 2020-07-14 22:06:20 +10:00 committed by GitHub
parent 7dcdaeae49
commit f651487d74
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 57 additions and 11 deletions

View File

@ -35,7 +35,7 @@ pertain to retrieving api keys:
`name`::
(Optional, string) An API key name. This parameter cannot be used with any of
`id`, `realm_name` or `username` are used.
`id`, `realm_name` or `username` are used. It supports prefix search with wildcard.
`realm_name`::
(Optional, string) The name of an authentication realm. This parameter cannot be
@ -101,6 +101,14 @@ GET /_security/api_key?name=my-api-key
--------------------------------------------------
// TEST[continued]
API key name supports prefix search by using wildcard:
[source,console]
--------------------------------------------------
GET /_security/api_key?name=my-*
--------------------------------------------------
// TEST[continued]
The following example retrieves all API keys for the `native1` realm:
[source,console]

View File

@ -830,8 +830,12 @@ public class ApiKeyService {
if (Strings.hasText(userName)) {
boolQuery.filter(QueryBuilders.termQuery("creator.principal", userName));
}
if (Strings.hasText(apiKeyName)) {
boolQuery.filter(QueryBuilders.termQuery("name", apiKeyName));
if (Strings.hasText(apiKeyName) && "*".equals(apiKeyName) == false) {
if (apiKeyName.endsWith("*")) {
boolQuery.filter(QueryBuilders.prefixQuery("name", apiKeyName.substring(0, apiKeyName.length() - 1)));
} else {
boolQuery.filter(QueryBuilders.termQuery("name", apiKeyName));
}
}
if (Strings.hasText(apiKeyId)) {
boolQuery.filter(QueryBuilders.termQuery("_id", apiKeyId));

View File

@ -546,14 +546,43 @@ public class ApiKeyIntegTests extends SecurityIntegTestCase {
}
public void testGetApiKeysForApiKeyName() throws InterruptedException, ExecutionException {
List<CreateApiKeyResponse> responses = createApiKeys(1, null);
Client client = client().filterWithHeader(Collections.singletonMap("Authorization", UsernamePasswordToken
.basicAuthHeaderValue(SecuritySettingsSource.TEST_SUPERUSER, SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)));
final Map<String, String> headers = Collections.singletonMap(
"Authorization",
UsernamePasswordToken.basicAuthHeaderValue(
SecuritySettingsSource.TEST_SUPERUSER,
SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING));
final int noOfApiKeys = randomIntBetween(1, 3);
final List<CreateApiKeyResponse> createApiKeyResponses1 = createApiKeys(noOfApiKeys, null);
final List<CreateApiKeyResponse> createApiKeyResponses2 = createApiKeys(
headers, noOfApiKeys, "another-test-key-", null, "monitor");
Client client = client().filterWithHeader(headers);
SecurityClient securityClient = new SecurityClient(client);
PlainActionFuture<GetApiKeyResponse> listener = new PlainActionFuture<>();
List<CreateApiKeyResponse> responses = randomFrom(createApiKeyResponses1, createApiKeyResponses2);
securityClient.getApiKey(GetApiKeyRequest.usingApiKeyName(responses.get(0).getName(), false), listener);
GetApiKeyResponse response = listener.get();
verifyGetResponse(1, responses, response, Collections.singleton(responses.get(0).getId()), null);
verifyGetResponse(1, responses, listener.get(), Collections.singleton(responses.get(0).getId()), null);
PlainActionFuture<GetApiKeyResponse> listener2 = new PlainActionFuture<>();
securityClient.getApiKey(GetApiKeyRequest.usingApiKeyName("test-key*", false), listener2);
verifyGetResponse(noOfApiKeys, createApiKeyResponses1, listener2.get(),
createApiKeyResponses1.stream().map(CreateApiKeyResponse::getId).collect(Collectors.toSet()), null);
PlainActionFuture<GetApiKeyResponse> listener3 = new PlainActionFuture<>();
securityClient.getApiKey(GetApiKeyRequest.usingApiKeyName("*", false), listener3);
responses = Stream.concat(createApiKeyResponses1.stream(), createApiKeyResponses2.stream()).collect(Collectors.toList());
verifyGetResponse(2 * noOfApiKeys, responses, listener3.get(),
responses.stream().map(CreateApiKeyResponse::getId).collect(Collectors.toSet()), null);
PlainActionFuture<GetApiKeyResponse> listener4 = new PlainActionFuture<>();
securityClient.getApiKey(GetApiKeyRequest.usingApiKeyName("does-not-exist*", false), listener4);
verifyGetResponse(0, Collections.emptyList(), listener4.get(), Collections.emptySet(), null);
PlainActionFuture<GetApiKeyResponse> listener5 = new PlainActionFuture<>();
securityClient.getApiKey(GetApiKeyRequest.usingApiKeyName("another-test-key*", false), listener5);
verifyGetResponse(noOfApiKeys, createApiKeyResponses2, listener5.get(),
createApiKeyResponses2.stream().map(CreateApiKeyResponse::getId).collect(Collectors.toSet()), null);
}
public void testGetApiKeysOwnedByCurrentAuthenticatedUser() throws InterruptedException, ExecutionException {
@ -994,13 +1023,18 @@ public class ApiKeyIntegTests extends SecurityIntegTestCase {
private List<CreateApiKeyResponse> createApiKeys(Map<String, String> headers,
int noOfApiKeys, TimeValue expiration, String... clusterPrivileges) {
return createApiKeys(headers, noOfApiKeys, "test-key-", expiration, clusterPrivileges);
}
private List<CreateApiKeyResponse> createApiKeys(Map<String, String> headers,
int noOfApiKeys, String namePrefix, TimeValue expiration, String... clusterPrivileges) {
List<CreateApiKeyResponse> responses = new ArrayList<>();
for (int i = 0; i < noOfApiKeys; i++) {
final RoleDescriptor descriptor = new RoleDescriptor("role", clusterPrivileges, null, null);
Client client = client().filterWithHeader(headers);
SecurityClient securityClient = new SecurityClient(client);
final CreateApiKeyResponse response = securityClient.prepareCreateApiKey()
.setName("test-key-" + randomAlphaOfLengthBetween(5, 9) + i).setExpiration(expiration)
.setName(namePrefix + randomAlphaOfLengthBetween(5, 9) + i).setExpiration(expiration)
.setRoleDescriptors(Collections.singletonList(descriptor)).get();
assertNotNull(response.getId());
assertNotNull(response.getKey());