Merge branch 'master' of https://github.com/elastic/elasticsearch into ql_fields_api_implementation

Author: astefan

.idea/scopes/llrc.xml

@@ -323,10 +323,10 @@ Please follow these formatting guidelines:
   decrease in consistency.
 * Note that Javadoc and block comments i.e. `/* ... */` are not formatted,
   but line comments i.e `// ...` are.
-* There is an implicit rule that negative boolean expressions should use
-  the form `foo == false` instead of `!foo` for better readability of the
-  code. While this isn't strictly enforced, if might get called out in PR
-  reviews as something to change.
+* Negative boolean expressions must use the form `foo == false` instead of
+  `!foo` for better readability of the code. This is enforced via
+  Checkstyle. Conversely, you should not write e.g. `if (foo == true)`, but
+  just `if (foo)`.
 
 #### Editor / IDE Support
 

CONTRIBUTING.md

@@ -153,7 +153,7 @@ public void runRat() {
         // we keep this here, in case someone adds BSD code for some reason, it should never be allowed.
         matchers.add(subStringMatcher("BSD4 ", "Original BSD License (with advertising clause)", "All advertising materials"));
         // Apache
-        matchers.add(subStringMatcher("AL   ", "Apache", "Licensed to Elasticsearch under one or more contributor"));
+        matchers.add(subStringMatcher("AL   ", "Apache", "Licensed to Elasticsearch B.V. under one or more contributor"));
         // Generated resources
         matchers.add(subStringMatcher("GEN  ", "Generated", "ANTLR GENERATED CODE"));
         // Vendored Code

buildSrc/src/main/java/org/elasticsearch/gradle/internal/precommit/LicenseHeadersTask.java

@@ -124,17 +124,17 @@
     </module>
 
     <!-- Forbid using '!' for logical negations in favour of checking against 'false' explicitly. -->
-    <!-- This is disabled for now because there are many violations, hence the rule is reporting at the "warning" severity. -->
-    <!--
+    <!-- This is only reported in the IDE for now because there are many violations -->
     <module name="DescendantToken">
-      <property name="id" value="BooleanNegation" />
-      <property name="tokens" value="EXPR"/>
-      <property name="limitedTokens" value="LNOT"/>
-      <property name="maximumNumber" value="0"/>
-      <property name="maximumDepth" value="1"/>
-      <message key="descendant.token.max" value="Do not negate boolean expressions with '!', but check explicitly with '== false' as it is more explicit"/>
+        <property name="id" value="BooleanNegation" />
+        <property name="tokens" value="EXPR"/>
+        <property name="limitedTokens" value="LNOT"/>
+        <property name="maximumNumber" value="0"/>
+        <property name="maximumDepth" value="2"/>
+        <message
+            key="descendant.token.max"
+            value="Do not negate boolean expressions with '!', but check explicitly with '== false' as it is more explicit"/>
     </module>
-    -->
 
   </module>
 </module>

buildSrc/src/main/resources/checkstyle.xml

@@ -8,18 +8,6 @@
 <!-- Checkstyle config by the `:configureIdeCheckstyle` task.           -->
 
 <module name="IdeFragment">
-    <!-- Forbid using '!' for logical negations in favour of checking against 'false' explicitly. -->
-    <!-- This is only reported in the IDE for now because there are many violations -->
-    <module name="DescendantToken">
-        <property name="id" value="BooleanNegation" />
-        <property name="tokens" value="EXPR"/>
-        <property name="limitedTokens" value="LNOT"/>
-        <property name="maximumNumber" value="0"/>
-        <property name="maximumDepth" value="2"/>
-        <message
-            key="descendant.token.max"
-            value="Do not negate boolean expressions with '!', but check explicitly with '== false' as it is more explicit"/>
-    </module>
 
     <!-- See CONTRIBUTING.md for our guidelines on Javadoc -->
 

buildSrc/src/main/resources/checkstyle_ide_fragment.xml

@@ -52,6 +52,7 @@
 import org.elasticsearch.client.security.GetUserPrivilegesResponse;
 import org.elasticsearch.client.security.GetUsersRequest;
 import org.elasticsearch.client.security.GetUsersResponse;
+import org.elasticsearch.client.security.GrantApiKeyRequest;
 import org.elasticsearch.client.security.HasPrivilegesRequest;
 import org.elasticsearch.client.security.HasPrivilegesResponse;
 import org.elasticsearch.client.security.InvalidateApiKeyRequest;
@@ -1064,6 +1065,37 @@ public Cancellable invalidateApiKeyAsync(final InvalidateApiKeyRequest request,
                 InvalidateApiKeyResponse::fromXContent, listener, emptySet());
     }
 
+    /**
+     * Create an API Key on behalf of another user.<br>
+     * See <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-grant-api-key.html">
+     * the docs</a> for more.
+     *
+     * @param request the request to grant an API key
+     * @param options the request options (e.g. headers), use {@link RequestOptions#DEFAULT} if nothing needs to be customized
+     * @return the response from the create API key call
+     * @throws IOException in case there is a problem sending the request or parsing back the response
+     */
+    public CreateApiKeyResponse grantApiKey(final GrantApiKeyRequest request, final RequestOptions options) throws IOException {
+        return restHighLevelClient.performRequestAndParseEntity(request, SecurityRequestConverters::grantApiKey, options,
+            CreateApiKeyResponse::fromXContent, emptySet());
+    }
+
+    /**
+     * Asynchronously creates an API key on behalf of another user.<br>
+     * See <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-grant-api-key.html">
+     * the docs</a> for more.
+     *
+     * @param request the request to grant an API key
+     * @param options the request options (e.g. headers), use {@link RequestOptions#DEFAULT} if nothing needs to be customized
+     * @param listener the listener to be notified upon request completion
+     * @return cancellable that may be used to cancel the request
+     */
+    public Cancellable grantApiKeyAsync(final GrantApiKeyRequest request, final RequestOptions options,
+                                         final ActionListener<CreateApiKeyResponse> listener) {
+        return restHighLevelClient.performRequestAsyncAndParseEntity(request, SecurityRequestConverters::grantApiKey, options,
+            CreateApiKeyResponse::fromXContent, listener, emptySet());
+    }
+
     /**
      * Get an Elasticsearch access token from an {@code X509Certificate} chain. The certificate chain is that of the client from a mutually
      * authenticated TLS session, and it is validated by the PKI realms with {@code delegation.enabled} toggled to {@code true}.<br>

client/rest-high-level/src/main/java/org/elasticsearch/client/SecurityClient.java

@@ -31,6 +31,7 @@
 import org.elasticsearch.client.security.GetRoleMappingsRequest;
 import org.elasticsearch.client.security.GetRolesRequest;
 import org.elasticsearch.client.security.GetUsersRequest;
+import org.elasticsearch.client.security.GrantApiKeyRequest;
 import org.elasticsearch.client.security.HasPrivilegesRequest;
 import org.elasticsearch.client.security.InvalidateApiKeyRequest;
 import org.elasticsearch.client.security.InvalidateTokenRequest;
@@ -296,6 +297,15 @@ static Request createApiKey(final CreateApiKeyRequest createApiKeyRequest) throw
         return request;
     }
 
+    static Request grantApiKey(final GrantApiKeyRequest grantApiKeyRequest) throws IOException {
+        final Request request = new Request(HttpPost.METHOD_NAME, "/_security/api_key/grant");
+        request.setEntity(createEntity(grantApiKeyRequest, REQUEST_BODY_CONTENT_TYPE));
+        final RequestConverters.Params params = new RequestConverters.Params();
+        params.withRefreshPolicy(grantApiKeyRequest.getApiKeyRequest().getRefreshPolicy());
+        request.addParameters(params.asMap());
+        return request;
+    }
+
     static Request getApiKey(final GetApiKeyRequest getApiKeyRequest) throws IOException {
         final Request request = new Request(HttpGet.METHOD_NAME, "/_security/api_key");
         if (Strings.hasText(getApiKeyRequest.getId())) {

client/rest-high-level/src/main/java/org/elasticsearch/client/SecurityRequestConverters.java

@@ -0,0 +1,156 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+package org.elasticsearch.client.security;
+
+import org.elasticsearch.client.Validatable;
+import org.elasticsearch.common.CharArrays;
+import org.elasticsearch.common.xcontent.ToXContentFragment;
+import org.elasticsearch.common.xcontent.ToXContentObject;
+import org.elasticsearch.common.xcontent.XContentBuilder;
+
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.Objects;
+
+/**
+ * Request to create a new API Key on behalf of another user.
+ */
+public final class GrantApiKeyRequest implements Validatable, ToXContentObject {
+
+    private final Grant grant;
+    private final CreateApiKeyRequest apiKeyRequest;
+
+    public static class Grant implements ToXContentFragment {
+        private final String grantType;
+        private final String username;
+        private final char[] password;
+        private final String accessToken;
+
+        private Grant(String grantType, String username, char[] password, String accessToken) {
+            this.grantType = Objects.requireNonNull(grantType, "Grant type may not be null");
+            this.username = username;
+            this.password = password;
+            this.accessToken = accessToken;
+        }
+
+        public static Grant passwordGrant(String username, char[] password) {
+            return new Grant(
+                "password",
+                Objects.requireNonNull(username, "Username may not be null"),
+                Objects.requireNonNull(password, "Password may not be null"),
+                null);
+        }
+
+        public static Grant accessTokenGrant(String accessToken) {
+            return new Grant(
+                "access_token",
+                null,
+                null,
+                Objects.requireNonNull(accessToken, "Access token may not be null")
+            );
+        }
+
+        public String getGrantType() {
+            return grantType;
+        }
+
+        public String getUsername() {
+            return username;
+        }
+
+        public char[] getPassword() {
+            return password;
+        }
+
+        public String getAccessToken() {
+            return accessToken;
+        }
+
+        @Override
+        public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+            builder.field("grant_type", grantType);
+            if (username != null) {
+                builder.field("username", username);
+            }
+            if (password != null) {
+                byte[] passwordBytes = CharArrays.toUtf8Bytes(password);
+                try {
+                    builder.field("password").utf8Value(passwordBytes, 0, passwordBytes.length);
+                } finally {
+                    Arrays.fill(passwordBytes, (byte) 0);
+                }
+            }
+            if (accessToken != null) {
+                builder.field("access_token", accessToken);
+            }
+            return builder;
+        }
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) {
+                return true;
+            }
+            if (o == null || getClass() != o.getClass()) {
+                return false;
+            }
+            Grant grant = (Grant) o;
+            return grantType.equals(grant.grantType)
+                && Objects.equals(username, grant.username)
+                && Arrays.equals(password, grant.password)
+                && Objects.equals(accessToken, grant.accessToken);
+        }
+
+        @Override
+        public int hashCode() {
+            int result = Objects.hash(grantType, username, accessToken);
+            result = 31 * result + Arrays.hashCode(password);
+            return result;
+        }
+    }
+
+    public GrantApiKeyRequest(Grant grant, CreateApiKeyRequest apiKeyRequest) {
+        this.grant = Objects.requireNonNull(grant, "Grant may not be null");
+        this.apiKeyRequest = Objects.requireNonNull(apiKeyRequest, "Create API key request may not be null");
+    }
+
+    public Grant getGrant() {
+        return grant;
+    }
+
+    public CreateApiKeyRequest getApiKeyRequest() {
+        return apiKeyRequest;
+    }
+
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+        builder.startObject();
+        grant.toXContent(builder, params);
+        builder.field("api_key", apiKeyRequest);
+        return builder.endObject();
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        final GrantApiKeyRequest that = (GrantApiKeyRequest) o;
+        return Objects.equals(this.grant, that.grant)
+            && Objects.equals(this.apiKeyRequest, that.apiKeyRequest);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(grant, apiKeyRequest);
+    }
+}

client/rest-high-level/src/main/java/org/elasticsearch/client/security/GrantApiKeyRequest.java

@@ -212,6 +212,17 @@ public static final class Builder {
         private Builder() {
         }
 
+        public Builder clone(Role role) {
+            return this
+                .name(role.name)
+                .clusterPrivileges(role.clusterPrivileges)
+                .globalApplicationPrivileges(role.globalPrivileges)
+                .indicesPrivileges(role.indicesPrivileges)
+                .applicationResourcePrivileges(role.applicationPrivileges)
+                .runAsPrivilege(role.runAsPrivilege)
+                .metadata(role.metadata);
+        }
+
         public Builder name(String name) {
             if (Strings.hasText(name) == false){
                 throw new IllegalArgumentException("role name must be provided");

client/rest-high-level/src/main/java/org/elasticsearch/client/security/user/privileges/Role.java

@@ -27,6 +27,7 @@
 import org.elasticsearch.client.security.GetRoleMappingsRequest;
 import org.elasticsearch.client.security.GetRolesRequest;
 import org.elasticsearch.client.security.GetUsersRequest;
+import org.elasticsearch.client.security.GrantApiKeyRequest;
 import org.elasticsearch.client.security.InvalidateApiKeyRequest;
 import org.elasticsearch.client.security.PutPrivilegesRequest;
 import org.elasticsearch.client.security.PutRoleMappingRequest;
@@ -425,23 +426,52 @@ public void testPutRole() throws IOException {
     }
 
     public void testCreateApiKey() throws IOException {
+        final CreateApiKeyRequest createApiKeyRequest = buildCreateApiKeyRequest();
+
+        final Map<String, String> expectedParams;
+        final RefreshPolicy refreshPolicy = createApiKeyRequest.getRefreshPolicy();
+        if (refreshPolicy != RefreshPolicy.NONE) {
+            expectedParams = Collections.singletonMap("refresh", refreshPolicy.getValue());
+        } else {
+            expectedParams = Collections.emptyMap();
+        }
+
+        final Request request = SecurityRequestConverters.createApiKey(createApiKeyRequest);
+        assertEquals(HttpPost.METHOD_NAME, request.getMethod());
+        assertEquals("/_security/api_key", request.getEndpoint());
+        assertEquals(expectedParams, request.getParameters());
+        assertToXContentBody(createApiKeyRequest, request.getEntity());
+    }
+
+    private CreateApiKeyRequest buildCreateApiKeyRequest() {
         final String name = randomAlphaOfLengthBetween(4, 7);
         final List<Role> roles = Collections.singletonList(Role.builder().name("r1").clusterPrivileges(ClusterPrivilegeName.ALL)
                 .indicesPrivileges(IndicesPrivileges.builder().indices("ind-x").privileges(IndexPrivilegeName.ALL).build()).build());
         final TimeValue expiration = randomBoolean() ? null : TimeValue.timeValueHours(24);
         final RefreshPolicy refreshPolicy = randomFrom(RefreshPolicy.values());
+        final CreateApiKeyRequest createApiKeyRequest = new CreateApiKeyRequest(name, roles, expiration, refreshPolicy);
+        return createApiKeyRequest;
+    }
+
+    public void testGrantApiKey() throws IOException {
+        final CreateApiKeyRequest createApiKeyRequest = buildCreateApiKeyRequest();
+        final GrantApiKeyRequest grantApiKeyRequest = new GrantApiKeyRequest(randomBoolean()
+            ? GrantApiKeyRequest.Grant.accessTokenGrant(randomAlphaOfLength(24))
+            : GrantApiKeyRequest.Grant.passwordGrant(randomAlphaOfLengthBetween(4, 12), randomAlphaOfLengthBetween(14, 18).toCharArray()),
+            createApiKeyRequest);
         final Map<String, String> expectedParams;
+        final RefreshPolicy refreshPolicy = createApiKeyRequest.getRefreshPolicy();
         if (refreshPolicy != RefreshPolicy.NONE) {
             expectedParams = Collections.singletonMap("refresh", refreshPolicy.getValue());
         } else {
             expectedParams = Collections.emptyMap();
         }
-        final CreateApiKeyRequest createApiKeyRequest = new CreateApiKeyRequest(name, roles, expiration, refreshPolicy);
-        final Request request = SecurityRequestConverters.createApiKey(createApiKeyRequest);
+
+        final Request request = SecurityRequestConverters.grantApiKey(grantApiKeyRequest);
         assertEquals(HttpPost.METHOD_NAME, request.getMethod());
-        assertEquals("/_security/api_key", request.getEndpoint());
+        assertEquals("/_security/api_key/grant", request.getEndpoint());
         assertEquals(expectedParams, request.getParameters());
-        assertToXContentBody(createApiKeyRequest, request.getEntity());
+        assertToXContentBody(grantApiKeyRequest, request.getEntity());
     }
 
     public void testGetApiKey() throws IOException {