Add grant-api-key to HLRC (#68190)

This adds support for "Grant API Key" to the Java High Level Rest
Client.

This API was added in Elasticsearch 7.7 but did not have explicit support
in the HLRC.

Author: tvernum

client/rest-high-level/src/main/java/org/elasticsearch/client/SecurityClient.java

@@ -52,6 +52,7 @@
 import org.elasticsearch.client.security.GetUserPrivilegesResponse;
 import org.elasticsearch.client.security.GetUsersRequest;
 import org.elasticsearch.client.security.GetUsersResponse;
+import org.elasticsearch.client.security.GrantApiKeyRequest;
 import org.elasticsearch.client.security.HasPrivilegesRequest;
 import org.elasticsearch.client.security.HasPrivilegesResponse;
 import org.elasticsearch.client.security.InvalidateApiKeyRequest;
@@ -1064,6 +1065,37 @@ public Cancellable invalidateApiKeyAsync(final InvalidateApiKeyRequest request,
                 InvalidateApiKeyResponse::fromXContent, listener, emptySet());
     }
 
+    /**
+     * Create an API Key on behalf of another user.<br>
+     * See <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-grant-api-key.html">
+     * the docs</a> for more.
+     *
+     * @param request the request to grant an API key
+     * @param options the request options (e.g. headers), use {@link RequestOptions#DEFAULT} if nothing needs to be customized
+     * @return the response from the create API key call
+     * @throws IOException in case there is a problem sending the request or parsing back the response
+     */
+    public CreateApiKeyResponse grantApiKey(final GrantApiKeyRequest request, final RequestOptions options) throws IOException {
+        return restHighLevelClient.performRequestAndParseEntity(request, SecurityRequestConverters::grantApiKey, options,
+            CreateApiKeyResponse::fromXContent, emptySet());
+    }
+
+    /**
+     * Asynchronously creates an API key on behalf of another user.<br>
+     * See <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-grant-api-key.html">
+     * the docs</a> for more.
+     *
+     * @param request the request to grant an API key
+     * @param options the request options (e.g. headers), use {@link RequestOptions#DEFAULT} if nothing needs to be customized
+     * @param listener the listener to be notified upon request completion
+     * @return cancellable that may be used to cancel the request
+     */
+    public Cancellable grantApiKeyAsync(final GrantApiKeyRequest request, final RequestOptions options,
+                                         final ActionListener<CreateApiKeyResponse> listener) {
+        return restHighLevelClient.performRequestAsyncAndParseEntity(request, SecurityRequestConverters::grantApiKey, options,
+            CreateApiKeyResponse::fromXContent, listener, emptySet());
+    }
+
     /**
      * Get an Elasticsearch access token from an {@code X509Certificate} chain. The certificate chain is that of the client from a mutually
      * authenticated TLS session, and it is validated by the PKI realms with {@code delegation.enabled} toggled to {@code true}.<br>

client/rest-high-level/src/main/java/org/elasticsearch/client/SecurityRequestConverters.java

@@ -31,6 +31,7 @@
 import org.elasticsearch.client.security.GetRoleMappingsRequest;
 import org.elasticsearch.client.security.GetRolesRequest;
 import org.elasticsearch.client.security.GetUsersRequest;
+import org.elasticsearch.client.security.GrantApiKeyRequest;
 import org.elasticsearch.client.security.HasPrivilegesRequest;
 import org.elasticsearch.client.security.InvalidateApiKeyRequest;
 import org.elasticsearch.client.security.InvalidateTokenRequest;
@@ -296,6 +297,15 @@ static Request createApiKey(final CreateApiKeyRequest createApiKeyRequest) throw
         return request;
     }
 
+    static Request grantApiKey(final GrantApiKeyRequest grantApiKeyRequest) throws IOException {
+        final Request request = new Request(HttpPost.METHOD_NAME, "/_security/api_key/grant");
+        request.setEntity(createEntity(grantApiKeyRequest, REQUEST_BODY_CONTENT_TYPE));
+        final RequestConverters.Params params = new RequestConverters.Params();
+        params.withRefreshPolicy(grantApiKeyRequest.getApiKeyRequest().getRefreshPolicy());
+        request.addParameters(params.asMap());
+        return request;
+    }
+
     static Request getApiKey(final GetApiKeyRequest getApiKeyRequest) throws IOException {
         final Request request = new Request(HttpGet.METHOD_NAME, "/_security/api_key");
         if (Strings.hasText(getApiKeyRequest.getId())) {

client/rest-high-level/src/main/java/org/elasticsearch/client/security/GrantApiKeyRequest.java

@@ -0,0 +1,156 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+package org.elasticsearch.client.security;
+
+import org.elasticsearch.client.Validatable;
+import org.elasticsearch.common.CharArrays;
+import org.elasticsearch.common.xcontent.ToXContentFragment;
+import org.elasticsearch.common.xcontent.ToXContentObject;
+import org.elasticsearch.common.xcontent.XContentBuilder;
+
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.Objects;
+
+/**
+ * Request to create a new API Key on behalf of another user.
+ */
+public final class GrantApiKeyRequest implements Validatable, ToXContentObject {
+
+    private final Grant grant;
+    private final CreateApiKeyRequest apiKeyRequest;
+
+    public static class Grant implements ToXContentFragment {
+        private final String grantType;
+        private final String username;
+        private final char[] password;
+        private final String accessToken;
+
+        private Grant(String grantType, String username, char[] password, String accessToken) {
+            this.grantType = Objects.requireNonNull(grantType, "Grant type may not be null");
+            this.username = username;
+            this.password = password;
+            this.accessToken = accessToken;
+        }
+
+        public static Grant passwordGrant(String username, char[] password) {
+            return new Grant(
+                "password",
+                Objects.requireNonNull(username, "Username may not be null"),
+                Objects.requireNonNull(password, "Password may not be null"),
+                null);
+        }
+
+        public static Grant accessTokenGrant(String accessToken) {
+            return new Grant(
+                "access_token",
+                null,
+                null,
+                Objects.requireNonNull(accessToken, "Access token may not be null")
+            );
+        }
+
+        public String getGrantType() {
+            return grantType;
+        }
+
+        public String getUsername() {
+            return username;
+        }
+
+        public char[] getPassword() {
+            return password;
+        }
+
+        public String getAccessToken() {
+            return accessToken;
+        }
+
+        @Override
+        public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+            builder.field("grant_type", grantType);
+            if (username != null) {
+                builder.field("username", username);
+            }
+            if (password != null) {
+                byte[] passwordBytes = CharArrays.toUtf8Bytes(password);
+                try {
+                    builder.field("password").utf8Value(passwordBytes, 0, passwordBytes.length);
+                } finally {
+                    Arrays.fill(passwordBytes, (byte) 0);
+                }
+            }
+            if (accessToken != null) {
+                builder.field("access_token", accessToken);
+            }
+            return builder;
+        }
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) {
+                return true;
+            }
+            if (o == null || getClass() != o.getClass()) {
+                return false;
+            }
+            Grant grant = (Grant) o;
+            return grantType.equals(grant.grantType)
+                && Objects.equals(username, grant.username)
+                && Arrays.equals(password, grant.password)
+                && Objects.equals(accessToken, grant.accessToken);
+        }
+
+        @Override
+        public int hashCode() {
+            int result = Objects.hash(grantType, username, accessToken);
+            result = 31 * result + Arrays.hashCode(password);
+            return result;
+        }
+    }
+
+    public GrantApiKeyRequest(Grant grant, CreateApiKeyRequest apiKeyRequest) {
+        this.grant = Objects.requireNonNull(grant, "Grant may not be null");
+        this.apiKeyRequest = Objects.requireNonNull(apiKeyRequest, "Create API key request may not be null");
+    }
+
+    public Grant getGrant() {
+        return grant;
+    }
+
+    public CreateApiKeyRequest getApiKeyRequest() {
+        return apiKeyRequest;
+    }
+
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+        builder.startObject();
+        grant.toXContent(builder, params);
+        builder.field("api_key", apiKeyRequest);
+        return builder.endObject();
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        final GrantApiKeyRequest that = (GrantApiKeyRequest) o;
+        return Objects.equals(this.grant, that.grant)
+            && Objects.equals(this.apiKeyRequest, that.apiKeyRequest);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(grant, apiKeyRequest);
+    }
+}

client/rest-high-level/src/main/java/org/elasticsearch/client/security/user/privileges/Role.java

@@ -212,6 +212,17 @@ public static final class Builder {
         private Builder() {
         }
 
+        public Builder clone(Role role) {
+            return this
+                .name(role.name)
+                .clusterPrivileges(role.clusterPrivileges)
+                .globalApplicationPrivileges(role.globalPrivileges)
+                .indicesPrivileges(role.indicesPrivileges)
+                .applicationResourcePrivileges(role.applicationPrivileges)
+                .runAsPrivilege(role.runAsPrivilege)
+                .metadata(role.metadata);
+        }
+
         public Builder name(String name) {
             if (Strings.hasText(name) == false){
                 throw new IllegalArgumentException("role name must be provided");

client/rest-high-level/src/test/java/org/elasticsearch/client/SecurityRequestConvertersTests.java

@@ -27,6 +27,7 @@
 import org.elasticsearch.client.security.GetRoleMappingsRequest;
 import org.elasticsearch.client.security.GetRolesRequest;
 import org.elasticsearch.client.security.GetUsersRequest;
+import org.elasticsearch.client.security.GrantApiKeyRequest;
 import org.elasticsearch.client.security.InvalidateApiKeyRequest;
 import org.elasticsearch.client.security.PutPrivilegesRequest;
 import org.elasticsearch.client.security.PutRoleMappingRequest;
@@ -425,23 +426,52 @@ public void testPutRole() throws IOException {
     }
 
     public void testCreateApiKey() throws IOException {
+        final CreateApiKeyRequest createApiKeyRequest = buildCreateApiKeyRequest();
+
+        final Map<String, String> expectedParams;
+        final RefreshPolicy refreshPolicy = createApiKeyRequest.getRefreshPolicy();
+        if (refreshPolicy != RefreshPolicy.NONE) {
+            expectedParams = Collections.singletonMap("refresh", refreshPolicy.getValue());
+        } else {
+            expectedParams = Collections.emptyMap();
+        }
+
+        final Request request = SecurityRequestConverters.createApiKey(createApiKeyRequest);
+        assertEquals(HttpPost.METHOD_NAME, request.getMethod());
+        assertEquals("/_security/api_key", request.getEndpoint());
+        assertEquals(expectedParams, request.getParameters());
+        assertToXContentBody(createApiKeyRequest, request.getEntity());
+    }
+
+    private CreateApiKeyRequest buildCreateApiKeyRequest() {
         final String name = randomAlphaOfLengthBetween(4, 7);
         final List<Role> roles = Collections.singletonList(Role.builder().name("r1").clusterPrivileges(ClusterPrivilegeName.ALL)
                 .indicesPrivileges(IndicesPrivileges.builder().indices("ind-x").privileges(IndexPrivilegeName.ALL).build()).build());
         final TimeValue expiration = randomBoolean() ? null : TimeValue.timeValueHours(24);
         final RefreshPolicy refreshPolicy = randomFrom(RefreshPolicy.values());
+        final CreateApiKeyRequest createApiKeyRequest = new CreateApiKeyRequest(name, roles, expiration, refreshPolicy);
+        return createApiKeyRequest;
+    }
+
+    public void testGrantApiKey() throws IOException {
+        final CreateApiKeyRequest createApiKeyRequest = buildCreateApiKeyRequest();
+        final GrantApiKeyRequest grantApiKeyRequest = new GrantApiKeyRequest(randomBoolean()
+            ? GrantApiKeyRequest.Grant.accessTokenGrant(randomAlphaOfLength(24))
+            : GrantApiKeyRequest.Grant.passwordGrant(randomAlphaOfLengthBetween(4, 12), randomAlphaOfLengthBetween(14, 18).toCharArray()),
+            createApiKeyRequest);
         final Map<String, String> expectedParams;
+        final RefreshPolicy refreshPolicy = createApiKeyRequest.getRefreshPolicy();
         if (refreshPolicy != RefreshPolicy.NONE) {
             expectedParams = Collections.singletonMap("refresh", refreshPolicy.getValue());
         } else {
             expectedParams = Collections.emptyMap();
         }
-        final CreateApiKeyRequest createApiKeyRequest = new CreateApiKeyRequest(name, roles, expiration, refreshPolicy);
-        final Request request = SecurityRequestConverters.createApiKey(createApiKeyRequest);
+
+        final Request request = SecurityRequestConverters.grantApiKey(grantApiKeyRequest);
         assertEquals(HttpPost.METHOD_NAME, request.getMethod());
-        assertEquals("/_security/api_key", request.getEndpoint());
+        assertEquals("/_security/api_key/grant", request.getEndpoint());
         assertEquals(expectedParams, request.getParameters());
-        assertToXContentBody(createApiKeyRequest, request.getEntity());
+        assertToXContentBody(grantApiKeyRequest, request.getEntity());
     }
 
     public void testGetApiKey() throws IOException {