feat: remove API Key CLI functionality (#14790)
update systemtest to create apikey using api
remove unused functions
kruskall authored Dec 3, 2024
1 parent 767abab commit c6d5b33
Showing 10 changed files with 59 additions and 917 deletions.
512 changes: 0 additions & 512 deletions internal/beatcmd/apikey.go

This file was deleted.

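--- a/internal/beatcmd/cmd.go
+++ b/internal/beatcmd/cmd.go
@@ -77,7 +77,6 @@ func NewRootCommand(beatParams BeatParams) *cobra.Command {
 rootCommand.AddCommand(keystoreCommand)
 rootCommand.AddCommand(versionCommand)
 rootCommand.AddCommand(genTestCmd(beatParams))
-rootCommand.AddCommand(genApikeyCmd())
 
 return rootCommand
 }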
21 changes: 15 additions & 6 deletions internal/elasticsearch/client_test.go
@@ -19,7 +19,6 @@ package elasticsearch

import (
"bytes"
"context"
"fmt"
"net/http"
"net/http/httptest"
@@ -50,9 +49,11 @@ func TestClient(t *testing.T) {
}

func TestClientCustomHeaders(t *testing.T) {
var requestHeaders http.Header
wait := make(chan struct{})
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
requestHeaders = r.Header
w.Header().Set("X-Elastic-Product", "Elasticsearch")
assert.Equal(t, "header", r.Header.Get("custom"))
close(wait)
}))
defer srv.Close()

@@ -63,13 +64,20 @@ func TestClientCustomHeaders(t *testing.T) {
client, err := NewClient(&cfg)
require.NoError(t, err)

CreateAPIKey(context.Background(), client, CreateAPIKeyRequest{})
assert.Equal(t, "header", requestHeaders.Get("custom"))
_, err = client.Bulk(bytes.NewReader([]byte("{}")))
require.NoError(t, err)
select {
case <-wait:
case <-time.After(1 * time.Second):
t.Fatal("timed out while waiting for request")
}

}

func TestClientCustomUserAgent(t *testing.T) {
wait := make(chan struct{})
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("X-Elastic-Product", "Elasticsearch")
assert.Equal(t, fmt.Sprintf("Elastic-APM-Server/%s go-elasticsearch/%s", apmVersion.Version, esv8.Version), r.Header.Get("User-Agent"))
close(wait)
}))
@@ -81,7 +89,8 @@ func TestClientCustomUserAgent(t *testing.T) {
client, err := NewClient(&cfg)
require.NoError(t, err)

CreateAPIKey(context.Background(), client, CreateAPIKeyRequest{})
_, err = client.Bulk(bytes.NewReader([]byte("{}")))
require.NoError(t, err)
select {
case <-wait:
case <-time.After(1 * time.Second):
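Review bot: The rewritten handler in TestClientCustomHeaders calls `close(wait)` on every request, so a second request reaching the test server (a transport retry, for example) would panic on the already-closed channel instead of failing an assertion; TestClientCustomUserAgent has the same shape. Declaring a `sync.Once` next to `wait` and using `once.Do(func() { close(wait) })` keeps the handler safe. Both tests also drop the first return value of `client.Bulk`; if that is a response carrying a body, as the call shape suggests, keep it and add `defer resp.Body.Close()` after the `require.NoError` check. The bodies of both test functions continue outside the hunks shown.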
87 changes: 0 additions & 87 deletions internal/elasticsearch/security_api.go
@@ -25,35 +25,6 @@ import (
"github.com/elastic/go-elasticsearch/v8/esutil"
)

// CreateAPIKey requires manage_api_key cluster privilege
func CreateAPIKey(ctx context.Context, client *Client, apikeyReq CreateAPIKeyRequest) (CreateAPIKeyResponse, error) {
var apikey CreateAPIKeyResponse
req := esapi.SecurityCreateAPIKeyRequest{Body: esutil.NewJSONReader(apikeyReq)}
err := doRequest(ctx, client, req, &apikey)
return apikey, err
}

// GetAPIKeys requires manage_api_key cluster privilege
func GetAPIKeys(ctx context.Context, client *Client, apikeyReq GetAPIKeyRequest) (GetAPIKeyResponse, error) {
req := esapi.SecurityGetAPIKeyRequest{}
if apikeyReq.ID != nil {
req.ID = *apikeyReq.ID
} else if apikeyReq.Name != nil {
req.Name = *apikeyReq.Name
}
var apikey GetAPIKeyResponse
err := doRequest(ctx, client, req, &apikey)
return apikey, err
}

// InvalidateAPIKey requires manage_api_key cluster privilege
func InvalidateAPIKey(ctx context.Context, client *Client, apikeyReq InvalidateAPIKeyRequest) (InvalidateAPIKeyResponse, error) {
var confirmation InvalidateAPIKeyResponse
req := esapi.SecurityInvalidateAPIKeyRequest{Body: esutil.NewJSONReader(apikeyReq)}
err := doRequest(ctx, client, req, &confirmation)
return confirmation, err
}

func HasPrivileges(ctx context.Context, client *Client, privileges HasPrivilegesRequest, credentials string) (HasPrivilegesResponse, error) {
var info HasPrivilegesResponse
req := esapi.SecurityHasPrivilegesRequest{Body: esutil.NewJSONReader(privileges)}
@@ -66,27 +37,6 @@ func HasPrivileges(ctx context.Context, client *Client, privileges HasPrivileges
return info, err
}

type CreateAPIKeyRequest struct {
Name string `json:"name"`
Expiration *string `json:"expiration,omitempty"`
RoleDescriptors RoleDescriptor `json:"role_descriptors"`
Metadata map[string]interface{} `json:"metadata,omitempty"`
}

type CreateAPIKeyResponse struct {
APIKey
Key string `json:"api_key"`
}

type GetAPIKeyRequest struct {
APIKeyQuery
Owner bool `json:"owner"`
}

type GetAPIKeyResponse struct {
APIKeys []APIKeyResponse `json:"api_keys"`
}

type HasPrivilegesRequest struct {
// can't reuse the `Applications` type because here the JSON attribute must be singular
Applications []Application `json:"application"`
@@ -97,49 +47,12 @@ type HasPrivilegesResponse struct {
Application map[AppName]PermissionsPerResource `json:"application"`
}

type InvalidateAPIKeyRequest struct {
// normally the Elasticsearch API will require either Ids or Name, but not both
IDs []string `json:"ids,omitempty"`
Name *string `json:"name,omitempty"`
}

type InvalidateAPIKeyResponse struct {
Invalidated []string `json:"invalidated_api_keys"`
ErrorCount int `json:"error_count"`
}

type RoleDescriptor map[AppName]Applications

type Applications struct {
Applications []Application `json:"applications"`
}

type Application struct {
Name AppName `json:"application"`
Privileges []PrivilegeAction `json:"privileges"`
Resources []Resource `json:"resources"`
}

type APIKeyResponse struct {
APIKey
Creation int64 `json:"creation"`
Invalidated bool `json:"invalidated"`
Username string `json:"username"`
Metadata map[string]interface{} `json:"metadata,omitempty"`
}

type APIKeyQuery struct {
// normally the Elasticsearch API will require either Id or Name, but not both
ID *string `json:"id,omitempty"`
Name *string `json:"name,omitempty"`
}

type APIKey struct {
ID string `json:"id"`
Name string `json:"name"`
ExpirationMs *int64 `json:"expiration,omitempty"`
}

type Permissions map[PrivilegeAction]bool

type PermissionsPerResource map[Resource]Permissions
2 changes: 1 addition & 1 deletion systemtest/agentconfig_test.go
@@ -249,7 +249,7 @@ func TestAgentConfigForbiddenOnInvalidConfig(t *testing.T) {
systemtest.InvalidateAPIKeyByName(t, apiKeyName)
})
// Create an API Key without agent config read privileges
apiKeyBase64 := createAPIKey(t, apiKeyName, "--sourcemap")
apiKeyBase64 := systemtest.CreateAPIKey(t, apiKeyName, []string{"sourcemap:write"})
apiKeyBytes, err := base64.StdEncoding.DecodeString(apiKeyBase64)
require.NoError(t, err)
srv := apmservertest.NewUnstartedServerTB(t)
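Review bot: The forbidden-path check now rests on the hand-typed privilege string in `systemtest.CreateAPIKey(t, apiKeyName, []string{"sourcemap:write"})`, and a key that ends up with no usable privilege at all would presumably be rejected for agent config too, so a typo or a renamed action would leave this test passing without exercising the intended case. A comment such as `// sourcemap:write only: the key is valid but must not grant agent config read` would state the intent. The helper is not visible on this page; it should fail the test when key creation is rejected rather than return an empty key. TestAgentConfigForbiddenOnInvalidConfig starts and ends outside the hunk.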
