From eeb4f183ff4b76858bad7ec79e15d36b715b6603 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Johannes=20Fred=C3=A9n?=
 <109296772+jfreden@users.noreply.github.com>
Date: Wed, 10 Jul 2024 09:30:38 +0200
Subject: [PATCH] Add spec for bulk put roles (#2682)

* Add spec for bulk put roles
---
 specification/security/_types/Bulk.ts         | 33 ++++++++++++++
 .../security/_types/RoleDescriptor.ts         | 12 ++++--
 .../SecurityBulkPutRoleRequest.ts             | 43 +++++++++++++++++++
 .../SecurityBulkPutRoleResponse.ts            | 41 ++++++++++++++++++
 4 files changed, 126 insertions(+), 3 deletions(-)
 create mode 100644 specification/security/_types/Bulk.ts
 create mode 100644 specification/security/bulk_put_role/SecurityBulkPutRoleRequest.ts
 create mode 100644 specification/security/bulk_put_role/SecurityBulkPutRoleResponse.ts

diff --git a/specification/security/_types/Bulk.ts b/specification/security/_types/Bulk.ts
new file mode 100644
index 0000000000..bff4806526
--- /dev/null
+++ b/specification/security/_types/Bulk.ts
@@ -0,0 +1,33 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { integer } from '@_types/Numeric'
+import { Dictionary } from '@spec_utils/Dictionary'
+import { ErrorCause } from '@_types/Errors'
+
+export class BulkError {
+  /**
+   * The number of errors
+   */
+  count: integer
+  /**
+   * Details about the errors, keyed by role name
+   */
+  details: Dictionary<string, ErrorCause>
+}
diff --git a/specification/security/_types/RoleDescriptor.ts b/specification/security/_types/RoleDescriptor.ts
index 332e2912f6..a087815707 100644
--- a/specification/security/_types/RoleDescriptor.ts
+++ b/specification/security/_types/RoleDescriptor.ts
@@ -17,7 +17,7 @@
  * under the License.
  */
 
-import { GlobalPrivilege } from './Privileges'
+import { ClusterPrivilege, GlobalPrivilege } from './Privileges'
 import { IndicesPrivileges } from './Privileges'
 import { ApplicationPrivileges } from './Privileges'
 import { Metadata } from '@_types/common'
@@ -29,7 +29,7 @@ export class RoleDescriptor {
   /**
    * A list of cluster privileges. These privileges define the cluster level actions that API keys are able to execute.
    */
-  cluster?: string[]
+  cluster?: ClusterPrivilege[]
   /**
    * A list of indices permissions entries.
    * @aliases index
@@ -52,6 +52,9 @@ export class RoleDescriptor {
    * @doc_id run-as-privilege
    */
   run_as?: string[]
+  /**
+   * Optional description of the role descriptor
+   */
   description?: string
   transient_metadata?: Dictionary<string, UserDefinedValue>
 }
@@ -60,7 +63,7 @@ export class RoleDescriptorRead implements OverloadOf<RoleDescriptor> {
   /**
    * A list of cluster privileges. These privileges define the cluster level actions that API keys are able to execute.
    */
-  cluster: string[]
+  cluster: ClusterPrivilege[]
   /**
    * A list of indices permissions entries.
    * @aliases index
@@ -83,6 +86,9 @@ export class RoleDescriptorRead implements OverloadOf<RoleDescriptor> {
    * @doc_id run-as-privilege
    */
   run_as?: string[]
+  /**
+   * Optional description of the role descriptor
+   */
   description?: string
   transient_metadata?: Dictionary<string, UserDefinedValue>
 }
diff --git a/specification/security/bulk_put_role/SecurityBulkPutRoleRequest.ts b/specification/security/bulk_put_role/SecurityBulkPutRoleRequest.ts
new file mode 100644
index 0000000000..cd85fe3d3b
--- /dev/null
+++ b/specification/security/bulk_put_role/SecurityBulkPutRoleRequest.ts
@@ -0,0 +1,43 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { Dictionary } from '@spec_utils/Dictionary'
+import { RequestBase } from '@_types/Base'
+import { Refresh } from '@_types/common'
+import { RoleDescriptor } from '@security/_types/RoleDescriptor'
+
+/**
+ * The role management APIs are generally the preferred way to manage roles, rather than using file-based role management.
+ * The bulk create or update roles API cannot update roles that are defined in roles files.
+ * @rest_spec_name security.bulk_put_role
+ * @availability stack since=8.15.0 stability=stable
+ * @availability serverless stability=stable visibility=private
+ * @cluster_privileges manage_security
+ */
+export interface Request extends RequestBase {
+  query_parameters: {
+    refresh?: Refresh
+  }
+  body: {
+    /**
+     * A dictionary of role name to RoleDescriptor objects to add or update
+     */
+    roles: Dictionary<string, RoleDescriptor>
+  }
+}
diff --git a/specification/security/bulk_put_role/SecurityBulkPutRoleResponse.ts b/specification/security/bulk_put_role/SecurityBulkPutRoleResponse.ts
new file mode 100644
index 0000000000..1cbadb8bbb
--- /dev/null
+++ b/specification/security/bulk_put_role/SecurityBulkPutRoleResponse.ts
@@ -0,0 +1,41 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { BulkError } from '@security/_types/Bulk'
+
+export class Response {
+  body: {
+    /**
+     * Array of created roles
+     */
+    created?: string[]
+    /**
+     * Array of updated roles
+     */
+    updated?: string[]
+    /**
+     * Array of role names without any changes
+     */
+    noop?: string[]
+    /**
+     * Present if any updates resulted in errors
+     */
+    errors?: BulkError
+  }
+}