feat: remove API Key CLI functionality (#14790)

update systemtest to create apikey using api remove unused functions
elastic · Dec 3, 2024 · c6d5b33 · c6d5b33
1 parent 767abab
commit c6d5b33
Show file tree

Hide file tree

Showing 10 changed files with 59 additions and 917 deletions.
diff --git a/internal/beatcmd/apikey.go b/internal/beatcmd/apikey.go
diff --git a/internal/beatcmd/cmd.go b/internal/beatcmd/cmd.go
@@ -77,7 +77,6 @@ func NewRootCommand(beatParams BeatParams) *cobra.Command {
 	rootCommand.AddCommand(keystoreCommand)
 	rootCommand.AddCommand(versionCommand)
 	rootCommand.AddCommand(genTestCmd(beatParams))
-	rootCommand.AddCommand(genApikeyCmd())
 
 	return rootCommand
 }

diff --git a/internal/elasticsearch/client_test.go b/internal/elasticsearch/client_test.go
@@ -19,7 +19,6 @@ package elasticsearch
 
 import (
 	"bytes"
-	"context"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
@@ -50,9 +49,11 @@ func TestClient(t *testing.T) {
 }
 
 func TestClientCustomHeaders(t *testing.T) {
-	var requestHeaders http.Header
+	wait := make(chan struct{})
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		requestHeaders = r.Header
+		w.Header().Set("X-Elastic-Product", "Elasticsearch")
+		assert.Equal(t, "header", r.Header.Get("custom"))
+		close(wait)
 	}))
 	defer srv.Close()
 
@@ -63,13 +64,20 @@ func TestClientCustomHeaders(t *testing.T) {
 	client, err := NewClient(&cfg)
 	require.NoError(t, err)
 
-	CreateAPIKey(context.Background(), client, CreateAPIKeyRequest{})
-	assert.Equal(t, "header", requestHeaders.Get("custom"))
+	_, err = client.Bulk(bytes.NewReader([]byte("{}")))
+	require.NoError(t, err)
+	select {
+	case <-wait:
+	case <-time.After(1 * time.Second):
+		t.Fatal("timed out while waiting for request")
+	}
+
 }
 
 func TestClientCustomUserAgent(t *testing.T) {
 	wait := make(chan struct{})
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("X-Elastic-Product", "Elasticsearch")
 		assert.Equal(t, fmt.Sprintf("Elastic-APM-Server/%s go-elasticsearch/%s", apmVersion.Version, esv8.Version), r.Header.Get("User-Agent"))
 		close(wait)
 	}))
@@ -81,7 +89,8 @@ func TestClientCustomUserAgent(t *testing.T) {
 	client, err := NewClient(&cfg)
 	require.NoError(t, err)
 
-	CreateAPIKey(context.Background(), client, CreateAPIKeyRequest{})
+	_, err = client.Bulk(bytes.NewReader([]byte("{}")))
+	require.NoError(t, err)
 	select {
 	case <-wait:
 	case <-time.After(1 * time.Second):

diff --git a/internal/elasticsearch/security_api.go b/internal/elasticsearch/security_api.go
@@ -25,35 +25,6 @@ import (
 	"github.com/elastic/go-elasticsearch/v8/esutil"
 )
 
-// CreateAPIKey requires manage_api_key cluster privilege
-func CreateAPIKey(ctx context.Context, client *Client, apikeyReq CreateAPIKeyRequest) (CreateAPIKeyResponse, error) {
-	var apikey CreateAPIKeyResponse
-	req := esapi.SecurityCreateAPIKeyRequest{Body: esutil.NewJSONReader(apikeyReq)}
-	err := doRequest(ctx, client, req, &apikey)
-	return apikey, err
-}
-
-// GetAPIKeys requires manage_api_key cluster privilege
-func GetAPIKeys(ctx context.Context, client *Client, apikeyReq GetAPIKeyRequest) (GetAPIKeyResponse, error) {
-	req := esapi.SecurityGetAPIKeyRequest{}
-	if apikeyReq.ID != nil {
-		req.ID = *apikeyReq.ID
-	} else if apikeyReq.Name != nil {
-		req.Name = *apikeyReq.Name
-	}
-	var apikey GetAPIKeyResponse
-	err := doRequest(ctx, client, req, &apikey)
-	return apikey, err
-}
-
-// InvalidateAPIKey requires manage_api_key cluster privilege
-func InvalidateAPIKey(ctx context.Context, client *Client, apikeyReq InvalidateAPIKeyRequest) (InvalidateAPIKeyResponse, error) {
-	var confirmation InvalidateAPIKeyResponse
-	req := esapi.SecurityInvalidateAPIKeyRequest{Body: esutil.NewJSONReader(apikeyReq)}
-	err := doRequest(ctx, client, req, &confirmation)
-	return confirmation, err
-}
-
 func HasPrivileges(ctx context.Context, client *Client, privileges HasPrivilegesRequest, credentials string) (HasPrivilegesResponse, error) {
 	var info HasPrivilegesResponse
 	req := esapi.SecurityHasPrivilegesRequest{Body: esutil.NewJSONReader(privileges)}
@@ -66,27 +37,6 @@ func HasPrivileges(ctx context.Context, client *Client, privileges HasPrivileges
 	return info, err
 }
 
-type CreateAPIKeyRequest struct {
-	Name            string                 `json:"name"`
-	Expiration      *string                `json:"expiration,omitempty"`
-	RoleDescriptors RoleDescriptor         `json:"role_descriptors"`
-	Metadata        map[string]interface{} `json:"metadata,omitempty"`
-}
-
-type CreateAPIKeyResponse struct {
-	APIKey
-	Key string `json:"api_key"`
-}
-
-type GetAPIKeyRequest struct {
-	APIKeyQuery
-	Owner bool `json:"owner"`
-}
-
-type GetAPIKeyResponse struct {
-	APIKeys []APIKeyResponse `json:"api_keys"`
-}
-
 type HasPrivilegesRequest struct {
 	// can't reuse the `Applications` type because here the JSON attribute must be singular
 	Applications []Application `json:"application"`
@@ -97,49 +47,12 @@ type HasPrivilegesResponse struct {
 	Application map[AppName]PermissionsPerResource `json:"application"`
 }
 
-type InvalidateAPIKeyRequest struct {
-	// normally the Elasticsearch API will require either Ids or Name, but not both
-	IDs  []string `json:"ids,omitempty"`
-	Name *string  `json:"name,omitempty"`
-}
-
-type InvalidateAPIKeyResponse struct {
-	Invalidated []string `json:"invalidated_api_keys"`
-	ErrorCount  int      `json:"error_count"`
-}
-
-type RoleDescriptor map[AppName]Applications
-
-type Applications struct {
-	Applications []Application `json:"applications"`
-}
-
 type Application struct {
 	Name       AppName           `json:"application"`
 	Privileges []PrivilegeAction `json:"privileges"`
 	Resources  []Resource        `json:"resources"`
 }
 
-type APIKeyResponse struct {
-	APIKey
-	Creation    int64                  `json:"creation"`
-	Invalidated bool                   `json:"invalidated"`
-	Username    string                 `json:"username"`
-	Metadata    map[string]interface{} `json:"metadata,omitempty"`
-}
-
-type APIKeyQuery struct {
-	// normally the Elasticsearch API will require either Id or Name, but not both
-	ID   *string `json:"id,omitempty"`
-	Name *string `json:"name,omitempty"`
-}
-
-type APIKey struct {
-	ID           string `json:"id"`
-	Name         string `json:"name"`
-	ExpirationMs *int64 `json:"expiration,omitempty"`
-}
-
 type Permissions map[PrivilegeAction]bool
 
 type PermissionsPerResource map[Resource]Permissions

diff --git a/systemtest/agentconfig_test.go b/systemtest/agentconfig_test.go
@@ -249,7 +249,7 @@ func TestAgentConfigForbiddenOnInvalidConfig(t *testing.T) {
 			systemtest.InvalidateAPIKeyByName(t, apiKeyName)
 		})
 		// Create an API Key without agent config read privileges
-		apiKeyBase64 := createAPIKey(t, apiKeyName, "--sourcemap")
+		apiKeyBase64 := systemtest.CreateAPIKey(t, apiKeyName, []string{"sourcemap:write"})
 		apiKeyBytes, err := base64.StdEncoding.DecodeString(apiKeyBase64)
 		require.NoError(t, err)
 		srv := apmservertest.NewUnstartedServerTB(t)