Adding authc.invalidateAPIKeyAsInternalUser (#60717)

* Initial work

* Fix type check issues

* Fix test failures

* Fix ESLint issues

* Add back comment

* PR feedback

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>

x-pack/plugins/security/server/authentication/api_keys.test.ts

@@ -225,4 +225,56 @@ describe('API Keys', () => {
       );
     });
   });
+
+  describe('invalidateAsInternalUser()', () => {
+    it('returns null when security feature is disabled', async () => {
+      mockLicense.isEnabled.mockReturnValue(false);
+      const result = await apiKeys.invalidateAsInternalUser({ id: '123' });
+      expect(result).toBeNull();
+      expect(mockClusterClient.callAsInternalUser).not.toHaveBeenCalled();
+    });
+
+    it('calls callCluster with proper parameters', async () => {
+      mockLicense.isEnabled.mockReturnValue(true);
+      mockClusterClient.callAsInternalUser.mockResolvedValueOnce({
+        invalidated_api_keys: ['api-key-id-1'],
+        previously_invalidated_api_keys: [],
+        error_count: 0,
+      });
+      const result = await apiKeys.invalidateAsInternalUser({ id: '123' });
+      expect(result).toEqual({
+        invalidated_api_keys: ['api-key-id-1'],
+        previously_invalidated_api_keys: [],
+        error_count: 0,
+      });
+      expect(mockClusterClient.callAsInternalUser).toHaveBeenCalledWith('shield.invalidateAPIKey', {
+        body: {
+          id: '123',
+        },
+      });
+    });
+
+    it('Only passes id as a parameter', async () => {
+      mockLicense.isEnabled.mockReturnValue(true);
+      mockClusterClient.callAsInternalUser.mockResolvedValueOnce({
+        invalidated_api_keys: ['api-key-id-1'],
+        previously_invalidated_api_keys: [],
+        error_count: 0,
+      });
+      const result = await apiKeys.invalidateAsInternalUser({
+        id: '123',
+        name: 'abc',
+      } as any);
+      expect(result).toEqual({
+        invalidated_api_keys: ['api-key-id-1'],
+        previously_invalidated_api_keys: [],
+        error_count: 0,
+      });
+      expect(mockClusterClient.callAsInternalUser).toHaveBeenCalledWith('shield.invalidateAPIKey', {
+        body: {
+          id: '123',
+        },
+      });
+    });
+  });
 });

x-pack/plugins/security/server/authentication/api_keys.ts

@@ -193,26 +193,51 @@ export class APIKeys {
    * @param request Request instance.
    * @param params The params to invalidate an API key.
    */
-  async invalidate(
-    request: KibanaRequest,
-    params: InvalidateAPIKeyParams
-  ): Promise<InvalidateAPIKeyResult | null> {
+  async invalidate(request: KibanaRequest, params: InvalidateAPIKeyParams) {
     if (!this.license.isEnabled()) {
       return null;
     }
 
-    this.logger.debug('Trying to invalidate an API key');
+    this.logger.debug('Trying to invalidate an API key as current user');
 
-    // User needs `manage_api_key` privilege to use this API
     let result: InvalidateAPIKeyResult;
     try {
-      result = (await this.clusterClient
+      // User needs `manage_api_key` privilege to use this API
+      result = await this.clusterClient
         .asScoped(request)
         .callAsCurrentUser('shield.invalidateAPIKey', {
           body: {
             id: params.id,
           },
-        })) as InvalidateAPIKeyResult;
+        });
+      this.logger.debug('API key was invalidated successfully as current user');
+    } catch (e) {
+      this.logger.error(`Failed to invalidate API key as current user: ${e.message}`);
+      throw e;
+    }
+
+    return result;
+  }
+
+  /**
+   * Tries to invalidate an API key by using the internal user.
+   * @param params The params to invalidate an API key.
+   */
+  async invalidateAsInternalUser(params: InvalidateAPIKeyParams) {
+    if (!this.license.isEnabled()) {
+      return null;
+    }
+
+    this.logger.debug('Trying to invalidate an API key');
+
+    let result: InvalidateAPIKeyResult;
+    try {
+      // Internal user needs `cluster:admin/xpack/security/api_key/invalidate` privilege to use this API
+      result = await this.clusterClient.callAsInternalUser('shield.invalidateAPIKey', {
+        body: {
+          id: params.id,
+        },
+      });
       this.logger.debug('API key was invalidated successfully');
     } catch (e) {
       this.logger.error(`Failed to invalidate API key: ${e.message}`);

x-pack/plugins/security/server/authentication/index.mock.ts

@@ -15,6 +15,7 @@ export const authenticationMock = {
     getCurrentUser: jest.fn(),
     grantAPIKeyAsInternalUser: jest.fn(),
     invalidateAPIKey: jest.fn(),
+    invalidateAPIKeyAsInternalUser: jest.fn(),
     isAuthenticated: jest.fn(),
     getSessionInfo: jest.fn(),
   }),

x-pack/plugins/security/server/authentication/index.test.ts

@@ -33,7 +33,7 @@ import {
 import { AuthenticatedUser } from '../../common/model';
 import { ConfigType, createConfig$ } from '../config';
 import { AuthenticationResult } from './authentication_result';
-import { setupAuthentication } from '.';
+import { Authentication, setupAuthentication } from '.';
 import {
   CreateAPIKeyResult,
   CreateAPIKeyParams,
@@ -410,4 +410,25 @@ describe('setupAuthentication()', () => {
       expect(apiKeysInstance.invalidate).toHaveBeenCalledWith(request, params);
     });
   });
+
+  describe('invalidateAPIKeyAsInternalUser()', () => {
+    let invalidateAPIKeyAsInternalUser: Authentication['invalidateAPIKeyAsInternalUser'];
+
+    beforeEach(async () => {
+      invalidateAPIKeyAsInternalUser = (await setupAuthentication(mockSetupAuthenticationParams))
+        .invalidateAPIKeyAsInternalUser;
+    });
+
+    it('calls invalidateAPIKeyAsInternalUser with given arguments', async () => {
+      const apiKeysInstance = jest.requireMock('./api_keys').APIKeys.mock.instances[0];
+      const params = {
+        id: '123',
+      };
+      apiKeysInstance.invalidateAsInternalUser.mockResolvedValueOnce({ success: true });
+      await expect(invalidateAPIKeyAsInternalUser(params)).resolves.toEqual({
+        success: true,
+      });
+      expect(apiKeysInstance.invalidateAsInternalUser).toHaveBeenCalledWith(params);
+    });
+  });
 });

x-pack/plugins/security/server/authentication/index.ts

@@ -176,6 +176,8 @@ export async function setupAuthentication({
     grantAPIKeyAsInternalUser: (request: KibanaRequest) => apiKeys.grantAsInternalUser(request),
     invalidateAPIKey: (request: KibanaRequest, params: InvalidateAPIKeyParams) =>
       apiKeys.invalidate(request, params),
+    invalidateAPIKeyAsInternalUser: (params: InvalidateAPIKeyParams) =>
+      apiKeys.invalidateAsInternalUser(params),
     isAuthenticated: (request: KibanaRequest) => http.auth.isAuthenticated(request),
   };
 }

x-pack/plugins/security/server/plugin.test.ts

@@ -76,6 +76,7 @@ describe('Security Plugin', () => {
                   "getSessionInfo": [Function],
                   "grantAPIKeyAsInternalUser": [Function],
                   "invalidateAPIKey": [Function],
+                  "invalidateAPIKeyAsInternalUser": [Function],
                   "isAuthenticated": [Function],
                   "isProviderEnabled": [Function],
                   "login": [Function],