# Licensed to Elasticsearch B.V. under one or more contributor # license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright # ownership. Elasticsearch B.V. licenses this file to you under # the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, # software distributed under the License is distributed on an # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY # KIND, either express or implied. See the License for the # specific language governing permissions and limitations # under the License. require 'base64' require_relative '../platinum_helper' describe 'API keys API' do let(:user) { 'admin_user' } let(:password) { 'x-pack-test-password' } before do ADMIN_CLIENT.security.put_role( name: 'admin_role', body: { cluster: ['manage_security'] } ) ADMIN_CLIENT.security.put_user( username: user, body: { password: password, roles: [ 'admin_role' ], full_name: 'Admin user' } ) end after do ADMIN_CLIENT.security.delete_role(name: 'admin_role', ignore: 404) ADMIN_CLIENT.security.delete_user(username: user, ignore: 404) end describe 'Cross Cluster API Key' do it 'updates api key' do response = ADMIN_CLIENT.security.create_cross_cluster_api_key( body: { name: "my-cc-api-key", expiration: "1d", access: { search: [ { names: ["logs*"], query: { term: { "category": "shared" } }, field_security: { grant: ["*"], except: ["private"] } } ], replication: [ { names: ["archive"], allow_restricted_indices: false } ] }, metadata: { answer: 42, tag: "dev" } } ) expect(response.status).to eq 200 expect(response['name']).to eq 'my-cc-api-key' id = response['id'] expect(id).not_to be nil expect(response['api_key']).not_to be nil expect(response['expiration']).not_to be nil credentials = Base64.strict_encode64("#{response['id']}:#{response['api_key']}") expect(credentials).to eq response['encoded'] new_client = Elasticsearch::Client.new( host: "https://#{HOST_URI.host}:#{HOST_URI.port}", transport_options: TRANSPORT_OPTIONS ) expect do new_client.security.authenticate(headers: { authorization: "ApiKey #{credentials}" }) end.to raise_error(Elastic::Transport::Transport::Errors::Unauthorized) response = ADMIN_CLIENT.security.get_api_key(id: id, with_limited_by: true) expect(response.status).to eq 200 api_key = response['api_keys'].first expect(api_key['name']) == 'my-cc-api-key' expect(api_key['type']) == 'cross_cluster' expect(api_key['invalidated']).to be false expect(api_key['metadata']).to eq({'answer' => 42, 'tag' => 'dev'}) # Tests update cc api_key response = ADMIN_CLIENT.security.update_cross_cluster_api_key( id: id, body: { access: { replication: [{ names: ["archive"] }] }, metadata: { "tag": "prod" } } ) expect(response['updated']).to be true response = ADMIN_CLIENT.security.get_api_key(id: id, with_limited_by: true) expect(response['api_keys'].length).to eq 1 api_key = response['api_keys'].first expect(api_key['name']) == 'my-cc-api-key' expect(api_key['type']) == 'cross_cluster' expect(api_key['invalidated']).to be false expect(api_key['metadata']).to eq({'tag' => 'prod'}) end end end