elastic
diff --git a/‎build-tools-internal/src/main/groovy/elasticsearch.bwc-test.gradle
Lines changed: 1 addition & 1 deletion b/‎build-tools-internal/src/main/groovy/elasticsearch.bwc-test.gradle
Lines changed: 1 addition & 1 deletion
diff --git a/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Subject.java
Lines changed: 4 additions & 3 deletions b/‎x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Subject.java
Lines changed: 4 additions & 3 deletions
diff --git a/‎x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTestHelper.java
Lines changed: 44 additions & 27 deletions b/‎x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTestHelper.java
Lines changed: 44 additions & 27 deletions
diff --git a/‎x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java
Lines changed: 110 additions & 7 deletions b/‎x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java
Lines changed: 110 additions & 7 deletions
@@ -32,7 +32,7 @@ tasks.register("bwcTest") {
 }
 
 plugins.withType(ElasticsearchTestBasePlugin) {
-  tasks.withType(Test).configureEach {
+  tasks.withType(Test).matching { it.name ==~ /v[0-9\.]+#.*/ }.configureEach {
     onlyIf { project.bwc_tests_enabled }
     nonInputProperties.systemProperty 'tests.bwc', 'true'
   }
 
@@ -275,9 +275,10 @@ private RoleReferenceIntersection buildRoleReferencesForCrossClusterAccess() {
             // restrict access of the overall intersection accordingly
             roleReferences.add(new RoleReference.CrossClusterAccessRoleReference(RoleDescriptorsBytes.EMPTY));
         } else {
-            // TODO handle this once we support API keys as querying subjects
-            assert crossClusterAccessRoleDescriptorsBytes.size() == 1
-                : "only a singleton list of cross cluster access role descriptors bytes is supported";
+            // This is just a sanity check, since we should never have more than 2 role descriptors.
+            // We can have max two role descriptors in case when API key is used for cross cluster access.
+            assert crossClusterAccessRoleDescriptorsBytes.size() <= 2
+                : "not expected to have list of cross cluster access role descriptors bytes which have more than 2 elements";
             for (RoleDescriptorsBytes roleDescriptorsBytes : crossClusterAccessRoleDescriptorsBytes) {
                 roleReferences.add(new RoleReference.CrossClusterAccessRoleReference(roleDescriptorsBytes));
             }
 
@@ -39,6 +39,7 @@
 
 import java.io.IOException;
 import java.io.UncheckedIOException;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.EnumSet;
 import java.util.HashMap;
@@ -241,42 +242,58 @@ public static CrossClusterAccessSubjectInfo randomCrossClusterAccessSubjectInfo(
         RoleDescriptorsIntersection roleDescriptorsIntersection
     ) {
         try {
-            // TODO add apikey() once we have querying-cluster-side API key support
-            final Authentication authentication = ESTestCase.randomFrom(
-                AuthenticationTestHelper.builder().realm(),
-                AuthenticationTestHelper.builder().internal(SystemUser.INSTANCE)
-            ).build();
+            final Authentication authentication = randomCrossClusterAccessSupportedAuthenticationSubject();
             return new CrossClusterAccessSubjectInfo(authentication, roleDescriptorsIntersection);
         } catch (IOException e) {
             throw new UncheckedIOException(e);
         }
     }
 
+    private static Authentication randomCrossClusterAccessSupportedAuthenticationSubject() {
+        return ESTestCase.randomFrom(
+            AuthenticationTestHelper.builder().realm(),
+            AuthenticationTestHelper.builder().internal(SystemUser.INSTANCE),
+            AuthenticationTestHelper.builder().apiKey()
+        ).build();
+    }
+
     public static CrossClusterAccessSubjectInfo randomCrossClusterAccessSubjectInfo() {
-        return randomCrossClusterAccessSubjectInfo(
-            new RoleDescriptorsIntersection(
-                List.of(
-                    // TODO randomize to add a second set once we have querying-cluster-side API key support
-                    Set.of(
-                        new RoleDescriptor(
-                            "_remote_user",
-                            null,
-                            new RoleDescriptor.IndicesPrivileges[] {
-                                RoleDescriptor.IndicesPrivileges.builder()
-                                    .indices("index1")
-                                    .privileges("read", "read_cross_cluster")
-                                    .build() },
-                            null,
-                            null,
-                            null,
-                            null,
-                            null,
-                            null
-                        )
+        final Authentication authentication = randomCrossClusterAccessSupportedAuthenticationSubject();
+        return randomCrossClusterAccessSubjectInfo(authentication);
+    }
+
+    public static CrossClusterAccessSubjectInfo randomCrossClusterAccessSubjectInfo(final Authentication authentication) {
+        final int numberOfRoleDescriptors;
+        if (authentication.isApiKey()) {
+            // In case of API keys, we can have either 1 (only owner's - aka limited-by) or 2 role descriptors.
+            numberOfRoleDescriptors = ESTestCase.randomIntBetween(1, 2);
+        } else {
+            numberOfRoleDescriptors = 1;
+        }
+        final List<Set<RoleDescriptor>> roleDescriptors = new ArrayList<>(numberOfRoleDescriptors);
+        for (int i = 0; i < numberOfRoleDescriptors; i++) {
+            roleDescriptors.add(
+                Set.of(
+                    new RoleDescriptor(
+                        "_remote_user",
+                        null,
+                        new RoleDescriptor.IndicesPrivileges[] {
+                            RoleDescriptor.IndicesPrivileges.builder().indices("index1").privileges("read", "read_cross_cluster").build() },
+                        null,
+                        null,
+                        null,
+                        null,
+                        null,
+                        null
                     )
                 )
-            )
-        );
+            );
+        }
+        try {
+            return new CrossClusterAccessSubjectInfo(authentication, new RoleDescriptorsIntersection(roleDescriptors));
+        } catch (IOException e) {
+            throw new UncheckedIOException(e);
+        }
     }
 
     public static class AuthenticationTestBuilder {
 
@@ -40,6 +40,7 @@
 import java.util.stream.Collectors;
 
 import static java.util.Map.entry;
+import static org.elasticsearch.xpack.core.security.authc.AuthenticationTestHelper.randomCrossClusterAccessSubjectInfo;
 import static org.elasticsearch.xpack.core.security.authc.CrossClusterAccessSubjectInfoTests.randomRoleDescriptorsIntersection;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
@@ -139,9 +140,8 @@ public void testCanAccessResourcesOf() {
 
     public void testCrossClusterAccessCanAccessResourceOf() throws IOException {
         final String apiKeyId1 = randomAlphaOfLengthBetween(10, 20);
-        final CrossClusterAccessSubjectInfo crossClusterAccessSubjectInfo1 = randomValueOtherThanMany(
-            ra -> User.isInternal(ra.getAuthentication().getEffectiveSubject().getUser()),
-            AuthenticationTestHelper::randomCrossClusterAccessSubjectInfo
+        final CrossClusterAccessSubjectInfo crossClusterAccessSubjectInfo1 = randomCrossClusterAccessSubjectInfo(
+            AuthenticationTestHelper.builder().realm().build()
         );
         final Authentication authentication = AuthenticationTestHelper.builder()
             .crossClusterAccess(apiKeyId1, crossClusterAccessSubjectInfo1)
@@ -260,7 +260,110 @@ public void testCrossClusterAccessCanAccessResourceOf() throws IOException {
                 assert false : "Case number out of range";
         }
 
-        // TODO: Add more tests for API keys when they work as QC subject
+    }
+
+    private static Authentication randomCrossClusterAccessAuthentication(
+        String crossClusterApiKeyId,
+        User user,
+        Authentication authentication
+    ) {
+        return AuthenticationTestHelper.builder()
+            .crossClusterAccess(crossClusterApiKeyId, randomCrossClusterAccessSubjectInfo(authentication))
+            .user(user)
+            .build(false);
+    }
+
+    public void testCrossClusterAccessCanAccessResourceOfWithApiKey() {
+        final User user1 = randomUser();
+        final RealmRef realm1 = randomRealmRef(false);
+
+        // Different username is different no matter which realm it is from
+        final User user2 = randomValueOtherThanMany(u -> u.principal().equals(user1.principal()), AuthenticationTests::randomUser);
+        // user 2 can be from either the same realm or a different realm
+        final RealmRef realm2 = randomFrom(realm1, randomRealmRef(false));
+
+        final String apiKeyId1 = randomAlphaOfLengthBetween(10, 20);
+        // User is irrelevant
+        final User crossClusterUser1 = randomFrom(user1, user2, randomUser());
+        final String crossClusterApiKeyId1 = randomAlphaOfLengthBetween(10, 20);
+
+        // Same cross cluster access authentication with the same API key is allowed.
+        assertCanAccessResources(
+            randomCrossClusterAccessAuthentication(crossClusterApiKeyId1, crossClusterUser1, randomApiKeyAuthentication(user1, apiKeyId1)),
+            randomCrossClusterAccessAuthentication(crossClusterApiKeyId1, crossClusterUser1, randomApiKeyAuthentication(user1, apiKeyId1))
+        );
+
+        // Cluster access authentication with different API credentials keys is not allowed.
+        final String crossClusterApiKeyId2 = randomValueOtherThan(crossClusterApiKeyId1, () -> randomAlphaOfLengthBetween(10, 20));
+        assertCannotAccessResources(
+            randomCrossClusterAccessAuthentication(crossClusterApiKeyId1, crossClusterUser1, randomApiKeyAuthentication(user1, apiKeyId1)),
+            randomCrossClusterAccessAuthentication(crossClusterApiKeyId2, crossClusterUser1, randomApiKeyAuthentication(user1, apiKeyId1))
+        );
+
+        // Cross cluster access with a user and its API key is not the same owner, hence not allowed.
+        assertCannotAccessResources(
+            randomCrossClusterAccessAuthentication(crossClusterApiKeyId1, crossClusterUser1, randomAuthentication(user1, realm1)),
+            randomCrossClusterAccessAuthentication(crossClusterApiKeyId1, crossClusterUser1, randomApiKeyAuthentication(user1, apiKeyId1))
+        );
+
+        // Cross cluster access with two different API keys (regardless if the same user is owner) is not allowed.
+        final String apiKeyId2 = randomValueOtherThanMany(id -> id.equals(apiKeyId1), () -> randomAlphaOfLengthBetween(10, 20));
+        assertCannotAccessResources(
+            randomCrossClusterAccessAuthentication(
+                crossClusterApiKeyId1,
+                crossClusterUser1,
+                randomApiKeyAuthentication(randomFrom(user1, user2), apiKeyId1)
+            ),
+            randomCrossClusterAccessAuthentication(
+                crossClusterApiKeyId1,
+                crossClusterUser1,
+                randomApiKeyAuthentication(randomFrom(user1, user2), apiKeyId2)
+            )
+        );
+
+        // Cross cluster access using same API key but run-as different users is not allowed.
+        final User user3 = randomValueOtherThanMany(
+            u -> u.principal().equals(user1.principal()) || u.principal().equals(user2.principal()),
+            AuthenticationTests::randomUser
+        );
+        assertCannotAccessResources(
+            randomCrossClusterAccessAuthentication(
+                crossClusterApiKeyId1,
+                crossClusterUser1,
+                randomApiKeyAuthentication(user1, apiKeyId1).runAs(user2, realm2)
+            ),
+            randomCrossClusterAccessAuthentication(
+                crossClusterApiKeyId1,
+                crossClusterUser1,
+                randomApiKeyAuthentication(user1, apiKeyId1).runAs(user3, realm2)
+            )
+        );
+
+        // Cross cluster access using same or different API key which run-as the same user (user3) is allowed.
+        assertCanAccessResources(
+            randomCrossClusterAccessAuthentication(
+                crossClusterApiKeyId1,
+                crossClusterUser1,
+                randomApiKeyAuthentication(user1, apiKeyId1).runAs(user3, realm2)
+            ),
+            randomCrossClusterAccessAuthentication(
+                crossClusterApiKeyId1,
+                crossClusterUser1,
+                randomApiKeyAuthentication(user1, apiKeyId1).runAs(user3, realm2)
+            )
+        );
+        assertCanAccessResources(
+            randomCrossClusterAccessAuthentication(
+                crossClusterApiKeyId1,
+                crossClusterUser1,
+                randomApiKeyAuthentication(user1, apiKeyId1).runAs(user3, realm2)
+            ),
+            randomCrossClusterAccessAuthentication(
+                crossClusterApiKeyId1,
+                crossClusterUser1,
+                randomApiKeyAuthentication(user2, apiKeyId2).runAs(user3, realm2)
+            )
+        );
     }
 
     public void testTokenAccessResourceOf() {
@@ -569,7 +672,7 @@ public void testDomainSerialize() throws Exception {
 
     public void testCrossClusterAccessAuthentication() throws IOException {
         final String crossClusterAccessApiKeyId = ESTestCase.randomAlphaOfLength(20);
-        final CrossClusterAccessSubjectInfo crossClusterAccessSubjectInfo = AuthenticationTestHelper.randomCrossClusterAccessSubjectInfo();
+        final CrossClusterAccessSubjectInfo crossClusterAccessSubjectInfo = randomCrossClusterAccessSubjectInfo();
         final Authentication authentication = AuthenticationTestHelper.builder()
             .crossClusterAccess(crossClusterAccessApiKeyId, crossClusterAccessSubjectInfo)
             .build(false);
@@ -676,7 +779,7 @@ public void testToXContentWithApiKey() throws IOException {
     public void testToXContentWithCrossClusterAccess() throws IOException {
         final String apiKeyId = randomAlphaOfLength(20);
         final Authentication authentication = AuthenticationTestHelper.builder()
-            .crossClusterAccess(apiKeyId, AuthenticationTestHelper.randomCrossClusterAccessSubjectInfo())
+            .crossClusterAccess(apiKeyId, randomCrossClusterAccessSubjectInfo())
             .build(false);
         final String apiKeyName = (String) authentication.getAuthenticatingSubject()
             .getMetadata()
@@ -867,7 +970,7 @@ public void testToCrossClusterAccess() {
         final User creator = randomUser();
         final String apiKeyId = randomAlphaOfLength(42);
         final Authentication apiKeyAuthentication = AuthenticationTestHelper.builder().apiKey(apiKeyId).user(creator).build(false);
-        final CrossClusterAccessSubjectInfo crossClusterAccessSubjectInfo = AuthenticationTestHelper.randomCrossClusterAccessSubjectInfo();
+        final CrossClusterAccessSubjectInfo crossClusterAccessSubjectInfo = randomCrossClusterAccessSubjectInfo();
 
         final Authentication actualAuthentication = apiKeyAuthentication.toCrossClusterAccess(crossClusterAccessSubjectInfo);
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ tasks.register("bwcTest") {`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`plugins.withType(ElasticsearchTestBasePlugin) {`
`35`		`- tasks.withType(Test).configureEach {`
	`35`	`+ tasks.withType(Test).matching { it.name ==~ /v[0-9\.]+#.*/ }.configureEach {`
`36`	`36`	`onlyIf { project.bwc_tests_enabled }`
`37`	`37`	`nonInputProperties.systemProperty 'tests.bwc', 'true'`
`38`	`38`	`}`