Merge remote-tracking branch 'upstream/patch/incident-981-serverless-da50e9c11'

Merge patch branch for serverless back into main

Author: thecoop

server/src/main/java/org/elasticsearch/TransportVersions.java

@@ -52,7 +52,10 @@ static TransportVersion def(int id) {
     @UpdateForV9(owner = UpdateForV9.Owner.CORE_INFRA) // remove the transport versions with which v9 will not need to interact
     public static final TransportVersion ZERO = def(0);
     public static final TransportVersion V_7_0_0 = def(7_00_00_99);
+    public static final TransportVersion V_7_1_0 = def(7_01_00_99);
+    public static final TransportVersion V_7_2_0 = def(7_02_00_99);
     public static final TransportVersion V_7_3_0 = def(7_03_00_99);
+    public static final TransportVersion V_7_3_2 = def(7_03_02_99);
     public static final TransportVersion V_7_4_0 = def(7_04_00_99);
     public static final TransportVersion V_7_6_0 = def(7_06_00_99);
     public static final TransportVersion V_7_8_0 = def(7_08_00_99);

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityFeatureSetUsage.java

@@ -55,8 +55,10 @@ public SecurityFeatureSetUsage(StreamInput in) throws IOException {
         realmsUsage = in.readGenericMap();
         rolesStoreUsage = in.readGenericMap();
         sslUsage = in.readGenericMap();
-        tokenServiceUsage = in.readGenericMap();
-        apiKeyServiceUsage = in.readGenericMap();
+        if (in.getTransportVersion().onOrAfter(TransportVersions.V_7_2_0)) {
+            tokenServiceUsage = in.readGenericMap();
+            apiKeyServiceUsage = in.readGenericMap();
+        }
         auditUsage = in.readGenericMap();
         ipFilterUsage = in.readGenericMap();
         anonymousUsage = in.readGenericMap();
@@ -121,8 +123,10 @@ public void writeTo(StreamOutput out) throws IOException {
         out.writeGenericMap(realmsUsage);
         out.writeGenericMap(rolesStoreUsage);
         out.writeGenericMap(sslUsage);
-        out.writeGenericMap(tokenServiceUsage);
-        out.writeGenericMap(apiKeyServiceUsage);
+        if (out.getTransportVersion().onOrAfter(TransportVersions.V_7_2_0)) {
+            out.writeGenericMap(tokenServiceUsage);
+            out.writeGenericMap(apiKeyServiceUsage);
+        }
         out.writeGenericMap(auditUsage);
         out.writeGenericMap(ipFilterUsage);
         out.writeGenericMap(anonymousUsage);

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/support/TokensInvalidationResult.java

@@ -59,6 +59,9 @@ public TokensInvalidationResult(StreamInput in) throws IOException {
         this.invalidatedTokens = in.readStringCollectionAsList();
         this.previouslyInvalidatedTokens = in.readStringCollectionAsList();
         this.errors = in.readCollectionAsList(StreamInput::readException);
+        if (in.getTransportVersion().before(TransportVersions.V_7_2_0)) {
+            in.readVInt();
+        }
         if (in.getTransportVersion().onOrAfter(TransportVersions.V_8_0_0)) {
             this.restStatus = RestStatus.readFrom(in);
         }
@@ -108,6 +111,9 @@ public void writeTo(StreamOutput out) throws IOException {
         out.writeStringCollection(invalidatedTokens);
         out.writeStringCollection(previouslyInvalidatedTokens);
         out.writeCollection(errors, StreamOutput::writeException);
+        if (out.getTransportVersion().before(TransportVersions.V_7_2_0)) {
+            out.writeVInt(5);
+        }
         if (out.getTransportVersion().onOrAfter(TransportVersions.V_8_0_0)) {
             RestStatus.writeTo(out, restStatus);
         }

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/TokenAuthIntegTests.java

@@ -327,8 +327,8 @@ public void testInvalidateNotValidAccessTokens() throws Exception {
             ResponseException.class,
             () -> invalidateAccessToken(
                 tokenService.prependVersionAndEncodeAccessToken(
-                    TransportVersions.MINIMUM_COMPATIBLE,
-                    tokenService.getRandomTokenBytes(TransportVersions.MINIMUM_COMPATIBLE, randomBoolean()).v1()
+                    TransportVersions.V_7_3_2,
+                    tokenService.getRandomTokenBytes(TransportVersions.V_7_3_2, randomBoolean()).v1()
                 )
             )
         );
@@ -347,7 +347,7 @@ public void testInvalidateNotValidAccessTokens() throws Exception {
         byte[] longerAccessToken = new byte[randomIntBetween(17, 24)];
         random().nextBytes(longerAccessToken);
         invalidateResponse = invalidateAccessToken(
-            tokenService.prependVersionAndEncodeAccessToken(TransportVersions.MINIMUM_COMPATIBLE, longerAccessToken)
+            tokenService.prependVersionAndEncodeAccessToken(TransportVersions.V_7_3_2, longerAccessToken)
         );
         assertThat(invalidateResponse.invalidated(), equalTo(0));
         assertThat(invalidateResponse.previouslyInvalidated(), equalTo(0));
@@ -365,7 +365,7 @@ public void testInvalidateNotValidAccessTokens() throws Exception {
         byte[] shorterAccessToken = new byte[randomIntBetween(12, 15)];
         random().nextBytes(shorterAccessToken);
         invalidateResponse = invalidateAccessToken(
-            tokenService.prependVersionAndEncodeAccessToken(TransportVersions.MINIMUM_COMPATIBLE, shorterAccessToken)
+            tokenService.prependVersionAndEncodeAccessToken(TransportVersions.V_7_3_2, shorterAccessToken)
         );
         assertThat(invalidateResponse.invalidated(), equalTo(0));
         assertThat(invalidateResponse.previouslyInvalidated(), equalTo(0));
@@ -394,8 +394,8 @@ public void testInvalidateNotValidAccessTokens() throws Exception {
 
         invalidateResponse = invalidateAccessToken(
             tokenService.prependVersionAndEncodeAccessToken(
-                TransportVersions.MINIMUM_COMPATIBLE,
-                tokenService.getRandomTokenBytes(TransportVersions.MINIMUM_COMPATIBLE, randomBoolean()).v1()
+                TransportVersions.V_7_3_2,
+                tokenService.getRandomTokenBytes(TransportVersions.V_7_3_2, randomBoolean()).v1()
             )
         );
         assertThat(invalidateResponse.invalidated(), equalTo(0));
@@ -420,8 +420,8 @@ public void testInvalidateNotValidRefreshTokens() throws Exception {
             ResponseException.class,
             () -> invalidateRefreshToken(
                 TokenService.prependVersionAndEncodeRefreshToken(
-                    TransportVersions.MINIMUM_COMPATIBLE,
-                    tokenService.getRandomTokenBytes(TransportVersions.MINIMUM_COMPATIBLE, true).v2()
+                    TransportVersions.V_7_3_2,
+                    tokenService.getRandomTokenBytes(TransportVersions.V_7_3_2, true).v2()
                 )
             )
         );
@@ -441,7 +441,7 @@ public void testInvalidateNotValidRefreshTokens() throws Exception {
         byte[] longerRefreshToken = new byte[randomIntBetween(17, 24)];
         random().nextBytes(longerRefreshToken);
         invalidateResponse = invalidateRefreshToken(
-            TokenService.prependVersionAndEncodeRefreshToken(TransportVersions.MINIMUM_COMPATIBLE, longerRefreshToken)
+            TokenService.prependVersionAndEncodeRefreshToken(TransportVersions.V_7_3_2, longerRefreshToken)
         );
         assertThat(invalidateResponse.invalidated(), equalTo(0));
         assertThat(invalidateResponse.previouslyInvalidated(), equalTo(0));
@@ -459,7 +459,7 @@ public void testInvalidateNotValidRefreshTokens() throws Exception {
         byte[] shorterRefreshToken = new byte[randomIntBetween(12, 15)];
         random().nextBytes(shorterRefreshToken);
         invalidateResponse = invalidateRefreshToken(
-            TokenService.prependVersionAndEncodeRefreshToken(TransportVersions.MINIMUM_COMPATIBLE, shorterRefreshToken)
+            TokenService.prependVersionAndEncodeRefreshToken(TransportVersions.V_7_3_2, shorterRefreshToken)
         );
         assertThat(invalidateResponse.invalidated(), equalTo(0));
         assertThat(invalidateResponse.previouslyInvalidated(), equalTo(0));
@@ -488,8 +488,8 @@ public void testInvalidateNotValidRefreshTokens() throws Exception {
 
         invalidateResponse = invalidateRefreshToken(
             TokenService.prependVersionAndEncodeRefreshToken(
-                TransportVersions.MINIMUM_COMPATIBLE,
-                tokenService.getRandomTokenBytes(TransportVersions.MINIMUM_COMPATIBLE, true).v2()
+                TransportVersions.V_7_3_2,
+                tokenService.getRandomTokenBytes(TransportVersions.V_7_3_2, true).v2()
             )
         );
         assertThat(invalidateResponse.invalidated(), equalTo(0));
@@ -758,11 +758,18 @@ public void testAuthenticateWithWrongToken() throws Exception {
         assertAuthenticateWithToken(response.accessToken(), TEST_USER_NAME);
         // Now attempt to authenticate with an invalid access token string
         assertUnauthorizedToken(randomAlphaOfLengthBetween(0, 128));
-        // Now attempt to authenticate with an invalid access token with valid structure (after 8.0 pre 8.10)
+        // Now attempt to authenticate with an invalid access token with valid structure (pre 7.2)
         assertUnauthorizedToken(
             tokenService.prependVersionAndEncodeAccessToken(
-                TransportVersions.V_8_0_0,
-                tokenService.getRandomTokenBytes(TransportVersions.V_8_0_0, randomBoolean()).v1()
+                TransportVersions.V_7_1_0,
+                tokenService.getRandomTokenBytes(TransportVersions.V_7_1_0, randomBoolean()).v1()
+            )
+        );
+        // Now attempt to authenticate with an invalid access token with valid structure (after 7.2 pre 8.10)
+        assertUnauthorizedToken(
+            tokenService.prependVersionAndEncodeAccessToken(
+                TransportVersions.V_7_4_0,
+                tokenService.getRandomTokenBytes(TransportVersions.V_7_4_0, randomBoolean()).v1()
             )
         );
         // Now attempt to authenticate with an invalid access token with valid structure (current version)