Reindex-from-remote: Validate basic auth params

This fixes a bug in the reindex API where it did not correctly
validate the request parameters for authenticating with a remote
source using basic auth, which requires both username and password.

1. Prior to this change, a reindex request which set
`source.remote.username` but not `source.remote.password` would result
in a response with HTTP status code 500 (Internal Server Error). This
will now result in a response with HTTP status code 400 (Bad Request).

2. Prior to this change, a reindex request which set
`source.remote.password` but not `source.remote.username` would
normally result in a response with HTTP status code 401
(Unuauthorized). (If the remote cluster does not require
authentication, or if an API key or some other form of authentication
is provided, the request would succeed, with the password silently
ignored.) This will now result in a response with HTTP status code 400
(Bad Request).

Author: PeteGillinElastic

server/src/main/java/org/elasticsearch/index/reindex/ReindexRequest.java

@@ -116,6 +116,12 @@ public ActionRequestValidationException validate() {
             if (getSlices() == AbstractBulkByScrollRequest.AUTO_SLICES || getSlices() > 1) {
                 e = addValidationError("reindex from remote sources doesn't support slices > 1 but was [" + getSlices() + "]", e);
             }
+            if (getRemoteInfo().getUsername() != null && getRemoteInfo().getPassword() == null) {
+                e = addValidationError("reindex from remote source included username but not password", e);
+            }
+            if (getRemoteInfo().getPassword() != null && getRemoteInfo().getUsername() == null) {
+                e = addValidationError("reindex from remote source included password but not username", e);
+            }
         }
         return e;
     }

server/src/test/java/org/elasticsearch/index/reindex/ReindexRequestTests.java

@@ -186,6 +186,52 @@ public void testReindexFromRemoteDoesNotSupportSlices() {
         );
     }
 
+    public void testReindexFromRemoteRejectsUsernameWithNoPassword() {
+        ReindexRequest reindex = newRequest();
+        reindex.setRemoteInfo(
+            new RemoteInfo(
+                randomAlphaOfLength(5),
+                randomAlphaOfLength(5),
+                between(1, Integer.MAX_VALUE),
+                null,
+                matchAll,
+                "user",
+                null,
+                emptyMap(),
+                RemoteInfo.DEFAULT_SOCKET_TIMEOUT,
+                RemoteInfo.DEFAULT_CONNECT_TIMEOUT
+            )
+        );
+        ActionRequestValidationException e = reindex.validate();
+        assertEquals(
+            "Validation Failed: 1: reindex from remote source included username but not password;",
+            e.getMessage()
+        );
+    }
+
+    public void testReindexFromRemoteRejectsPasswordWithNoUsername() {
+        ReindexRequest reindex = newRequest();
+        reindex.setRemoteInfo(
+            new RemoteInfo(
+                randomAlphaOfLength(5),
+                randomAlphaOfLength(5),
+                between(1, Integer.MAX_VALUE),
+                null,
+                matchAll,
+                null,
+                new SecureString("password".toCharArray()),
+                emptyMap(),
+                RemoteInfo.DEFAULT_SOCKET_TIMEOUT,
+                RemoteInfo.DEFAULT_CONNECT_TIMEOUT
+            )
+        );
+        ActionRequestValidationException e = reindex.validate();
+        assertEquals(
+            "Validation Failed: 1: reindex from remote source included password but not username;",
+            e.getMessage()
+        );
+    }
+
     public void testNoSliceBuilderSetWithSlicedRequest() {
         ReindexRequest reindex = newRequest();
         reindex.getSearchRequest().source().slice(new SliceBuilder(0, 4));