[Test] Add API key yaml tests to entsearch yaml test suite (#96881)

This commit adds YAML tests for Search Application Search API 
using API key restricted to `search_application_query` workflow.

Relates to #96744

Author: slobodanadamovic

x-pack/plugin/ent-search/qa/rest/build.gradle

@@ -7,7 +7,7 @@ dependencies {
 
 restResources {
   restApi {
-    include '_common', 'cluster', 'nodes', 'indices', 'index', 'query_ruleset', 'search_application', 'xpack'
+    include '_common', 'cluster', 'nodes', 'indices', 'index', 'query_ruleset', 'search_application', 'xpack', 'security', 'search'
   }
 }
 

x-pack/plugin/ent-search/qa/rest/roles.yml

@@ -33,6 +33,7 @@ admin:
 user:
   cluster:
     - post_behavioral_analytics_event
+    - manage_api_key
   indices:
     - names: [
       "test-search-application",

x-pack/plugin/ent-search/qa/rest/src/yamlRestTest/resources/rest-api-spec/test/entsearch/56_search_application_search_with_apikey.yml

@@ -0,0 +1,376 @@
+setup:
+  - do:
+      indices.create:
+        index: test-search-index1
+        body:
+          settings:
+            index:
+              number_of_shards: 1
+              number_of_replicas: 0
+
+  - do:
+      indices.create:
+        index: test-search-index2
+        body:
+          settings:
+            index:
+              number_of_shards: 1
+              number_of_replicas: 0
+
+  - do:
+      indices.create:
+        index: test-index
+        body:
+          settings:
+            index:
+              number_of_shards: 1
+              number_of_replicas: 0
+
+  - do:
+      search_application.put:
+        name: test-search-application
+        body:
+          indices: [ "test-search-index1", "test-search-index2" ]
+          analytics_collection_name: "test-analytics"
+          template:
+            script:
+              source:
+                query:
+                  term:
+                    "{{field_name}}": "{{field_value}}"
+              params:
+                field_name: field1
+                field_value: value1
+            dictionary:
+              additionalProperties: false
+              required: [ "field_name" ]
+              properties:
+                field_name:
+                  type: string
+                field_value:
+                  type: string
+
+  - do:
+      search_application.put:
+        name: test-search-application-1
+        body:
+          indices: [ "test-search-index1", "test-search-index2" ]
+          analytics_collection_name: "test-analytics"
+          template:
+            script:
+              source:
+                query:
+                  term:
+                    "{{field_name}}": "{{field_value}}"
+              params:
+                field_name: field1
+                field_value: value1
+            dictionary:
+              additionalProperties: false
+              properties:
+                field_name:
+                  type: string
+                field_value:
+                  type: string
+  - do:
+      search_application.put:
+        name: test-search-application-with-list
+        body:
+          indices: [ "test-search-index1", "test-search-index2" ]
+          template:
+            script:
+              source: "{ \"query\": { \"multi_match\":{ \"query\": \"{{query_string}}\", \"fields\": [{{#text_fields}}\"{{name}}^{{boost}}\",{{/text_fields}}] } } }"
+              params:
+                query_string: "elastic"
+                text_fields:
+                  - name: field1
+                    boost: 1
+                  - name: field2
+                    boost: 2
+                  - name: field3
+                    boost: 3
+              lang: "mustache"
+
+  - do:
+      index:
+        index: test-search-index1
+        id: doc1
+        body:
+          field1: value1
+          field2: value1
+        refresh: true
+
+  - do:
+      index:
+        index: test-search-index2
+        id: doc2
+        body:
+          field1: value1
+          field3: value3
+        refresh: true
+
+  - do:
+      search_application.put_behavioral_analytics:
+        name: my-test-analytics-collection
+---
+teardown:
+  - do:
+      search_application.delete:
+        name: test-search-application
+        ignore: 404
+
+  - do:
+      search_application.delete:
+        name: test-search-application-1
+        ignore: 404
+
+  - do:
+      search_application.delete:
+        name: test-search-application-with-list
+        ignore: 404
+
+  - do:
+      indices.delete:
+        index: test-search-index1
+        ignore: 404
+
+  - do:
+      indices.delete:
+        index: test-search-index2
+        ignore: 404
+
+  - do:
+      indices.delete:
+        index: test-index
+        ignore: 404
+
+  - do:
+      search_application.delete_behavioral_analytics:
+        name: my-test-analytics-collection
+
+---
+"Query Search Application with API key":
+  - skip:
+      features: headers
+
+  - do:
+      headers: { Authorization: "Basic ZW50c2VhcmNoLXVzZXI6ZW50c2VhcmNoLXVzZXItcGFzc3dvcmQ=" }  # user
+      security.create_api_key:
+        body:  >
+          {
+            "name": "search-application-api-key",
+            "role_descriptors": {
+              "role": {
+                "cluster": [ "manage_behavioral_analytics" ],
+                "index": [
+                  {
+                    "names": ["*"],
+                    "privileges": ["read"]
+                  }
+                ],
+                "restriction": {
+                  "workflows": ["search_application_query"]
+                }
+              }
+            }
+          }
+
+  - match: { name: "search-application-api-key" }
+  - set: { encoded: api_key_encoded  }
+  - set: { id: api_key_id }
+
+# Query Search Application with default parameters:
+  - do:
+      headers:
+        Authorization: ApiKey ${api_key_encoded}
+      search_application.search:
+        name: test-search-application-1
+
+  - match: { hits.total.value: 2 }
+  - match: { hits.hits.0._id: "doc1" }
+  - match: { hits.hits.1._id: "doc2" }
+
+
+# Query Search Application overriding part of the parameters:
+  - do:
+      headers:
+        Authorization: ApiKey ${api_key_encoded}
+      search_application.search:
+        name: test-search-application
+        body:
+          params:
+            field_name: field2
+
+
+  - match: { hits.total.value: 1 }
+  - match: { hits.hits.0._id: "doc1" }
+
+# Query Search Application overriding all parameters:
+  - do:
+      headers:
+        Authorization: ApiKey ${api_key_encoded}
+      search_application.search:
+        name: test-search-application
+        body:
+          params:
+            field_name: field3
+            field_value: value3
+
+
+  - match: { hits.total.value: 1 }
+  - match: { hits.hits.0._id: "doc2" }
+
+# Query Search Application with list of parameters:
+  - do:
+      headers:
+        Authorization: ApiKey ${api_key_encoded}
+      search_application.search:
+        name: test-search-application-with-list
+        body:
+          params:
+            query_string: value3
+            text_fields:
+              - name: field1
+                boost: 1
+              - name: field2
+                boost: 2
+              - name: field3
+                boost: 3
+
+
+  - match: { hits.total.value: 1 }
+  - match: { hits.hits.0._id: "doc2" }
+
+# Query Search Application with invalid parameter validation:
+  - do:
+      catch: "bad_request"
+      headers:
+        Authorization: ApiKey ${api_key_encoded}
+      search_application.search:
+        name: test-search-application
+        body:
+          params:
+            field_name: field3
+            field_value: 35
+
+# Query Search Application without required parameter:
+  - do:
+      catch: "bad_request"
+      headers:
+        Authorization: ApiKey ${api_key_encoded}
+      search_application.search:
+        name: test-search-application
+        body:
+          params:
+            field_value: test
+
+# Query Search Application - not found:
+  - do:
+      catch: forbidden
+      headers:
+        Authorization: ApiKey ${api_key_encoded}
+      search_application.search:
+        name: nonexisting-test-search-application
+        body:
+          params:
+            field_name: field3
+            field_value: value3
+
+# Get Analytics Collection should be rejected due to a workflow restriction
+  - do:
+      catch: forbidden
+      headers:
+        Authorization: ApiKey ${api_key_encoded}
+      search_application.get_behavioral_analytics:
+        name:
+  - match: { status: 403 }
+  - match: { error.type: security_exception }
+  - match: { error.root_cause.0.type: role_restriction_exception }
+  - match: { error.root_cause.0.reason: "access restricted by workflow" }
+
+# Get API key should not be allowed
+  - do:
+      catch: forbidden
+      headers:
+        Authorization: ApiKey ${api_key_encoded}
+      security.get_api_key:
+        id: "$api_key_id"
+  - match: { status: 403 }
+  - match: { error.type: security_exception }
+  - match: { error.root_cause.0.type: role_restriction_exception }
+  - match: { error.root_cause.0.reason: "access restricted by workflow" }
+
+# Authenticate with API key should not be allowed
+  - do:
+      catch: forbidden
+      headers:
+        Authorization: ApiKey ${api_key_encoded}
+      security.authenticate: {}
+  - match: { status: 403 }
+  - match: { error.type: security_exception }
+  - match: { error.root_cause.0.type: role_restriction_exception }
+  - match: { error.root_cause.0.reason: "access restricted by workflow" }
+
+# Direct index search should be rejected due to a workflow restriction
+  - do:
+      catch: forbidden
+      headers:
+        Authorization: ApiKey ${api_key_encoded}
+      search:
+        index: test-search-index1
+        body:
+          query:
+            term:
+              field1: value1
+  - match: { status: 403 }
+  - match: { error.type: security_exception }
+  - match: { error.root_cause.0.type: role_restriction_exception }
+  - match: { error.root_cause.0.reason: "access restricted by workflow" }
+
+# Creating an API key which can only search 'test-search-application-1'
+  - do:
+      headers: { Authorization: "Basic ZW50c2VhcmNoLXVzZXI6ZW50c2VhcmNoLXVzZXItcGFzc3dvcmQ=" }  # user
+      security.create_api_key:
+        body:  >
+          {
+            "name": "search-application-1-api-key",
+            "role_descriptors": {
+              "role": {
+                "index": [
+                  {
+                    "names": ["test-search-application-1"],
+                    "privileges": ["read"]
+                  }
+                ],
+                "restriction": {
+                  "workflows": ["search_application_query"]
+                }
+              }
+            }
+          }
+
+  - match: { name: "search-application-1-api-key" }
+  - set: { encoded: api_key_encoded_1  }
+  - set: { id: api_key_id_1 }
+
+# Query Search Application 'test-search-application' should be denied since API key (api_key_encoded_1) does not have required index privilege
+  - do:
+      catch: forbidden
+      headers:
+        Authorization: ApiKey ${api_key_encoded_1}
+      search_application.search:
+        name: test-search-application
+  - match: { status: 403 }
+  - match: { error.type: security_exception }
+  - match: { error.reason: "action [indices:data/read/xpack/application/search_application/search] is unauthorized for API key id [${api_key_id_1}] of user [entsearch-user] on indices [test-search-application], this action is granted by the index privileges [read,all]" }
+
+# Query Search Application 'test-search-application-1' with new API key (api_key_encoded_1) should be allowed:
+  - do:
+      headers:
+        Authorization: ApiKey ${api_key_encoded_1}
+      search_application.search:
+        name: test-search-application-1
+
+  - match: { hits.total.value: 2 }
+  - match: { hits.hits.0._id: "doc1" }
+  - match: { hits.hits.1._id: "doc2" }