Reindex-from-remote: Validate basic auth params (#136501) (#136552)

This fixes a bug in the reindex API where it did not correctly validate the request parameters for authenticating with a remote source using basic auth. These require both username and password, and providing only one or the other is a user error.

1. Prior to this change, a reindex request which set `source.remote.username` but not `source.remote.password` would result in a response with HTTP status code 500 (Internal Server Error). This will now result in a response with HTTP status code 400 (Bad Request).

2. Prior to this change, a reindex request which set `source.remote.password` but not `source.remote.username` would normally result in a response with HTTP status code 401 (Unuauthorized). (If the remote cluster does not require authentication, or if an API key or some other form of authentication is provided, the request would succeed, with the password silently ignored.) This will now result in a response with HTTP status code 400 (Bad Request).

The new behaviour more correctly indicates to the user that there is an error in their request.

Closes #135925

Author: PeteGillinElastic

docs/changelog/136501.yaml

@@ -0,0 +1,6 @@
+pr: 136501
+summary: "Reindex-from-remote: Validate basic auth params"
+area: Indices APIs
+type: bug
+issues:
+ - 135925

server/src/main/java/org/elasticsearch/index/reindex/ReindexRequest.java

@@ -116,6 +116,12 @@ public ActionRequestValidationException validate() {
             if (getSlices() == AbstractBulkByScrollRequest.AUTO_SLICES || getSlices() > 1) {
                 e = addValidationError("reindex from remote sources doesn't support slices > 1 but was [" + getSlices() + "]", e);
             }
+            if (getRemoteInfo().getUsername() != null && getRemoteInfo().getPassword() == null) {
+                e = addValidationError("reindex from remote source included username but not password", e);
+            }
+            if (getRemoteInfo().getPassword() != null && getRemoteInfo().getUsername() == null) {
+                e = addValidationError("reindex from remote source included password but not username", e);
+            }
         }
         return e;
     }

server/src/test/java/org/elasticsearch/index/reindex/ReindexRequestTests.java

@@ -186,6 +186,46 @@ public void testReindexFromRemoteDoesNotSupportSlices() {
         );
     }
 
+    public void testReindexFromRemoteRejectsUsernameWithNoPassword() {
+        ReindexRequest reindex = newRequest();
+        reindex.setRemoteInfo(
+            new RemoteInfo(
+                randomAlphaOfLength(5),
+                randomAlphaOfLength(5),
+                between(1, Integer.MAX_VALUE),
+                null,
+                matchAll,
+                "user",
+                null,
+                emptyMap(),
+                RemoteInfo.DEFAULT_SOCKET_TIMEOUT,
+                RemoteInfo.DEFAULT_CONNECT_TIMEOUT
+            )
+        );
+        ActionRequestValidationException e = reindex.validate();
+        assertEquals("Validation Failed: 1: reindex from remote source included username but not password;", e.getMessage());
+    }
+
+    public void testReindexFromRemoteRejectsPasswordWithNoUsername() {
+        ReindexRequest reindex = newRequest();
+        reindex.setRemoteInfo(
+            new RemoteInfo(
+                randomAlphaOfLength(5),
+                randomAlphaOfLength(5),
+                between(1, Integer.MAX_VALUE),
+                null,
+                matchAll,
+                null,
+                new SecureString("password".toCharArray()),
+                emptyMap(),
+                RemoteInfo.DEFAULT_SOCKET_TIMEOUT,
+                RemoteInfo.DEFAULT_CONNECT_TIMEOUT
+            )
+        );
+        ActionRequestValidationException e = reindex.validate();
+        assertEquals("Validation Failed: 1: reindex from remote source included password but not username;", e.getMessage());
+    }
+
     public void testNoSliceBuilderSetWithSlicedRequest() {
         ReindexRequest reindex = newRequest();
         reindex.getSearchRequest().source().slice(new SliceBuilder(0, 4));