Feature/prevent create api with cloud api key (#129966)

ankit--sethi · n1v0lg · slobodanadamovic · web-flow · commit afbcaff78854 · 2025-06-30T15:22:51.000-05:00
* [UIAM] Cloud API key authentication

* Clean up

* Nit

* Fix more tests

* Nit

* Fix sig

* Fix not

* Nit

* Authenticator

* More

* Javadoc

* Javadoc

* Fix tests

* Exception handling

* Javadoc

* add new transport version

* add todo to followup in ES-11961

* test cloud API key authentication serialization

* add a validation

* fix merge

* fix merge

* code review feedback + test

* Update x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java

Co-authored-by: Slobodan Adamović &lt;slobodanadamovic@users.noreply.github.com&gt;

* Update x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java

Co-authored-by: Slobodan Adamović &lt;slobodanadamovic@users.noreply.github.com&gt;

* [CI] Auto commit changes from spotless

---------

Co-authored-by: Nikolaj Volgushev &lt;n1v0lg@users.noreply.github.com&gt;
Co-authored-by: Slobodan Adamovic &lt;slobodan.adamovic@elastic.co&gt;
Co-authored-by: Slobodan Adamović &lt;slobodanadamovic@users.noreply.github.com&gt;
Co-authored-by: elasticsearchmachine &lt;infra-root+elasticsearchmachine@elastic.co&gt;
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
@@ -368,6 +368,8 @@ public void createApiKey(
         ensureEnabled();
         if (authentication == null) {
             listener.onFailure(new IllegalArgumentException("authentication must be provided"));
+        } else if (authentication.isCloudApiKey()) {
+            listener.onFailure(new IllegalArgumentException("creating elasticsearch api keys using cloud api keys is not supported"));
         } else {
             final TransportVersion transportVersion = getMinTransportVersion();
             if (validateRoleDescriptorsForMixedCluster(listener, request.getRoleDescriptors(), transportVersion) == false) {
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java
@@ -2557,6 +2557,16 @@ public void testCreationWillFailIfHashingThreadPoolIsSaturated() {
         assertThat(e, is(rejectedExecutionException));
     }
 
+    public void testCreationFailsIfAuthenticationIsCloudApiKey() throws InterruptedException {
+        final Authentication authentication = AuthenticationTestHelper.randomCloudApiKeyAuthentication();
+        final CreateApiKeyRequest createApiKeyRequest = new CreateApiKeyRequest(randomAlphaOfLengthBetween(3, 8), null, null);
+        ApiKeyService service = createApiKeyService(Settings.EMPTY);
+        final PlainActionFuture<CreateApiKeyResponse> future = new PlainActionFuture<>();
+        service.createApiKey(authentication, createApiKeyRequest, Set.of(), future);
+        final IllegalArgumentException iae = expectThrows(IllegalArgumentException.class, future);
+        assertThat(iae.getMessage(), equalTo("creating elasticsearch api keys using cloud api keys is not supported"));
+    }
+
     public void testCachedApiKeyValidationWillNotBeBlockedByUnCachedApiKey() throws IOException, ExecutionException, InterruptedException {
         final String apiKeyId1 = randomAlphaOfLength(12);
         final String apiKey1 = randomAlphaOfLength(16);
