code review feedback + test

ankit--sethi · ankit--sethi · commit d84886e36e01 · 2025-06-25T14:17:20.000-05:00
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/apikey/TransportCreateApiKeyAction.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/apikey/TransportCreateApiKeyAction.java
@@ -63,10 +63,6 @@ protected void doExecute(Task task, CreateApiKeyRequest request, ActionListener<
                 );
                 return;
             }
-            if (authentication.isCloudApiKey()) {
-                listener.onFailure(new IllegalArgumentException("creating elasticsearch api keys using cloud api keys is not supported"));
-                return;
-            }
             resolver.resolveUserRoleDescriptors(
                 authentication,
                 ActionListener.wrap(
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
@@ -368,6 +368,8 @@ public void createApiKey(
         ensureEnabled();
         if (authentication == null) {
             listener.onFailure(new IllegalArgumentException("authentication must be provided"));
+        } else if (authentication.isCloudApiKey()) {
+            listener.onFailure(new IllegalArgumentException("creating elasticsearch api keys using cloud api keys is not supported"));
         } else {
             final TransportVersion transportVersion = getMinTransportVersion();
             if (validateRoleDescriptorsForMixedCluster(listener, request.getRoleDescriptors(), transportVersion) == false) {
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java
@@ -125,6 +125,7 @@
 import org.elasticsearch.xpack.security.test.SecurityMocks;
 import org.junit.After;
 import org.junit.Before;
+import org.junit.Test;
 import org.mockito.ArgumentMatcher;
 import org.mockito.Mockito;
 
@@ -2557,6 +2558,25 @@ public void testCreationWillFailIfHashingThreadPoolIsSaturated() {
         assertThat(e, is(rejectedExecutionException));
     }
 
+    @Test
+    public void testCreationFailsIfAuthenticationIsCloudApiKey() throws InterruptedException {
+        final Authentication authentication = AuthenticationTestHelper.randomCloudApiKeyAuthentication();
+        final CreateApiKeyRequest createApiKeyRequest = new CreateApiKeyRequest(randomAlphaOfLengthBetween(3, 8), null, null);
+        ApiKeyService service = createApiKeyService(Settings.EMPTY);
+        final PlainActionFuture<CreateApiKeyResponse> future = new PlainActionFuture<>();
+        service.createApiKey(authentication, createApiKeyRequest, Set.of(), future);
+        assertEquals(true, future.isDone());
+        assertThrows(ExecutionException.class, future::get);
+        try {
+            future.get();
+        } catch (ExecutionException ex) {
+            assertEquals(
+                "java.lang.IllegalArgumentException: creating elasticsearch api keys using cloud api keys is not supported",
+                ex.getMessage()
+            );
+        }
+    }
+
     public void testCachedApiKeyValidationWillNotBeBlockedByUnCachedApiKey() throws IOException, ExecutionException, InterruptedException {
         final String apiKeyId1 = randomAlphaOfLength(12);
         final String apiKey1 = randomAlphaOfLength(16);
