[ML] When using CCM, EIS authorization header should use ApiKey instead of Bearer (elastic#138590)

* Switch eis auth key to ApiKey instead of Bearer

* Addressing feedback, adding test

Author: jonathan-buttner

x-pack/plugin/inference/src/main/java/org/elasticsearch/xpack/inference/external/request/RequestUtils.java

@@ -29,6 +29,14 @@ public static String bearerToken(String apiKey) {
         return "Bearer " + apiKey;
     }
 
+    public static Header createAuthApiKeyHeader(SecureString apiKey) {
+        return new BasicHeader(HttpHeaders.AUTHORIZATION, apiKey(apiKey.toString()));
+    }
+
+    public static String apiKey(String apiKey) {
+        return "ApiKey " + apiKey;
+    }
+
     public static URI buildUri(URI accountUri, String service, CheckedSupplier<URI, URISyntaxException> uriBuilder) {
         try {
             return accountUri == null ? uriBuilder.get() : accountUri;

x-pack/plugin/inference/src/main/java/org/elasticsearch/xpack/inference/services/elastic/ccm/CCMAuthenticationApplierFactory.java

@@ -17,7 +17,7 @@
 import java.util.Objects;
 import java.util.function.Function;
 
-import static org.elasticsearch.xpack.inference.external.request.RequestUtils.createAuthBearerHeader;
+import static org.elasticsearch.xpack.inference.external.request.RequestUtils.createAuthApiKeyHeader;
 import static org.elasticsearch.xpack.inference.rest.Paths.INFERENCE_CCM_PATH;
 
 /**
@@ -70,7 +70,7 @@ public AuthenticationHeaderApplier(String apiKey) {
 
         @Override
         public HttpRequestBase apply(HttpRequestBase request) {
-            request.setHeader(createAuthBearerHeader(apiKey));
+            request.setHeader(createAuthApiKeyHeader(apiKey));
             return request;
         }
     }

x-pack/plugin/inference/src/test/java/org/elasticsearch/xpack/inference/external/request/RequestUtilsTests.java

@@ -10,19 +10,37 @@
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.test.ESTestCase;
 
+import static org.elasticsearch.xpack.inference.external.request.RequestUtils.apiKey;
 import static org.elasticsearch.xpack.inference.external.request.RequestUtils.bearerToken;
+import static org.elasticsearch.xpack.inference.external.request.RequestUtils.createAuthApiKeyHeader;
 import static org.elasticsearch.xpack.inference.external.request.RequestUtils.createAuthBearerHeader;
 import static org.hamcrest.Matchers.is;
 
 public class RequestUtilsTests extends ESTestCase {
+    private static final String SECRET = "abc";
+    private static final String BEARER_PREFIX = "Bearer ";
+    private static final String APIKEY_PREFIX = "ApiKey ";
+    private static final String AUTHORIZATION_HEADER = "Authorization";
+
     public void testCreateAuthBearerHeader() {
-        var header = createAuthBearerHeader(new SecureString("abc".toCharArray()));
+        var header = createAuthBearerHeader(new SecureString(SECRET.toCharArray()));
 
-        assertThat(header.getName(), is("Authorization"));
-        assertThat(header.getValue(), is("Bearer abc"));
+        assertThat(header.getName(), is(AUTHORIZATION_HEADER));
+        assertThat(header.getValue(), is(BEARER_PREFIX + SECRET));
     }
 
     public void testBearerToken() {
-        assertThat(bearerToken("abc"), is("Bearer abc"));
+        assertThat(bearerToken(SECRET), is(BEARER_PREFIX + SECRET));
+    }
+
+    public void testCreateAuthApiKeyHeader() {
+        var header = createAuthApiKeyHeader(new SecureString(SECRET.toCharArray()));
+
+        assertThat(header.getName(), is(AUTHORIZATION_HEADER));
+        assertThat(header.getValue(), is(APIKEY_PREFIX + SECRET));
+    }
+
+    public void testApiKey() {
+        assertThat(apiKey(SECRET), is(APIKEY_PREFIX + SECRET));
     }
 }

x-pack/plugin/inference/src/test/java/org/elasticsearch/xpack/inference/external/request/elastic/ElasticInferenceServiceRerankRequestTests.java

@@ -20,7 +20,7 @@
 import java.util.List;
 
 import static org.elasticsearch.xpack.inference.external.http.Utils.entityAsMap;
-import static org.elasticsearch.xpack.inference.external.request.RequestUtils.bearerToken;
+import static org.elasticsearch.xpack.inference.external.request.RequestUtils.apiKey;
 import static org.elasticsearch.xpack.inference.services.elastic.request.ElasticInferenceServiceRequestTests.randomElasticInferenceServiceRequestMetadata;
 import static org.hamcrest.Matchers.aMapWithSize;
 import static org.hamcrest.Matchers.instanceOf;
@@ -99,7 +99,7 @@ public void testDecorate_HttpRequest_WithAuthorizationHeader() {
         assertThat(httpPost.getLastHeader(Task.TRACE_STATE).getValue(), is(traceState));
         var headers = httpPost.getHeaders(HttpHeaders.AUTHORIZATION);
         assertThat(headers.length, is(1));
-        assertThat(headers[0].getValue(), is(bearerToken(secret)));
+        assertThat(headers[0].getValue(), is(apiKey(secret)));
     }
 
     private ElasticInferenceServiceRerankRequest createRequest(

x-pack/plugin/inference/src/test/java/org/elasticsearch/xpack/inference/services/elastic/action/ElasticInferenceServiceActionCreatorTests.java

@@ -52,7 +52,7 @@
 import static org.elasticsearch.xpack.inference.external.http.Utils.getUrl;
 import static org.elasticsearch.xpack.inference.external.http.retry.RetrySettingsTests.buildSettingsWithRetryFields;
 import static org.elasticsearch.xpack.inference.external.http.sender.HttpRequestSenderTests.createSender;
-import static org.elasticsearch.xpack.inference.external.request.RequestUtils.bearerToken;
+import static org.elasticsearch.xpack.inference.external.request.RequestUtils.apiKey;
 import static org.elasticsearch.xpack.inference.services.ServiceComponentsTests.createWithEmptySettings;
 import static org.elasticsearch.xpack.inference.services.elastic.ccm.CCMAuthenticationApplierFactoryTests.createApplierFactory;
 import static org.elasticsearch.xpack.inference.services.elastic.ccm.CCMAuthenticationApplierFactoryTests.createNoopApplierFactory;
@@ -208,7 +208,7 @@ public void testExecute_SparseEmbedding_AddsAuthorizationHeader() throws IOExcep
 
     private static void assertHeadersWithAuth(List<MockRequest> requests, String secret) {
         var request = assertSingleRequestSent(requests);
-        assertThat(request.getHeader(HttpHeaders.AUTHORIZATION), equalTo(bearerToken(secret)));
+        assertThat(request.getHeader(HttpHeaders.AUTHORIZATION), equalTo(apiKey(secret)));
     }
 
     private static MockRequest assertSingleRequestSent(List<MockRequest> requests) {

x-pack/plugin/inference/src/test/java/org/elasticsearch/xpack/inference/services/elastic/authorization/ElasticInferenceServiceAuthorizationRequestHandlerTests.java

@@ -41,7 +41,7 @@
 import static org.elasticsearch.xpack.inference.Utils.mockClusterServiceEmpty;
 import static org.elasticsearch.xpack.inference.external.http.Utils.getUrl;
 import static org.elasticsearch.xpack.inference.external.http.retry.RetryingHttpSender.MAX_RETIES;
-import static org.elasticsearch.xpack.inference.external.request.RequestUtils.bearerToken;
+import static org.elasticsearch.xpack.inference.external.request.RequestUtils.apiKey;
 import static org.elasticsearch.xpack.inference.services.SenderServiceTests.createMockSender;
 import static org.elasticsearch.xpack.inference.services.elastic.ccm.CCMAuthenticationApplierFactoryTests.createApplierFactory;
 import static org.elasticsearch.xpack.inference.services.elastic.ccm.CCMAuthenticationApplierFactoryTests.createNoopApplierFactory;
@@ -266,7 +266,7 @@ public void testGetAuthorization_ReturnsAValidResponse_WithAuthHeader() throws I
 
     private static void assertAuthHeader(List<MockRequest> requests, String secret) {
         assertThat(requests.size(), is(1));
-        assertThat(requests.get(0).getHeader(HttpHeaders.AUTHORIZATION), is(bearerToken(secret)));
+        assertThat(requests.get(0).getHeader(HttpHeaders.AUTHORIZATION), is(apiKey(secret)));
     }
 
     public void testGetAuthorization_OnResponseCalledOnce() throws IOException {

x-pack/plugin/inference/src/test/java/org/elasticsearch/xpack/inference/services/elastic/ccm/CCMAuthenticationApplierFactoryTests.java

@@ -16,7 +16,7 @@
 import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.test.ESTestCase;
 
-import static org.elasticsearch.xpack.inference.external.request.RequestUtils.bearerToken;
+import static org.elasticsearch.xpack.inference.external.request.RequestUtils.apiKey;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.sameInstance;
@@ -61,7 +61,7 @@ public void testAuthenticationHeaderApplierSetsAuthorizationHeader() {
         var applier = new CCMAuthenticationApplierFactory.AuthenticationHeaderApplier(secret);
         var request = new HttpGet("http://localhost");
         applier.apply(request);
-        assertThat(request.getFirstHeader(HttpHeaders.AUTHORIZATION).getValue(), is(bearerToken(secret)));
+        assertThat(request.getFirstHeader(HttpHeaders.AUTHORIZATION).getValue(), is(apiKey(secret)));
     }
 
     public void testGetAuthenticationApplier_ReturnsNoopWhenConfiguringCCMIsDisabled() {

x-pack/plugin/inference/src/test/java/org/elasticsearch/xpack/inference/services/elastic/request/ElasticInferenceServiceDenseTextEmbeddingsRequestTests.java

@@ -23,7 +23,7 @@
 
 import static org.elasticsearch.xpack.inference.InferencePlugin.X_ELASTIC_PRODUCT_USE_CASE_HTTP_HEADER;
 import static org.elasticsearch.xpack.inference.external.http.Utils.entityAsMap;
-import static org.elasticsearch.xpack.inference.external.request.RequestUtils.bearerToken;
+import static org.elasticsearch.xpack.inference.external.request.RequestUtils.apiKey;
 import static org.elasticsearch.xpack.inference.services.elastic.request.ElasticInferenceServiceRequestTests.randomElasticInferenceServiceRequestMetadata;
 import static org.hamcrest.Matchers.aMapWithSize;
 import static org.hamcrest.Matchers.equalTo;
@@ -200,7 +200,7 @@ public void testDecorate_HttpRequest_WithAuthorizationHeader() {
 
             var headers = httpPost.getHeaders(HttpHeaders.AUTHORIZATION);
             assertThat(headers.length, is(1));
-            assertThat(headers[0].getValue(), is(bearerToken(secret)));
+            assertThat(headers[0].getValue(), is(apiKey(secret)));
         }
     }
 

x-pack/plugin/inference/src/test/java/org/elasticsearch/xpack/inference/services/elastic/request/ElasticInferenceServiceRequestTests.java

@@ -20,7 +20,7 @@
 
 import static org.elasticsearch.xpack.inference.InferencePlugin.X_ELASTIC_ES_VERSION;
 import static org.elasticsearch.xpack.inference.InferencePlugin.X_ELASTIC_PRODUCT_USE_CASE_HTTP_HEADER;
-import static org.elasticsearch.xpack.inference.external.request.RequestUtils.bearerToken;
+import static org.elasticsearch.xpack.inference.external.request.RequestUtils.apiKey;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
 
@@ -36,7 +36,7 @@ public void testElasticInferenceServiceRequestSubclasses_Decorate_HttpRequest_Wi
         var httpRequest = elasticInferenceServiceRequestWrapper.createHttpRequest();
 
         assertThat(httpRequest.httpRequestBase().getHeaders(HttpHeaders.AUTHORIZATION).length, equalTo(1));
-        assertThat(httpRequest.httpRequestBase().getFirstHeader(HttpHeaders.AUTHORIZATION).getValue(), is(bearerToken(secret)));
+        assertThat(httpRequest.httpRequestBase().getFirstHeader(HttpHeaders.AUTHORIZATION).getValue(), is(apiKey(secret)));
     }
 
     public void testElasticInferenceServiceRequestSubclasses_Decorate_HttpRequest_WithProductOrigin() {

x-pack/plugin/inference/src/test/java/org/elasticsearch/xpack/inference/services/elastic/request/ElasticInferenceServiceSparseEmbeddingsRequestTests.java

@@ -24,7 +24,7 @@
 
 import static org.elasticsearch.xpack.inference.InferencePlugin.X_ELASTIC_PRODUCT_USE_CASE_HTTP_HEADER;
 import static org.elasticsearch.xpack.inference.external.http.Utils.entityAsMap;
-import static org.elasticsearch.xpack.inference.external.request.RequestUtils.bearerToken;
+import static org.elasticsearch.xpack.inference.external.request.RequestUtils.apiKey;
 import static org.elasticsearch.xpack.inference.services.elastic.request.ElasticInferenceServiceRequestTests.randomElasticInferenceServiceRequestMetadata;
 import static org.hamcrest.Matchers.aMapWithSize;
 import static org.hamcrest.Matchers.equalTo;
@@ -152,7 +152,7 @@ public void testDecorate_HttpRequest_WithAuthorizationHeader() {
 
             var headers = httpPost.getHeaders(HttpHeaders.AUTHORIZATION);
             assertThat(headers.length, is(1));
-            assertThat(headers[0].getValue(), is(bearerToken(secret)));
+            assertThat(headers[0].getValue(), is(apiKey(secret)));
         }
     }