Merge remote-tracking branch 'upstream/main' into logs-message-default-sort

Author: jordan-powers

build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/transport/ValidateTransportVersionReferencesTask.java

@@ -59,7 +59,7 @@ public void validateTransportVersions() throws IOException {
                         + "\") was used at "
                         + tvReference.location()
                         + ", but lacks a transport version definition. "
-                        + "If this is a new transport version, run './gradle generateTransportVersion'."
+                        + "If this is a new transport version, run './gradlew generateTransportVersion'."
                 );
             }
         }

server/src/main/java/org/elasticsearch/TransportVersion.java

@@ -257,7 +257,7 @@ public static TransportVersion fromName(String name) {
                 message.append(names);
                 message.append("?");
             }
-            message.append(" If this is a new transport version, run './gradle generateTransportVersion'.");
+            message.append(" If this is a new transport version, run './gradlew generateTransportVersion'.");
             throw new IllegalStateException(message.toString());
         }
         return known;

server/src/main/java/org/elasticsearch/TransportVersions.java

@@ -53,6 +53,8 @@ static TransportVersion def(int id) {
     }
 
     // TODO: ES-10337 we can remove all transport versions earlier than 8.18
+    public static final TransportVersion V_7_1_0 = def(7_01_00_99);
+    public static final TransportVersion V_7_2_0 = def(7_02_00_99);
     public static final TransportVersion V_7_3_0 = def(7_03_00_99);
     public static final TransportVersion V_7_3_2 = def(7_03_02_99);
     public static final TransportVersion V_7_4_0 = def(7_04_00_99);

server/src/test/java/org/elasticsearch/TransportVersionTests.java

@@ -400,7 +400,7 @@ public void testMoreLikeThis() {
             is(
                 "Unknown transport version [to_child_lock_join_query]. "
                     + "Did you mean [to_child_block_join_query]? "
-                    + "If this is a new transport version, run './gradle generateTransportVersion'."
+                    + "If this is a new transport version, run './gradlew generateTransportVersion'."
             )
         );
 
@@ -409,7 +409,7 @@ public void testMoreLikeThis() {
             ise.getMessage(),
             is(
                 "Unknown transport version [brand_new_version_unrelated_to_others]. "
-                    + "If this is a new transport version, run './gradle generateTransportVersion'."
+                    + "If this is a new transport version, run './gradlew generateTransportVersion'."
             )
         );
     }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityFeatureSetUsage.java

@@ -55,8 +55,10 @@ public SecurityFeatureSetUsage(StreamInput in) throws IOException {
         realmsUsage = in.readGenericMap();
         rolesStoreUsage = in.readGenericMap();
         sslUsage = in.readGenericMap();
-        tokenServiceUsage = in.readGenericMap();
-        apiKeyServiceUsage = in.readGenericMap();
+        if (in.getTransportVersion().onOrAfter(TransportVersions.V_7_2_0)) {
+            tokenServiceUsage = in.readGenericMap();
+            apiKeyServiceUsage = in.readGenericMap();
+        }
         auditUsage = in.readGenericMap();
         ipFilterUsage = in.readGenericMap();
         anonymousUsage = in.readGenericMap();
@@ -119,8 +121,10 @@ public void writeTo(StreamOutput out) throws IOException {
         out.writeGenericMap(realmsUsage);
         out.writeGenericMap(rolesStoreUsage);
         out.writeGenericMap(sslUsage);
-        out.writeGenericMap(tokenServiceUsage);
-        out.writeGenericMap(apiKeyServiceUsage);
+        if (out.getTransportVersion().onOrAfter(TransportVersions.V_7_2_0)) {
+            out.writeGenericMap(tokenServiceUsage);
+            out.writeGenericMap(apiKeyServiceUsage);
+        }
         out.writeGenericMap(auditUsage);
         out.writeGenericMap(ipFilterUsage);
         out.writeGenericMap(anonymousUsage);

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/support/TokensInvalidationResult.java

@@ -8,6 +8,7 @@
 package org.elasticsearch.xpack.core.security.authc.support;
 
 import org.elasticsearch.ElasticsearchException;
+import org.elasticsearch.TransportVersions;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
 import org.elasticsearch.common.io.stream.Writeable;
@@ -58,6 +59,9 @@ public TokensInvalidationResult(StreamInput in) throws IOException {
         this.invalidatedTokens = in.readStringCollectionAsList();
         this.previouslyInvalidatedTokens = in.readStringCollectionAsList();
         this.errors = in.readCollectionAsList(StreamInput::readException);
+        if (in.getTransportVersion().before(TransportVersions.V_7_2_0)) {
+            in.readVInt();
+        }
         this.restStatus = RestStatus.readFrom(in);
     }
 
@@ -105,6 +109,9 @@ public void writeTo(StreamOutput out) throws IOException {
         out.writeStringCollection(invalidatedTokens);
         out.writeStringCollection(previouslyInvalidatedTokens);
         out.writeCollection(errors, StreamOutput::writeException);
+        if (out.getTransportVersion().before(TransportVersions.V_7_2_0)) {
+            out.writeVInt(5);
+        }
         RestStatus.writeTo(out, restStatus);
     }
 }

x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/TokenAuthIntegTests.java

@@ -750,6 +750,37 @@ public void testClientCredentialsGrant() throws Exception {
         assertUnauthorizedToken(createTokenResponse.accessToken());
     }
 
+    public void testAuthenticateWithWrongToken() throws Exception {
+        final TokenService tokenService = internalCluster().getInstance(TokenService.class);
+        OAuth2Token response = createToken(TEST_USER_NAME, SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING);
+        assertNotNull(response.getRefreshToken());
+        // Assert that we can authenticate with the access token
+        assertAuthenticateWithToken(response.accessToken(), TEST_USER_NAME);
+        // Now attempt to authenticate with an invalid access token string
+        assertUnauthorizedToken(randomAlphaOfLengthBetween(0, 128));
+        // Now attempt to authenticate with an invalid access token with valid structure (pre 7.2)
+        assertUnauthorizedToken(
+            tokenService.prependVersionAndEncodeAccessToken(
+                TransportVersions.V_7_1_0,
+                tokenService.getRandomTokenBytes(TransportVersions.V_7_1_0, randomBoolean()).v1()
+            )
+        );
+        // Now attempt to authenticate with an invalid access token with valid structure (after 7.2 pre 8.10)
+        assertUnauthorizedToken(
+            tokenService.prependVersionAndEncodeAccessToken(
+                TransportVersions.V_7_4_0,
+                tokenService.getRandomTokenBytes(TransportVersions.V_7_4_0, randomBoolean()).v1()
+            )
+        );
+        // Now attempt to authenticate with an invalid access token with valid structure (current version)
+        assertUnauthorizedToken(
+            tokenService.prependVersionAndEncodeAccessToken(
+                TransportVersion.current(),
+                tokenService.getRandomTokenBytes(TransportVersion.current(), randomBoolean()).v1()
+            )
+        );
+    }
+
     @Before
     public void waitForSecurityIndexWritable() throws Exception {
         createSecurityIndexWithWaitForActiveShards();