From 8ea6f0b5f76f128603f8c66f4b383fec227ee365 Mon Sep 17 00:00:00 2001
From: Yang Wang
Date: Tue, 12 Jul 2022 11:34:05 +1000
Subject: [PATCH 1/2] Audit API key ID when create or grant API keys

The API key ID generation is handled by the Request class since #63221. This makes it possible to audit it when creating or granting API keys. This PR makes the necessary changes for it to happen. Relates: #63221
---
 .../docs/en/security/auditing/event-types.asciidoc | 2 +-
 .../security/audit/logfile/LoggingAuditTrail.java | 1 +
 .../audit/logfile/LoggingAuditTrailTests.java | 13 ++++++++++---
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc
index 7cc041ff4ccf8..d3e7047eb1113 100644
--- a/x-pack/docs/en/security/auditing/event-types.asciidoc
+++ b/x-pack/docs/en/security/auditing/event-types.asciidoc
@@ -733,7 +733,7 @@ the <>.
 +
 [source,js]
 ----
-`{"name": , "expiration": , "role_descriptors" []}`
+`{"id": , "name": , "expiration": , "role_descriptors" []}`
 ----
 // NOTCONSOLE
 +
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java
index 33f48b65fe9d1..0780be38f4bc2 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java
@@ -1218,6 +1218,7 @@ LogEntryBuilder withRequestBody(GrantApiKeyRequest grantApiKeyRequest) throws IO
 private void withRequestBody(XContentBuilder builder, CreateApiKeyRequest createApiKeyRequest) throws IOException {
 TimeValue expiration = createApiKeyRequest.getExpiration();
 builder.startObject("apikey")
+ .field("id", createApiKeyRequest.getId())
 .field("name", createApiKeyRequest.getName())
 .field("expiration", expiration != null ? expiration.toString() : null)
 .startArray("role_descriptors");
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
index 4ea4ce42a19eb..0128eaf516589 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
@@ -587,8 +587,13 @@ public void testSecurityConfigChangeEventFormattingForRoles() throws IOException
 createApiKeyRequest.setRefreshPolicy(randomFrom(WriteRequest.RefreshPolicy.values()));
 auditTrail.accessGranted(requestId, authentication, CreateApiKeyAction.NAME, createApiKeyRequest, authorizationInfo);
 String expectedCreateKeyAuditEventString = """
- "create":{"apikey":{"name":"%s","expiration":%s,%s}}\
- """.formatted(keyName, expiration != null ? "\"" + expiration + "\"" : "null", roleDescriptorsStringBuilder);
+ "create":{"apikey":{"id":"%s","name":"%s","expiration":%s,%s}}\
+ """.formatted(
+ createApiKeyRequest.getId(),
+ keyName,
+ expiration != null ? "\"" + expiration + "\"" : "null",
+ roleDescriptorsStringBuilder
+ );
 List output = CapturingLogger.output(logger.getName(), Level.INFO);
 assertThat(output.size(), is(2));
 String generatedCreateKeyAuditEventString = output.get(1);
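Review bot: The added `.field("id", createApiKeyRequest.getId())` line in `withRequestBody(XContentBuilder, CreateApiKeyRequest)` in LoggingAuditTrail.java carries no comment saying why this value is safe to write to the audit log, which matters in a trail that must never contain key material. Going by the commit message, the value is the identifier generated by the request class and presumably not the key secret; that should be confirmed against `CreateApiKeyRequest`. A one-line comment above the field would record it, for example `// key identifier, not the secret: lets create/grant events be correlated with later events for the same key`. The test expectations in this patch show the same `"id"` field for the grant event, so the comment would apply to both paths. The builder chain and the method body continue past the end of the hunk.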
@@ -617,7 +622,9 @@ public void testSecurityConfigChangeEventFormattingForRoles() throws IOException
 output = CapturingLogger.output(logger.getName(), Level.INFO);
 assertThat(output.size(), is(2));
 String generatedGrantKeyAuditEventString = output.get(1);
- StringBuilder grantKeyAuditEventStringBuilder = new StringBuilder().append("\"create\":{\"apikey\":{\"name\":\"")
+ StringBuilder grantKeyAuditEventStringBuilder = new StringBuilder().append("\"create\":{\"apikey\":{\"id\":\"")
+ .append(grantApiKeyRequest.getApiKeyRequest().getId())
+ .append("\",\"name\":\"")
 .append(keyName)
 .append("\",\"expiration\":")
 .append(expiration != null ? "\"" + expiration + "\"" : "null")

From f202316adab3f41f092554f52ae2ed20f63fd6fb Mon Sep 17 00:00:00 2001
From: Yang Wang
Date: Tue, 12 Jul 2022 11:43:23 +1000
Subject: [PATCH 2/2] Update docs/changelog/88456.yaml

---
 docs/changelog/88456.yaml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 docs/changelog/88456.yaml

diff --git a/docs/changelog/88456.yaml b/docs/changelog/88456.yaml
new file mode 100644
index 0000000000000..bb3a5d1182365
--- /dev/null
+++ b/docs/changelog/88456.yaml
@@ -0,0 +1,5 @@
+pr: 88456
+summary: Audit API key ID when create or grant API keys
+area: Audit
+type: enhancement
+issues: []
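Review bot: The grant expectation in the `@@ -617,7 +622,9 @@` hunk of LoggingAuditTrailTests.java is still assembled with chained `append` calls and hand-escaped quotes, while the create expectation earlier in the same test was rewritten in this patch as a text block with `formatted(...)`. Writing the grant expectation in the same text-block form would let the two expected events be compared at a glance. It would also remove the `\"` sequences, which is where a misplaced quote around the new `id` value would be hard to spot. The `append` chain continues past the end of the hunk, so the remainder of the expression would need the same conversion.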