elastic · mikecote · Jul 31, 2019 · Jul 29, 2019 · Jul 29, 2019 · Jul 29, 2019
diff --git a/x-pack/legacy/plugins/security/index.js b/x-pack/legacy/plugins/security/index.js
@@ -145,7 +145,10 @@ export const security = (kibana) => new kibana.Plugin({
     // to re-compute the license check results for this plugin
     xpackInfoFeature.registerLicenseCheckResultsGenerator(checkLicense);
 
-    server.expose({ getUser: request => securityPlugin.authc.getCurrentUser(KibanaRequest.from(request)) });
+    server.expose({
+      getUser: request => securityPlugin.authc.getCurrentUser(KibanaRequest.from(request)),
+      createApiKey: (request, body) => securityPlugin.authc.createApiKey(KibanaRequest.from(request), body),
+    });
 
     const { savedObjects } = server;
 

diff --git a/x-pack/legacy/server/lib/esjs_shield_plugin.js b/x-pack/legacy/server/lib/esjs_shield_plugin.js
@@ -497,5 +497,16 @@
         }
       ]
     });
+
+    /**
+     * Perform a [shield.createApiKey](Creates an API Key for the current user) request
+    */
+    shield.createApiKey = ca({
+      method: 'POST',
+      needBody: true,
+      url: {
+        fmt: '/_security/api_key',
+      },
+    });
   };
 }));
diff --git a/x-pack/plugins/security/server/authentication/api_key.test.ts b/x-pack/plugins/security/server/authentication/api_key.test.ts
@@ -0,0 +1,58 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { createApiKey } from './api_key';
+
+const mockCallCluster = jest.fn();
+
+beforeAll(() => jest.resetAllMocks());
+
+describe('createApiKey()', () => {
+  test('returns null when security feature is disabled', async () => {
+    const result = await createApiKey({
+      body: {
+        name: '',
+        role_descriptors: {},
+      },
+      callCluster: mockCallCluster,
+      isSecurityFeatureDisabled: () => true,
+    });
+    expect(result).toBeNull();
+  });
+
+  test('calls callCluster with proper body arguments', async () => {
+    mockCallCluster.mockResolvedValueOnce({
+      id: '123',
+      name: 'key-name',
+      expiration: '1d',
+      api_key: 'abc123',
+    });
+    const result = await createApiKey({
+      body: {
+        name: 'key-name',
+        role_descriptors: { foo: true },
+        expiration: '1d',
+      },
+      callCluster: mockCallCluster,
+      isSecurityFeatureDisabled: () => false,
+    });
+    expect(result).toMatchInlineSnapshot(`
+      Object {
+        "api_key": "abc123",
+        "expiration": "1d",
+        "id": "123",
+        "name": "key-name",
+      }
+    `);
+    expect(mockCallCluster).toHaveBeenCalledWith('shield.createApiKey', {
+      body: {
+        name: 'key-name',
+        role_descriptors: { foo: true },
+        expiration: '1d',
+      },
+    });
+  });
+});
diff --git a/x-pack/plugins/security/server/authentication/api_key.ts b/x-pack/plugins/security/server/authentication/api_key.ts
@@ -0,0 +1,33 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export interface CreateApiKeyOptions {
+  callCluster: any;
+  isSecurityFeatureDisabled: () => boolean;
+  body: {
+    name: string;
+    role_descriptors: Record<string, any>;
+    expiration?: string;
+  };
+}
+
+export interface CreateApiKeyResult {
+  id: string;
+  name: string;
+  expiration?: string;
+  api_key: string;
+}
+
+export async function createApiKey({
+  callCluster,
+  body,
+  isSecurityFeatureDisabled,
+}: CreateApiKeyOptions): Promise<CreateApiKeyResult | null> {
+  if (isSecurityFeatureDisabled()) {
+    return null;
+  }
+  return await callCluster('shield.createApiKey', { body });
+}
diff --git a/x-pack/plugins/security/server/authentication/index.test.ts b/x-pack/plugins/security/server/authentication/index.test.ts
@@ -35,6 +35,7 @@ import { getErrorStatusCode } from '../errors';
 import { LegacyAPI } from '../plugin';
 import { AuthenticationResult } from './authentication_result';
 import { setupAuthentication } from '.';
+import { CreateApiKeyResult, CreateApiKeyOptions } from './api_key';
 
 function mockXPackFeature({ isEnabled = true }: Partial<{ isEnabled: boolean }> = {}) {
   return {
@@ -336,4 +337,57 @@ describe('setupAuthentication()', () => {
       );
     });
   });
+
+  describe('createApiKey()', () => {
+    let createApiKey: (
+      r: KibanaRequest,
+      body: CreateApiKeyOptions['body']
+    ) => Promise<CreateApiKeyResult | null>;
+    beforeEach(async () => {
+      createApiKey = (await setupAuthentication(mockSetupAuthenticationParams)).createApiKey;
+    });
+
+    it('returns `null` if Security is disabled', async () => {
+      mockXpackInfo.feature.mockReturnValue(mockXPackFeature({ isEnabled: false }));
+
+      await expect(
+        createApiKey(httpServerMock.createKibanaRequest(), {
+          name: 'my-key',
+          role_descriptors: {},
+          expiration: '1d',
+        })
+      ).resolves.toBe(null);
+    });
+
+    it('fails if `authenticate` call fails', async () => {
+      const failureReason = new Error('Something went wrong');
+      mockScopedClusterClient.callAsCurrentUser.mockRejectedValue(failureReason);
+
+      await expect(
+        createApiKey(httpServerMock.createKibanaRequest(), {
+          name: 'my-key',
+          role_descriptors: {},
+          expiration: '1d',
+        })
+      ).rejects.toBe(failureReason);
+    });
+
+    it('returns result of `createApiKey` call.', async () => {
+      const mockKey = {
+        id: '123',
+        name: 'my-key',
+        expiration: '1d',
+        api_key: '123abc',
+      };
+      mockScopedClusterClient.callAsCurrentUser.mockResolvedValue(mockKey);
+
+      await expect(
+        createApiKey(httpServerMock.createKibanaRequest(), {
+          name: 'my-key',
+          role_descriptors: {},
+          expiration: '1d',
+        })
+      ).resolves.toBe(mockKey);
+    });
+  });
 });
diff --git a/x-pack/plugins/security/server/authentication/index.ts b/x-pack/plugins/security/server/authentication/index.ts
@@ -16,6 +16,7 @@ import { ConfigType } from '../config';
 import { getErrorStatusCode, wrapError } from '../errors';
 import { Authenticator, ProviderSession } from './authenticator';
 import { LegacyAPI } from '../plugin';
+import { createApiKey, CreateApiKeyOptions } from './api_key';
 
 export { canRedirectRequest } from './can_redirect_request';
 export { Authenticator, ProviderLoginAttempt } from './authenticator';
@@ -134,6 +135,12 @@ export async function setupAuthentication({
     login: authenticator.login.bind(authenticator),
     logout: authenticator.logout.bind(authenticator),
     getCurrentUser,
+    createApiKey: (request: KibanaRequest, body: CreateApiKeyOptions['body']) =>
+      createApiKey({
+        body,
+        isSecurityFeatureDisabled,
+        callCluster: clusterClient.asScoped(request).callAsCurrentUser,
+      }),
     isAuthenticated: async (request: KibanaRequest) => {
       try {
         await getCurrentUser(request);

diff --git a/x-pack/plugins/security/server/plugin.test.ts b/x-pack/plugins/security/server/plugin.test.ts
@@ -36,6 +36,7 @@ describe('Security Plugin', () => {
       await expect(plugin.setup(mockCoreSetup)).resolves.toMatchInlineSnapshot(`
               Object {
                 "authc": Object {
+                  "createApiKey": [Function],
                   "getCurrentUser": [Function],
                   "isAuthenticated": [Function],
                   "login": [Function],