Support prefix search for API key names (#59113)

This PR adds minimum support for prefix search of API Key name. It only touches API key name and leave all other query parameters, e.g. realm name, username unchanged.

x-pack/docs/en/rest-api/security/get-api-keys.asciidoc

@@ -30,12 +30,12 @@ The following parameters can be specified in the query parameters of a GET reque
 pertain to retrieving api keys:
 
 `id`::
-(Optional, string) An API key id. This parameter cannot be used with any of 
+(Optional, string) An API key id. This parameter cannot be used with any of
 `name`, `realm_name` or `username` are used.
 
 `name`::
 (Optional, string) An API key name. This parameter cannot be used with any of
-`id`, `realm_name` or `username` are used.
+`id`, `realm_name` or `username` are used. It supports prefix search with wildcard.
 
 `realm_name`::
 (Optional, string) The name of an authentication realm. This parameter cannot be
@@ -47,7 +47,7 @@ either `id` or `name` or when `owner` flag is set to `true`.
 
 `owner`::
 (Optional, boolean) A boolean flag that can be used to query API keys owned
-by the currently authenticated user. Defaults to false. 
+by the currently authenticated user. Defaults to false.
 The 'realm_name' or 'username' parameters cannot be specified when this
 parameter is set to 'true' as they are assumed to be the currently authenticated ones.
 
@@ -101,6 +101,14 @@ GET /_security/api_key?name=my-api-key
 --------------------------------------------------
 // TEST[continued]
 
+API key name supports prefix search by using wildcard:
+
+[source,console]
+--------------------------------------------------
+GET /_security/api_key?name=my-*
+--------------------------------------------------
+// TEST[continued]
+
 The following example retrieves all API keys for the `native1` realm:
 
 [source,console]

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java

@@ -820,8 +820,12 @@ public class ApiKeyService {
             if (Strings.hasText(userName)) {
                 boolQuery.filter(QueryBuilders.termQuery("creator.principal", userName));
             }
-            if (Strings.hasText(apiKeyName)) {
-                boolQuery.filter(QueryBuilders.termQuery("name", apiKeyName));
+            if (Strings.hasText(apiKeyName) && "*".equals(apiKeyName) == false) {
+                if (apiKeyName.endsWith("*")) {
+                    boolQuery.filter(QueryBuilders.prefixQuery("name", apiKeyName.substring(0, apiKeyName.length() - 1)));
+                } else {
+                    boolQuery.filter(QueryBuilders.termQuery("name", apiKeyName));
+                }
             }
             if (Strings.hasText(apiKeyId)) {
                 boolQuery.filter(QueryBuilders.termQuery("_id", apiKeyId));

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyIntegTests.java

@@ -535,13 +535,42 @@ public class ApiKeyIntegTests extends SecurityIntegTestCase {
     }
 
     public void testGetApiKeysForApiKeyName() throws InterruptedException, ExecutionException {
-        List<CreateApiKeyResponse> responses = createApiKeys(1, null);
-        Client client = client().filterWithHeader(Collections.singletonMap("Authorization", UsernamePasswordToken
-                .basicAuthHeaderValue(SecuritySettingsSource.TEST_SUPERUSER, SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING)));
+        final Map<String, String> headers = Collections.singletonMap(
+            "Authorization",
+            UsernamePasswordToken.basicAuthHeaderValue(
+                SecuritySettingsSource.TEST_SUPERUSER,
+                SecuritySettingsSourceField.TEST_PASSWORD_SECURE_STRING));
+
+        final int noOfApiKeys = randomIntBetween(1, 3);
+        final List<CreateApiKeyResponse> createApiKeyResponses1 = createApiKeys(noOfApiKeys, null);
+        final List<CreateApiKeyResponse> createApiKeyResponses2 = createApiKeys(
+            headers, noOfApiKeys, "another-test-key-", null, "monitor");
+
+        Client client = client().filterWithHeader(headers);
         PlainActionFuture<GetApiKeyResponse> listener = new PlainActionFuture<>();
+        List<CreateApiKeyResponse> responses = randomFrom(createApiKeyResponses1, createApiKeyResponses2);
         client.execute(GetApiKeyAction.INSTANCE, GetApiKeyRequest.usingApiKeyName(responses.get(0).getName(), false), listener);
-        GetApiKeyResponse response = listener.get();
-        verifyGetResponse(1, responses, response, Collections.singleton(responses.get(0).getId()), null);
+        verifyGetResponse(1, responses, listener.get(), Collections.singleton(responses.get(0).getId()), null);
+
+        PlainActionFuture<GetApiKeyResponse> listener2 = new PlainActionFuture<>();
+        client.execute(GetApiKeyAction.INSTANCE, GetApiKeyRequest.usingApiKeyName("test-key*", false), listener2);
+        verifyGetResponse(noOfApiKeys, createApiKeyResponses1, listener2.get(),
+            createApiKeyResponses1.stream().map(CreateApiKeyResponse::getId).collect(Collectors.toSet()), null);
+
+        PlainActionFuture<GetApiKeyResponse> listener3 = new PlainActionFuture<>();
+        client.execute(GetApiKeyAction.INSTANCE, GetApiKeyRequest.usingApiKeyName("*", false), listener3);
+        responses = Stream.concat(createApiKeyResponses1.stream(), createApiKeyResponses2.stream()).collect(Collectors.toList());
+        verifyGetResponse(2 * noOfApiKeys, responses, listener3.get(),
+            responses.stream().map(CreateApiKeyResponse::getId).collect(Collectors.toSet()), null);
+
+        PlainActionFuture<GetApiKeyResponse> listener4 = new PlainActionFuture<>();
+        client.execute(GetApiKeyAction.INSTANCE, GetApiKeyRequest.usingApiKeyName("does-not-exist*", false), listener4);
+        verifyGetResponse(0, Collections.emptyList(), listener4.get(), Collections.emptySet(), null);
+
+        PlainActionFuture<GetApiKeyResponse> listener5 = new PlainActionFuture<>();
+        client.execute(GetApiKeyAction.INSTANCE, GetApiKeyRequest.usingApiKeyName("another-test-key*", false), listener5);
+        verifyGetResponse(noOfApiKeys, createApiKeyResponses2, listener5.get(),
+            createApiKeyResponses2.stream().map(CreateApiKeyResponse::getId).collect(Collectors.toSet()), null);
     }
 
     public void testGetApiKeysOwnedByCurrentAuthenticatedUser() throws InterruptedException, ExecutionException {
@@ -966,12 +995,17 @@ public class ApiKeyIntegTests extends SecurityIntegTestCase {
 
     private List<CreateApiKeyResponse> createApiKeys(Map<String, String> headers,
         int noOfApiKeys, TimeValue expiration, String... clusterPrivileges) {
+        return createApiKeys(headers, noOfApiKeys, "test-key-", expiration, clusterPrivileges);
+    }
+
+    private List<CreateApiKeyResponse> createApiKeys(Map<String, String> headers,
+        int noOfApiKeys, String namePrefix, TimeValue expiration, String... clusterPrivileges) {
         List<CreateApiKeyResponse> responses = new ArrayList<>();
         for (int i = 0; i < noOfApiKeys; i++) {
             final RoleDescriptor descriptor = new RoleDescriptor("role", clusterPrivileges, null, null);
             Client client = client().filterWithHeader(headers);
             final CreateApiKeyResponse response = new CreateApiKeyRequestBuilder(client)
-                .setName("test-key-" + randomAlphaOfLengthBetween(5, 9) + i).setExpiration(expiration)
+                .setName(namePrefix + randomAlphaOfLengthBetween(5, 9) + i).setExpiration(expiration)
                 .setRoleDescriptors(Collections.singletonList(descriptor)).get();
             assertNotNull(response.getId());
             assertNotNull(response.getKey());