Fix type issues in security APIs

Author: sethmlarson

output/schema/schema.json

@@ -17,8 +17,12 @@
  * under the License.
  */
 
+import { Role } from '@security/get_role/types'
+import { Dictionary } from '@spec_utils/Dictionary'
 import { Id, Metadata, Name, Username } from '@_types/common'
 import { long } from '@_types/Numeric'
+import { SortResults } from '@_types/sort'
+import { RoleDescriptor } from './RoleDescriptor'
 
 export class ApiKey {
   creation?: long
@@ -30,4 +34,8 @@ export class ApiKey {
   username?: Username
   /** @since 7.13.0 */
   metadata?: Metadata
+  role_descriptors?: Dictionary<string, RoleDescriptor>
+  /** @since 8.5.0 */
+  limited_by?: Array<Dictionary<string, RoleDescriptor>>
+  _sort?: SortResults
 }

output/schema/validation-errors.json

@@ -18,6 +18,7 @@
  */
 
 import { Metadata, Name, Username } from '@_types/common'
+import { UserProfileId } from './UserProfile'
 
 export class User {
   email?: string | null
@@ -26,4 +27,5 @@ export class User {
   roles: string[]
   username: Username
   enabled: boolean
+  profile_uid?: UserProfileId
 }

output/typescript/types.ts

@@ -20,7 +20,6 @@
 import { Dictionary } from '@spec_utils/Dictionary'
 import { UserDefinedValue } from '@spec_utils/UserDefinedValue'
 import { Username, Name } from '@_types/common'
-import { Metadata } from '@_types/common'
 import { long } from '@_types/Numeric'
 import { SequenceNumber } from '@_types/common'
 

specification/security/_types/ApiKey.ts

@@ -32,5 +32,14 @@ export interface Request extends RequestBase {
     owner?: boolean
     realm_name?: Name
     username?: Username
+    /**
+     * Return the snapshot of the owner user's role descriptors
+     * associated with the API key. An API key's actual
+     * permission is the intersection of its assigned role
+     * descriptors and the owner user's role descriptors.
+     * @server_default false
+     * @since 8.5.0
+     */
+    with_limited_by?: boolean
   }
 }

specification/security/_types/User.ts

@@ -30,4 +30,12 @@ export interface Request extends RequestBase {
     /** An identifier for the user. You can specify multiple usernames as a comma-separated list. If you omit this parameter, the API retrieves information about all users. */
     username?: Username | Username[]
   }
+  query_parameters: {
+    /**
+     * If true will return the User Profile ID for a user, if any.
+     * @server_default false
+     * @since 8.5.0
+     */
+    with_profile_uid?: boolean
+  }
 }

specification/security/_types/UserProfile.ts

@@ -32,7 +32,7 @@ export interface Request extends RequestBase {
     /**
      * A unique identifier for the user profile.
      */
-    uid: UserProfileId
+    uid: UserProfileId | UserProfileId[]
   }
   query_parameters: {
     /**

specification/security/get_api_key/SecurityGetApiKeyRequest.ts

@@ -18,8 +18,11 @@
  */
 
 import { UserProfileWithMetadata } from '@security/_types/UserProfile'
-import { Dictionary } from '@spec_utils/Dictionary'
+import { GetUserProfileErrors } from './types'
 
 export class Response {
-  body: Dictionary<string, UserProfileWithMetadata>
+  body: {
+    profiles: UserProfileWithMetadata[]
+    errors?: GetUserProfileErrors
+  }
 }

specification/security/get_user/SecurityGetUserRequest.ts

@@ -0,0 +1,28 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { UserProfileId } from '@security/_types/UserProfile'
+import { Dictionary } from '@spec_utils/Dictionary'
+import { ErrorCause } from '@_types/Errors'
+import { long } from '@_types/Numeric'
+
+export class GetUserProfileErrors {
+  count: long
+  details: Dictionary<UserProfileId, ErrorCause>
+}

specification/security/get_user_profile/Request.ts

@@ -33,5 +33,6 @@ export interface Request extends RequestBase {
     access_token?: string
     username?: Username
     password?: Password
+    run_as?: Username
   }
 }

specification/security/get_user_profile/Response.ts

@@ -26,5 +26,6 @@ export class Response {
     id: Id
     name: Name
     expiration?: EpochTime<UnitMillis>
+    encoded: string
   }
 }

specification/security/get_user_profile/types.ts

@@ -17,15 +17,18 @@
  * under the License.
  */
 
+import { RoleDescriptor } from '@security/_types/RoleDescriptor'
 import { Dictionary } from '@spec_utils/Dictionary'
-import { UserDefinedValue } from '@spec_utils/UserDefinedValue'
-import { Name } from '@_types/common'
-import { Duration } from '@_types/Time'
+import { Metadata, Name } from '@_types/common'
+import { DurationLarge } from '@_types/Time'
 
 export class GrantApiKey {
   name: Name
-  expiration?: Duration
-  role_descriptors?: Dictionary<string, UserDefinedValue>[]
+  expiration?: DurationLarge
+  role_descriptors?:
+    | Dictionary<string, RoleDescriptor>
+    | Dictionary<string, RoleDescriptor>[]
+  metadata?: Metadata
 }
 
 export enum ApiKeyGrantType {

specification/security/grant_api_key/SecurityGrantApiKeyRequest.ts

@@ -18,6 +18,7 @@
  */
 
 import { UserProfileId } from '@security/_types/UserProfile'
+import { HasPrivilegesUserProfileErrors } from './types'
 
 export class Response {
   body: {
@@ -32,6 +33,6 @@ export class Response {
      * or the profile IDs of the users that do not have all the
      * requested privileges. This field is absent if empty.
      */
-    error_uids?: UserProfileId[]
+    errors?: HasPrivilegesUserProfileErrors
   }
 }

specification/security/grant_api_key/SecurityGrantApiKeyResponse.ts

@@ -18,6 +18,10 @@
  */
 
 import { ClusterPrivilege } from '@security/_types/Privileges'
+import { UserProfileId } from '@security/_types/UserProfile'
+import { Dictionary } from '@spec_utils/Dictionary'
+import { ErrorCause } from '@_types/Errors'
+import { long } from '@_types/Numeric'
 import {
   ApplicationPrivilegesCheck,
   IndexPrivilegesCheck
@@ -31,3 +35,8 @@ export class PrivilegesCheck {
   cluster?: ClusterPrivilege[]
   index?: IndexPrivilegesCheck[]
 }
+
+export class HasPrivilegesUserProfileErrors {
+  count: long
+  details: Dictionary<UserProfileId, ErrorCause>
+}

specification/security/grant_api_key/types.ts

@@ -28,6 +28,16 @@ import { Sort, SortResults } from '@_types/sort'
  * @stability stable
  */
 export interface Request extends RequestBase {
+  query_parameters: {
+    /**
+     * Return the snapshot of the owner user's role descriptors
+     * associated with the API key. An API key's actual
+     * permission is the intersection of its assigned role
+     * descriptors and the owner user's role descriptors.
+     * @since 8.5.0
+     */
+    with_limited_by?: boolean
+  }
   body: {
     /**
      * A query to filter which API keys to return.
@@ -48,6 +58,7 @@ export interface Request extends RequestBase {
      * The number of hits to return. By default, you cannot page through more
      * than 10,000 hits using the from and size parameters. To page through more
      * hits, use the search_after parameter.
+     * @server_default false
      * @server_default 10
      */
     size?: integer