HLRC: Add InvalidateToken security API (#35114)

This change adds the Invalidate Token API
(DELETE /_xpack/security/oauth2/token) to the Elasticsearch
High Level Rest Client.

Relates: #29827

Author: tvernum

client/rest-high-level/src/main/java/org/elasticsearch/client/SecurityClient.java

@@ -40,6 +40,8 @@
 import org.elasticsearch.client.security.GetRoleMappingsResponse;
 import org.elasticsearch.client.security.GetSslCertificatesRequest;
 import org.elasticsearch.client.security.GetSslCertificatesResponse;
+import org.elasticsearch.client.security.InvalidateTokenRequest;
+import org.elasticsearch.client.security.InvalidateTokenResponse;
 import org.elasticsearch.client.security.PutRoleMappingRequest;
 import org.elasticsearch.client.security.PutRoleMappingResponse;
 import org.elasticsearch.client.security.PutUserRequest;
@@ -440,4 +442,35 @@ public void createTokenAsync(CreateTokenRequest request, RequestOptions options,
         restHighLevelClient.performRequestAsyncAndParseEntity(request, SecurityRequestConverters::createToken, options,
             CreateTokenResponse::fromXContent, listener, emptySet());
     }
+
+    /**
+     * Invalidates an OAuth2 token.
+     * See <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-invalidate-token.html">
+     * the docs</a> for more.
+     *
+     * @param request the request to invalidate the token
+     * @param options the request options (e.g. headers), use {@link RequestOptions#DEFAULT} if nothing needs to be customized
+     * @return the response from the create token call
+     * @throws IOException in case there is a problem sending the request or parsing back the response
+     */
+    public InvalidateTokenResponse invalidateToken(InvalidateTokenRequest request, RequestOptions options) throws IOException {
+        return restHighLevelClient.performRequestAndParseEntity(request, SecurityRequestConverters::invalidateToken, options,
+            InvalidateTokenResponse::fromXContent, emptySet());
+    }
+
+    /**
+     * Asynchronously invalidates an OAuth2 token.
+     * See <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-invalidate-token.html">
+     * the docs</a> for more.
+     *
+     * @param request the request to invalidate the token
+     * @param options the request options (e.g. headers), use {@link RequestOptions#DEFAULT} if nothing needs to be customized
+     * @param listener the listener to be notified upon request completion
+     */
+    public void invalidateTokenAsync(InvalidateTokenRequest request, RequestOptions options,
+                                     ActionListener<InvalidateTokenResponse> listener) {
+        restHighLevelClient.performRequestAsyncAndParseEntity(request, SecurityRequestConverters::invalidateToken, options,
+            InvalidateTokenResponse::fromXContent, listener, emptySet());
+    }
+
 }

client/rest-high-level/src/main/java/org/elasticsearch/client/SecurityRequestConverters.java

@@ -28,6 +28,7 @@
 import org.elasticsearch.client.security.CreateTokenRequest;
 import org.elasticsearch.client.security.DeleteRoleMappingRequest;
 import org.elasticsearch.client.security.DeleteRoleRequest;
+import org.elasticsearch.client.security.InvalidateTokenRequest;
 import org.elasticsearch.client.security.PutRoleMappingRequest;
 import org.elasticsearch.client.security.DisableUserRequest;
 import org.elasticsearch.client.security.EnableUserRequest;
@@ -165,4 +166,10 @@ static Request createToken(CreateTokenRequest createTokenRequest) throws IOExcep
         request.setEntity(createEntity(createTokenRequest, REQUEST_BODY_CONTENT_TYPE));
         return request;
     }
+
+    static Request invalidateToken(InvalidateTokenRequest invalidateTokenRequest) throws IOException {
+        Request request = new Request(HttpDelete.METHOD_NAME, "/_xpack/security/oauth2/token");
+        request.setEntity(createEntity(invalidateTokenRequest, REQUEST_BODY_CONTENT_TYPE));
+        return request;
+    }
 }

client/rest-high-level/src/main/java/org/elasticsearch/client/security/InvalidateTokenRequest.java

@@ -0,0 +1,102 @@
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.elasticsearch.client.security;
+
+import org.elasticsearch.client.Validatable;
+import org.elasticsearch.common.Nullable;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.xcontent.ToXContentObject;
+import org.elasticsearch.common.xcontent.XContentBuilder;
+
+import java.io.IOException;
+import java.util.Objects;
+
+/**
+ * Request to invalidate a OAuth2 token within the Elasticsearch cluster.
+ */
+public final class InvalidateTokenRequest implements Validatable, ToXContentObject {
+
+    private final String accessToken;
+    private final String refreshToken;
+
+    InvalidateTokenRequest(@Nullable String accessToken, @Nullable String refreshToken) {
+        if (Strings.isNullOrEmpty(accessToken)) {
+            if (Strings.isNullOrEmpty(refreshToken)) {
+                throw new IllegalArgumentException("Either access-token or refresh-token is required");
+            }
+        } else if (Strings.isNullOrEmpty(refreshToken) == false) {
+            throw new IllegalArgumentException("Cannot supply both access-token and refresh-token");
+        }
+        this.accessToken = accessToken;
+        this.refreshToken = refreshToken;
+    }
+
+    public static InvalidateTokenRequest accessToken(String accessToken) {
+        if (Strings.isNullOrEmpty(accessToken)) {
+            throw new IllegalArgumentException("token is required");
+        }
+        return new InvalidateTokenRequest(accessToken, null);
+    }
+
+    public static InvalidateTokenRequest refreshToken(String refreshToken) {
+        if (Strings.isNullOrEmpty(refreshToken)) {
+            throw new IllegalArgumentException("refresh_token is required");
+        }
+        return new InvalidateTokenRequest(null, refreshToken);
+    }
+
+    public String getAccessToken() {
+        return accessToken;
+    }
+
+    public String getRefreshToken() {
+        return refreshToken;
+    }
+
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+        builder.startObject();
+        if (accessToken != null) {
+            builder.field("token", accessToken);
+        }
+        if (refreshToken != null) {
+            builder.field("refresh_token", refreshToken);
+        }
+        return builder.endObject();
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        final InvalidateTokenRequest that = (InvalidateTokenRequest) o;
+        return Objects.equals(this.accessToken, that.accessToken) &&
+            Objects.equals(this.refreshToken, that.refreshToken);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(accessToken, refreshToken);
+    }
+}

client/rest-high-level/src/main/java/org/elasticsearch/client/security/InvalidateTokenResponse.java

@@ -0,0 +1,74 @@
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.elasticsearch.client.security;
+
+import org.elasticsearch.common.ParseField;
+import org.elasticsearch.common.xcontent.ConstructingObjectParser;
+import org.elasticsearch.common.xcontent.XContentParser;
+
+import java.io.IOException;
+import java.util.Objects;
+
+import static org.elasticsearch.common.xcontent.ConstructingObjectParser.constructorArg;
+
+/**
+ * Response when invalidating an OAuth2 token. Returns a
+ * single boolean field for whether the invalidation record was created or updated.
+ */
+public final class InvalidateTokenResponse {
+
+    private final boolean created;
+
+    public InvalidateTokenResponse(boolean created) {
+        this.created = created;
+    }
+
+    public boolean isCreated() {
+        return created;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        InvalidateTokenResponse that = (InvalidateTokenResponse) o;
+        return created == that.created;
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(created);
+    }
+
+    private static final ConstructingObjectParser<InvalidateTokenResponse, Void> PARSER = new ConstructingObjectParser<>(
+        "invalidate_token_response", true, args -> new InvalidateTokenResponse((boolean) args[0]));
+
+    static {
+        PARSER.declareBoolean(constructorArg(), new ParseField("created"));
+    }
+
+    public static InvalidateTokenResponse fromXContent(XContentParser parser) throws IOException {
+        return PARSER.parse(parser, null);
+    }
+}