Merge branch 'main' into file-delivery-order

Author: juliaElastic

changelog/fragments/1707997503-429-es-error.yaml

@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: enhancement
+
+# Change summary; a 80ish characters long description of the change.
+summary: Respond with 429 if elasticsearch API key auth gives 429
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component:
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: 3278
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+# issue: https://github.com/owner/repo/1234

internal/pkg/api/auth.go

@@ -7,7 +7,6 @@ package api
 
 import (
 	"errors"
-	"fmt"
 	"net/http"
 	"time"
 
@@ -60,7 +59,7 @@ func authAPIKey(r *http.Request, bulker bulk.Bulk, c cache.Cache) (*apikey.APIKe
 			Str(LogAPIKeyID, key.ID).
 			Int64(ECSEventDuration, time.Since(start).Nanoseconds()).
 			Msg("ApiKey fail authentication")
-		return nil, fmt.Errorf("%w: %w", apikey.ErrUnauthorized, err)
+		return nil, err
 	}
 
 	hlog.FromRequest(r).Debug().

internal/pkg/api/error.go

@@ -137,6 +137,15 @@ func NewHTTPErrResp(err error) HTTPErrResp {
 				zerolog.WarnLevel,
 			},
 		},
+		{
+			apikey.ErrElasticsearchAuthLimit,
+			HTTPErrResp{
+				http.StatusTooManyRequests,
+				"ElasticsearchAPIKeyAuthLimit",
+				"exceeded the elasticsearch api key auth limit",
+				zerolog.WarnLevel,
+			},
+		},
 		{
 			os.ErrDeadlineExceeded,
 			HTTPErrResp{

internal/pkg/apikey/auth.go

@@ -15,7 +15,8 @@ import (
 )
 
 var (
-	ErrUnauthorized = errors.New("unauthorized")
+	ErrUnauthorized           = errors.New("unauthorized")
+	ErrElasticsearchAuthLimit = errors.New("elasticsearch auth limit")
 )
 
 // SecurityInfo contains all related information about an APIKey that Elasticsearch tracks.
@@ -51,7 +52,11 @@ func (k APIKey) Authenticate(ctx context.Context, es *elasticsearch.Client) (*Se
 	}
 
 	if res.IsError() {
-		return nil, fmt.Errorf("%w: %w", ErrUnauthorized, fmt.Errorf("apikey auth response %s: %s", k.ID, res.String()))
+		returnError := ErrUnauthorized
+		if res.StatusCode == 429 {
+			returnError = ErrElasticsearchAuthLimit
+		}
+		return nil, fmt.Errorf("%w: %w", returnError, fmt.Errorf("apikey auth response %s: %s", k.ID, res.String()))
 	}
 
 	var info SecurityInfo

internal/pkg/apikey/auth_test.go

@@ -0,0 +1,46 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package apikey
+
+import (
+	"context"
+	"encoding/base64"
+	"net/http"
+	"testing"
+
+	"github.com/elastic/fleet-server/v7/internal/pkg/testing/esutil"
+	"github.com/elastic/go-elasticsearch/v8"
+	"github.com/stretchr/testify/assert"
+)
+
+const (
+	rawToken = " foo:bar"
+)
+
+func setup(t *testing.T, statusCode int) (context.Context, *APIKey, *elasticsearch.Client) {
+	token := base64.StdEncoding.EncodeToString([]byte(rawToken))
+	apiKey, err := NewAPIKeyFromToken(token)
+	assert.NoError(t, err)
+	ctx := context.Background()
+
+	mockES, mockTransport := esutil.MockESClient(t)
+	mockTransport.RoundTripFn = func(req *http.Request) (*http.Response, error) { return &http.Response{StatusCode: statusCode}, nil }
+
+	return ctx, apiKey, mockES
+}
+
+func TestAuth429(t *testing.T) {
+	ctx, apiKey, mockES := setup(t, 429)
+	_, err := apiKey.Authenticate(ctx, mockES)
+
+	assert.Equal(t, "elasticsearch auth limit: apikey auth response  foo: [429 Too Many Requests] ", err.Error())
+}
+
+func TestAuth401(t *testing.T) {
+	ctx, apiKey, mockES := setup(t, 401)
+	_, err := apiKey.Authenticate(ctx, mockES)
+
+	assert.Equal(t, "unauthorized: apikey auth response  foo: [401 Unauthorized] ", err.Error())
+}