Improve efficiency of querying API key for user profile retrieval (elastic#260410)

## Summary

Implementation of a couple of recent features required querying for API
keys to retrieve user profile information. The `getApiKey` API calls now
pass the ID of the specific API key in the request header, which
eliminates the possibility that a large number of keys will be retrieved
regardless of the API key's granted privileges.

### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [ ] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.

This PR was partially created with AI.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>

Author: jeramysoucy

src/core/packages/security/server/index.ts

@@ -31,7 +31,12 @@ export type { AuditLogger } from './src/audit_logging/audit_logger';
 export type * from './src/authentication';
 
 export type { KibanaPrivilegesType, ElasticsearchPrivilegesType } from './src/roles';
-export { isCreateRestAPIKeyParams, HTTPAuthorizationHeader } from './src/authentication';
+export {
+  isCreateRestAPIKeyParams,
+  extractApiKeyIdFromAuthzHeader,
+  decodeApiKeyId,
+  HTTPAuthorizationHeader,
+} from './src/authentication';
 export { isUiamCredential } from './src/uiam';
 export type { CoreFipsService } from './src/fips';
 export { AuthzDisabled, AuthzOptOutReason, unwindNestedSecurityPrivileges } from './src/authz';

src/core/packages/security/server/src/authentication/api_keys/index.ts

@@ -30,6 +30,7 @@ export type {
 } from './api_keys';
 export type { NativeAPIKeysWithContextType } from './api_keys_context';
 export { isCreateRestAPIKeyParams } from './api_keys';
+export { extractApiKeyIdFromAuthzHeader, decodeApiKeyId } from './utils';
 
 export type {
   UiamAPIKeysType,

src/core/packages/security/server/src/authentication/api_keys/utils.test.ts

@@ -0,0 +1,78 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { extractApiKeyIdFromAuthzHeader, decodeApiKeyId } from './utils';
+
+describe('extractApiKeyIdFromAuthzHeader', () => {
+  it('returns the API key ID from a valid ApiKey authorization header', () => {
+    const id = 'my-api-key-id';
+    const secret = 'my-api-key-secret';
+    const encoded = Buffer.from(`${id}:${secret}`).toString('base64');
+    expect(extractApiKeyIdFromAuthzHeader(`ApiKey ${encoded}`)).toBe(id);
+  });
+
+  it('is case-insensitive for the ApiKey prefix', () => {
+    const id = 'test-id';
+    const encoded = Buffer.from(`${id}:secret`).toString('base64');
+    expect(extractApiKeyIdFromAuthzHeader(`apikey ${encoded}`)).toBe(id);
+    expect(extractApiKeyIdFromAuthzHeader(`APIKEY ${encoded}`)).toBe(id);
+    expect(extractApiKeyIdFromAuthzHeader(`aPiKeY ${encoded}`)).toBe(id);
+  });
+
+  it('returns undefined when the header is undefined', () => {
+    expect(extractApiKeyIdFromAuthzHeader(undefined)).toBeUndefined();
+  });
+
+  it('returns undefined when the header is an array', () => {
+    expect(extractApiKeyIdFromAuthzHeader(['ApiKey abc'])).toBeUndefined();
+  });
+
+  it('returns undefined when the header does not start with ApiKey prefix', () => {
+    expect(extractApiKeyIdFromAuthzHeader('Bearer some-token')).toBeUndefined();
+    expect(extractApiKeyIdFromAuthzHeader('Basic dXNlcjpwYXNz')).toBeUndefined();
+  });
+
+  it('returns the ID when there is no colon in the decoded value', () => {
+    const encoded = Buffer.from('just-an-id').toString('base64');
+    expect(extractApiKeyIdFromAuthzHeader(`ApiKey ${encoded}`)).toBe('just-an-id');
+  });
+
+  it('returns undefined when the decoded ID is empty', () => {
+    const encoded = Buffer.from(':secret').toString('base64');
+    expect(extractApiKeyIdFromAuthzHeader(`ApiKey ${encoded}`)).toBeUndefined();
+  });
+});
+
+describe('decodeApiKeyId', () => {
+  it('returns the API key ID from a base64-encoded api key', () => {
+    const id = 'my-api-key-id';
+    const secret = 'my-api-key-secret';
+    const encoded = Buffer.from(`${id}:${secret}`).toString('base64');
+    expect(decodeApiKeyId(encoded)).toBe(id);
+  });
+
+  it('returns the full decoded value when there is no colon', () => {
+    const encoded = Buffer.from('just-an-id').toString('base64');
+    expect(decodeApiKeyId(encoded)).toBe('just-an-id');
+  });
+
+  it('returns undefined when the decoded ID is empty', () => {
+    const encoded = Buffer.from(':secret').toString('base64');
+    expect(decodeApiKeyId(encoded)).toBeUndefined();
+  });
+
+  it('returns undefined for an empty string', () => {
+    expect(decodeApiKeyId('')).toBeUndefined();
+  });
+
+  it('returns undefined when the decoded ID is only whitespace', () => {
+    const encoded = Buffer.from('  :secret').toString('base64');
+    expect(decodeApiKeyId(encoded)).toBeUndefined();
+  });
+});

src/core/packages/security/server/src/authentication/api_keys/utils.ts

@@ -0,0 +1,28 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+export const extractApiKeyIdFromAuthzHeader = (
+  authorizationHeader: string | string[] | undefined
+): string | undefined => {
+  if (typeof authorizationHeader !== 'string') {
+    return undefined;
+  }
+  const prefix = 'apikey ';
+  if (!authorizationHeader.toLowerCase().startsWith(prefix)) {
+    return undefined;
+  }
+  const encodedApiKey = authorizationHeader.slice(prefix.length);
+  return decodeApiKeyId(encodedApiKey);
+};
+
+export const decodeApiKeyId = (encodedApiKey: string): string | undefined => {
+  const decoded = Buffer.from(encodedApiKey, 'base64').toString();
+  const [id] = decoded.split(':');
+  return id.trim() === '' ? undefined : id;
+};

src/core/packages/security/server/src/authentication/index.ts

@@ -37,4 +37,8 @@ export type {
 } from './api_keys';
 
 export { HTTPAuthorizationHeader } from './http_authentication';
-export { isCreateRestAPIKeyParams } from './api_keys';
+export {
+  isCreateRestAPIKeyParams,
+  extractApiKeyIdFromAuthzHeader,
+  decodeApiKeyId,
+} from './api_keys';

x-pack/platform/plugins/shared/actions/moon.yml

@@ -65,6 +65,7 @@ dependsOn:
   - '@kbn/actions-utils'
   - '@kbn/encrypted-saved-objects-shared'
   - '@kbn/usage-api-plugin'
+  - '@kbn/core-security-server'
 tags:
   - plugin
   - prod

x-pack/platform/plugins/shared/actions/server/plugin.ts

@@ -5,6 +5,7 @@
  * 2.0.
  */
 
+import { extractApiKeyIdFromAuthzHeader } from '@kbn/core-security-server';
 import type { PublicMethodsOf, Writable } from '@kbn/utility-types';
 import type { UsageCollectionSetup, UsageCounter } from '@kbn/usage-collection-plugin/server';
 import type {
@@ -662,14 +663,23 @@ export class ActionsPlugin
       request: KibanaRequest
     ): Promise<string | undefined> => {
       try {
+        const id = extractApiKeyIdFromAuthzHeader(request.headers.authorization);
+        if (!id) {
+          this.logger.debug(`Failed to decode API key ID from Authorization header.`);
+          return undefined;
+        }
+
         const response = await core.elasticsearch.client
           .asScoped(request)
           .asCurrentUser.security.getApiKey({
             with_profile_uid: true,
+            id,
           });
+
         if (response.api_keys && response.api_keys.length > 0) {
           return response.api_keys[0].profile_uid;
         }
+
         logger.debug(
           `No API keys were returned from query, cannot retrieve associated profile id.`
         );

x-pack/platform/plugins/shared/actions/tsconfig.json

@@ -59,6 +59,7 @@
     "@kbn/actions-utils",
     "@kbn/encrypted-saved-objects-shared",
     "@kbn/usage-api-plugin",
+    "@kbn/core-security-server",
   ],
   "exclude": [
     "target/**/*",

x-pack/platform/plugins/shared/security/server/user_profile/user_profile_service.test.ts

@@ -445,11 +445,15 @@ describe('UserProfileService', () => {
 
     describe(`with api key`, () => {
       const testApiKeyValue = 'some-api-key-value';
+      const testApiKeyId = 'some-api-key-id';
+      const testEncodedApiKey = Buffer.from(`${testApiKeyId}:${testApiKeyValue}`).toString(
+        'base64'
+      );
       let mockApiKeyRequest: ReturnType<typeof httpServerMock.createKibanaRequest>;
 
       beforeEach(() => {
         mockApiKeyRequest = httpServerMock.createKibanaRequest({
-          headers: { authorization: `apikey ${testApiKeyValue}` },
+          headers: { authorization: `apikey ${testEncodedApiKey}` },
         });
       });
 
@@ -469,7 +473,10 @@ describe('UserProfileService', () => {
         ).toHaveBeenCalledTimes(1);
         expect(
           mockStartParams.clusterClient.asScoped().asCurrentUser.security.getApiKey
-        ).toHaveBeenCalledWith({ with_profile_uid: true });
+        ).toHaveBeenCalledWith({
+          with_profile_uid: true,
+          id: testApiKeyId,
+        });
 
         expect(
           mockStartParams.clusterClient.asInternalUser.security.activateUserProfile
@@ -499,7 +506,10 @@ describe('UserProfileService', () => {
         expect(mockStartParams.clusterClient.asScoped).toBeCalledWith(mockApiKeyRequest);
         expect(
           mockStartParams.clusterClient.asScoped().asCurrentUser.security.getApiKey
-        ).toHaveBeenCalledWith({ with_profile_uid: true });
+        ).toHaveBeenCalledWith({
+          with_profile_uid: true,
+          id: testApiKeyId,
+        });
 
         expect(
           mockStartParams.clusterClient.asInternalUser.security.activateUserProfile
@@ -533,7 +543,10 @@ describe('UserProfileService', () => {
         expect(mockStartParams.clusterClient.asScoped).toBeCalledWith(mockApiKeyRequest);
         expect(
           mockStartParams.clusterClient.asScoped().asCurrentUser.security.getApiKey
-        ).toHaveBeenCalledWith({ with_profile_uid: true });
+        ).toHaveBeenCalledWith({
+          with_profile_uid: true,
+          id: testApiKeyId,
+        });
 
         expect(
           mockStartParams.clusterClient.asInternalUser.security.activateUserProfile
@@ -596,7 +609,10 @@ describe('UserProfileService', () => {
         expect(mockStartParams.clusterClient.asScoped).toBeCalledWith(mockApiKeyRequest);
         expect(
           mockStartParams.clusterClient.asScoped().asCurrentUser.security.getApiKey
-        ).toHaveBeenCalledWith({ with_profile_uid: true });
+        ).toHaveBeenCalledWith({
+          with_profile_uid: true,
+          id: testApiKeyId,
+        });
 
         expect(
           mockStartParams.clusterClient.asInternalUser.security.getUserProfile

x-pack/platform/plugins/shared/security/server/user_profile/user_profile_service.ts

@@ -12,6 +12,7 @@ import type {
 import pLimit from 'p-limit';
 
 import type { IClusterClient, Logger } from '@kbn/core/server';
+import { extractApiKeyIdFromAuthzHeader } from '@kbn/core-security-server';
 import type {
   CheckUserProfilesPrivilegesResponse,
   UserProfileBulkGetParams,
@@ -288,8 +289,15 @@ export class UserProfileService {
     request: UserProfileGetCurrentParams['request']
   ): Promise<string | undefined> {
     try {
+      const id = extractApiKeyIdFromAuthzHeader(request.headers.authorization);
+      if (!id) {
+        this.logger.debug(`Failed to decode API key ID from Authorization header.`);
+        return undefined;
+      }
+
       const response = await clusterClient.asScoped(request).asCurrentUser.security.getApiKey({
         with_profile_uid: true,
+        id,
       });
 
       if (response.api_keys && response.api_keys.length > 0) {