Allow users to Update API Keys

docs/user/security/api-keys/index.asciidoc

@@ -24,7 +24,7 @@ image:images/api-keys.png["API Keys UI"]
 === Security privileges
 
 You must have the `manage_security`, `manage_api_key`, or the `manage_own_api_key` 
-cluster privileges to use API keys in {kib}. To manage roles, open the main menu, then click 
+cluster privileges to use API keys in {kib}.  API keys can also be seen in a readonly view with access to the page and the `read_security` cluster privilege. To manage roles, open the main menu, then click 
 *Stack Management > Roles*, or use the <<role-management-api, {kib} Role Management API>>. 
 
 
@@ -45,11 +45,20 @@ curl --location --request GET 'http://localhost:5601/api/security/role' \
 --header 'kbn-xsrf: true' \
 --header 'Authorization: ApiKey aVZlLUMzSUJuYndxdDJvN0k1bU46aGxlYUpNS2lTa2FKeVZua1FnY1VEdw==' \
 
+
 [IMPORTANT]
 ============================================================================
 API keys are intended for programmatic access to {kib} and {es}. Do not use API keys to authenticate access via a web browser.
 ============================================================================
 
+[float]
+[[udpate-api-key]]
+=== Update an API key
+
+To update an API key, open the main menu, click *Stack Management > API Keys*, and then click on the name of the key.
+
+You can only update the `Restrict privileges` and `metadata` fields.
+
 [float]
 [[view-api-keys]]
 === View and delete API keys
@@ -62,6 +71,3 @@ created by which user in which realm.
 If you have only the `manage_own_api_key` permission, you see only a list of your own keys.
 
 You can delete API keys individually or in bulk.
-
-You cannot modify an API key. If you need additional privileges,
-you must create a new key with the desired configuration and invalidate the old key.

x-pack/plugins/security/common/model/api_key.ts

@@ -16,6 +16,7 @@ export interface ApiKey {
   expiration: number;
   invalidated: boolean;
   metadata: Record<string, any>;
+  role_descriptors?: Record<string, any>;
 }
 
 export interface ApiKeyToInvalidate {

x-pack/plugins/security/public/components/form_flyout.tsx

@@ -34,6 +34,7 @@ export interface FormFlyoutProps extends Omit<EuiFlyoutProps, 'onClose'> {
   submitButtonColor?: EuiButtonProps['color'];
   isLoading?: EuiButtonProps['isLoading'];
   isDisabled?: EuiButtonProps['isDisabled'];
+  isSubmitButtonHidden?: boolean;
 }
 
 export const FormFlyout: FunctionComponent<FormFlyoutProps> = ({
@@ -44,6 +45,7 @@ export const FormFlyout: FunctionComponent<FormFlyoutProps> = ({
   onSubmit,
   isLoading,
   isDisabled,
+  isSubmitButtonHidden,
   children,
   initialFocus,
   ...rest
@@ -80,18 +82,20 @@ export const FormFlyout: FunctionComponent<FormFlyoutProps> = ({
                 />
               </EuiButtonEmpty>
             </EuiFlexItem>
-            <EuiFlexItem grow={false}>
-              <EuiButton
-                data-test-subj="formFlyoutSubmitButton"
-                isLoading={isLoading}
-                isDisabled={isDisabled}
-                color={submitButtonColor}
-                fill
-                onClick={onSubmit}
-              >
-                {submitButtonText}
-              </EuiButton>
-            </EuiFlexItem>
+            {!isSubmitButtonHidden && (
+              <EuiFlexItem grow={false}>
+                <EuiButton
+                  data-test-subj="formFlyoutSubmitButton"
+                  isLoading={isLoading}
+                  isDisabled={isDisabled}
+                  color={submitButtonColor}
+                  fill
+                  onClick={onSubmit}
+                >
+                  {submitButtonText}
+                </EuiButton>
+              </EuiFlexItem>
+            )}
           </EuiFlexGroup>
         </EuiFlyoutFooter>
       </EuiFlyout>

x-pack/plugins/security/public/management/api_keys/api_keys_api_client.mock.ts

@@ -11,5 +11,6 @@ export const apiKeysAPIClientMock = {
     getApiKeys: jest.fn(),
     invalidateApiKeys: jest.fn(),
     createApiKey: jest.fn(),
+    updateApiKey: jest.fn(),
   }),
 };

x-pack/plugins/security/public/management/api_keys/api_keys_api_client.test.ts

@@ -100,4 +100,20 @@ describe('APIKeysAPIClient', () => {
       body: JSON.stringify(mockAPIKeys),
     });
   });
+
+  it('updateApiKey() queries correct endpoint', async () => {
+    const httpMock = httpServiceMock.createStartContract();
+
+    const mockResponse = Symbol('mockResponse');
+    httpMock.put.mockResolvedValue(mockResponse);
+
+    const apiClient = new APIKeysAPIClient(httpMock);
+    const mockApiKeyUpdate = { id: 'test_id', metadata: {}, roles_descriptor: {} };
+
+    await expect(apiClient.updateApiKey(mockApiKeyUpdate)).resolves.toBe(mockResponse);
+    expect(httpMock.put).toHaveBeenCalledTimes(1);
+    expect(httpMock.put).toHaveBeenCalledWith('/internal/security/api_key', {
+      body: JSON.stringify(mockApiKeyUpdate),
+    });
+  });
 });

x-pack/plugins/security/public/management/api_keys/api_keys_api_client.ts

@@ -38,6 +38,16 @@ export interface CreateApiKeyResponse {
   api_key: string;
 }
 
+export interface UpdateApiKeyRequest {
+  id: string;
+  role_descriptors?: ApiKeyRoleDescriptors;
+  metadata?: Record<string, any>;
+}
+
+export interface UpdateApiKeyResponse {
+  updated: boolean;
+}
+
 const apiKeysUrl = '/internal/security/api_key';
 
 export class APIKeysAPIClient {
@@ -62,4 +72,10 @@ export class APIKeysAPIClient {
       body: JSON.stringify(apiKey),
     });
   }
+
+  public async updateApiKey(apiKey: UpdateApiKeyRequest) {
+    return await this.http.put<UpdateApiKeyResponse>(apiKeysUrl, {
+      body: JSON.stringify(apiKey),
+    });
+  }
 }