Merge branch 'master' of github.com:elastic/kibana into issue-36825-m…

…ultiple-cookies

.ci/Jenkinsfile_flaky

@@ -3,10 +3,13 @@
 library 'kibana-pipeline-library'
 kibanaLibrary.load()
 
-// Looks like 'oss:ciGroup:1' or 'oss:firefoxSmoke'
-def JOB_PARTS = params.CI_GROUP.split(':')
+def CI_GROUP_PARAM = params.CI_GROUP
+
+// Looks like 'oss:ciGroup:1', 'oss:firefoxSmoke', or 'all:serverMocha'
+def JOB_PARTS = CI_GROUP_PARAM.split(':')
 def IS_XPACK = JOB_PARTS[0] == 'xpack'
 def JOB = JOB_PARTS[1]
+def NEED_BUILD = JOB != 'serverMocha'
 def CI_GROUP = JOB_PARTS.size() > 2 ? JOB_PARTS[2] : ''
 def EXECUTIONS = params.NUMBER_EXECUTIONS.toInteger()
 def AGENT_COUNT = getAgentCount(EXECUTIONS)
@@ -31,13 +34,15 @@ stage("Kibana Pipeline") {
               print "Agent ${agentNumberInside} - ${agentExecutions} executions"
 
               kibanaPipeline.withWorkers('flaky-test-runner', {
-                if (!IS_XPACK) {
-                  kibanaPipeline.buildOss()
-                  if (CI_GROUP == '1') {
-                    runbld("./test/scripts/jenkins_build_kbn_tp_sample_panel_action.sh", "Build kbn tp sample panel action for ciGroup1")
+                if (NEED_BUILD) {
+                  if (!IS_XPACK) {
+                    kibanaPipeline.buildOss()
+                    if (CI_GROUP == '1') {
+                      runbld("./test/scripts/jenkins_build_kbn_tp_sample_panel_action.sh", "Build kbn tp sample panel action for ciGroup1")
+                    }
+                  } else {
+                    kibanaPipeline.buildXpack()
                   }
-                } else {
-                  kibanaPipeline.buildXpack()
                 }
               }, getWorkerMap(agentNumberInside, agentExecutions, worker, workerFailures))()
             }
@@ -61,7 +66,17 @@ stage("Kibana Pipeline") {
 
 def getWorkerFromParams(isXpack, job, ciGroup) {
   if (!isXpack) {
-    if (job == 'firefoxSmoke') {
+    if (job == 'serverMocha') {
+      return kibanaPipeline.getPostBuildWorker('serverMocha', {
+        kibanaPipeline.bash(
+          """
+            source src/dev/ci_setup/setup_env.sh
+            node scripts/mocha
+          """,
+          "run `node scripts/mocha`"
+        )
+      })
+    } else if (job == 'firefoxSmoke') {
       return kibanaPipeline.getPostBuildWorker('firefoxSmoke', { runbld('./test/scripts/jenkins_firefox_smoke.sh', 'Execute kibana-firefoxSmoke') })
     } else if(job == 'visualRegression') {
       return kibanaPipeline.getPostBuildWorker('visualRegression', { runbld('./test/scripts/jenkins_visual_regression.sh', 'Execute kibana-visualRegression') })

.github/CODEOWNERS

@@ -61,6 +61,7 @@
 /config/kibana.yml @elastic/kibana-platform
 /x-pack/plugins/features/  @elastic/kibana-platform
 /x-pack/plugins/licensing/  @elastic/kibana-platform
+/packages/kbn-config-schema/ @elastic/kibana-platform
 
 # Security
 /x-pack/legacy/plugins/security/  @elastic/kibana-security

docs/development/core/server/kibana-plugin-server.irouter.delete.md

@@ -9,5 +9,5 @@ Register a route handler for `DELETE` request.
 <b>Signature:</b>
 
 ```typescript
-delete: <P extends ObjectType, Q extends ObjectType, B extends ObjectType>(route: RouteConfig<P, Q, B>, handler: RequestHandler<P, Q, B>) => void;
+delete: RouteRegistrar;
 ```

docs/development/core/server/kibana-plugin-server.irouter.get.md

@@ -9,5 +9,5 @@ Register a route handler for `GET` request.
 <b>Signature:</b>
 
 ```typescript
-get: <P extends ObjectType, Q extends ObjectType, B extends ObjectType>(route: RouteConfig<P, Q, B>, handler: RequestHandler<P, Q, B>) => void;
+get: RouteRegistrar;
 ```

docs/development/core/server/kibana-plugin-server.irouter.handlelegacyerrors.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [IRouter](./kibana-plugin-server.irouter.md) &gt; [handleLegacyErrors](./kibana-plugin-server.irouter.handlelegacyerrors.md)
+
+## IRouter.handleLegacyErrors property
+
+Wrap a router handler to catch and converts legacy boom errors to proper custom errors.
+
+<b>Signature:</b>
+
+```typescript
+handleLegacyErrors: <P extends ObjectType, Q extends ObjectType, B extends ObjectType>(handler: RequestHandler<P, Q, B>) => RequestHandler<P, Q, B>;
+```

docs/development/core/server/kibana-plugin-server.irouter.md

@@ -16,9 +16,10 @@ export interface IRouter
 
 |  Property | Type | Description |
 |  --- | --- | --- |
-|  [delete](./kibana-plugin-server.irouter.delete.md) | <code>&lt;P extends ObjectType, Q extends ObjectType, B extends ObjectType&gt;(route: RouteConfig&lt;P, Q, B&gt;, handler: RequestHandler&lt;P, Q, B&gt;) =&gt; void</code> | Register a route handler for <code>DELETE</code> request. |
-|  [get](./kibana-plugin-server.irouter.get.md) | <code>&lt;P extends ObjectType, Q extends ObjectType, B extends ObjectType&gt;(route: RouteConfig&lt;P, Q, B&gt;, handler: RequestHandler&lt;P, Q, B&gt;) =&gt; void</code> | Register a route handler for <code>GET</code> request. |
-|  [post](./kibana-plugin-server.irouter.post.md) | <code>&lt;P extends ObjectType, Q extends ObjectType, B extends ObjectType&gt;(route: RouteConfig&lt;P, Q, B&gt;, handler: RequestHandler&lt;P, Q, B&gt;) =&gt; void</code> | Register a route handler for <code>POST</code> request. |
-|  [put](./kibana-plugin-server.irouter.put.md) | <code>&lt;P extends ObjectType, Q extends ObjectType, B extends ObjectType&gt;(route: RouteConfig&lt;P, Q, B&gt;, handler: RequestHandler&lt;P, Q, B&gt;) =&gt; void</code> | Register a route handler for <code>PUT</code> request. |
+|  [delete](./kibana-plugin-server.irouter.delete.md) | <code>RouteRegistrar</code> | Register a route handler for <code>DELETE</code> request. |
+|  [get](./kibana-plugin-server.irouter.get.md) | <code>RouteRegistrar</code> | Register a route handler for <code>GET</code> request. |
+|  [handleLegacyErrors](./kibana-plugin-server.irouter.handlelegacyerrors.md) | <code>&lt;P extends ObjectType, Q extends ObjectType, B extends ObjectType&gt;(handler: RequestHandler&lt;P, Q, B&gt;) =&gt; RequestHandler&lt;P, Q, B&gt;</code> | Wrap a router handler to catch and converts legacy boom errors to proper custom errors. |
+|  [post](./kibana-plugin-server.irouter.post.md) | <code>RouteRegistrar</code> | Register a route handler for <code>POST</code> request. |
+|  [put](./kibana-plugin-server.irouter.put.md) | <code>RouteRegistrar</code> | Register a route handler for <code>PUT</code> request. |
 |  [routerPath](./kibana-plugin-server.irouter.routerpath.md) | <code>string</code> | Resulted path |
 

docs/development/core/server/kibana-plugin-server.irouter.post.md

@@ -9,5 +9,5 @@ Register a route handler for `POST` request.
 <b>Signature:</b>
 
 ```typescript
-post: <P extends ObjectType, Q extends ObjectType, B extends ObjectType>(route: RouteConfig<P, Q, B>, handler: RequestHandler<P, Q, B>) => void;
+post: RouteRegistrar;
 ```

docs/development/core/server/kibana-plugin-server.irouter.put.md

@@ -9,5 +9,5 @@ Register a route handler for `PUT` request.
 <b>Signature:</b>
 
 ```typescript
-put: <P extends ObjectType, Q extends ObjectType, B extends ObjectType>(route: RouteConfig<P, Q, B>, handler: RequestHandler<P, Q, B>) => void;
+put: RouteRegistrar;
 ```

docs/development/core/server/kibana-plugin-server.md

@@ -171,6 +171,7 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
 |  [ResponseErrorAttributes](./kibana-plugin-server.responseerrorattributes.md) | Additional data to provide error details. |
 |  [ResponseHeaders](./kibana-plugin-server.responseheaders.md) | Http response headers to set. |
 |  [RouteMethod](./kibana-plugin-server.routemethod.md) | The set of common HTTP methods supported by Kibana routing. |
+|  [RouteRegistrar](./kibana-plugin-server.routeregistrar.md) | Handler to declare a route. |
 |  [SavedObjectAttribute](./kibana-plugin-server.savedobjectattribute.md) | Type definition for a Saved Object attribute value |
 |  [SavedObjectAttributeSingle](./kibana-plugin-server.savedobjectattributesingle.md) | Don't use this type, it's simply a helper type for [SavedObjectAttribute](./kibana-plugin-server.savedobjectattribute.md) |
 |  [SavedObjectsClientContract](./kibana-plugin-server.savedobjectsclientcontract.md) | Saved Objects is Kibana's data persisentence mechanism allowing plugins to use Elasticsearch for storing plugin state.<!-- -->\#\# SavedObjectsClient errors<!-- -->Since the SavedObjectsClient has its hands in everything we are a little paranoid about the way we present errors back to to application code. Ideally, all errors will be either:<!-- -->1. Caused by bad implementation (ie. undefined is not a function) and as such unpredictable 2. An error that has been classified and decorated appropriately by the decorators in [SavedObjectsErrorHelpers](./kibana-plugin-server.savedobjectserrorhelpers.md)<!-- -->Type 1 errors are inevitable, but since all expected/handle-able errors should be Type 2 the <code>isXYZError()</code> helpers exposed at <code>SavedObjectsErrorHelpers</code> should be used to understand and manage error responses from the <code>SavedObjectsClient</code>.<!-- -->Type 2 errors are decorated versions of the source error, so if the elasticsearch client threw an error it will be decorated based on its type. That means that rather than looking for <code>error.body.error.type</code> or doing substring checks on <code>error.body.error.reason</code>, just use the helpers to understand the meaning of the error:<!-- -->\`\`\`<!-- -->js if (SavedObjectsErrorHelpers.isNotFoundError(error)) { // handle 404 }<!-- -->if (SavedObjectsErrorHelpers.isNotAuthorizedError(error)) { // 401 handling should be automatic, but in case you wanted to know }<!-- -->// always rethrow the error unless you handle it throw error; \`\`\`<!-- -->\#\#\# 404s from missing index<!-- -->From the perspective of application code and APIs the SavedObjectsClient is a black box that persists objects. One of the internal details that users have no control over is that we use an elasticsearch index for persistance and that index might be missing.<!-- -->At the time of writing we are in the process of transitioning away from the operating assumption that the SavedObjects index is always available. Part of this transition is handling errors resulting from an index missing. These used to trigger a 500 error in most cases, and in others cause 404s with different error messages.<!-- -->From my (Spencer) perspective, a 404 from the SavedObjectsApi is a 404; The object the request/call was targeting could not be found. This is why \#14141 takes special care to ensure that 404 errors are generic and don't distinguish between index missing or document missing.<!-- -->\#\#\# 503s from missing index<!-- -->Unlike all other methods, create requests are supposed to succeed even when the Kibana index does not exist because it will be automatically created by elasticsearch. When that is not the case it is because Elasticsearch's <code>action.auto_create_index</code> setting prevents it from being created automatically so we throw a special 503 with the intention of informing the user that their Elasticsearch settings need to be updated.<!-- -->See [SavedObjectsClient](./kibana-plugin-server.savedobjectsclient.md) See [SavedObjectsErrorHelpers](./kibana-plugin-server.savedobjectserrorhelpers.md) |

docs/development/core/server/kibana-plugin-server.pluginsservicesetup.md

@@ -16,6 +16,5 @@ export interface PluginsServiceSetup
 |  Property | Type | Description |
 |  --- | --- | --- |
 |  [contracts](./kibana-plugin-server.pluginsservicesetup.contracts.md) | <code>Map&lt;PluginName, unknown&gt;</code> |  |
-|  [uiPluginConfigs](./kibana-plugin-server.pluginsservicesetup.uipluginconfigs.md) | <code>Map&lt;PluginName, Observable&lt;unknown&gt;&gt;</code> |  |
-|  [uiPlugins](./kibana-plugin-server.pluginsservicesetup.uiplugins.md) | <code>{</code><br/><code>        public: Map&lt;PluginName, DiscoveredPlugin&gt;;</code><br/><code>        internal: Map&lt;PluginName, DiscoveredPluginInternal&gt;;</code><br/><code>    }</code> |  |
+|  [uiPlugins](./kibana-plugin-server.pluginsservicesetup.uiplugins.md) | <code>{</code><br/><code>        internal: Map&lt;PluginName, InternalPluginInfo&gt;;</code><br/><code>        public: Map&lt;PluginName, DiscoveredPlugin&gt;;</code><br/><code>        browserConfigs: Map&lt;PluginName, Observable&lt;unknown&gt;&gt;;</code><br/><code>    }</code> |  |
 

docs/development/core/server/kibana-plugin-server.pluginsservicesetup.uiplugins.md

@@ -8,7 +8,8 @@
 
 ```typescript
 uiPlugins: {
+        internal: Map<PluginName, InternalPluginInfo>;
         public: Map<PluginName, DiscoveredPlugin>;
-        internal: Map<PluginName, DiscoveredPluginInternal>;
+        browserConfigs: Map<PluginName, Observable<unknown>>;
     };
 ```

docs/development/core/server/kibana-plugin-server.routeregistrar.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [RouteRegistrar](./kibana-plugin-server.routeregistrar.md)
+
+## RouteRegistrar type
+
+Handler to declare a route.
+
+<b>Signature:</b>
+
+```typescript
+export declare type RouteRegistrar = <P extends ObjectType, Q extends ObjectType, B extends ObjectType>(route: RouteConfig<P, Q, B>, handler: RequestHandler<P, Q, B>) => void;
+```

docs/settings/security-settings.asciidoc

@@ -20,7 +20,7 @@ are enabled.
 Do not set this to `false`; it disables the login form, user and role management
 screens, and authorization using <<kibana-privileges>>. To disable
 {security-features} entirely, see
-{ref}/security-settings.html[{es} security settings]. 
+{ref}/security-settings.html[{es} security settings].
 
 `xpack.security.audit.enabled`::
 Set to `true` to enable audit logging for security events. By default, it is set
@@ -40,7 +40,7 @@ An arbitrary string of 32 characters or more that is used to encrypt credentials
 in a cookie. It is crucial that this key is not exposed to users of {kib}. By
 default, a value is automatically generated in memory. If you use that default
 behavior, all sessions are invalidated when {kib} restarts.
-In addition, high-availability deployments of {kib} will behave unexpectedly 
+In addition, high-availability deployments of {kib} will behave unexpectedly
 if this setting isn't the same for all instances of {kib}.
 
 `xpack.security.secureCookies`::
@@ -49,7 +49,16 @@ is set to `true` if `server.ssl.certificate` and `server.ssl.key` are set. Set
 this to `true` if SSL is configured outside of {kib} (for example, you are
 routing requests through a load balancer or proxy).
 
-`xpack.security.sessionTimeout`::
+`xpack.security.session.idleTimeout`::
 Sets the session duration (in milliseconds). By default, sessions stay active
-until the browser is closed. When this is set to an explicit timeout, closing the
-browser still requires the user to log back in to {kib}.
+until the browser is closed. When this is set to an explicit idle timeout, closing
+the browser still requires the user to log back in to {kib}.
+
+`xpack.security.session.lifespan`::
+Sets the maximum duration (in milliseconds), also known as "absolute timeout". By
+default, a session can be renewed indefinitely. When this value is set, a session
+will end once its lifespan is exceeded, even if the user is not idle. NOTE: if
+`idleTimeout` is not set, this setting will still cause sessions to expire.
+
+`xpack.security.loginAssistanceMessage`::
+Adds a message to the login screen. Useful for displaying information about maintenance windows, links to corporate sign up pages etc.

docs/user/security/authentication/index.asciidoc

@@ -188,9 +188,10 @@ The following sections apply both to <<saml>> and <<oidc>>
 
 Once the user logs in to {kib} Single Sign-On, either using SAML or OpenID Connect, {es} issues access and refresh tokens
 that {kib} encrypts and stores them in its own session cookie. This way, the user isn't redirected to the Identity Provider
-for every request that requires authentication. It also means that the {kib} session depends on the `xpack.security.sessionTimeout` 
-setting and the user is automatically logged out if the session expires. An access token that is stored in the session cookie 
-can expire, in  which case {kib} will automatically renew it with a one-time-use refresh token and store it in the same cookie.
+for every request that requires authentication. It also means that the {kib} session depends on the <<security-ui-settings,
+`xpack.security.session.idleTimeout` and `xpack.security.session.lifespan`>> settings, and the user is automatically logged
+out if the session expires. An access token that is stored in the session cookie can expire, in which case {kib} will
+automatically renew it with a one-time-use refresh token and store it in the same cookie.
 
 {kib} can only determine if an access token has expired if it receives a request that requires authentication. If both access
 and refresh tokens have already expired (for example, after 24 hours of inactivity), {kib} initiates a new "handshake" and

docs/user/security/securing-kibana.asciidoc

@@ -56,16 +56,31 @@ xpack.security.encryptionKey: "something_at_least_32_characters"
 For more information, see <<security-settings-kb,Security Settings in {kib}>>.
 --
 
-. Optional: Change the default session duration. By default, sessions stay
-active until the browser is closed. To change the duration, set the
-`xpack.security.sessionTimeout` property in the `kibana.yml` configuration file.
-The timeout is specified in milliseconds. For example, set the timeout to 600000
-to expire sessions after 10 minutes:
+. Optional: Set a timeout to expire idle sessions. By default, a session stays
+active until the browser is closed. To define a sliding session expiration, set
+the `xpack.security.session.idleTimeout` property in the `kibana.yml`
+configuration file. The idle timeout is specified in milliseconds. For example,
+set the idle timeout to 600000 to expire idle sessions after 10 minutes:
 +
 --
 [source,yaml]
 --------------------------------------------------------------------------------
-xpack.security.sessionTimeout: 600000
+xpack.security.session.idleTimeout: 600000
+--------------------------------------------------------------------------------
+--
+
+. Optional: Change the maximum session duration or "lifespan" -- also known as
+the "absolute timeout". By default, a session stays active until the browser is
+closed. If an idle timeout is defined, a session can still be extended
+indefinitely. To define a maximum session lifespan, set the
+`xpack.security.session.lifespan` property in the `kibana.yml` configuration
+file. The lifespan is specified in milliseconds. For example, set the lifespan
+to 28800000 to expire sessions after 8 hours:
++
+--
+[source,yaml]
+--------------------------------------------------------------------------------
+xpack.security.session.lifespan: 28800000
 --------------------------------------------------------------------------------
 --