Register privileges in Kibana Platform Security plugin and remove legacy getUser API.

.sass-lint.yml

@@ -4,14 +4,14 @@ files:
     - 'src/legacy/core_plugins/timelion/**/*.s+(a|c)ss'
     - 'src/plugins/vis_type_vislib/**/*.s+(a|c)ss'
     - 'src/plugins/vis_type_xy/**/*.s+(a|c)ss'
-    - 'x-pack/legacy/plugins/security/**/*.s+(a|c)ss'
     - 'x-pack/plugins/canvas/**/*.s+(a|c)ss'
     - 'x-pack/plugins/triggers_actions_ui/**/*.s+(a|c)ss'
     - 'x-pack/plugins/lens/**/*.s+(a|c)ss'
     - 'x-pack/plugins/cross_cluster_replication/**/*.s+(a|c)ss'
     - 'x-pack/legacy/plugins/maps/**/*.s+(a|c)ss'
     - 'x-pack/plugins/maps/**/*.s+(a|c)ss'
     - 'x-pack/plugins/spaces/**/*.s+(a|c)ss'
+    - 'x-pack/plugins/security/**/*.s+(a|c)ss'
   ignore:
     - 'x-pack/plugins/canvas/shareable_runtime/**/*.s+(a|c)ss'
 rules:

x-pack/.i18nrc.json

@@ -38,7 +38,7 @@
     "xpack.reporting": ["plugins/reporting"],
     "xpack.rollupJobs": ["legacy/plugins/rollup", "plugins/rollup"],
     "xpack.searchProfiler": "plugins/searchprofiler",
-    "xpack.security": ["legacy/plugins/security", "plugins/security"],
+    "xpack.security": "plugins/security",
     "xpack.server": "legacy/server",
     "xpack.siem": "plugins/siem",
     "xpack.snapshotRestore": "plugins/snapshot_restore",

x-pack/legacy/plugins/beats_management/server/lib/adapters/framework/adapter_types.ts

@@ -8,6 +8,7 @@
 
 import { Lifecycle, ResponseToolkit } from 'hapi';
 import * as t from 'io-ts';
+import { SecurityPluginSetup } from '../../../../../../../plugins/security/server';
 import { LicenseType } from '../../../../common/constants/security';
 
 export const internalAuthData = Symbol('internalAuthData');
@@ -39,6 +40,11 @@ export interface BackendFrameworkAdapter {
 }
 
 export interface KibanaLegacyServer {
+  newPlatform: {
+    setup: {
+      plugins: { security: SecurityPluginSetup };
+    };
+  };
   plugins: {
     xpack_main: {
       status: {
@@ -53,9 +59,6 @@ export interface KibanaLegacyServer {
         };
       };
     };
-    security: {
-      getUser: (request: KibanaServerRequest) => any;
-    };
     elasticsearch: {
       status: {
         on: (status: 'green' | 'yellow' | 'red', callback: () => void) => void;

x-pack/legacy/plugins/beats_management/server/lib/adapters/framework/kibana_framework_adapter.ts

@@ -8,6 +8,7 @@ import { ResponseToolkit } from 'hapi';
 import { PathReporter } from 'io-ts/lib/PathReporter';
 import { get } from 'lodash';
 import { isLeft } from 'fp-ts/lib/Either';
+import { KibanaRequest, LegacyRequest } from '../../../../../../../../src/core/server';
 // @ts-ignore
 import { mirrorPluginStatus } from '../../../../../../server/lib/mirror_plugin_status';
 import {
@@ -128,13 +129,10 @@ export class KibanaBackendFrameworkAdapter implements BackendFrameworkAdapter {
   }
 
   private async getUser(request: KibanaServerRequest): Promise<KibanaUser | null> {
-    let user;
-    try {
-      user = await this.server.plugins.security.getUser(request);
-    } catch (e) {
-      return null;
-    }
-    if (user === null) {
+    const user = this.server.newPlatform.setup.plugins.security?.authc.getCurrentUser(
+      KibanaRequest.from((request as unknown) as LegacyRequest)
+    );
+    if (!user) {
       return null;
     }
     const assertKibanaUser = RuntimeKibanaUser.decode(user);

x-pack/legacy/plugins/security/index.ts

@@ -6,64 +6,17 @@
 
 import { Root } from 'joi';
 import { resolve } from 'path';
-import { Server } from 'src/legacy/server/kbn_server';
-import { KibanaRequest, LegacyRequest } from '../../../../src/core/server';
-// @ts-ignore
-import { watchStatusAndLicenseToInitialize } from '../../server/lib/watch_status_and_license_to_initialize';
-import { AuthenticatedUser, SecurityPluginSetup } from '../../../plugins/security/server';
-
-/**
- * Public interface of the security plugin.
- */
-export interface SecurityPlugin {
-  getUser: (request: LegacyRequest) => Promise<AuthenticatedUser>;
-}
-
-function getSecurityPluginSetup(server: Server) {
-  const securityPlugin = server.newPlatform.setup.plugins.security as SecurityPluginSetup;
-  if (!securityPlugin) {
-    throw new Error('Kibana Platform Security plugin is not available.');
-  }
-
-  return securityPlugin;
-}
 
 export const security = (kibana: Record<string, any>) =>
   new kibana.Plugin({
     id: 'security',
     publicDir: resolve(__dirname, 'public'),
-    require: ['kibana', 'xpack_main'],
+    require: ['kibana'],
     configPrefix: 'xpack.security',
-    uiExports: {
-      hacks: ['plugins/security/hacks/legacy'],
-      injectDefaultVars: (server: Server) => {
-        return { enableSpaceAwarePrivileges: server.config().get('xpack.spaces.enabled') };
-      },
-    },
-
-    config(Joi: Root) {
-      return Joi.object({
-        enabled: Joi.boolean().default(true),
-      })
+    uiExports: { hacks: ['plugins/security/hacks/legacy'] },
+    config: (Joi: Root) =>
+      Joi.object({ enabled: Joi.boolean().default(true) })
         .unknown()
-        .default();
-    },
-
-    async postInit(server: Server) {
-      watchStatusAndLicenseToInitialize(server.plugins.xpack_main, this, async () => {
-        const xpackInfo = server.plugins.xpack_main.info;
-        if (xpackInfo.isAvailable() && xpackInfo.feature('security').isEnabled()) {
-          await getSecurityPluginSetup(server).__legacyCompat.registerPrivilegesWithCluster();
-        }
-      });
-    },
-
-    async init(server: Server) {
-      const securityPlugin = getSecurityPluginSetup(server);
-
-      server.expose({
-        getUser: async (request: LegacyRequest) =>
-          securityPlugin.authc.getCurrentUser(KibanaRequest.from(request)),
-      });
-    },
+        .default(),
+    init() {},
   });

x-pack/plugins/security/public/account_management/account_management_app.ts

@@ -5,7 +5,12 @@
  */
 
 import { i18n } from '@kbn/i18n';
-import { StartServicesAccessor, ApplicationSetup, AppMountParameters } from 'src/core/public';
+import {
+  ApplicationSetup,
+  AppMountParameters,
+  AppNavLinkStatus,
+  StartServicesAccessor,
+} from '../../../../../src/core/public';
 import { AuthenticationServiceSetup } from '../authentication';
 
 interface CreateDeps {
@@ -23,8 +28,7 @@ export const accountManagementApp = Object.freeze({
     application.register({
       id: this.id,
       title,
-      // TODO: switch to proper enum once https://github.com/elastic/kibana/issues/58327 is resolved.
-      navLinkStatus: 3,
+      navLinkStatus: AppNavLinkStatus.hidden,
       appRoute: '/security/account',
       async mount({ element }: AppMountParameters) {
         const [

x-pack/plugins/security/public/authentication/login/components/login_form/login_form.scss

@@ -23,9 +23,10 @@
   }
 
   &:focus {
+    @include euiFocusRing;
+
     border-color: transparent;
     border-radius: $euiBorderRadius;
-    @include euiFocusRing;
 
     .secLoginCard__title {
       text-decoration: underline;

x-pack/plugins/security/public/management/roles/__fixtures__/kibana_privileges.ts

@@ -11,13 +11,15 @@ import { Feature } from '../../../../../features/public';
 import { KibanaPrivileges } from '../model';
 import { SecurityLicenseFeatures } from '../../..';
 
+// eslint-disable-next-line @kbn/eslint/no-restricted-paths
+import { featuresPluginMock } from '../../../../../features/server/mocks';
+
 export const createRawKibanaPrivileges = (
   features: Feature[],
   { allowSubFeaturePrivileges = true } = {}
 ) => {
-  const featuresService = {
-    getFeatures: () => features,
-  };
+  const featuresService = featuresPluginMock.createSetup();
+  featuresService.getFeatures.mockReturnValue(features);
 
   const licensingService = {
     getFeatures: () => ({ allowSubFeaturePrivileges } as SecurityLicenseFeatures),

x-pack/plugins/security/public/management/roles/edit_role/edit_role_page.test.tsx

@@ -163,7 +163,12 @@ function getProps({
   const { http, docLinks, notifications } = coreMock.createStart();
   http.get.mockImplementation(async (path: any) => {
     if (path === '/api/spaces/space') {
-      return buildSpaces();
+      if (spacesEnabled) {
+        return buildSpaces();
+      }
+
+      const notFoundError = { response: { status: 404 } };
+      throw notFoundError;
     }
   });
 
@@ -181,7 +186,6 @@ function getProps({
     notifications,
     docLinks: new DocumentationLinksService(docLinks),
     fatalErrors,
-    spacesEnabled,
     uiCapabilities: buildUICapabilities(canManageSpaces),
     history: (scopedHistoryMock.create() as unknown) as ScopedHistory,
   };

x-pack/plugins/security/public/management/roles/edit_role/edit_role_page.tsx

@@ -80,7 +80,6 @@ interface Props {
   docLinks: DocumentationLinksService;
   http: HttpStart;
   license: SecurityLicense;
-  spacesEnabled: boolean;
   uiCapabilities: Capabilities;
   notifications: NotificationsStart;
   fatalErrors: FatalErrorsSetup;
@@ -225,14 +224,21 @@ function useRole(
   return [role, setRole] as [Role | null, typeof setRole];
 }
 
-function useSpaces(http: HttpStart, fatalErrors: FatalErrorsSetup, spacesEnabled: boolean) {
-  const [spaces, setSpaces] = useState<Space[] | null>(null);
+function useSpaces(http: HttpStart, fatalErrors: FatalErrorsSetup) {
+  const [spaces, setSpaces] = useState<{ enabled: boolean; list: Space[] } | null>(null);
   useEffect(() => {
-    (spacesEnabled ? http.get('/api/spaces/space') : Promise.resolve([])).then(
-      (fetchedSpaces) => setSpaces(fetchedSpaces),
-      (err) => fatalErrors.add(err)
+    http.get('/api/spaces/space').then(
+      (fetchedSpaces) => setSpaces({ enabled: true, list: fetchedSpaces }),
+      (err: IHttpFetchError) => {
+        // Spaces plugin can be disabled and hence this endpoint can be unavailable.
+        if (err.response?.status === 404) {
+          setSpaces({ enabled: false, list: [] });
+        } else {
+          fatalErrors.add(err);
+        }
+      }
     );
-  }, [http, fatalErrors, spacesEnabled]);
+  }, [http, fatalErrors]);
 
   return spaces;
 }
@@ -278,7 +284,6 @@ export const EditRolePage: FunctionComponent<Props> = ({
   roleName,
   action,
   fatalErrors,
-  spacesEnabled,
   license,
   docLinks,
   uiCapabilities,
@@ -295,7 +300,7 @@ export const EditRolePage: FunctionComponent<Props> = ({
   const runAsUsers = useRunAsUsers(userAPIClient, fatalErrors);
   const indexPatternsTitles = useIndexPatternsTitles(indexPatterns, fatalErrors, notifications);
   const privileges = usePrivileges(privilegesAPIClient, fatalErrors);
-  const spaces = useSpaces(http, fatalErrors, spacesEnabled);
+  const spaces = useSpaces(http, fatalErrors);
   const features = useFeatures(getFeatures, fatalErrors);
   const [role, setRole] = useRole(
     rolesAPIClient,
@@ -434,8 +439,8 @@ export const EditRolePage: FunctionComponent<Props> = ({
         <EuiSpacer />
         <KibanaPrivilegesRegion
           kibanaPrivileges={new KibanaPrivileges(kibanaPrivileges, features)}
-          spaces={spaces}
-          spacesEnabled={spacesEnabled}
+          spaces={spaces.list}
+          spacesEnabled={spaces.enabled}
           uiCapabilities={uiCapabilities}
           canCustomizeSubFeaturePrivileges={license.getFeatures().allowSubFeaturePrivileges}
           editable={!isRoleReadOnly}
@@ -519,7 +524,7 @@ export const EditRolePage: FunctionComponent<Props> = ({
       setFormError(null);
 
       try {
-        await rolesAPIClient.saveRole({ role, spacesEnabled });
+        await rolesAPIClient.saveRole({ role, spacesEnabled: spaces.enabled });
       } catch (error) {
         notifications.toasts.addDanger(get(error, 'data.message'));
         return;
@@ -554,7 +559,7 @@ export const EditRolePage: FunctionComponent<Props> = ({
     backToRoleList();
   };
 
-  const description = spacesEnabled ? (
+  const description = spaces.enabled ? (
     <FormattedMessage
       id="xpack.security.management.editRole.setPrivilegesToKibanaSpacesDescription"
       defaultMessage="Set privileges on your Elasticsearch data and control access to your Kibana spaces."

x-pack/plugins/security/public/management/roles/roles_management_app.tsx

@@ -36,10 +36,7 @@ export const rolesManagementApp = Object.freeze({
         ];
 
         const [
-          [
-            { application, docLinks, http, i18n: i18nStart, injectedMetadata, notifications },
-            { data, features },
-          ],
+          [{ application, docLinks, http, i18n: i18nStart, notifications }, { data, features }],
           { RolesGridPage },
           { EditRolePage },
           { RolesAPIClient },
@@ -86,9 +83,6 @@ export const rolesManagementApp = Object.freeze({
             <EditRolePage
               action={action}
               roleName={roleName}
-              spacesEnabled={
-                injectedMetadata.getInjectedVar('enableSpaceAwarePrivileges') as boolean
-              }
               rolesAPIClient={rolesAPIClient}
               userAPIClient={new UserAPIClient(http)}
               indicesAPIClient={new IndicesAPIClient(http)}

x-pack/plugins/security/server/authorization/api_authorization.ts

@@ -4,12 +4,12 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { CoreSetup, Logger } from '../../../../../src/core/server';
-import { Authorization } from '.';
+import { HttpServiceSetup, Logger } from '../../../../../src/core/server';
+import { AuthorizationServiceSetup } from '.';
 
 export function initAPIAuthorization(
-  http: CoreSetup['http'],
-  { actions, checkPrivilegesDynamicallyWithRequest, mode }: Authorization,
+  http: HttpServiceSetup,
+  { actions, checkPrivilegesDynamicallyWithRequest, mode }: AuthorizationServiceSetup,
   logger: Logger
 ) {
   http.registerOnPostAuth(async (request, response, toolkit) => {

x-pack/plugins/security/server/authorization/app_authorization.ts

@@ -4,13 +4,13 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { CoreSetup, Logger } from '../../../../../src/core/server';
-import { FeaturesService } from '../plugin';
-import { Authorization } from '.';
+import { HttpServiceSetup, Logger } from '../../../../../src/core/server';
+import { PluginSetupContract as FeaturesPluginSetup } from '../../../features/server';
+import { AuthorizationServiceSetup } from '.';
 
 class ProtectedApplications {
   private applications: Set<string> | null = null;
-  constructor(private readonly featuresService: FeaturesService) {}
+  constructor(private readonly featuresService: FeaturesPluginSetup) {}
 
   public shouldProtect(appId: string) {
     // Currently, once we get the list of features we essentially "lock" additional
@@ -30,14 +30,14 @@ class ProtectedApplications {
 }
 
 export function initAppAuthorization(
-  http: CoreSetup['http'],
+  http: HttpServiceSetup,
   {
     actions,
     checkPrivilegesDynamicallyWithRequest,
     mode,
-  }: Pick<Authorization, 'actions' | 'checkPrivilegesDynamicallyWithRequest' | 'mode'>,
+  }: Pick<AuthorizationServiceSetup, 'actions' | 'checkPrivilegesDynamicallyWithRequest' | 'mode'>,
   logger: Logger,
-  featuresService: FeaturesService
+  featuresService: FeaturesPluginSetup
 ) {
   const protectedApplications = new ProtectedApplications(featuresService);