Security - remove auth scope provider (#36998)

* remove auth scope provider * handle missing roles * guard for unauthenticated calls * update functional tests to not expect a scope property * there's always money in the banana stand * revert interceptor optimizations * protect against missing roles * address pr feedback * remove scope as expected property on kerberos auth response
2025-06-28 11:05:39 -04:00 · 2019-05-29 11:01:35 -04:00 · 2019-05-29 11:01:35 -04:00 · 38eb16d4e6
commit 38eb16d4e6
parent e1b2b485a8
16 changed files with 53 additions and 420 deletions
--- a/x-pack/plugins/security/server/lib/authentication/authenticator.ts
+++ b/x-pack/plugins/security/server/lib/authentication/authenticator.ts
@ -6,7 +6,6 @@

 import { Legacy } from 'kibana';
 import { getClient } from '../../../../../server/lib/get_client_shield';
-import { AuthScopeService, ScopesGetter } from '../auth_scope_service';
 import { getErrorStatusCode } from '../errors';
 import {
  AuthenticationProviderOptions,
@ -133,14 +132,9 @@ class Authenticator {
  /**
   * Instantiates Authenticator and bootstrap configured providers.
   * @param server Server instance.
-   * @param authScope AuthScopeService instance.
   * @param session Session instance.
   */
-  constructor(
-    private readonly server: Legacy.Server,
-    private readonly authScope: AuthScopeService,
-    private readonly session: Session
-  ) {
+  constructor(private readonly server: Legacy.Server, private readonly session: Session) {
    const config = this.server.config();
    const authProviders = config.get<string[]>('xpack.security.authProviders');
    if (authProviders.length === 0) {
@ -213,11 +207,7 @@ class Authenticator {
      }

      if (authenticationResult.succeeded()) {
-        return AuthenticationResult.succeeded({
-          ...authenticationResult.user,
-          // Complement user returned from the provider with scopes.
-          scope: await this.authScope.getForRequestAndUser(request, authenticationResult.user!),
-        } as any);
+        return AuthenticationResult.succeeded(authenticationResult.user!);
      } else if (authenticationResult.redirected()) {
        return authenticationResult;
      }
@ -298,8 +288,7 @@ class Authenticator {

 export async function initAuthenticator(server: Legacy.Server) {
  const session = await Session.create(server);
-  const authScope = new AuthScopeService();
-  const authenticator = new Authenticator(server, authScope, session);
+  const authenticator = new Authenticator(server, session);

  const loginAttempts = new WeakMap();
  server.decorate('request', 'loginAttempt', function(this: Legacy.Request) {
@ -316,9 +305,6 @@ export async function initAuthenticator(server: Legacy.Server) {
  server.expose('deauthenticate', (request: RequestWithLoginAttempt) =>
    authenticator.deauthenticate(request)
  );
-  server.expose('registerAuthScopeGetter', (scopeExtender: ScopesGetter) =>
-    authScope.registerGetter(scopeExtender)
-  );

  server.expose('isAuthenticated', async (request: Legacy.Request) => {
    try {