[EBT] Fix userId generation (#131701)

2025-04-23 09:19:04 -04:00 · 2022-05-07 01:21:23 +02:00 · 2022-05-07 01:21:23 +02:00 · c8e3fc57ed
commit c8e3fc57ed
parent 19298ee3e6
2 changed files with 44 additions and 15 deletions
--- a/x-pack/plugins/cloud/public/plugin.test.ts
+++ b/x-pack/plugins/cloud/public/plugin.test.ts
@ -11,6 +11,7 @@ import { homePluginMock } from '@kbn/home-plugin/public/mocks';
 import { securityMock } from '@kbn/security-plugin/public/mocks';
 import { CloudPlugin, CloudConfigType } from './plugin';
 import { firstValueFrom } from 'rxjs';
+import { Sha256 } from '@kbn/core/public/utils';

 describe('Cloud Plugin', () => {
  describe('#setup', () => {
@ -74,6 +75,9 @@ describe('Cloud Plugin', () => {
    });

    describe('setupTelemetryContext', () => {
+      const username = '1234';
+      const expectedHashedPlainUsername = new Sha256().update(username, 'utf8').digest('hex');
+
      beforeEach(() => {
        jest.clearAllMocks();
      });
@ -121,9 +125,7 @@ describe('Cloud Plugin', () => {
      test('register the context provider for the cloud user with hashed user ID when security is available', async () => {
        const { coreSetup } = await setupPlugin({
          config: { id: 'cloudId' },
-          currentUserProps: {
-            username: '1234',
-          },
+          currentUserProps: { username },
        });

        expect(coreSetup.analytics.registerContextProvider).toHaveBeenCalled();
@ -140,9 +142,7 @@ describe('Cloud Plugin', () => {
      it('user hash includes cloud id', async () => {
        const { coreSetup: coreSetup1 } = await setupPlugin({
          config: { id: 'esOrg1' },
-          currentUserProps: {
-            username: '1234',
-          },
+          currentUserProps: { username },
        });

        const [{ context$: context1$ }] =
@ -151,12 +151,11 @@ describe('Cloud Plugin', () => {
          )!;

        const hashId1 = await firstValueFrom(context1$);
+        expect(hashId1).not.toEqual(expectedHashedPlainUsername);

        const { coreSetup: coreSetup2 } = await setupPlugin({
          config: { full_story: { enabled: true, org_id: 'foo' }, id: 'esOrg2' },
-          currentUserProps: {
-            username: '1234',
-          },
+          currentUserProps: { username },
        });

        const [{ context$: context2$ }] =
@ -165,15 +164,17 @@ describe('Cloud Plugin', () => {
          )!;

        const hashId2 = await firstValueFrom(context2$);
+        expect(hashId2).not.toEqual(expectedHashedPlainUsername);

        expect(hashId1).not.toEqual(hashId2);
      });

-      test('user hash does not include cloudId when not provided', async () => {
+      test('user hash does not include cloudId when authenticated via Cloud SAML', async () => {
        const { coreSetup } = await setupPlugin({
-          config: {},
+          config: { id: 'cloudDeploymentId' },
          currentUserProps: {
-            username: '1234',
+            username,
+            authentication_realm: { type: 'saml', name: 'cloud-saml-kibana' },
          },
        });

@ -184,7 +185,24 @@ describe('Cloud Plugin', () => {
        )!;

        await expect(firstValueFrom(context$)).resolves.toEqual({
-          userId: '03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4',
+          userId: expectedHashedPlainUsername,
+        });
+      });
+
+      test('user hash does not include cloudId when not provided', async () => {
+        const { coreSetup } = await setupPlugin({
+          config: {},
+          currentUserProps: { username },
+        });
+
+        expect(coreSetup.analytics.registerContextProvider).toHaveBeenCalled();
+
+        const [{ context$ }] = coreSetup.analytics.registerContextProvider.mock.calls.find(
+          ([{ name }]) => name === 'cloud_user_id'
+        )!;
+
+        await expect(firstValueFrom(context$)).resolves.toEqual({
+          userId: expectedHashedPlainUsername,
        });
      });

--- a/x-pack/plugins/cloud/public/plugin.tsx
+++ b/x-pack/plugins/cloud/public/plugin.tsx
@ -261,10 +261,21 @@ export class CloudPlugin implements Plugin<CloudSetup> {
      analytics.registerContextProvider({
        name: 'cloud_user_id',
        context$: from(security.authc.getCurrentUser()).pipe(
-          map((user) => user.username),
+          map((user) => {
+            if (
+              getIsCloudEnabled(cloudId) &&
+              user.authentication_realm?.type === 'saml' &&
+              user.authentication_realm?.name === 'cloud-saml-kibana'
+            ) {
+              // If authenticated via Cloud SAML, use the SAML username as the user ID
+              return user.username;
+            }
+
+            return cloudId ? `${cloudId}:${user.username}` : user.username;
+          }),
          // Join the cloud org id and the user to create a truly unique user id.
          // The hashing here is to keep it at clear as possible in our source code that we do not send literal user IDs
-          map((userId) => ({ userId: sha256(cloudId ? `${cloudId}:${userId}` : `${userId}`) })),
+          map((userId) => ({ userId: sha256(userId) })),
          catchError(() => of({ userId: undefined }))
        ),
        schema: {