Adding deprecation warning for Interactive Users using ApiKeys (#136422)

* Adding deprecation warning for Interactive Users using ApiKeys

* Fixing unit test verbiage

* Update docs/user/security/authentication/index.asciidoc

Co-authored-by: Larry Gregory <lgregorydev@gmail.com>

* Update docs/user/security/api-keys/index.asciidoc

Co-authored-by: Larry Gregory <lgregorydev@gmail.com>

* Changing capitalization on 'keys' to avoid confusion with the UI API Keys

* Update docs/user/security/api-keys/index.asciidoc

Co-authored-by: Larry Gregory <lgregorydev@gmail.com>

* Update docs/user/security/authentication/index.asciidoc

Co-authored-by: Larry Gregory <lgregorydev@gmail.com>

* Changing the logging message and unit test descriptions based on PR review feedback

* Update x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts

Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>

* Update x-pack/plugins/security/server/routes/analytics/authentication_type.ts

Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>

* Update x-pack/plugins/security/server/routes/analytics/authentication_type.ts

Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>

* Removing unnecessary whitespace

* Fixing spelling in unit test assertion

Co-authored-by: Larry Gregory <lgregorydev@gmail.com>
Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>

docs/user/security/api-keys/index.asciidoc

@@ -45,6 +45,11 @@ curl --location --request GET 'http://localhost:5601/api/security/role' \
 --header 'kbn-xsrf: true' \
 --header 'Authorization: ApiKey aVZlLUMzSUJuYndxdDJvN0k1bU46aGxlYUpNS2lTa2FKeVZua1FnY1VEdw==' \
 
+[IMPORTANT]
+============================================================================
+API keys are intended for programatic access to {kib} and {es). Do not use API keys to authenticate access via a web browser.
+============================================================================
+
 [float]
 [[view-api-keys]]
 === View and delete API keys

docs/user/security/authentication/index.asciidoc

@@ -394,6 +394,12 @@ HTTP protocol provides a simple authentication framework that can be used by a c
 
 This type of authentication is usually useful for machine-to-machine interaction that requires authentication and where human intervention is not desired or just infeasible. There are a number of use cases when HTTP authentication support comes in handy for {kib} users as well.
 
+[IMPORTANT]
+============================================================================
+API keys are intended for programatic access to {kib} and {es). Do not use API keys to authenticate access via a web browser.
+============================================================================
+
+
 By default {kib} supports <<api-keys, `ApiKey`>> authentication scheme _and_ any scheme supported by the currently enabled authentication provider. For example, `Basic` authentication scheme is automatically supported when basic authentication provider is enabled, or `Bearer` scheme when any of the token based authentication providers is enabled (Token, SAML, OpenID Connect, PKI or Kerberos). But it's also possible to add support for any other authentication scheme in the `kibana.yml` configuration file, as follows:
 
 NOTE: Don't forget to explicitly specify the default `apikey` and `bearer` schemes when you just want to add a new one to the list.

x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts

@@ -19,6 +19,7 @@ import { routeDefinitionParamsMock } from '../index.mock';
 import { defineRecordAnalyticsOnAuthTypeRoutes } from './authentication_type';
 
 const FAKE_TIMESTAMP = 1637665318135;
+
 function getMockContext(
   licenseCheckResult: { state: string; message?: string } = { state: 'valid' }
 ) {
@@ -34,6 +35,7 @@ describe('POST /internal/security/analytics/_record_auth_type', () => {
 
   let routeHandler: RequestHandler<any, any, any, any>;
   let routeParamsMock: DeeplyMockedKeys<RouteDefinitionParams>;
+
   beforeEach(() => {
     routeParamsMock = routeDefinitionParamsMock.create();
     defineRecordAnalyticsOnAuthTypeRoutes(routeParamsMock);
@@ -49,6 +51,10 @@ describe('POST /internal/security/analytics/_record_auth_type', () => {
     const response = await routeHandler(getMockContext(), request, kibanaResponseFactory);
 
     expect(response.status).toBe(204);
+    expect(routeParamsMock.logger.warn).toBeCalledWith(
+      'Cannot record authentication type: current user could not be retrieved.'
+    );
+
     expect(routeParamsMock.analyticsService.reportAuthenticationTypeEvent).not.toHaveBeenCalled();
   });
 
@@ -294,11 +300,13 @@ describe('POST /internal/security/analytics/_record_auth_type', () => {
       routeParamsMock.getAuthenticationService.mockReturnValue(mockAuthc);
 
       const response = await routeHandler(getMockContext(), request, kibanaResponseFactory);
+
       expect(response.status).toBe(200);
       expect(response.payload).toEqual({
         timestamp: FAKE_TIMESTAMP,
         signature: 'f4f6b485690816127c33d5aa13cd6cd12c9892641ba23b5d58e5c6590cd43db0',
       });
+
       routeParamsMock.analyticsService.reportAuthenticationTypeEvent.mockClear();
 
       initialTimestamp = response.payload.timestamp;
@@ -312,13 +320,13 @@ describe('POST /internal/security/analytics/_record_auth_type', () => {
       });
 
       const response = await routeHandler(getMockContext(), request, kibanaResponseFactory);
+
       expect(response.status).toBe(200);
       expect(response.payload).toEqual({
         timestamp: initialTimestamp,
         signature: '46d5841ad21d29ca6c7c1c639adc6294c176c394adb0b40dfc05797cfe29218e',
       });
       expect(response.payload.signature).not.toEqual(initialSignature);
-
       expect(routeParamsMock.analyticsService.reportAuthenticationTypeEvent).toHaveBeenCalledTimes(
         1
       );
@@ -329,4 +337,68 @@ describe('POST /internal/security/analytics/_record_auth_type', () => {
       });
     });
   });
+
+  describe('logApiKeyWithInteractiveUserDeprecated', () => {
+    it('should log a deprecation warning if API key is being used for access via a web browser', async () => {
+      const request = httpServerMock.createKibanaRequest({
+        headers: { authorization: 'ApiKey xxxx' },
+      });
+
+      const mockAuthc = authenticationServiceMock.createStart();
+
+      mockAuthc.getCurrentUser.mockReturnValue(
+        mockAuthenticatedUser({
+          authentication_provider: { type: 'http', name: '__http__' },
+        })
+      );
+
+      routeParamsMock.getAuthenticationService.mockReturnValue(mockAuthc);
+
+      const response = await routeHandler(getMockContext(), request, kibanaResponseFactory);
+
+      expect(response.status).toBe(200);
+      expect(routeParamsMock.analyticsService.reportAuthenticationTypeEvent).toHaveBeenCalledTimes(
+        1
+      );
+      expect(routeParamsMock.analyticsService.reportAuthenticationTypeEvent).toHaveBeenCalledWith({
+        authenticationProviderType: 'http',
+        authenticationRealmType: 'native',
+        httpAuthenticationScheme: 'ApiKey',
+      });
+      expect(routeParamsMock.logger.warn).toHaveBeenCalledTimes(1);
+      expect(routeParamsMock.logger.warn).toBeCalledWith(
+        'API keys are intended for programmatic access. Do not use API keys to authenticate access via a web browser.',
+        { tags: ['deprecation'] }
+      );
+    });
+
+    it('should not log a deprecation warning if other http auth scheme is being used for access via a web browser', async () => {
+      const request = httpServerMock.createKibanaRequest({
+        headers: { authorization: 'Basic' },
+      });
+
+      const mockAuthc = authenticationServiceMock.createStart();
+
+      mockAuthc.getCurrentUser.mockReturnValue(
+        mockAuthenticatedUser({
+          authentication_provider: { type: 'http', name: '__http__' },
+        })
+      );
+
+      routeParamsMock.getAuthenticationService.mockReturnValue(mockAuthc);
+
+      const response = await routeHandler(getMockContext(), request, kibanaResponseFactory);
+
+      expect(response.status).toBe(200);
+      expect(routeParamsMock.analyticsService.reportAuthenticationTypeEvent).toHaveBeenCalledTimes(
+        1
+      );
+      expect(routeParamsMock.analyticsService.reportAuthenticationTypeEvent).toHaveBeenCalledWith({
+        authenticationProviderType: 'http',
+        authenticationRealmType: 'native',
+        httpAuthenticationScheme: 'Basic',
+      });
+      expect(routeParamsMock.logger.warn).toHaveBeenCalledTimes(0);
+    });
+  });
 });

x-pack/plugins/security/server/routes/analytics/authentication_type.ts

@@ -8,6 +8,7 @@
 import { createHash } from 'crypto';
 
 import { schema } from '@kbn/config-schema';
+import type { Logger } from '@kbn/logging';
 
 import type { RouteDefinitionParams } from '..';
 import type { AuthenticationTypeAnalyticsEvent } from '../../analytics';
@@ -74,6 +75,11 @@ export function defineRecordAnalyticsOnAuthTypeRoutes({
           previouslyRegisteredSignature !== signature
         ) {
           analyticsService.reportAuthenticationTypeEvent(authTypeEventToReport);
+
+          logApiKeyWithInteractiveUserDeprecated(
+            authTypeEventToReport.httpAuthenticationScheme,
+            logger
+          );
         } else {
           timestamp = previousRegistrationTimestamp;
         }
@@ -88,3 +94,23 @@ export function defineRecordAnalyticsOnAuthTypeRoutes({
     })
   );
 }
+
+/**
+ * API Key authentication by interactive users is deprecated, this method logs a deprecation warning.
+ *
+ * @param httpAuthenticationScheme A string representing the authentication type event's scheme (ApiKey, etc.) by an interactive user.
+ * @param logger A reference to the Logger to log the deprecation message.
+ */
+function logApiKeyWithInteractiveUserDeprecated(
+  httpAuthenticationScheme: string = '',
+  logger: Logger
+): void {
+  const isUsingApiKey = httpAuthenticationScheme?.toLowerCase() === 'apikey';
+
+  if (isUsingApiKey) {
+    logger.warn(
+      `API keys are intended for programmatic access. Do not use API keys to authenticate access via a web browser.`,
+      { tags: ['deprecation'] }
+    );
+  }
+}