github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-24 01:38:56 -04:00
Code Issues Projects Releases Packages Wiki Activity

Move Kibana Security public types to separate packages (#171886)

Browse source 
## Summary

In this PR, I'm relocating all Kibana Security types (along with a few
schemas necessary for some of these types, unfortunately) that are part
of public contracts to separate packages. This change will enable any
plugin to utilize Security APIs via "static" or
["runtime"](https://github.com/elastic/kibana/pull/167113) dependencies,
regardless of whether Kibana Security already relies on these plugins or
not.

__NOTE TO REVIEWERS:__ I tried to minimize changes as much as I could
via moving only necessary types. I also didn't move deprecated parts of
the Setup/Start contracts to these new packages.

__Triggered by:__ https://github.com/elastic/kibana/pull/168910

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
This commit is contained in:
Aleh Zasypkin 2023-11-27 21:26:31 +01:00 committed by GitHub
parent bfb450e7ee
commit f7fa8469bd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
290 changed files with 2196 additions and 1299 deletions
Download patch file Download diff file Expand all files Collapse all files

3
.github/CODEOWNERS vendored
View file

@ -643,6 +643,9 @@ packages/kbn-search-response-warnings @elastic/kibana-data-discovery
x-pack/plugins/searchprofiler @elastic/platform-deployment-management
x-pack/test/security_api_integration/packages/helpers @elastic/kibana-security
x-pack/plugins/security @elastic/kibana-security
x-pack/packages/security/plugin_types_common @elastic/kibana-security
x-pack/packages/security/plugin_types_public @elastic/kibana-security
x-pack/packages/security/plugin_types_server @elastic/kibana-security
x-pack/plugins/security_solution_ess @elastic/security-solution
x-pack/packages/security-solution/features @elastic/security-threat-hunting-explore
x-pack/test/cases_api_integration/common/plugins/security_solution @elastic/response-ops

3
package.json
View file

@ -646,6 +646,9 @@
"@kbn/search-response-warnings": "link:packages/kbn-search-response-warnings",
"@kbn/searchprofiler-plugin": "link:x-pack/plugins/searchprofiler",
"@kbn/security-plugin": "link:x-pack/plugins/security",
"@kbn/security-plugin-types-common": "link:x-pack/packages/security/plugin_types_common",
"@kbn/security-plugin-types-public": "link:x-pack/packages/security/plugin_types_public",
"@kbn/security-plugin-types-server": "link:x-pack/packages/security/plugin_types_server",
"@kbn/security-solution-ess": "link:x-pack/plugins/security_solution_ess",
"@kbn/security-solution-features": "link:x-pack/packages/security-solution/features",
"@kbn/security-solution-fixtures-plugin": "link:x-pack/test/cases_api_integration/common/plugins/security_solution",

2
src/plugins/data/server/search/session/session_service.test.ts
View file

@ -18,7 +18,7 @@ import { createRequestHash } from './utils';
import moment from 'moment';
import { coreMock } from '@kbn/core/server/mocks';
import { ConfigSchema } from '../../../config';
import type { AuthenticatedUser } from '@kbn/security-plugin/common/model';
import type { AuthenticatedUser } from '@kbn/security-plugin/common';
import { SEARCH_SESSION_TYPE, SearchSessionStatus } from '../../../common';
import { elasticsearchServiceMock } from '@kbn/core/server/mocks';

2
src/plugins/image_embeddable/public/image_editor/configure_image.tsx
View file

@ -11,7 +11,7 @@ import { toMountPoint } from '@kbn/kibana-react-plugin/public';
import { FilesContext } from '@kbn/shared-ux-file-context';
import { skip, take, takeUntil } from 'rxjs/operators';
import { Subject } from 'rxjs';
import type { AuthenticatedUser } from '@kbn/security-plugin/common/model';
import type { AuthenticatedUser } from '@kbn/security-plugin/common';
import { ImageConfig } from '../types';
import { ImageEditorFlyout } from './image_editor_flyout';
import { ImageViewerContext } from '../image_viewer';

2
src/plugins/image_embeddable/public/image_editor/image_editor_flyout.tsx
View file

@ -34,7 +34,7 @@ import { FileUpload } from '@kbn/shared-ux-file-upload';
import { FilePicker } from '@kbn/shared-ux-file-picker';
import { i18n } from '@kbn/i18n';
import { FormattedMessage } from '@kbn/i18n-react';
import type { AuthenticatedUser } from '@kbn/security-plugin/common/model';
import type { AuthenticatedUser } from '@kbn/security-plugin/common';
import { FileImageMetadata, imageEmbeddableFileKind } from '../imports';
import { ImageConfig } from '../types';
import { ImageViewer } from '../image_viewer/image_viewer'; // use eager version to avoid flickering

2
src/plugins/image_embeddable/public/image_embeddable/image_embeddable_factory.tsx
View file

@ -8,7 +8,7 @@
import { i18n } from '@kbn/i18n';
import { IExternalUrl } from '@kbn/core-http-browser';
import type { AuthenticatedUser } from '@kbn/security-plugin/common/model';
import type { AuthenticatedUser } from '@kbn/security-plugin/common';
import {
IContainer,
EmbeddableInput,

6
tsconfig.base.json
View file

@ -1280,6 +1280,12 @@
"@kbn/security-api-integration-helpers/*": ["x-pack/test/security_api_integration/packages/helpers/*"],
"@kbn/security-plugin": ["x-pack/plugins/security"],
"@kbn/security-plugin/*": ["x-pack/plugins/security/*"],
"@kbn/security-plugin-types-common": ["x-pack/packages/security/plugin_types_common"],
"@kbn/security-plugin-types-common/*": ["x-pack/packages/security/plugin_types_common/*"],
"@kbn/security-plugin-types-public": ["x-pack/packages/security/plugin_types_public"],
"@kbn/security-plugin-types-public/*": ["x-pack/packages/security/plugin_types_public/*"],
"@kbn/security-plugin-types-server": ["x-pack/packages/security/plugin_types_server"],
"@kbn/security-plugin-types-server/*": ["x-pack/packages/security/plugin_types_server/*"],
"@kbn/security-solution-ess": ["x-pack/plugins/security_solution_ess"],
"@kbn/security-solution-ess/*": ["x-pack/plugins/security_solution_ess/*"],
"@kbn/security-solution-features": ["x-pack/packages/security-solution/features"],

4
x-pack/packages/security/plugin_types_common/README.md Normal file
View file

@ -0,0 +1,4 @@
# @kbn/security-plugin-types-common
Contains type definitions for the Kibana Security plugin (common).

29
x-pack/packages/security/plugin_types_common/index.ts Normal file
View file

@ -0,0 +1,29 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export type {
AuthenticatedUser,
UserRealm,
User,
AuthenticationProvider,
} from './src/authentication';
export type {
Role,
RoleIndexPrivilege,
RoleKibanaPrivilege,
RoleRemoteIndexPrivilege,
FeaturesPrivileges,
} from './src/authorization';
export type { SecurityLicense, SecurityLicenseFeatures, LoginLayout } from './src/licensing';
export type {
UserProfileUserInfo,
UserProfileData,
UserProfileLabels,
UserProfile,
UserProfileWithSecurity,
UserProfileUserInfoWithSecurity,
} from './src/user_profile';

5
x-pack/packages/security/plugin_types_common/kibana.jsonc Normal file
View file

@ -0,0 +1,5 @@
{
"type": "shared-common",
"id": "@kbn/security-plugin-types-common",
"owner": "@elastic/kibana-security"
}

6
x-pack/packages/security/plugin_types_common/package.json Normal file
View file

@ -0,0 +1,6 @@
{
"name": "@kbn/security-plugin-types-common",
"private": true,
"version": "1.0.0",
"license": "Elastic License 2.0"
}

61
x-pack/packages/security/plugin_types_common/src/authentication/authenticated_user.ts Normal file
View file

@ -0,0 +1,61 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import type { AuthenticationProvider } from './authentication_provider';
import type { User } from './user';
/**
* An Elasticsearch realm that was used to resolve and authenticate the user.
*/
export interface UserRealm {
/**
* Arbitrary name of the security realm.
*/
name: string;
/**
* Type of the security realm (file, native, saml etc.).
*/
type: string;
}
/**
* Represents the currently authenticated user.
*/
export interface AuthenticatedUser extends User {
/**
* The name and type of the Realm that has authenticated the user.
*/
authentication_realm: UserRealm;
/**
* The name and type of the Realm where the user information were retrieved from.
*/
lookup_realm: UserRealm;
/**
* The authentication provider that used to authenticate user.
*/
authentication_provider: AuthenticationProvider;
/**
* The AuthenticationType used by ES to authenticate the user.
*
* @example "realm" | "api_key" | "token" | "anonymous" | "internal"
*/
authentication_type: string;
/**
* Indicates whether user is authenticated via Elastic Cloud built-in SAML realm.
*/
elastic_cloud_user: boolean;
/**
* User profile ID of this user.
*/
profile_uid?: string;
}

20
x-pack/packages/security/plugin_types_common/src/authentication/authentication_provider.ts Normal file
View file

@ -0,0 +1,20 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
/**
* Type and name tuple to identify provider used to authenticate user.
*/
export interface AuthenticationProvider {
/**
* Type of the Kibana authentication provider.
*/
type: string;
/**
* Name of the Kibana authentication provider (arbitrary string).
*/
name: string;
}

10
x-pack/packages/security/plugin_types_common/src/authentication/index.ts Normal file
View file

@ -0,0 +1,10 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export type { AuthenticatedUser, UserRealm } from './authenticated_user';
export type { User } from './user';
export type { AuthenticationProvider } from './authentication_provider';

22
x-pack/packages/security/plugin_types_common/src/authentication/user.ts Normal file
View file

@ -0,0 +1,22 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
/**
* A set of fields describing Kibana user.
*/
export interface User {
username: string;
email?: string;
full_name?: string;
roles: readonly string[];
enabled: boolean;
metadata?: {
_reserved: boolean;
_deprecated?: boolean;
_deprecated_reason?: string;
};
}

0
x-pack/plugins/security/common/model/features_privileges.ts → x-pack/packages/security/plugin_types_common/src/authorization/features_privileges.ts
View file

14
x-pack/packages/security/plugin_types_common/src/authorization/index.ts Normal file
View file

@ -0,0 +1,14 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export type { FeaturesPrivileges } from './features_privileges';
export type {
Role,
RoleKibanaPrivilege,
RoleIndexPrivilege,
RoleRemoteIndexPrivilege,
} from './role';

48
x-pack/packages/security/plugin_types_common/src/authorization/role.ts Normal file
View file

@ -0,0 +1,48 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import type { FeaturesPrivileges } from './features_privileges';
export interface RoleIndexPrivilege {
names: string[];
privileges: string[];
field_security?: {
grant?: string[];
except?: string[];
};
query?: string;
}
export interface RoleRemoteIndexPrivilege extends RoleIndexPrivilege {
clusters: string[];
}
export interface RoleKibanaPrivilege {
spaces: string[];
base: string[];
feature: FeaturesPrivileges;
_reserved?: string[];
}
export interface Role {
name: string;
elasticsearch: {
cluster: string[];
indices: RoleIndexPrivilege[];
remote_indices?: RoleRemoteIndexPrivilege[];
run_as: string[];
};
kibana: RoleKibanaPrivilege[];
metadata?: {
[anyKey: string]: any;
};
transient_metadata?: {
[anyKey: string]: any;
};
_transform_error?: string[];
_unrecognized_applications?: string[];
}

9
x-pack/packages/security/plugin_types_common/src/licensing/index.ts Normal file
View file

@ -0,0 +1,9 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export type { SecurityLicense } from './license';
export type { LoginLayout, SecurityLicenseFeatures } from './license_features';

20
x-pack/packages/security/plugin_types_common/src/licensing/license.ts Normal file
View file

@ -0,0 +1,20 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import type { Observable } from 'rxjs';
import type { LicenseType } from '@kbn/licensing-plugin/common/types';
import type { SecurityLicenseFeatures } from './license_features';
export interface SecurityLicense {
isLicenseAvailable(): boolean;
isEnabled(): boolean;
getFeatures(): SecurityLicenseFeatures;
hasAtLeast(licenseType: LicenseType): boolean | undefined;
features$: Observable<SecurityLicenseFeatures>;
}

0
x-pack/plugins/security/common/licensing/license_features.ts → x-pack/packages/security/plugin_types_common/src/licensing/license_features.ts
View file

15
x-pack/packages/security/plugin_types_common/src/user_profile/index.ts Normal file
View file

@ -0,0 +1,15 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export type {
UserProfileUserInfo,
UserProfileData,
UserProfileLabels,
UserProfileUserInfoWithSecurity,
UserProfile,
UserProfileWithSecurity,
} from './user_profile';

106
x-pack/packages/security/plugin_types_common/src/user_profile/user_profile.ts Normal file
View file

@ -0,0 +1,106 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
/**
* IMPORTANT:
*
* The types in this file are duplicated at
* `packages/kbn-user-profile-components/src/user_profile.ts`
*
* When making changes please ensure to keep both files in sync.
*/
/**
* Describes basic properties stored in user profile.
*/
export interface UserProfile<D extends UserProfileData = UserProfileData> {
/**
* Unique ID for of the user profile.
*/
uid: string;
/**
* Indicates whether user profile is enabled or not.
*/
enabled: boolean;
/**
* Information about the user that owns profile.
*/
user: UserProfileUserInfo;
/**
* User specific data associated with the profile.
*/
data: Partial<D>;
}
/**
* Basic user information returned in user profile.
*/
export interface UserProfileUserInfo {
/**
* Username of the user.
*/
username: string;
/**
* Optional email of the user.
*/
email?: string;
/**
* Optional full name of the user.
*/
full_name?: string;
}
/**
* Placeholder for data stored in user profile.
*/
export type UserProfileData = Record<string, unknown>;
/**
* Type of the user profile labels structure (currently
*/
export type UserProfileLabels = Record<string, string>;
/**
* Extended user information returned in user profile (both basic and security related properties).
*/
export interface UserProfileUserInfoWithSecurity extends UserProfileUserInfo {
/**
* List of the user roles.
*/
roles: readonly string[];
/**
* Name of the Elasticsearch security realm that was used to authenticate user.
*/
realm_name: string;
/**
* Optional name of the security domain that Elasticsearch security realm that was
* used to authenticate user resides in (if any).
*/
realm_domain?: string;
}
/**
* Describes all properties stored in user profile (both basic and security related properties).
*/
export interface UserProfileWithSecurity<
D extends UserProfileData = UserProfileData,
L extends UserProfileLabels = UserProfileLabels
> extends UserProfile<D> {
/**
* Information about the user that owns profile.
*/
user: UserProfileUserInfoWithSecurity;
/**
* User specific _searchable_ labels associated with the profile. Note that labels are considered
* security related field since it's going to be used to store user's space ID.
*/
labels: L;
}

15
x-pack/packages/security/plugin_types_common/tsconfig.json Normal file
View file

@ -0,0 +1,15 @@
{
"extends": "../../../../tsconfig.base.json",
"compilerOptions": {
"outDir": "target/types"
},
"include": [
"**/*.ts",
],
"exclude": [
"target/**/*"
],
"kbn_references": [
"@kbn/licensing-plugin"
]
}

4
x-pack/packages/security/plugin_types_public/README.md Normal file
View file

@ -0,0 +1,4 @@
# @kbn/security-plugin-types-public
Contains type definitions for the Kibana Security plugin (public).

17
x-pack/packages/security/plugin_types_public/index.ts Normal file
View file

@ -0,0 +1,17 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export type { AuthenticationServiceStart, AuthenticationServiceSetup } from './src/authentication';
export type { UserMenuLink, SecurityNavControlServiceStart } from './src/nav_control';
export type { SecurityPluginSetup, SecurityPluginStart } from './src/plugin';
export type {
GetUserProfileResponse,
UserProfileGetCurrentParams,
UserProfileBulkGetParams,
UserProfileSuggestParams,
UserProfileAPIClient,
} from './src/user_profile';

5
x-pack/packages/security/plugin_types_public/kibana.jsonc Normal file
View file

@ -0,0 +1,5 @@
{
"type": "shared-browser",
"id": "@kbn/security-plugin-types-public",
"owner": "@elastic/kibana-security"
}

6
x-pack/packages/security/plugin_types_public/package.json Normal file
View file

@ -0,0 +1,6 @@
{
"name": "@kbn/security-plugin-types-public",
"private": true,
"version": "1.0.0",
"license": "Elastic License 2.0"
}

25
x-pack/packages/security/plugin_types_public/src/authentication/authentication_service.ts Normal file
View file

@ -0,0 +1,25 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import type { AuthenticatedUser } from '@kbn/security-plugin-types-common';
export interface AuthenticationServiceSetup {
/**
* Returns currently authenticated user and throws if current user isn't authenticated.
*/
getCurrentUser: () => Promise<AuthenticatedUser>;
/**
* Determines if API Keys are currently enabled.
*/
areAPIKeysEnabled: () => Promise<boolean>;
}
/**
* Start has the same contract as Setup for now.
*/
export type AuthenticationServiceStart = AuthenticationServiceSetup;

11
x-pack/packages/security/plugin_types_public/src/authentication/index.ts Normal file
View file

@ -0,0 +1,11 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export type {
AuthenticationServiceSetup,
AuthenticationServiceStart,
} from './authentication_service';

8
x-pack/packages/security/plugin_types_public/src/nav_control/index.ts Normal file
View file

@ -0,0 +1,8 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export type { UserMenuLink, SecurityNavControlServiceStart } from './nav_control_service';

32
x-pack/packages/security/plugin_types_public/src/nav_control/nav_control_service.ts Normal file
View file

@ -0,0 +1,32 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import type { IconType } from '@elastic/eui';
import type { ReactNode } from 'react';
import type { Observable } from 'rxjs';
export interface UserMenuLink {
label: string;
iconType: IconType;
href: string;
order?: number;
setAsProfile?: boolean;
/** Render a custom ReactNode instead of the default <EuiContextMenuItem /> */
content?: ReactNode;
}
export interface SecurityNavControlServiceStart {
/**
* Returns an Observable of the array of user menu links (the links that show up under the user's Avatar in the UI) registered by other plugins
*/
getUserMenuLinks$: () => Observable<UserMenuLink[]>;
/**
* Registers the provided user menu links to be displayed in the user menu (the links that show up under the user's Avatar in the UI).
*/
addUserMenuLinks: (newUserMenuLink: UserMenuLink[]) => void;
}

37
x-pack/packages/security/plugin_types_public/src/plugin.ts Normal file
View file

@ -0,0 +1,37 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import type { SecurityLicense } from '@kbn/security-plugin-types-common';
import type { AuthenticationServiceSetup, AuthenticationServiceStart } from './authentication';
import type { SecurityNavControlServiceStart } from './nav_control';
import type { UserProfileAPIClient } from './user_profile';
export interface SecurityPluginSetup {
/**
* Exposes authentication information about the currently logged in user.
*/
authc: AuthenticationServiceSetup;
/**
* Exposes information about the available security features under the current license.
*/
license: SecurityLicense;
}
export interface SecurityPluginStart {
/**
* Exposes the ability to add custom links to the dropdown menu in the top right, where the user's Avatar is.
*/
navControlService: SecurityNavControlServiceStart;
/**
* Exposes authentication information about the currently logged in user.
*/
authc: AuthenticationServiceStart;
/**
* A set of methods to work with Kibana user profiles.
*/
userProfiles: UserProfileAPIClient;
}

14
x-pack/packages/security/plugin_types_public/src/user_profile/index.ts Normal file
View file

@ -0,0 +1,14 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export type {
GetUserProfileResponse,
UserProfileAPIClient,
UserProfileGetCurrentParams,
UserProfileBulkGetParams,
UserProfileSuggestParams,
} from './user_profile_api_client';

123
x-pack/packages/security/plugin_types_public/src/user_profile/user_profile_api_client.ts Normal file
View file

@ -0,0 +1,123 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import type {
UserProfileData,
AuthenticatedUser,
UserProfileWithSecurity,
UserProfile,
} from '@kbn/security-plugin-types-common';
import type { Observable } from 'rxjs';
export interface UserProfileAPIClient {
readonly userProfile$: Observable<UserProfileData | null>;
/**
* Retrieves the user profile of the current user. If the profile isn't available, e.g. for the anonymous users or
* users authenticated via authenticating proxies, the `null` value is returned.
* @param [params] Get current user profile operation parameters.
* @param params.dataPath By default `getCurrent()` returns user information, but does not return any user data. The
* optional "dataPath" parameter can be used to return personal data for this user.
*/
getCurrent<D extends UserProfileData>(
params?: UserProfileGetCurrentParams
): Promise<GetUserProfileResponse<D>>;
/**
* Retrieves multiple user profiles by their identifiers.
* @param params Bulk get operation parameters.
* @param params.uids List of user profile identifiers.
* @param params.dataPath By default Elasticsearch returns user information, but does not return any user data. The
* optional "dataPath" parameter can be used to return personal data for the requested user profiles.
*/
bulkGet<D extends UserProfileData>(
params: UserProfileBulkGetParams
): Promise<Array<UserProfile<D>>>;
/**
* Suggests multiple user profiles by search criteria.
*
* Note: This endpoint is not provided out-of-the-box by the platform. You need to expose your own
* version within your app. An example of how to do this can be found in:
* `examples/user_profile_examples/server/plugin.ts`
*
* @param path Path to your app's suggest endpoint.
* @param params Suggest operation parameters.
* @param params.name Query string used to match name-related fields in user profiles. The
* following fields are treated as name-related: username, full_name and email.
* @param params.size Desired number of suggestions to return. The default value is 10.
* @param params.dataPath By default, suggest API returns user information, but does not return
* any user data. The optional "dataPath" parameter can be used to return personal data for this
* user (within `kibana` namespace only).
*/
suggest<D extends UserProfileData>(
path: string,
params: UserProfileSuggestParams
): Promise<Array<UserProfile<D>>>;
/**
* Updates user profile data of the current user.
* @param data Application data to be written (merged with existing data).
*/
update<D extends UserProfileData>(data: D): Promise<void>;
}
/**
* Parameters for the get user profile for the current user API.
*/
export interface UserProfileGetCurrentParams {
/**
* By default, get API returns user information, but does not return any user data. The optional "dataPath"
* parameter can be used to return personal data for this user (within `kibana` namespace only).
*/
dataPath: string;
}
export interface GetUserProfileResponse<D extends UserProfileData = UserProfileData>
extends UserProfileWithSecurity<D> {
/**
* Information about the currently authenticated user that owns the profile.
*/
user: UserProfileWithSecurity['user'] & Pick<AuthenticatedUser, 'authentication_provider'>;
}
/**
* Parameters for the bulk get API.
*/
export interface UserProfileBulkGetParams {
/**
* List of user profile identifiers.
*/
uids: Set<string>;
/**
* By default, suggest API returns user information, but does not return any user data. The optional "dataPath"
* parameter can be used to return personal data for this user (within `kibana` namespace only).
*/
dataPath?: string;
}
/**
* Parameters for the suggest API.
*/
export interface UserProfileSuggestParams {
/**
* Query string used to match name-related fields in user profiles. The following fields are treated as
* name-related: username, full_name and email.
*/
name: string;
/**
* Desired number of suggestions to return. The default value is 10.
*/
size?: number;
/**
* By default, suggest API returns user information, but does not return any user data. The optional "dataPath"
* parameter can be used to return personal data for this user (within `kibana` namespace only).
*/
dataPath?: string;
}

15
x-pack/packages/security/plugin_types_public/tsconfig.json Normal file
View file

@ -0,0 +1,15 @@
{
"extends": "../../../../tsconfig.base.json",
"compilerOptions": {
"outDir": "target/types"
},
"include": [
"**/*.ts",
],
"exclude": [
"target/**/*"
],
"kbn_references": [
"@kbn/security-plugin-types-common"
]
}

4
x-pack/packages/security/plugin_types_server/README.md Normal file
View file

@ -0,0 +1,4 @@
# @kbn/security-plugin-types-server
Contains type definitions for the Kibana Security plugin (server).

74
x-pack/packages/security/plugin_types_server/index.ts Normal file
View file

@ -0,0 +1,74 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export type {
AuditEvent,
AuditHttp,
AuditKibana,
AuditRequest,
AuditServiceSetup,
AuditLogger,
} from './src/audit';
export type {
CreateAPIKeyParams,
CreateAPIKeyResult,
CreateRestAPIKeyParams,
GrantAPIKeyResult,
InvalidateAPIKeysParams,
ValidateAPIKeyParams,
CreateRestAPIKeyWithKibanaPrivilegesParams,
CreateCrossClusterAPIKeyParams,
InvalidateAPIKeyResult,
APIKeys,
AuthenticationServiceStart,
} from './src/authentication';
export type {
PrivilegeDeprecationsService,
PrivilegeDeprecationsRolesByFeatureIdResponse,
PrivilegeDeprecationsRolesByFeatureIdRequest,
CheckPrivilegesResponse,
CheckPrivilegesWithRequest,
CheckSavedObjectsPrivilegesWithRequest,
CheckPrivilegesDynamicallyWithRequest,
KibanaPrivilegesType,
SavedObjectActions,
UIActions,
CheckPrivilegesPayload,
CheckSavedObjectsPrivileges,
HasPrivilegesResponse,
HasPrivilegesResponseApplication,
SpaceActions,
Actions,
CheckPrivilegesOptions,
CheckUserProfilesPrivilegesPayload,
CheckUserProfilesPrivilegesResponse,
ElasticsearchPrivilegesType,
CasesActions,
CheckPrivileges,
AlertingActions,
AppActions,
ApiActions,
CheckPrivilegesDynamically,
CheckUserProfilesPrivileges,
AuthorizationMode,
AuthorizationServiceSetup,
} from './src/authorization';
export type { SecurityPluginSetup, SecurityPluginStart } from './src/plugin';
export type {
UserProfileServiceStart,
UserProfileSuggestParams,
UserProfileGetCurrentParams,
UserProfileBulkGetParams,
UserProfileRequiredPrivileges,
} from './src/user_profile';
export {
restApiKeySchema,
getRestApiKeyWithKibanaPrivilegesSchema,
crossClusterApiKeySchema,
} from './src/authentication';
export { GLOBAL_RESOURCE, elasticsearchRoleSchema, getKibanaRoleSchema } from './src/authorization';

5
x-pack/packages/security/plugin_types_server/kibana.jsonc Normal file
View file

@ -0,0 +1,5 @@
{
"type": "shared-server",
"id": "@kbn/security-plugin-types-server",
"owner": "@elastic/kibana-security"
}

6
x-pack/packages/security/plugin_types_server/package.json Normal file
View file

@ -0,0 +1,6 @@
{
"name": "@kbn/security-plugin-types-server",
"private": true,
"version": "1.0.0",
"license": "Elastic License 2.0"
}

112
x-pack/packages/security/plugin_types_server/src/audit/audit_events.ts Normal file
View file

@ -0,0 +1,112 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import type { LogMeta } from '@kbn/core/server';
/**
* Audit kibana schema using ECS format
*/
export interface AuditKibana {
/**
* The ID of the space associated with this event.
*/
space_id?: string;
/**
* The ID of the user session associated with this event. Each login attempt
* results in a unique session id.
*/
session_id?: string;
/**
* Saved object that was created, changed, deleted or accessed as part of this event.
*/
saved_object?: {
type: string;
id: string;
};
/**
* Name of authentication provider associated with a login event.
*/
authentication_provider?: string;
/**
* Type of authentication provider associated with a login event.
*/
authentication_type?: string;
/**
* Name of Elasticsearch realm that has authenticated the user.
*/
authentication_realm?: string;
/**
* Name of Elasticsearch realm where the user details were retrieved from.
*/
lookup_realm?: string;
/**
* Set of space IDs that a saved object was shared to.
*/
add_to_spaces?: readonly string[];
/**
* Set of space IDs that a saved object was removed from.
*/
delete_from_spaces?: readonly string[];
/**
* Set of space IDs that are not authorized for an action.
*/
unauthorized_spaces?: readonly string[];
/**
* Set of types that are not authorized for an action.
*/
unauthorized_types?: readonly string[];
}
type EcsHttp = Required<LogMeta>['http'];
type EcsRequest = Required<EcsHttp>['request'];
/**
* Audit request schema using ECS format
*/
export interface AuditRequest extends EcsRequest {
/**
* HTTP request headers
*/
headers?: {
'x-forwarded-for'?: string;
};
}
/**
* Audit http schema using ECS format
*/
export interface AuditHttp extends EcsHttp {
/**
* HTTP request details
*/
request?: AuditRequest;
}
/**
* Audit event schema using ECS format: https://www.elastic.co/guide/en/ecs/1.12/index.html
*
* If you add additional fields to the schema ensure you update the Kibana Filebeat module:
* https://github.com/elastic/beats/tree/master/filebeat/module/kibana
*
* @public
*/
export interface AuditEvent extends LogMeta {
/**
* Log message
*/
message: string;
/**
* Kibana specific fields
*/
kibana?: AuditKibana;
/**
* Fields describing an HTTP request
*/
http?: AuditHttp;
}

42
x-pack/packages/security/plugin_types_server/src/audit/audit_logger.ts Normal file
View file

@ -0,0 +1,42 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import type { AuditEvent } from './audit_events';
export interface AuditLogger {
/**
* Logs an {@link AuditEvent} and automatically adds meta data about the
* current user, space and correlation id.
*
* Guidelines around what events should be logged and how they should be
* structured can be found in: `/x-pack/plugins/security/README.md`
*
* @example
* ```typescript
* const auditLogger = securitySetup.audit.asScoped(request);
* auditLogger.log({
* message: 'User is updating dashboard [id=123]',
* event: {
* action: 'saved_object_update',
* outcome: 'unknown'
* },
* kibana: {
* saved_object: { type: 'dashboard', id: '123' }
* },
* });
* ```
*/
log: (event: AuditEvent | undefined) => void;
/**
* Indicates whether audit logging is enabled or not.
*
* Useful for skipping resource-intense operations that don't need to be performed when audit
* logging is disabled.
*/
readonly enabled: boolean;
}

39
x-pack/packages/security/plugin_types_server/src/audit/audit_service.ts Normal file
View file

@ -0,0 +1,39 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import type { KibanaRequest } from '@kbn/core/server';
import type { AuditLogger } from './audit_logger';
export interface AuditServiceSetup {
/**
* Creates an {@link AuditLogger} scoped to the current request.
*
* This audit logger logs events with all required user and session info and should be used for
* all user-initiated actions.
*
* @example
* ```typescript
* const auditLogger = securitySetup.audit.asScoped(request);
* auditLogger.log(event);
* ```
*/
asScoped: (request: KibanaRequest) => AuditLogger;
/**
* {@link AuditLogger} for background tasks only.
*
* This audit logger logs events without any user or session info and should never be used to log
* user-initiated actions.
*
* @example
* ```typescript
* securitySetup.audit.withoutRequest.log(event);
* ```
*/
withoutRequest: AuditLogger;
}

10
x-pack/packages/security/plugin_types_server/src/audit/index.ts Normal file
View file

@ -0,0 +1,10 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export type { AuditServiceSetup } from './audit_service';
export type { AuditEvent, AuditHttp, AuditKibana, AuditRequest } from './audit_events';
export type { AuditLogger } from './audit_logger';

201
x-pack/packages/security/plugin_types_server/src/authentication/api_keys/api_keys.ts Normal file
View file

@ -0,0 +1,201 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import type { estypes } from '@elastic/elasticsearch';
import type { KibanaRequest } from '@kbn/core/server';
import { schema, TypeOf } from '@kbn/config-schema';
import { getKibanaRoleSchema, elasticsearchRoleSchema } from '../../authorization';
export interface APIKeys {
/**
* Determines if API Keys are enabled in Elasticsearch.
*/
areAPIKeysEnabled(): Promise<boolean>;
/**
* Determines if Cross-Cluster API Keys are enabled in Elasticsearch.
*/
areCrossClusterAPIKeysEnabled(): Promise<boolean>;
/**
* Tries to create an API key for the current user.
*
* Returns newly created API key or `null` if API keys are disabled.
*
* User needs `manage_api_key` privilege to create REST API keys and `manage_security` for Cross-Cluster API keys.
*
* @param request Request instance.
* @param createParams The params to create an API key
*/
create(
request: KibanaRequest,
createParams: CreateAPIKeyParams
): Promise<CreateAPIKeyResult | null>;
/**
* Tries to grant an API key for the current user.
* @param request Request instance.
* @param createParams Create operation parameters.
*/
grantAsInternalUser(
request: KibanaRequest,
createParams: CreateRestAPIKeyParams | CreateRestAPIKeyWithKibanaPrivilegesParams
): Promise<GrantAPIKeyResult | null>;
/**
* Tries to validate an API key.
* @param apiKeyPrams ValidateAPIKeyParams.
*/
validate(apiKeyPrams: ValidateAPIKeyParams): Promise<boolean>;
/**
* Tries to invalidate an API keys.
* @param request Request instance.
* @param params The params to invalidate an API keys.
*/
invalidate(
request: KibanaRequest,
params: InvalidateAPIKeysParams
): Promise<InvalidateAPIKeyResult | null>;
/**
* Tries to invalidate the API keys by using the internal user.
* @param params The params to invalidate the API keys.
*/
invalidateAsInternalUser(params: InvalidateAPIKeysParams): Promise<InvalidateAPIKeyResult | null>;
}
export type CreateAPIKeyParams =
| CreateRestAPIKeyParams
| CreateRestAPIKeyWithKibanaPrivilegesParams
| CreateCrossClusterAPIKeyParams;
/**
* Response of Kibana Create API key endpoint.
*/
export type CreateAPIKeyResult = estypes.SecurityCreateApiKeyResponse;
export type CreateRestAPIKeyParams = TypeOf<typeof restApiKeySchema>;
export type CreateRestAPIKeyWithKibanaPrivilegesParams = TypeOf<
ReturnType<typeof getRestApiKeyWithKibanaPrivilegesSchema>
>;
export type CreateCrossClusterAPIKeyParams = TypeOf<typeof crossClusterApiKeySchema>;
export interface GrantAPIKeyResult {
/**
* Unique id for this API key
*/
id: string;
/**
* Name for this API key
*/
name: string;
/**
* Generated API key
*/
api_key: string;
}
/**
* Represents the parameters for validating API Key credentials.
*/
export interface ValidateAPIKeyParams {
/**
* Unique id for this API key
*/
id: string;
/**
* Generated API Key (secret)
*/
api_key: string;
}
/**
* Represents the params for invalidating multiple API keys
*/
export interface InvalidateAPIKeysParams {
ids: string[];
}
/**
* The return value when invalidating an API key in Elasticsearch.
*/
export interface InvalidateAPIKeyResult {
/**
* The IDs of the API keys that were invalidated as part of the request.
*/
invalidated_api_keys: string[];
/**
* The IDs of the API keys that were already invalidated.
*/
previously_invalidated_api_keys: string[];
/**
* The number of errors that were encountered when invalidating the API keys.
*/
error_count: number;
/**
* Details about these errors. This field is not present in the response when error_count is 0.
*/
error_details?: Array<{
type?: string;
reason?: string;
caused_by?: {
type?: string;
reason?: string;
};
}>;
}
export const restApiKeySchema = schema.object({
type: schema.maybe(schema.literal('rest')),
name: schema.string(),
expiration: schema.maybe(schema.string()),
role_descriptors: schema.recordOf(schema.string(), schema.object({}, { unknowns: 'allow' }), {
defaultValue: {},
}),
metadata: schema.maybe(schema.object({}, { unknowns: 'allow' })),
});
export const getRestApiKeyWithKibanaPrivilegesSchema = (
getBasePrivilegeNames: Parameters<typeof getKibanaRoleSchema>[0]
) =>
restApiKeySchema.extends({
role_descriptors: null,
kibana_role_descriptors: schema.recordOf(
schema.string(),
schema.object({
elasticsearch: elasticsearchRoleSchema.extends({}, { unknowns: 'allow' }),
kibana: getKibanaRoleSchema(getBasePrivilegeNames),
})
),
});
export const crossClusterApiKeySchema = restApiKeySchema.extends({
type: schema.literal('cross_cluster'),
role_descriptors: null,
access: schema.object(
{
search: schema.maybe(
schema.arrayOf(
schema.object({
names: schema.arrayOf(schema.string()),
})
)
),
replication: schema.maybe(
schema.arrayOf(
schema.object({
names: schema.arrayOf(schema.string()),
})
)
),
},
{ unknowns: 'allow' }
),
});

24
x-pack/packages/security/plugin_types_server/src/authentication/api_keys/index.ts Normal file
View file

@ -0,0 +1,24 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export type {
CreateAPIKeyParams,
CreateAPIKeyResult,
InvalidateAPIKeyResult,
InvalidateAPIKeysParams,
ValidateAPIKeyParams,
CreateRestAPIKeyParams,
CreateRestAPIKeyWithKibanaPrivilegesParams,
CreateCrossClusterAPIKeyParams,
GrantAPIKeyResult,
APIKeys,
} from './api_keys';
export {
crossClusterApiKeySchema,
getRestApiKeyWithKibanaPrivilegesSchema,
restApiKeySchema,
} from './api_keys';

19
x-pack/packages/security/plugin_types_server/src/authentication/authentication_service.ts Normal file
View file

@ -0,0 +1,19 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import type { KibanaRequest } from '@kbn/core/server';
import type { AuthenticatedUser } from '@kbn/security-plugin-types-common';
import type { APIKeys } from './api_keys';
/**
* Authentication services available on the security plugin's start contract.
*/
export interface AuthenticationServiceStart {
apiKeys: APIKeys;
getCurrentUser: (request: KibanaRequest) => AuthenticatedUser | null;
}

25
x-pack/packages/security/plugin_types_server/src/authentication/index.ts Normal file
View file

@ -0,0 +1,25 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export type {
CreateAPIKeyParams,
CreateAPIKeyResult,
CreateRestAPIKeyParams,
CreateRestAPIKeyWithKibanaPrivilegesParams,
CreateCrossClusterAPIKeyParams,
InvalidateAPIKeyResult,
InvalidateAPIKeysParams,
ValidateAPIKeyParams,
APIKeys,
GrantAPIKeyResult,
} from './api_keys';
export type { AuthenticationServiceStart } from './authentication_service';
export {
restApiKeySchema,
getRestApiKeyWithKibanaPrivilegesSchema,
crossClusterApiKeySchema,
} from './api_keys';

29
x-pack/packages/security/plugin_types_server/src/authorization/actions/actions.ts Normal file
View file

@ -0,0 +1,29 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import type { AlertingActions } from './alerting';
import type { ApiActions } from './api';
import type { AppActions } from './app';
import type { CasesActions } from './cases';
import type { SavedObjectActions } from './saved_object';
import type { SpaceActions } from './space';
import type { UIActions } from './ui';
/** Actions are used to create the "actions" that are associated with Elasticsearch's
* application privileges, and are used to perform the authorization checks implemented
* by the various `checkPrivilegesWithRequest` derivatives.
*/
export interface Actions {
readonly api: ApiActions;
readonly app: AppActions;
readonly cases: CasesActions;
readonly login: string;
readonly savedObject: SavedObjectActions;
readonly alerting: AlertingActions;
readonly space: SpaceActions;
readonly ui: UIActions;
}

10
x-pack/packages/security/plugin_types_server/src/authorization/actions/alerting.ts Normal file
View file

@ -0,0 +1,10 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export interface AlertingActions {
get(ruleTypeId: string, consumer: string, alertingEntity: string, operation: string): string;
}

10
x-pack/packages/security/plugin_types_server/src/authorization/actions/api.ts Normal file
View file

@ -0,0 +1,10 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export interface ApiActions {
get(operation: string): string;
}

10
x-pack/packages/security/plugin_types_server/src/authorization/actions/app.ts Normal file
View file

@ -0,0 +1,10 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export interface AppActions {
get(operation: string): string;
}

10
x-pack/packages/security/plugin_types_server/src/authorization/actions/cases.ts Normal file
View file

@ -0,0 +1,10 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export interface CasesActions {
get(owner: string, operation: string): string;
}

15
x-pack/packages/security/plugin_types_server/src/authorization/actions/index.ts Normal file
View file

@ -0,0 +1,15 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export type { Actions } from './actions';
export type { AlertingActions } from './alerting';
export type { ApiActions } from './api';
export type { AppActions } from './app';
export type { CasesActions } from './cases';
export type { SavedObjectActions } from './saved_object';
export type { SpaceActions } from './space';
export type { UIActions } from './ui';

10
x-pack/packages/security/plugin_types_server/src/authorization/actions/saved_object.ts Normal file
View file

@ -0,0 +1,10 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export interface SavedObjectActions {
get(type: string, operation: string): string;
}

10
x-pack/packages/security/plugin_types_server/src/authorization/actions/space.ts Normal file
View file

@ -0,0 +1,10 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export interface SpaceActions {
manage: string;
}

12
x-pack/packages/security/plugin_types_server/src/authorization/actions/ui.ts Normal file
View file

@ -0,0 +1,12 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import type { Capabilities as UICapabilities } from '@kbn/core/server';
export interface UIActions {
get(featureId: keyof UICapabilities, ...uiCapabilityParts: string[]): string;
}

28
x-pack/packages/security/plugin_types_server/src/authorization/authorization_service.ts Normal file
View file

@ -0,0 +1,28 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import type { Actions } from './actions';
import type { CheckPrivilegesWithRequest } from './check_privileges';
import type { CheckPrivilegesDynamicallyWithRequest } from './check_privileges_dynamically';
import type { CheckSavedObjectsPrivilegesWithRequest } from './check_saved_objects_privileges';
import type { AuthorizationMode } from './mode';
/**
* Authorization services available on the setup contract of the security plugin.
*/
export interface AuthorizationServiceSetup {
/**
* Actions are used to create the "actions" that are associated with Elasticsearch's
* application privileges, and are used to perform the authorization checks implemented
* by the various `checkPrivilegesWithRequest` derivatives.
*/
actions: Actions;
checkPrivilegesWithRequest: CheckPrivilegesWithRequest;
checkPrivilegesDynamicallyWithRequest: CheckPrivilegesDynamicallyWithRequest;
checkSavedObjectsPrivilegesWithRequest: CheckSavedObjectsPrivilegesWithRequest;
mode: AuthorizationMode;
}

0
x-pack/plugins/security/server/authorization/types.ts → x-pack/packages/security/plugin_types_server/src/authorization/check_privileges.ts
View file

22
x-pack/packages/security/plugin_types_server/src/authorization/check_privileges_dynamically.ts Normal file
View file

@ -0,0 +1,22 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import type { KibanaRequest } from '@kbn/core/server';
import type {
CheckPrivilegesPayload,
CheckPrivilegesOptions,
CheckPrivilegesResponse,
} from './check_privileges';
export type CheckPrivilegesDynamically = (
privileges: CheckPrivilegesPayload,
options?: CheckPrivilegesOptions
) => Promise<CheckPrivilegesResponse>;
export type CheckPrivilegesDynamicallyWithRequest = (
request: KibanaRequest
) => CheckPrivilegesDynamically;

18
x-pack/packages/security/plugin_types_server/src/authorization/check_saved_objects_privileges.ts Normal file
View file

@ -0,0 +1,18 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import type { KibanaRequest } from '@kbn/core/server';
import type { CheckPrivilegesResponse } from './check_privileges';
export type CheckSavedObjectsPrivilegesWithRequest = (
request: KibanaRequest
) => CheckSavedObjectsPrivileges;
export type CheckSavedObjectsPrivileges = (
actions: string | string[],
namespaceOrNamespaces?: string | Array<undefined | string>
) => Promise<CheckPrivilegesResponse>;

8
x-pack/packages/security/plugin_types_server/src/authorization/constants.ts Normal file
View file

@ -0,0 +1,8 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export const GLOBAL_RESOURCE = '*';

2
x-pack/plugins/security/common/model/deprecations.ts → x-pack/packages/security/plugin_types_server/src/authorization/deprecations.ts
View file

@ -7,7 +7,7 @@
import type { DeprecationsDetails, GetDeprecationsContext } from '@kbn/core/server';
import type { Role } from './role';
import type { Role } from '@kbn/security-plugin-types-common';
export interface PrivilegeDeprecationsRolesByFeatureIdResponse {
roles?: Role[];

48
x-pack/packages/security/plugin_types_server/src/authorization/index.ts Normal file
View file

@ -0,0 +1,48 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export type {
Actions,
ApiActions,
AppActions,
AlertingActions,
CasesActions,
SavedObjectActions,
SpaceActions,
UIActions,
} from './actions';
export type { AuthorizationServiceSetup } from './authorization_service';
export type {
CheckPrivilegesOptions,
CheckPrivilegesResponse,
CheckPrivilegesWithRequest,
CheckPrivilegesPayload,
CheckPrivileges,
HasPrivilegesResponse,
HasPrivilegesResponseApplication,
CheckUserProfilesPrivilegesPayload,
CheckUserProfilesPrivilegesResponse,
CheckUserProfilesPrivileges,
} from './check_privileges';
export type {
CheckPrivilegesDynamically,
CheckPrivilegesDynamicallyWithRequest,
} from './check_privileges_dynamically';
export type {
CheckSavedObjectsPrivileges,
CheckSavedObjectsPrivilegesWithRequest,
} from './check_saved_objects_privileges';
export type {
PrivilegeDeprecationsService,
PrivilegeDeprecationsRolesByFeatureIdRequest,
PrivilegeDeprecationsRolesByFeatureIdResponse,
} from './deprecations';
export type { AuthorizationMode } from './mode';
export type { ElasticsearchPrivilegesType, KibanaPrivilegesType } from './role_schema';
export { GLOBAL_RESOURCE } from './constants';
export { elasticsearchRoleSchema, getKibanaRoleSchema } from './role_schema';

12
x-pack/packages/security/plugin_types_server/src/authorization/mode.ts Normal file
View file

@ -0,0 +1,12 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import type { KibanaRequest } from '@kbn/core/server';
export interface AuthorizationMode {
useRbacForRequest(request: KibanaRequest): boolean;
}

2
x-pack/plugins/security/server/lib/role_schema.ts → x-pack/packages/security/plugin_types_server/src/authorization/role_schema.ts
View file

@ -9,7 +9,7 @@ import _ from 'lodash';
import type { TypeOf } from '@kbn/config-schema';
import { schema } from '@kbn/config-schema';
import { GLOBAL_RESOURCE } from '../../common/constants';
import { GLOBAL_RESOURCE } from './constants';
/**
* Elasticsearch specific portion of the role definition.

48
x-pack/packages/security/plugin_types_server/src/plugin.ts Normal file
View file

@ -0,0 +1,48 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import type { SecurityLicense } from '@kbn/security-plugin-types-common';
import type { AuditServiceSetup } from './audit';
import type { PrivilegeDeprecationsService, AuthorizationServiceSetup } from './authorization';
import type { AuthenticationServiceStart } from './authentication';
import type { UserProfileServiceStart } from './user_profile';
/**
* Describes public Security plugin contract returned at the `setup` stage.
*/
export interface SecurityPluginSetup {
/**
* Exposes information about the available security features under the current license.
*/
license: SecurityLicense;
/**
* Exposes services for audit logging.
*/
audit: AuditServiceSetup;
/**
* Exposes services to access kibana roles per feature id with the GetDeprecationsContext
*/
privilegeDeprecationsService: PrivilegeDeprecationsService;
}
/**
* Describes public Security plugin contract returned at the `start` stage.
*/
export interface SecurityPluginStart {
/**
* Authentication services to confirm the user is who they say they are.
*/
authc: AuthenticationServiceStart;
/**
* Authorization services to manage and access the permissions a particular user has.
*/
authz: AuthorizationServiceSetup;
/**
* User profiles services to retrieve user profiles.
*/
userProfiles: UserProfileServiceStart;
}

14
x-pack/packages/security/plugin_types_server/src/user_profile/index.ts Normal file
View file

@ -0,0 +1,14 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export type {
UserProfileServiceStart,
UserProfileSuggestParams,
UserProfileBulkGetParams,
UserProfileRequiredPrivileges,
UserProfileGetCurrentParams,
} from './user_profile_service';

142
x-pack/packages/security/plugin_types_server/src/user_profile/user_profile_service.ts Normal file
View file

@ -0,0 +1,142 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import type { KibanaRequest } from '@kbn/core/server';
import type {
UserProfileData,
UserProfileLabels,
UserProfileWithSecurity,
UserProfile,
} from '@kbn/security-plugin-types-common';
/**
* A set of methods to work with Kibana user profiles.
*/
export interface UserProfileServiceStart {
/**
* Retrieves a user profile for the current user extracted from the specified request. If the profile isn't available,
* e.g. for the anonymous users or users authenticated via authenticating proxies, the `null` value is returned.
* @param params Get current user profile operation parameters.
* @param params.request User request instance to get user profile for.
* @param params.dataPath By default Elasticsearch returns user information, but does not return any user data. The
* optional "dataPath" parameter can be used to return personal data for the requested user profiles.
*/
getCurrent<D extends UserProfileData, L extends UserProfileLabels>(
params: UserProfileGetCurrentParams
): Promise<UserProfileWithSecurity<D, L> | null>;
/**
* Retrieves multiple user profiles by their identifiers.
* @param params Bulk get operation parameters.
* @param params.uids List of user profile identifiers.
* @param params.dataPath By default Elasticsearch returns user information, but does not return any user data. The
* optional "dataPath" parameter can be used to return personal data for the requested user profiles.
*/
bulkGet<D extends UserProfileData>(
params: UserProfileBulkGetParams
): Promise<Array<UserProfile<D>>>;
/**
* Suggests multiple user profiles by search criteria.
* @param params Suggest operation parameters.
* @param params.name Query string used to match name-related fields in user profiles. The following fields are treated as name-related: username, full_name and email.
* @param params.size Desired number of suggestion to return. The default value is 10.
* @param params.dataPath By default, suggest API returns user information, but does not return any user data. The optional "dataPath" parameter can be used to return personal data for this user (within `kibana` namespace only).
* @param params.requiredPrivileges The set of the privileges that users associated with the suggested user profile should have in the specified space. If not specified, privileges check isn't performed and all matched profiles are returned irrespective to the privileges of the associated users.
*/
suggest<D extends UserProfileData>(
params: UserProfileSuggestParams
): Promise<Array<UserProfile<D>>>;
}
/**
* The set of privileges that users associated with the suggested user profile should have for a specified space id.
*/
export interface UserProfileRequiredPrivileges {
/**
* The id of the Kibana Space.
*/
spaceId: string;
/**
* The set of the Kibana specific application privileges.
*/
privileges: { kibana: string[] };
}
/**
* Parameters for the get user profile for the current user API.
*/
export interface UserProfileGetCurrentParams {
/**
* User request instance to get user profile for.
*/
request: KibanaRequest;
/**
* By default, get API returns user information, but does not return any user data. The optional "dataPath"
* parameter can be used to return personal data for this user (within `kibana` namespace only).
*/
dataPath?: string;
}
/**
* Parameters for the bulk get API.
*/
export interface UserProfileBulkGetParams {
/**
* List of user profile identifiers.
*/
uids: Set<string>;
/**
* By default, suggest API returns user information, but does not return any user data. The optional "dataPath"
* parameter can be used to return personal data for this user (within `kibana` namespace only).
*/
dataPath?: string;
}
/**
* Parameters for the suggest API.
*/
export interface UserProfileSuggestParams {
/**
* Query string used to match name-related fields in user profiles. The following fields are treated as
* name-related: username, full_name and email.
*/
name?: string;
/**
* Extra search criteria to improve relevance of the suggestion result. A profile matching the
* specified hint is ranked higher in the response. But not-matching the hint does not exclude a
* profile from the response as long as it matches the `name` field query.
*/
hint?: {
/**
* A list of Profile UIDs to match against.
*/
uids: string[];
};
/**
* Desired number of suggestion to return. The default value is 10.
*/
size?: number;
/**
* By default, suggest API returns user information, but does not return any user data. The optional "dataPath"
* parameter can be used to return personal data for this user (within `kibana` namespace only).
*/
dataPath?: string;
/**
* The set of the privileges that users associated with the suggested user profile should have in the specified space.
* If not specified, privileges check isn't performed and all matched profiles are returned irrespective to the
* privileges of the associated users.
*/
requiredPrivileges?: UserProfileRequiredPrivileges;
}

17
x-pack/packages/security/plugin_types_server/tsconfig.json Normal file
View file

@ -0,0 +1,17 @@
{
"extends": "../../../../tsconfig.base.json",
"compilerOptions": {
"outDir": "target/types"
},
"include": [
"**/*.ts",
],
"exclude": [
"target/**/*"
],
"kbn_references": [
"@kbn/config-schema",
"@kbn/core",
"@kbn/security-plugin-types-common",
]
}

2
x-pack/plugins/alerting/server/maintenance_window_client_factory.test.ts
View file

@ -14,7 +14,7 @@ import {
savedObjectsServiceMock,
loggingSystemMock,
} from '@kbn/core/server/mocks';
import { AuthenticatedUser } from '@kbn/security-plugin/common/model';
import { AuthenticatedUser } from '@kbn/security-plugin/common';
import { securityMock } from '@kbn/security-plugin/server/mocks';
import { SECURITY_EXTENSION_ID } from '@kbn/core-saved-objects-server';
import { MAINTENANCE_WINDOW_SAVED_OBJECT_TYPE } from '../common';

2
x-pack/plugins/alerting/server/rules_client_factory.test.ts
View file

@ -15,7 +15,7 @@ import {
savedObjectsRepositoryMock,
} from '@kbn/core/server/mocks';
import { encryptedSavedObjectsMock } from '@kbn/encrypted-saved-objects-plugin/server/mocks';
import { AuthenticatedUser } from '@kbn/security-plugin/common/model';
import { AuthenticatedUser } from '@kbn/security-plugin/common';
import { securityMock } from '@kbn/security-plugin/server/mocks';
import { PluginStartContract as ActionsStartContract } from '@kbn/actions-plugin/server';
import { actionsMock, actionsAuthorizationMock } from '@kbn/actions-plugin/server/mocks';

2
x-pack/plugins/alerting/server/rules_settings_client_factory.test.ts
View file

@ -15,7 +15,7 @@ import {
savedObjectsServiceMock,
loggingSystemMock,
} from '@kbn/core/server/mocks';
import { AuthenticatedUser } from '@kbn/security-plugin/common/model';
import { AuthenticatedUser } from '@kbn/security-plugin/common';
import { securityMock } from '@kbn/security-plugin/server/mocks';
import { SECURITY_EXTENSION_ID } from '@kbn/core-saved-objects-server';
import { RULES_SETTINGS_SAVED_OBJECT_TYPE } from '../common';

2
x-pack/plugins/apm/public/hooks/use_current_user.ts
View file

@ -7,7 +7,7 @@
import { useState, useEffect } from 'react';
import { useKibana } from '@kbn/kibana-react-plugin/public';
import { AuthenticatedUser } from '@kbn/security-plugin/common/model';
import { AuthenticatedUser } from '@kbn/security-plugin/common';
import { ApmPluginStartDeps } from '../plugin';
export function useCurrentUser() {

2
x-pack/plugins/cases/public/common/lib/kibana/hooks.ts
View file

@ -10,7 +10,7 @@ import moment from 'moment-timezone';
import { useCallback, useEffect, useMemo, useState } from 'react';
import { i18n } from '@kbn/i18n';
import type { AuthenticatedUser } from '@kbn/security-plugin/common/model';
import type { AuthenticatedUser } from '@kbn/security-plugin/common';
import type { NavigateToAppOptions } from '@kbn/core/public';
import { getUICapabilities } from '../../../client/helpers/capabilities';
import { convertToCamelCase } from '../../../api/utils';

2
x-pack/plugins/encrypted_saved_objects/server/crypto/encrypted_saved_objects_service.ts
View file

@ -10,7 +10,7 @@ import stringify from 'json-stable-stringify';
import typeDetect from 'type-detect';
import type { Logger } from '@kbn/core/server';
import type { AuthenticatedUser } from '@kbn/security-plugin/common/model';
import type { AuthenticatedUser } from '@kbn/security-plugin/common';
import { EncryptedSavedObjectAttributesDefinition } from './encrypted_saved_object_type_definition';
import { EncryptionError, EncryptionErrorOperation } from './encryption_error';

2
x-pack/plugins/fleet/server/services/agent_policy_create.ts
View file

@ -7,7 +7,7 @@
import type { ElasticsearchClient, SavedObjectsClientContract } from '@kbn/core/server';
import type { AuthenticatedUser } from '@kbn/security-plugin/common/model';
import type { AuthenticatedUser } from '@kbn/security-plugin/common';
import type { HTTPAuthorizationHeader } from '../../common/http_authorization_header';

10
x-pack/plugins/fleet/server/services/security/fleet_router.test.ts
View file

@ -5,7 +5,11 @@
* 2.0.
*/
import type { CheckPrivilegesDynamically } from '@kbn/security-plugin/server/authorization/check_privileges_dynamically';
import type {
CheckPrivilegesDynamically,
CheckPrivilegesResponse,
CheckPrivilegesPayload,
} from '@kbn/security-plugin/server';
import type { RequestHandler } from '@kbn/core/server';
import type { VersionedRouter } from '@kbn/core-http-server';
import { loggingSystemMock } from '@kbn/core/server/mocks';
@ -14,10 +18,6 @@ import type { AuthenticatedUser } from '@kbn/security-plugin/common';
import { coreMock } from '@kbn/core/server/mocks';
import type { CheckPrivilegesPayload } from '@kbn/security-plugin/server';
import type { CheckPrivilegesResponse } from '@kbn/security-plugin/server/authorization/types';
import { API_VERSIONS } from '../../../common/constants';
import type { FleetRequestHandlerContext } from '../..';

2
x-pack/plugins/observability_ai_assistant/public/hooks/use_current_user.ts
View file

@ -5,7 +5,7 @@
* 2.0.
*/
import { AuthenticatedUser } from '@kbn/security-plugin/common/model';
import { AuthenticatedUser } from '@kbn/security-plugin/common';
import { useEffect, useState } from 'react';
import { useObservabilityAIAssistant } from './use_observability_ai_assistant';

1
x-pack/plugins/security/common/constants.ts
View file

@ -15,7 +15,6 @@ export const ALL_SPACES_ID = '*';
*/
export const UNKNOWN_SPACE = '?';
export const GLOBAL_RESOURCE = '*';
export const APPLICATION_PREFIX = 'kibana-';
/**

35
x-pack/plugins/security/common/index.ts
View file

@ -5,27 +5,40 @@
* 2.0.
*/
export type { SecurityLicense, SecurityLicenseFeatures, LoginLayout } from './licensing';
export type {
GetUserProfileResponse,
ApiKey,
RestApiKey,
GetUserDisplayNameParams,
EditUser,
BuiltinESPrivileges,
RawKibanaPrivileges,
RoleMapping,
RoleTemplate,
StoredRoleTemplate,
InvalidRoleTemplate,
InlineRoleTemplate,
} from './model';
export { getUserDisplayName, isRoleReserved } from './model';
// Re-export types from the plugin directly to enhance the developer experience for consumers of the Security plugin.
export type {
AuthenticatedUser,
GetUserProfileResponse,
UserRealm,
User,
AuthenticationProvider,
PrivilegeDeprecationsService,
PrivilegeDeprecationsRolesByFeatureIdRequest,
PrivilegeDeprecationsRolesByFeatureIdResponse,
Role,
RoleIndexPrivilege,
RoleKibanaPrivilege,
RoleRemoteIndexPrivilege,
FeaturesPrivileges,
User,
LoginLayout,
SecurityLicenseFeatures,
SecurityLicense,
UserProfile,
UserProfileUserInfo,
UserProfileWithSecurity,
UserProfileData,
UserProfileLabels,
UserProfileUserInfoWithSecurity,
ApiKey,
UserRealm,
GetUserDisplayNameParams,
} from './model';
export { getUserDisplayName } from './model';
} from '@kbn/security-plugin-types-common';

4
x-pack/plugins/security/common/licensing/index.mock.ts
View file

@ -9,9 +9,7 @@ import { Observable, of } from 'rxjs';
import type { LicenseType } from '@kbn/licensing-plugin/common/types';
import { LICENSE_TYPE } from '@kbn/licensing-plugin/common/types';
import type { SecurityLicenseFeatures } from './license_features';
import type { SecurityLicense } from './license_service';
import type { SecurityLicense, SecurityLicenseFeatures } from '@kbn/security-plugin-types-common';
export const licenseMock = {
create: (

3
x-pack/plugins/security/common/licensing/index.ts
View file

@ -5,7 +5,4 @@
* 2.0.
*/
export type { SecurityLicense } from './license_service';
export { SecurityLicenseService } from './license_service';
export type { LoginLayout, SecurityLicenseFeatures } from './license_features';

12
x-pack/plugins/security/common/licensing/license_service.ts
View file

@ -9,17 +9,7 @@ import type { Observable, Subscription } from 'rxjs';
import { map } from 'rxjs/operators';
import type { ILicense, LicenseType } from '@kbn/licensing-plugin/common/types';
import type { SecurityLicenseFeatures } from './license_features';
export interface SecurityLicense {
isLicenseAvailable(): boolean;
isEnabled(): boolean;
getFeatures(): SecurityLicenseFeatures;
hasAtLeast(licenseType: LicenseType): boolean | undefined;
features$: Observable<SecurityLicenseFeatures>;
}
import type { SecurityLicenseFeatures } from '@kbn/security-plugin-types-common';
interface SetupDeps {
license$: Observable<ILicense>;
}

2
x-pack/plugins/security/common/login_state.ts
View file

@ -5,7 +5,7 @@
* 2.0.
*/
import type { LoginLayout } from './licensing';
import type { LoginLayout } from '@kbn/security-plugin-types-common';
export interface LoginSelectorProvider {
type: string;

2
x-pack/plugins/security/common/model/authenticated_user.mock.ts
View file

@ -5,7 +5,7 @@
* 2.0.
*/
import type { AuthenticatedUser } from './authenticated_user';
import type { AuthenticatedUser } from '@kbn/security-plugin-types-common';
// We omit `roles` here since the original interface defines this field as `readonly string[]` that makes it hard to use
// in various mocks that expect mutable string array.

2
x-pack/plugins/security/common/model/authenticated_user.test.ts
View file

@ -6,8 +6,8 @@
*/
import { applicationServiceMock } from '@kbn/core/public/mocks';
import type { AuthenticatedUser } from '@kbn/security-plugin-types-common';
import type { AuthenticatedUser } from './authenticated_user';
import {
canUserChangeDetails,
canUserChangePassword,

56
x-pack/plugins/security/common/model/authenticated_user.ts
View file

@ -6,64 +6,10 @@
*/
import type { Capabilities } from '@kbn/core/types';
import type { AuthenticationProvider } from './authentication_provider';
import type { User } from './user';
import type { AuthenticatedUser } from '@kbn/security-plugin-types-common';
const REALMS_ELIGIBLE_FOR_PASSWORD_CHANGE = ['reserved', 'native'];
/**
* An Elasticsearch realm that was used to resolve and authenticate the user.
*/
export interface UserRealm {
/**
* Arbitrary name of the security realm.
*/
name: string;
/**
* Type of the security realm (file, native, saml etc.).
*/
type: string;
}
/**
* Represents the currently authenticated user.
*/
export interface AuthenticatedUser extends User {
/**
* The name and type of the Realm that has authenticated the user.
*/
authentication_realm: UserRealm;
/**
* The name and type of the Realm where the user information were retrieved from.
*/
lookup_realm: UserRealm;
/**
* The authentication provider that used to authenticate user.
*/
authentication_provider: AuthenticationProvider;
/**
* The AuthenticationType used by ES to authenticate the user.
*
* @example "realm" | "api_key" | "token" | "anonymous" | "internal"
*/
authentication_type: string;
/**
* Indicates whether user is authenticated via Elastic Cloud built-in SAML realm.
*/
elastic_cloud_user: boolean;
/**
* User profile ID of this user.
*/
profile_uid?: string;
}
export function isUserAnonymous(user: Pick<AuthenticatedUser, 'authentication_provider'>) {
return user.authentication_provider.type === 'anonymous';
}

14
x-pack/plugins/security/common/model/authentication_provider.ts
View file

@ -5,20 +5,6 @@
* 2.0.
*/
/**
* Type and name tuple to identify provider used to authenticate user.
*/
export interface AuthenticationProvider {
/**
* Type of the Kibana authentication provider.
*/
type: string;
/**
* Name of the Kibana authentication provider (arbitrary string).
*/
name: string;
}
/**
* Checks whether authentication provider with the specified type uses Kibana's native login form.
* @param providerType Type of the authentication provider.

26
x-pack/plugins/security/common/model/index.ts
View file

@ -13,40 +13,23 @@ export type {
ApiKeyRoleDescriptors,
CrossClusterApiKeyAccess,
} from './api_key';
export type { User, EditUser, GetUserDisplayNameParams } from './user';
export type {
GetUserProfileResponse,
UserProfile,
UserProfileUserInfo,
UserProfileWithSecurity,
UserProfileData,
UserProfileLabels,
UserProfileUserInfoWithSecurity,
} from './user_profile';
export type { EditUser, GetUserDisplayNameParams } from './user';
export type { GetUserProfileResponse } from './user_profile';
export {
getUserAvatarColor,
getUserAvatarInitials,
USER_AVATAR_MAX_INITIALS,
} from './user_profile';
export { getUserDisplayName } from './user';
export type { AuthenticatedUser, UserRealm } from './authenticated_user';
export {
canUserChangePassword,
canUserChangeDetails,
isUserAnonymous,
canUserHaveProfile,
} from './authenticated_user';
export type { AuthenticationProvider } from './authentication_provider';
export { shouldProviderUseLoginForm } from './authentication_provider';
export type { BuiltinESPrivileges } from './builtin_es_privileges';
export type { RawKibanaPrivileges, RawKibanaFeaturePrivileges } from './raw_kibana_privileges';
export type { FeaturesPrivileges } from './features_privileges';
export type {
Role,
RoleIndexPrivilege,
RoleRemoteIndexPrivilege,
RoleKibanaPrivilege,
} from './role';
export {
copyRole,
isRoleDeprecated,
@ -65,8 +48,3 @@ export type {
RoleTemplate,
RoleMapping,
} from './role_mapping';
export type {
PrivilegeDeprecationsRolesByFeatureIdRequest,
PrivilegeDeprecationsRolesByFeatureIdResponse,
PrivilegeDeprecationsService,
} from './deprecations';

3
x-pack/plugins/security/common/model/role.test.ts
View file

@ -5,7 +5,8 @@
* 2.0.
*/
import type { Role } from '.';
import type { Role } from '@kbn/security-plugin-types-common';
import {
copyRole,
getExtendedRoleDeprecationNotice,

43
x-pack/plugins/security/common/model/role.ts
View file

@ -8,48 +8,7 @@
import { cloneDeep } from 'lodash';
import { i18n } from '@kbn/i18n';
import type { FeaturesPrivileges } from './features_privileges';
export interface RoleIndexPrivilege {
names: string[];
privileges: string[];
field_security?: {
grant?: string[];
except?: string[];
};
query?: string;
}
export interface RoleRemoteIndexPrivilege extends RoleIndexPrivilege {
clusters: string[];
}
export interface RoleKibanaPrivilege {
spaces: string[];
base: string[];
feature: FeaturesPrivileges;
_reserved?: string[];
}
export interface Role {
name: string;
elasticsearch: {
cluster: string[];
indices: RoleIndexPrivilege[];
remote_indices?: RoleRemoteIndexPrivilege[];
run_as: string[];
};
kibana: RoleKibanaPrivilege[];
metadata?: {
[anyKey: string]: any;
};
transient_metadata?: {
[anyKey: string]: any;
};
_transform_error?: string[];
_unrecognized_applications?: string[];
}
import type { Role } from '@kbn/security-plugin-types-common';
/**
* Returns whether given role is enabled or not

3
x-pack/plugins/security/common/model/user.test.ts
View file

@ -5,7 +5,8 @@
* 2.0.
*/
import type { User } from './user';
import type { User } from '@kbn/security-plugin-types-common';
import { getUserDisplayName } from './user';
describe('#getUserDisplayName', () => {

16
x-pack/plugins/security/common/model/user.ts
View file

@ -5,21 +5,7 @@
* 2.0.
*/
/**
* A set of fields describing Kibana user.
*/
export interface User {
username: string;
email?: string;
full_name?: string;
roles: readonly string[];
enabled: boolean;
metadata?: {
_reserved: boolean;
_deprecated?: boolean;
_deprecated_reason?: string;
};
}
import type { User } from '@kbn/security-plugin-types-common';
export interface EditUser extends User {
password?: string;

2
x-pack/plugins/security/common/model/user_profile.mock.ts
View file

@ -5,7 +5,7 @@
* 2.0.
*/
import type { UserProfile, UserProfileWithSecurity } from './user_profile';
import type { UserProfile, UserProfileWithSecurity } from '@kbn/security-plugin-types-common';
function createUserProfileMock(userProfile: Partial<UserProfile> = {}) {
return {

107
x-pack/plugins/security/common/model/user_profile.ts
View file

@ -7,111 +7,16 @@
import { VISUALIZATION_COLORS } from '@elastic/eui';
import type {
AuthenticatedUser,
UserProfileData,
UserProfileUserInfo,
UserProfileWithSecurity,
} from '@kbn/security-plugin-types-common';
import type { UserProfileAvatarData } from '@kbn/user-profile-components';
import type { AuthenticatedUser } from './authenticated_user';
import { getUserDisplayName } from './user';
/**
* IMPORTANT:
*
* The types in this file are duplicated at
* `packages/kbn-user-profile-components/src/user_profile.ts`
*
* When making changes please ensure to keep both files in sync.
*/
/**
* Describes basic properties stored in user profile.
*/
export interface UserProfile<D extends UserProfileData = UserProfileData> {
/**
* Unique ID for of the user profile.
*/
uid: string;
/**
* Indicates whether user profile is enabled or not.
*/
enabled: boolean;
/**
* Information about the user that owns profile.
*/
user: UserProfileUserInfo;
/**
* User specific data associated with the profile.
*/
data: Partial<D>;
}
/**
* Basic user information returned in user profile.
*/
export interface UserProfileUserInfo {
/**
* Username of the user.
*/
username: string;
/**
* Optional email of the user.
*/
email?: string;
/**
* Optional full name of the user.
*/
full_name?: string;
}
/**
* Placeholder for data stored in user profile.
*/
export type UserProfileData = Record<string, unknown>;
/**
* Type of the user profile labels structure (currently
*/
export type UserProfileLabels = Record<string, string>;
/**
* Extended user information returned in user profile (both basic and security related properties).
*/
export interface UserProfileUserInfoWithSecurity extends UserProfileUserInfo {
/**
* List of the user roles.
*/
roles: readonly string[];
/**
* Name of the Elasticsearch security realm that was used to authenticate user.
*/
realm_name: string;
/**
* Optional name of the security domain that Elasticsearch security realm that was
* used to authenticate user resides in (if any).
*/
realm_domain?: string;
}
/**
* Describes all properties stored in user profile (both basic and security related properties).
*/
export interface UserProfileWithSecurity<
D extends UserProfileData = UserProfileData,
L extends UserProfileLabels = UserProfileLabels
> extends UserProfile<D> {
/**
* Information about the user that owns profile.
*/
user: UserProfileUserInfoWithSecurity;
/**
* User specific _searchable_ labels associated with the profile. Note that labels are considered
* security related field since it's going to be used to store user's space ID.
*/
labels: L;
}
/**
* User profile enriched with session information.
*/

2
x-pack/plugins/security/common/types.ts
View file

@ -5,7 +5,7 @@
* 2.0.
*/
import type { AuthenticationProvider } from './model';
import type { AuthenticationProvider } from '@kbn/security-plugin-types-common';
export interface SessionInfo {
expiresInMs: number | null;

2
x-pack/plugins/security/public/account_management/account_management_app.tsx
View file

@ -26,10 +26,10 @@ import {
KibanaThemeProvider,
toMountPoint,
} from '@kbn/kibana-react-plugin/public';
import type { AuthenticationServiceSetup } from '@kbn/security-plugin-types-public';
import { Router } from '@kbn/shared-ux-router';
import { UserProfilesKibanaProvider } from '@kbn/user-profile-components';
import type { AuthenticationServiceSetup } from '../authentication';
import type { SecurityApiClients } from '../components';
import { AuthenticationProvider, SecurityApiClientsProvider } from '../components';
import type { BreadcrumbsChangeHandler } from '../components/breadcrumb';

5
x-pack/plugins/security/public/account_management/index.ts
View file

@ -7,8 +7,3 @@
export { accountManagementApp } from './account_management_app';
export { UserProfileAPIClient } from './user_profile/user_profile_api_client';
export type {
UserProfileBulkGetParams,
UserProfileGetCurrentParams,
UserProfileSuggestParams,
} from './user_profile';

5
x-pack/plugins/security/public/account_management/user_profile/index.ts
View file

@ -8,8 +8,3 @@
export { UserProfile } from './user_profile';
export type { UserProfileProps, UserProfileFormValues } from './user_profile';
export type {
UserProfileGetCurrentParams,
UserProfileBulkGetParams,
UserProfileSuggestParams,
} from './user_profile_api_client';

Some files were not shown because too many files have changed in this diff Show more