* Initial work
* Fix failing jest test
* Use APIKeys class
* Only use id to invalidate
* Log all errors in invalidate function
* Cleanup
* Apply PR feedback
* Initial work
* Cleanup add createAPIKey fn pt1
* Change getServices function to take request as parameter
* Use API key when executing alerts
* Revert task manager using encrypted saved objects
* Store fired actions within a saved object to encrypt API keys
* Fix fireActionId
* Cleanup code, fix type check error
* Add a type for getScopedSavedObjectsClient
* Fix getBasePath and spaceIdToNamespace functions
* Add safety check for API key and action
* Fix integration tests
* Fix broken jest tests
* Cleanup
* Rename generatedApiKey to apiKeyValue
* Ensure access to action record
* Cleanup
* Add unit tests
* Fix variable conflict
* Revert task manager specific code (no longer needed)
* Remove fire terminology
* Move tests to spaces and security folder
* Use ES Archiver to remove spaces (empty_kibana)
* Fix missing pieces
* Convert action tests to run per user
* Convert alerting tests to run per user
* Fix type check issue
* Fix failing test
* Add callCluster and savedObjectsClient authorization tests
* Make savedObjectsClient return 403 for authorization tests
* Cleanup
* Fix test failure
* Common function to get data from test index
* Create ObjectRemover
* Cleanup
* useApiKey now provided to functions instead of relying on condition of two strings
* Fix typo
* Make tests it(...) start with should
* Rename useApiKey to isSecurityEnabled
* Merge apiKeyId and apiKeyValue into one
* Update docs
* Use feature controls for list alert / action types API
* Remove need to add ! in TypeScript for required plugins
* Fix ESLint issue
* Include actions and alertTypeParams into AAD and generate new API key on update
* Generate random id for API key name attribute
* Include interval in AAD
* Send pre-encoded string
* Fix ExecutorError
* Fix apiKey snapshot
* Fix 'default' typo
* De-compose apiKey
* Refresh API key when enabling / disabling an alert
* Add updatedBy
* Make unauthorized APIs return 404
* add response factory to the interceptors
* adopt x-pack code to the changes
* Add a separate response factory for lifecycles.
Only route handler can respond with 2xx response.
Interceptors may redirect or reject an incoming request.
* re-generate docs
* response.internal --> response.internalError
* use internalError for exceptions in authenticator
* before Security plugin proxied ES error status code. now sets explicitly.
* provide error via message field of error response for BWC
* update docs
* add customError response
* restore integration test and update unit tests
* update docs
* support Hapi error format for BWC
* add a couple of tests
* Add createApiKey support to security plugin
* Expiration is optional
* Start moving code to new platform
* Add unit tests
* Fix jest test
* Apply PR feedback
* Apply PR feedback
* Apply PR feedback pt2
* crude test updates
* remove custom server typedef
* allow spaces to acquire security plugin after init
* split CoreSetup into CoreSetup and PluginsSetup
* move interfaces to new plugin
* init interceptors in legacy plugin
* fix import
* add placeholder kibana.json
* use NP Elasticsearch service instead of legacy ES Plugin
* cleanup imports
* don't destructure the es client
* introduce request facade
* document reason for getSecurity
* prefer relative imports from src/core
* fix typo in filename: inteceptors --> interceptors
* fix imports; remove stray ts-ignore
* improve typings for spaces client
* rename InterfaceExcept --> Omit
* don't use legacy config in NP
* additional comment
* shim NP config service
* fix merge from master
* revert relative imports into src/core and src/legacy
* shim capabilities modifier into new platform
* removing placeholder kibana.json
* fix prettier problem
* temporary: patch NP 'setUrl'
* migrate onRequest interceptor to NP, without tests
* fix ts error
* testing and deps cleanup for onRequestInterceptor
* replace spaces's usages of request.getBasePath with http.getBasePathFor
* add explicit timeouts for jest interceptor tests
* attempt to fix imports
* use NP logging instead of faked implementation
* revert stray yarn.lock change
* attempt to stabilize and fix tests
* update jest config to include src/core/server/mocks
* fix plugin config typings
* add service tests
* fix merge
* allow spaces service to also work with legacy requests
* update interfaces to conform to new internal/external API convention
* re-enable some post auth interceptor tests
* add explicit timeouts for tests
* prefer modifyUrl instead of manual url modification
* update logger shim to conform to PluginInitializerContext
* remove spaces ConfigClass
* don't weaken type declaration for scoped cluster client calls
* remove legacy server from SpacesCoreSetup
* remove spaces service cache
* remove legacy server as an interceptor dependency
* use modifyUrl on the raw request too
* remove unused import
* cleanup typings
* replace onRequest interceptor with new onPreAuth interceptor
* fix onPostAuth tests
* temporarily copy modifyUrl into spaces plugin
* fix mock export
* fix merge from master
* spaces scopedClient always uses updated ES client and config
* improve typings for usage collector
* rename isLegacyRequest -> isFakeRequest
* use updated NP base path API
* remove commented code
* only expose scoped spaces client
* use OptionalPlugin instead of getSecurity
* update imports of Saved Objects Service to use new src/core/server location
* update core docs
* Always mock metadata/chrome in OSS
* Enable jest env in jest mocks
* Exclude jest mocks in karma bundles
* Use setupFilesAfterEnv in config
* Remove chrome/metadata mock from x-pack
* Remove kuery mock
* Add missing mock to SIEM test
* Fix typo in mock import
* Remove top level capabilities x-pack mock
* Move kfetch mock to ui/public
* Move moment-timezone to mocks file
* Unmock kfetch in kfetch specific tests
* Make kfetch mock manual
* Removed unnecessary jest.mock
* Remove kfetch unmocks
* Changing the Spaces management section to behave like the other FC controlled sections
* Adding those glorious tests and fixing a bug
* Fixing some test descriptions
* Making the mergeCapabilities operation emulate the old behavior
* Fixing privileges test with the addition of the new action
* Updating jest snapshot
* Adding tests, preventing additional clobbering
* Changing requireUICapability to use management.kibana.spaces
* remove usage of legacy notifier
* fix superfluous whitespace changes
* fix redirection on role management screen
* extract session expiration warning into its own component
This change adjusts validation of query parameters in the
/api/security/v1/oidc endpoint. It was discovered during manual
testing that Google's OP is sending more parameters than the ones
identified in https://tools.ietf.org/html/rfc6749#section-4.1.2
which is referenced by
https://openid.net/specs/openid-connect-core-1_0.html#AuthResponse
(for instance auth_user and session_state). The existing validation
rules only allowed the expected query parameters but this
means that Kibana wouldn't be able to complete OpenID Connect
authentication with Google acting as the OP.
As dictated in the standard (RFC6749), "The client MUST ignore
unrecognized response parameters." so we should allow but discard
any extra parameters we do not recognize and not throw an error.
Furthermore, it adds stricter validation for the issuer and all
parameters of type URI when these are present.
* Switching from public/private to external/internal APIs
We use the public folder in a lot of other places to denote files which
should be exposed client-side. Using folders named public was causing
issues with some of the operations team's tooling, so we're renaming
these.
* Fixing forgotten import in test
The OpenID Connect authProvider is the accompanying authProvider for the OpenID Connect authentication realm in Elasticsearch. This is very similar to the saml authProvider in most ways with three noticeable differences:
- We require explicit configuration regarding the Elasticsearch realm name instead of trying to build an environment-aware string (like the ACS URL in saml) and pass that to Elasticsearch for it to resolve the realm.
- We do not support multiple values for the realm-specific nonces (state and nonce) as we do with requestId in the SAML realm. Instead, if an existing value (for state and nonce) is present in the user's session, we pass that to Elasticsearch to be reused. The end goal is the same: allow a better UX for users attempting many requests over different tabs in the same browser context.
- IDP-initiated SSO (Third Party initiated authentication in OIDC-speak) is implemented but starts as an unsolicited request to initiate the handshake, instead of an unsolicited request with an authentication response (which is not supported here).
This change also adds a fake plugin named oidc_provider to be used in integration tests for mocking calls to the token and userinfo endpoints of an OpenID Connect Provider.
This does not support the OpenID Connect Implicit flow, as that depends on fragment handling/processing as described, for instance, in the spec.
Co-Authored-By: Brandon Kobel <kobelb@elastic.co>
* [xpack/encryptionKeys] use default keys when running from source
* add tests for the config schema with different contexts
* share the getConfigSchema helper
* await promises returned by expect().resolves
* tweak test naming
* use data-driven tests
* fix type error
* hide platform dependent config from snapshot
* convert user management screen to TypeScript
* rename Users to UsersListPage for consistency
* unit testing for user management page
* fix props for change password form
* test authentication state page
* add access modifiers
* remove unused translations
* reorganize user management files to be consistent with the rest of security's mgmt ui
* add missing license header
* fix import
* remove stray import
* remove unnecessary style hacks
* Update x-pack/plugins/security/public/views/management/edit_user/components/edit_user_page.tsx
Co-Authored-By: legrego <lgregorydev@gmail.com>
* address pr feedback
* restrict access to Features API
* introduce featureControls.manage capability to control calls to features api
* add snapshots
* rename manage_feature_controls api tag to features
* Revert "introduce featureControls.manage capability to control calls to features api"
This reverts commit addc149193.
* update spaces management to only call APIs if authorized
* handle 404 response when requesting features on role management page
* better variable naming
* remove unnecessary mock
* remove unused code
* remove unnecessary snapshots
* enable security on file dataviz and import (ML plugin)
* update unit tests
* add api test coverage for security in basic
* move audit logging to standard+ license level