Migrate security chromeless views to Kibana Platform plugin (#54021)

Co-authored-by: Joe Portner <[email protected]>

test/functional/config.js

@@ -92,10 +92,6 @@ export default async function({ readConfigFile }) {
         pathname: '/app/kibana',
         hash: '/dev_tools/console',
       },
-      account: {
-        pathname: '/app/kibana',
-        hash: '/account',
-      },
       home: {
         pathname: '/app/kibana',
         hash: '/home',

x-pack/legacy/plugins/security/index.ts

@@ -0,0 +1,93 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { Root } from 'joi';
+import { resolve } from 'path';
+import { Server } from 'src/legacy/server/kbn_server';
+import { KibanaRequest, LegacyRequest } from '../../../../src/core/server';
+// @ts-ignore
+import { AuditLogger } from '../../server/lib/audit_logger';
+// @ts-ignore
+import { watchStatusAndLicenseToInitialize } from '../../server/lib/watch_status_and_license_to_initialize';
+import { AuthenticatedUser, SecurityPluginSetup } from '../../../plugins/security/server';
+
+/**
+ * Public interface of the security plugin.
+ */
+export interface SecurityPlugin {
+  getUser: (request: LegacyRequest) => Promise<AuthenticatedUser>;
+}
+
+function getSecurityPluginSetup(server: Server) {
+  const securityPlugin = server.newPlatform.setup.plugins.security as SecurityPluginSetup;
+  if (!securityPlugin) {
+    throw new Error('Kibana Platform Security plugin is not available.');
+  }
+
+  return securityPlugin;
+}
+
+export const security = (kibana: Record<string, any>) =>
+  new kibana.Plugin({
+    id: 'security',
+    configPrefix: 'xpack.security',
+    publicDir: resolve(__dirname, 'public'),
+    require: ['kibana', 'elasticsearch', 'xpack_main'],
+
+    // This config is only used by `AuditLogger` and should be removed as soon as `AuditLogger`
+    // is migrated to Kibana Platform.
+    config(Joi: Root) {
+      return Joi.object({
+        enabled: Joi.boolean().default(true),
+        audit: Joi.object({ enabled: Joi.boolean().default(false) }).default(),
+      })
+        .unknown()
+        .default();
+    },
+
+    uiExports: {
+      hacks: ['plugins/security/hacks/legacy'],
+      injectDefaultVars: (server: Server) => {
+        return {
+          secureCookies: getSecurityPluginSetup(server).__legacyCompat.config.secureCookies,
+          enableSpaceAwarePrivileges: server.config().get('xpack.spaces.enabled'),
+        };
+      },
+    },
+
+    async postInit(server: Server) {
+      watchStatusAndLicenseToInitialize(server.plugins.xpack_main, this, async () => {
+        const xpackInfo = server.plugins.xpack_main.info;
+        if (xpackInfo.isAvailable() && xpackInfo.feature('security').isEnabled()) {
+          await getSecurityPluginSetup(server).__legacyCompat.registerPrivilegesWithCluster();
+        }
+      });
+    },
+
+    async init(server: Server) {
+      const securityPlugin = getSecurityPluginSetup(server);
+
+      const xpackInfo = server.plugins.xpack_main.info;
+      securityPlugin.__legacyCompat.registerLegacyAPI({
+        auditLogger: new AuditLogger(server, 'security', server.config(), xpackInfo),
+      });
+
+      // Legacy xPack Info endpoint returns whatever we return in a callback for `registerLicenseCheckResultsGenerator`
+      // and the result is consumed by the legacy plugins all over the place, so we should keep it here for now. We assume
+      // that when legacy callback is called license has been already propagated to the new platform security plugin and
+      // features are up to date.
+      xpackInfo
+        .feature(this.id)
+        .registerLicenseCheckResultsGenerator(() =>
+          securityPlugin.__legacyCompat.license.getFeatures()
+        );
+
+      server.expose({
+        getUser: async (request: LegacyRequest) =>
+          securityPlugin.authc.getCurrentUser(KibanaRequest.from(request)),
+      });
+    },
+  });

x-pack/legacy/plugins/security/public/hacks/legacy.ts

@@ -0,0 +1,64 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+// @ts-ignore
+import { uiModules } from 'ui/modules';
+import { npSetup, npStart } from 'ui/new_platform';
+import routes from 'ui/routes';
+import { isSystemApiRequest } from '../../../../../../src/plugins/kibana_legacy/public';
+import { SecurityPluginSetup } from '../../../../../plugins/security/public';
+
+const securityPluginSetup = (npSetup.plugins as any).security as SecurityPluginSetup;
+if (securityPluginSetup) {
+  routes.when('/account', {
+    template: '<div />',
+    controller: () => npStart.core.application.navigateToApp('security_account'),
+  });
+
+  const getNextParameter = () => {
+    const { location } = window;
+    const next = encodeURIComponent(`${location.pathname}${location.search}${location.hash}`);
+    return `&next=${next}`;
+  };
+
+  const getProviderParameter = (tenant: string) => {
+    const key = `${tenant}/session_provider`;
+    const providerName = sessionStorage.getItem(key);
+    return providerName ? `&provider=${encodeURIComponent(providerName)}` : '';
+  };
+
+  const module = uiModules.get('security', []);
+  module.config(($httpProvider: ng.IHttpProvider) => {
+    $httpProvider.interceptors.push(($q, $window, Promise) => {
+      const isAnonymous = npSetup.core.http.anonymousPaths.isAnonymous(window.location.pathname);
+
+      function interceptorFactory(responseHandler: (response: ng.IHttpResponse<unknown>) => any) {
+        return function interceptor(response: ng.IHttpResponse<unknown>) {
+          if (!isAnonymous && !isSystemApiRequest(response.config)) {
+            securityPluginSetup.sessionTimeout.extend(response.config.url);
+          }
+
+          if (response.status !== 401 || isAnonymous) {
+            return responseHandler(response);
+          }
+
+          const { logoutUrl, tenant } = securityPluginSetup.__legacyCompat;
+          const next = getNextParameter();
+          const provider = getProviderParameter(tenant);
+
+          $window.location.href = `${logoutUrl}?msg=SESSION_EXPIRED${next}${provider}`;
+
+          return Promise.halt();
+        };
+      }
+
+      return {
+        response: interceptorFactory(response => response),
+        responseError: interceptorFactory($q.reject),
+      };
+    });
+  });
+}