Move CSP options to new platform (#52698)

* Move CSP options to new platform

* Expose SharedGlobalConfig from root

* Derive CSP options from config

* Consolidate CSP configuration with HTTP config

* Fix outstanding config renames

* Remove legacy CSP configuration calls, migrate to platform properties

* Revise docs

* Fix test from type change

* Expose ICspConfig, consolidate and simplify CSP defaults access

* Rebase and update docs

* Remove legacy API from route definition params, review nits

* Clean up config path usages for consistency

* Regenerate docs

.github/CODEOWNERS

@@ -80,20 +80,19 @@
 /x-pack/plugins/licensing/  @elastic/kibana-platform
 /packages/kbn-config-schema/ @elastic/kibana-platform
 /src/legacy/server/config/ @elastic/kibana-platform
-/src/legacy/server/csp/ @elastic/kibana-platform
 /src/legacy/server/http/ @elastic/kibana-platform
 /src/legacy/server/i18n/ @elastic/kibana-platform
 /src/legacy/server/logging/ @elastic/kibana-platform
 /src/legacy/server/saved_objects/  @elastic/kibana-platform
 /src/legacy/server/status/ @elastic/kibana-platform
 
 # Security
+/src/core/server/csp/  @elastic/kibana-security @elastic/kibana-platform
 /x-pack/legacy/plugins/security/  @elastic/kibana-security
 /x-pack/legacy/plugins/spaces/  @elastic/kibana-security
 /x-pack/plugins/spaces/  @elastic/kibana-security
 /x-pack/legacy/plugins/encrypted_saved_objects/  @elastic/kibana-security
 /x-pack/plugins/encrypted_saved_objects/  @elastic/kibana-security
-/src/legacy/server/csp/ @elastic/kibana-security
 /x-pack/plugins/security/  @elastic/kibana-security
 /x-pack/test/api_integration/apis/security/ @elastic/kibana-security
 

docs/development/core/server/kibana-plugin-server.cspconfig.default.md

@@ -0,0 +1,11 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [CspConfig](./kibana-plugin-server.cspconfig.md) &gt; [DEFAULT](./kibana-plugin-server.cspconfig.default.md)
+
+## CspConfig.DEFAULT property
+
+<b>Signature:</b>
+
+```typescript
+static readonly DEFAULT: CspConfig;
+```

docs/development/core/server/kibana-plugin-server.cspconfig.header.md

@@ -0,0 +1,11 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [CspConfig](./kibana-plugin-server.cspconfig.md) &gt; [header](./kibana-plugin-server.cspconfig.header.md)
+
+## CspConfig.header property
+
+<b>Signature:</b>
+
+```typescript
+readonly header: string;
+```

docs/development/core/server/kibana-plugin-server.cspconfig.md

@@ -0,0 +1,28 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [CspConfig](./kibana-plugin-server.cspconfig.md)
+
+## CspConfig class
+
+CSP configuration for use in Kibana.
+
+<b>Signature:</b>
+
+```typescript
+export declare class CspConfig implements ICspConfig 
+```
+
+## Properties
+
+|  Property | Modifiers | Type | Description |
+|  --- | --- | --- | --- |
+|  [DEFAULT](./kibana-plugin-server.cspconfig.default.md) | <code>static</code> | <code>CspConfig</code> |  |
+|  [header](./kibana-plugin-server.cspconfig.header.md) |  | <code>string</code> |  |
+|  [rules](./kibana-plugin-server.cspconfig.rules.md) |  | <code>string[]</code> |  |
+|  [strict](./kibana-plugin-server.cspconfig.strict.md) |  | <code>boolean</code> |  |
+|  [warnLegacyBrowsers](./kibana-plugin-server.cspconfig.warnlegacybrowsers.md) |  | <code>boolean</code> |  |
+
+## Remarks
+
+The constructor for this class is marked as internal. Third-party code should not call the constructor directly or create subclasses that extend the `CspConfig` class.
+

docs/development/core/server/kibana-plugin-server.cspconfig.rules.md

@@ -0,0 +1,11 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [CspConfig](./kibana-plugin-server.cspconfig.md) &gt; [rules](./kibana-plugin-server.cspconfig.rules.md)
+
+## CspConfig.rules property
+
+<b>Signature:</b>
+
+```typescript
+readonly rules: string[];
+```

docs/development/core/server/kibana-plugin-server.cspconfig.strict.md

@@ -0,0 +1,11 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [CspConfig](./kibana-plugin-server.cspconfig.md) &gt; [strict](./kibana-plugin-server.cspconfig.strict.md)
+
+## CspConfig.strict property
+
+<b>Signature:</b>
+
+```typescript
+readonly strict: boolean;
+```

docs/development/core/server/kibana-plugin-server.cspconfig.warnlegacybrowsers.md

@@ -0,0 +1,11 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [CspConfig](./kibana-plugin-server.cspconfig.md) &gt; [warnLegacyBrowsers](./kibana-plugin-server.cspconfig.warnlegacybrowsers.md)
+
+## CspConfig.warnLegacyBrowsers property
+
+<b>Signature:</b>
+
+```typescript
+readonly warnLegacyBrowsers: boolean;
+```

docs/development/core/server/kibana-plugin-server.httpservicesetup.csp.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [HttpServiceSetup](./kibana-plugin-server.httpservicesetup.md) &gt; [csp](./kibana-plugin-server.httpservicesetup.csp.md)
+
+## HttpServiceSetup.csp property
+
+The CSP config used for Kibana.
+
+<b>Signature:</b>
+
+```typescript
+csp: ICspConfig;
+```

docs/development/core/server/kibana-plugin-server.httpservicesetup.md

@@ -19,6 +19,7 @@ export interface HttpServiceSetup
 |  [basePath](./kibana-plugin-server.httpservicesetup.basepath.md) | <code>IBasePath</code> | Access or manipulate the Kibana base path See [IBasePath](./kibana-plugin-server.ibasepath.md)<!-- -->. |
 |  [createCookieSessionStorageFactory](./kibana-plugin-server.httpservicesetup.createcookiesessionstoragefactory.md) | <code>&lt;T&gt;(cookieOptions: SessionStorageCookieOptions&lt;T&gt;) =&gt; Promise&lt;SessionStorageFactory&lt;T&gt;&gt;</code> | Creates cookie based session storage factory [SessionStorageFactory](./kibana-plugin-server.sessionstoragefactory.md) |
 |  [createRouter](./kibana-plugin-server.httpservicesetup.createrouter.md) | <code>() =&gt; IRouter</code> | Provides ability to declare a handler function for a particular path and HTTP request method. |
+|  [csp](./kibana-plugin-server.httpservicesetup.csp.md) | <code>ICspConfig</code> | The CSP config used for Kibana. |
 |  [isTlsEnabled](./kibana-plugin-server.httpservicesetup.istlsenabled.md) | <code>boolean</code> | Flag showing whether a server was configured to use TLS connection. |
 |  [registerAuth](./kibana-plugin-server.httpservicesetup.registerauth.md) | <code>(handler: AuthenticationHandler) =&gt; void</code> | To define custom authentication and/or authorization mechanism for incoming requests. |
 |  [registerOnPostAuth](./kibana-plugin-server.httpservicesetup.registeronpostauth.md) | <code>(handler: OnPostAuthHandler) =&gt; void</code> | To define custom logic to perform for incoming requests. |

docs/development/core/server/kibana-plugin-server.icspconfig.header.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [ICspConfig](./kibana-plugin-server.icspconfig.md) &gt; [header](./kibana-plugin-server.icspconfig.header.md)
+
+## ICspConfig.header property
+
+The CSP rules in a formatted directives string for use in a `Content-Security-Policy` header.
+
+<b>Signature:</b>
+
+```typescript
+readonly header: string;
+```

docs/development/core/server/kibana-plugin-server.icspconfig.md

@@ -0,0 +1,23 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [ICspConfig](./kibana-plugin-server.icspconfig.md)
+
+## ICspConfig interface
+
+CSP configuration for use in Kibana.
+
+<b>Signature:</b>
+
+```typescript
+export interface ICspConfig 
+```
+
+## Properties
+
+|  Property | Type | Description |
+|  --- | --- | --- |
+|  [header](./kibana-plugin-server.icspconfig.header.md) | <code>string</code> | The CSP rules in a formatted directives string for use in a <code>Content-Security-Policy</code> header. |
+|  [rules](./kibana-plugin-server.icspconfig.rules.md) | <code>string[]</code> | The CSP rules used for Kibana. |
+|  [strict](./kibana-plugin-server.icspconfig.strict.md) | <code>boolean</code> | Specify whether browsers that do not support CSP should be able to use Kibana. Use <code>true</code> to block and <code>false</code> to allow. |
+|  [warnLegacyBrowsers](./kibana-plugin-server.icspconfig.warnlegacybrowsers.md) | <code>boolean</code> | Specify whether users with legacy browsers should be warned about their lack of Kibana security compliance. |
+

docs/development/core/server/kibana-plugin-server.icspconfig.rules.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [ICspConfig](./kibana-plugin-server.icspconfig.md) &gt; [rules](./kibana-plugin-server.icspconfig.rules.md)
+
+## ICspConfig.rules property
+
+The CSP rules used for Kibana.
+
+<b>Signature:</b>
+
+```typescript
+readonly rules: string[];
+```

docs/development/core/server/kibana-plugin-server.icspconfig.strict.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [ICspConfig](./kibana-plugin-server.icspconfig.md) &gt; [strict](./kibana-plugin-server.icspconfig.strict.md)
+
+## ICspConfig.strict property
+
+Specify whether browsers that do not support CSP should be able to use Kibana. Use `true` to block and `false` to allow.
+
+<b>Signature:</b>
+
+```typescript
+readonly strict: boolean;
+```

docs/development/core/server/kibana-plugin-server.icspconfig.warnlegacybrowsers.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [ICspConfig](./kibana-plugin-server.icspconfig.md) &gt; [warnLegacyBrowsers](./kibana-plugin-server.icspconfig.warnlegacybrowsers.md)
+
+## ICspConfig.warnLegacyBrowsers property
+
+Specify whether users with legacy browsers should be warned about their lack of Kibana security compliance.
+
+<b>Signature:</b>
+
+```typescript
+readonly warnLegacyBrowsers: boolean;
+```

docs/development/core/server/kibana-plugin-server.md

@@ -18,6 +18,7 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
 |  --- | --- |
 |  [BasePath](./kibana-plugin-server.basepath.md) | Access or manipulate the Kibana base path |
 |  [ClusterClient](./kibana-plugin-server.clusterclient.md) | Represents an Elasticsearch cluster API client and allows to call API on behalf of the internal Kibana user and the actual user that is derived from the request headers (via <code>asScoped(...)</code>).<!-- -->See [ClusterClient](./kibana-plugin-server.clusterclient.md)<!-- -->. |
+|  [CspConfig](./kibana-plugin-server.cspconfig.md) | CSP configuration for use in Kibana. |
 |  [ElasticsearchErrorHelpers](./kibana-plugin-server.elasticsearcherrorhelpers.md) | Helpers for working with errors returned from the Elasticsearch service.Since the internal data of errors are subject to change, consumers of the Elasticsearch service should always use these helpers to classify errors instead of checking error internals such as <code>body.error.header[WWW-Authenticate]</code> |
 |  [KibanaRequest](./kibana-plugin-server.kibanarequest.md) | Kibana specific abstraction for an incoming request. |
 |  [SavedObjectsClient](./kibana-plugin-server.savedobjectsclient.md) |  |
@@ -64,6 +65,7 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
 |  [HttpServiceSetup](./kibana-plugin-server.httpservicesetup.md) | Kibana HTTP Service provides own abstraction for work with HTTP stack. Plugins don't have direct access to <code>hapi</code> server and its primitives anymore. Moreover, plugins shouldn't rely on the fact that HTTP Service uses one or another library under the hood. This gives the platform flexibility to upgrade or changing our internal HTTP stack without breaking plugins. If the HTTP Service lacks functionality you need, we are happy to discuss and support your needs. |
 |  [HttpServiceStart](./kibana-plugin-server.httpservicestart.md) |  |
 |  [IContextContainer](./kibana-plugin-server.icontextcontainer.md) | An object that handles registration of context providers and configuring handlers with context. |
+|  [ICspConfig](./kibana-plugin-server.icspconfig.md) | CSP configuration for use in Kibana. |
 |  [IKibanaResponse](./kibana-plugin-server.ikibanaresponse.md) | A response data object, expected to returned as a result of [RequestHandler](./kibana-plugin-server.requesthandler.md) execution |
 |  [IKibanaSocket](./kibana-plugin-server.ikibanasocket.md) | A tiny abstraction for TCP socket. |
 |  [IndexSettingsDeprecationInfo](./kibana-plugin-server.indexsettingsdeprecationinfo.md) |  |

src/core/server/csp/config.ts

@@ -0,0 +1,42 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { TypeOf, schema } from '@kbn/config-schema';
+
+/**
+ * @internal
+ */
+export type CspConfigType = TypeOf<typeof config.schema>;
+
+export const config = {
+  // TODO: Move this to server.csp using config deprecations
+  // ? https://github.com/elastic/kibana/pull/52251
+  path: 'csp',
+  schema: schema.object({
+    rules: schema.arrayOf(schema.string(), {
+      defaultValue: [
+        `script-src 'unsafe-eval' 'self'`,
+        `worker-src blob: 'self'`,
+        `style-src 'unsafe-inline' 'self'`,
+      ],
+    }),
+    strict: schema.boolean({ defaultValue: true }),
+    warnLegacyBrowsers: schema.boolean({ defaultValue: true }),
+  }),
+};

src/core/server/csp/csp_config.test.ts

@@ -0,0 +1,97 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { CspConfig } from '.';
+
+// CSP rules aren't strictly additive, so any change can potentially expand or
+// restrict the policy in a way we consider a breaking change. For that reason,
+// we test the default rules exactly so any change to those rules gets flagged
+// for manual review. In other words, this test is intentionally fragile to draw
+// extra attention if defaults are modified in any way.
+//
+// A test failure here does not necessarily mean this change cannot be made,
+// but any change here should undergo sufficient scrutiny by the Kibana
+// security team.
+//
+// The tests use inline snapshots to make it as easy as possible to identify
+// the nature of a change in defaults during a PR review.
+
+describe('CspConfig', () => {
+  test('DEFAULT', () => {
+    expect(CspConfig.DEFAULT).toMatchInlineSnapshot(`
+      CspConfig {
+        "header": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
+        "rules": Array [
+          "script-src 'unsafe-eval' 'self'",
+          "worker-src blob: 'self'",
+          "style-src 'unsafe-inline' 'self'",
+        ],
+        "strict": true,
+        "warnLegacyBrowsers": true,
+      }
+    `);
+  });
+
+  test('defaults from config', () => {
+    expect(new CspConfig()).toMatchInlineSnapshot(`
+      CspConfig {
+        "header": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
+        "rules": Array [
+          "script-src 'unsafe-eval' 'self'",
+          "worker-src blob: 'self'",
+          "style-src 'unsafe-inline' 'self'",
+        ],
+        "strict": true,
+        "warnLegacyBrowsers": true,
+      }
+    `);
+  });
+
+  test('creates from partial config', () => {
+    expect(new CspConfig({ strict: false, warnLegacyBrowsers: false })).toMatchInlineSnapshot(`
+      CspConfig {
+        "header": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
+        "rules": Array [
+          "script-src 'unsafe-eval' 'self'",
+          "worker-src blob: 'self'",
+          "style-src 'unsafe-inline' 'self'",
+        ],
+        "strict": false,
+        "warnLegacyBrowsers": false,
+      }
+    `);
+  });
+
+  test('computes header from rules', () => {
+    const cspConfig = new CspConfig({ rules: ['alpha', 'beta', 'gamma'] });
+
+    expect(cspConfig).toMatchInlineSnapshot(`
+      CspConfig {
+        "header": "alpha; beta; gamma",
+        "rules": Array [
+          "alpha",
+          "beta",
+          "gamma",
+        ],
+        "strict": true,
+        "warnLegacyBrowsers": true,
+      }
+    `);
+  });
+});