Merge branch 'main' into security-api-integrations
dkirchan authored May 2, 2024
2 parents b42ae7c + dbfea52 commit 8374d6d
Showing 131 changed files with 3,707 additions and 3,542 deletions.
1 change: 0 additions & 1 deletion config/serverless.security.yml
Expand Up @@ -23,7 +23,6 @@ xpack.securitySolutionServerless.productTypes:

xpack.securitySolution.offeringSettings: {
ILMEnabled: false, # Index Lifecycle Management (ILM) functionalities disabled, not supported by serverless Elasticsearch
ESQLEnabled: false, # ES|QL disabled, not supported by serverless Elasticsearch
}

newsfeed.enabled: true
3 changes: 2 additions & 1 deletion docs/CHANGELOG.asciidoc
Expand Up @@ -82,8 +82,9 @@ Fleet::
* Fixes managed agent policy preconfiguration update ({kibana-pull}181624[#181624]).
* Use lowercase dataset in template names ({kibana-pull}180887[#180887]).
* Fixes KQL/kuery for getting Fleet Server agent count ({kibana-pull}180650[#180650]).
Index Management::
* Fixes `allow_auto_create` field in the Index Template form ({kibana-pull}178321[#178321]).
Lens & Visualizations::
* Fixes table sorting on time picker interval change in *Lens* ({kibana-pull}182173[#182173]).
* Fixes controls on fields with custom label ({kibana-pull}180615[#180615]).
Machine Learning::
* Fixes deep link for Index data visualizer & ES|QL data visualizer ({kibana-pull}180389[#180389]).
2 changes: 1 addition & 1 deletion fleet_packages.json
Expand Up @@ -30,7 +30,7 @@
},
{
"name": "elastic_agent",
"version": "1.18.0"
"version": "1.19.0"
},
{
"name": "endpoint",
Original file line number Diff line number Diff line change
Expand Up @@ -367,6 +367,7 @@ export function createPluginStartContext<TPlugin, TPluginDependencies>({
},
security: {
authc: deps.security.authc,
audit: deps.security.audit,
},
userProfile: deps.userProfile,
};
Original file line number Diff line number Diff line change
Expand Up @@ -10,12 +10,13 @@ import type { KibanaRequest } from '@kbn/core-http-server';
import type {
SecurityRequestHandlerContext,
AuthcRequestHandlerContext,
AuditRequestHandlerContext,
} from '@kbn/core-security-server';
import type { InternalSecurityServiceStart } from './internal_contracts';

export class CoreSecurityRouteHandlerContext implements SecurityRequestHandlerContext {
#authc?: AuthcRequestHandlerContext;

#audit?: AuditRequestHandlerContext;
constructor(
private readonly securityStart: InternalSecurityServiceStart,
private readonly request: KibanaRequest
Expand All @@ -29,4 +30,13 @@ export class CoreSecurityRouteHandlerContext implements SecurityRequestHandlerCo
}
return this.#authc;
}

public get audit() {
if (this.#audit == null) {
this.#audit = {
logger: this.securityStart.audit.asScoped(this.request),
};
}
return this.#audit;
}
}
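Review bot: The new `audit` getter has no explicit return type and no doc comment, so the contract it exposes is whatever is inferred from the object literal. Declaring it as `public get audit(): AuditRequestHandlerContext {` would have the body checked against the interface imported at the top of the file. A short TSDoc line such as `/** Audit logger scoped to this request via securityStart.audit.asScoped. */` would tell route authors that events logged through it are tied to the request. In the lines shown there is also no blank line between the `#audit` field and `constructor(`. The part of the class between the constructor and the end of the `authc` getter is outside the hunks shown.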
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0 and the Server Side Public License, v 1; you may not use this file except
* in compliance with, at your election, the Elastic License 2.0 or the Server
* Side Public License, v 1.
*/

import { AuditLogger } from '@kbn/core-security-server';

export type MockedAuditLogger = jest.Mocked<AuditLogger>;

export const createAuditLoggerMock = {
create(): MockedAuditLogger {
return {
log: jest.fn(),
enabled: true,
};
},
};
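Review bot: `AuditLogger` is imported as a value although it is only used in the `jest.Mocked<AuditLogger>` alias; `import type { AuditLogger } from '@kbn/core-security-server';` matches how audit.mock.ts in the mocks package imports it and keeps the import erased at compile time. The helper also duplicates `auditLoggerMock` from that package line for line. If the duplication is deliberate (for example to avoid a dependency cycle between packages), a one-line comment saying so would prevent a later well-meant consolidation.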
Original file line number Diff line number Diff line change
Expand Up @@ -8,11 +8,22 @@

import type { CoreSecurityDelegateContract } from '@kbn/core-security-server';
import { convertSecurityApi } from './convert_security_api';
import { createAuditLoggerMock } from '../test_helpers/create_audit_logger.mock';

describe('convertSecurityApi', () => {
it('returns the API from the source', () => {
const source: CoreSecurityDelegateContract = { authc: { getCurrentUser: jest.fn() } };
const source: CoreSecurityDelegateContract = {
authc: {
getCurrentUser: jest.fn(),
},
audit: {
asScoped: jest.fn().mockReturnValue(createAuditLoggerMock.create()),
withoutRequest: createAuditLoggerMock.create(),
},
};
const output = convertSecurityApi(source);
expect(output.authc.getCurrentUser).toBe(source.authc.getCurrentUser);
expect(output.audit.asScoped).toBe(source.audit.asScoped);
expect(output.audit.withoutRequest).toBe(source.audit.withoutRequest);
});
});
Original file line number Diff line number Diff line change
Expand Up @@ -22,4 +22,19 @@ describe('getDefaultSecurityImplementation', () => {
expect(user).toBeNull();
});
});

describe('audit.asScoped', () => {
it('returns null', async () => {
const logger = implementation.audit.asScoped({} as any);
expect(logger.log({ message: 'something' })).toBeUndefined();
});
});

describe('audit.withoutRequest', () => {
it('does not log', async () => {
const logger = implementation.audit.withoutRequest;
expect(logger.enabled).toBe(false);
expect(logger.log({ message: 'no request' })).toBeUndefined();
});
});
});
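Review bot: The test title `'returns null'` under `audit.asScoped` does not match what is asserted: the call returns a logger object and the expectation is that `log()` returns undefined. Renaming it to something like `it('returns a no-op logger', ...)` and adding `expect(logger.enabled).toBe(false);` would pin the same contract that the `withoutRequest` test checks. Both callbacks are declared `async` without awaiting anything, and `{} as any` could be replaced with a typed request mock if one is available to this package.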
Original file line number Diff line number Diff line change
Expand Up @@ -13,5 +13,14 @@ export const getDefaultSecurityImplementation = (): CoreSecurityDelegateContract
authc: {
getCurrentUser: () => null,
},
audit: {
asScoped: () => {
return { log: () => undefined, enabled: false };
},
withoutRequest: {
log: () => undefined,
enabled: false,
},
},
};
};
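Review bot: The default `audit` implementation discards every event without any signal, so code that calls `log()` while this fallback is active loses audit records unless it checks `enabled` first. That is presumably intended for the case where no security implementation has been registered, but it should be stated on the `audit` property, for example `// No-op fallback: events are discarded until a security implementation is registered (enabled is false).` Separately, `asScoped` builds a new object on every call while `withoutRequest` is a shared literal; returning one module-level no-op logger constant from both would make the equivalence obvious.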
2 changes: 2 additions & 0 deletions packages/core/security/core-security-server-mocks/index.ts
Expand Up @@ -7,3 +7,5 @@
*/

export { securityServiceMock } from './src/security_service.mock';
export type { InternalSecurityStartMock, SecurityStartMock } from './src/security_service.mock';
export { auditLoggerMock } from './src/audit.mock';
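Review bot: `auditServiceMock` and the `MockedAuditService` / `MockedAuditLogger` types are not re-exported here, although the exported `SecurityStartMock` and `InternalSecurityStartMock` types have an `audit: MockedAuditService` member. Consumers that need to name or build the audit part of the mock would have to import from `./src/audit.mock` directly. Exporting `auditServiceMock` next to `auditLoggerMock` and adding `export type { MockedAuditLogger, MockedAuditService } from './src/audit.mock';` would keep the package entry point complete.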
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0 and the Server Side Public License, v 1; you may not use this file except
* in compliance with, at your election, the Elastic License 2.0 or the Server
* Side Public License, v 1.
*/

import type { KibanaRequest } from '@kbn/core-http-server';
import type { AuditLogger } from '@kbn/core-security-server';

export type MockedAuditLogger = jest.Mocked<AuditLogger>;

export const auditLoggerMock = {
create(): MockedAuditLogger {
return {
log: jest.fn(),
enabled: true,
};
},
};

export interface MockedAuditService {
asScoped: (request: KibanaRequest) => MockedAuditLogger;
withoutRequest: MockedAuditLogger;
}

export const auditServiceMock = {
create(): MockedAuditService {
return {
asScoped: jest.fn().mockReturnValue(auditLoggerMock.create()),
withoutRequest: auditLoggerMock.create(),
};
},
};
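Review bot: `MockedAuditService.asScoped` is typed as a plain function, so tests cannot call `mockReturnValue` or read `.mock.calls` on it without a cast even though `create()` assigns a `jest.fn()`. Typing it as `asScoped: jest.MockedFunction<(request: KibanaRequest) => MockedAuditLogger>;` keeps the mock API visible to callers. Also, `jest.fn().mockReturnValue(auditLoggerMock.create())` hands the same logger instance to every request, so an assertion on `log` calls cannot tell which request produced them. A comment on `create()` stating that would help, or `mockImplementation(() => auditLoggerMock.create())` if per-request loggers are wanted.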
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
* Side Public License, v 1.
*/

import type {
import {
SecurityServiceSetup,
SecurityServiceStart,
SecurityRequestHandlerContext,
Expand All @@ -15,6 +15,7 @@ import type {
InternalSecurityServiceSetup,
InternalSecurityServiceStart,
} from '@kbn/core-security-server-internal';
import { auditServiceMock, type MockedAuditService } from './audit.mock';

const createSetupMock = () => {
const mock: jest.Mocked<SecurityServiceSetup> = {
Expand All @@ -24,11 +25,16 @@ const createSetupMock = () => {
return mock;
};

const createStartMock = () => {
const mock: jest.MockedObjectDeep<SecurityServiceStart> = {
export type SecurityStartMock = jest.MockedObjectDeep<Omit<SecurityServiceStart, 'audit'>> & {
audit: MockedAuditService;
};

const createStartMock = (): SecurityStartMock => {
const mock = {
authc: {
getCurrentUser: jest.fn(),
},
audit: auditServiceMock.create(),
};

return mock;
Expand All @@ -42,11 +48,18 @@ const createInternalSetupMock = () => {
return mock;
};

const createInternalStartMock = () => {
const mock: jest.MockedObjectDeep<InternalSecurityServiceStart> = {
export type InternalSecurityStartMock = jest.MockedObjectDeep<
Omit<InternalSecurityServiceStart, 'audit'>
> & {
audit: MockedAuditService;
};

const createInternalStartMock = (): InternalSecurityStartMock => {
const mock = {
authc: {
getCurrentUser: jest.fn(),
},
audit: auditServiceMock.create(),
};

return mock;
Expand All @@ -67,6 +80,12 @@ const createRequestHandlerContextMock = () => {
authc: {
getCurrentUser: jest.fn(),
},
audit: {
logger: {
log: jest.fn(),
enabled: true,
},
},
};
return mock;
};
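Review bot: The first import appears to have been changed from `import type {` to `import {`, although the names visible in it (`SecurityServiceSetup`, `SecurityServiceStart`, `SecurityRequestHandlerContext`) are used only in type positions in the lines shown; keeping `import type` avoids pulling the package in at runtime from a mock file. In `createRequestHandlerContextMock` the audit logger is written out as `{ log: jest.fn(), enabled: true }` while the two start mocks go through `auditServiceMock.create()`. Using `logger: auditLoggerMock.create()` there (with `auditLoggerMock` added to the `./audit.mock` import) would leave one definition of the mocked logger. The bodies of the setup mocks are outside the hunks shown.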
Original file line number Diff line number Diff line change
Expand Up @@ -16,5 +16,6 @@
"kbn_references": [
"@kbn/core-security-server",
"@kbn/core-security-server-internal",
"@kbn/core-http-server",
]
}
10 changes: 10 additions & 0 deletions packages/core/security/core-security-server/index.ts
Expand Up @@ -8,11 +8,21 @@

export type { SecurityServiceSetup, SecurityServiceStart } from './src/contracts';
export type { CoreAuthenticationService } from './src/authc';
export type { CoreAuditService } from './src/audit';
export type {
CoreSecurityDelegateContract,
AuthenticationServiceContract,
AuditServiceContract,
} from './src/api_provider';
export type {
SecurityRequestHandlerContext,
AuthcRequestHandlerContext,
AuditRequestHandlerContext,
} from './src/request_handler_context';
export type {
AuditEvent,
AuditHttp,
AuditKibana,
AuditRequest,
} from './src/audit_logging/audit_events';
export type { AuditLogger } from './src/audit_logging/audit_logger';
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
* Side Public License, v 1.
*/

import type { CoreAuditService } from './audit';
import type { CoreAuthenticationService } from './authc';

/**
Expand All @@ -16,9 +17,12 @@ import type { CoreAuthenticationService } from './authc';
*/
export interface CoreSecurityDelegateContract {
authc: AuthenticationServiceContract;
audit: AuditServiceContract;
}

/**
* @public
*/
export type AuthenticationServiceContract = CoreAuthenticationService;

export type AuditServiceContract = CoreAuditService;
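Review bot: `AuditServiceContract` is exported without the `/** @public */` doc comment that `AuthenticationServiceContract` carries directly above it, even though both aliases are re-exported from the package index. Adding the same `@public` block to the new alias keeps the two consistent for API documentation tooling.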
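--- a/packages/core/security/core-security-server/src/audit.ts
+++ b/packages/core/security/core-security-server/src/audit.ts
@@ -0,0 +1,40 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License
+* 2.0 and the Server Side Public License, v 1; you may not use this file except
+* in compliance with, at your election, the Elastic License 2.0 or the Server
+* Side Public License, v 1.
+*/
+
+import type { KibanaRequest } from '@kbn/core-http-server';
+
+import type { AuditLogger } from './audit_logging/audit_logger';
+
+export interface CoreAuditService {
+/**
+* Creates an {@link AuditLogger} scoped to the current request.
+*
+* This audit logger logs events with all required user and session info and should be used for
+* all user-initiated actions.
+*
+* @example
+* ```typescript
+* const auditLogger = securitySetup.audit.asScoped(request);
+* auditLogger.log(event);
+* ```
+*/
+asScoped: (request: KibanaRequest) => AuditLogger;
+
+/**
+* {@link AuditLogger} for background tasks only.
+*
+* This audit logger logs events without any user or session info and should never be used to log
+* user-initiated actions.
+*
+* @example
+* ```typescript
+* securitySetup.audit.withoutRequest.log(event);
+* ```
+*/
+withoutRequest: AuditLogger;
+}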
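Review bot: Both `@example` blocks call `securitySetup.audit…`, but the only contract this commit visibly extends with `audit` is `SecurityServiceStart` in contracts.ts, so the examples may point readers at the wrong lifecycle object. `const auditLogger = securityStart.audit.asScoped(request);` and `securityStart.audit.withoutRequest.log(event);` would match the start contract. The interface itself has no TSDoc summary or `@public` tag, unlike `AuthenticationServiceContract` in api_provider.ts. Neither member mentions the logger's `enabled` flag, which the default implementation in this commit sets to false; a sentence telling callers that `log()` records nothing in that state would help anyone relying on these events as an audit trail.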
Original file line number Diff line number Diff line change
@@ -1,11 +1,12 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
* 2.0 and the Server Side Public License, v 1; you may not use this file except
* in compliance with, at your election, the Elastic License 2.0 or the Server
* Side Public License, v 1.
*/

import type { LogMeta } from '@kbn/core/server';
import type { LogMeta } from '@kbn/logging';

/**
* Audit kibana schema using ECS format
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
* 2.0 and the Server Side Public License, v 1; you may not use this file except
* in compliance with, at your election, the Elastic License 2.0 or the Server
* Side Public License, v 1.
*/

import type { AuditEvent } from './audit_events';
6 changes: 5 additions & 1 deletion packages/core/security/core-security-server/src/contracts.ts
Expand Up @@ -8,7 +8,7 @@

import type { CoreAuthenticationService } from './authc';
import type { CoreSecurityDelegateContract } from './api_provider';

import type { CoreAuditService } from './audit';
/**
* Setup contract for Core's security service.
*
Expand All @@ -33,4 +33,8 @@ export interface SecurityServiceStart {
* The {@link CoreAuthenticationService | authentication service}
*/
authc: CoreAuthenticationService;
/**
* The {@link CoreAuditService | audit service}
*/
audit: CoreAuditService;
}