Change files.

elastic · Dec 9, 2019 · 94018c1 · 94018c1
1 parent 4189b08
commit 94018c1
Show file tree

Hide file tree

Showing 75 changed files with 2,340 additions and 2,062 deletions.
diff --git a/docs/user/security/authentication/index.asciidoc b/docs/user/security/authentication/index.asciidoc
@@ -163,7 +163,7 @@ required by {kib}. If you want to use Third Party initiated SSO , then you must
 +
 [source,yaml]
 --------------------------------------------------------------------------------
-server.xsrf.whitelist: [/api/security/v1/oidc]
+server.xsrf.whitelist: [/api/security/oidc/initiate_login]
 --------------------------------------------------------------------------------
 
 [float]

diff --git a/test/common/services/security/user.ts b/test/common/services/security/user.ts
@@ -38,7 +38,7 @@ export class User {
   public async create(username: string, user: any) {
     this.log.debug(`creating user ${username}`);
     const { data, status, statusText } = await this.axios.post(
-      `/api/security/v1/users/${username}`,
+      `/internal/security/users/${username}`,
       {
         username,
         ...user,
@@ -55,7 +55,7 @@ export class User {
   public async delete(username: string) {
     this.log.debug(`deleting user ${username}`);
     const { data, status, statusText } = await this.axios.delete(
-      `/api/security/v1/users/${username}`
+      `/internal/security/users/${username}`
     );
     if (status !== 204) {
       throw new Error(

diff --git a/x-pack/legacy/plugins/security/common/constants.ts b/x-pack/legacy/plugins/security/common/constants.ts
diff --git a/x-pack/legacy/plugins/security/common/model.ts b/x-pack/legacy/plugins/security/common/model.ts
@@ -4,8 +4,9 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export { ApiKey } from './api_key';
 export {
+  ApiKey,
+  ApiKeyToInvalidate,
   AuthenticatedUser,
   BuiltinESPrivileges,
   EditUser,
@@ -19,4 +20,4 @@ export {
   User,
   canUserChangePassword,
   getUserDisplayName,
-} from '../../../../../plugins/security/common/model';
+} from '../../../../plugins/security/common/model';
diff --git a/x-pack/legacy/plugins/security/index.js b/x-pack/legacy/plugins/security/index.js
@@ -5,10 +5,6 @@
  */
 
 import { resolve } from 'path';
-import { initAuthenticateApi } from './server/routes/api/v1/authenticate';
-import { initUsersApi } from './server/routes/api/v1/users';
-import { initApiKeysApi } from './server/routes/api/v1/api_keys';
-import { initIndicesApi } from './server/routes/api/v1/indices';
 import { initOverwrittenSessionView } from './server/routes/views/overwritten_session';
 import { initLoginView } from './server/routes/views/login';
 import { initLogoutView } from './server/routes/views/logout';
@@ -34,7 +30,7 @@ export const security = (kibana) => new kibana.Plugin({
         lifespan: Joi.any().description('This key is handled in the new platform security plugin ONLY'),
       }).default(),
       secureCookies: Joi.any().description('This key is handled in the new platform security plugin ONLY'),
-      loginAssistanceMessage: Joi.string().default(),
+      loginAssistanceMessage: Joi.any().description('This key is handled in the new platform security plugin ONLY'),
       authorization: Joi.object({
         legacyFallback: Joi.object({
           enabled: Joi.boolean().default(true) // deprecated
@@ -144,10 +140,6 @@ export const security = (kibana) => new kibana.Plugin({
 
     server.expose({ getUser: request => securityPlugin.authc.getCurrentUser(KibanaRequest.from(request)) });
 
-    initAuthenticateApi(securityPlugin, server);
-    initUsersApi(securityPlugin, server);
-    initApiKeysApi(server);
-    initIndicesApi(server);
     initLoginView(securityPlugin, server);
     initLogoutView(server);
     initLoggedOutView(securityPlugin, server);

diff --git a/x-pack/legacy/plugins/security/public/hacks/on_unauthorized_response.js b/x-pack/legacy/plugins/security/public/hacks/on_unauthorized_response.js
@@ -11,8 +11,8 @@ import 'plugins/security/services/auto_logout';
 
 function isUnauthorizedResponseAllowed(response) {
   const API_WHITELIST = [
-    '/api/security/v1/login',
-    '/api/security/v1/users/.*/password'
+    '/internal/security/login',
+    '/internal/security/users/.*/password'
   ];
 
   const url = response.config.url;

diff --git a/x-pack/legacy/plugins/security/public/lib/api.ts b/x-pack/legacy/plugins/security/public/lib/api.ts
@@ -7,12 +7,12 @@
 import { kfetch } from 'ui/kfetch';
 import { AuthenticatedUser, Role, User, EditUser } from '../../common/model';
 
-const usersUrl = '/api/security/v1/users';
+const usersUrl = '/internal/security/users';
 const rolesUrl = '/api/security/role';
 
 export class UserAPIClient {
   public async getCurrentUser(): Promise<AuthenticatedUser> {
-    return await kfetch({ pathname: `/api/security/v1/me` });
+    return await kfetch({ pathname: `/internal/security/me` });
   }
 
   public async getUsers(): Promise<User[]> {

diff --git a/x-pack/legacy/plugins/security/public/lib/api_keys_api.ts b/x-pack/legacy/plugins/security/public/lib/api_keys_api.ts
@@ -5,8 +5,7 @@
  */
 
 import { kfetch } from 'ui/kfetch';
-import { ApiKey, ApiKeyToInvalidate } from '../../common/model/api_key';
-import { INTERNAL_API_BASE_PATH } from '../../common/constants';
+import { ApiKey, ApiKeyToInvalidate } from '../../common/model';
 
 interface CheckPrivilegesResponse {
   areApiKeysEnabled: boolean;
@@ -22,7 +21,7 @@ interface GetApiKeysResponse {
   apiKeys: ApiKey[];
 }
 
-const apiKeysUrl = `${INTERNAL_API_BASE_PATH}/api_key`;
+const apiKeysUrl = `/internal/security/api_key`;
 
 export class ApiKeysApi {
   public static async checkPrivileges(): Promise<CheckPrivilegesResponse> {

diff --git a/x-pack/legacy/plugins/security/public/objects/lib/get_fields.ts b/x-pack/legacy/plugins/security/public/objects/lib/get_fields.ts
@@ -6,7 +6,7 @@
 import { IHttpResponse } from 'angular';
 import chrome from 'ui/chrome';
 
-const apiBase = chrome.addBasePath(`/api/security/v1/fields`);
+const apiBase = chrome.addBasePath(`/internal/security/fields`);
 
 export async function getFields($http: any, query: string): Promise<string[]> {
   return await $http

diff --git a/x-pack/legacy/plugins/security/public/services/shield_indices.js b/x-pack/legacy/plugins/security/public/services/shield_indices.js
@@ -10,7 +10,7 @@ const module = uiModules.get('security', []);
 module.service('shieldIndices', ($http, chrome) => {
   return {
     getFields: (query) => {
-      return $http.get(chrome.addBasePath(`/api/security/v1/fields/${query}`))
+      return $http.get(chrome.addBasePath(`/internal/security/fields/${query}`))
         .then(response => response.data);
     }
   };

diff --git a/x-pack/legacy/plugins/security/public/services/shield_user.js b/x-pack/legacy/plugins/security/public/services/shield_user.js
@@ -10,7 +10,7 @@ import { uiModules } from 'ui/modules';
 
 const module = uiModules.get('security', ['ngResource']);
 module.service('ShieldUser', ($resource, chrome) => {
-  const baseUrl = chrome.addBasePath('/api/security/v1/users/:username');
+  const baseUrl = chrome.addBasePath('/internal/security/users/:username');
   const ShieldUser = $resource(baseUrl, {
     username: '@username'
   }, {
@@ -21,7 +21,7 @@ module.service('ShieldUser', ($resource, chrome) => {
     },
     getCurrent: {
       method: 'GET',
-      url: chrome.addBasePath('/api/security/v1/me')
+      url: chrome.addBasePath('/internal/security/me')
     }
   });
 

diff --git a/...gacy/plugins/security/public/views/login/components/basic_login_form/basic_login_form.tsx b/...gacy/plugins/security/public/views/login/components/basic_login_form/basic_login_form.tsx
@@ -190,7 +190,7 @@ class BasicLoginFormUI extends Component<Props, State> {
 
     const { username, password } = this.state;
 
-    http.post('./api/security/v1/login', { username, password }).then(
+    http.post('./internal/security/login', { username, password }).then(
       () => (window.location.href = next),
       (error: any) => {
         const { statusCode = 500 } = error.data || {};

diff --git a/x-pack/legacy/plugins/security/public/views/logout/logout.js b/x-pack/legacy/plugins/security/public/views/logout/logout.js
@@ -12,5 +12,5 @@ chrome
     $window.sessionStorage.clear();
 
     // Redirect user to the server logout endpoint to complete logout.
-    $window.location.href = chrome.addBasePath(`/api/security/v1/logout${$window.location.search}`);
+    $window.location.href = chrome.addBasePath(`/api/security/logout${$window.location.search}`);
   });
diff --git a/.../plugins/security/public/views/management/api_keys_grid/components/api_keys_grid_page.tsx b/.../plugins/security/public/views/management/api_keys_grid/components/api_keys_grid_page.tsx
@@ -29,7 +29,7 @@ import _ from 'lodash';
 import { toastNotifications } from 'ui/notify';
 // eslint-disable-next-line @kbn/eslint/no-restricted-paths
 import { SectionLoading } from '../../../../../../../../../src/plugins/es_ui_shared/public/components/section_loading';
-import { ApiKey, ApiKeyToInvalidate } from '../../../../../common/model/api_key';
+import { ApiKey, ApiKeyToInvalidate } from '../../../../../common/model';
 import { ApiKeysApi } from '../../../../lib/api_keys_api';
 import { PermissionDenied } from './permission_denied';
 import { EmptyPrompt } from './empty_prompt';

diff --git a/...lic/views/management/api_keys_grid/components/invalidate_provider/invalidate_provider.tsx b/...lic/views/management/api_keys_grid/components/invalidate_provider/invalidate_provider.tsx
@@ -8,7 +8,7 @@ import React, { Fragment, useRef, useState } from 'react';
 import { EuiConfirmModal, EuiOverlayMask } from '@elastic/eui';
 import { toastNotifications } from 'ui/notify';
 import { i18n } from '@kbn/i18n';
-import { ApiKeyToInvalidate } from '../../../../../../common/model/api_key';
+import { ApiKeyToInvalidate } from '../../../../../../common/model';
 import { ApiKeysApi } from '../../../../../lib/api_keys_api';
 
 interface Props {

diff --git a/x-pack/legacy/plugins/siem/cypress/integration/lib/login/helpers.ts b/x-pack/legacy/plugins/siem/cypress/integration/lib/login/helpers.ts
@@ -39,7 +39,7 @@ const ELASTICSEARCH_PASSWORD = 'ELASTICSEARCH_PASSWORD';
 /**
  * The Kibana server endpoint used for authentication
  */
-const LOGIN_API_ENDPOINT = '/api/security/v1/login';
+const LOGIN_API_ENDPOINT = '/internal/security/login';
 
 /**
  * Authenticates with Kibana using, if specified, credentials specified by
@@ -68,7 +68,7 @@ const credentialsProvidedByEnvironment = (): boolean =>
  * Authenticates with Kibana by reading credentials from the
  * `CYPRESS_ELASTICSEARCH_USERNAME` and `CYPRESS_ELASTICSEARCH_PASSWORD`
  * environment variables, and POSTing the username and password directly to
- * Kibana's `security/v1/login` endpoint, bypassing the login page (for speed).
+ * Kibana's `/internal/security/login` endpoint, bypassing the login page (for speed).
  */
 const loginViaEnvironmentCredentials = () => {
   cy.log(
@@ -90,7 +90,7 @@ const loginViaEnvironmentCredentials = () => {
 /**
  * Authenticates with Kibana by reading credentials from the
  * `kibana.dev.yml` file and POSTing the username and password directly to
- * Kibana's `security/v1/login` endpoint, bypassing the login page (for speed).
+ * Kibana's `/internal/security/login` endpoint, bypassing the login page (for speed).
  */
 const loginViaConfig = () => {
   cy.log(

diff --git a/x-pack/plugins/security/common/constants.ts b/x-pack/plugins/security/common/constants.ts
@@ -7,4 +7,3 @@
 export const GLOBAL_RESOURCE = '*';
 export const APPLICATION_PREFIX = 'kibana-';
 export const RESERVED_PRIVILEGES_APPLICATION_WILDCARD = 'kibana-*';
-export const INTERNAL_API_BASE_PATH = '/internal/security';
diff --git a/x-pack/plugins/security/common/model/index.ts b/x-pack/plugins/security/common/model/index.ts
@@ -4,6 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+export { ApiKey, ApiKeyToInvalidate } from './api_key';
 export { User, EditUser, getUserDisplayName } from './user';
 export { AuthenticatedUser, canUserChangePassword } from './authenticated_user';
 export { BuiltinESPrivileges } from './builtin_es_privileges';

diff --git a/x-pack/plugins/security/server/authentication/providers/oidc.test.ts b/x-pack/plugins/security/server/authentication/providers/oidc.test.ts
@@ -42,7 +42,7 @@ describe('OIDCAuthenticationProvider', () => {
 
   describe('`login` method', () => {
     it('redirects third party initiated login attempts to the OpenId Connect Provider.', async () => {
-      const request = httpServerMock.createKibanaRequest({ path: '/api/security/v1/oidc' });
+      const request = httpServerMock.createKibanaRequest({ path: '/api/security/oidc' });
 
       mockOptions.client.callAsInternalUser.withArgs('shield.oidcPrepare').resolves({
         state: 'statevalue',
@@ -205,28 +205,27 @@ describe('OIDCAuthenticationProvider', () => {
     describe('authorization code flow', () => {
       defineAuthenticationFlowTests(() => ({
         request: httpServerMock.createKibanaRequest({
-          path: '/api/security/v1/oidc?code=somecodehere&state=somestatehere',
+          path: '/api/security/oidc?code=somecodehere&state=somestatehere',
         }),
         attempt: {
           flow: OIDCAuthenticationFlow.AuthorizationCode,
-          authenticationResponseURI: '/api/security/v1/oidc?code=somecodehere&state=somestatehere',
+          authenticationResponseURI: '/api/security/oidc?code=somecodehere&state=somestatehere',
         },
-        expectedRedirectURI: '/api/security/v1/oidc?code=somecodehere&state=somestatehere',
+        expectedRedirectURI: '/api/security/oidc?code=somecodehere&state=somestatehere',
       }));
     });
 
     describe('implicit flow', () => {
       defineAuthenticationFlowTests(() => ({
         request: httpServerMock.createKibanaRequest({
           path:
-            '/api/security/v1/oidc?authenticationResponseURI=http://kibana/api/security/v1/oidc/implicit#id_token=sometoken',
+            '/api/security/oidc?authenticationResponseURI=http://kibana/api/security/oidc/implicit#id_token=sometoken',
         }),
         attempt: {
           flow: OIDCAuthenticationFlow.Implicit,
-          authenticationResponseURI:
-            'http://kibana/api/security/v1/oidc/implicit#id_token=sometoken',
+          authenticationResponseURI: 'http://kibana/api/security/oidc/implicit#id_token=sometoken',
         },
-        expectedRedirectURI: 'http://kibana/api/security/v1/oidc/implicit#id_token=sometoken',
+        expectedRedirectURI: 'http://kibana/api/security/oidc/implicit#id_token=sometoken',
       }));
     });
   });