From e67cc8514aa7aeb2e5a54bc1af2a61da19470fe3 Mon Sep 17 00:00:00 2001
From: spalger
Date: Thu, 23 Jan 2020 23:32:10 -0700
Subject: [PATCH] Revert "[csp] allow blob styles when running from source (#54991)"

This reverts commit 375f0b42a7b449cc5d0b73f15595f40de8fa998b.
---
 ...lugin-server.coresetup.getstartservices.md | 34 +++++-----
 .../server/kibana-plugin-server.coresetup.md | 64 +++++++++----------
 ...kibana-plugin-server.cspconfig.default.md} | 6 +-
 .../server/kibana-plugin-server.cspconfig.md | 2 +-
 .../server/kibana-plugin-server.icspconfig.md | 1 -
 ...rver.icspconfig.ruleschangedfromdefault.md | 13 ----
 .../src/kbn_client/kbn_client_status.ts | 6 --
 packages/kbn-pm/dist/index.js | 4 --
 src/core/server/config/env.mock.ts | 29 ---------
 src/core/server/csp/csp_config.test.ts | 47 ++++++--------
 src/core/server/csp/csp_config.ts | 31 ++-------
 src/core/server/http/http_config.ts | 5 +-
 src/core/server/http/http_service.mock.ts | 3 +-
 src/core/server/http/http_service.ts | 2 +-
 src/core/server/http/http_tools.test.ts | 7 +-
 src/core/server/legacy/legacy_service.ts | 4 +-
 src/core/server/mocks.ts | 3 +-
 src/core/server/server.api.md | 7 +-
 .../csp_usage_collector/csp_collector.test.ts | 6 +-
 .../lib/csp_usage_collector/csp_collector.ts | 9 +-
 .../status/routes/api/register_status.js | 3 -
 test/api_integration/apis/general/csp.js | 4 +-
 .../apis/implicit_flow/oidc_auth.ts | 8 +--
 .../apis/security/saml_login.ts | 8 +--
 x-pack/test/saml_api_integration/config.ts | 1 -
 25 files changed, 96 insertions(+), 211 deletions(-)
 rename docs/development/core/server/{kibana-plugin-server.cspconfig.ruleschangedfromdefault.md => kibana-plugin-server.cspconfig.default.md} (56%)
 delete mode 100644 docs/development/core/server/kibana-plugin-server.icspconfig.ruleschangedfromdefault.md
 delete mode 100644 src/core/server/config/env.mock.ts
diff --git a/docs/development/core/server/kibana-plugin-server.coresetup.getstartservices.md b/docs/development/core/server/kibana-plugin-server.coresetup.getstartservices.md index 589529cf2a7f7..b05d28899f9d2 100644 --- a/docs/development/core/server/kibana-plugin-server.coresetup.getstartservices.md +++ b/docs/development/core/server/kibana-plugin-server.coresetup.getstartservices.md @@ -1,17 +1,17 @@ - - -[Home](./index.md) > [kibana-plugin-server](./kibana-plugin-server.md) > [CoreSetup](./kibana-plugin-server.coresetup.md) > [getStartServices](./kibana-plugin-server.coresetup.getstartservices.md) - -## CoreSetup.getStartServices() method - -Allows plugins to get access to APIs available in start inside async handlers. Promise will not resolve until Core and plugin dependencies have completed `start`. This should only be used inside handlers registered during `setup` that will only be executed after `start` lifecycle. - -Signature: - -```typescript -getStartServices(): Promise<[CoreStart, TPluginsStart]>; -``` -Returns: - -`Promise<[CoreStart, TPluginsStart]>` - + + +[Home](./index.md) > [kibana-plugin-server](./kibana-plugin-server.md) > [CoreSetup](./kibana-plugin-server.coresetup.md) > [getStartServices](./kibana-plugin-server.coresetup.getstartservices.md) + +## CoreSetup.getStartServices() method + +Allows plugins to get access to APIs available in start inside async handlers. Promise will not resolve until Core and plugin dependencies have completed `start`. This should only be used inside handlers registered during `setup` that will only be executed after `start` lifecycle. + +Signature: + +```typescript +getStartServices(): Promise<[CoreStart, TPluginsStart]>; +``` +Returns: + +`Promise<[CoreStart, TPluginsStart]>` + diff --git a/docs/development/core/server/kibana-plugin-server.coresetup.md b/docs/development/core/server/kibana-plugin-server.coresetup.md index 325f7216122b5..c36d649837e8a 100644 
--- a/docs/development/core/server/kibana-plugin-server.coresetup.md +++ b/docs/development/core/server/kibana-plugin-server.coresetup.md 
@@ -1,32 +1,32 @@ - - -[Home](./index.md) > [kibana-plugin-server](./kibana-plugin-server.md) > [CoreSetup](./kibana-plugin-server.coresetup.md) - -## CoreSetup interface - -Context passed to the plugins `setup` method. - -Signature: - -```typescript -export interface CoreSetup -``` - -## Properties - -| Property | Type | Description | -| --- | --- | --- | -| [capabilities](./kibana-plugin-server.coresetup.capabilities.md) | CapabilitiesSetup | [CapabilitiesSetup](./kibana-plugin-server.capabilitiessetup.md) | -| [context](./kibana-plugin-server.coresetup.context.md) | ContextSetup | [ContextSetup](./kibana-plugin-server.contextsetup.md) | -| [elasticsearch](./kibana-plugin-server.coresetup.elasticsearch.md) | ElasticsearchServiceSetup | [ElasticsearchServiceSetup](./kibana-plugin-server.elasticsearchservicesetup.md) | -| [http](./kibana-plugin-server.coresetup.http.md) | HttpServiceSetup | [HttpServiceSetup](./kibana-plugin-server.httpservicesetup.md) | -| [savedObjects](./kibana-plugin-server.coresetup.savedobjects.md) | SavedObjectsServiceSetup | [SavedObjectsServiceSetup](./kibana-plugin-server.savedobjectsservicesetup.md) | -| [uiSettings](./kibana-plugin-server.coresetup.uisettings.md) | UiSettingsServiceSetup | [UiSettingsServiceSetup](./kibana-plugin-server.uisettingsservicesetup.md) | -| [uuid](./kibana-plugin-server.coresetup.uuid.md) | UuidServiceSetup | [UuidServiceSetup](./kibana-plugin-server.uuidservicesetup.md) | - -## Methods - -| Method | Description | -| --- | --- | -| [getStartServices()](./kibana-plugin-server.coresetup.getstartservices.md) | Allows plugins to get access to APIs available in start inside async handlers. Promise will not resolve until Core and plugin dependencies have completed start. This should only be used inside handlers registered during setup that will only be executed after start lifecycle. 
| - + + +[Home](./index.md) > [kibana-plugin-server](./kibana-plugin-server.md) > [CoreSetup](./kibana-plugin-server.coresetup.md) + +## CoreSetup interface + +Context passed to the plugins `setup` method. + +Signature: + +```typescript +export interface CoreSetup +``` + +## Properties + +| Property | Type | Description | +| --- | --- | --- | +| [capabilities](./kibana-plugin-server.coresetup.capabilities.md) | CapabilitiesSetup | [CapabilitiesSetup](./kibana-plugin-server.capabilitiessetup.md) | +| [context](./kibana-plugin-server.coresetup.context.md) | ContextSetup | [ContextSetup](./kibana-plugin-server.contextsetup.md) | +| [elasticsearch](./kibana-plugin-server.coresetup.elasticsearch.md) | ElasticsearchServiceSetup | [ElasticsearchServiceSetup](./kibana-plugin-server.elasticsearchservicesetup.md) | +| [http](./kibana-plugin-server.coresetup.http.md) | HttpServiceSetup | [HttpServiceSetup](./kibana-plugin-server.httpservicesetup.md) | +| [savedObjects](./kibana-plugin-server.coresetup.savedobjects.md) | SavedObjectsServiceSetup | [SavedObjectsServiceSetup](./kibana-plugin-server.savedobjectsservicesetup.md) | +| [uiSettings](./kibana-plugin-server.coresetup.uisettings.md) | UiSettingsServiceSetup | [UiSettingsServiceSetup](./kibana-plugin-server.uisettingsservicesetup.md) | +| [uuid](./kibana-plugin-server.coresetup.uuid.md) | UuidServiceSetup | [UuidServiceSetup](./kibana-plugin-server.uuidservicesetup.md) | + +## Methods + +| Method | Description | +| --- | --- | +| [getStartServices()](./kibana-plugin-server.coresetup.getstartservices.md) | Allows plugins to get access to APIs available in start inside async handlers. Promise will not resolve until Core and plugin dependencies have completed start. This should only be used inside handlers registered during setup that will only be executed after start lifecycle. | + 
diff --git a/docs/development/core/server/kibana-plugin-server.cspconfig.ruleschangedfromdefault.md b/docs/development/core/server/kibana-plugin-server.cspconfig.default.md similarity index 56% rename from docs/development/core/server/kibana-plugin-server.cspconfig.ruleschangedfromdefault.md rename to docs/development/core/server/kibana-plugin-server.cspconfig.default.md index 3320785935b21..56e6cf35cdd13 100644 --- a/docs/development/core/server/kibana-plugin-server.cspconfig.ruleschangedfromdefault.md +++ b/docs/development/core/server/kibana-plugin-server.cspconfig.default.md @@ -1,11 +1,11 @@ -[Home](./index.md) > [kibana-plugin-server](./kibana-plugin-server.md) > [CspConfig](./kibana-plugin-server.cspconfig.md) > [rulesChangedFromDefault](./kibana-plugin-server.cspconfig.ruleschangedfromdefault.md) +[Home](./index.md) > [kibana-plugin-server](./kibana-plugin-server.md) > [CspConfig](./kibana-plugin-server.cspconfig.md) > [DEFAULT](./kibana-plugin-server.cspconfig.default.md) -## CspConfig.rulesChangedFromDefault property +## CspConfig.DEFAULT property Signature: ```typescript -readonly rulesChangedFromDefault: boolean; +static readonly DEFAULT: CspConfig; ``` diff --git a/docs/development/core/server/kibana-plugin-server.cspconfig.md b/docs/development/core/server/kibana-plugin-server.cspconfig.md index 6f12d64676ce9..7e491cb0df912 100644 --- a/docs/development/core/server/kibana-plugin-server.cspconfig.md +++ b/docs/development/core/server/kibana-plugin-server.cspconfig.md 
@@ -20,9 +20,9 @@ The constructor for this class is marked as internal. Third-party code should no | Property | Modifiers | Type | Description | | --- | --- | --- | --- | +| [DEFAULT](./kibana-plugin-server.cspconfig.default.md) | static | CspConfig | | | [header](./kibana-plugin-server.cspconfig.header.md) | | string | | | [rules](./kibana-plugin-server.cspconfig.rules.md) | | string[] | | -| [rulesChangedFromDefault](./kibana-plugin-server.cspconfig.ruleschangedfromdefault.md) | | boolean | | | [strict](./kibana-plugin-server.cspconfig.strict.md) | | boolean | | | [warnLegacyBrowsers](./kibana-plugin-server.cspconfig.warnlegacybrowsers.md) | | boolean | | diff --git a/docs/development/core/server/kibana-plugin-server.icspconfig.md b/docs/development/core/server/kibana-plugin-server.icspconfig.md index 00107d561873f..fb8188386a376 100644 --- a/docs/development/core/server/kibana-plugin-server.icspconfig.md +++ b/docs/development/core/server/kibana-plugin-server.icspconfig.md @@ -18,7 +18,6 @@ export interface ICspConfig | --- | --- | --- | | [header](./kibana-plugin-server.icspconfig.header.md) | string | The CSP rules in a formatted directives string for use in a Content-Security-Policy header. | | [rules](./kibana-plugin-server.icspconfig.rules.md) | string[] | The CSP rules used for Kibana. | -| [rulesChangedFromDefault](./kibana-plugin-server.icspconfig.ruleschangedfromdefault.md) | boolean | Flag indicating that the configuraion changes the csp rules from the defaults | | [strict](./kibana-plugin-server.icspconfig.strict.md) | boolean | Specify whether browsers that do not support CSP should be able to use Kibana. Use true to block and false to allow. | | [warnLegacyBrowsers](./kibana-plugin-server.icspconfig.warnlegacybrowsers.md) | boolean | Specify whether users with legacy browsers should be warned about their lack of Kibana security compliance. | 
diff --git a/docs/development/core/server/kibana-plugin-server.icspconfig.ruleschangedfromdefault.md b/docs/development/core/server/kibana-plugin-server.icspconfig.ruleschangedfromdefault.md deleted file mode 100644 index 427c07d2d1e4d..0000000000000 --- a/docs/development/core/server/kibana-plugin-server.icspconfig.ruleschangedfromdefault.md +++ /dev/null @@ -1,13 +0,0 @@ - - -[Home](./index.md) > [kibana-plugin-server](./kibana-plugin-server.md) > [ICspConfig](./kibana-plugin-server.icspconfig.md) > [rulesChangedFromDefault](./kibana-plugin-server.icspconfig.ruleschangedfromdefault.md) - -## ICspConfig.rulesChangedFromDefault property - -Flag indicating that the configuraion changes the csp rules from the defaults - -Signature: - -```typescript -readonly rulesChangedFromDefault: boolean; -``` diff --git a/packages/kbn-dev-utils/src/kbn_client/kbn_client_status.ts b/packages/kbn-dev-utils/src/kbn_client/kbn_client_status.ts index 3775aecb2db09..22baf4a330416 100644 --- a/packages/kbn-dev-utils/src/kbn_client/kbn_client_status.ts +++ b/packages/kbn-dev-utils/src/kbn_client/kbn_client_status.ts @@ -32,7 +32,6 @@ interface Status { interface ApiResponseStatus { name: string; uuid: string; - running_from_source?: true; version: { number: string; build_hash: string; @@ -59,11 +58,6 @@ export class KbnClientStatus { }); } - public async isDistributable() { - const status = await this.get(); - return !status.running_from_source; - } - /** * Get the overall/merged state */ diff --git a/packages/kbn-pm/dist/index.js b/packages/kbn-pm/dist/index.js index 364b91a30841c..8bded9d403c21 100644 --- a/packages/kbn-pm/dist/index.js +++ b/packages/kbn-pm/dist/index.js @@ -43639,10 +43639,6 @@ class KbnClientStatus { path: 'api/status', }); } - async isDistributable() { - const status = await this.get(); - return !status.running_from_source; - } /** * Get the overall/merged state */ 
diff --git a/src/core/server/config/env.mock.ts b/src/core/server/config/env.mock.ts deleted file mode 100644 index f9b4e0732c1cb..0000000000000 --- a/src/core/server/config/env.mock.ts +++ /dev/null @@ -1,29 +0,0 @@ -/* - * Licensed to Elasticsearch B.V. under one or more contributor - * license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright - * ownership. Elasticsearch B.V. licenses this file to you under - * the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -import { Env } from './env'; - -export function createMockEnv(options: { dist?: boolean } = {}): Env { - return { - // required by CspConfig - packageInfo: { - dist: options.dist ?? true, - }, - } as any; -} diff --git a/src/core/server/csp/csp_config.test.ts b/src/core/server/csp/csp_config.test.ts index 15cddc6fccd34..45fa8445791b0 100644 --- a/src/core/server/csp/csp_config.test.ts +++ b/src/core/server/csp/csp_config.test.ts @@ -18,7 +18,6 @@ */ import { CspConfig } from '.'; -import { createMockEnv } from '../config/env.mock'; // CSP rules aren't strictly additive, so any change can potentially expand or // restrict the policy in a way we consider a breaking change. For that reason, 
@@ -34,10 +33,23 @@ import { createMockEnv } from '../config/env.mock'; // the nature of a change in defaults during a PR review. describe('CspConfig', () => { - test('defaults from config', () => { - const cspConfig = new CspConfig(createMockEnv()); + test('DEFAULT', () => { + expect(CspConfig.DEFAULT).toMatchInlineSnapshot(` + CspConfig { + "header": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", + "rules": Array [ + "script-src 'unsafe-eval' 'self'", + "worker-src blob: 'self'", + "style-src 'unsafe-inline' 'self'", + ], + "strict": true, + "warnLegacyBrowsers": true, + } + `); + }); - expect(cspConfig).toMatchInlineSnapshot(` + test('defaults from config', () => { + expect(new CspConfig()).toMatchInlineSnapshot(` CspConfig { "header": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "rules": Array [ @@ -45,7 +57,6 @@ describe('CspConfig', () => { "worker-src blob: 'self'", "style-src 'unsafe-inline' 'self'", ], - "rulesChangedFromDefault": false, "strict": true, "warnLegacyBrowsers": true, } @@ -53,9 +64,7 @@ describe('CspConfig', () => { }); test('creates from partial config', () => { - const cspConfig = new CspConfig(createMockEnv(), { strict: false, warnLegacyBrowsers: false }); - - expect(cspConfig).toMatchInlineSnapshot(` + expect(new CspConfig({ strict: false, warnLegacyBrowsers: false })).toMatchInlineSnapshot(` CspConfig { "header": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "rules": Array [ @@ -63,7 +72,6 @@ describe('CspConfig', () => { "worker-src blob: 'self'", "style-src 'unsafe-inline' 'self'", ], - "rulesChangedFromDefault": false, "strict": false, "warnLegacyBrowsers": false, } 
@@ -71,7 +79,7 @@ describe('CspConfig', () => { }); test('computes header from rules', () => { - const cspConfig = new CspConfig(createMockEnv(), { rules: ['alpha', 'beta', 'gamma'] }); + const cspConfig = new CspConfig({ rules: ['alpha', 'beta', 'gamma'] }); expect(cspConfig).toMatchInlineSnapshot(` CspConfig { @@ -81,25 +89,6 @@ describe('CspConfig', () => { "beta", "gamma", ], - "rulesChangedFromDefault": true, - "strict": true, - "warnLegacyBrowsers": true, - } - `); - }); - - test(`includes blob: style-src if env indicates we're running from source`, () => { - const cspConfig = new CspConfig(createMockEnv({ dist: false })); - - expect(cspConfig).toMatchInlineSnapshot(` - CspConfig { - "header": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src blob: 'unsafe-inline' 'self'", - "rules": Array [ - "script-src 'unsafe-eval' 'self'", - "worker-src blob: 'self'", - "style-src blob: 'unsafe-inline' 'self'", - ], - "rulesChangedFromDefault": false, "strict": true, "warnLegacyBrowsers": true, } diff --git a/src/core/server/csp/csp_config.ts b/src/core/server/csp/csp_config.ts index 592a7209f4364..bb57702a4a241 100644 --- a/src/core/server/csp/csp_config.ts +++ b/src/core/server/csp/csp_config.ts @@ -18,7 +18,6 @@ */ import { config } from './config'; -import { Env } from '../config'; const DEFAULT_CONFIG = Object.freeze(config.schema.validate({})); @@ -49,12 +48,6 @@ export interface ICspConfig { * in a `Content-Security-Policy` header. */ readonly header: string; - - /** - * Flag indicating that the configuraion changes the csp - * rules from the defaults - */ - readonly rulesChangedFromDefault: boolean; } /** 
@@ -62,37 +55,23 @@ export interface ICspConfig {
  * @public
  */
 export class CspConfig implements ICspConfig {
+  static readonly DEFAULT = new CspConfig();
+
   public readonly rules: string[];
   public readonly strict: boolean;
   public readonly warnLegacyBrowsers: boolean;
   public readonly header: string;
-  public readonly rulesChangedFromDefault: boolean;
 
   /**
    * Returns the default CSP configuration when passed with no config
    * @internal
    */
-  constructor(env: Env, rawCspConfig?: Partial>) {
+  constructor(rawCspConfig: Partial> = {}) {
     const source = { ...DEFAULT_CONFIG, ...rawCspConfig };
 
-    this.rules = source.rules.map(rule => {
-      // if we receive an env, and it indicates that this isn't a distributable, add `blob:` to the style csp rules
-      if (env && !env.packageInfo.dist && rule.startsWith('style-src ')) {
-        return rule.replace(/^style-src /, 'style-src blob: ');
-      }
-
-      return rule;
-    });
+    this.rules = source.rules;
     this.strict = source.strict;
     this.warnLegacyBrowsers = source.warnLegacyBrowsers;
-    this.header = this.rules.join('; ');
-
-    // only check to see if the csp values are customized when `rawCspConfig` was received.
-    if (!rawCspConfig) {
-      this.rulesChangedFromDefault = false;
-    } else {
-      const defaultCsp = new CspConfig(env);
-      this.rulesChangedFromDefault = defaultCsp.header !== this.header;
-    }
+    this.header = source.rules.join('; ');
   }
 }
diff --git a/src/core/server/http/http_config.ts b/src/core/server/http/http_config.ts
index b249dbb5b6a04..73f44f3c5ab5c 100644
--- a/src/core/server/http/http_config.ts
+++ b/src/core/server/http/http_config.ts
@@ -22,7 +22,6 @@ import { hostname } from 'os';
 
 import { CspConfigType, CspConfig, ICspConfig } from '../csp';
 import { SslConfig, sslSchema } from './ssl_config';
-import { Env } from '../config';
 
 const validBasePathRegex = /(^$|^\/.*[^\/]$)/;
 const uuidRegexp = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-5][0-9a-f]{3}-[089ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
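Review bot: `this.rules = source.rules;` stores the array by reference, and when `rawCspConfig` carries no `rules` that reference is `DEFAULT_CONFIG.rules`, which the shallow `Object.freeze` on the module constant does not protect; `readonly rules: string[]` blocks reassignment only, so a `push` on `CspConfig.DEFAULT.rules` by any holder of the shared instance would silently alter the policy rules of every later `new CspConfig()` while `header`, computed once here, stays stale. Copying at construction closes this, `this.rules = [...source.rules];`, and keeps an instance's `rules` and `header` consistent with each other. The same aliasing applies to a caller-supplied `rawCspConfig.rules`, so the copy is worth making unconditionally. The http_config.ts hunk on this line is fine as written.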
@@ -149,7 +148,7 @@ export class HttpConfig {
   /**
    * @internal
    */
-  constructor(rawHttpConfig: HttpConfigType, rawCspConfig: CspConfigType, env: Env) {
+  constructor(rawHttpConfig: HttpConfigType, rawCspConfig: CspConfigType) {
     this.autoListen = rawHttpConfig.autoListen;
     this.host = rawHttpConfig.host;
     this.port = rawHttpConfig.port;
@@ -163,7 +162,7 @@ export class HttpConfig {
     this.rewriteBasePath = rawHttpConfig.rewriteBasePath;
     this.ssl = new SslConfig(rawHttpConfig.ssl || {});
     this.compression = rawHttpConfig.compression;
-    this.csp = new CspConfig(env, rawCspConfig);
+    this.csp = new CspConfig(rawCspConfig);
     this.xsrf = rawHttpConfig.xsrf;
   }
 }
diff --git a/src/core/server/http/http_service.mock.ts b/src/core/server/http/http_service.mock.ts
index 7fc2f5d990824..6db1ca80ab437 100644
--- a/src/core/server/http/http_service.mock.ts
+++ b/src/core/server/http/http_service.mock.ts
@@ -21,7 +21,6 @@ import { Server } from 'hapi';
 import { CspConfig } from '../csp';
 import { mockRouter } from './router/router.mock';
 import { configMock } from '../config/config.mock';
-import { createMockEnv } from '../config/env.mock';
 import { InternalHttpServiceSetup } from './types';
 import { HttpService } from './http_service';
 import { OnPreAuthToolkit } from './lifecycle/on_pre_auth';
@@ -62,7 +61,7 @@ const createSetupContractMock = () => {
     registerOnPreResponse: jest.fn(),
     createRouter: jest.fn().mockImplementation(() => mockRouter.create({})),
     basePath: createBasePathMock(),
-    csp: new CspConfig(createMockEnv()),
+    csp: CspConfig.DEFAULT,
     auth: {
       get: jest.fn(),
       isAuthenticated: jest.fn(),
diff --git a/src/core/server/http/http_service.ts b/src/core/server/http/http_service.ts
index 8a86667a1a6bc..ae9d53f9fd3db 100644
--- a/src/core/server/http/http_service.ts
+++ b/src/core/server/http/http_service.ts
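Review bot: `csp: CspConfig.DEFAULT` in the http_service.mock.ts hunk hands every test the one process-wide instance instead of the per-mock instance the removed line created, and the mocks.ts hunk makes the same substitution; because `rules` is a plain `string[]`, a test that mutates it would leak into other tests and into the production default. If a cheap shared constant is the intent, a comment such as `// shared process-wide instance: treat as immutable` on the line would make that expectation explicit; otherwise `csp: new CspConfig()` keeps the previous per-mock isolation at negligible cost. createSetupContractMock continues past the hunk.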
@@ -70,7 +70,7 @@ export class HttpService implements CoreService(httpConfig.path), configService.atPath(cspConfig.path), - ]).pipe(map(([http, csp]) => new HttpConfig(http, csp, env))); + ]).pipe(map(([http, csp]) => new HttpConfig(http, csp))); this.httpServer = new HttpServer(logger, 'Kibana'); this.httpsRedirectServer = new HttpsRedirectServer(logger.get('http', 'redirect', 'server')); } diff --git a/src/core/server/http/http_tools.test.ts b/src/core/server/http/http_tools.test.ts index d552339f1ea1c..c1322a5aa94db 100644 --- a/src/core/server/http/http_tools.test.ts +++ b/src/core/server/http/http_tools.test.ts @@ -29,7 +29,6 @@ import { defaultValidationErrorHandler, HapiValidationError, getServerOptions } import { HttpServer } from './http_server'; import { HttpConfig, config } from './http_config'; import { Router } from './router'; -import { createMockEnv } from '../config/env.mock'; import { loggingServiceMock } from '../logging/logging_service.mock'; import { ByteSizeValue } from '@kbn/config-schema'; @@ -121,8 +120,7 @@ describe('getServerOptions', () => { certificate: 'some-certificate-path', }, }), - {} as any, - createMockEnv() + {} as any ); expect(getServerOptions(httpConfig).tls).toMatchInlineSnapshot(` @@ -151,8 +149,7 @@ describe('getServerOptions', () => { clientAuthentication: 'required', }, }), - {} as any, - createMockEnv() + {} as any ); expect(getServerOptions(httpConfig).tls).toMatchInlineSnapshot(` diff --git a/src/core/server/legacy/legacy_service.ts b/src/core/server/legacy/legacy_service.ts index ca1204f0ac05c..0cb717e3832aa 100644 --- a/src/core/server/legacy/legacy_service.ts +++ b/src/core/server/legacy/legacy_service.ts 
@@ -86,7 +86,7 @@ export class LegacyService implements CoreService { public legacyInternals?: ILegacyInternals; constructor(private readonly coreContext: CoreContext) { - const { logger, configService, env } = coreContext; + const { logger, configService } = coreContext; this.log = logger.get('legacy-service'); this.devConfig$ = configService @@ -95,7 +95,7 @@ export class LegacyService implements CoreService { this.httpConfig$ = combineLatest( configService.atPath(httpConfig.path), configService.atPath(cspConfig.path) - ).pipe(map(([http, csp]) => new HttpConfig(http, csp, env))); + ).pipe(map(([http, csp]) => new HttpConfig(http, csp))); } public async discoverPlugins(): Promise { diff --git a/src/core/server/mocks.ts b/src/core/server/mocks.ts index 846c2e4d8c507..c0a8973d98a54 100644 --- a/src/core/server/mocks.ts +++ b/src/core/server/mocks.ts @@ -33,7 +33,6 @@ import { capabilitiesServiceMock } from './capabilities/capabilities_service.moc export { httpServerMock } from './http/http_server.mocks'; export { sessionStorageMock } from './http/cookie_session_storage.mocks'; export { configServiceMock } from './config/config_service.mock'; -import { createMockEnv } from './config/env.mock'; export { elasticsearchServiceMock } from './elasticsearch/elasticsearch_service.mock'; export { httpServiceMock } from './http/http_service.mock'; export { loggingServiceMock } from './logging/logging_service.mock'; @@ -98,7 +97,7 @@ function createCoreSetupMock() { registerOnPostAuth: httpService.registerOnPostAuth, registerOnPreResponse: httpService.registerOnPreResponse, basePath: httpService.basePath, - csp: new CspConfig(createMockEnv()), + csp: CspConfig.DEFAULT, isTlsEnabled: httpService.isTlsEnabled, createRouter: jest.fn(), registerRouteHandlerContext: jest.fn(), diff --git a/src/core/server/server.api.md b/src/core/server/server.api.md index 629e6a881199b..a179e1f35a937 100644 --- a/src/core/server/server.api.md +++ b/src/core/server/server.api.md 
@@ -583,14 +583,14 @@ export interface CoreStart { // @public export class CspConfig implements ICspConfig { // @internal - constructor(env: Env, rawCspConfig?: Partial>); + constructor(rawCspConfig?: Partial>); + // (undocumented) + static readonly DEFAULT: CspConfig; // (undocumented) readonly header: string; // (undocumented) readonly rules: string[]; // (undocumented) - readonly rulesChangedFromDefault: boolean; - // (undocumented) readonly strict: boolean; // (undocumented) readonly warnLegacyBrowsers: boolean; @@ -774,7 +774,6 @@ export type IContextProvider, TContextName export interface ICspConfig { readonly header: string; readonly rules: string[]; - readonly rulesChangedFromDefault: boolean; readonly strict: boolean; readonly warnLegacyBrowsers: boolean; } diff --git a/src/legacy/core_plugins/kibana/server/lib/csp_usage_collector/csp_collector.test.ts b/src/legacy/core_plugins/kibana/server/lib/csp_usage_collector/csp_collector.test.ts index 584621a1ce13f..395cb60587832 100644 --- a/src/legacy/core_plugins/kibana/server/lib/csp_usage_collector/csp_collector.test.ts +++ b/src/legacy/core_plugins/kibana/server/lib/csp_usage_collector/csp_collector.test.ts @@ -18,8 +18,6 @@ */ import { CspConfig, ICspConfig } from '../../../../../../core/server'; -// eslint-disable-next-line @kbn/eslint/no-restricted-paths -import { createMockEnv } from '../../../../../../core/server/config/env.mock'; import { createCspCollector } from './csp_collector'; const createMockKbnServer = () => ({ @@ -27,7 +25,7 @@ const createMockKbnServer = () => ({ setup: { core: { http: { - csp: new CspConfig(createMockEnv()), + csp: new CspConfig(), }, }, }, @@ -38,7 +36,7 @@ describe('csp collector', () => { let kbnServer: ReturnType; function updateCsp(config: Partial) { - kbnServer.newPlatform.setup.core.http.csp = new CspConfig(createMockEnv(), config); + kbnServer.newPlatform.setup.core.http.csp = new CspConfig(config); } beforeEach(() => { 
diff --git a/src/legacy/core_plugins/kibana/server/lib/csp_usage_collector/csp_collector.ts b/src/legacy/core_plugins/kibana/server/lib/csp_usage_collector/csp_collector.ts index dce4c7fe6fefc..6622ed4bef478 100644 --- a/src/legacy/core_plugins/kibana/server/lib/csp_usage_collector/csp_collector.ts +++ b/src/legacy/core_plugins/kibana/server/lib/csp_usage_collector/csp_collector.ts @@ -18,6 +18,7 @@ */ import { Server } from 'hapi'; +import { CspConfig } from '../../../../../../core/server'; import { UsageCollectionSetup } from '../../../../../../plugins/usage_collection/server'; export function createCspCollector(server: Server) { @@ -25,11 +26,7 @@ export function createCspCollector(server: Server) { type: 'csp', isReady: () => true, async fetch() { - const { - strict, - warnLegacyBrowsers, - rulesChangedFromDefault, - } = server.newPlatform.setup.core.http.csp; + const { strict, warnLegacyBrowsers, header } = server.newPlatform.setup.core.http.csp; return { strict, @@ -37,7 +34,7 @@ export function createCspCollector(server: Server) { // It's important that we do not send the value of csp.header here as it // can be customized with values that can be identifiable to given // installs, such as URLs - rulesChangedFromDefault, + rulesChangedFromDefault: header !== CspConfig.DEFAULT.header, }; }, }; diff --git a/src/legacy/server/status/routes/api/register_status.js b/src/legacy/server/status/routes/api/register_status.js index 55bf81f2c5f9a..259a00667810f 100644 --- a/src/legacy/server/status/routes/api/register_status.js +++ b/src/legacy/server/status/routes/api/register_status.js @@ -18,7 +18,6 @@ */ import { wrapAuthConfig } from '../../wrap_auth_config'; -import { IS_KIBANA_DISTRIBUTABLE } from '../../../../utils/artifact_type'; const matchSnapshot = /-SNAPSHOT$/; 
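Review bot: `rulesChangedFromDefault: header !== CspConfig.DEFAULT.header` is an exact string comparison, so a configuration listing the default directives in a different order or with different spacing is reported as changed; the removed constructor-side computation behaved the same way, so this is a documentation point rather than a regression. A comment above the line such as `// byte comparison against the built-in default header; directive order and spacing count as a change` would stop a reader from taking the flag for semantic equality. The existing comment about not sending `csp.header` still holds, since only the boolean leaves this function. createCspCollector's closing brace lies outside the hunk.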
@@ -36,8 +35,6 @@ export function registerStatusApi(kbnServer, server, config) { return { name: config.get('server.name'), uuid: config.get('server.uuid'), - // flag to help tests know that kibana is running from source, not included in distributable response - ...(IS_KIBANA_DISTRIBUTABLE ? {} : { running_from_source: true }), version: { number: config.get('pkg.version').replace(matchSnapshot, ''), build_hash: config.get('pkg.buildSha'), diff --git a/test/api_integration/apis/general/csp.js b/test/api_integration/apis/general/csp.js index 38893c371fb52..8c191703070d8 100644 --- a/test/api_integration/apis/general/csp.js +++ b/test/api_integration/apis/general/csp.js @@ -21,7 +21,6 @@ import expect from '@kbn/expect'; export default function({ getService }) { const supertest = getService('supertest'); - const kibanaServer = getService('kibanaServer'); describe('csp smoke test', () => { it('app response sends content security policy headers', async () => { @@ -37,12 +36,11 @@ export default function({ getService }) { }) ); - const isDist = await kibanaServer.status.isDistributable(); const entries = Array.from(parsed.entries()); expect(entries).to.eql([ ['script-src', ["'unsafe-eval'", "'self'"]], ['worker-src', ['blob:', "'self'"]], - ['style-src', [...(isDist ? [] : ['blob:']), "'unsafe-inline'", "'self'"]], + ['style-src', ["'unsafe-inline'", "'self'"]], ]); }); }); diff --git a/x-pack/test/oidc_api_integration/apis/implicit_flow/oidc_auth.ts b/x-pack/test/oidc_api_integration/apis/implicit_flow/oidc_auth.ts index 87979ca643a19..1f5a64835416a 100644 --- a/x-pack/test/oidc_api_integration/apis/implicit_flow/oidc_auth.ts +++ b/x-pack/test/oidc_api_integration/apis/implicit_flow/oidc_auth.ts 
@@ -15,7 +15,6 @@ import { FtrProviderContext } from '../../ftr_provider_context'; export default function({ getService }: FtrProviderContext) { const supertest = getService('supertestWithoutAuth'); const config = getService('config'); - const kibanaServer = getService('kibanaServer'); describe('OpenID Connect Implicit Flow authentication', () => { describe('finishing handshake', () => { @@ -57,17 +56,12 @@ export default function({ getService }: FtrProviderContext) { }); await (dom.window as Record).__isScriptExecuted__; - const isDist = await kibanaServer.status.isDistributable(); // Check that proxy page is returned with proper headers. expect(response.headers['content-type']).to.be('text/html; charset=utf-8'); expect(response.headers['cache-control']).to.be('private, no-cache, no-store'); expect(response.headers['content-security-policy']).to.be( - [ - `script-src 'unsafe-eval' 'self';`, - `worker-src blob: 'self';`, - `style-src ${isDist ? '' : 'blob: '}'unsafe-inline' 'self'`, - ].join(' ') + `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` ); // Check that script that forwards URL fragment worked correctly. diff --git a/x-pack/test/saml_api_integration/apis/security/saml_login.ts b/x-pack/test/saml_api_integration/apis/security/saml_login.ts index d4de4d601a36c..0436d59906ea8 100644 --- a/x-pack/test/saml_api_integration/apis/security/saml_login.ts +++ b/x-pack/test/saml_api_integration/apis/security/saml_login.ts @@ -17,7 +17,6 @@ export default function({ getService }: FtrProviderContext) { const randomness = getService('randomness'); const supertest = getService('supertestWithoutAuth'); const config = getService('config'); - const kibanaServer = getService('kibanaServer'); const kibanaServerConfig = config.get('servers.kibana'); 
@@ -138,17 +137,12 @@ export default function({ getService }: FtrProviderContext) { }); await (dom.window as Record).__isScriptExecuted__; - const isDist = await kibanaServer.status.isDistributable(); // Check that proxy page is returned with proper headers. expect(response.headers['content-type']).to.be('text/html; charset=utf-8'); expect(response.headers['cache-control']).to.be('private, no-cache, no-store'); expect(response.headers['content-security-policy']).to.be( - [ - `script-src 'unsafe-eval' 'self';`, - `worker-src blob: 'self';`, - `style-src ${isDist ? '' : 'blob: '}'unsafe-inline' 'self'`, - ].join(' ') + `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` ); // Check that script that forwards URL fragment worked correctly. diff --git a/x-pack/test/saml_api_integration/config.ts b/x-pack/test/saml_api_integration/config.ts index 1d83f374e966c..6ea29b0d9e56e 100644 --- a/x-pack/test/saml_api_integration/config.ts +++ b/x-pack/test/saml_api_integration/config.ts @@ -20,7 +20,6 @@ export default async function({ readConfigFile }: FtrConfigProviderContext) { testFiles: [require.resolve('./apis')], servers: xPackAPITestsConfig.get('servers'), services: { - kibanaServer: kibanaAPITestsConfig.get('services.kibanaServer'), randomness: kibanaAPITestsConfig.get('services.randomness'), legacyEs: kibanaAPITestsConfig.get('services.legacyEs'), supertestWithoutAuth: xPackAPITestsConfig.get('services.supertestWithoutAuth'),