From 54d2f23ee7fa45b92e980c120e50f721c7823d49 Mon Sep 17 00:00:00 2001
From: Kurt Greiner
Date: Thu, 14 Jul 2022 12:42:49 -0400
Subject: [PATCH 01/13] Adding deprecation warning for Interactive Users using ApiKeys

---
docs/user/security/api-keys/index.asciidoc | 5 ++
.../security/authentication/index.asciidoc | 6 ++
.../analytics/authentication_type.test.ts | 87 +++++++++++++++++++
.../routes/analytics/authentication_type.ts | 30 +++++++
4 files changed, 128 insertions(+)

diff --git a/docs/user/security/api-keys/index.asciidoc b/docs/user/security/api-keys/index.asciidoc
index bc277609d43e4..458a6a73bb04a 100644
--- a/docs/user/security/api-keys/index.asciidoc
+++ b/docs/user/security/api-keys/index.asciidoc
@@ -45,6 +45,11 @@ curl --location --request GET 'http://localhost:5601/api/security/role' \
--header 'kbn-xsrf: true' \
--header 'Authorization: ApiKey aVZlLUMzSUJuYndxdDJvN0k1bU46aGxlYUpNS2lTa2FKeVZua1FnY1VEdw==' \

+[IMPORTANT]
+============================================================================
+Interactive users authenticating via ApiKey is deprecated and will be removed in a future version.
+============================================================================
+
[float]
[[view-api-keys]]
=== View and delete API keys
diff --git a/docs/user/security/authentication/index.asciidoc b/docs/user/security/authentication/index.asciidoc
index 007d1af017df3..7c6f7d0d0e8df 100644
--- a/docs/user/security/authentication/index.asciidoc
+++ b/docs/user/security/authentication/index.asciidoc
@@ -394,6 +394,12 @@ HTTP protocol provides a simple authentication framework that can be used by a c This type of authentication is usually useful for machine-to-machine interaction that requires authentication and where human intervention is not desired or just infeasible. There are a number of use cases when HTTP authentication support comes in handy for {kib} users as well. +[IMPORTANT] +============================================================================ +Interactive users authenticating via ApiKey is deprecated and will be removed in a future version. +============================================================================ + + By default {kib} supports <> authentication scheme _and_ any scheme supported by the currently enabled authentication provider. For example, `Basic` authentication scheme is automatically supported when basic authentication provider is enabled, or `Bearer` scheme when any of the token based authentication providers is enabled (Token, SAML, OpenID Connect, PKI or Kerberos). But it's also possible to add support for any other authentication scheme in the `kibana.yml` configuration file, as follows: NOTE: Don't forget to explicitly specify the default `apikey` and `bearer` schemes when you just want to add a new one to the list. diff --git a/x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts b/x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts index 3ea35308347a1..34334833fe849 100644 --- a/x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts +++ b/x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts @@ -19,6 +19,7 @@ import { routeDefinitionParamsMock } from '../index.mock'; import { defineRecordAnalyticsOnAuthTypeRoutes } from './authentication_type'; const FAKE_TIMESTAMP = 1637665318135; + function getMockContext( licenseCheckResult: { state: string; message?: string } = { state: 'valid' } ) { 
@@ -33,14 +34,18 @@ describe('POST /internal/security/analytics/_record_auth_type', () => { }); let routeHandler: RequestHandler; + let routeParamsMock: DeeplyMockedKeys; + beforeEach(() => { routeParamsMock = routeDefinitionParamsMock.create(); + defineRecordAnalyticsOnAuthTypeRoutes(routeParamsMock); const [, recordAnalyticsOnAuthTypeRouteHandler] = routeParamsMock.router.post.mock.calls.find( ([{ path }]) => path === '/internal/security/analytics/_record_auth_type' )!; + routeHandler = recordAnalyticsOnAuthTypeRouteHandler; }); @@ -49,6 +54,10 @@ describe('POST /internal/security/analytics/_record_auth_type', () => { const response = await routeHandler(getMockContext(), request, kibanaResponseFactory); expect(response.status).toBe(204); + expect(routeParamsMock.logger.warn).toBeCalledWith( + 'Cannot record authentication type: current user could not be retrieved.' + ); + expect(routeParamsMock.analyticsService.reportAuthenticationTypeEvent).not.toHaveBeenCalled(); }); @@ -286,19 +295,23 @@ describe('POST /internal/security/analytics/_record_auth_type', () => { }); const mockAuthc = authenticationServiceMock.createStart(); + mockAuthc.getCurrentUser.mockReturnValue( mockAuthenticatedUser({ authentication_provider: { type: HTTPAuthenticationProvider.type, name: '__http__' }, }) ); + routeParamsMock.getAuthenticationService.mockReturnValue(mockAuthc); const response = await routeHandler(getMockContext(), request, kibanaResponseFactory); + expect(response.status).toBe(200); expect(response.payload).toEqual({ timestamp: FAKE_TIMESTAMP, signature: 'f4f6b485690816127c33d5aa13cd6cd12c9892641ba23b5d58e5c6590cd43db0', }); + routeParamsMock.analyticsService.reportAuthenticationTypeEvent.mockClear(); initialTimestamp = response.payload.timestamp; 
@@ -312,16 +325,20 @@ describe('POST /internal/security/analytics/_record_auth_type', () => { }); const response = await routeHandler(getMockContext(), request, kibanaResponseFactory); + expect(response.status).toBe(200); + expect(response.payload).toEqual({ timestamp: initialTimestamp, signature: '46d5841ad21d29ca6c7c1c639adc6294c176c394adb0b40dfc05797cfe29218e', }); + expect(response.payload.signature).not.toEqual(initialSignature); expect(routeParamsMock.analyticsService.reportAuthenticationTypeEvent).toHaveBeenCalledTimes( 1 ); + expect(routeParamsMock.analyticsService.reportAuthenticationTypeEvent).toHaveBeenCalledWith({ authenticationProviderType: 'http', authenticationRealmType: 'native', 
@@ -329,4 +346,74 @@ describe('POST /internal/security/analytics/_record_auth_type', () => {
});
});
});
+
+ describe('logApiKeyWithInteractiveUserDeprecated', () => {
+ it('should log a deprecation warning if interactive user is using API Key', async () => {
+ const request = httpServerMock.createKibanaRequest({
+ headers: { authorization: 'ApiKey' },
+ });
+
+ const mockAuthc = authenticationServiceMock.createStart();
+
+ mockAuthc.getCurrentUser.mockReturnValue(
+ mockAuthenticatedUser({
+ authentication_provider: { type: 'http', name: '__http__' },
+ })
+ );
+
+ routeParamsMock.getAuthenticationService.mockReturnValue(mockAuthc);
+
+ const response = await routeHandler(getMockContext(), request, kibanaResponseFactory);
+
+ expect(response.status).toBe(200);
+
+ expect(routeParamsMock.analyticsService.reportAuthenticationTypeEvent).toHaveBeenCalledTimes(
+ 1
+ );
+
+ expect(routeParamsMock.analyticsService.reportAuthenticationTypeEvent).toHaveBeenCalledWith({
+ authenticationProviderType: 'http',
+ authenticationRealmType: 'native',
+ httpAuthenticationScheme: 'ApiKey',
+ });
+
+ expect(routeParamsMock.logger.warn).toHaveBeenCalledTimes(1);
+ expect(routeParamsMock.logger.warn).toBeCalledWith(
+ 'Using API Key authentication as an interactive user is deprecated and will stop working in the next major version.',
+ { tags: ['deprecation'] }
+ );
+ });
+
+ it('should not log a deprecation warning if interactive user is using API Key', async () => {
+ const request = httpServerMock.createKibanaRequest({
+ headers: { authorization: 'Basic' },
+ });
+
+ const mockAuthc = authenticationServiceMock.createStart();
+
+ mockAuthc.getCurrentUser.mockReturnValue(
+ mockAuthenticatedUser({
+ authentication_provider: { type: 'http', name: '__http__' },
+ })
+ );
+
+ routeParamsMock.getAuthenticationService.mockReturnValue(mockAuthc);
+
+ const response = await routeHandler(getMockContext(), request, kibanaResponseFactory);
+
+ expect(response.status).toBe(200);
+
+
expect(routeParamsMock.analyticsService.reportAuthenticationTypeEvent).toHaveBeenCalledTimes(
+ 1
+ );
+
+ expect(routeParamsMock.analyticsService.reportAuthenticationTypeEvent).toHaveBeenCalledWith({
+ authenticationProviderType: 'http',
+ authenticationRealmType: 'native',
+ httpAuthenticationScheme: 'Basic',
+ });
+
+ expect(routeParamsMock.logger.warn).toHaveBeenCalledTimes(0);
+ });
+ });
});
diff --git a/x-pack/plugins/security/server/routes/analytics/authentication_type.ts b/x-pack/plugins/security/server/routes/analytics/authentication_type.ts
index c3246667c1aa7..6ff12664a62bd 100644
--- a/x-pack/plugins/security/server/routes/analytics/authentication_type.ts
+++ b/x-pack/plugins/security/server/routes/analytics/authentication_type.ts
@@ -8,6 +8,7 @@
import { createHash } from 'crypto';

import { schema } from '@kbn/config-schema';
+import type { Logger } from '@kbn/logging';

import type { RouteDefinitionParams } from '..';
import type { AuthenticationTypeAnalyticsEvent } from '../../analytics';
@@ -39,12 +40,15 @@ export function defineRecordAnalyticsOnAuthTypeRoutes({
createLicensedRouteHandler(async (context, request, response) => {
try {
const authUser = getAuthenticationService().getCurrentUser(request);
+
if (!authUser) {
logger.warn('Cannot record authentication type: current user could not be retrieved.');
+
return response.noContent();
}

let timestamp = new Date().getTime();
+
const {
signature: previouslyRegisteredSignature,
timestamp: previousRegistrationTimestamp,
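Review bot: The two new tests pin only the exact spellings `'ApiKey'` and `'Basic'`, while the code under test lowercases the scheme before comparing, so the case-insensitive match a client sending `authorization: apikey …` relies on is untested; add a case with `headers: { authorization: 'apikey xxxx' }` asserting `logger.warn` is called once. There is also no test for the branch where the analytics event is not reported because the posted signature is unchanged inside the elapsed-time window, so the fact that the deprecation warning is suppressed together with the event is not documented by a test, even though the earlier tests in this file already drive that branch with a previously returned signature and timestamp. Minor: `toBeCalledWith` is the legacy Jest alias, and the same assertion block already uses `toHaveBeenCalledTimes`, so `expect(routeParamsMock.logger.warn).toHaveBeenCalledWith(` keeps the style consistent. The enclosing `describe('POST /internal/security/analytics/_record_auth_type', …)` starts outside the hunk.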
@@ -69,11 +73,17 @@ export function defineRecordAnalyticsOnAuthTypeRoutes({
.digest('hex');

const elapsedTimeInHrs = (timestamp - previousRegistrationTimestamp) / (1000 * 60 * 60);
+
if (
elapsedTimeInHrs >= MINIMUM_ELAPSED_TIME_HOURS ||
previouslyRegisteredSignature !== signature
) {
analyticsService.reportAuthenticationTypeEvent(authTypeEventToReport);
+
+ logApiKeyWithInteractiveUserDeprecated(
+ authTypeEventToReport.httpAuthenticationScheme,
+ logger
+ );
} else {
timestamp = previousRegistrationTimestamp;
}
@@ -88,3 +98,23 @@ export function defineRecordAnalyticsOnAuthTypeRoutes({
})
);
}
+
+/**
+ * API Key authentication by interactive users is deprecated, this method logs a deprecation warning
+ *
+ * @param httpAuthenticationScheme A string representing the authentication type event's scheme (ApiKey, etc.) by an interactive user
+ * @param logger A reference to the Logger to log the deprecation message
+ */
+function logApiKeyWithInteractiveUserDeprecated(
+ httpAuthenticationScheme: string = '',
+ logger: Logger
+): void {
+ const isUsingApiKey = httpAuthenticationScheme?.toLowerCase() === 'apikey';
+
+ if (isUsingApiKey) {
+ logger.warn(
+ `Using API Key authentication as an interactive user is deprecated and will not be supported in a future version`,
+ { tags: ['deprecation'] }
+ );
+ }
+}

From 59cd9966fc7dc4556dee57f42715d102ab623880 Mon Sep 17 00:00:00 2001
From: Kurt Greiner
Date: Thu, 14 Jul 2022 13:56:50 -0400
Subject: [PATCH 02/13] Fixing unit test verbiage

---
.../server/routes/analytics/authentication_type.test.ts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts b/x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts
index 34334833fe849..69a11863b1fca 100644
--- a/x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts
+++ b/x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts
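Review bot: `logApiKeyWithInteractiveUserDeprecated` is called only inside the `if (elapsedTimeInHrs >= MINIMUM_ELAPSED_TIME_HOURS || previouslyRegisteredSignature !== signature)` branch, so the deprecation warning is throttled by the analytics de-duplication rather than by any rule of its own — a browser client re-posting an unchanged signature inside the window never logs again, and retuning `MINIMUM_ELAPSED_TIME_HOURS` for telemetry reasons silently changes how often operators are warned; either hoist the call above the `if` or state the coupling in the function's JSDoc. The warning also carries no identity even though `authUser` is in scope in this handler and `authTypeEventToReport` already holds the provider and realm type, so an operator reading `{ tags: ['deprecation'] }` lines cannot tell which client needs migrating; appending at least the realm, e.g. `` `… (realm: ${authTypeEventToReport.authenticationRealmType})` ``, would make the warning actionable. In the new function, `httpAuthenticationScheme?.toLowerCase()` applies optional chaining to a parameter typed `string` with a default of `''`, so the `?.` never short-circuits and `httpAuthenticationScheme.toLowerCase() === 'apikey'` says what is meant. Nothing here verifies that the caller is interactive — that rests on this internal analytics route presumably being called only by the browser app — which belongs in the comment. The route handler containing the first hunk begins and ends outside it.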
@@ -379,7 +379,7 @@ describe('POST /internal/security/analytics/_record_auth_type', () => { expect(routeParamsMock.logger.warn).toHaveBeenCalledTimes(1); expect(routeParamsMock.logger.warn).toBeCalledWith( - 'Using API Key authentication as an interactive user is deprecated and will stop working in the next major version.', + 'Using API Key authentication as an interactive user is deprecated and will not be supported in a future version', { tags: ['deprecation'] } ); }); From 350bbfe494ba29b8dc95dadd7268d85fb7e476f4 Mon Sep 17 00:00:00 2001 From: Kurt Date: Mon, 18 Jul 2022 16:29:19 -0400 Subject: [PATCH 03/13] Update docs/user/security/authentication/index.asciidoc Co-authored-by: Larry Gregory --- docs/user/security/authentication/index.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user/security/authentication/index.asciidoc b/docs/user/security/authentication/index.asciidoc index 7c6f7d0d0e8df..cf18918447c9f 100644 --- a/docs/user/security/authentication/index.asciidoc +++ b/docs/user/security/authentication/index.asciidoc @@ -396,7 +396,7 @@ This type of authentication is usually useful for machine-to-machine interaction [IMPORTANT] ============================================================================ -Interactive users authenticating via ApiKey is deprecated and will be removed in a future version. +API Keys are intended for programmatic access to {kib} and {es}, and should not be used to authenticate access via a web browser. ============================================================================ From 242f8c2719c66ca58b8d9a7118dc83d0d6b90578 Mon Sep 17 00:00:00 2001 From: Kurt Date: Mon, 18 Jul 2022 16:29:36 -0400 Subject: [PATCH 04/13] Update docs/user/security/api-keys/index.asciidoc Co-authored-by: Larry Gregory --- docs/user/security/api-keys/index.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/user/security/api-keys/index.asciidoc b/docs/user/security/api-keys/index.asciidoc index 458a6a73bb04a..f2c102af9ef5f 100644 --- a/docs/user/security/api-keys/index.asciidoc +++ b/docs/user/security/api-keys/index.asciidoc @@ -47,7 +47,7 @@ curl --location --request GET 'http://localhost:5601/api/security/role' \ [IMPORTANT] ============================================================================ -Interactive users authenticating via ApiKey is deprecated and will be removed in a future version. +API Keys are intended for programmatic access to {kib} and {es}, and should not be used to authenticate access via a web browser. ============================================================================ [float] From 9a0a7d1c7f22c556d0a3e2c0f7404c7c7f6aa4d9 Mon Sep 17 00:00:00 2001 From: Kurt Greiner Date: Mon, 18 Jul 2022 16:34:02 -0400 Subject: [PATCH 05/13] Changing capitalization on 'keys' to avoid confusion with the UI API Keys --- docs/user/security/api-keys/index.asciidoc | 2 +- docs/user/security/authentication/index.asciidoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/user/security/api-keys/index.asciidoc b/docs/user/security/api-keys/index.asciidoc index f2c102af9ef5f..8dec4f864b549 100644 --- a/docs/user/security/api-keys/index.asciidoc +++ b/docs/user/security/api-keys/index.asciidoc @@ -47,7 +47,7 @@ curl --location --request GET 'http://localhost:5601/api/security/role' \ [IMPORTANT] ============================================================================ -API Keys are intended for programmatic access to {kib} and {es}, and should not be used to authenticate access via a web browser. +API keys are intended for programmatic access to {kib} and {es}, and should not be used to authenticate access via a web browser. ============================================================================ [float] 
diff --git a/docs/user/security/authentication/index.asciidoc b/docs/user/security/authentication/index.asciidoc index cf18918447c9f..dcdfbf2d277bb 100644 --- a/docs/user/security/authentication/index.asciidoc +++ b/docs/user/security/authentication/index.asciidoc @@ -396,7 +396,7 @@ This type of authentication is usually useful for machine-to-machine interaction [IMPORTANT] ============================================================================ -API Keys are intended for programmatic access to {kib} and {es}, and should not be used to authenticate access via a web browser. +API keys are intended for programmatic access to {kib} and {es}, and should not be used to authenticate access via a web browser. ============================================================================ From 0467550f38ccf1713d4bea99361e8e48cd79f3ef Mon Sep 17 00:00:00 2001 From: Kurt Date: Tue, 19 Jul 2022 13:50:39 -0400 Subject: [PATCH 06/13] Update docs/user/security/api-keys/index.asciidoc Co-authored-by: Larry Gregory --- docs/user/security/api-keys/index.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user/security/api-keys/index.asciidoc b/docs/user/security/api-keys/index.asciidoc index 8dec4f864b549..3011f17ee08c8 100644 --- a/docs/user/security/api-keys/index.asciidoc +++ b/docs/user/security/api-keys/index.asciidoc @@ -47,7 +47,7 @@ curl --location --request GET 'http://localhost:5601/api/security/role' \ [IMPORTANT] ============================================================================ -API keys are intended for programmatic access to {kib} and {es}, and should not be used to authenticate access via a web browser. +API keys are intended for programatic access to {kib} and {es). Do not use API keys to authenticate access via a web browser. ============================================================================ [float] From 7e489e9c1ccc7ef30b7d027eb011b5ec8ec7b280 Mon Sep 17 00:00:00 2001 
From: Kurt Date: Tue, 19 Jul 2022 13:50:49 -0400 Subject: [PATCH 07/13] Update docs/user/security/authentication/index.asciidoc Co-authored-by: Larry Gregory --- docs/user/security/authentication/index.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user/security/authentication/index.asciidoc b/docs/user/security/authentication/index.asciidoc index dcdfbf2d277bb..9b3d4b0f831f8 100644 --- a/docs/user/security/authentication/index.asciidoc +++ b/docs/user/security/authentication/index.asciidoc @@ -396,7 +396,7 @@ This type of authentication is usually useful for machine-to-machine interaction [IMPORTANT] ============================================================================ -API keys are intended for programmatic access to {kib} and {es}, and should not be used to authenticate access via a web browser. +API keys are intended for programatic access to {kib} and {es). Do not use API keys to authenticate access via a web browser. ============================================================================ From e97bb03cad7f580963d96bc2db3c69eebeb2032e Mon Sep 17 00:00:00 2001 From: Kurt Greiner Date: Tue, 19 Jul 2022 14:35:22 -0400 Subject: [PATCH 08/13] Changing the logging message and unit test descriptions based on PR review feedback --- .../server/routes/analytics/authentication_type.test.ts | 6 +++--- .../security/server/routes/analytics/authentication_type.ts | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts b/x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts index 69a11863b1fca..a08b9b8c506a3 100644 --- a/x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts +++ b/x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts 
@@ -348,7 +348,7 @@ describe('POST /internal/security/analytics/_record_auth_type', () => { }); describe('logApiKeyWithInteractiveUserDeprecated', () => { - it('should log a deprecation warning if interactive user is using API Key', async () => { + it('should log a deprecation warning if API key is being used for access via a web browser', async () => { const request = httpServerMock.createKibanaRequest({ headers: { authorization: 'ApiKey' }, }); @@ -379,12 +379,12 @@ describe('POST /internal/security/analytics/_record_auth_type', () => { expect(routeParamsMock.logger.warn).toHaveBeenCalledTimes(1); expect(routeParamsMock.logger.warn).toBeCalledWith( - 'Using API Key authentication as an interactive user is deprecated and will not be supported in a future version', + 'API keys are intended for programatic access. Do not use API keys to authenticate access via a web browser.', { tags: ['deprecation'] } ); }); - it('should not log a deprecation warning if interactive user is using API Key', async () => { + it('should not log a deprecation warning if other http auth scheme is being used for access via a web browser', async () => { const request = httpServerMock.createKibanaRequest({ headers: { authorization: 'Basic' }, }); diff --git a/x-pack/plugins/security/server/routes/analytics/authentication_type.ts b/x-pack/plugins/security/server/routes/analytics/authentication_type.ts index 6ff12664a62bd..80e0498d9601d 100644 --- a/x-pack/plugins/security/server/routes/analytics/authentication_type.ts +++ b/x-pack/plugins/security/server/routes/analytics/authentication_type.ts @@ -113,7 +113,7 @@ function logApiKeyWithInteractiveUserDeprecated( if (isUsingApiKey) { logger.warn( - `Using API Key authentication as an interactive user is deprecated and will not be supported in a future version`, + `API keys are intended for programatic access. Do not use API keys to authenticate access via a web browser.`, { tags: ['deprecation'] } ); } 
From edcfa7fa57e328e3f896690db7e9fe2cd7ddcb6b Mon Sep 17 00:00:00 2001
From: Kurt
Date: Wed, 20 Jul 2022 07:56:03 -0400
Subject: [PATCH 09/13] Update x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts

Co-authored-by: Aleh Zasypkin
---
.../server/routes/analytics/authentication_type.test.ts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts b/x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts
index a08b9b8c506a3..7c014ece1f389 100644
--- a/x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts
+++ b/x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts
@@ -350,7 +350,7 @@ describe('POST /internal/security/analytics/_record_auth_type', () => {
describe('logApiKeyWithInteractiveUserDeprecated', () => {
it('should log a deprecation warning if API key is being used for access via a web browser', async () => {
const request = httpServerMock.createKibanaRequest({
- headers: { authorization: 'ApiKey' },
+ headers: { authorization: 'ApiKey xxxx' },
});

const mockAuthc = authenticationServiceMock.createStart();
From e7493d63bae1da6182502d6d7cc8e1b2dfef4f97 Mon Sep 17 00:00:00 2001
From: Kurt
Date: Wed, 20 Jul 2022 07:56:09 -0400
Subject: [PATCH 10/13] Update x-pack/plugins/security/server/routes/analytics/authentication_type.ts

Co-authored-by: Aleh Zasypkin
---
.../security/server/routes/analytics/authentication_type.ts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugins/security/server/routes/analytics/authentication_type.ts b/x-pack/plugins/security/server/routes/analytics/authentication_type.ts
index 80e0498d9601d..c80f541506134 100644
--- a/x-pack/plugins/security/server/routes/analytics/authentication_type.ts
+++ b/x-pack/plugins/security/server/routes/analytics/authentication_type.ts
@@ -113,7 +113,7 @@ function logApiKeyWithInteractiveUserDeprecated(

if (isUsingApiKey) {
logger.warn(
- `API keys are intended for programatic access. Do not use API keys to authenticate access via a web browser.`,
+ `API keys are intended for programmatic access. Do not use API keys to authenticate access via a web browser.`,
{ tags: ['deprecation'] }
);
}

From b571d6e4894072b463ef0eba25a9220483c19acd Mon Sep 17 00:00:00 2001
From: Kurt
Date: Wed, 20 Jul 2022 07:56:17 -0400
Subject: [PATCH 11/13] Update x-pack/plugins/security/server/routes/analytics/authentication_type.ts

Co-authored-by: Aleh Zasypkin
---
.../security/server/routes/analytics/authentication_type.ts | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/x-pack/plugins/security/server/routes/analytics/authentication_type.ts b/x-pack/plugins/security/server/routes/analytics/authentication_type.ts
index c80f541506134..2d9e510736d40 100644
--- a/x-pack/plugins/security/server/routes/analytics/authentication_type.ts
+++ b/x-pack/plugins/security/server/routes/analytics/authentication_type.ts
@@ -100,10 +100,10 @@ export function defineRecordAnalyticsOnAuthTypeRoutes({
}

/**
- * API Key authentication by interactive users is deprecated, this method logs a deprecation warning
+ * API Key authentication by interactive users is deprecated, this method logs a deprecation warning.
*
- * @param httpAuthenticationScheme A string representing the authentication type event's scheme (ApiKey, etc.) by an interactive user
- * @param logger A reference to the Logger to log the deprecation message
+ * @param httpAuthenticationScheme A string representing the authentication type event's scheme (ApiKey, etc.) by an interactive user.
+ * @param logger A reference to the Logger to log the deprecation message.
*/
function logApiKeyWithInteractiveUserDeprecated(
httpAuthenticationScheme: string = '',
From 0d6e16462116e812bfe7a37b62ba913c36cebbaf Mon Sep 17 00:00:00 2001
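Review bot: The reworded JSDoc in the second hunk still describes the function as acting on "interactive users", but the body only compares a scheme string, and the `@param` line says neither that the comparison is case-insensitive nor what the `''` default means — nothing in the function establishes interactivity. Suggested header: `Logs a deprecation warning when the recorded HTTP authentication scheme is \`ApiKey\` (compared case-insensitively). Callers are assumed to be browser-originated; this function does not verify that.` For the parameter: `@param httpAuthenticationScheme Scheme recorded in the analytics event (e.g. \`ApiKey\`, \`Basic\`); \`''\` (the default) means none was recorded and nothing is logged.` The function's body continues outside the hunk.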
From: Kurt Greiner Date: Wed, 20 Jul 2022 08:03:08 -0400 Subject: [PATCH 12/13] Removing unnecessary whitespace --- .../routes/analytics/authentication_type.test.ts | 15 --------------- .../routes/analytics/authentication_type.ts | 4 ---- 2 files changed, 19 deletions(-) diff --git a/x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts b/x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts index 7c014ece1f389..a42170c934ef1 100644 --- a/x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts +++ b/x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts @@ -34,18 +34,15 @@ describe('POST /internal/security/analytics/_record_auth_type', () => { }); let routeHandler: RequestHandler; - let routeParamsMock: DeeplyMockedKeys; beforeEach(() => { routeParamsMock = routeDefinitionParamsMock.create(); - defineRecordAnalyticsOnAuthTypeRoutes(routeParamsMock); const [, recordAnalyticsOnAuthTypeRouteHandler] = routeParamsMock.router.post.mock.calls.find( ([{ path }]) => path === '/internal/security/analytics/_record_auth_type' )!; - routeHandler = recordAnalyticsOnAuthTypeRouteHandler; }); @@ -295,13 +292,11 @@ describe('POST /internal/security/analytics/_record_auth_type', () => { }); const mockAuthc = authenticationServiceMock.createStart(); - mockAuthc.getCurrentUser.mockReturnValue( mockAuthenticatedUser({ authentication_provider: { type: HTTPAuthenticationProvider.type, name: '__http__' }, }) ); - routeParamsMock.getAuthenticationService.mockReturnValue(mockAuthc); const response = await routeHandler(getMockContext(), request, kibanaResponseFactory); 
@@ -327,18 +322,14 @@ describe('POST /internal/security/analytics/_record_auth_type', () => { const response = await routeHandler(getMockContext(), request, kibanaResponseFactory); expect(response.status).toBe(200); - expect(response.payload).toEqual({ timestamp: initialTimestamp, signature: '46d5841ad21d29ca6c7c1c639adc6294c176c394adb0b40dfc05797cfe29218e', }); - expect(response.payload.signature).not.toEqual(initialSignature); - expect(routeParamsMock.analyticsService.reportAuthenticationTypeEvent).toHaveBeenCalledTimes( 1 ); - expect(routeParamsMock.analyticsService.reportAuthenticationTypeEvent).toHaveBeenCalledWith({ authenticationProviderType: 'http', authenticationRealmType: 'native', @@ -366,17 +357,14 @@ describe('POST /internal/security/analytics/_record_auth_type', () => { const response = await routeHandler(getMockContext(), request, kibanaResponseFactory); expect(response.status).toBe(200); - expect(routeParamsMock.analyticsService.reportAuthenticationTypeEvent).toHaveBeenCalledTimes( 1 ); - expect(routeParamsMock.analyticsService.reportAuthenticationTypeEvent).toHaveBeenCalledWith({ authenticationProviderType: 'http', authenticationRealmType: 'native', httpAuthenticationScheme: 'ApiKey', }); - expect(routeParamsMock.logger.warn).toHaveBeenCalledTimes(1); expect(routeParamsMock.logger.warn).toBeCalledWith( 'API keys are intended for programatic access. Do not use API keys to authenticate access via a web browser.', 
@@ -402,17 +390,14 @@ describe('POST /internal/security/analytics/_record_auth_type', () => { const response = await routeHandler(getMockContext(), request, kibanaResponseFactory); expect(response.status).toBe(200); - expect(routeParamsMock.analyticsService.reportAuthenticationTypeEvent).toHaveBeenCalledTimes( 1 ); - expect(routeParamsMock.analyticsService.reportAuthenticationTypeEvent).toHaveBeenCalledWith({ authenticationProviderType: 'http', authenticationRealmType: 'native', httpAuthenticationScheme: 'Basic', }); - expect(routeParamsMock.logger.warn).toHaveBeenCalledTimes(0); }); }); diff --git a/x-pack/plugins/security/server/routes/analytics/authentication_type.ts b/x-pack/plugins/security/server/routes/analytics/authentication_type.ts index 2d9e510736d40..f2bf76c71b1ab 100644 --- a/x-pack/plugins/security/server/routes/analytics/authentication_type.ts +++ b/x-pack/plugins/security/server/routes/analytics/authentication_type.ts @@ -40,15 +40,12 @@ export function defineRecordAnalyticsOnAuthTypeRoutes({ createLicensedRouteHandler(async (context, request, response) => { try { const authUser = getAuthenticationService().getCurrentUser(request); - if (!authUser) { logger.warn('Cannot record authentication type: current user could not be retrieved.'); - return response.noContent(); } let timestamp = new Date().getTime(); - const { signature: previouslyRegisteredSignature, timestamp: previousRegistrationTimestamp, @@ -73,7 +70,6 @@ export function defineRecordAnalyticsOnAuthTypeRoutes({ .digest('hex'); const elapsedTimeInHrs = (timestamp - previousRegistrationTimestamp) / (1000 * 60 * 60); - if ( elapsedTimeInHrs >= MINIMUM_ELAPSED_TIME_HOURS || previouslyRegisteredSignature !== signature From 1d792f95c7a65572d6920c911c2ceeaaafeaaca7 Mon Sep 17 00:00:00 2001 
From: Kurt Greiner
Date: Wed, 20 Jul 2022 09:41:12 -0400
Subject: [PATCH 13/13] Fixing spelling in unit test assertion

---
.../server/routes/analytics/authentication_type.test.ts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts b/x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts
index a42170c934ef1..5a298421815e4 100644
--- a/x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts
+++ b/x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts
@@ -367,7 +367,7 @@ describe('POST /internal/security/analytics/_record_auth_type', () => {
});
expect(routeParamsMock.logger.warn).toHaveBeenCalledTimes(1);
expect(routeParamsMock.logger.warn).toBeCalledWith(
- 'API keys are intended for programatic access. Do not use API keys to authenticate access via a web browser.',
+ 'API keys are intended for programmatic access. Do not use API keys to authenticate access via a web browser.',
{ tags: ['deprecation'] }
);
});