Prepare the Security domain HTTP APIs for Serverless

config/serverless.yml

@@ -77,3 +77,6 @@ console.autocompleteDefinitions.endpointsAvailability: serverless
 
 # Allow authentication via the Elasticsearch JWT realm with the `shared_secret` client authentication type.
 elasticsearch.requestHeadersWhitelist: ["authorization", "es-client-authentication"]
+
+# FOR LOCAL TESTING - AWAITING MERGE OF https://github.com/elastic/kibana/pull/162149
+server.restrictInternalApis: true

x-pack/plugins/encrypted_saved_objects/server/plugin.ts

@@ -95,19 +95,21 @@ export class EncryptedSavedObjectsPlugin
       getStartServices: core.getStartServices,
     });
 
-    defineRoutes({
-      router: core.http.createRouter(),
-      logger: this.initializerContext.logger.get('routes'),
-      encryptionKeyRotationService: Object.freeze(
-        new EncryptionKeyRotationService({
-          logger: this.logger.get('key-rotation-service'),
-          service,
-          getStartServices: core.getStartServices,
-          security: deps.security,
-        })
-      ),
-      config,
-    });
+    if (this.initializerContext.env.packageInfo.buildFlavor !== 'serverless') {
+      defineRoutes({
+        router: core.http.createRouter(),
+        logger: this.initializerContext.logger.get('routes'),
+        encryptionKeyRotationService: Object.freeze(
+          new EncryptionKeyRotationService({
+            logger: this.logger.get('key-rotation-service'),
+            service,
+            getStartServices: core.getStartServices,
+            security: deps.security,
+          })
+        ),
+        config,
+      });
+    }
 
     return {
       canEncrypt,

x-pack/plugins/security/server/plugin.ts

@@ -359,6 +359,7 @@ export class SecurityPlugin
       getAnonymousAccessService: this.getAnonymousAccess,
       getUserProfileService: this.getUserProfileService,
       analyticsService: this.analyticsService.setup({ analytics: core.analytics }),
+      buildFlavor: this.initializerContext.env.packageInfo.buildFlavor,
     });
 
     return Object.freeze<SecurityPluginSetup>({

x-pack/plugins/security/server/routes/authentication/common.ts

@@ -32,9 +32,14 @@ export function defineCommonRoutes({
   basePath,
   license,
   logger,
+  buildFlavor,
 }: RouteDefinitionParams) {
   // Generate two identical routes with new and deprecated URL and issue a warning if route with deprecated URL is ever used.
-  for (const path of ['/api/security/logout', '/api/security/v1/logout']) {
+  // For a serverless build, do not register deprecated versioned routes
+  for (const path of [
+    '/api/security/logout',
+    ...(buildFlavor !== 'serverless' ? ['/api/security/v1/logout'] : []),
+  ]) {
     router.get(
       {
         path,
@@ -79,7 +84,11 @@ export function defineCommonRoutes({
   }
 
   // Generate two identical routes with new and deprecated URL and issue a warning if route with deprecated URL is ever used.
-  for (const path of ['/internal/security/me', '/api/security/v1/me']) {
+  // For a serverless build, do not register deprecated versioned routes
+  for (const path of [
+    '/internal/security/me',
+    ...(buildFlavor !== 'serverless' ? ['/api/security/v1/me'] : []),
+  ]) {
     router.get(
       { path, validate: false },
       createLicensedRouteHandler((context, request, response) => {
@@ -123,66 +132,68 @@ export function defineCommonRoutes({
     return undefined;
   }
 
-  router.post(
-    {
-      path: '/internal/security/login',
-      validate: {
-        body: schema.object({
-          providerType: schema.string(),
-          providerName: schema.string(),
-          currentURL: schema.string(),
-          params: schema.conditional(
-            schema.siblingRef('providerType'),
-            schema.oneOf([
-              schema.literal(BasicAuthenticationProvider.type),
-              schema.literal(TokenAuthenticationProvider.type),
-            ]),
-            basicParamsSchema,
-            schema.never()
-          ),
-        }),
+  if (buildFlavor !== 'serverless') {
+    router.post(
+      {
+        path: '/internal/security/login',
+        validate: {
+          body: schema.object({
+            providerType: schema.string(),
+            providerName: schema.string(),
+            currentURL: schema.string(),
+            params: schema.conditional(
+              schema.siblingRef('providerType'),
+              schema.oneOf([
+                schema.literal(BasicAuthenticationProvider.type),
+                schema.literal(TokenAuthenticationProvider.type),
+              ]),
+              basicParamsSchema,
+              schema.never()
+            ),
+          }),
+        },
+        options: { authRequired: false },
       },
-      options: { authRequired: false },
-    },
-    createLicensedRouteHandler(async (context, request, response) => {
-      const { providerType, providerName, currentURL, params } = request.body;
-      logger.info(`Logging in with provider "${providerName}" (${providerType})`);
-
-      const redirectURL = parseNext(currentURL, basePath.serverBasePath);
-      const authenticationResult = await getAuthenticationService().login(request, {
-        provider: { name: providerName },
-        redirectURL,
-        value: getLoginAttemptForProviderType(providerType, redirectURL, params),
-      });
-
-      if (authenticationResult.redirected() || authenticationResult.succeeded()) {
-        return response.ok({
-          body: { location: authenticationResult.redirectURL || redirectURL },
-          headers: authenticationResult.authResponseHeaders,
+      createLicensedRouteHandler(async (context, request, response) => {
+        const { providerType, providerName, currentURL, params } = request.body;
+        logger.info(`Logging in with provider "${providerName}" (${providerType})`);
+
+        const redirectURL = parseNext(currentURL, basePath.serverBasePath);
+        const authenticationResult = await getAuthenticationService().login(request, {
+          provider: { name: providerName },
+          redirectURL,
+          value: getLoginAttemptForProviderType(providerType, redirectURL, params),
         });
-      }
 
-      return response.unauthorized({
-        body: authenticationResult.error,
-        headers: authenticationResult.authResponseHeaders,
-      });
-    })
-  );
-
-  router.post(
-    { path: '/internal/security/access_agreement/acknowledge', validate: false },
-    createLicensedRouteHandler(async (context, request, response) => {
-      // If license doesn't allow access agreement we shouldn't handle request.
-      if (!license.getFeatures().allowAccessAgreement) {
-        logger.warn(`Attempted to acknowledge access agreement when license doesn't allow it.`);
-        return response.forbidden({
-          body: { message: `Current license doesn't support access agreement.` },
+        if (authenticationResult.redirected() || authenticationResult.succeeded()) {
+          return response.ok({
+            body: { location: authenticationResult.redirectURL || redirectURL },
+            headers: authenticationResult.authResponseHeaders,
+          });
+        }
+
+        return response.unauthorized({
+          body: authenticationResult.error,
+          headers: authenticationResult.authResponseHeaders,
         });
-      }
+      })
+    );
+
+    router.post(
+      { path: '/internal/security/access_agreement/acknowledge', validate: false },
+      createLicensedRouteHandler(async (context, request, response) => {
+        // If license doesn't allow access agreement we shouldn't handle request.
+        if (!license.getFeatures().allowAccessAgreement) {
+          logger.warn(`Attempted to acknowledge access agreement when license doesn't allow it.`);
+          return response.forbidden({
+            body: { message: `Current license doesn't support access agreement.` },
+          });
+        }
 
-      await getAuthenticationService().acknowledgeAccessAgreement(request);
+        await getAuthenticationService().acknowledgeAccessAgreement(request);
 
-      return response.noContent();
-    })
-  );
+        return response.noContent();
+      })
+    );
+  }
 }

x-pack/plugins/security/server/routes/authentication/index.ts

@@ -17,7 +17,10 @@ export function defineAuthenticationRoutes(params: RouteDefinitionParams) {
     defineSAMLRoutes(params);
   }
 
-  if (params.config.authc.sortedProviders.some(({ type }) => type === 'oidc')) {
+  if (
+    params.buildFlavor !== 'serverless' &&
+    params.config.authc.sortedProviders.some(({ type }) => type === 'oidc')
+  ) {
     defineOIDCRoutes(params);
   }
 }

x-pack/plugins/security/server/routes/authentication/saml.ts

@@ -19,9 +19,14 @@ export function defineSAMLRoutes({
   getAuthenticationService,
   basePath,
   logger,
+  buildFlavor,
 }: RouteDefinitionParams) {
   // Generate two identical routes with new and deprecated URL and issue a warning if route with deprecated URL is ever used.
-  for (const path of ['/api/security/saml/callback', '/api/security/v1/saml']) {
+  // For a serverless build, do not register deprecated versioned routes
+  for (const path of [
+    '/api/security/saml/callback',
+    ...(buildFlavor !== 'serverless' ? ['/api/security/v1/saml'] : []),
+  ]) {
     router.post(
       {
         path,

x-pack/plugins/security/server/routes/index.ts

@@ -7,6 +7,7 @@
 
 import type { Observable } from 'rxjs';
 
+import type { BuildFlavor } from '@kbn/config/src/types';
 import type { HttpResources, IBasePath, Logger } from '@kbn/core/server';
 import type { KibanaFeature } from '@kbn/features-plugin/server';
 import type { PublicMethodsOf } from '@kbn/utility-types';
@@ -54,20 +55,24 @@ export interface RouteDefinitionParams {
   getUserProfileService: () => UserProfileServiceStartInternal;
   getAnonymousAccessService: () => AnonymousAccessServiceStart;
   analyticsService: AnalyticsServiceSetup;
+  buildFlavor: BuildFlavor;
 }
 
 export function defineRoutes(params: RouteDefinitionParams) {
+  defineAnalyticsRoutes(params);
+  defineApiKeysRoutes(params);
   defineAuthenticationRoutes(params);
-  defineAuthorizationRoutes(params);
   defineSessionManagementRoutes(params);
-  defineApiKeysRoutes(params);
-  defineIndicesRoutes(params);
-  defineUsersRoutes(params);
-  defineUserProfileRoutes(params);
-  defineRoleMappingRoutes(params);
   defineViewRoutes(params);
-  defineDeprecationsRoutes(params);
-  defineAnonymousAccessRoutes(params);
-  defineSecurityCheckupGetStateRoutes(params);
-  defineAnalyticsRoutes(params);
+
+  if (params.buildFlavor !== 'serverless') {
+    defineAnonymousAccessRoutes(params);
+    defineAuthorizationRoutes(params);
+    defineDeprecationsRoutes(params);
+    defineIndicesRoutes(params);
+    defineRoleMappingRoutes(params);
+    defineSecurityCheckupGetStateRoutes(params);
+    defineUserProfileRoutes(params);
+    defineUsersRoutes(params);
+  }
 }

x-pack/plugins/security/server/routes/session_management/index.ts

@@ -13,5 +13,8 @@ import { defineInvalidateSessionsRoutes } from './invalidate';
 export function defineSessionManagementRoutes(params: RouteDefinitionParams) {
   defineSessionInfoRoutes(params);
   defineSessionExtendRoutes(params);
-  defineInvalidateSessionsRoutes(params);
+
+  if (params.buildFlavor !== 'serverless') {
+    defineInvalidateSessionsRoutes(params);
+  }
 }

x-pack/plugins/security/server/routes/views/index.test.ts

@@ -19,12 +19,12 @@ describe('View routes', () => {
     expect(routeParamsMock.httpResources.register.mock.calls.map(([{ path }]) => path))
       .toMatchInlineSnapshot(`
       Array [
-        "/security/access_agreement",
         "/security/account",
+        "/internal/security/capture-url",
         "/security/logged_out",
         "/logout",
         "/security/overwritten_session",
-        "/internal/security/capture-url",
+        "/security/access_agreement",
       ]
     `);
     expect(routeParamsMock.router.get.mock.calls.map(([{ path }]) => path)).toMatchInlineSnapshot(`
@@ -44,19 +44,19 @@ describe('View routes', () => {
     expect(routeParamsMock.httpResources.register.mock.calls.map(([{ path }]) => path))
       .toMatchInlineSnapshot(`
       Array [
-        "/login",
-        "/security/access_agreement",
         "/security/account",
+        "/internal/security/capture-url",
         "/security/logged_out",
         "/logout",
         "/security/overwritten_session",
-        "/internal/security/capture-url",
+        "/security/access_agreement",
+        "/login",
       ]
     `);
     expect(routeParamsMock.router.get.mock.calls.map(([{ path }]) => path)).toMatchInlineSnapshot(`
       Array [
-        "/internal/security/login_state",
         "/internal/security/access_agreement/state",
+        "/internal/security/login_state",
       ]
     `);
   });
@@ -71,19 +71,19 @@ describe('View routes', () => {
     expect(routeParamsMock.httpResources.register.mock.calls.map(([{ path }]) => path))
       .toMatchInlineSnapshot(`
       Array [
-        "/login",
-        "/security/access_agreement",
         "/security/account",
+        "/internal/security/capture-url",
         "/security/logged_out",
         "/logout",
         "/security/overwritten_session",
-        "/internal/security/capture-url",
+        "/security/access_agreement",
+        "/login",
       ]
     `);
     expect(routeParamsMock.router.get.mock.calls.map(([{ path }]) => path)).toMatchInlineSnapshot(`
       Array [
-        "/internal/security/login_state",
         "/internal/security/access_agreement/state",
+        "/internal/security/login_state",
       ]
     `);
   });
@@ -98,19 +98,19 @@ describe('View routes', () => {
     expect(routeParamsMock.httpResources.register.mock.calls.map(([{ path }]) => path))
       .toMatchInlineSnapshot(`
       Array [
-        "/login",
-        "/security/access_agreement",
         "/security/account",
+        "/internal/security/capture-url",
         "/security/logged_out",
         "/logout",
         "/security/overwritten_session",
-        "/internal/security/capture-url",
+        "/security/access_agreement",
+        "/login",
       ]
     `);
     expect(routeParamsMock.router.get.mock.calls.map(([{ path }]) => path)).toMatchInlineSnapshot(`
       Array [
-        "/internal/security/login_state",
         "/internal/security/access_agreement/state",
+        "/internal/security/login_state",
       ]
     `);
   });