Sets logout and saml callback APIs as public in serverless #162523
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…nternal headers for spaces API tests.
jeramysoucy
added
Team:Security
jeramysoucy
changed the title
💚 Build Succeeded
Metrics [docs]
To update your PR or re-run it, just comment with: |
|
Pinging @elastic/kibana-security (Team:Security) |
azasypkin
approved these changes
Jul 26, 2023
| @@ -54,6 +54,7 @@ describe('SAML authentication routes', () => { | |||
|
|
|||
| it('correctly defines route.', () => { | |||
| expect(routeConfig.options).toEqual({ | |||
| access: 'public', | |||
There was a problem hiding this comment.
note: not for this PR, just thinking aloud, we'll definitely need to have some SAML tests in the serverless test suite as it's the only way to authenticated to Kibana there.
ThomThomson
pushed a commit
to ThomThomson/kibana
that referenced
this pull request
Aug 1, 2023
…62523) Subset of elastic#161337 Unblocks elastic#162149 ## Summary This PR uses the access 'public' option when registering the `GET /api/security/logout` and `POST /api/security/saml/callback` APIs. This will ensure they have public access in serverless, while all other APIs will default to internal. PR elastic#161672 changes default access of registered endpoints to 'internal', meaning that API owners have to explicitly set access: public to pass the API protection restriction. This PR also adds internal headers to the existing serverless Spaces API tests. This unblocks the PR to enable API protection in serverless (elastic#162149). --------- Co-authored-by: kibanamachine <[email protected]>
azasypkin
added a commit
that referenced
this pull request
Aug 23, 2023
Closes #161337 ## Summary Uses build flavor(see #161930) to disable specific Kibana security, spaces, and encrypted saved objects HTTP API routes in serverless (see details in #161337). HTTP APIs that will be public in serverless have been handled in #162523. **IMPORTANT: This PR leaves login, user, and role routes enabled. The primary reason for this is due to several testing mechanisms that rely on basic authentication and custom roles (UI, Cypress). These tests will be modified to use SAML authentication and serverless roles in the immediate future. Once this occurs, we will disable these routes.** ### Testing This PR also implements testing API access in serverless. - The testing strategy for disabled routes in serverless is to verify a `404 not found `response. - The testing strategy for internal access routes in serverless is to verify that without the internal request header (`x-elastic-internal-origin`), a `400 bad request response` is received, then verify that with the internal request header, a `200 ok response` is received. - The strategy for public routes in serverless is to verify a `200 ok` or `203 redirect` is received. ~~blocked by #161930~~ ~~blocked by #162149 for test implementation~~ --------- Co-authored-by: kibanamachine <[email protected]> Co-authored-by: Aleh Zasypkin <[email protected]> Co-authored-by: Aleh Zasypkin <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Subset of #161337
Unblocks #162149
Summary
This PR uses the access 'public' option when registering the
GET /api/security/logoutandPOST /api/security/saml/callbackAPIs. This will ensure they have public access in serverless, while all other APIs will default to internal. PR #161672 changes default access of registered endpoints to 'internal', meaning that API owners have to explicitly set access: public to pass the API protection restriction.This PR also adds internal headers to the existing serverless Spaces API tests. This unblocks the PR to enable API protection in serverless (#162149).