[Security in Core] Exposes apiKeys from core.security.authc #186910

Merged
083b1b4
[Security-in-Core]initial work for exposing api keys service in core
SiddharthMantri Jun 25, 2024
25f0509
move public security types to core-security-common
SiddharthMantri Jun 25, 2024
3c0f0c8
[CI] Auto-commit changed files from 'node scripts/lint_ts_projects --…
kibanamachine Jun 25, 2024
eb130eb
remove unused types
SiddharthMantri Jun 25, 2024
99ba029
update jest test for api keys
SiddharthMantri Jun 26, 2024
73dc2f0
remove cyclical ts deps, update tsdocs partial
SiddharthMantri Jun 26, 2024
0b13f8d
update security plugin unit test
SiddharthMantri Jun 26, 2024
d021ddd
[CI] Auto-commit changed files from 'node scripts/lint_ts_projects --…
kibanamachine Jun 26, 2024
1987f8c
fix cyclical dependency on kibana/core
SiddharthMantri Jun 26, 2024
1042962
fix formatting
SiddharthMantri Jun 26, 2024
7892ff2
update delegate api test
SiddharthMantri Jun 26, 2024
471f939
simplify api key type exports
SiddharthMantri Jun 26, 2024
5ac332d
update comments for public ts docs
SiddharthMantri Jun 26, 2024
0dfc26e
[CI] Auto-commit changed files from 'node scripts/lint_ts_projects --…
kibanamachine Jun 26, 2024
10a38b6
fix types
SiddharthMantri Jun 26, 2024
b83a4c4
Merge branch 'main' into security-in-core-api-keys
kibanamachine Jun 26, 2024
fc8af4d
remove unneeded comma
SiddharthMantri Jun 26, 2024
f8d8fae
remove unneeded comma
SiddharthMantri Jun 26, 2024
114bfc1
consolidate exported types
SiddharthMantri Jun 26, 2024
219d8f6
fix eslint type issue
SiddharthMantri Jun 26, 2024
381316a
properly await apiKeysEnabled
SiddharthMantri Jun 26, 2024
fa37f7d
move changes to core-security-server, expose update in public schema
SiddharthMantri Jun 27, 2024
2b6438e
update imports
SiddharthMantri Jun 27, 2024
a8c7795
[CI] Auto-commit changed files from 'node scripts/lint_ts_projects --…
kibanamachine Jun 27, 2024
9a21a9a
update mocks
SiddharthMantri Jun 27, 2024
11844e5
fix types
SiddharthMantri Jun 27, 2024
43c8a07
revert formatting changes for tsconfig
SiddharthMantri Jun 27, 2024
850a22a
update mocks for update fn
SiddharthMantri Jun 27, 2024
1932f53
remove unused kbn reference
SiddharthMantri Jun 27, 2024
ec18b5b
remove empty comment
SiddharthMantri Jun 27, 2024
7aa2dd3
fix import name
SiddharthMantri Jun 27, 2024
5c12825
update mocks
SiddharthMantri Jun 27, 2024
d04f88b
update default implementation to be stub
SiddharthMantri Jun 27, 2024
fb9a78f
create explicit decoupled public types, move schema back to plugin
SiddharthMantri Jun 27, 2024
54952ea
[CI] Auto-commit changed files from 'node scripts/lint_ts_projects --…
kibanamachine Jun 27, 2024
50c100f
remove typeguards
SiddharthMantri Jun 27, 2024
6b1235e
fix types, update context to expose only contract we need
SiddharthMantri Jun 28, 2024
087db06
add reject when api disabled
SiddharthMantri Jun 28, 2024
06d897d
[CI] Auto-commit changed files from 'node scripts/lint_ts_projects --…
kibanamachine Jun 28, 2024
b079606
Update api_keys_context.ts
SiddharthMantri Jun 28, 2024
51b5177
Update api_keys.ts
SiddharthMantri Jun 28, 2024
7b2c26f
revert changes to api keys class constructor
SiddharthMantri Jun 28, 2024
caddc90
update type guard to use correct key
SiddharthMantri Jun 28, 2024
2f1915e
Merge branch 'main' into security-in-core-api-keys
SiddharthMantri Jun 28, 2024
7435d87
[CI] Auto-commit changed files from 'node scripts/eslint --no-cache -…
kibanamachine Jun 28, 2024
8fb77d3
Merge branch 'main' into security-in-core-api-keys
kibanamachine Jun 29, 2024
df6e945
[CI] Auto-commit changed files from 'node scripts/lint_ts_projects --…
kibanamachine Jun 29, 2024
1faeaa4
use arrow functions instead of bind
SiddharthMantri Jul 2, 2024
6c85ea3
Merge branch 'main' into security-in-core-api-keys
SiddharthMantri Jul 4, 2024
b65a666
Merge branch 'main' into security-in-core-api-keys
elasticmachine Jul 9, 2024
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,26 @@ export class CoreSecurityRouteHandlerContext implements SecurityRequestHandlerCo
if (this.#authc == null) {
this.#authc = {
getCurrentUser: () => this.securityStart.authc.getCurrentUser(this.request),
apiKeys: {
areAPIKeysEnabled: this.securityStart.authc.apiKeys.areAPIKeysEnabled.bind(
Contributor

nit: we can use arrow function instead of bind, like getCurrentUser

Contributor Author

Good idea! Addressed in 1faeaa4

this.securityStart.authc.apiKeys
),
create: this.securityStart.authc.apiKeys.create.bind(
this.securityStart.authc.apiKeys,
this.request
),
update: this.securityStart.authc.apiKeys.update.bind(
this.securityStart.authc.apiKeys,
this.request
),
validate: this.securityStart.authc.apiKeys.validate.bind(
this.securityStart.authc.apiKeys
),
invalidate: this.securityStart.authc.apiKeys.invalidate.bind(
this.securityStart.authc.apiKeys,
this.request
),
},
};
}
return this.#authc;
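Review bot: `areAPIKeysEnabled` and `validate` in the new `apiKeys` block are bound without `this.request`, unlike `create`, `update` and `invalidate`, so they are not request-scoped even though they are reached through the request handler context. If that is intended because they take no request, add a short comment saying so. The block also exposes only five methods and omits the `*AsInternalUser` ones that appear elsewhere in this PR; a one-line comment stating that the omission is deliberate would stop someone adding them later for symmetry.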
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,16 @@ describe('convertSecurityApi', () => {
const source: CoreSecurityDelegateContract = {
authc: {
getCurrentUser: jest.fn(),
apiKeys: {
areAPIKeysEnabled: jest.fn(),
areCrossClusterAPIKeysEnabled: jest.fn(),
validate: jest.fn(),
invalidate: jest.fn(),
invalidateAsInternalUser: jest.fn(),
grantAsInternalUser: jest.fn(),
create: jest.fn(),
update: jest.fn(),
},
},
audit: {
asScoped: jest.fn().mockReturnValue(createAuditLoggerMock.create()),
Expand All @@ -23,6 +33,7 @@ describe('convertSecurityApi', () => {
};
const output = convertSecurityApi(source);
expect(output.authc.getCurrentUser).toBe(source.authc.getCurrentUser);
expect(output.authc.apiKeys).toBe(source.authc.apiKeys);
expect(output.audit.asScoped).toBe(source.audit.asScoped);
expect(output.audit.withoutRequest).toBe(source.audit.withoutRequest);
});
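Review bot: `expect(output.authc.apiKeys).toBe(source.authc.apiKeys)` only proves that `convertSecurityApi` hands the delegate's object through by reference, so every method on the fixture in the preceding hunk, including `grantAsInternalUser` and `invalidateAsInternalUser`, reaches the converted contract unwrapped. Add a comment in the test that the pass-through is intended, so a later change that wraps or filters `apiKeys` has to update this expectation deliberately.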
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,15 @@ describe('getDefaultSecurityImplementation', () => {
});
});

describe('authc.apiKeys', () => {
it('returns stub object', async () => {
const { apiKeys } = implementation.authc;
const areAPIKeysEnabled = await apiKeys.areAPIKeysEnabled();

expect(areAPIKeysEnabled).toBe(false);
});
});

describe('audit.asScoped', () => {
it('returns null', async () => {
const logger = implementation.audit.asScoped({} as any);
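Review bot: The new `authc.apiKeys` test checks only that `areAPIKeysEnabled()` resolves to `false`; nothing asserts that the other stub methods reject, which is the behaviour that matters when no security implementation is registered. Add `await expect(apiKeys.create(...)).rejects.toThrow('API keys are disabled')` style expectations for `create`, `update`, `validate`, `invalidate` and the `*AsInternalUser` methods, cover `areCrossClusterAPIKeysEnabled()`, and rename 'returns stub object' to describe what is asserted.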
Original file line number Diff line number Diff line change
Expand Up @@ -8,10 +8,23 @@

import type { CoreSecurityDelegateContract } from '@kbn/core-security-server';

const API_KEYS_DISABLED_ERROR = new Error('API keys are disabled');
const REJECT_WHEN_API_KEYS_DISABLED = () => Promise.reject(API_KEYS_DISABLED_ERROR);

export const getDefaultSecurityImplementation = (): CoreSecurityDelegateContract => {
return {
authc: {
getCurrentUser: () => null,
apiKeys: {
areAPIKeysEnabled: () => Promise.resolve(false),
areCrossClusterAPIKeysEnabled: () => Promise.resolve(false),
create: REJECT_WHEN_API_KEYS_DISABLED,
update: REJECT_WHEN_API_KEYS_DISABLED,
grantAsInternalUser: REJECT_WHEN_API_KEYS_DISABLED,
validate: REJECT_WHEN_API_KEYS_DISABLED,
invalidate: REJECT_WHEN_API_KEYS_DISABLED,
invalidateAsInternalUser: REJECT_WHEN_API_KEYS_DISABLED,
},
},
audit: {
asScoped: () => {
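Review bot: `API_KEYS_DISABLED_ERROR` is constructed once at module load and the same instance is rejected by every stub method, so its stack trace points at module initialisation rather than at the failing call, and any consumer that mutates the error changes it for all later rejections. Build the error inside the helper instead, for example `const REJECT_WHEN_API_KEYS_DISABLED = () => Promise.reject(new Error('API keys are disabled'));`, and drop the shared constant.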
Original file line number Diff line number Diff line change
Expand Up @@ -9,3 +9,4 @@
export { securityServiceMock } from './src/security_service.mock';
export type { InternalSecurityStartMock, SecurityStartMock } from './src/security_service.mock';
export { auditLoggerMock } from './src/audit.mock';
export { apiKeysMock } from './src/api_keys.mock';
Original file line number Diff line number Diff line change
@@ -1,16 +1,15 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
* 2.0 and the Server Side Public License, v 1; you may not use this file except
* in compliance with, at your election, the Elastic License 2.0 or the Server
* Side Public License, v 1.
*/

import type { PublicMethodsOf } from '@kbn/utility-types';

import type { APIKeys } from './api_keys';
import type { APIKeysService } from '@kbn/core-security-server';

export const apiKeysMock = {
create: (): jest.Mocked<PublicMethodsOf<APIKeys>> => ({
create: (): jest.MockedObjectDeep<APIKeysService> => ({
areAPIKeysEnabled: jest.fn(),
areCrossClusterAPIKeysEnabled: jest.fn(),
create: jest.fn(),
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ import type {
InternalSecurityServiceSetup,
InternalSecurityServiceStart,
} from '@kbn/core-security-server-internal';
import { apiKeysMock } from './api_keys.mock';
import { auditServiceMock, type MockedAuditService } from './audit.mock';

const createSetupMock = () => {
Expand All @@ -33,6 +34,7 @@ const createStartMock = (): SecurityStartMock => {
const mock = {
authc: {
getCurrentUser: jest.fn(),
apiKeys: apiKeysMock.create(),
},
audit: auditServiceMock.create(),
};
Expand All @@ -58,6 +60,7 @@ const createInternalStartMock = (): InternalSecurityStartMock => {
const mock = {
authc: {
getCurrentUser: jest.fn(),
apiKeys: apiKeysMock.create(),
},
audit: auditServiceMock.create(),
};
Expand All @@ -79,6 +82,13 @@ const createRequestHandlerContextMock = () => {
const mock: jest.MockedObjectDeep<SecurityRequestHandlerContext> = {
authc: {
getCurrentUser: jest.fn(),
apiKeys: {
areAPIKeysEnabled: jest.fn(),
create: jest.fn(),
update: jest.fn(),
validate: jest.fn(),
invalidate: jest.fn(),
},
},
audit: {
logger: {
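Review bot: In `createRequestHandlerContextMock` the five `apiKeys` methods are written out by hand, while `createStartMock` and `createInternalStartMock` in the hunks above use `apiKeysMock.create()`. Since the request-scoped surface is a subset, consider adding a second factory to `apiKeysMock` for the context shape and using it here, so the list of request-scoped methods lives in one place in the mocks package.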
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,6 @@
"kbn_references": [
"@kbn/core-security-server",
"@kbn/core-security-server-internal",
"@kbn/core-http-server",
"@kbn/core-http-server"
]
}
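Review bot: The only difference in this hunk is the trailing comma on the last `kbn_references` entry, `"@kbn/core-http-server"`. That is a formatting-only change unrelated to exposing API keys; drop it from the PR so the tsconfig shows no diff.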
22 changes: 22 additions & 0 deletions packages/core/security/core-security-server/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -26,3 +26,25 @@ export type {
AuditRequest,
} from './src/audit_logging/audit_events';
export type { AuditLogger } from './src/audit_logging/audit_logger';

export type {
APIKeysServiceWithContext,
APIKeysService,
CreateAPIKeyParams,
CreateAPIKeyResult,
InvalidateAPIKeyResult,
InvalidateAPIKeysParams,
ValidateAPIKeyParams,
CreateRestAPIKeyParams,
CreateRestAPIKeyWithKibanaPrivilegesParams,
CreateCrossClusterAPIKeyParams,
GrantAPIKeyResult,
UpdateAPIKeyParams,
UpdateAPIKeyResult,
UpdateCrossClusterAPIKeyParams,
UpdateRestAPIKeyParams,
UpdateRestAPIKeyWithKibanaPrivilegesParams,
} from './src/authentication/api_keys';

export type { KibanaPrivilegesType, ElasticsearchPrivilegesType } from './src/roles';
export { isCreateRestAPIKeyParams } from './src/authentication/api_keys';
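Review bot: `export { isCreateRestAPIKeyParams }` on the last line is a runtime value export, while every other export visible in this file is `export type`. Confirm the package is meant to ship runtime code, and document the guard if so. Both the type list and the guard come from `'./src/authentication/api_keys'`, so they could be exported from one statement using inline `type` modifiers.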
2 changes: 2 additions & 0 deletions packages/core/security/core-security-server/src/authc.ts
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@

import type { KibanaRequest } from '@kbn/core-http-server';
import type { AuthenticatedUser } from '@kbn/core-security-common';
import type { APIKeysService } from './authentication/api_keys';

/**
* Core's authentication service
Expand All @@ -22,4 +23,5 @@ export interface CoreAuthenticationService {
* @param request The request to retrieve the authenticated user for.
*/
getCurrentUser(request: KibanaRequest): AuthenticatedUser | null;
apiKeys: APIKeysService;
}
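Review bot: `apiKeys: APIKeysService;` is added to `CoreAuthenticationService` with no TSDoc, while `getCurrentUser` directly above it has a description and a `@param`. Since this is a public core contract, add a doc comment stating what the service does and that its methods reject when API keys are disabled.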