[Alerting] Secret Service

src/legacy/server/kbn_server.js

@@ -43,6 +43,7 @@ import { serverExtensionsMixin } from './server_extensions';
 import { uiMixin } from '../ui';
 import { sassMixin } from './sass';
 import { i18nMixin } from './i18n';
+import { keystoreMixin } from './keystore';
 
 const rootDir = fromRoot('.');
 
@@ -88,6 +89,7 @@ export default class KbnServer {
       warningsMixin,
       usageMixin,
       statusMixin,
+      keystoreMixin,
 
       // writes pid file
       pidMixin,

src/legacy/server/keystore/index.js

@@ -18,3 +18,4 @@
  */
 
 export { Keystore } from './keystore';
+export { keystoreMixin } from './keystore_mixin';

src/legacy/server/keystore/keystore.js

@@ -116,6 +116,10 @@ export class Keystore {
     return this.keys().indexOf(key) > -1;
   }
 
+  get(key) {
+    return this.data[key];
+  }
+
   add(key, value) {
     this.data[key] = value;
   }

src/legacy/server/keystore/keystore.test.js

@@ -150,6 +150,21 @@ describe('Keystore', () => {
     });
   });
 
+  describe('get', () => {
+    it('gets a value by key', () => {
+      const keystore = new Keystore('/data/unprotected.keystore');
+      expect(keystore.get('a2')).toEqual('bar');
+      keystore.add('foo', 'baz');
+      expect(keystore.get('foo')).toEqual('baz');
+    });
+
+    it('gets a value that has been added', () => {
+      const keystore = new Keystore('/data/unprotected.keystore');
+      keystore.add('foo', 'baz');
+      expect(keystore.get('foo')).toEqual('baz');
+    });
+  });
+
   describe('add', () => {
     it('adds a key/value pair', () => {
       const keystore = new Keystore('/data/unprotected.keystore');

src/legacy/server/keystore/keystore_mixin.js

@@ -0,0 +1,24 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { Keystore } from './keystore';
+
+export function keystoreMixin(_, server) {
+  server.decorate('server', 'Keystore', Keystore);
+}

src/legacy/server/saved_objects/migrations/kibana/kibana_migrator.ts

@@ -74,9 +74,6 @@ export class KibanaMigrator {
   public awaitMigration = once(async () => {
     const { server } = this.kbnServer;
 
-    // Wait until the plugins have been found an initialized...
-    await this.kbnServer.ready();
-
     // We can't do anything if the elasticsearch plugin has been disabled.
     if (!server.plugins.elasticsearch) {
       server.log(

src/legacy/server/saved_objects/service/lib/repository.js

@@ -48,6 +48,7 @@ export class SavedObjectsRepository {
     //
     // The migrator performs double-duty, and validates the documents prior
     // to returning them.
+    this.errors = errors;
     this._migrator = migrator;
     this._index = index;
     this._mappings = mappings;

x-pack/index.js

@@ -36,6 +36,7 @@ import { crossClusterReplication } from './plugins/cross_cluster_replication';
 import { translations } from './plugins/translations';
 import { upgradeAssistant } from './plugins/upgrade_assistant';
 import { uptime } from './plugins/uptime';
+import { secretService } from './plugins/secret_service';
 import { ossTelemetry } from './plugins/oss_telemetry';
 
 module.exports = function (kibana) {
@@ -72,6 +73,7 @@ module.exports = function (kibana) {
     translations(kibana),
     upgradeAssistant(kibana),
     uptime(kibana),
+    secretService(kibana),
     ossTelemetry(kibana),
   ];
 };

x-pack/package.json

@@ -52,6 +52,7 @@
     "@types/jsonwebtoken": "^7.2.7",
     "@types/lodash": "^3.10.1",
     "@types/mocha": "^5.2.6",
+    "@types/object-hash": "^1.2.0",
     "@types/pngjs": "^3.3.1",
     "@types/prop-types": "^15.5.3",
     "@types/react": "^16.8.0",
@@ -226,6 +227,7 @@
     "ngreact": "^0.5.1",
     "node-fetch": "^2.1.2",
     "nodemailer": "^4.6.4",
+    "object-hash": "^1.3.1",
     "object-path-immutable": "^0.5.3",
     "oppsy": "^2.0.0",
     "papaparse": "^4.6.0",

x-pack/plugins/secret_service/index.test.ts

@@ -0,0 +1,75 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { secretService } from './';
+import { Keystore, PluginSpec } from './mocks';
+
+describe('The SecretService', function TestSecretService() {
+  const mockKbn = {
+    Plugin: PluginSpec,
+  };
+  const subject = secretService(mockKbn);
+
+  beforeAll(() => {
+    expect(subject).not.toBeNull();
+    mockKbn.Plugin = jest.fn();
+  });
+
+  it('should expose itself to other plugins', () => {
+    expect(subject).not.toBeNull();
+  });
+
+  it('should expose a method to encrypt data', async () => {
+    const stubConfigGet = jest.fn();
+    let secret: string;
+    const core = {
+      expose: jest.fn(),
+      log: jest.fn(),
+      savedObjects: {
+        addScopedSavedObjectsClientWrapperFactory: jest.fn(),
+        getSavedObjectsRepository: jest.fn(() => {
+          return {
+            create: jest.fn((type, attributes, { id }) => {
+              secret = attributes.secret;
+              return {
+                id,
+                type,
+                attributes,
+              };
+            }),
+            get: jest.fn((type, id) => {
+              return {
+                id,
+                type,
+                attributes: {
+                  secret,
+                },
+              };
+            }),
+          };
+        }),
+      },
+      config: () => {
+        return {
+          get: stubConfigGet,
+        };
+      },
+      Keystore,
+      plugins: {
+        elasticsearch: {
+          getCluster: () => {
+            return { callWithInternalUser: jest.fn() };
+          },
+        },
+      },
+    };
+    stubConfigGet.mockReturnValueOnce('test-kibana-keystore');
+    stubConfigGet.mockReturnValueOnce(false);
+    stubConfigGet.mockReturnValue('bogusencryptionkey');
+    await subject.init(core);
+    expect(core.expose).toHaveBeenCalledWith('secretService', expect.any(Object));
+  });
+});

x-pack/plugins/secret_service/index.ts

@@ -0,0 +1,80 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import crypto from 'crypto';
+import { join, resolve } from 'path';
+// @ts-ignore
+import { AuditLogger } from '../../server/lib/audit_logger';
+import mappings from './mappings.json';
+import { SecretService } from './server';
+
+export const secretService = (kibana: any) => {
+  return new kibana.Plugin({
+    id: 'SecretService',
+    require: ['kibana', 'elasticsearch', 'xpack_main'],
+    configPrefix: 'xpack.secret_service',
+    publicDir: resolve(__dirname, 'public'),
+    uiExports: {
+      mappings,
+      savedObjectSchemas: {
+        secret: {
+          hidden: true,
+        },
+      },
+    },
+
+    config(Joi: any) {
+      return Joi.object({
+        enabled: Joi.boolean().default(true),
+        secret: Joi.string().default(undefined),
+        audit: Joi.object({
+          enabled: Joi.boolean().default(false),
+        }),
+      }).default();
+    },
+
+    async init(server: any) {
+      const warn = (message: string | any) => server.log(['secret-service', 'warning'], message);
+
+      const configKey = 'xpack.secret_service.secret';
+      const filePath = join(server.config().get('path.data'), 'kibana.keystore');
+      const keystore: any = new server.Keystore(filePath);
+
+      if (!keystore.has(configKey)) {
+        keystore.add(configKey, crypto.randomBytes(128).toString('hex'));
+        if (!keystore.exists()) {
+          warn(`Keystore missing, new keystore created ${keystore.path}`);
+        }
+        warn('Missing key - one has been auto-generated for use.');
+        keystore.save();
+      }
+
+      const { callWithInternalUser } = server.plugins.elasticsearch.getCluster('admin');
+      const repository = server.savedObjects.getSavedObjectsRepository(callWithInternalUser, [
+        'secret',
+      ]);
+
+      const auditEnabled = server.config().get('xpack.secret_service.audit.enabled');
+      let auditor;
+      if (auditEnabled) {
+        auditor = new AuditLogger(server, this.id);
+      }
+      const encryptionKey = keystore.get(configKey);
+      const service = new SecretService(repository, 'secret', encryptionKey, auditor);
+
+      // validate key used
+      const invalidMessage =
+        'Could not validate encryption key, please make sure that the right key is in the keystore!';
+
+      const valid = await service.validateKey();
+
+      if (!valid) {
+        throw new Error(invalidMessage);
+      }
+      server.expose('secretService', service);
+    },
+  });
+};

x-pack/plugins/secret_service/mappings.json

@@ -0,0 +1,9 @@
+{
+  "secret": {
+    "properties": {
+      "secret": {
+        "type": "text"
+      }
+    }
+  }
+}

x-pack/plugins/secret_service/mocks/index.ts

@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export { Keystore } from './keystore';
+export { PluginSpec } from './plugin_spec';

x-pack/plugins/secret_service/mocks/keystore.ts

@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export class Keystore {
+  constructor(key: string) {
+    return this;
+  }
+  public exists() {
+    return false;
+  }
+  public reset() {
+    return undefined;
+  }
+  public save() {
+    return undefined;
+  }
+  public has() {
+    return undefined;
+  }
+  public add(key: string, value: any) {
+    return undefined;
+  }
+  public get(key: string): any {
+    return undefined;
+  }
+}

x-pack/plugins/secret_service/mocks/plugin_spec.ts

@@ -0,0 +1,11 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export class PluginSpec {
+  constructor(object: any) {
+    return object;
+  }
+}

x-pack/plugins/secret_service/server/index.ts

@@ -0,0 +1,7 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export { SecretService } from './service/secret_service';