Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security - Reorder Saved Objects Client wrappers #38444

Closed
wants to merge 50 commits into from
Closed
Show file tree
Hide file tree
Changes from 36 commits
Commits
Show all changes
50 commits
Select commit Hold shift + click to select a range
c7acf55
convert SecureSavedObjectsClientWrapper to TypeScript
legrego Jun 6, 2019
7a410c7
change spaces soc wrapper order. allow space id to be set on the request
legrego Jun 6, 2019
e23adc0
change security soc wrapper order. Extract privilege checking
legrego Jun 6, 2019
4b97e2c
Merge branch 'master' of github.com:elastic/kibana into reorder-soc-w…
legrego Jun 7, 2019
30d0641
add namespace tests for SOC wrapper
legrego Jun 7, 2019
6f06c67
testing checkSavedObjectsPrivileges
legrego Jun 7, 2019
764322c
Merge branch 'master' of github.com:elastic/kibana into reorder-soc-w…
legrego Jun 7, 2019
c98c1cd
revert changes to spaces saved objects client wrapper
legrego Jun 7, 2019
2c95f6c
cleanup
legrego Jun 10, 2019
0b4a769
Merge branch 'master' of github.com:elastic/kibana into reorder-soc-w…
legrego Jun 10, 2019
93d01cb
SOC Reordering nitpicks (#20)
kobelb Jun 12, 2019
dfff4ab
revert changes to spaces service
legrego Jun 12, 2019
b2c5884
Revert "revert changes to spaces saved objects client wrapper"
legrego Jun 12, 2019
d66cfae
testing namespace passing
legrego Jun 12, 2019
5bf4ea6
Merge branch 'reorder-soc-wrappers' of github.com:legrego/kibana into…
legrego Jun 12, 2019
5a8e987
Merge branch 'master' of github.com:elastic/kibana into reorder-soc-w…
legrego Jun 12, 2019
3096d56
assert checkPrivilegesWithRequest is called with the incoming request
legrego Jun 12, 2019
1be8f53
exploring a 'classed' namespace
legrego Jun 13, 2019
b09c26e
Merge branch 'master' of github.com:elastic/kibana into reorder-soc-w…
legrego Jun 17, 2019
f601e42
Merge branch 'master' of github.com:elastic/kibana into reorder-soc-w…
legrego Jun 18, 2019
9f80cf4
rename Namespace => SavedObjectsNamespace, fixing merge from master a…
legrego Jun 18, 2019
61b203d
Merge branch 'master' of github.com:elastic/kibana into reorder-soc-w…
legrego Jun 18, 2019
5854319
saved objects service test updates
legrego Jun 18, 2019
1e481ab
update deleteByNamespace
legrego Jun 18, 2019
c0fa8cc
Merge branch 'master' of github.com:elastic/kibana into reorder-soc-w…
legrego Jun 19, 2019
591153a
Merge branch 'master' of github.com:elastic/kibana into reorder-soc-w…
legrego Jun 19, 2019
7209f43
introducing DEFAULT_SPACE_NAMESPACE symbol
legrego Jun 19, 2019
bc06c38
additional tests
legrego Jun 19, 2019
9ab8289
revert exposing SavedObjectsRepository
legrego Jun 20, 2019
f6f6803
Merge branch 'master' of github.com:elastic/kibana into reorder-soc-w…
legrego Jun 20, 2019
f18e865
fix doc warning
legrego Jun 20, 2019
cb0d974
fix build
legrego Jun 20, 2019
348ef98
use relative imports for SavedObjectsNamespace
legrego Jun 20, 2019
8353f0f
assert that the repository cannot accept Symbol namespaces
legrego Jun 20, 2019
fd91f37
Merge branch 'master' of github.com:elastic/kibana into reorder-soc-w…
legrego Jun 20, 2019
739cd86
updating api docs
legrego Jun 20, 2019
0e40f5b
Merge branch 'master' of github.com:elastic/kibana into reorder-soc-w…
legrego Jun 20, 2019
f46e46b
Merge branch 'master' of github.com:elastic/kibana into reorder-soc-w…
legrego Jun 20, 2019
968d8f8
readd snapshots
legrego Jun 20, 2019
e2796ff
Revert "use relative imports for SavedObjectsNamespace"
legrego Jun 24, 2019
7c6bbfd
Revert "assert that the repository cannot accept Symbol namespaces"
legrego Jun 24, 2019
cada7ea
Revert "updating api docs"
legrego Jun 24, 2019
016479d
Merge branch 'master' of github.com:elastic/kibana into reorder-soc-w…
legrego Jun 24, 2019
0530155
assert that the repository cannot accept Symbol namespaces
legrego Jun 20, 2019
4bfeb3b
update namespace assertions
legrego Jun 24, 2019
d44ab61
fix typings
legrego Jun 24, 2019
ba8d21f
Merge branch 'master' of github.com:elastic/kibana into reorder-soc-w…
legrego Jun 24, 2019
fee5532
Merge branch 'master' of github.com:elastic/kibana into reorder-soc-w…
legrego Jun 25, 2019
49956c2
Merge branch 'master' of github.com:elastic/kibana into reorder-soc-w…
legrego Jun 26, 2019
b5ffdac
Merge branch 'master' of github.com:elastic/kibana into reorder-soc-w…
legrego Jul 1, 2019
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions docs/development/core/server/kibana-plugin-server.md
Original file line number Diff line number Diff line change
Expand Up @@ -83,4 +83,5 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
| [RouteMethod](./kibana-plugin-server.routemethod.md) | The set of common HTTP methods supported by Kibana routing. |
| [SavedObjectsClientContract](./kibana-plugin-server.savedobjectsclientcontract.md) | \#\# SavedObjectsClient errors<!-- -->Since the SavedObjectsClient has its hands in everything we are a little paranoid about the way we present errors back to to application code. Ideally, all errors will be either:<!-- -->1. Caused by bad implementation (ie. undefined is not a function) and as such unpredictable 2. An error that has been classified and decorated appropriately by the decorators in [SavedObjectsErrorHelpers](./kibana-plugin-server.savedobjectserrorhelpers.md)<!-- -->Type 1 errors are inevitable, but since all expected/handle-able errors should be Type 2 the <code>isXYZError()</code> helpers exposed at <code>SavedObjectsErrorHelpers</code> should be used to understand and manage error responses from the <code>SavedObjectsClient</code>.<!-- -->Type 2 errors are decorated versions of the source error, so if the elasticsearch client threw an error it will be decorated based on its type. That means that rather than looking for <code>error.body.error.type</code> or doing substring checks on <code>error.body.error.reason</code>, just use the helpers to understand the meaning of the error:<!-- -->\`\`\`<!-- -->js if (SavedObjectsErrorHelpers.isNotFoundError(error)) { // handle 404 }<!-- -->if (SavedObjectsErrorHelpers.isNotAuthorizedError(error)) { // 401 handling should be automatic, but in case you wanted to know }<!-- -->// always rethrow the error unless you handle it throw error; \`\`\`<!-- -->\#\#\# 404s from missing index<!-- -->From the perspective of application code and APIs the SavedObjectsClient is a black box that persists objects. One of the internal details that users have no control over is that we use an elasticsearch index for persistance and that index might be missing.<!-- -->At the time of writing we are in the process of transitioning away from the operating assumption that the SavedObjects index is always available. Part of this transition is handling errors resulting from an index missing. These used to trigger a 500 error in most cases, and in others cause 404s with different error messages.<!-- -->From my (Spencer) perspective, a 404 from the SavedObjectsApi is a 404; The object the request/call was targeting could not be found. This is why \#14141 takes special care to ensure that 404 errors are generic and don't distinguish between index missing or document missing.<!-- -->\#\#\# 503s from missing index<!-- -->Unlike all other methods, create requests are supposed to succeed even when the Kibana index does not exist because it will be automatically created by elasticsearch. When that is not the case it is because Elasticsearch's <code>action.auto_create_index</code> setting prevents it from being created automatically so we throw a special 503 with the intention of informing the user that their Elasticsearch settings need to be updated.<!-- -->See [SavedObjectsErrorHelpers](./kibana-plugin-server.savedobjectserrorhelpers.md) |
| [SavedObjectsClientWrapperFactory](./kibana-plugin-server.savedobjectsclientwrapperfactory.md) | |
| [SavedObjectsNamespace](./kibana-plugin-server.savedobjectsnamespace.md) | Saved Objects Namespace. |

Original file line number Diff line number Diff line change
Expand Up @@ -15,5 +15,5 @@ export interface SavedObjectsBaseOptions

| Property | Type | Description |
| --- | --- | --- |
| [namespace](./kibana-plugin-server.savedobjectsbaseoptions.namespace.md) | <code>string</code> | Specify the namespace for this operation |
| [namespace](./kibana-plugin-server.savedobjectsbaseoptions.namespace.md) | <code>SavedObjectsNamespace</code> | Specify the namespace for this operation |

Original file line number Diff line number Diff line change
Expand Up @@ -9,5 +9,5 @@ Specify the namespace for this operation
<b>Signature:</b>

```typescript
namespace?: string;
namespace?: SavedObjectsNamespace;
```
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [SavedObjectsNamespace](./kibana-plugin-server.savedobjectsnamespace.md)

## SavedObjectsNamespace type

Saved Objects Namespace.

<b>Signature:</b>

```typescript
export declare type SavedObjectsNamespace = string | undefined | symbol;
```
1 change: 1 addition & 0 deletions src/core/server/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,7 @@ export {
SavedObjectsFindOptions,
SavedObjectsFindResponse,
SavedObjectsMigrationVersion,
SavedObjectsNamespace,
SavedObjectsService,
SavedObjectsUpdateOptions,
SavedObjectsUpdateResponse,
Expand Down
19 changes: 14 additions & 5 deletions src/core/server/saved_objects/serialization/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@
/* eslint-disable @typescript-eslint/camelcase */

import uuid from 'uuid';
import { SavedObjectsNamespace } from '../';
import { SavedObjectsSchema } from '../schema';
import { decodeVersion, encodeVersion } from '../version';
import {
Expand Down Expand Up @@ -53,7 +54,7 @@ interface SavedObjectDoc {
attributes: object;
id?: string; // NOTE: SavedObjectDoc is used for uncreated objects where `id` is optional
type: string;
namespace?: string;
namespace?: SavedObjectsNamespace;
migrationVersion?: SavedObjectsMigrationVersion;
version?: string;
updated_at?: string;
Expand All @@ -80,6 +81,12 @@ function assertNonEmptyString(value: string, name: string) {
}
}

function assertNotSymbol(value: unknown, name: string) {
if (typeof value === 'symbol') {
throw new TypeError(`Expected "${String(value)}" to be a ${name}`);
}
}

export class SavedObjectsSerializer {
private readonly schema: SavedObjectsSchema;

Expand Down Expand Up @@ -167,18 +174,20 @@ export class SavedObjectsSerializer {
* @param {string} type - The saved object type
* @param {string} id - The id of the saved object
*/
public generateRawId(namespace: string | undefined, type: string, id?: string) {
public generateRawId(namespace: SavedObjectsNamespace, type: string, id?: string) {
assertNotSymbol(namespace, 'namespace');
const namespacePrefix =
namespace && !this.schema.isNamespaceAgnostic(type) ? `${namespace}:` : '';
namespace && !this.schema.isNamespaceAgnostic(type) ? `${String(namespace)}:` : '';
return `${namespacePrefix}${type}:${id || uuid.v1()}`;
}

private trimIdPrefix(namespace: string | undefined, type: string, id: string) {
private trimIdPrefix(namespace: SavedObjectsNamespace, type: string, id: string) {
assertNonEmptyString(id, 'document id');
assertNonEmptyString(type, 'saved object type');
assertNotSymbol(namespace, 'namespace');

const namespacePrefix =
namespace && !this.schema.isNamespaceAgnostic(type) ? `${namespace}:` : '';
namespace && !this.schema.isNamespaceAgnostic(type) ? `${String(namespace)}:` : '';
const prefix = `${namespacePrefix}${type}:`;

if (!id.startsWith(prefix)) {
Expand Down
1 change: 1 addition & 0 deletions src/core/server/saved_objects/service/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ export {
ScopedSavedObjectsClientProvider,
SavedObjectsClientWrapperFactory,
SavedObjectsClientWrapperOptions,
SavedObjectsNamespace,
SavedObjectsErrorHelpers,
} from './lib';

Expand Down

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 4 additions & 0 deletions src/core/server/saved_objects/service/lib/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -24,4 +24,8 @@ export {
ScopedSavedObjectsClientProvider,
} from './scoped_client_provider';

export { SavedObjectsNamespace } from './namespace';

import * as errors from './errors';
export { errors };
export { SavedObjectsErrorHelpers } from './errors';
24 changes: 24 additions & 0 deletions src/core/server/saved_objects/service/lib/namespace.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
/*
* Licensed to Elasticsearch B.V. under one or more contributor
* license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright
* ownership. Elasticsearch B.V. licenses this file to you under
* the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/

/**
* Saved Objects Namespace.
* @public
*/
export type SavedObjectsNamespace = string | undefined | symbol;
87 changes: 87 additions & 0 deletions src/core/server/saved_objects/service/lib/repository.test.js
Original file line number Diff line number Diff line change
Expand Up @@ -548,6 +548,19 @@ describe('SavedObjectsRepository', () => {
);
expect(onBeforeWrite).toHaveBeenCalledTimes(1);
});

it(`doesn't support Symbol namespaces`, async () => {
expect(savedObjectsRepository.create(
'index-pattern',
{
title: 'Logstash',
},
{
id: 'foo-id',
namespace: Symbol('foo-namespace'),
}
)).rejects.toThrowErrorMatchingSnapshot();
});
});

describe('#bulkCreate', () => {
Expand Down Expand Up @@ -993,6 +1006,15 @@ describe('SavedObjectsRepository', () => {
expect(onBeforeWrite).toHaveBeenCalledTimes(1);
});

it(`doesn't support Symbol namespaces`, async () => {
expect(savedObjectsRepository.bulkCreate(
[{ type: 'globaltype', id: 'one', attributes: { title: 'Test One' } }],
{
namespace: Symbol('foo-namespace'),
}
)).rejects.toThrowErrorMatchingSnapshot();
});

it('should return objects in the same order regardless of type', () => {});
});

Expand Down Expand Up @@ -1071,6 +1093,12 @@ describe('SavedObjectsRepository', () => {

expect(onBeforeWrite).toHaveBeenCalledTimes(1);
});

it(`doesn't support Symbol namespaces`, async () => {
expect(savedObjectsRepository.delete('globaltype', 'logstash-*', {
namespace: Symbol('foo-namespace'),
})).rejects.toThrowErrorMatchingSnapshot();
});
});

describe('#deleteByNamespace', () => {
Expand All @@ -1090,6 +1118,15 @@ describe('SavedObjectsRepository', () => {
expect(onBeforeWrite).not.toHaveBeenCalled();
});

it(`doesn't support Symbol namespaces`, async () => {
callAdminCluster.mockReturnValue(deleteByQueryResults);
expect(
savedObjectsRepository.deleteByNamespace(Symbol('namespace-1'))
).rejects.toThrowErrorMatchingSnapshot();
expect(callAdminCluster).not.toHaveBeenCalled();
expect(onBeforeWrite).not.toHaveBeenCalled();
});

it('constructs a deleteByQuery call using all types that are namespace aware', async () => {
callAdminCluster.mockReturnValue(deleteByQueryResults);
const result = await savedObjectsRepository.deleteByNamespace('my-namespace');
Expand Down Expand Up @@ -1283,6 +1320,11 @@ describe('SavedObjectsRepository', () => {
expect(callAdminCluster).toHaveBeenCalledTimes(1);
expect(callAdminCluster.mock.calls[0][1]).toHaveProperty('rest_total_hits_as_int', true);
});

it(`doesn't support Symbol namespaces`, async () => {
expect(savedObjectsRepository.find({ type: 'foo', namespace: Symbol('foo') }))
.rejects.toThrowErrorMatchingSnapshot();
});
});

describe('#get', () => {
Expand Down Expand Up @@ -1404,6 +1446,12 @@ describe('SavedObjectsRepository', () => {
})
);
});

it(`doesn't support Symbol namespaces`, async () => {
expect(savedObjectsRepository.get('globaltype', 'logstash-*', {
namespace: Symbol('foo-namespace'),
})).rejects.toThrowErrorMatchingSnapshot();
});
});

describe('#bulkGet', () => {
Expand Down Expand Up @@ -1645,6 +1693,17 @@ describe('SavedObjectsRepository', () => {
},
]);
});

it(`doesn't support Symbol namespaces`, async () => {
expect(savedObjectsRepository.bulkGet([
{ id: 'one', type: 'config' },
{ id: 'two', type: 'invalidtype' },
{ id: 'three', type: 'config' },
{ id: 'four', type: 'invalidtype' },
{ id: 'five', type: 'config' },
], { namespace: Symbol('foo') }))
.rejects.toThrowErrorMatchingSnapshot();
});
});

describe('#update', () => {
Expand Down Expand Up @@ -1857,6 +1916,26 @@ describe('SavedObjectsRepository', () => {

expect(onBeforeWrite).toHaveBeenCalledTimes(1);
});

it(`doesn't support Symbol namespaces`, async () => {
expect(savedObjectsRepository.update(
'index-pattern',
'foo',
{
name: 'bar',
},
{
namespace: Symbol('foo-namespace'),
references: [
{
name: 'ref_0',
type: 'test',
id: '1',
},
],
}
)).rejects.toThrowErrorMatchingSnapshot();
});
});

describe('#incrementCounter', () => {
Expand Down Expand Up @@ -2053,6 +2132,14 @@ describe('SavedObjectsRepository', () => {
)
).rejects.toEqual(new Error('"counterFieldName" argument must be a string'));
});

it(`doesn't support Symbol namespaces`, async () => {
expect(
savedObjectsRepository.incrementCounter('globaltype', 'foo', 'counter', {
namespace: Symbol('foo-namespace'),
})
).rejects.toThrowErrorMatchingSnapshot();
});
});

describe('onBeforeWrite', () => {
Expand Down
4 changes: 4 additions & 0 deletions src/core/server/saved_objects/service/lib/repository.ts
Original file line number Diff line number Diff line change
Expand Up @@ -421,6 +421,10 @@ export class SavedObjectsRepository {
throw new TypeError('options.fields must be an array');
}

if (typeof namespace === 'symbol') {
throw new TypeError('options.namespace must not be a Symbol');
}

const esOptions = {
index: this.getIndicesForTypes(allowedTypes),
size: perPage,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
* under the License.
*/

import { SavedObjectsNamespace } from '../namespace';
import { getRootPropertiesObjects, IndexMapping } from '../../../mappings';
import { SavedObjectsSchema } from '../../../schema';

Expand Down Expand Up @@ -59,7 +60,11 @@ function getFieldsForTypes(types: string[], searchFields?: string[]) {
* Gets the clause that will filter for the type in the namespace.
* Some types are namespace agnostic, so they must be treated differently.
*/
function getClauseForType(schema: SavedObjectsSchema, namespace: string | undefined, type: string) {
function getClauseForType(
schema: SavedObjectsSchema,
namespace: SavedObjectsNamespace,
type: string
) {
if (namespace && !schema.isNamespaceAgnostic(type)) {
return {
bool: {
Expand All @@ -82,7 +87,7 @@ function getClauseForType(schema: SavedObjectsSchema, namespace: string | undefi
export function getQueryParams(
mappings: IndexMapping,
schema: SavedObjectsSchema,
namespace?: string,
namespace?: SavedObjectsNamespace,
type?: string | string[],
search?: string,
searchFields?: string[],
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@

import Boom from 'boom';

import { SavedObjectsNamespace } from '../namespace';
import { IndexMapping } from '../../../mappings';
import { SavedObjectsSchema } from '../../../schema';
import { getQueryParams } from './query_params';
Expand All @@ -31,7 +32,7 @@ interface GetSearchDslOptions {
searchFields?: string[];
sortField?: string;
sortOrder?: string;
namespace?: string;
namespace?: SavedObjectsNamespace;
hasReference?: {
type: string;
id: string;
Expand Down
6 changes: 2 additions & 4 deletions src/core/server/saved_objects/service/saved_objects_client.ts
Original file line number Diff line number Diff line change
Expand Up @@ -16,9 +16,7 @@
* specific language governing permissions and limitations
* under the License.
*/

import { SavedObjectsRepository } from './lib';

import { SavedObjectsRepository, SavedObjectsNamespace } from './lib';
import { SavedObjectsErrorHelpers } from './lib/errors';

type Omit<T, K extends keyof T> = Pick<T, Exclude<keyof T, K>>;
Expand All @@ -29,7 +27,7 @@ type Omit<T, K extends keyof T> = Pick<T, Exclude<keyof T, K>>;
*/
export interface SavedObjectsBaseOptions {
/** Specify the namespace for this operation */
namespace?: string;
namespace?: SavedObjectsNamespace;
}

/**
Expand Down
Loading