Add ability to specify CORS accepted origins

docs/setup/settings.asciidoc

@@ -445,6 +445,15 @@ deprecation warning at startup. This setting cannot end in a slash (`/`).
 | [[server-compression]] `server.compression.enabled:`
  | Set to `false` to disable HTTP compression for all responses. *Default: `true`*
 
+| `server.cors.enabled:`
+ | experimental[] Set to `true` to allow cross-origin API calls. *Default:* `false`
+
+| `server.cors.credentials:`
+ | experimental[] Set to `true` to allow browser code to access response body whenever request performed with user credentials. *Default:* `false`
+
+| `server.cors.origin:`
+ | experimental[] List of origins permitted to access resources. You must specify `server.cors.origin` when `server.cors.credentials: true`. *Default:* "*"
+
 | `server.compression.referrerWhitelist:`
  | Specifies an array of trusted hostnames, such as the {kib} host, or a reverse
 proxy sitting in front of it. This determines whether HTTP compression may be used for responses, based on the request `Referer` header.

package.json

@@ -571,7 +571,7 @@
     "@typescript-eslint/parser": "^4.8.1",
     "@welldone-software/why-did-you-render": "^5.0.0",
     "@yarnpkg/lockfile": "^1.1.0",
-    "abab": "^1.0.4",
+    "abab": "^2.0.4",
     "angular-aria": "^1.8.0",
     "angular-mocks": "^1.7.9",
     "angular-recursion": "^1.0.5",

src/core/server/config/deprecation/core_deprecations.test.ts

@@ -93,6 +93,25 @@ describe('core deprecations', () => {
     });
   });
 
+  describe('server.cors', () => {
+    it('renames server.cors to server.cors.enabled', () => {
+      const { migrated } = applyCoreDeprecations({
+        server: { cors: true },
+      });
+      expect(migrated.server.cors).toEqual({ enabled: true });
+    });
+    it('logs a warning message about server.cors renaming', () => {
+      const { messages } = applyCoreDeprecations({
+        server: { cors: true },
+      });
+      expect(messages).toMatchInlineSnapshot(`
+        Array [
+          "\\"server.cors\\" is deprecated and has been replaced by \\"server.cors.enabled\\"",
+        ]
+      `);
+    });
+  });
+
   describe('rewriteBasePath', () => {
     it('logs a warning is server.basePath is set and server.rewriteBasePath is not', () => {
       const { messages } = applyCoreDeprecations({

src/core/server/config/deprecation/core_deprecations.ts

@@ -60,6 +60,17 @@ const rewriteBasePathDeprecation: ConfigDeprecation = (settings, fromPath, log)
   return settings;
 };
 
+const rewriteCorsSettings: ConfigDeprecation = (settings, fromPath, log) => {
+  const corsSettings = get(settings, 'server.cors');
+  if (typeof get(settings, 'server.cors') === 'boolean') {
+    log('"server.cors" is deprecated and has been replaced by "server.cors.enabled"');
+    settings.server.cors = {
+      enabled: corsSettings,
+    };
+  }
+  return settings;
+};
+
 const cspRulesDeprecation: ConfigDeprecation = (settings, fromPath, log) => {
   const NONCE_STRING = `{nonce}`;
   // Policies that should include the 'self' source
@@ -140,6 +151,7 @@ export const coreDeprecationProvider: ConfigDeprecationProvider = ({ rename, unu
   unusedFromRoot('elasticsearch.startupTimeout'),
   rename('cpu.cgroup.path.override', 'ops.cGroupOverrides.cpuPath'),
   rename('cpuacct.cgroup.path.override', 'ops.cGroupOverrides.cpuAcctPath'),
+  rewriteCorsSettings,
   configPathDeprecation,
   dataPathDeprecation,
   rewriteBasePathDeprecation,

src/core/server/http/cookie_session_storage.test.ts

@@ -67,6 +67,9 @@ configService.atPath.mockReturnValue(
       allowFromAnyIp: true,
       ipAllowlist: [],
     },
+    cors: {
+      enabled: false,
+    },
   } as any)
 );
 

src/core/server/http/http_config.test.ts

@@ -261,6 +261,51 @@ describe('with compression', () => {
   });
 });
 
+describe('cors', () => {
+  describe('origin', () => {
+    it('list cannot be empty', () => {
+      expect(() =>
+        config.schema.validate({
+          cors: {
+            origin: [],
+          },
+        })
+      ).toThrowErrorMatchingInlineSnapshot(`
+              "[cors.origin]: types that failed validation:
+              - [cors.origin.0]: expected value to equal [*]
+              - [cors.origin.1]: array size is [0], but cannot be smaller than [1]"
+          `);
+    });
+
+    it('consist of list of valid URLs', () => {
+      const origin = ['http://127.0.0.1:3000', 'https://elastic.co'];
+      expect(
+        config.schema.validate({
+          cors: { origin },
+        }).cors.origin
+      ).toStrictEqual(origin);
+    });
+
+    it('can be configures as "*" wildcard', () => {
+      expect(config.schema.validate({ cors: { origin: '*' } }).cors.origin).toBe('*');
+    });
+  });
+  describe('credentials', () => {
+    it('cannot use wildcard origin if "credentials: true"', () => {
+      expect(
+        () => config.schema.validate({ cors: { credentials: true, origin: '*' } }).cors.origin
+      ).toThrowErrorMatchingInlineSnapshot(
+        `"[cors]: Cannot specify wildcard origin \\"*\\" with \\"credentials: true\\". Please provide a list of allowed origins."`
+      );
+      expect(
+        () => config.schema.validate({ cors: { credentials: true } }).cors.origin
+      ).toThrowErrorMatchingInlineSnapshot(
+        `"[cors]: Cannot specify wildcard origin \\"*\\" with \\"credentials: true\\". Please provide a list of allowed origins."`
+      );
+    });
+  });
+});
+
 describe('HttpConfig', () => {
   it('converts customResponseHeaders to strings or arrays of strings', () => {
     const httpSchema = config.schema;

src/core/server/http/http_config.ts

@@ -25,7 +25,7 @@ import { SslConfig, sslSchema } from './ssl_config';
 
 const validBasePathRegex = /^\/.*[^\/]$/;
 const uuidRegexp = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-5][0-9a-f]{3}-[089ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
-
+const hostURISchema = schema.uri({ scheme: ['http', 'https'] });
 const match = (regex: RegExp, errorMsg: string) => (str: string) =>
   regex.test(str) ? undefined : errorMsg;
 
@@ -42,7 +42,25 @@ export const config = {
           validate: match(validBasePathRegex, "must start with a slash, don't end with one"),
         })
       ),
-      cors: schema.boolean({ defaultValue: false }),
+      cors: schema.object(
+        {
+          enabled: schema.boolean({ defaultValue: false }),
+          credentials: schema.boolean({ defaultValue: false }),
+          origin: schema.oneOf(
+            [schema.literal('*'), schema.arrayOf(hostURISchema, { minSize: 1 })],
+            {
+              defaultValue: '*',
+            }
+          ),
+        },
+        {
+          validate(value) {
+            if (value.credentials === true && value.origin === '*') {
+              return 'Cannot specify wildcard origin "*" with "credentials: true". Please provide a list of allowed origins.';
+            }
+          },
+        }
+      ),
       customResponseHeaders: schema.recordOf(schema.string(), schema.any(), {
         defaultValue: {},
       }),
@@ -134,7 +152,11 @@ export class HttpConfig {
   public keepaliveTimeout: number;
   public socketTimeout: number;
   public port: number;
-  public cors: boolean | { origin: string[] };
+  public cors: {
+    enabled: boolean;
+    credentials: boolean;
+    origin: '*' | string[];
+  };
   public customResponseHeaders: Record<string, string | string[]>;
   public maxPayload: ByteSizeValue;
   public basePath?: string;

src/core/server/http/http_server.test.ts

@@ -72,6 +72,9 @@ beforeEach(() => {
       allowFromAnyIp: true,
       ipAllowlist: [],
     },
+    cors: {
+      enabled: false,
+    },
   } as any;
 
   configWithSSL = {

src/core/server/http/http_tools.test.ts

@@ -102,6 +102,9 @@ describe('timeouts', () => {
       host: '127.0.0.1',
       maxPayload: new ByteSizeValue(1024),
       ssl: {},
+      cors: {
+        enabled: false,
+      },
       compression: { enabled: true },
       requestId: {
         allowFromAnyIp: true,

src/core/server/http/http_tools.ts

@@ -16,11 +16,18 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-
-import { Lifecycle, Request, ResponseToolkit, Server, ServerOptions, Util } from '@hapi/hapi';
+import { Server } from '@hapi/hapi';
+import type {
+  Lifecycle,
+  Request,
+  ResponseToolkit,
+  RouteOptionsCors,
+  ServerOptions,
+  Util,
+} from '@hapi/hapi';
 import Hoek from '@hapi/hoek';
-import { ServerOptions as TLSOptions } from 'https';
-import { ValidationError } from 'joi';
+import type { ServerOptions as TLSOptions } from 'https';
+import type { ValidationError } from 'joi';
 import uuid from 'uuid';
 import { HttpConfig } from './http_config';
 import { validateObject } from './prototype_pollution';
@@ -29,6 +36,12 @@ import { validateObject } from './prototype_pollution';
  * Converts Kibana `HttpConfig` into `ServerOptions` that are accepted by the Hapi server.
  */
 export function getServerOptions(config: HttpConfig, { configureTLS = true } = {}) {
+  const cors: RouteOptionsCors | false = config.cors.enabled
+    ? {
+        credentials: config.cors.credentials,
+        origin: config.cors.origin,
+      }
+    : false;
   // Note that all connection options configured here should be exactly the same
   // as in the legacy platform server (see `src/legacy/server/http/index`). Any change
   // SHOULD BE applied in both places. The only exception is TLS-specific options,
@@ -41,7 +54,7 @@ export function getServerOptions(config: HttpConfig, { configureTLS = true } = {
         privacy: 'private',
         otherwise: 'private, no-cache, no-store, must-revalidate',
       },
-      cors: config.cors,
+      cors,
       payload: {
         maxBytes: config.maxPayload.getValueInBytes(),
       },

src/core/server/http/https_redirect_server.test.ts

@@ -48,6 +48,9 @@ beforeEach(() => {
       enabled: true,
       redirectHttpFromPort: chance.integer({ min: 20000, max: 30000 }),
     },
+    cors: {
+      enabled: false,
+    },
   } as HttpConfig;
 
   server = new HttpsRedirectServer(loggingSystemMock.create().get());

src/core/server/http/integration_tests/lifecycle_handlers.test.ts

@@ -58,6 +58,9 @@ describe('core lifecycle handlers', () => {
         ssl: {
           enabled: false,
         },
+        cors: {
+          enabled: false,
+        },
         compression: { enabled: true },
         name: kibanaName,
         customResponseHeaders: {

src/core/server/http/test_utils.ts

@@ -40,6 +40,9 @@ configService.atPath.mockReturnValue(
     ssl: {
       enabled: false,
     },
+    cors: {
+      enabled: false,
+    },
     compression: { enabled: true },
     xsrf: {
       disableProtection: true,

x-pack/scripts/functional_tests.js

@@ -15,6 +15,7 @@ const alwaysImportedTests = [
   require.resolve('../test/security_functional/oidc.config.ts'),
   require.resolve('../test/security_functional/saml.config.ts'),
   require.resolve('../test/functional_embedded/config.ts'),
+  require.resolve('../test/functional_cors/config.ts'),
   require.resolve('../test/functional_enterprise_search/without_host_configured.config.ts'),
 ];
 const onlyNotInCoverageTests = [

x-pack/test/functional_cors/config.ts

@@ -0,0 +1,63 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import Url from 'url';
+import Path from 'path';
+import getPort from 'get-port';
+import type { FtrConfigProviderContext } from '@kbn/test/types/ftr';
+import { kbnTestConfig } from '@kbn/test';
+import { pageObjects } from '../functional/page_objects';
+
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+  const kibanaFunctionalConfig = await readConfigFile(require.resolve('../functional/config.js'));
+
+  const corsTestPlugin = Path.resolve(__dirname, './plugins/kibana_cors_test');
+
+  const servers = {
+    ...kibanaFunctionalConfig.get('servers'),
+    elasticsearch: {
+      ...kibanaFunctionalConfig.get('servers.elasticsearch'),
+    },
+    kibana: {
+      ...kibanaFunctionalConfig.get('servers.kibana'),
+    },
+  };
+
+  const { protocol, hostname } = kbnTestConfig.getUrlParts();
+  const pluginPort = await getPort({ port: 9000 });
+  const originUrl = Url.format({
+    protocol,
+    hostname,
+    port: pluginPort,
+  });
+
+  return {
+    testFiles: [require.resolve('./tests')],
+    servers,
+    services: kibanaFunctionalConfig.get('services'),
+    pageObjects,
+    junit: {
+      reportName: 'Kibana CORS with X-Pack Security',
+    },
+
+    esTestCluster: kibanaFunctionalConfig.get('esTestCluster'),
+    apps: {
+      ...kibanaFunctionalConfig.get('apps'),
+    },
+
+    kbnTestServer: {
+      ...kibanaFunctionalConfig.get('kbnTestServer'),
+      serverArgs: [
+        ...kibanaFunctionalConfig.get('kbnTestServer.serverArgs'),
+        `--plugin-path=${corsTestPlugin}`,
+        `--test.cors.port=${pluginPort}`,
+        '--server.cors.enabled=true',
+        '--server.cors.credentials=true',
+        `--server.cors.origin=["${originUrl}"]`,
+      ],
+    },
+  };
+}

x-pack/test/functional_cors/ftr_provider_context.d.ts

@@ -0,0 +1,12 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { GenericFtrProviderContext } from '@kbn/test/types/ftr';
+import { pageObjects } from '../functional/page_objects';
+import { services } from './services';
+
+export type FtrProviderContext = GenericFtrProviderContext<typeof services, typeof pageObjects>;
+export { pageObjects };

x-pack/test/functional_cors/plugins/kibana_cors_test/kibana.json

@@ -0,0 +1,8 @@
+{
+  "id": "kibana_cors_test",
+  "version": "1.0.0",
+  "kibanaVersion": "kibana",
+  "configPath": ["test", "cors"],
+  "server": true,
+  "ui": false
+}