Migrate /bootstrap.js endpoint to core
#92784
Conversation
pgayvallet
force-pushed
the
kbn-54375-migrate-bootstrap-endpoint
branch
from
9ab1025
to
cd32213
Compare
| { | ||
| path: '/bootstrap.js', | ||
| options: { | ||
| authRequired: 'optional', |
There was a problem hiding this comment.
This PR moves the /bootstrap.js endpoint out of legacy and into core -- as part of this change, the route went from hapi's authMode of try to optional.
This caused a lot of x-pack test failures, because some test suites ended up loading Kibana with an incorrect Authorization header (invalid credentials). In the legacy world where this used try, the invalid credentials allowed the /bootstrap.js request to succeed. Now that this route is using authMode: 'optional', the request fails when presented with invalid credentials.
We previously asked the core team to implement authMode: 'optional' for the KP, because we needed to detect if the user had a valid session or not, without directly relying on the existence of the session cookie (#58589). Now that we have server-side sessions, it's not clear to me if we need to keep these routes as optional, or if we can move them to try.
My gut feeling is that we don't need the behavior that optional gives us anymore, but I wanted to double check with you, since you're well-versed on the different auth flows and states.
There was a problem hiding this comment.
FWIW I went with adding the try auth mode for now.
There was a problem hiding this comment.
Sorry for the delayed reply, just caught up on the emails after PTO.
This caused a lot of x-pack test failures, because some test suites ended up loading Kibana with an incorrect Authorization header (invalid credentials).
Interesting, why do we do that? Is there any legitimate case when it makes sense?
We previously asked the core team to implement authMode: 'optional' for the KP, because we needed to detect if the user had a valid session or not, without directly relying on the existence of the session cookie (#58589).
Right, we wanted to abstract away from the fact that session is stored in the cookie running the Core authentication hook instead. But the hook shouldn't fail, or redirect to IdP (for SAML/OIDC), or automatically initiate new session (PKI/Kerberos) if credentials aren't provided.
Now that we have server-side sessions, it's not clear to me if we need to keep these routes as optional, or if we can move them to try.
I'm not sure how server-side sessions would change anything here to be honest, can you please elaborate a bit?
At that time we picked optional as seemingly the safest option (if you send any credentials you likely expect them to be respected) and the one with the behavior similar to the ES behavior when anonymous access is enabled there (requests without credentials are treated as anonymous and requests with invalid credentials are rejected). I still feel that try behavior is a bit confusing (any request credentials are attempted authentication, but if the credentials are invalid, the request proceeds regardless of the authentication error).
Having said that I believe we can safely switch our routes (login, logged_out etc.) to try since our authentication pipeline only cares if authentication is strictly required or not. So we won't need optional anymore.
…-bootstrap-endpoint
pgayvallet
added
chore
Feature:Legacy Removal
| resources.register( | ||
| { | ||
| path: '/app/{id}/{any*}', | ||
| validate: false, | ||
| options: { | ||
| authRequired: true, | ||
| }, | ||
| }, | ||
| async (context, request, response) => { | ||
| return response.renderCoreApp(); | ||
| } | ||
| ); |
There was a problem hiding this comment.
/app/{id}is registered from theCoreAppservice- We are using
renderCoreAppwhich ensure consistency between the 'default route' apps and the manually registered app endpoints.
| if (authRequired === 'try') { | ||
| return { mode: 'try' }; | ||
| } |
There was a problem hiding this comment.
See #92784 (comment) for more context about the addition of the try auth mode.
@elastic/kibana-security tell me if you'd prefer that I replace the behavior of the optional mode instead (but imho having both makes sense)
There was a problem hiding this comment.
I'm happy with the approach you have here. I don't see why we can't support both try and optional
| describe('when authRequired is `true`', () => { | ||
| it('allows authenticated access when auth returns `authenticated`', async () => { | ||
| const { http } = await root.setup(); | ||
| const { registerAuth, createRouter, auth } = http; | ||
|
|
||
| registerAuth((req, res, toolkit) => toolkit.authenticated()); | ||
|
|
||
| const router = createRouter(''); | ||
| registerRoute(router, auth, true); | ||
|
|
||
| await root.start(); |
There was a problem hiding this comment.
Those can look similar to the auth tests we have in core_services.test.ts, but these added IT are testing the behavior of the interaction between the registered auth provider's response and the endpoint response directly (and more in depth)
| load([ | ||
| {{#each styleSheetPaths}} | ||
| '{{this}}', | ||
| {{/each}} | ||
| ]); |
There was a problem hiding this comment.
Stylesheets are now directly included in the document generated by RenderingServiceSetup.render instead.
| const isAuthenticated = (request: KibanaRequest) => { | ||
| if (!auth.isEnabled()) { | ||
| return true; | ||
| } | ||
| const { status: authStatus } = auth.get(request); | ||
| // status is 'unknown' when auth is disabled. we just need to not be `unauthenticated` here. | ||
| return authStatus !== 'unauthenticated'; | ||
| }; |
There was a problem hiding this comment.
This isAuthenticated function could be renamed amIAuthorizedToQueryElasticsearch, as it returns true either when auth is disabled (no security), or if auth is enabled AND the user is authenticated.
(Long) note: now that we moved the stylesheet loading to RenderingServiceSetup.render, the only remaining reason to load uiSettings stored in ES when rendering bootstrap.js is to compute the __kbnThemeTag__ (themeTag below) variable (that is used as a prefix by our client-side loader for stylesheets). I tried to move that variable initialization to the rendered document instead, however, because of our CSP policy, we can't use inline scripts (and injecting the variable from the client-side core code is too late)
An improvement would be to (re-)add a nonce-XXX option to our CSP, to let the rendering service have inlined scripts, but doing that properly (aka not as it was done in legacy before we removed it) would require to generate the nonce value per-request and to have the rendering service access this value when rendering the document. If technically doable, it is not trivial and require some thinking, so imho (given that we really want that) it should be done as a follow-up (we would even be able to inline the whole bootstrap.js script in the rendered document in that case).
cc @legrego @joshdover this is the reason why I was speaking about reintroducing nonce-
There was a problem hiding this comment.
Mind creating a follow-up issue?
| const darkMode = getSettingValue('theme:darkMode', settings, Boolean); | ||
| const themeVersion = getSettingValue('theme:version', settings, String); | ||
|
|
||
| const stylesheetPaths = getStylesheetPaths({ | ||
| darkMode, | ||
| themeVersion, | ||
| basePath: serverBasePath, | ||
| buildNum, | ||
| }); |
There was a problem hiding this comment.
Moving the stylesheets loading from bootstrap.js to the core/app document introduced a slight behavior change:
- In
bootstrap.js, we were checking if we were allowed to query ES to retrieve the user settings (security off OR security ON + user authenticated) - In the rendering service, we depends on the
includeUserSettingsinput parameter, which is alwaysfalsefor unauthenticated routes (such aslogin)
In short: previously, an authenticated user accessing the login page would be able to use the persisted user settings, and now, the default setting values will always be used. As we are reloading the app when logging in, I think this is okay.
If not, we will have to re-use the isAuthenticated method/logic from rendering/bootstrap/bootstrap_renderer.ts instead of this includeUserSettings parameter (which could then be totally removed from the render API)
No strong opinion on that one, tell me what you think.
| @@ -72,8 +71,6 @@ export default class KbnServer { | |||
| // tell the config we are done loading plugins | |||
| configCompleteMixin, | |||
|
|
|||
| uiMixin, | |||
…-bootstrap-endpoint
…-bootstrap-endpoint
|
|
||
| // These paths should align with the bundle routes configured in | ||
| // src/optimize/bundles_route/bundles_route.ts | ||
| const publicPathMap = JSON.stringify({ |
There was a problem hiding this comment.
I'm surprised src/optimize/bundles_route/bundles_route.ts doesn't have a similar comment.
There was a problem hiding this comment.
My next step is to migrate the bundle_route anyway, will add the comment when moving the route to core.
| etag: string; | ||
| } | ||
|
|
||
| export const bootstrapRendererFactory: BootstrapRendererFactory = ({ |
There was a problem hiding this comment.
optional: this file contains some logic, but I don't see bootstrapRendererFactory is tested
| let darkMode = false; | ||
| let themeVersion = 'v7'; | ||
|
|
||
| try { | ||
| const authenticated = isAuthenticated(request); | ||
| darkMode = authenticated ? await uiSettingsClient.get('theme:darkMode') : false; | ||
| themeVersion = authenticated ? await uiSettingsClient.get('theme:version') : 'v7'; | ||
| } catch (e) { | ||
| // just use the default values in case of connectivity issues with ES | ||
| } | ||
|
|
||
| const themeTag = `${themeVersion === 'v7' ? 'v7' : 'v8'}${darkMode ? 'dark' : 'light'}`; |
There was a problem hiding this comment.
optional: we can keep it as is, but I'd extract themeTag calculation to a separate function to simplify reading.
Also, it's not obvious without a comment how __kbnThemeTag__ is used.
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: |
* move bootstrap endpoint to core * some initial cleanup * hack around the 'try' auth status * some UT * more UT * add try/catch around uISettings access * add 'auth.isEnabled' * remove dead files * use `try` authent mode * adapt UT * revert themeTag movearound * migrate apps route to core * some cleanup * nit * add integration tests * update generated doc * add UT for /app route * add etag IT * nits * remove auth.isEnabled API * add tests on get_apm_config * use string template instead of handlebars for bootstrap template * improve plugin bundle tests * update generated doc * remove response.etag API * update generated doc * update generated doc * update generated doc again * extract getThemeTag * add more unit tests
* move bootstrap endpoint to core * some initial cleanup * hack around the 'try' auth status * some UT * more UT * add try/catch around uISettings access * add 'auth.isEnabled' * remove dead files * use `try` authent mode * adapt UT * revert themeTag movearound * migrate apps route to core * some cleanup * nit * add integration tests * update generated doc * add UT for /app route * add etag IT * nits * remove auth.isEnabled API * add tests on get_apm_config * use string template instead of handlebars for bootstrap template * improve plugin bundle tests * update generated doc * remove response.etag API * update generated doc * update generated doc * update generated doc again * extract getThemeTag * add more unit tests
Summary
Fix #54375
This PR migrates the
/bootstrap.jsand/app/{id}/{any*}endpoints from legacy to core.authRequired: 'try'mode for routes (required for thebootstrap.jslogic)Add thehttp.auth.isEnabledAPI (required for thebootstrap.jslogic)Add theHttpResponseOptions.etagAPI (required for thebootstrap.jslogic)/bootstrap.jsendpoint tocore/app/{id}/{any*}endpoint tocorehttpResourcesroutesuiRendermixinChecklist