Extract License service from CCR and Watcher into license_api_guard plugin in x-pack

src/plugins/es_ui_shared/server/index.ts

@@ -7,6 +7,7 @@
  */
 
 export { isEsError, handleEsError, parseEsError } from './errors';
+export { License } from './license';
 
 /** dummy plugin*/
 export function plugin() {

src/plugins/es_ui_shared/server/license/index.ts

@@ -0,0 +1,9 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+export { License } from './license';

src/plugins/es_ui_shared/server/license/license.test.ts

@@ -0,0 +1,102 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { License } from './license';
+
+describe('license_pre_routing_factory', () => {
+  describe('#reportingFeaturePreRoutingFactory', () => {
+    const pluginName = 'testPlugin';
+    const currentLicenseType = 'currentLicenseType';
+
+    const testRoute = ({ licenseState }) => {
+      const license = new License();
+      const logger = {
+        warn: jest.fn(),
+      };
+
+      const licensingMock = {
+        license$: {
+          subscribe: (callback) =>
+            callback({
+              type: currentLicenseType,
+              check: () => ({ state: licenseState }),
+              getFeature: () => ({}),
+            }),
+        },
+        refresh: jest.fn(),
+        createLicensePoller: jest.fn(),
+        featureUsage: {},
+      };
+
+      license.setup({ pluginName, logger });
+      license.start({
+        pluginId: 'id',
+        minimumLicenseType: 'basic',
+        licensing: licensingMock,
+      });
+
+      const route = jest.fn();
+      const guardedRoute = license.guardApiRoute(route);
+      const customError = jest.fn();
+      guardedRoute({}, {}, { customError });
+
+      return {
+        errorResponse:
+          customError.mock.calls.length > 0
+            ? customError.mock.calls[customError.mock.calls.length - 1][0]
+            : undefined,
+        logMesssage:
+          logger.warn.mock.calls.length > 0
+            ? logger.warn.mock.calls[logger.warn.mock.calls.length - 1][0]
+            : undefined,
+        route,
+      };
+    };
+
+    describe('valid license', () => {
+      it('the original route is called and nothing is logged', () => {
+        const { errorResponse, logMesssage, route } = testRoute({ licenseState: 'valid' });
+
+        expect(errorResponse).toBeUndefined();
+        expect(logMesssage).toBeUndefined();
+        expect(route).toHaveBeenCalled();
+      });
+    });
+
+    [
+      {
+        licenseState: 'invalid',
+        expectedMessage: `Your ${currentLicenseType} license does not support ${pluginName}. Please upgrade your license.`,
+      },
+      {
+        licenseState: 'expired',
+        expectedMessage: `You cannot use ${pluginName} because your ${currentLicenseType} license has expired.`,
+      },
+      {
+        licenseState: 'unavailable',
+        expectedMessage: `You cannot use ${pluginName} because license information is not available at this time.`,
+      },
+    ].forEach(({ licenseState, expectedMessage }) => {
+      describe(`${licenseState} license`, () => {
+        it('replies with 403 and message and logs the message', () => {
+          const { errorResponse, logMesssage, route } = testRoute({ licenseState });
+
+          expect(errorResponse).toEqual({
+            body: {
+              message: expectedMessage,
+            },
+            statusCode: 403,
+          });
+
+          expect(logMesssage).toBe(expectedMessage);
+          expect(route).not.toHaveBeenCalled();
+        });
+      });
+    });
+  });
+});

src/plugins/es_ui_shared/server/license/license.ts

@@ -0,0 +1,120 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { i18n } from '@kbn/i18n';
+import {
+  Logger,
+  KibanaRequest,
+  KibanaResponseFactory,
+  RequestHandler,
+  RequestHandlerContext,
+} from 'src/core/server';
+
+/* eslint-disable @kbn/eslint/no-restricted-paths */
+import type {
+  LicenseType,
+  LicenseCheckState,
+} from '../../../../../x-pack/plugins/licensing/common/types';
+import type { LicensingPluginStart } from '../../../../../x-pack/plugins/licensing/server/types';
+/* eslint-enable @kbn/eslint/no-restricted-paths */
+
+interface SetupSettings {
+  pluginName: string;
+  logger: Logger;
+}
+
+interface StartSettings {
+  pluginId: string;
+  minimumLicenseType: LicenseType;
+  licensing: LicensingPluginStart;
+}
+
+export class License {
+  private pluginName?: string;
+  private logger?: Logger;
+  private licenseCheckState: LicenseCheckState = 'unavailable';
+  private licenseType?: LicenseType;
+
+  private _isEsSecurityEnabled: boolean = false;
+
+  setup({ pluginName, logger }: SetupSettings) {
+    this.pluginName = pluginName;
+    this.logger = logger;
+  }
+
+  start({ pluginId, minimumLicenseType, licensing }: StartSettings) {
+    licensing.license$.subscribe((license) => {
+      this.licenseType = license.type;
+      this.licenseCheckState = license.check(pluginId, minimumLicenseType!).state;
+
+      // Retrieving security checks the results of GET /_xpack as well as license state,
+      // so we're also checking whether security is disabled in elasticsearch.yml.
+      this._isEsSecurityEnabled = license.getFeature('security').isEnabled;
+    });
+  }
+
+  getLicenseErrorMessage(licenseCheckState: LicenseCheckState): string {
+    switch (licenseCheckState) {
+      case 'invalid':
+        return i18n.translate('esUi.license.errorUnsupportedMessage', {
+          defaultMessage:
+            'Your {licenseType} license does not support {pluginName}. Please upgrade your license.',
+          values: { licenseType: this.licenseType!, pluginName: this.pluginName },
+        });
+
+      case 'expired':
+        return i18n.translate('esUi.license.errorExpiredMessage', {
+          defaultMessage:
+            'You cannot use {pluginName} because your {licenseType} license has expired.',
+          values: { licenseType: this.licenseType!, pluginName: this.pluginName },
+        });
+
+      case 'unavailable':
+        return i18n.translate('esUi.license.errorUnavailableMessage', {
+          defaultMessage:
+            'You cannot use {pluginName} because license information is not available at this time.',
+          values: { pluginName: this.pluginName },
+        });
+    }
+
+    return i18n.translate('esUi.license.genericErrorMessage', {
+      defaultMessage: 'You cannot use {pluginName} because the license check failed.',
+      values: { pluginName: this.pluginName },
+    });
+  }
+
+  guardApiRoute<Context extends RequestHandlerContext, Params, Query, Body>(
+    handler: RequestHandler<Params, Query, Body, Context>
+  ) {
+    return (
+      ctx: Context,
+      request: KibanaRequest<Params, Query, Body>,
+      response: KibanaResponseFactory
+    ) => {
+      // We'll only surface license errors if users attempt disallowed access to the API.
+      if (this.licenseCheckState !== 'valid') {
+        const licenseErrorMessage = this.getLicenseErrorMessage(this.licenseCheckState);
+        this.logger?.warn(licenseErrorMessage);
+
+        return response.customError({
+          body: {
+            message: licenseErrorMessage,
+          },
+          statusCode: 403,
+        });
+      }
+
+      return handler(ctx, request, response);
+    };
+  }
+
+  // eslint-disable-next-line @typescript-eslint/explicit-member-accessibility
+  get isEsSecurityEnabled() {
+    return this._isEsSecurityEnabled;
+  }
+}

src/plugins/es_ui_shared/tsconfig.json

@@ -15,6 +15,7 @@
     "static/**/*"
   ],
   "references": [
+    { "path": "../../../x-pack/plugins/licensing/tsconfig.json" },
     { "path": "../../core/tsconfig.json" },
     { "path": "../data/tsconfig.json" },
   ]

x-pack/plugins/cross_cluster_replication/server/plugin.ts

@@ -7,9 +7,9 @@
 
 import { Observable } from 'rxjs';
 import { first } from 'rxjs/operators';
-import { i18n } from '@kbn/i18n';
 import {
   CoreSetup,
+  CoreStart,
   ILegacyCustomClusterClient,
   Plugin,
   Logger,
@@ -19,12 +19,11 @@ import {
 
 import { Index } from '../../index_management/server';
 import { PLUGIN } from '../common/constants';
-import type { Dependencies, CcrRequestHandlerContext } from './types';
+import { SetupDependencies, StartDependencies, CcrRequestHandlerContext } from './types';
 import { registerApiRoutes } from './routes';
-import { License } from './services';
 import { elasticsearchJsPlugin } from './client/elasticsearch_ccr';
 import { CrossClusterReplicationConfig } from './config';
-import { isEsError } from './shared_imports';
+import { License, isEsError } from './shared_imports';
 import { formatEsError } from './lib/format_es_error';
 
 async function getCustomEsClient(getStartServices: CoreSetup['getStartServices']) {
@@ -77,7 +76,7 @@ export class CrossClusterReplicationServerPlugin implements Plugin<void, void, a
 
   setup(
     { http, getStartServices }: CoreSetup,
-    { features, licensing, indexManagement, remoteClusters }: Dependencies
+    { features, licensing, indexManagement, remoteClusters }: SetupDependencies
   ) {
     this.config$
       .pipe(first())
@@ -97,22 +96,10 @@ export class CrossClusterReplicationServerPlugin implements Plugin<void, void, a
         }
       });
 
-    this.license.setup(
-      {
-        pluginId: PLUGIN.ID,
-        minimumLicenseType: PLUGIN.minimumLicenseType,
-        defaultErrorMessage: i18n.translate(
-          'xpack.crossClusterReplication.licenseCheckErrorMessage',
-          {
-            defaultMessage: 'License check failed',
-          }
-        ),
-      },
-      {
-        licensing,
-        logger: this.logger,
-      }
-    );
+    this.license.setup({
+      pluginName: PLUGIN.TITLE,
+      logger: this.logger,
+    });
 
     features.registerElasticsearchFeature({
       id: 'cross_cluster_replication',
@@ -147,7 +134,13 @@ export class CrossClusterReplicationServerPlugin implements Plugin<void, void, a
     });
   }
 
-  start() {}
+  start(core: CoreStart, { licensing }: StartDependencies) {
+    this.license.start({
+      pluginId: PLUGIN.ID,
+      minimumLicenseType: PLUGIN.minimumLicenseType,
+      licensing,
+    });
+  }
 
   stop() {
     if (this.ccrEsClient) {

x-pack/plugins/cross_cluster_replication/server/services/index.ts

@@ -5,5 +5,4 @@
  * 2.0.
  */
 
-export { License } from './license';
 export { addBasePath } from './add_base_path';