

Use savedObjects provided by the platform instead of legacy shim. (#…
azasypkin authored Dec 20, 2019
1 parent ec4fca6 commit e582277
Showing 5 changed files with 34 additions and 55 deletions.
1 change: 0 additions & 1 deletion x-pack/legacy/plugins/security/index.js
Expand Up @@ -130,7 +130,6 @@ export const security = kibana =>
const config = server.config();
const xpackInfo = server.plugins.xpack_main.info;
securityPlugin.__legacyCompat.registerLegacyAPI({
savedObjects: server.savedObjects,
auditLogger: new AuditLogger(server, 'security', config, xpackInfo),
isSystemAPIRequest: server.plugins.kibana.systemApi.isSystemApiRequest.bind(
server.plugins.kibana.systemApi
4 changes: 2 additions & 2 deletions x-pack/plugins/security/server/audit/audit_logger.test.ts
Expand Up @@ -14,7 +14,7 @@ const createMockAuditLogger = () => {
describe(`#savedObjectsAuthorizationFailure`, () => {
test('logs via auditLogger', () => {
const auditLogger = createMockAuditLogger();
const securityAuditLogger = new SecurityAuditLogger(auditLogger);
const securityAuditLogger = new SecurityAuditLogger(() => auditLogger);
const username = 'foo-user';
const action = 'foo-action';
const types = ['foo-type-1', 'foo-type-2'];
Expand Down Expand Up @@ -43,7 +43,7 @@ describe(`#savedObjectsAuthorizationFailure`, () => {
describe(`#savedObjectsAuthorizationSuccess`, () => {
test('logs via auditLogger when xpack.security.audit.enabled is true', () => {
const auditLogger = createMockAuditLogger();
const securityAuditLogger = new SecurityAuditLogger(auditLogger);
const securityAuditLogger = new SecurityAuditLogger(() => auditLogger);
const username = 'foo-user';
const action = 'foo-action';
const types = ['foo-type-1', 'foo-type-2'];
6 changes: 3 additions & 3 deletions x-pack/plugins/security/server/audit/audit_logger.ts
Expand Up @@ -7,7 +7,7 @@
import { LegacyAPI } from '../plugin';

export class SecurityAuditLogger {
constructor(private readonly auditLogger: LegacyAPI['auditLogger']) {}
constructor(private readonly getAuditLogger: () => LegacyAPI['auditLogger']) {}

savedObjectsAuthorizationFailure(
username: string,
Expand All @@ -16,7 +16,7 @@ export class SecurityAuditLogger {
missing: string[],
args?: Record<string, unknown>
) {
this.auditLogger.log(
this.getAuditLogger().log(
'saved_objects_authorization_failure',
`${username} unauthorized to ${action} ${types.join(',')}, missing ${missing.join(',')}`,
{
Expand All @@ -35,7 +35,7 @@ export class SecurityAuditLogger {
types: string[],
args?: Record<string, unknown>
) {
this.auditLogger.log(
this.getAuditLogger().log(
'saved_objects_authorization_success',
`${username} authorized to ${action} ${types.join(',')}`,
{
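Review bot: The constructor change at line 53 from a concrete `auditLogger` to a `getAuditLogger` getter is not explained anywhere in the class, and the reason (the logger is now constructed during plugin setup, before the legacy API that owns the audit logger has been registered) is only visible in plugin.ts. Add a TSDoc comment on the constructor parameter such as `/** Resolved lazily on each call: the legacy audit logger is registered after this instance is created. */`. Since the getter now runs on every `savedObjectsAuthorizationFailure`/`savedObjectsAuthorizationSuccess` call (lines 62 and 71), it is also worth stating in that comment what callers should expect if the getter throws or returns nothing, as an audit record for an authorization failure would then be lost; I cannot see the getter's implementation from this hunk. Both methods also lack an explicit return type; `: void` would make the contract clear.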
21 changes: 7 additions & 14 deletions x-pack/plugins/security/server/plugin.ts
Expand Up @@ -13,8 +13,6 @@ import {
Logger,
PluginInitializerContext,
RecursiveReadonly,
SavedObjectsLegacyService,
LegacyRequest,
} from '../../../../src/core/server';
import { deepFreeze } from '../../../../src/core/utils';
import { SpacesPluginSetup } from '../../spaces/server';
Expand Down Expand Up @@ -43,7 +41,6 @@ export type FeaturesService = Pick<FeaturesSetupContract, 'getFeatures'>;
*/
export interface LegacyAPI {
isSystemAPIRequest: (request: KibanaRequest) => boolean;
savedObjects: SavedObjectsLegacyService<KibanaRequest | LegacyRequest>;
auditLogger: {
log: (eventType: string, message: string, data?: Record<string, unknown>) => void;
};
Expand Down Expand Up @@ -153,6 +150,12 @@ export class Plugin {
featuresService: features,
});

setupSavedObjects({
auditLogger: new SecurityAuditLogger(() => this.getLegacyAPI().auditLogger),
authz,
savedObjects: core.savedObjects,
});

core.capabilities.registerSwitcher(authz.disableUnauthorizedCapabilities);

defineRoutes({
Expand All @@ -166,7 +169,6 @@ export class Plugin {
csp: core.http.csp,
});

const adminClient = await core.elasticsearch.adminClient$.pipe(first()).toPromise();
return deepFreeze({
authc,

Expand All @@ -185,16 +187,7 @@ export class Plugin {
},

__legacyCompat: {
registerLegacyAPI: (legacyAPI: LegacyAPI) => {
this.legacyAPI = legacyAPI;

setupSavedObjects({
auditLogger: new SecurityAuditLogger(legacyAPI.auditLogger),
adminClusterClient: adminClient,
authz,
legacyAPI,
});
},
registerLegacyAPI: (legacyAPI: LegacyAPI) => (this.legacyAPI = legacyAPI),

registerPrivilegesWithCluster: async () => await authz.registerPrivilegesWithCluster(),

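Review bot: The `SecurityAuditLogger` created at line 100 resolves `this.getLegacyAPI().auditLogger` on every log call, so any saved-objects authorization event that is emitted before the legacy plugin has called `registerLegacyAPI` (line 130) now depends entirely on how `getLegacyAPI` handles the unregistered case, which is outside this hunk. If it throws, an authorization failure in that window would fail the request instead of being audited; if it returns `undefined`, the audit record is silently dropped. Add a comment above line 99 such as `// Audit logger is resolved lazily: the legacy API is registered only after setup() has returned.` and a test that exercises the wrapper before `registerLegacyAPI` has run. Separately, the removed `adminClient` line (112) was presumably the only user of the `first` rxjs operator; if so the import is now unused and should be dropped, though the import block is not visible here.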
57 changes: 22 additions & 35 deletions x-pack/plugins/security/server/saved_objects/index.ts
Expand Up @@ -4,60 +4,47 @@
* you may not use this file except in compliance with the Elastic License.
*/

import { IClusterClient, KibanaRequest, LegacyRequest } from '../../../../../src/core/server';
import {
CoreSetup,
KibanaRequest,
LegacyRequest,
SavedObjectsClient,
} from '../../../../../src/core/server';
import { SecureSavedObjectsClientWrapper } from './secure_saved_objects_client_wrapper';
import { LegacyAPI } from '../plugin';
import { Authorization } from '../authorization';
import { SecurityAuditLogger } from '../audit';

interface SetupSavedObjectsParams {
adminClusterClient: IClusterClient;
auditLogger: SecurityAuditLogger;
authz: Pick<Authorization, 'mode' | 'actions' | 'checkSavedObjectsPrivilegesWithRequest'>;
legacyAPI: Pick<LegacyAPI, 'savedObjects'>;
savedObjects: CoreSetup['savedObjects'];
}

export function setupSavedObjects({
adminClusterClient,
auditLogger,
authz,
legacyAPI: { savedObjects },
}: SetupSavedObjectsParams) {
export function setupSavedObjects({ auditLogger, authz, savedObjects }: SetupSavedObjectsParams) {
const getKibanaRequest = (request: KibanaRequest | LegacyRequest) =>
request instanceof KibanaRequest ? request : KibanaRequest.from(request);
savedObjects.setScopedSavedObjectsClientFactory(({ request }) => {
const kibanaRequest = getKibanaRequest(request);
if (authz.mode.useRbacForRequest(kibanaRequest)) {
const internalRepository = savedObjects.getSavedObjectsRepository(
adminClusterClient.callAsInternalUser
);
return new savedObjects.SavedObjectsClient(internalRepository);
}

const callAsCurrentUserRepository = savedObjects.getSavedObjectsRepository(
adminClusterClient.asScoped(kibanaRequest).callAsCurrentUser
savedObjects.setClientFactory(({ request }) => {
const kibanaRequest = getKibanaRequest(request);
return new SavedObjectsClient(
authz.mode.useRbacForRequest(kibanaRequest)
? savedObjects.createInternalRepository()
: savedObjects.createScopedRepository(kibanaRequest)
);
return new savedObjects.SavedObjectsClient(callAsCurrentUserRepository);
});

savedObjects.addScopedSavedObjectsClientWrapperFactory(
Number.MAX_SAFE_INTEGER - 1,
'security',
({ client, request }) => {
const kibanaRequest = getKibanaRequest(request);
if (authz.mode.useRbacForRequest(kibanaRequest)) {
return new SecureSavedObjectsClientWrapper({
savedObjects.addClientWrapper(Number.MAX_SAFE_INTEGER - 1, 'security', ({ client, request }) => {
const kibanaRequest = getKibanaRequest(request);
return authz.mode.useRbacForRequest(kibanaRequest)
? new SecureSavedObjectsClientWrapper({
actions: authz.actions,
auditLogger,
baseClient: client,
checkSavedObjectsPrivilegesAsCurrentUser: authz.checkSavedObjectsPrivilegesWithRequest(
kibanaRequest
),
errors: savedObjects.SavedObjectsClient.errors,
});
}

return client;
}
);
errors: SavedObjectsClient.errors,
})
: client;
});
}
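Review bot: The client factory at lines 181-187 hands out an internal-user repository whenever `useRbacForRequest` is true and relies on the wrapper registered at line 198 evaluating the same predicate to enforce privileges; after this rewrite that invariant is spread across two compact ternaries with no comment, so a future edit that changes one branch without the other would expose an unscoped repository. Suggest a comment above line 181 such as `// Under RBAC the repository runs as the internal user; authorization is enforced solely by the SecureSavedObjectsClientWrapper registered below, so both factories must make the same useRbacForRequest decision.`. The wrapper priority `Number.MAX_SAFE_INTEGER - 1` at line 198 would also benefit from a one-line comment on why it must be ordered that way relative to other client wrappers; I am inferring its intent from the value. `setupSavedObjects` is exported and could carry an explicit `: void` return type.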
