diff --git a/x-pack/legacy/plugins/security/index.js b/x-pack/legacy/plugins/security/index.js
index e505a8fb55d90..6ee8b5f8b2b10 100644
--- a/x-pack/legacy/plugins/security/index.js
+++ b/x-pack/legacy/plugins/security/index.js
@@ -130,7 +130,6 @@ export const security = kibana =>
 const config = server.config();
 const xpackInfo = server.plugins.xpack_main.info;
 securityPlugin.__legacyCompat.registerLegacyAPI({
- savedObjects: server.savedObjects,
 auditLogger: new AuditLogger(server, 'security', config, xpackInfo),
 isSystemAPIRequest: server.plugins.kibana.systemApi.isSystemApiRequest.bind(
 server.plugins.kibana.systemApi
diff --git a/x-pack/plugins/security/server/audit/audit_logger.test.ts b/x-pack/plugins/security/server/audit/audit_logger.test.ts
index 2ae8b6762c5d4..01cde02b7dfdd 100644
--- a/x-pack/plugins/security/server/audit/audit_logger.test.ts
+++ b/x-pack/plugins/security/server/audit/audit_logger.test.ts
@@ -14,7 +14,7 @@ const createMockAuditLogger = () => {
 describe(`#savedObjectsAuthorizationFailure`, () => {
 test('logs via auditLogger', () => {
 const auditLogger = createMockAuditLogger();
- const securityAuditLogger = new SecurityAuditLogger(auditLogger);
+ const securityAuditLogger = new SecurityAuditLogger(() => auditLogger);
 const username = 'foo-user';
 const action = 'foo-action';
 const types = ['foo-type-1', 'foo-type-2'];
@@ -43,7 +43,7 @@ describe(`#savedObjectsAuthorizationFailure`, () => {
 describe(`#savedObjectsAuthorizationSuccess`, () => {
 test('logs via auditLogger when xpack.security.audit.enabled is true', () => {
 const auditLogger = createMockAuditLogger();
- const securityAuditLogger = new SecurityAuditLogger(auditLogger);
+ const securityAuditLogger = new SecurityAuditLogger(() => auditLogger);
 const username = 'foo-user';
 const action = 'foo-action';
 const types = ['foo-type-1', 'foo-type-2'];
diff --git a/x-pack/plugins/security/server/audit/audit_logger.ts b/x-pack/plugins/security/server/audit/audit_logger.ts
index 4c2c57d0e029e..df8df35f97b49 100644
--- a/x-pack/plugins/security/server/audit/audit_logger.ts
+++ b/x-pack/plugins/security/server/audit/audit_logger.ts
@@ -7,7 +7,7 @@
 import { LegacyAPI } from '../plugin';
 export class SecurityAuditLogger {
- constructor(private readonly auditLogger: LegacyAPI['auditLogger']) {}
+ constructor(private readonly getAuditLogger: () => LegacyAPI['auditLogger']) {}
 savedObjectsAuthorizationFailure(
 username: string,
@@ -16,7 +16,7 @@ export class SecurityAuditLogger {
 missing: string[],
 args?: Record
 ) {
- this.auditLogger.log(
+ this.getAuditLogger().log(
 'saved_objects_authorization_failure',
 `${username} unauthorized to ${action} ${types.join(',')}, missing ${missing.join(',')}`,
 {
@@ -35,7 +35,7 @@ export class SecurityAuditLogger {
 types: string[],
 args?: Record
 ) {
- this.auditLogger.log(
+ this.getAuditLogger().log(
 'saved_objects_authorization_success',
 `${username} authorized to ${action} ${types.join(',')}`,
 {
diff --git a/x-pack/plugins/security/server/plugin.ts b/x-pack/plugins/security/server/plugin.ts
index 14dd1e6ac00d3..cdd2a024310bb 100644
--- a/x-pack/plugins/security/server/plugin.ts
+++ b/x-pack/plugins/security/server/plugin.ts
@@ -13,8 +13,6 @@ import {
 Logger,
 PluginInitializerContext,
 RecursiveReadonly,
- SavedObjectsLegacyService,
- LegacyRequest,
 } from '../../../../src/core/server';
 import { deepFreeze } from '../../../../src/core/utils';
 import { SpacesPluginSetup } from '../../spaces/server';
@@ -43,7 +41,6 @@ export type FeaturesService = Pick;
 */
 export interface LegacyAPI {
 isSystemAPIRequest: (request: KibanaRequest) => boolean;
- savedObjects: SavedObjectsLegacyService;
 auditLogger: {
 log: (eventType: string, message: string, data?: Record) => void;
 };
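Review bot: The new `getAuditLogger` constructor parameter is invoked on every `log` call (here and in the `@@ -16` and `@@ -35` hunks), so `SecurityAuditLogger` now depends on the legacy API already being registered at the moment the first saved-object authorization decision is audited; plugin.ts wires it as `() => this.getLegacyAPI().auditLogger`, and `getLegacyAPI` is outside this diff, so if it throws before `registerLegacyAPI` has run, the audit record is lost and the caller sees that error instead of the authorization result. That contract should be stated on the constructor, e.g. `/** @param getAuditLogger Deferred accessor, resolved on each log call so the legacy audit logger may be registered after construction; it must be available before any saved-object request is audited. */`. The method bodies continue past the hunks.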
@@ -153,6 +150,12 @@ export class Plugin {
 featuresService: features,
 });
+ setupSavedObjects({
+ auditLogger: new SecurityAuditLogger(() => this.getLegacyAPI().auditLogger),
+ authz,
+ savedObjects: core.savedObjects,
+ });
+
 core.capabilities.registerSwitcher(authz.disableUnauthorizedCapabilities);
 defineRoutes({
@@ -166,7 +169,6 @@ export class Plugin {
 csp: core.http.csp,
 });
- const adminClient = await core.elasticsearch.adminClient$.pipe(first()).toPromise();
 return deepFreeze({
 authc,
@@ -185,16 +187,7 @@ export class Plugin {
 },
 __legacyCompat: {
- registerLegacyAPI: (legacyAPI: LegacyAPI) => {
- this.legacyAPI = legacyAPI;
-
- setupSavedObjects({
- auditLogger: new SecurityAuditLogger(legacyAPI.auditLogger),
- adminClusterClient: adminClient,
- authz,
- legacyAPI,
- });
- },
+ registerLegacyAPI: (legacyAPI: LegacyAPI) => (this.legacyAPI = legacyAPI),
 registerPrivilegesWithCluster: async () => await authz.registerPrivilegesWithCluster(),
diff --git a/x-pack/plugins/security/server/saved_objects/index.ts b/x-pack/plugins/security/server/saved_objects/index.ts
index 2bd7440d3ee70..556dc4fda85cf 100644
--- a/x-pack/plugins/security/server/saved_objects/index.ts
+++ b/x-pack/plugins/security/server/saved_objects/index.ts
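Review bot: `registerLegacyAPI: (legacyAPI: LegacyAPI) => (this.legacyAPI = legacyAPI),` in the `@@ -185` hunk uses a parenthesised assignment as the expression body, so the function's inferred return type becomes `LegacyAPI` instead of the previous `void` and the registered object is handed back to the legacy caller. A block body keeps the old signature: `registerLegacyAPI: (legacyAPI: LegacyAPI) => { this.legacyAPI = legacyAPI; },`. In the `@@ -153` hunk, the `setupSavedObjects` call now runs during `setup`, before the legacy plugin can have called `registerLegacyAPI`, which is why the audit logger must be resolved lazily; a one-line comment above that call, e.g. `// Installed before the legacy API exists; the audit logger is resolved per call.`, would save the next reader from re-deriving that ordering. The `setup` method begins and ends outside these hunks.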
@@ -4,60 +4,47 @@
 * you may not use this file except in compliance with the Elastic License.
 */
-import { IClusterClient, KibanaRequest, LegacyRequest } from '../../../../../src/core/server';
+import {
+ CoreSetup,
+ KibanaRequest,
+ LegacyRequest,
+ SavedObjectsClient,
+} from '../../../../../src/core/server';
 import { SecureSavedObjectsClientWrapper } from './secure_saved_objects_client_wrapper';
-import { LegacyAPI } from '../plugin';
 import { Authorization } from '../authorization';
 import { SecurityAuditLogger } from '../audit';
 interface SetupSavedObjectsParams {
- adminClusterClient: IClusterClient;
 auditLogger: SecurityAuditLogger;
 authz: Pick;
- legacyAPI: Pick;
+ savedObjects: CoreSetup['savedObjects'];
 }
-export function setupSavedObjects({
- adminClusterClient,
- auditLogger,
- authz,
- legacyAPI: { savedObjects },
-}: SetupSavedObjectsParams) {
+export function setupSavedObjects({ auditLogger, authz, savedObjects }: SetupSavedObjectsParams) {
 const getKibanaRequest = (request: KibanaRequest | LegacyRequest) =>
 request instanceof KibanaRequest ? request : KibanaRequest.from(request);
- savedObjects.setScopedSavedObjectsClientFactory(({ request }) => {
- const kibanaRequest = getKibanaRequest(request);
- if (authz.mode.useRbacForRequest(kibanaRequest)) {
- const internalRepository = savedObjects.getSavedObjectsRepository(
- adminClusterClient.callAsInternalUser
- );
- return new savedObjects.SavedObjectsClient(internalRepository);
- }
- const callAsCurrentUserRepository = savedObjects.getSavedObjectsRepository(
- adminClusterClient.asScoped(kibanaRequest).callAsCurrentUser
+ savedObjects.setClientFactory(({ request }) => {
+ const kibanaRequest = getKibanaRequest(request);
+ return new SavedObjectsClient(
+ authz.mode.useRbacForRequest(kibanaRequest)
+ ? savedObjects.createInternalRepository()
+ : savedObjects.createScopedRepository(kibanaRequest)
 );
- return new savedObjects.SavedObjectsClient(callAsCurrentUserRepository);
 });
- savedObjects.addScopedSavedObjectsClientWrapperFactory(
- Number.MAX_SAFE_INTEGER - 1,
- 'security',
- ({ client, request }) => {
- const kibanaRequest = getKibanaRequest(request);
- if (authz.mode.useRbacForRequest(kibanaRequest)) {
- return new SecureSavedObjectsClientWrapper({
+ savedObjects.addClientWrapper(Number.MAX_SAFE_INTEGER - 1, 'security', ({ client, request }) => {
+ const kibanaRequest = getKibanaRequest(request);
+ return authz.mode.useRbacForRequest(kibanaRequest)
+ ? new SecureSavedObjectsClientWrapper({
 actions: authz.actions,
 auditLogger,
 baseClient: client,
 checkSavedObjectsPrivilegesAsCurrentUser: authz.checkSavedObjectsPrivilegesWithRequest(
 kibanaRequest
 ),
- errors: savedObjects.SavedObjectsClient.errors,
- });
- }
-
- return client;
- }
- );
+ errors: SavedObjectsClient.errors,
+ })
+ : client;
+ });
 }
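Review bot: In the new `setClientFactory` callback, a request for which `authz.mode.useRbacForRequest(kibanaRequest)` is true receives `savedObjects.createInternalRepository()` — the removed lines show this path was backed by `callAsInternalUser`, i.e. not the caller's own credentials — on the assumption that the `SecureSavedObjectsClientWrapper` registered just below via `addClientWrapper` will enforce authorization for that same request, yet nothing in the file states that invariant. The same predicate is evaluated a second time inside the wrapper callback, so the two decisions only agree if `useRbacForRequest` is a pure function of the request (its implementation is not visible here); a divergent answer would leave an internal repository without the security wrapper. Suggest a comment above `setClientFactory`: `// RBAC requests get the internal (unscoped) repository; authorization is enforced solely by the 'security' wrapper registered below, whose predicate must stay identical to this one.`. The wrapper priority `Number.MAX_SAFE_INTEGER - 1` is also unexplained and deserves a short comment on why that ordering relative to other wrappers is required.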