[Code] don't allow access secured routes before x-pack info is availa…

…ble (#34994)

x-pack/plugins/code/server/routes/file.ts

@@ -23,7 +23,7 @@ import { detectLanguage } from '../utils/detect_language';
 const TEXT_FILE_LIMIT = 1024 * 1024; // 1mb
 
 export function fileRoute(server: hapi.Server, options: ServerOptions) {
-  server.route({
+  server.securedRoute({
     path: '/api/code/repo/{uri*3}/tree/{ref}/{path*}',
     method: 'GET',
     async handler(req: hapi.Request) {
@@ -58,7 +58,7 @@ export function fileRoute(server: hapi.Server, options: ServerOptions) {
     },
   });
 
-  server.route({
+  server.securedRoute({
     path: '/api/code/repo/{uri*3}/blob/{ref}/{path*}',
     method: 'GET',
     async handler(req: hapi.Request, h: hapi.ResponseToolkit) {
@@ -108,7 +108,7 @@ export function fileRoute(server: hapi.Server, options: ServerOptions) {
     },
   });
 
-  server.route({
+  server.securedRoute({
     path: '/app/code/repo/{uri*3}/raw/{ref}/{path*}',
     method: 'GET',
     async handler(req, h: hapi.ResponseToolkit) {
@@ -131,7 +131,7 @@ export function fileRoute(server: hapi.Server, options: ServerOptions) {
     },
   });
 
-  server.route({
+  server.securedRoute({
     path: '/api/code/repo/{uri*3}/history/{ref}',
     method: 'GET',
     handler: historyHandler,
@@ -176,7 +176,7 @@ export function fileRoute(server: hapi.Server, options: ServerOptions) {
       }
     }
   }
-  server.route({
+  server.securedRoute({
     path: '/api/code/repo/{uri*3}/references',
     method: 'GET',
     async handler(req, reply) {
@@ -197,7 +197,7 @@ export function fileRoute(server: hapi.Server, options: ServerOptions) {
     },
   });
 
-  server.route({
+  server.securedRoute({
     path: '/api/code/repo/{uri*3}/diff/{revision}',
     method: 'GET',
     async handler(req) {
@@ -216,7 +216,7 @@ export function fileRoute(server: hapi.Server, options: ServerOptions) {
     },
   });
 
-  server.route({
+  server.securedRoute({
     path: '/api/code/repo/{uri*3}/blame/{revision}/{path*}',
     method: 'GET',
     async handler(req) {

x-pack/plugins/code/server/routes/install.ts

@@ -29,7 +29,7 @@ export function installRoute(
     pluginName: def.pluginName,
   });
 
-  server.route({
+  server.securedRoute({
     path: '/api/code/install',
     handler() {
       return LanguageServers.map(status);

x-pack/plugins/code/server/routes/lsp.ts

@@ -35,7 +35,7 @@ export function lspRoute(
   serverOptions: ServerOptions
 ) {
   const log = new Logger(server);
-  server.route({
+  server.securedRoute({
     path: '/api/code/lsp/textDocument/{method}',
     async handler(req, h: hapi.ResponseToolkit) {
       if (typeof req.payload === 'object' && req.payload != null) {
@@ -77,7 +77,7 @@ export function lspRoute(
     method: 'POST',
   });
 
-  server.route({
+  server.securedRoute({
     path: '/api/code/lsp/findReferences',
     method: 'POST',
     async handler(req, h: hapi.ResponseToolkit) {
@@ -170,7 +170,7 @@ export function lspRoute(
 }
 
 export function symbolByQnameRoute(server: hapi.Server, log: Logger) {
-  server.route({
+  server.securedRoute({
     path: '/api/code/lsp/symbol/{qname}',
     method: 'GET',
     async handler(req) {

x-pack/plugins/code/server/routes/repository.ts

@@ -131,7 +131,7 @@ export function repositoryRoute(
   });
 
   // Get a git repository
-  server.route({
+  server.securedRoute({
     path: '/api/code/repo/{uri*3}',
     method: 'GET',
     async handler(req) {
@@ -149,7 +149,7 @@ export function repositoryRoute(
     },
   });
 
-  server.route({
+  server.securedRoute({
     path: '/api/code/repo/status/{uri*3}',
     method: 'GET',
     async handler(req) {
@@ -192,7 +192,7 @@ export function repositoryRoute(
   });
 
   // Get all git repositories
-  server.route({
+  server.securedRoute({
     path: '/api/code/repos',
     method: 'GET',
     async handler(req) {
@@ -212,9 +212,10 @@ export function repositoryRoute(
   // Issue a repository index task.
   // TODO(mengwei): This is just temporary API stub to trigger the index job. Eventually in the near
   // future, this route will be removed. The scheduling strategy is still in discussion.
-  server.route({
+  server.securedRoute({
     path: '/api/code/repo/index/{uri*3}',
     method: 'POST',
+    requireAdmin: true,
     async handler(req) {
       const repoUri = req.params.uri as string;
       const log = new Logger(req.server);
@@ -238,9 +239,10 @@ export function repositoryRoute(
   });
 
   // Update a repo config
-  server.route({
+  server.securedRoute({
     path: '/api/code/repo/config/{uri*3}',
     method: 'PUT',
+    requireAdmin: true,
     async handler(req, h) {
       const config: RepositoryConfig = req.payload as RepositoryConfig;
       const repoUri: RepositoryUri = config.uri;
@@ -269,7 +271,7 @@ export function repositoryRoute(
   });
 
   // Get repository config
-  server.route({
+  server.securedRoute({
     path: '/api/code/repo/config/{uri*3}',
     method: 'GET',
     async handler(req) {

x-pack/plugins/code/server/routes/search.ts

@@ -13,7 +13,7 @@ import { DocumentSearchClient, RepositorySearchClient, SymbolSearchClient } from
 import { EsClientWithRequest } from '../utils/esclient_with_request';
 
 export function repositorySearchRoute(server: hapi.Server, log: Logger) {
-  server.route({
+  server.securedRoute({
     path: '/api/code/search/repo',
     method: 'GET',
     async handler(req) {
@@ -43,7 +43,7 @@ export function repositorySearchRoute(server: hapi.Server, log: Logger) {
     },
   });
 
-  server.route({
+  server.securedRoute({
     path: '/api/code/suggestions/repo',
     method: 'GET',
     async handler(req) {
@@ -75,7 +75,7 @@ export function repositorySearchRoute(server: hapi.Server, log: Logger) {
 }
 
 export function documentSearchRoute(server: hapi.Server, log: Logger) {
-  server.route({
+  server.securedRoute({
     path: '/api/code/search/doc',
     method: 'GET',
     async handler(req) {
@@ -107,7 +107,7 @@ export function documentSearchRoute(server: hapi.Server, log: Logger) {
     },
   });
 
-  server.route({
+  server.securedRoute({
     path: '/api/code/suggestions/doc',
     method: 'GET',
     async handler(req) {
@@ -166,12 +166,12 @@ export function symbolSearchRoute(server: hapi.Server, log: Logger) {
   };
 
   // Currently these 2 are the same.
-  server.route({
+  server.securedRoute({
     path: '/api/code/suggestions/symbol',
     method: 'GET',
     handler: symbolSearchHandler,
   });
-  server.route({
+  server.securedRoute({
     path: '/api/code/search/symbol',
     method: 'GET',
     handler: symbolSearchHandler,

x-pack/plugins/code/server/routes/workspace.ts

@@ -15,16 +15,17 @@ import { EsClientWithRequest } from '../utils/esclient_with_request';
 import { ServerLoggerFactory } from '../utils/server_logger_factory';
 
 export function workspaceRoute(server: hapi.Server, serverOptions: ServerOptions) {
-  server.route({
+  server.securedRoute({
     path: '/api/code/workspace',
     method: 'GET',
     async handler() {
       return serverOptions.repoConfigs;
     },
   });
 
-  server.route({
+  server.securedRoute({
     path: '/api/code/workspace/{uri*3}/{revision}',
+    requireAdmin: true,
     method: 'POST',
     async handler(req: hapi.Request, reply) {
       const repoUri = req.params.uri as string;

x-pack/plugins/code/server/security.ts

@@ -65,9 +65,12 @@ export class SecureRoute {
 
   private isSecurityEnabledInEs() {
     const xpackInfo = this.server.plugins.xpack_main.info;
+    if (!xpackInfo.isAvailable()) {
+      throw Boom.serverUnavailable('x-pack info is not available yet.');
+    }
     if (
-      xpackInfo.isAvailable() &&
-      (!xpackInfo.feature('security').isEnabled() || xpackInfo.license.isOneOf('basic'))
+      !xpackInfo.feature('security').isEnabled() ||
+      !xpackInfo.feature('security').isAvailable()
     ) {
       return false;
     }