Enables preventing access to internal APIs

.github/CODEOWNERS

@@ -922,6 +922,7 @@ x-pack/test/observability_functional @elastic/actionable-observability
 /WORKSPACE.bazel @elastic/kibana-operations
 /.buildkite/ @elastic/kibana-operations
 /kbn_pm/ @elastic/kibana-operations
+/x-pack/dev-tools @elastic/kibana-operations
 
 # Appex QA
 /src/dev/code_coverage @elastic/appex-qa

config/serverless.yml

@@ -18,6 +18,8 @@ xpack.license_management.enabled: false
 #xpack.canvas.enabled: false #only disabable in dev-mode
 xpack.reporting.enabled: false
 
+# Enforce restring access to internal APIs see https://github.com/elastic/kibana/issues/151940
+# server.restrictInternalApis: true
 # Telemetry enabled by default and not disableable via UI
 telemetry.optIn: true
 telemetry.allowChangingOptInStatus: false

packages/core/http/core-http-browser-internal/src/fetch.test.ts

@@ -160,6 +160,7 @@ describe('Fetch', () => {
       expect(fetchMock.lastOptions()!.headers).toMatchObject({
         'content-type': 'application/json',
         'kbn-version': 'VERSION',
+        'x-elastic-internal-origin': 'Kibana',
         myheader: 'foo',
       });
     });
@@ -168,13 +169,30 @@ describe('Fetch', () => {
       fetchMock.get('*', {});
       await expect(
         fetchInstance.fetch('/my/path', {
-          headers: { myHeader: 'foo', 'kbn-version': 'CUSTOM!' },
+          headers: {
+            myHeader: 'foo',
+            'kbn-version': 'CUSTOM!',
+          },
         })
       ).rejects.toThrowErrorMatchingInlineSnapshot(
         `"Invalid fetch headers, headers beginning with \\"kbn-\\" are not allowed: [kbn-version]"`
       );
     });
 
+    it('should not allow overwriting of x-elastic-internal-origin header', async () => {
+      fetchMock.get('*', {});
+      await expect(
+        fetchInstance.fetch('/my/path', {
+          headers: {
+            myHeader: 'foo',
+            'x-elastic-internal-origin': 'anything',
+          },
+        })
+      ).rejects.toThrowErrorMatchingInlineSnapshot(
+        `"Invalid fetch headers, headers beginning with \\"x-elastic-internal-\\" are not allowed: [x-elastic-internal-origin]"`
+      );
+    });
+
     it('should not set kbn-system-request header by default', async () => {
       fetchMock.get('*', {});
       await fetchInstance.fetch('/my/path', {
@@ -310,6 +328,7 @@ describe('Fetch', () => {
         headers: {
           'content-type': 'application/json',
           'kbn-version': 'VERSION',
+          'x-elastic-internal-origin': 'Kibana',
         },
       });
     });

packages/core/http/core-http-browser-internal/src/fetch.ts

@@ -19,7 +19,10 @@ import type {
   HttpResponse,
   HttpFetchOptionsWithPath,
 } from '@kbn/core-http-browser';
-import { ELASTIC_HTTP_VERSION_HEADER } from '@kbn/core-http-common';
+import {
+  ELASTIC_HTTP_VERSION_HEADER,
+  X_ELASTIC_INTERNAL_ORIGIN_REQUEST,
+} from '@kbn/core-http-common';
 import { HttpFetchError } from './http_fetch_error';
 import { HttpInterceptController } from './http_intercept_controller';
 import { interceptRequest, interceptResponse } from './intercept';
@@ -131,6 +134,7 @@ export class Fetch {
         ...options.headers,
         'kbn-version': this.params.kibanaVersion,
         [ELASTIC_HTTP_VERSION_HEADER]: version,
+        [X_ELASTIC_INTERNAL_ORIGIN_REQUEST]: 'Kibana',
         ...(!isEmpty(context) ? new ExecutionContextContainer(context).toHeader() : {}),
       }),
     };
@@ -223,12 +227,23 @@ const validateFetchArguments = (
     );
   }
 
-  const invalidHeaders = Object.keys(fullOptions.headers ?? {}).filter((headerName) =>
+  const invalidKbnHeaders = Object.keys(fullOptions.headers ?? {}).filter((headerName) =>
     headerName.startsWith('kbn-')
   );
-  if (invalidHeaders.length) {
+  const invalidInternalOriginProducHeader = Object.keys(fullOptions.headers ?? {}).filter(
+    (headerName) => headerName.includes(X_ELASTIC_INTERNAL_ORIGIN_REQUEST)
+  );
+
+  if (invalidKbnHeaders.length) {
+    throw new Error(
+      `Invalid fetch headers, headers beginning with "kbn-" are not allowed: [${invalidKbnHeaders.join(
+        ','
+      )}]`
+    );
+  }
+  if (invalidInternalOriginProducHeader.length) {
     throw new Error(
-      `Invalid fetch headers, headers beginning with "kbn-" are not allowed: [${invalidHeaders.join(
+      `Invalid fetch headers, headers beginning with "x-elastic-internal-" are not allowed: [${invalidInternalOriginProducHeader.join(
         ','
       )}]`
     );

packages/core/http/core-http-browser/src/types.ts

@@ -148,6 +148,7 @@ export interface IAnonymousPaths {
 /**
  * Headers to append to the request. Any headers that begin with `kbn-` are considered private to Core and will cause
  * {@link HttpHandler} to throw an error.
+ * Includes the required Header that validates internal requests to internal APIs
  * @public
  */
 export interface HttpHeadersInit {

packages/core/http/core-http-common/index.ts

@@ -9,4 +9,4 @@
 export type { IExternalUrlPolicy } from './src/external_url_policy';
 
 export type { ApiVersion } from './src/versioning';
-export { ELASTIC_HTTP_VERSION_HEADER } from './src/constants';
+export { ELASTIC_HTTP_VERSION_HEADER, X_ELASTIC_INTERNAL_ORIGIN_REQUEST } from './src/constants';

packages/core/http/core-http-common/src/constants.ts

@@ -8,3 +8,5 @@
 
 /** @internal */
 export const ELASTIC_HTTP_VERSION_HEADER = 'elastic-api-version' as const;
+
+export const X_ELASTIC_INTERNAL_ORIGIN_REQUEST = 'x-elastic-internal-origin' as const;

packages/core/http/core-http-server-internal/src/http_config.ts

@@ -150,6 +150,7 @@ const configSchema = schema.object(
         },
       }
     ),
+    restrictInternalApis: schema.boolean({ defaultValue: false }), // allow access to internal routes by default to prevent breaking changes in current offerings
   },
   {
     validate: (rawConfig) => {
@@ -223,6 +224,7 @@ export class HttpConfig implements IHttpConfig {
   public xsrf: { disableProtection: boolean; allowlist: string[] };
   public requestId: { allowFromAnyIp: boolean; ipAllowlist: string[] };
   public shutdownTimeout: Duration;
+  public restrictInternalApis: boolean;
 
   /**
    * @internal
@@ -263,6 +265,7 @@ export class HttpConfig implements IHttpConfig {
     this.xsrf = rawHttpConfig.xsrf;
     this.requestId = rawHttpConfig.requestId;
     this.shutdownTimeout = rawHttpConfig.shutdownTimeout;
+    this.restrictInternalApis = rawHttpConfig.restrictInternalApis;
   }
 }
 

packages/core/http/core-http-server-internal/src/lifecycle_handlers.test.ts

@@ -13,10 +13,12 @@ import type {
   OnPreResponseToolkit,
   OnPostAuthToolkit,
   OnPreRoutingToolkit,
+  OnPostAuthHandler,
 } from '@kbn/core-http-server';
 import { mockRouter } from '@kbn/core-http-router-server-mocks';
 import {
   createCustomHeadersPreResponseHandler,
+  createRestrictInternalRoutesPostAuthHandler,
   createVersionCheckPostAuthHandler,
   createXsrfPostAuthHandler,
 } from './lifecycle_handlers';
@@ -242,6 +244,108 @@ describe('versionCheck post-auth handler', () => {
   });
 });
 
+describe('restrictInternal post-auth handler', () => {
+  let toolkit: ToolkitMock;
+  let responseFactory: ReturnType<typeof mockRouter.createResponseFactory>;
+
+  beforeEach(() => {
+    toolkit = createToolkit();
+    responseFactory = mockRouter.createResponseFactory();
+  });
+  const createForgeRequest = (
+    access: 'internal' | 'public',
+    headers: Record<string, string> | undefined = {}
+  ) => {
+    return forgeRequest({
+      method: 'get',
+      headers,
+      path: `/${access}/some-path`,
+      kibanaRouteOptions: {
+        xsrfRequired: false,
+        access,
+      },
+    });
+  };
+
+  const createForwardSuccess = (handler: OnPostAuthHandler, request: KibanaRequest) => {
+    toolkit.next.mockReturnValue('next' as any);
+    const result = handler(request, responseFactory, toolkit);
+
+    expect(toolkit.next).toHaveBeenCalledTimes(1);
+    expect(responseFactory.badRequest).not.toHaveBeenCalled();
+    expect(result).toBe('next');
+  };
+
+  describe('when restriction is enabled', () => {
+    const config = createConfig({
+      name: 'my-server-name',
+      restrictInternalApis: true,
+    });
+    it('returns a bad request if called without internal origin header for internal API', () => {
+      const handler = createRestrictInternalRoutesPostAuthHandler(config as HttpConfig);
+      const request = createForgeRequest('internal');
+
+      responseFactory.badRequest.mockReturnValue('badRequest' as any);
+
+      const result = handler(request, responseFactory, toolkit);
+
+      expect(toolkit.next).not.toHaveBeenCalled();
+      expect(responseFactory.badRequest.mock.calls[0][0]?.body).toMatch(
+        /uri \[.*\/internal\/some-path\] with method \[get\] exists but is not available with the current configuration/
+      );
+      expect(result).toBe('badRequest');
+    });
+
+    it('forward the request to the next interceptor if called with internal origin header for internal API', () => {
+      const handler = createRestrictInternalRoutesPostAuthHandler(config as HttpConfig);
+      const request = createForgeRequest('internal', { 'x-elastic-internal-origin': 'Kibana' });
+      createForwardSuccess(handler, request);
+    });
+
+    it('forward the request to the next interceptor if called with internal origin header for public APIs', () => {
+      const handler = createRestrictInternalRoutesPostAuthHandler(config as HttpConfig);
+      const request = createForgeRequest('public', { 'x-elastic-internal-origin': 'Kibana' });
+      createForwardSuccess(handler, request);
+    });
+
+    it('forward the request to the next interceptor if called without internal origin header for public APIs', () => {
+      const handler = createRestrictInternalRoutesPostAuthHandler(config as HttpConfig);
+      const request = createForgeRequest('public');
+      createForwardSuccess(handler, request);
+    });
+  });
+
+  describe('when restriction is not enabled', () => {
+    const config = createConfig({
+      name: 'my-server-name',
+      restrictInternalApis: false,
+    });
+    it('forward the request to the next interceptor if called without internal origin header for internal APIs', () => {
+      const handler = createRestrictInternalRoutesPostAuthHandler(config as HttpConfig);
+      const request = createForgeRequest('internal');
+      createForwardSuccess(handler, request);
+    });
+
+    it('forward the request to the next interceptor if called with internal origin header for internal API', () => {
+      const handler = createRestrictInternalRoutesPostAuthHandler(config as HttpConfig);
+      const request = createForgeRequest('internal', { 'x-elastic-internal-origin': 'Kibana' });
+      createForwardSuccess(handler, request);
+    });
+
+    it('forward the request to the next interceptor if called without internal origin header for public APIs', () => {
+      const handler = createRestrictInternalRoutesPostAuthHandler(config as HttpConfig);
+      const request = createForgeRequest('public');
+      createForwardSuccess(handler, request);
+    });
+
+    it('forward the request to the next interceptor if called with internal origin header for public APIs', () => {
+      const handler = createRestrictInternalRoutesPostAuthHandler(config as HttpConfig);
+      const request = createForgeRequest('public', { 'x-elastic-internal-origin': 'Kibana' });
+      createForwardSuccess(handler, request);
+    });
+  });
+});
+
 describe('customHeaders pre-response handler', () => {
   let toolkit: ToolkitMock;
 

packages/core/http/core-http-server-internal/src/lifecycle_handlers.ts

@@ -9,6 +9,7 @@
 import { Env } from '@kbn/config';
 import type { OnPostAuthHandler, OnPreResponseHandler } from '@kbn/core-http-server';
 import { isSafeMethod } from '@kbn/core-http-router-server-internal';
+import { X_ELASTIC_INTERNAL_ORIGIN_REQUEST } from '@kbn/core-http-common/src/constants';
 import { HttpConfig } from './http_config';
 import { LifecycleRegistrar } from './http_server';
 
@@ -39,6 +40,27 @@ export const createXsrfPostAuthHandler = (config: HttpConfig): OnPostAuthHandler
   };
 };
 
+export const createRestrictInternalRoutesPostAuthHandler = (
+  config: HttpConfig
+): OnPostAuthHandler => {
+  const isRestrictionEnabled = config.restrictInternalApis;
+
+  return (request, response, toolkit) => {
+    const isInternalRoute = request.route.options.access === 'internal';
+
+    // only check if the header is present, not it's content.
+    const hasInternalKibanaRequestHeader = X_ELASTIC_INTERNAL_ORIGIN_REQUEST in request.headers;
+
+    if (isRestrictionEnabled && isInternalRoute && !hasInternalKibanaRequestHeader) {
+      // throw 400
+      return response.badRequest({
+        body: `uri [${request.url}] with method [${request.route.method}] exists but is not available with the current configuration`,
+      });
+    }
+    return toolkit.next();
+  };
+};
+
 export const createVersionCheckPostAuthHandler = (kibanaVersion: string): OnPostAuthHandler => {
   return (request, response, toolkit) => {
     const requestVersion = request.headers[VERSION_HEADER];
@@ -60,7 +82,6 @@ export const createVersionCheckPostAuthHandler = (kibanaVersion: string): OnPost
   };
 };
 
-// TODO: implement header required for accessing internal routes. See https://github.com/elastic/kibana/issues/151940
 export const createCustomHeadersPreResponseHandler = (config: HttpConfig): OnPreResponseHandler => {
   const {
     name: serverName,
@@ -76,7 +97,6 @@ export const createCustomHeadersPreResponseHandler = (config: HttpConfig): OnPre
       'Content-Security-Policy': cspHeader,
       [KIBANA_NAME_HEADER]: serverName,
     };
-
     return toolkit.next({ headers: additionalHeaders });
   };
 };
@@ -86,7 +106,12 @@ export const registerCoreHandlers = (
   config: HttpConfig,
   env: Env
 ) => {
+  // add headers based on config
   registrar.registerOnPreResponse(createCustomHeadersPreResponseHandler(config));
+  // add extra request checks stuff
   registrar.registerOnPostAuth(createXsrfPostAuthHandler(config));
+  // add check on version
   registrar.registerOnPostAuth(createVersionCheckPostAuthHandler(env.packageInfo.version));
+  // add check on header if the route is internal
+  registrar.registerOnPostAuth(createRestrictInternalRoutesPostAuthHandler(config)); // strictly speaking, we should have access to route.options.access from the request on postAuth
 };

packages/core/http/core-http-server-mocks/src/test_utils.ts

@@ -50,6 +50,7 @@ const createConfigService = () => {
         shutdownTimeout: moment.duration(30, 'seconds'),
         keepaliveTimeout: 120_000,
         socketTimeout: 120_000,
+        restrictInternalApis: false,
       } as any);
     }
     if (path === 'externalUrl') {

packages/core/saved-objects/core-saved-objects-server-internal/src/routes/utils.test.ts

@@ -347,7 +347,11 @@ describe('throwIfAnyTypeNotVisibleByAPI', () => {
 
 describe('logWarnOnExternalRequest', () => {
   let logger: MockedLogger;
-  const firstPartyRequestHeaders = { 'kbn-version': 'a', referer: 'b' };
+  const firstPartyRequestHeaders = {
+    'kbn-version': 'a',
+    referer: 'b',
+    'x-elastic-internal-origin': 'foo',
+  };
   const kibRequest = httpServerMock.createKibanaRequest({ headers: firstPartyRequestHeaders });
   const extRequest = httpServerMock.createKibanaRequest();
 

packages/core/saved-objects/core-saved-objects-server-internal/src/routes/utils.ts

@@ -157,7 +157,9 @@ export interface BulkGetItem {
 export function isKibanaRequest({ headers }: KibanaRequest) {
   // The presence of these two request headers gives us a good indication that this is a first-party request from the Kibana client.
   // We can't be 100% certain, but this is a reasonable attempt.
-  return headers && headers['kbn-version'] && headers.referer;
+  return (
+    headers && headers['kbn-version'] && headers.referer && headers['x-elastic-internal-origin']
+  );
 }
 
 export interface LogWarnOnExternalRequest {