From 898e2d53579d0f531ad9f7517fe7899d575e6690 Mon Sep 17 00:00:00 2001 From: Joe Portner <5295965+jportner@users.noreply.github.com> Date: Fri, 7 Feb 2020 14:14:00 -0500 Subject: [PATCH 1/6] Fix detection of "system requests" This aligns plugin usage with the new way that the Kibana Platform handles checking for system requests. --- src/legacy/core_plugins/kibana/server/lib/system_api.js | 8 ++++++-- src/plugins/kibana_legacy/public/utils/system_api.ts | 9 ++++++--- x-pack/legacy/plugins/security/index.js | 3 --- .../security/server/authentication/authenticator.ts | 9 ++++----- x-pack/plugins/security/server/authentication/index.ts | 4 ---- x-pack/plugins/security/server/plugin.ts | 3 --- 6 files changed, 16 insertions(+), 20 deletions(-) diff --git a/src/legacy/core_plugins/kibana/server/lib/system_api.js b/src/legacy/core_plugins/kibana/server/lib/system_api.js index 3e2ab667dd98b..1e6954473a57a 100644 --- a/src/legacy/core_plugins/kibana/server/lib/system_api.js +++ b/src/legacy/core_plugins/kibana/server/lib/system_api.js @@ -17,7 +17,8 @@ * under the License. */ -const SYSTEM_API_HEADER_NAME = 'kbn-system-api'; +const SYSTEM_REQUEST_HEADER_NAME = 'kbn-system-request'; +const LEGACY_SYSTEM_API_HEADER_NAME = 'kbn-system-api'; /** * Checks on the *server-side*, if an HTTP request is a system API request @@ -27,5 +28,8 @@ const SYSTEM_API_HEADER_NAME = 'kbn-system-api'; * @deprecated Use KibanaRequest#isSystemApi */ export function isSystemApiRequest(request) { - return !!request.headers[SYSTEM_API_HEADER_NAME]; + return ( + !!request.headers[SYSTEM_REQUEST_HEADER_NAME] || + !!request.headers[LEGACY_SYSTEM_API_HEADER_NAME] + ); } diff --git a/src/plugins/kibana_legacy/public/utils/system_api.ts b/src/plugins/kibana_legacy/public/utils/system_api.ts index 397de4dcc2bb3..49d4a78584737 100644 --- a/src/plugins/kibana_legacy/public/utils/system_api.ts +++ b/src/plugins/kibana_legacy/public/utils/system_api.ts 
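Review bot: In `isSystemApiRequest` the `!!request.headers[...]` test accepts any non-empty header value, so a request carrying `kbn-system-request: false` is still classified as a system request. The authenticator tests later in this series send `'kbn-system-request': 'false'` to mean a non-system request, which suggests `request.isSystemRequest` compares the value rather than its presence; if so, the two checks disagree on the same request. Consider `request.headers[SYSTEM_REQUEST_HEADER_NAME] === 'true' || request.headers[LEGACY_SYSTEM_API_HEADER_NAME] === 'true'`, with the unit-test mocks switched to string values. The JSDoc tag `@deprecated Use KibanaRequest#isSystemApi` should also name the property this series actually reads, `KibanaRequest#isSystemRequest`.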
@@ -19,7 +19,8 @@ import { IRequestConfig } from 'angular'; -const SYSTEM_API_HEADER_NAME = 'kbn-system-api'; +const SYSTEM_REQUEST_HEADER_NAME = 'kbn-system-request'; +const LEGACY_SYSTEM_API_HEADER_NAME = 'kbn-system-api'; /** * Adds a custom header designating request as system API @@ -28,7 +29,7 @@ const SYSTEM_API_HEADER_NAME = 'kbn-system-api'; */ export function addSystemApiHeader(originalHeaders: Record) { const systemApiHeaders = { - [SYSTEM_API_HEADER_NAME]: true, + [SYSTEM_REQUEST_HEADER_NAME]: true, }; return { ...originalHeaders, @@ -44,5 +45,7 @@ export function addSystemApiHeader(originalHeaders: Record) { */ export function isSystemApiRequest(request: IRequestConfig) { const { headers } = request; - return headers && !!headers[SYSTEM_API_HEADER_NAME]; + return ( + headers && (!!headers[SYSTEM_REQUEST_HEADER_NAME] || !!headers[LEGACY_SYSTEM_API_HEADER_NAME]) + ); } diff --git a/x-pack/legacy/plugins/security/index.js b/x-pack/legacy/plugins/security/index.js index 9016398463b5f..bf9f8c9a01beb 100644 --- a/x-pack/legacy/plugins/security/index.js +++ b/x-pack/legacy/plugins/security/index.js @@ -114,9 +114,6 @@ export const security = kibana => const xpackInfo = server.plugins.xpack_main.info; securityPlugin.__legacyCompat.registerLegacyAPI({ auditLogger: new AuditLogger(server, 'security', config, xpackInfo), - isSystemAPIRequest: server.plugins.kibana.systemApi.isSystemApiRequest.bind( - server.plugins.kibana.systemApi - ), }); // Legacy xPack Info endpoint returns whatever we return in a callback for `registerLicenseCheckResultsGenerator` diff --git a/x-pack/plugins/security/server/authentication/authenticator.ts b/x-pack/plugins/security/server/authentication/authenticator.ts index ea7792e902ec1..3ab49d3c5b124 100644 --- a/x-pack/plugins/security/server/authentication/authenticator.ts +++ b/x-pack/plugins/security/server/authentication/authenticator.ts 
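Review bot: `isSystemApiRequest` in the `@@ -44,5 +45,7 @@` hunk of `system_api.ts` returns `headers && (...)`, so a request config without `headers` yields `undefined` rather than `false`, and no declared return type catches that. Coercing and annotating keeps callers on a real boolean: `export function isSystemApiRequest(request: IRequestConfig): boolean {` with `return !!headers && (!!headers[SYSTEM_REQUEST_HEADER_NAME] || !!headers[LEGACY_SYSTEM_API_HEADER_NAME]);`. A short comment on `LEGACY_SYSTEM_API_HEADER_NAME` should say that it is only read for backward compatibility and is no longer sent by `addSystemApiHeader`.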
@@ -88,7 +88,6 @@ export interface AuthenticatorOptions { loggers: LoggerFactory; clusterClient: IClusterClient; sessionStorageFactory: SessionStorageFactory; - isSystemAPIRequest: (request: KibanaRequest) => boolean; } // Mapping between provider key defined in the config and authentication @@ -310,7 +309,7 @@ export class Authenticator { this.updateSessionValue(sessionStorage, { providerType, - isSystemAPIRequest: this.options.isSystemAPIRequest(request), + isSystemRequest: request.isSystemRequest, authenticationResult, existingSession: ownsSession ? existingSession : null, }); @@ -434,12 +433,12 @@ export class Authenticator { providerType, authenticationResult, existingSession, - isSystemAPIRequest, + isSystemRequest, }: { providerType: string; authenticationResult: AuthenticationResult; existingSession: ProviderSession | null; - isSystemAPIRequest: boolean; + isSystemRequest: boolean; } ) { if (!existingSession && !authenticationResult.shouldUpdateState()) { @@ -451,7 +450,7 @@ export class Authenticator { // state we should store it in the session regardless of whether it's a system API request or not. const sessionCanBeUpdated = (authenticationResult.succeeded() || authenticationResult.redirected()) && - (authenticationResult.shouldUpdateState() || !isSystemAPIRequest); + (authenticationResult.shouldUpdateState() || !isSystemRequest); // If provider owned the session, but failed to authenticate anyway, that likely means that // session is not valid and we should clear it. Also provider can specifically ask to clear diff --git a/x-pack/plugins/security/server/authentication/index.ts b/x-pack/plugins/security/server/authentication/index.ts index 4b73430ff13c4..467afe0034025 100644 --- a/x-pack/plugins/security/server/authentication/index.ts +++ b/x-pack/plugins/security/server/authentication/index.ts 
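Review bot: `isSystemRequest: request.isSystemRequest` in the `@@ -310,7 +309,7 @@` hunk passes along a flag that, judging by the tests in this series, is derived from the client-supplied `kbn-system-request` header, and nothing near `sessionCanBeUpdated` records that it is untrusted. In the visible lines its only use is to skip a session update, so a forged header can at most keep that request from extending the caller's own session; stating this guards against later changes treating the flag as a trust signal. Suggested comment above `sessionCanBeUpdated`: `// isSystemRequest comes from a request header the client controls; use it only to skip session extension, never to relax authentication.` The existing comment there still says "system API request" and could be reworded to match the new name. Both methods begin and end outside the hunks shown.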
@@ -14,7 +14,6 @@ import { AuthenticatedUser } from '../../common/model'; import { ConfigType } from '../config'; import { getErrorStatusCode } from '../errors'; import { Authenticator, ProviderSession } from './authenticator'; -import { LegacyAPI } from '../plugin'; import { APIKeys, CreateAPIKeyParams, InvalidateAPIKeyParams } from './api_keys'; import { SecurityLicense } from '../../common/licensing'; @@ -36,7 +35,6 @@ interface SetupAuthenticationParams { config: ConfigType; license: SecurityLicense; loggers: LoggerFactory; - getLegacyAPI(): Pick; } export type Authentication = UnwrapPromise>; @@ -47,7 +45,6 @@ export async function setupAuthentication({ config, license, loggers, - getLegacyAPI, }: SetupAuthenticationParams) { const authLogger = loggers.get('authentication'); @@ -83,7 +80,6 @@ export async function setupAuthentication({ clusterClient, basePath: http.basePath, config: { session: config.session, authc: config.authc }, - isSystemAPIRequest: (request: KibanaRequest) => getLegacyAPI().isSystemAPIRequest(request), loggers, sessionStorageFactory: await http.createCookieSessionStorageFactory({ encryptionKey: config.encryptionKey, diff --git a/x-pack/plugins/security/server/plugin.ts b/x-pack/plugins/security/server/plugin.ts index 5764418234739..328f2917fd550 100644 --- a/x-pack/plugins/security/server/plugin.ts +++ b/x-pack/plugins/security/server/plugin.ts @@ -9,7 +9,6 @@ import { first } from 'rxjs/operators'; import { ICustomClusterClient, CoreSetup, - KibanaRequest, Logger, PluginInitializerContext, RecursiveReadonly, @@ -40,7 +39,6 @@ export type FeaturesService = Pick; * to function properly. */ export interface LegacyAPI { - isSystemAPIRequest: (request: KibanaRequest) => boolean; auditLogger: { log: (eventType: string, message: string, data?: Record) => void; }; @@ -133,7 +131,6 @@ export class Plugin { config, license, loggers: this.initializerContext.logger, - getLegacyAPI: this.getLegacyAPI, }); const authz = await setupAuthorization({ 
From 34987b1c52556f619ed5d6912873376b60718bb2 Mon Sep 17 00:00:00 2001 From: Joe Portner <5295965+jportner@users.noreply.github.com> Date: Fri, 7 Feb 2020 15:16:02 -0500 Subject: [PATCH 2/6] Update tests --- .../kibana/server/lib/__tests__/system_api.js | 11 ++++++++++- .../ui/public/system_api/__tests__/system_api.js | 15 ++++++++++++--- .../test/api_integration/apis/security/session.ts | 2 +- .../apis/security/kerberos_login.ts | 2 +- .../apis/authorization_code_flow/oidc_auth.js | 2 +- .../apis/security/saml_login.ts | 2 +- 6 files changed, 26 insertions(+), 8 deletions(-) diff --git a/src/legacy/core_plugins/kibana/server/lib/__tests__/system_api.js b/src/legacy/core_plugins/kibana/server/lib/__tests__/system_api.js index a63a93f3a70d5..2676087c320b3 100644 --- a/src/legacy/core_plugins/kibana/server/lib/__tests__/system_api.js +++ b/src/legacy/core_plugins/kibana/server/lib/__tests__/system_api.js @@ -22,7 +22,16 @@ import { isSystemApiRequest } from '../system_api'; describe('system_api', () => { describe('#isSystemApiRequest', () => { - it('returns true for a system API HTTP request', () => { + it('returns true for a system HTTP request', () => { + const mockHapiRequest = { + headers: { + 'kbn-system-request': true, + }, + }; + expect(isSystemApiRequest(mockHapiRequest)).to.be(true); + }); + + it('returns true for a legacy system API HTTP request', () => { const mockHapiRequest = { headers: { 'kbn-system-api': true, diff --git a/src/legacy/ui/public/system_api/__tests__/system_api.js b/src/legacy/ui/public/system_api/__tests__/system_api.js index 822edaa08fdd6..816024f13f8b2 100644 --- a/src/legacy/ui/public/system_api/__tests__/system_api.js +++ b/src/legacy/ui/public/system_api/__tests__/system_api.js 
@@ -31,8 +31,8 @@ describe('system_api', () => { }; const newHeaders = addSystemApiHeader(headers); - expect(newHeaders).to.have.property('kbn-system-api'); - expect(newHeaders['kbn-system-api']).to.be(true); + expect(newHeaders).to.have.property('kbn-system-request'); + expect(newHeaders['kbn-system-request']).to.be(true); expect(newHeaders).to.have.property('kbn-version'); expect(newHeaders['kbn-version']).to.be('4.6.0'); @@ -40,7 +40,16 @@ describe('system_api', () => { }); describe('#isSystemApiRequest', () => { - it('returns true for a system API HTTP request', () => { + it('returns true for a system HTTP request', () => { + const mockRequest = { + headers: { + 'kbn-system-request': true, + }, + }; + expect(isSystemApiRequest(mockRequest)).to.be(true); + }); + + it('returns true for a legacy system API HTTP request', () => { const mockRequest = { headers: { 'kbn-system-api': true, diff --git a/x-pack/test/api_integration/apis/security/session.ts b/x-pack/test/api_integration/apis/security/session.ts index 5d0935bb1ae2d..d819dd38dddb1 100644 --- a/x-pack/test/api_integration/apis/security/session.ts +++ b/x-pack/test/api_integration/apis/security/session.ts @@ -28,7 +28,7 @@ export default function({ getService }: FtrProviderContext) { supertest .get('/internal/security/session') .set('kbn-xsrf', 'xxx') - .set('kbn-system-api', 'true') + .set('kbn-system-request', 'true') .set('Cookie', sessionCookie.cookieString()) .send() .expect(200); diff --git a/x-pack/test/kerberos_api_integration/apis/security/kerberos_login.ts b/x-pack/test/kerberos_api_integration/apis/security/kerberos_login.ts index 570d7026cf99e..55853f8b0fbde 100644 --- a/x-pack/test/kerberos_api_integration/apis/security/kerberos_login.ts +++ b/x-pack/test/kerberos_api_integration/apis/security/kerberos_login.ts 
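Review bot: No integration test sends the legacy `kbn-system-api` header once the `session.ts` hunk and the matching ones in `kerberos_login.ts`, `oidc_auth.js`, `saml_login.ts`, `basic_login.js` and `pki_auth.ts` switch to `kbn-system-request`. PATCH 1/6 keeps `LEGACY_SYSTEM_API_HEADER_NAME` in the helpers, so older clients are presumably still expected to work, but whether the server-side `request.isSystemRequest` honours `kbn-system-api` is not visible in this series. Keeping one request with `.set('kbn-system-api', 'true')` and the same assertions would pin the backward-compatible behaviour, or make dropping it a deliberate, reviewed decision.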
@@ -199,7 +199,7 @@ export default function({ getService }: FtrProviderContext) { const systemAPIResponse = await supertest .get('/internal/security/me') .set('kbn-xsrf', 'xxx') - .set('kbn-system-api', 'true') + .set('kbn-system-request', 'true') .set('Cookie', sessionCookie.cookieString()) .expect(200); diff --git a/x-pack/test/oidc_api_integration/apis/authorization_code_flow/oidc_auth.js b/x-pack/test/oidc_api_integration/apis/authorization_code_flow/oidc_auth.js index 094537fd61436..abb65e46263ab 100644 --- a/x-pack/test/oidc_api_integration/apis/authorization_code_flow/oidc_auth.js +++ b/x-pack/test/oidc_api_integration/apis/authorization_code_flow/oidc_auth.js @@ -285,7 +285,7 @@ export default function({ getService }) { const systemAPIResponse = await supertest .get('/internal/security/me') .set('kbn-xsrf', 'xxx') - .set('kbn-system-api', 'true') + .set('kbn-system-request', 'true') .set('Cookie', sessionCookie.cookieString()) .expect(200); diff --git a/x-pack/test/saml_api_integration/apis/security/saml_login.ts b/x-pack/test/saml_api_integration/apis/security/saml_login.ts index 6ede8aadeb5a7..cfbec50557835 100644 --- a/x-pack/test/saml_api_integration/apis/security/saml_login.ts +++ b/x-pack/test/saml_api_integration/apis/security/saml_login.ts @@ -330,7 +330,7 @@ export default function({ getService }: FtrProviderContext) { const systemAPIResponse = await supertest .get('/internal/security/me') .set('kbn-xsrf', 'xxx') - .set('kbn-system-api', 'true') + .set('kbn-system-request', 'true') .set('Cookie', sessionCookie.cookieString()) .expect(200); From 04a78cd4761ff22fe36e953e775e91851e143197 Mon Sep 17 00:00:00 2001 From: Joe Portner <5295965+jportner@users.noreply.github.com> Date: Fri, 7 Feb 2020 18:26:04 -0500 Subject: [PATCH 3/6] Update tests again --- .../authentication/authenticator.test.ts | 71 +++++++++++-------- .../server/authentication/index.test.ts | 3 - 2 files changed, 42 insertions(+), 32 deletions(-) 
diff --git a/x-pack/plugins/security/server/authentication/authenticator.test.ts b/x-pack/plugins/security/server/authentication/authenticator.test.ts index 8be1762133db6..65874ba3a461e 100644 --- a/x-pack/plugins/security/server/authentication/authenticator.test.ts +++ b/x-pack/plugins/security/server/authentication/authenticator.test.ts @@ -28,7 +28,6 @@ function getMockOptions(config: Partial = {}) { clusterClient: elasticsearchServiceMock.createClusterClient(), basePath: httpServiceMock.createSetupContract().basePath, loggers: loggingServiceMock.create(), - isSystemAPIRequest: jest.fn(), config: { session: { idleTimeout: null, lifespan: null }, authc: { providers: [], oidc: {}, saml: {} }, @@ -286,10 +285,11 @@ describe('Authenticator', () => { it('creates session whenever authentication provider returns state for system API requests', async () => { const user = mockAuthenticatedUser(); - const request = httpServerMock.createKibanaRequest(); + const request = httpServerMock.createKibanaRequest({ + headers: { 'kbn-system-request': 'true' }, + }); const authorization = `Basic ${Buffer.from('foo:bar').toString('base64')}`; - mockOptions.isSystemAPIRequest.mockReturnValue(true); mockBasicAuthenticationProvider.authenticate.mockResolvedValue( AuthenticationResult.succeeded(user, { state: { authorization } }) ); @@ -307,10 +307,11 @@ describe('Authenticator', () => { it('creates session whenever authentication provider returns state for non-system API requests', async () => { const user = mockAuthenticatedUser(); - const request = httpServerMock.createKibanaRequest(); + const request = httpServerMock.createKibanaRequest({ + headers: { 'kbn-system-request': 'false' }, + }); const authorization = `Basic ${Buffer.from('foo:bar').toString('base64')}`; - mockOptions.isSystemAPIRequest.mockReturnValue(false); mockBasicAuthenticationProvider.authenticate.mockResolvedValue( AuthenticationResult.succeeded(user, { state: { authorization } }) ); 
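Review bot: None of the non-system cases exercises a request that lacks the header: each one builds the request with `headers: { 'kbn-system-request': 'false' }`, starting at the `@@ -307,10 +307,11 @@` hunk and repeated in the later hunks of `authenticator.test.ts`. An ordinary user request presumably carries no `kbn-system-request` header at all, so at least one case should use plain `httpServerMock.createKibanaRequest()` and assert that the session is still extended. With the `isSystemAPIRequest` mock removed, these tests also depend on how `httpServerMock` derives `isSystemRequest` from headers, which is outside this diff; a one-line comment in `getMockOptions` saying so would help the next reader.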
@@ -328,9 +329,10 @@ describe('Authenticator', () => { it('does not extend session for system API calls.', async () => { const user = mockAuthenticatedUser(); - const request = httpServerMock.createKibanaRequest(); + const request = httpServerMock.createKibanaRequest({ + headers: { 'kbn-system-request': 'true' }, + }); - mockOptions.isSystemAPIRequest.mockReturnValue(true); mockBasicAuthenticationProvider.authenticate.mockResolvedValue( AuthenticationResult.succeeded(user) ); @@ -346,9 +348,10 @@ describe('Authenticator', () => { it('extends session for non-system API calls.', async () => { const user = mockAuthenticatedUser(); - const request = httpServerMock.createKibanaRequest(); + const request = httpServerMock.createKibanaRequest({ + headers: { 'kbn-system-request': 'false' }, + }); - mockOptions.isSystemAPIRequest.mockReturnValue(false); mockBasicAuthenticationProvider.authenticate.mockResolvedValue( AuthenticationResult.succeeded(user) ); @@ -510,9 +513,10 @@ describe('Authenticator', () => { }); it('does not touch session for system API calls if authentication fails with non-401 reason.', async () => { - const request = httpServerMock.createKibanaRequest(); + const request = httpServerMock.createKibanaRequest({ + headers: { 'kbn-system-request': 'true' }, + }); - mockOptions.isSystemAPIRequest.mockReturnValue(true); mockBasicAuthenticationProvider.authenticate.mockResolvedValue( AuthenticationResult.failed(new Error('some error')) ); @@ -526,9 +530,10 @@ describe('Authenticator', () => { }); it('does not touch session for non-system API calls if authentication fails with non-401 reason.', async () => { - const request = httpServerMock.createKibanaRequest(); + const request = httpServerMock.createKibanaRequest({ + headers: { 'kbn-system-request': 'false' }, + }); - mockOptions.isSystemAPIRequest.mockReturnValue(false); mockBasicAuthenticationProvider.authenticate.mockResolvedValue( AuthenticationResult.failed(new Error('some error')) ); 
@@ -544,9 +549,10 @@ describe('Authenticator', () => { it('replaces existing session with the one returned by authentication provider for system API requests', async () => { const user = mockAuthenticatedUser(); const newState = { authorization: 'Basic yyy' }; - const request = httpServerMock.createKibanaRequest(); + const request = httpServerMock.createKibanaRequest({ + headers: { 'kbn-system-request': 'true' }, + }); - mockOptions.isSystemAPIRequest.mockReturnValue(true); mockBasicAuthenticationProvider.authenticate.mockResolvedValue( AuthenticationResult.succeeded(user, { state: newState }) ); @@ -567,9 +573,10 @@ describe('Authenticator', () => { it('replaces existing session with the one returned by authentication provider for non-system API requests', async () => { const user = mockAuthenticatedUser(); const newState = { authorization: 'Basic yyy' }; - const request = httpServerMock.createKibanaRequest(); + const request = httpServerMock.createKibanaRequest({ + headers: { 'kbn-system-request': 'false' }, + }); - mockOptions.isSystemAPIRequest.mockReturnValue(false); mockBasicAuthenticationProvider.authenticate.mockResolvedValue( AuthenticationResult.succeeded(user, { state: newState }) ); @@ -588,9 +595,10 @@ describe('Authenticator', () => { }); it('clears session if provider failed to authenticate system API request with 401 with active session.', async () => { - const request = httpServerMock.createKibanaRequest(); + const request = httpServerMock.createKibanaRequest({ + headers: { 'kbn-system-request': 'true' }, + }); - mockOptions.isSystemAPIRequest.mockReturnValue(true); mockBasicAuthenticationProvider.authenticate.mockResolvedValue( AuthenticationResult.failed(Boom.unauthorized()) ); 
@@ -604,9 +612,10 @@ describe('Authenticator', () => { }); it('clears session if provider failed to authenticate non-system API request with 401 with active session.', async () => { - const request = httpServerMock.createKibanaRequest(); + const request = httpServerMock.createKibanaRequest({ + headers: { 'kbn-system-request': 'false' }, + }); - mockOptions.isSystemAPIRequest.mockReturnValue(false); mockBasicAuthenticationProvider.authenticate.mockResolvedValue( AuthenticationResult.failed(Boom.unauthorized()) ); @@ -635,9 +644,10 @@ describe('Authenticator', () => { }); it('does not clear session if provider can not handle system API request authentication with active session.', async () => { - const request = httpServerMock.createKibanaRequest(); + const request = httpServerMock.createKibanaRequest({ + headers: { 'kbn-system-request': 'true' }, + }); - mockOptions.isSystemAPIRequest.mockReturnValue(true); mockBasicAuthenticationProvider.authenticate.mockResolvedValue( AuthenticationResult.notHandled() ); @@ -651,9 +661,10 @@ describe('Authenticator', () => { }); it('does not clear session if provider can not handle non-system API request authentication with active session.', async () => { - const request = httpServerMock.createKibanaRequest(); + const request = httpServerMock.createKibanaRequest({ + headers: { 'kbn-system-request': 'false' }, + }); - mockOptions.isSystemAPIRequest.mockReturnValue(false); mockBasicAuthenticationProvider.authenticate.mockResolvedValue( AuthenticationResult.notHandled() ); 
@@ -667,9 +678,10 @@ describe('Authenticator', () => { }); it('clears session for system API request if it belongs to not configured provider.', async () => { - const request = httpServerMock.createKibanaRequest(); + const request = httpServerMock.createKibanaRequest({ + headers: { 'kbn-system-request': 'true' }, + }); - mockOptions.isSystemAPIRequest.mockReturnValue(true); mockBasicAuthenticationProvider.authenticate.mockResolvedValue( AuthenticationResult.notHandled() ); @@ -683,9 +695,10 @@ describe('Authenticator', () => { }); it('clears session for non-system API request if it belongs to not configured provider.', async () => { - const request = httpServerMock.createKibanaRequest(); + const request = httpServerMock.createKibanaRequest({ + headers: { 'kbn-system-request': 'false' }, + }); - mockOptions.isSystemAPIRequest.mockReturnValue(false); mockBasicAuthenticationProvider.authenticate.mockResolvedValue( AuthenticationResult.notHandled() ); diff --git a/x-pack/plugins/security/server/authentication/index.test.ts b/x-pack/plugins/security/server/authentication/index.test.ts index d0de6d571b7a0..3727b1fc13dac 100644 --- a/x-pack/plugins/security/server/authentication/index.test.ts +++ b/x-pack/plugins/security/server/authentication/index.test.ts @@ -32,7 +32,6 @@ import { } from '../../../../../src/core/server'; import { AuthenticatedUser } from '../../common/model'; import { ConfigType, createConfig$ } from '../config'; -import { LegacyAPI } from '../plugin'; import { AuthenticationResult } from './authentication_result'; import { setupAuthentication } from '.'; import { @@ -47,7 +46,6 @@ describe('setupAuthentication()', () => { let mockSetupAuthenticationParams: { config: ConfigType; loggers: LoggerFactory; - getLegacyAPI(): Pick; http: jest.Mocked; clusterClient: jest.Mocked; license: jest.Mocked; 
@@ -73,7 +71,6 @@ describe('setupAuthentication()', () => { clusterClient: elasticsearchServiceMock.createClusterClient(), license: licenseMock.create(), loggers: loggingServiceMock.create(), - getLegacyAPI: jest.fn(), }; mockScopedClusterClient = elasticsearchServiceMock.createScopedClusterClient(); From e158fc42f71ece9917824f89bc78ce973e6f0e47 Mon Sep 17 00:00:00 2001 From: Joe Portner <5295965+jportner@users.noreply.github.com> Date: Wed, 12 Feb 2020 18:44:19 -0500 Subject: [PATCH 4/6] PR review feedback --- x-pack/test/api_integration/apis/security/basic_login.js | 2 +- x-pack/test/pki_api_integration/apis/security/pki_auth.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/x-pack/test/api_integration/apis/security/basic_login.js b/x-pack/test/api_integration/apis/security/basic_login.js index d4b41603944f6..9b6f49a9a916b 100644 --- a/x-pack/test/api_integration/apis/security/basic_login.js +++ b/x-pack/test/api_integration/apis/security/basic_login.js @@ -201,7 +201,7 @@ export default function({ getService }) { const systemAPIResponse = await supertest .get('/internal/security/me') .set('kbn-xsrf', 'xxx') - .set('kbn-system-api', 'true') + .set('kbn-system-request', 'true') .set('Cookie', sessionCookie.cookieString()) .expect(200); diff --git a/x-pack/test/pki_api_integration/apis/security/pki_auth.ts b/x-pack/test/pki_api_integration/apis/security/pki_auth.ts index 1ae7488fcf379..6cb92585de36e 100644 --- a/x-pack/test/pki_api_integration/apis/security/pki_auth.ts +++ b/x-pack/test/pki_api_integration/apis/security/pki_auth.ts @@ -242,7 +242,7 @@ export default function({ getService }: FtrProviderContext) { .ca(CA_CERT) .pfx(FIRST_CLIENT_CERT) .set('kbn-xsrf', 'xxx') - .set('kbn-system-api', 'true') + .set('kbn-system-request', 'true') .set('Cookie', sessionCookie.cookieString()) .expect(200); From 1e0509190f35d857758ab6a5e87f7ea3eb5abe31 Mon Sep 17 00:00:00 2001 
From: Joe Portner <5295965+jportner@users.noreply.github.com> Date: Thu, 13 Feb 2020 10:12:33 -0500 Subject: [PATCH 5/6] Remove unused internal system API --- .../kibana/server/lib/__tests__/system_api.js | 50 ------------------- .../kibana/server/lib/system_api.js | 35 ------------- 2 files changed, 85 deletions(-) delete mode 100644 src/legacy/core_plugins/kibana/server/lib/__tests__/system_api.js delete mode 100644 src/legacy/core_plugins/kibana/server/lib/system_api.js diff --git a/src/legacy/core_plugins/kibana/server/lib/__tests__/system_api.js b/src/legacy/core_plugins/kibana/server/lib/__tests__/system_api.js deleted file mode 100644 index 2676087c320b3..0000000000000 --- a/src/legacy/core_plugins/kibana/server/lib/__tests__/system_api.js +++ /dev/null 
@@ -1,50 +0,0 @@ -/* - * Licensed to Elasticsearch B.V. under one or more contributor - * license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright - * ownership. Elasticsearch B.V. licenses this file to you under - * the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -import expect from '@kbn/expect'; -import { isSystemApiRequest } from '../system_api'; - -describe('system_api', () => { - describe('#isSystemApiRequest', () => { - it('returns true for a system HTTP request', () => { - const mockHapiRequest = { - headers: { - 'kbn-system-request': true, - }, - }; - expect(isSystemApiRequest(mockHapiRequest)).to.be(true); - }); - - it('returns true for a legacy system API HTTP request', () => { - const mockHapiRequest = { - headers: { - 'kbn-system-api': true, - }, - }; - expect(isSystemApiRequest(mockHapiRequest)).to.be(true); - }); - - it('returns false for a non-system API HTTP request', () => { - const mockHapiRequest = { - headers: {}, - }; - expect(isSystemApiRequest(mockHapiRequest)).to.be(false); - }); - }); -}); diff --git a/src/legacy/core_plugins/kibana/server/lib/system_api.js b/src/legacy/core_plugins/kibana/server/lib/system_api.js deleted file mode 100644 index 1e6954473a57a..0000000000000 --- a/src/legacy/core_plugins/kibana/server/lib/system_api.js +++ /dev/null 
@@ -1,35 +0,0 @@ -/* - * Licensed to Elasticsearch B.V. under one or more contributor - * license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright - * ownership. Elasticsearch B.V. licenses this file to you under - * the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -const SYSTEM_REQUEST_HEADER_NAME = 'kbn-system-request'; -const LEGACY_SYSTEM_API_HEADER_NAME = 'kbn-system-api'; - -/** - * Checks on the *server-side*, if an HTTP request is a system API request - * - * @param request HAPI request object - * @return true if request is a system API request; false, otherwise - * @deprecated Use KibanaRequest#isSystemApi - */ -export function isSystemApiRequest(request) { - return ( - !!request.headers[SYSTEM_REQUEST_HEADER_NAME] || - !!request.headers[LEGACY_SYSTEM_API_HEADER_NAME] - ); -} From 3fcab8c4b09295fa88ec19034db7b03d359c6a0e Mon Sep 17 00:00:00 2001 From: Joe Portner <5295965+jportner@users.noreply.github.com> Date: Thu, 13 Feb 2020 11:29:34 -0500 Subject: [PATCH 6/6] Remove code that exposes internal system API --- src/legacy/core_plugins/kibana/index.js | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/legacy/core_plugins/kibana/index.js b/src/legacy/core_plugins/kibana/index.js index 395e0da218307..36563ba8cbe45 100644 --- a/src/legacy/core_plugins/kibana/index.js +++ b/src/legacy/core_plugins/kibana/index.js 
@@ -25,7 +25,6 @@ import { migrations } from './migrations'; import { importApi } from './server/routes/api/import'; import { exportApi } from './server/routes/api/export'; import { managementApi } from './server/routes/api/management'; -import * as systemApi from './server/lib/system_api'; import mappings from './mappings.json'; import { getUiSettingDefaults } from './ui_setting_defaults'; import { registerCspCollector } from './server/lib/csp_usage_collector'; @@ -323,7 +322,6 @@ export default function(kibana) { exportApi(server); managementApi(server); registerCspCollector(usageCollection, server); - server.expose('systemApi', systemApi); server.injectUiAppVars('kibana', () => injectVars(server)); }, });