From 7604fd7c8034012436161127f8091cf228bbcc63 Mon Sep 17 00:00:00 2001 From: Stacey Gammon Date: Wed, 9 Jun 2021 08:01:48 -0400 Subject: [PATCH] Improve security server types (#101661) * Remove RecursiveReadonly wrapper on public API items * Remove Pick and export some types that are part of the public API * Udpate api docs * Export API items that are part of the public API * Add extra comments * update api docs --- api_docs/cases.json | 162 ++- api_docs/licensing.json | 2 +- api_docs/security.json | 1054 ++++++++++++----- api_docs/security.mdx | 6 + api_docs/spaces.json | 10 +- x-pack/plugins/security/common/index.ts | 1 + .../authentication_service.mock.ts | 4 +- .../authentication/authentication_service.ts | 19 +- .../security/server/authentication/index.ts | 6 +- .../authorization/authorization_service.tsx | 19 +- .../security/server/authorization/index.ts | 6 +- x-pack/plugins/security/server/index.ts | 2 + x-pack/plugins/security/server/plugin.ts | 42 +- .../server/routes/api_keys/create.test.ts | 4 +- .../server/routes/api_keys/enabled.test.ts | 4 +- .../routes/authentication/common.test.ts | 4 +- .../server/routes/authentication/saml.test.ts | 4 +- .../plugins/security/server/routes/index.ts | 8 +- .../routes/users/change_password.test.ts | 4 +- .../security/server/saved_objects/index.ts | 4 +- .../secure_spaces_client_wrapper.test.ts | 9 +- 21 files changed, 911 insertions(+), 463 deletions(-) diff --git a/api_docs/cases.json b/api_docs/cases.json index 55ec344cb0bcb2..bc92995dff6e91 100644 --- a/api_docs/cases.json +++ b/api_docs/cases.json @@ -1035,7 +1035,7 @@ ], "source": { "path": "x-pack/plugins/cases/common/api/runtime_types.ts", - "lineNumber": 53 + "lineNumber": 49 }, "deprecated": false, "children": [ @@ -1051,7 +1051,7 @@ ], "source": { "path": "x-pack/plugins/cases/common/api/runtime_types.ts", - "lineNumber": 53 + "lineNumber": 49 }, "deprecated": false, "isRequired": true @@ -1074,7 +1074,7 @@ ], "source": { "path": "x-pack/plugins/cases/common/api/runtime_types.ts", - "lineNumber": 59 + "lineNumber": 55 }, "deprecated": false, "children": [ @@ -1091,7 +1091,7 @@ ], "source": { "path": "x-pack/plugins/cases/common/api/runtime_types.ts", - "lineNumber": 60 + "lineNumber": 56 }, "deprecated": false, "isRequired": true @@ -1108,7 +1108,7 @@ ], "source": { "path": "x-pack/plugins/cases/common/api/runtime_types.ts", - "lineNumber": 61 + "lineNumber": 57 }, "deprecated": false, "isRequired": true @@ -1129,7 +1129,7 @@ ], "source": { "path": "x-pack/plugins/cases/common/api/runtime_types.ts", - "lineNumber": 75 + "lineNumber": 71 }, "deprecated": false, "children": [ @@ -1145,7 +1145,7 @@ ], "source": { "path": "x-pack/plugins/cases/common/api/runtime_types.ts", - "lineNumber": 76 + "lineNumber": 72 }, "deprecated": false, "isRequired": true @@ -1170,7 +1170,7 @@ ], "source": { "path": "x-pack/plugins/cases/common/api/runtime_types.ts", - "lineNumber": 24 + "lineNumber": 20 }, "deprecated": true, "references": [], @@ -1187,7 +1187,7 @@ ], "source": { "path": "x-pack/plugins/cases/common/api/runtime_types.ts", - "lineNumber": 24 + "lineNumber": 20 }, "deprecated": false, "isRequired": true @@ -1634,62 +1634,6 @@ "returnComment": [], "initialIsOpen": false }, - { - "parentPluginId": "cases", - "id": "def-common.OmitProp", - "type": "Function", - "tags": [], - "label": "OmitProp", - "description": [], - "signature": [ - "(o: O, k: K) => Pick>" - ], - "source": { - "path": "x-pack/plugins/cases/common/api/runtime_types.ts", - "lineNumber": 17 - }, - "deprecated": false, - "children": [ - { - "parentPluginId": "cases", - "id": "def-common.OmitProp.$1", - "type": "Uncategorized", - "tags": [], - "label": "o", - "description": [], - "signature": [ - "O" - ], - "source": { - "path": "x-pack/plugins/cases/common/api/runtime_types.ts", - "lineNumber": 17 - }, - "deprecated": false, - "isRequired": true - }, - { - "parentPluginId": "cases", - "id": "def-common.OmitProp.$2", - "type": "Uncategorized", - "tags": [], - "label": "k", - "description": [], - "signature": [ - "K" - ], - "source": { - "path": "x-pack/plugins/cases/common/api/runtime_types.ts", - "lineNumber": 17 - }, - "deprecated": false, - "isRequired": true - } - ], - "returnComment": [], - "initialIsOpen": false - }, { "parentPluginId": "cases", "id": "def-common.throwErrors", @@ -1704,7 +1648,7 @@ ], "source": { "path": "x-pack/plugins/cases/common/api/runtime_types.ts", - "lineNumber": 55 + "lineNumber": 51 }, "deprecated": false, "children": [ @@ -1720,7 +1664,7 @@ ], "source": { "path": "x-pack/plugins/cases/common/api/runtime_types.ts", - "lineNumber": 55 + "lineNumber": 51 }, "deprecated": false, "isRequired": true @@ -5278,7 +5222,7 @@ "section": "def-common.ConnectorTypes", "text": "ConnectorTypes" }, - ".none; fields: null; }); closure_type: \"close-by-user\" | \"close-by-pushing\"; owner: string; } & { created_at: string; created_by: { email: string | null | undefined; full_name: string | null | undefined; username: string | null | undefined; }; updated_at: string | null; updated_by: { email: string | null | undefined; full_name: string | null | undefined; username: string | null | undefined; } | null; } & { mappings: { action_type: \"append\" | \"overwrite\" | \"nothing\"; source: \"description\" | \"title\" | \"comments\"; target: string; }[]; owner: string; } & { id: string; version: string; error: string | null; owner: string; })[]" + ".none; fields: null; }); closure_type: \"close-by-user\" | \"close-by-pushing\"; } & { owner: string; } & { created_at: string; created_by: { email: string | null | undefined; full_name: string | null | undefined; username: string | null | undefined; }; updated_at: string | null; updated_by: { email: string | null | undefined; full_name: string | null | undefined; username: string | null | undefined; } | null; } & { mappings: { action_type: \"append\" | \"overwrite\" | \"nothing\"; source: \"description\" | \"title\" | \"comments\"; target: string; }[]; owner: string; } & { id: string; version: string; error: string | null; owner: string; })[]" ], "source": { "path": "x-pack/plugins/cases/common/api/cases/configure.ts", @@ -5335,7 +5279,7 @@ "section": "def-common.ConnectorTypes", "text": "ConnectorTypes" }, - ".none; fields: null; }); closure_type: \"close-by-user\" | \"close-by-pushing\"; owner: string; }" + ".none; fields: null; }); closure_type: \"close-by-user\" | \"close-by-pushing\"; } & { owner: string; }" ], "source": { "path": "x-pack/plugins/cases/common/api/cases/configure.ts", @@ -5392,7 +5336,7 @@ "section": "def-common.ConnectorTypes", "text": "ConnectorTypes" }, - ".none; fields: null; }); closure_type: \"close-by-user\" | \"close-by-pushing\"; owner: string; } & { created_at: string; created_by: { email: string | null | undefined; full_name: string | null | undefined; username: string | null | undefined; }; updated_at: string | null; updated_by: { email: string | null | undefined; full_name: string | null | undefined; username: string | null | undefined; } | null; }" + ".none; fields: null; }); closure_type: \"close-by-user\" | \"close-by-pushing\"; } & { owner: string; } & { created_at: string; created_by: { email: string | null | undefined; full_name: string | null | undefined; username: string | null | undefined; }; updated_at: string | null; updated_by: { email: string | null | undefined; full_name: string | null | undefined; username: string | null | undefined; } | null; }" ], "source": { "path": "x-pack/plugins/cases/common/api/cases/configure.ts", @@ -5506,7 +5450,7 @@ "section": "def-common.ConnectorTypes", "text": "ConnectorTypes" }, - ".none; fields: null; }); closure_type: \"close-by-user\" | \"close-by-pushing\"; owner: string; }" + ".none; fields: null; }); closure_type: \"close-by-user\" | \"close-by-pushing\"; } & { owner: string; }" ], "source": { "path": "x-pack/plugins/cases/common/api/cases/configure.ts", @@ -5563,7 +5507,7 @@ "section": "def-common.ConnectorTypes", "text": "ConnectorTypes" }, - ".none; fields: null; }); closure_type: \"close-by-user\" | \"close-by-pushing\"; owner: string; } & { created_at: string; created_by: { email: string | null | undefined; full_name: string | null | undefined; username: string | null | undefined; }; updated_at: string | null; updated_by: { email: string | null | undefined; full_name: string | null | undefined; username: string | null | undefined; } | null; } & { mappings: { action_type: \"append\" | \"overwrite\" | \"nothing\"; source: \"description\" | \"title\" | \"comments\"; target: string; }[]; owner: string; } & { id: string; version: string; error: string | null; owner: string; }" + ".none; fields: null; }); closure_type: \"close-by-user\" | \"close-by-pushing\"; } & { owner: string; } & { created_at: string; created_by: { email: string | null | undefined; full_name: string | null | undefined; username: string | null | undefined; }; updated_at: string | null; updated_by: { email: string | null | undefined; full_name: string | null | undefined; username: string | null | undefined; } | null; } & { mappings: { action_type: \"append\" | \"overwrite\" | \"nothing\"; source: \"description\" | \"title\" | \"comments\"; target: string; }[]; owner: string; } & { id: string; version: string; error: string | null; owner: string; }" ], "source": { "path": "x-pack/plugins/cases/common/api/cases/configure.ts", @@ -7187,7 +7131,7 @@ "section": "def-common.ConnectorTypes", "text": "ConnectorTypes" }, - ".none; fields: null; }); closure_type: \"close-by-user\" | \"close-by-pushing\"; owner: string; } & { created_at: string; created_by: { email: string | null | undefined; full_name: string | null | undefined; username: string | null | undefined; }; updated_at: string | null; updated_by: { email: string | null | undefined; full_name: string | null | undefined; username: string | null | undefined; } | null; }, \"updated_at\" | \"owner\" | \"created_at\" | \"created_by\" | \"updated_by\" | \"closure_type\"> & { connector: ", + ".none; fields: null; }); closure_type: \"close-by-user\" | \"close-by-pushing\"; } & { owner: string; } & { created_at: string; created_by: { email: string | null | undefined; full_name: string | null | undefined; username: string | null | undefined; }; updated_at: string | null; updated_by: { email: string | null | undefined; full_name: string | null | undefined; username: string | null | undefined; } | null; }, \"updated_at\" | \"owner\" | \"created_at\" | \"created_by\" | \"updated_by\" | \"closure_type\"> & { connector: ", { "pluginId": "cases", "scope": "common", @@ -7359,6 +7303,40 @@ "deprecated": false, "initialIsOpen": false }, + { + "parentPluginId": "cases", + "id": "def-common.MAX_CONCURRENT_SEARCHES", + "type": "number", + "tags": [], + "label": "MAX_CONCURRENT_SEARCHES", + "description": [], + "signature": [ + "10" + ], + "source": { + "path": "x-pack/plugins/cases/common/constants.ts", + "lineNumber": 97 + }, + "deprecated": false, + "initialIsOpen": false + }, + { + "parentPluginId": "cases", + "id": "def-common.MAX_DOCS_PER_PAGE", + "type": "number", + "tags": [], + "label": "MAX_DOCS_PER_PAGE", + "description": [], + "signature": [ + "10000" + ], + "source": { + "path": "x-pack/plugins/cases/common/constants.ts", + "lineNumber": 96 + }, + "deprecated": false, + "initialIsOpen": false + }, { "parentPluginId": "cases", "id": "def-common.MAX_GENERATED_ALERTS_PER_SUB_CASE", @@ -9365,6 +9343,8 @@ "<[", "IntersectionC", "<[", + "IntersectionC", + "<[", "TypeC", "<{ connector: ", "IntersectionC", @@ -9572,9 +9552,11 @@ "LiteralC", "<\"close-by-user\">, ", "LiteralC", - "<\"close-by-pushing\">]>; owner: ", + "<\"close-by-pushing\">]>; }>, ", + "TypeC", + "<{ owner: ", "StringC", - "; }>, ", + "; }>]>, ", "TypeC", "<{ created_at: ", "StringC", @@ -9701,6 +9683,8 @@ "label": "CaseConfigureAttributesRt", "description": [], "signature": [ + "IntersectionC", + "<[", "IntersectionC", "<[", "TypeC", @@ -9910,9 +9894,11 @@ "LiteralC", "<\"close-by-user\">, ", "LiteralC", - "<\"close-by-pushing\">]>; owner: ", + "<\"close-by-pushing\">]>; }>, ", + "TypeC", + "<{ owner: ", "StringC", - "; }>, ", + "; }>]>, ", "TypeC", "<{ created_at: ", "StringC", @@ -10019,6 +10005,8 @@ "<[", "IntersectionC", "<[", + "IntersectionC", + "<[", "TypeC", "<{ connector: ", "IntersectionC", @@ -10226,9 +10214,11 @@ "LiteralC", "<\"close-by-user\">, ", "LiteralC", - "<\"close-by-pushing\">]>; owner: ", + "<\"close-by-pushing\">]>; }>, ", + "TypeC", + "<{ owner: ", "StringC", - "; }>, ", + "; }>]>, ", "TypeC", "<{ created_at: ", "StringC", @@ -12728,7 +12718,7 @@ "IntersectionC", "<[", "PartialC", - ", ", "LiteralC", - "<\"close-by-pushing\">]>; owner: ", - "StringC", - "; }, \"connector\" | \"closure_type\">>, ", + "<\"close-by-pushing\">]>; }>, ", "TypeC", "<{ version: ", "StringC", @@ -12957,6 +12945,8 @@ "label": "CasesConfigureRequestRt", "description": [], "signature": [ + "IntersectionC", + "<[", "TypeC", "<{ connector: ", "IntersectionC", @@ -13164,9 +13154,11 @@ "LiteralC", "<\"close-by-user\">, ", "LiteralC", - "<\"close-by-pushing\">]>; owner: ", + "<\"close-by-pushing\">]>; }>, ", + "TypeC", + "<{ owner: ", "StringC", - "; }>" + "; }>]>" ], "source": { "path": "x-pack/plugins/cases/common/api/cases/configure.ts", diff --git a/api_docs/licensing.json b/api_docs/licensing.json index 6959c5fc0e5114..862a00e65215f4 100644 --- a/api_docs/licensing.json +++ b/api_docs/licensing.json @@ -3074,7 +3074,7 @@ "plugin": "security", "link": { "path": "x-pack/plugins/security/server/plugin.ts", - "lineNumber": 225 + "lineNumber": 229 } }, { diff --git a/api_docs/security.json b/api_docs/security.json index e0fd2a6bb33f2e..f7547221cec666 100644 --- a/api_docs/security.json +++ b/api_docs/security.json @@ -14,7 +14,13 @@ "\nRepresents the currently authenticated user." ], "signature": [ - "AuthenticatedUser", + { + "pluginId": "security", + "scope": "common", + "docId": "kibSecurityPluginApi", + "section": "def-common.AuthenticatedUser", + "text": "AuthenticatedUser" + }, " extends ", "User" ], @@ -120,7 +126,13 @@ ], "signature": [ "() => Promise<", - "AuthenticatedUser", + { + "pluginId": "security", + "scope": "common", + "docId": "kibSecurityPluginApi", + "section": "def-common.AuthenticatedUser", + "text": "AuthenticatedUser" + }, ">" ], "source": { @@ -943,6 +955,121 @@ ], "initialIsOpen": false }, + { + "parentPluginId": "security", + "id": "def-server.AuditServiceSetup", + "type": "Interface", + "tags": [], + "label": "AuditServiceSetup", + "description": [], + "source": { + "path": "x-pack/plugins/security/server/audit/audit_service.ts", + "lineNumber": 40 + }, + "deprecated": false, + "children": [ + { + "parentPluginId": "security", + "id": "def-server.AuditServiceSetup.asScoped", + "type": "Function", + "tags": [], + "label": "asScoped", + "description": [], + "signature": [ + "(request: ", + { + "pluginId": "core", + "scope": "server", + "docId": "kibCoreHttpPluginApi", + "section": "def-server.KibanaRequest", + "text": "KibanaRequest" + }, + ") => ", + { + "pluginId": "security", + "scope": "server", + "docId": "kibSecurityPluginApi", + "section": "def-server.AuditLogger", + "text": "AuditLogger" + } + ], + "source": { + "path": "x-pack/plugins/security/server/audit/audit_service.ts", + "lineNumber": 41 + }, + "deprecated": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "security", + "id": "def-server.request", + "type": "Object", + "tags": [], + "label": "request", + "description": [], + "signature": [ + { + "pluginId": "core", + "scope": "server", + "docId": "kibCoreHttpPluginApi", + "section": "def-server.KibanaRequest", + "text": "KibanaRequest" + }, + "" + ], + "source": { + "path": "x-pack/plugins/security/server/audit/audit_service.ts", + "lineNumber": 41 + }, + "deprecated": false + } + ] + }, + { + "parentPluginId": "security", + "id": "def-server.AuditServiceSetup.getLogger", + "type": "Function", + "tags": [], + "label": "getLogger", + "description": [], + "signature": [ + "(id?: string | undefined) => ", + { + "pluginId": "security", + "scope": "server", + "docId": "kibSecurityPluginApi", + "section": "def-server.LegacyAuditLogger", + "text": "LegacyAuditLogger" + } + ], + "source": { + "path": "x-pack/plugins/security/server/audit/audit_service.ts", + "lineNumber": 42 + }, + "deprecated": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "security", + "id": "def-server.id", + "type": "string", + "tags": [], + "label": "id", + "description": [], + "signature": [ + "string | undefined" + ], + "source": { + "path": "x-pack/plugins/security/server/audit/audit_service.ts", + "lineNumber": 42 + }, + "deprecated": false + } + ] + } + ], + "initialIsOpen": false + }, { "parentPluginId": "security", "id": "def-server.AuthenticatedUser", @@ -953,7 +1080,13 @@ "\nRepresents the currently authenticated user." ], "signature": [ - "AuthenticatedUser", + { + "pluginId": "security", + "scope": "common", + "docId": "kibSecurityPluginApi", + "section": "def-common.AuthenticatedUser", + "text": "AuthenticatedUser" + }, " extends ", "User" ], @@ -1035,6 +1168,174 @@ ], "initialIsOpen": false }, + { + "parentPluginId": "security", + "id": "def-server.AuthenticationServiceStart", + "type": "Interface", + "tags": [], + "label": "AuthenticationServiceStart", + "description": [ + "\nAuthentication services available on the security plugin's start contract." + ], + "source": { + "path": "x-pack/plugins/security/server/authentication/authentication_service.ts", + "lineNumber": 72 + }, + "deprecated": false, + "children": [ + { + "parentPluginId": "security", + "id": "def-server.AuthenticationServiceStart.apiKeys", + "type": "Object", + "tags": [], + "label": "apiKeys", + "description": [], + "signature": [ + "{ create: (request: ", + { + "pluginId": "core", + "scope": "server", + "docId": "kibCoreHttpPluginApi", + "section": "def-server.KibanaRequest", + "text": "KibanaRequest" + }, + ", params: ", + "CreateAPIKeyParams", + ") => Promise<", + { + "pluginId": "security", + "scope": "server", + "docId": "kibSecurityPluginApi", + "section": "def-server.CreateAPIKeyResult", + "text": "CreateAPIKeyResult" + }, + " | null>; areAPIKeysEnabled: () => Promise; invalidate: (request: ", + { + "pluginId": "core", + "scope": "server", + "docId": "kibCoreHttpPluginApi", + "section": "def-server.KibanaRequest", + "text": "KibanaRequest" + }, + ", params: ", + { + "pluginId": "security", + "scope": "server", + "docId": "kibSecurityPluginApi", + "section": "def-server.InvalidateAPIKeysParams", + "text": "InvalidateAPIKeysParams" + }, + ") => Promise<", + { + "pluginId": "security", + "scope": "server", + "docId": "kibSecurityPluginApi", + "section": "def-server.InvalidateAPIKeyResult", + "text": "InvalidateAPIKeyResult" + }, + " | null>; grantAsInternalUser: (request: ", + { + "pluginId": "core", + "scope": "server", + "docId": "kibCoreHttpPluginApi", + "section": "def-server.KibanaRequest", + "text": "KibanaRequest" + }, + ", createParams: ", + "CreateAPIKeyParams", + ") => Promise<", + { + "pluginId": "security", + "scope": "server", + "docId": "kibSecurityPluginApi", + "section": "def-server.GrantAPIKeyResult", + "text": "GrantAPIKeyResult" + }, + " | null>; invalidateAsInternalUser: (params: ", + { + "pluginId": "security", + "scope": "server", + "docId": "kibSecurityPluginApi", + "section": "def-server.InvalidateAPIKeysParams", + "text": "InvalidateAPIKeysParams" + }, + ") => Promise<", + { + "pluginId": "security", + "scope": "server", + "docId": "kibSecurityPluginApi", + "section": "def-server.InvalidateAPIKeyResult", + "text": "InvalidateAPIKeyResult" + }, + " | null>; }" + ], + "source": { + "path": "x-pack/plugins/security/server/authentication/authentication_service.ts", + "lineNumber": 73 + }, + "deprecated": false + }, + { + "parentPluginId": "security", + "id": "def-server.AuthenticationServiceStart.getCurrentUser", + "type": "Function", + "tags": [], + "label": "getCurrentUser", + "description": [], + "signature": [ + "(request: ", + { + "pluginId": "core", + "scope": "server", + "docId": "kibCoreHttpPluginApi", + "section": "def-server.KibanaRequest", + "text": "KibanaRequest" + }, + ") => ", + { + "pluginId": "security", + "scope": "common", + "docId": "kibSecurityPluginApi", + "section": "def-common.AuthenticatedUser", + "text": "AuthenticatedUser" + }, + " | null" + ], + "source": { + "path": "x-pack/plugins/security/server/authentication/authentication_service.ts", + "lineNumber": 81 + }, + "deprecated": false, + "returnComment": [], + "children": [ + { + "parentPluginId": "security", + "id": "def-server.request", + "type": "Object", + "tags": [], + "label": "request", + "description": [], + "signature": [ + { + "pluginId": "core", + "scope": "server", + "docId": "kibCoreHttpPluginApi", + "section": "def-server.KibanaRequest", + "text": "KibanaRequest" + }, + "" + ], + "source": { + "path": "x-pack/plugins/security/server/authentication/authentication_service.ts", + "lineNumber": 81 + }, + "deprecated": false + } + ] + } + ], + "initialIsOpen": false + }, { "parentPluginId": "security", "id": "def-server.CheckPrivilegesPayload", @@ -1496,385 +1797,484 @@ } ], "initialIsOpen": false + } + ], + "enums": [], + "misc": [ + { + "parentPluginId": "security", + "id": "def-server.AuthorizationServiceSetup", + "type": "Type", + "tags": [], + "label": "AuthorizationServiceSetup", + "description": [], + "source": { + "path": "x-pack/plugins/security/server/index.ts", + "lineNumber": 31 + }, + "deprecated": false, + "initialIsOpen": false }, { "parentPluginId": "security", - "id": "def-server.SecurityPluginSetup", - "type": "Interface", + "id": "def-server.ROUTE_TAG_CAN_REDIRECT", + "type": "string", "tags": [], - "label": "SecurityPluginSetup", + "label": "ROUTE_TAG_CAN_REDIRECT", "description": [ - "\nDescribes public Security plugin contract returned at the `setup` stage." + "\nIf the route is marked with this tag Security can safely assume that the calling party that sends\nrequest to this route can handle redirect responses. It's particularly important if we want the\nspecific route to be able to initiate or participate in the authentication handshake that may\ninvolve redirects and will eventually redirect authenticated user to this route." + ], + "signature": [ + "\"security:canRedirect\"" ], "source": { - "path": "x-pack/plugins/security/server/plugin.ts", - "lineNumber": 69 + "path": "x-pack/plugins/security/server/routes/tags.ts", + "lineNumber": 21 }, "deprecated": false, - "children": [ - { - "parentPluginId": "security", - "id": "def-server.SecurityPluginSetup.authc", - "type": "Object", - "tags": [ - "deprecated" - ], - "label": "authc", - "description": [], - "signature": [ - "{ getCurrentUser: (request: ", - { - "pluginId": "core", - "scope": "server", - "docId": "kibCoreHttpPluginApi", - "section": "def-server.KibanaRequest", - "text": "KibanaRequest" - }, - ") => ", - "AuthenticatedUser", - " | null; }" - ], - "source": { - "path": "x-pack/plugins/security/server/plugin.ts", - "lineNumber": 73 + "initialIsOpen": false + } + ], + "objects": [], + "setup": { + "parentPluginId": "security", + "id": "def-server.SecurityPluginSetup", + "type": "Interface", + "tags": [], + "label": "SecurityPluginSetup", + "description": [ + "\nDescribes public Security plugin contract returned at the `setup` stage." + ], + "source": { + "path": "x-pack/plugins/security/server/plugin.ts", + "lineNumber": 72 + }, + "deprecated": false, + "children": [ + { + "parentPluginId": "security", + "id": "def-server.SecurityPluginSetup.authc", + "type": "Object", + "tags": [ + "deprecated" + ], + "label": "authc", + "description": [], + "signature": [ + "{ getCurrentUser: (request: ", + { + "pluginId": "core", + "scope": "server", + "docId": "kibCoreHttpPluginApi", + "section": "def-server.KibanaRequest", + "text": "KibanaRequest" }, - "deprecated": true, - "references": [ - { - "plugin": "reporting", - "link": { - "path": "x-pack/plugins/reporting/server/routes/lib/get_user.ts", - "lineNumber": 13 - } - }, - { - "plugin": "encryptedSavedObjects", - "link": { - "path": "x-pack/plugins/encrypted_saved_objects/server/crypto/encryption_key_rotation_service.ts", - "lineNumber": 107 - } - }, - { - "plugin": "encryptedSavedObjects", - "link": { - "path": "x-pack/plugins/encrypted_saved_objects/server/saved_objects/index.ts", - "lineNumber": 67 - } - }, - { - "plugin": "actions", - "link": { - "path": "x-pack/plugins/actions/server/plugin.ts", - "lineNumber": 444 - } - }, - { - "plugin": "ml", - "link": { - "path": "x-pack/plugins/ml/server/routes/annotations.ts", - "lineNumber": 105 - } - }, - { - "plugin": "dashboardMode", - "link": { - "path": "x-pack/plugins/dashboard_mode/server/interceptors/dashboard_mode_request_interceptor.ts", - "lineNumber": 33 - } - }, - { - "plugin": "dataEnhanced", - "link": { - "path": "x-pack/plugins/data_enhanced/server/search/session/session_service.ts", - "lineNumber": 448 - } - }, - { - "plugin": "logstash", - "link": { - "path": "x-pack/plugins/logstash/server/routes/pipeline/save.ts", - "lineNumber": 41 - } - }, - { - "plugin": "securitySolution", - "link": { - "path": "x-pack/plugins/security_solution/server/lib/detection_engine/routes/signals/create_signals_migration_route.ts", - "lineNumber": 48 - } - }, - { - "plugin": "securitySolution", - "link": { - "path": "x-pack/plugins/security_solution/server/lib/detection_engine/routes/signals/delete_signals_migration_route.ts", - "lineNumber": 45 - } - }, - { - "plugin": "securitySolution", - "link": { - "path": "x-pack/plugins/security_solution/server/lib/detection_engine/routes/signals/finalize_signals_migration_route.ts", - "lineNumber": 45 - } - }, - { - "plugin": "securitySolution", - "link": { - "path": "x-pack/plugins/security_solution/server/lib/timeline/utils/common.ts", - "lineNumber": 28 - } + ") => ", + { + "pluginId": "security", + "scope": "common", + "docId": "kibSecurityPluginApi", + "section": "def-common.AuthenticatedUser", + "text": "AuthenticatedUser" + }, + " | null; }" + ], + "source": { + "path": "x-pack/plugins/security/server/plugin.ts", + "lineNumber": 76 + }, + "deprecated": true, + "references": [ + { + "plugin": "reporting", + "link": { + "path": "x-pack/plugins/reporting/server/routes/lib/get_user.ts", + "lineNumber": 13 } - ] + }, + { + "plugin": "encryptedSavedObjects", + "link": { + "path": "x-pack/plugins/encrypted_saved_objects/server/crypto/encryption_key_rotation_service.ts", + "lineNumber": 107 + } + }, + { + "plugin": "encryptedSavedObjects", + "link": { + "path": "x-pack/plugins/encrypted_saved_objects/server/saved_objects/index.ts", + "lineNumber": 67 + } + }, + { + "plugin": "actions", + "link": { + "path": "x-pack/plugins/actions/server/plugin.ts", + "lineNumber": 444 + } + }, + { + "plugin": "ml", + "link": { + "path": "x-pack/plugins/ml/server/routes/annotations.ts", + "lineNumber": 105 + } + }, + { + "plugin": "dashboardMode", + "link": { + "path": "x-pack/plugins/dashboard_mode/server/interceptors/dashboard_mode_request_interceptor.ts", + "lineNumber": 33 + } + }, + { + "plugin": "dataEnhanced", + "link": { + "path": "x-pack/plugins/data_enhanced/server/search/session/session_service.ts", + "lineNumber": 448 + } + }, + { + "plugin": "logstash", + "link": { + "path": "x-pack/plugins/logstash/server/routes/pipeline/save.ts", + "lineNumber": 41 + } + }, + { + "plugin": "securitySolution", + "link": { + "path": "x-pack/plugins/security_solution/server/lib/detection_engine/routes/signals/create_signals_migration_route.ts", + "lineNumber": 48 + } + }, + { + "plugin": "securitySolution", + "link": { + "path": "x-pack/plugins/security_solution/server/lib/detection_engine/routes/signals/delete_signals_migration_route.ts", + "lineNumber": 45 + } + }, + { + "plugin": "securitySolution", + "link": { + "path": "x-pack/plugins/security_solution/server/lib/detection_engine/routes/signals/finalize_signals_migration_route.ts", + "lineNumber": 45 + } + }, + { + "plugin": "securitySolution", + "link": { + "path": "x-pack/plugins/security_solution/server/lib/timeline/utils/common.ts", + "lineNumber": 28 + } + } + ] + }, + { + "parentPluginId": "security", + "id": "def-server.SecurityPluginSetup.authz", + "type": "Object", + "tags": [ + "deprecated" + ], + "label": "authz", + "description": [], + "signature": [ + { + "pluginId": "security", + "scope": "server", + "docId": "kibSecurityPluginApi", + "section": "def-server.AuthorizationServiceSetup", + "text": "AuthorizationServiceSetup" + } + ], + "source": { + "path": "x-pack/plugins/security/server/plugin.ts", + "lineNumber": 80 }, - { - "parentPluginId": "security", - "id": "def-server.SecurityPluginSetup.authz", - "type": "Object", - "tags": [ - "deprecated" - ], - "label": "authz", - "description": [], - "signature": [ - "{ mode: ", - "AuthorizationMode", - "; actions: ", - "Actions", - "; checkPrivilegesDynamicallyWithRequest: ", - "CheckPrivilegesDynamicallyWithRequest", - "; checkPrivilegesWithRequest: ", - "CheckPrivilegesWithRequest", - "; }" - ], - "source": { - "path": "x-pack/plugins/security/server/plugin.ts", - "lineNumber": 77 + "deprecated": true, + "references": [ + { + "plugin": "actions", + "link": { + "path": "x-pack/plugins/actions/server/plugin.ts", + "lineNumber": 443 + } }, - "deprecated": true, - "references": [ - { - "plugin": "actions", - "link": { - "path": "x-pack/plugins/actions/server/plugin.ts", - "lineNumber": 443 - } - }, - { - "plugin": "ml", - "link": { - "path": "x-pack/plugins/ml/server/saved_objects/initialization/initialization.ts", - "lineNumber": 54 - } - }, - { - "plugin": "ml", - "link": { - "path": "x-pack/plugins/ml/server/plugin.ts", - "lineNumber": 153 - } - }, - { - "plugin": "ml", - "link": { - "path": "x-pack/plugins/ml/server/plugin.ts", - "lineNumber": 203 - } - }, - { - "plugin": "enterpriseSearch", - "link": { - "path": "x-pack/plugins/enterprise_search/server/lib/check_access.ts", - "lineNumber": 46 - } - }, - { - "plugin": "enterpriseSearch", - "link": { - "path": "x-pack/plugins/enterprise_search/server/lib/check_access.ts", - "lineNumber": 86 - } - }, - { - "plugin": "enterpriseSearch", - "link": { - "path": "x-pack/plugins/enterprise_search/server/lib/check_access.ts", - "lineNumber": 88 - } - }, - { - "plugin": "savedObjectsTagging", - "link": { - "path": "x-pack/plugins/saved_objects_tagging/server/request_handler_context.ts", - "lineNumber": 37 - } + { + "plugin": "ml", + "link": { + "path": "x-pack/plugins/ml/server/saved_objects/initialization/initialization.ts", + "lineNumber": 54 } - ] + }, + { + "plugin": "ml", + "link": { + "path": "x-pack/plugins/ml/server/plugin.ts", + "lineNumber": 153 + } + }, + { + "plugin": "ml", + "link": { + "path": "x-pack/plugins/ml/server/plugin.ts", + "lineNumber": 203 + } + }, + { + "plugin": "enterpriseSearch", + "link": { + "path": "x-pack/plugins/enterprise_search/server/lib/check_access.ts", + "lineNumber": 46 + } + }, + { + "plugin": "enterpriseSearch", + "link": { + "path": "x-pack/plugins/enterprise_search/server/lib/check_access.ts", + "lineNumber": 86 + } + }, + { + "plugin": "enterpriseSearch", + "link": { + "path": "x-pack/plugins/enterprise_search/server/lib/check_access.ts", + "lineNumber": 88 + } + }, + { + "plugin": "savedObjectsTagging", + "link": { + "path": "x-pack/plugins/saved_objects_tagging/server/request_handler_context.ts", + "lineNumber": 37 + } + } + ] + }, + { + "parentPluginId": "security", + "id": "def-server.SecurityPluginSetup.license", + "type": "Object", + "tags": [], + "label": "license", + "description": [ + "\nExposes information about the available security features under the current license." + ], + "signature": [ + { + "pluginId": "security", + "scope": "common", + "docId": "kibSecurityPluginApi", + "section": "def-common.SecurityLicense", + "text": "SecurityLicense" + } + ], + "source": { + "path": "x-pack/plugins/security/server/plugin.ts", + "lineNumber": 84 }, + "deprecated": false + }, + { + "parentPluginId": "security", + "id": "def-server.SecurityPluginSetup.audit", + "type": "Object", + "tags": [], + "label": "audit", + "description": [ + "\nExposes services for audit logging." + ], + "signature": [ + { + "pluginId": "security", + "scope": "server", + "docId": "kibSecurityPluginApi", + "section": "def-server.AuditServiceSetup", + "text": "AuditServiceSetup" + } + ], + "source": { + "path": "x-pack/plugins/security/server/plugin.ts", + "lineNumber": 88 + }, + "deprecated": false + } + ], + "lifecycle": "setup", + "initialIsOpen": true + }, + "start": { + "parentPluginId": "security", + "id": "def-server.SecurityPluginStart", + "type": "Interface", + "tags": [], + "label": "SecurityPluginStart", + "description": [ + "\nDescribes public Security plugin contract returned at the `start` stage." + ], + "source": { + "path": "x-pack/plugins/security/server/plugin.ts", + "lineNumber": 94 + }, + "deprecated": false, + "children": [ + { + "parentPluginId": "security", + "id": "def-server.SecurityPluginStart.authc", + "type": "Object", + "tags": [], + "label": "authc", + "description": [ + "\nAuthentication services to confirm the user is who they say they are." + ], + "signature": [ + { + "pluginId": "security", + "scope": "server", + "docId": "kibSecurityPluginApi", + "section": "def-server.AuthenticationServiceStart", + "text": "AuthenticationServiceStart" + } + ], + "source": { + "path": "x-pack/plugins/security/server/plugin.ts", + "lineNumber": 98 + }, + "deprecated": false + }, + { + "parentPluginId": "security", + "id": "def-server.SecurityPluginStart.authz", + "type": "Object", + "tags": [], + "label": "authz", + "description": [ + "\nAuthorization services to manage and access the permissions a particular user has." + ], + "signature": [ + { + "pluginId": "security", + "scope": "server", + "docId": "kibSecurityPluginApi", + "section": "def-server.AuthorizationServiceSetup", + "text": "AuthorizationServiceSetup" + } + ], + "source": { + "path": "x-pack/plugins/security/server/plugin.ts", + "lineNumber": 102 + }, + "deprecated": false + } + ], + "lifecycle": "start", + "initialIsOpen": true + } + }, + "common": { + "classes": [], + "functions": [], + "interfaces": [ + { + "parentPluginId": "security", + "id": "def-common.AuthenticatedUser", + "type": "Interface", + "tags": [], + "label": "AuthenticatedUser", + "description": [ + "\nRepresents the currently authenticated user." + ], + "signature": [ + { + "pluginId": "security", + "scope": "common", + "docId": "kibSecurityPluginApi", + "section": "def-common.AuthenticatedUser", + "text": "AuthenticatedUser" + }, + " extends ", + "User" + ], + "source": { + "path": "x-pack/plugins/security/common/model/authenticated_user.ts", + "lineNumber": 21 + }, + "deprecated": false, + "children": [ { "parentPluginId": "security", - "id": "def-server.SecurityPluginSetup.license", + "id": "def-common.AuthenticatedUser.authentication_realm", "type": "Object", "tags": [], - "label": "license", - "description": [], + "label": "authentication_realm", + "description": [ + "\nThe name and type of the Realm that has authenticated the user." + ], "signature": [ - { - "pluginId": "security", - "scope": "common", - "docId": "kibSecurityPluginApi", - "section": "def-common.SecurityLicense", - "text": "SecurityLicense" - } + "UserRealm" ], "source": { - "path": "x-pack/plugins/security/server/plugin.ts", - "lineNumber": 81 + "path": "x-pack/plugins/security/common/model/authenticated_user.ts", + "lineNumber": 25 }, "deprecated": false }, { "parentPluginId": "security", - "id": "def-server.SecurityPluginSetup.audit", + "id": "def-common.AuthenticatedUser.lookup_realm", "type": "Object", "tags": [], - "label": "audit", - "description": [], + "label": "lookup_realm", + "description": [ + "\nThe name and type of the Realm where the user information were retrieved from." + ], "signature": [ - "AuditServiceSetup" + "UserRealm" ], "source": { - "path": "x-pack/plugins/security/server/plugin.ts", - "lineNumber": 82 + "path": "x-pack/plugins/security/common/model/authenticated_user.ts", + "lineNumber": 30 }, "deprecated": false - } - ], - "initialIsOpen": false - }, - { - "parentPluginId": "security", - "id": "def-server.SecurityPluginStart", - "type": "Interface", - "tags": [], - "label": "SecurityPluginStart", - "description": [ - "\nDescribes public Security plugin contract returned at the `start` stage." - ], - "source": { - "path": "x-pack/plugins/security/server/plugin.ts", - "lineNumber": 88 - }, - "deprecated": false, - "children": [ + }, { "parentPluginId": "security", - "id": "def-server.SecurityPluginStart.authc", + "id": "def-common.AuthenticatedUser.authentication_provider", "type": "Object", "tags": [], - "label": "authc", - "description": [], + "label": "authentication_provider", + "description": [ + "\nThe authentication provider that used to authenticate user." + ], "signature": [ - "{ getCurrentUser: (request: ", - { - "pluginId": "core", - "scope": "server", - "docId": "kibCoreHttpPluginApi", - "section": "def-server.KibanaRequest", - "text": "KibanaRequest" - }, - ") => ", - "AuthenticatedUser", - " | null; apiKeys: Pick<", - "APIKeys", - ", \"create\" | \"areAPIKeysEnabled\" | \"invalidate\" | \"grantAsInternalUser\" | \"invalidateAsInternalUser\">; }" + "AuthenticationProvider" ], "source": { - "path": "x-pack/plugins/security/server/plugin.ts", - "lineNumber": 89 + "path": "x-pack/plugins/security/common/model/authenticated_user.ts", + "lineNumber": 35 }, "deprecated": false }, { "parentPluginId": "security", - "id": "def-server.SecurityPluginStart.authz", - "type": "Object", + "id": "def-common.AuthenticatedUser.authentication_type", + "type": "string", "tags": [], - "label": "authz", - "description": [], - "signature": [ - "{ mode: ", - "AuthorizationMode", - "; actions: ", - "Actions", - "; checkPrivilegesDynamicallyWithRequest: ", - "CheckPrivilegesDynamicallyWithRequest", - "; checkPrivilegesWithRequest: ", - "CheckPrivilegesWithRequest", - "; }" + "label": "authentication_type", + "description": [ + "\nThe AuthenticationType used by ES to authenticate the user.\n" ], "source": { - "path": "x-pack/plugins/security/server/plugin.ts", - "lineNumber": 90 + "path": "x-pack/plugins/security/common/model/authenticated_user.ts", + "lineNumber": 42 }, "deprecated": false } ], "initialIsOpen": false - } - ], - "enums": [], - "misc": [ - { - "parentPluginId": "security", - "id": "def-server.AuthorizationServiceSetup", - "type": "Type", - "tags": [], - "label": "AuthorizationServiceSetup", - "description": [], - "signature": [ - "{ mode: ", - "AuthorizationMode", - "; actions: ", - "Actions", - "; checkPrivilegesDynamicallyWithRequest: ", - "CheckPrivilegesDynamicallyWithRequest", - "; checkPrivilegesWithRequest: ", - "CheckPrivilegesWithRequest", - "; }" - ], - "source": { - "path": "x-pack/plugins/security/server/index.ts", - "lineNumber": 30 - }, - "deprecated": false, - "initialIsOpen": false }, - { - "parentPluginId": "security", - "id": "def-server.ROUTE_TAG_CAN_REDIRECT", - "type": "string", - "tags": [], - "label": "ROUTE_TAG_CAN_REDIRECT", - "description": [ - "\nIf the route is marked with this tag Security can safely assume that the calling party that sends\nrequest to this route can handle redirect responses. It's particularly important if we want the\nspecific route to be able to initiate or participate in the authentication handshake that may\ninvolve redirects and will eventually redirect authenticated user to this route." - ], - "signature": [ - "\"security:canRedirect\"" - ], - "source": { - "path": "x-pack/plugins/security/server/routes/tags.ts", - "lineNumber": 21 - }, - "deprecated": false, - "initialIsOpen": false - } - ], - "objects": [] - }, - "common": { - "classes": [], - "functions": [], - "interfaces": [ { "parentPluginId": "security", "id": "def-common.SecurityLicense", diff --git a/api_docs/security.mdx b/api_docs/security.mdx index 07f219ce6e7715..250ceff429207b 100644 --- a/api_docs/security.mdx +++ b/api_docs/security.mdx @@ -27,6 +27,12 @@ import securityObj from './security.json'; ## Server +### Setup + + +### Start + + ### Interfaces diff --git a/api_docs/spaces.json b/api_docs/spaces.json index d24b3884ffac6f..002145f3b48db6 100644 --- a/api_docs/spaces.json +++ b/api_docs/spaces.json @@ -1203,7 +1203,7 @@ "plugin": "security", "link": { "path": "x-pack/plugins/security/server/plugin.ts", - "lineNumber": 263 + "lineNumber": 267 } }, { @@ -2002,28 +2002,28 @@ "plugin": "security", "link": { "path": "x-pack/plugins/security/server/plugin.ts", - "lineNumber": 57 + "lineNumber": 60 } }, { "plugin": "security", "link": { "path": "x-pack/plugins/security/server/plugin.ts", - "lineNumber": 263 + "lineNumber": 267 } }, { "plugin": "security", "link": { "path": "x-pack/plugins/security/server/plugin.ts", - "lineNumber": 281 + "lineNumber": 285 } }, { "plugin": "security", "link": { "path": "x-pack/plugins/security/server/plugin.ts", - "lineNumber": 297 + "lineNumber": 301 } }, { diff --git a/x-pack/plugins/security/common/index.ts b/x-pack/plugins/security/common/index.ts index 8b99ac3c5761b5..034c25758a1f0c 100644 --- a/x-pack/plugins/security/common/index.ts +++ b/x-pack/plugins/security/common/index.ts @@ -6,3 +6,4 @@ */ export { SecurityLicense } from './licensing'; +export { AuthenticatedUser } from './model'; diff --git a/x-pack/plugins/security/server/authentication/authentication_service.mock.ts b/x-pack/plugins/security/server/authentication/authentication_service.mock.ts index ba3297aeb5493e..ba73d3b196d2f8 100644 --- a/x-pack/plugins/security/server/authentication/authentication_service.mock.ts +++ b/x-pack/plugins/security/server/authentication/authentication_service.mock.ts @@ -8,10 +8,10 @@ import type { DeeplyMockedKeys } from '@kbn/utility-types/jest'; import { apiKeysMock } from './api_keys/api_keys.mock'; -import type { AuthenticationServiceStart } from './authentication_service'; +import type { AuthenticationServiceStartInternal } from './authentication_service'; export const authenticationServiceMock = { - createStart: (): DeeplyMockedKeys => ({ + createStart: (): DeeplyMockedKeys => ({ apiKeys: apiKeysMock.create(), login: jest.fn(), logout: jest.fn(), diff --git a/x-pack/plugins/security/server/authentication/authentication_service.ts b/x-pack/plugins/security/server/authentication/authentication_service.ts index e5895422e7a743..946fedbeee04ff 100644 --- a/x-pack/plugins/security/server/authentication/authentication_service.ts +++ b/x-pack/plugins/security/server/authentication/authentication_service.ts @@ -51,7 +51,7 @@ interface AuthenticationServiceStartParams { loggers: LoggerFactory; } -export interface AuthenticationServiceStart { +export interface AuthenticationServiceStartInternal extends AuthenticationServiceStart { apiKeys: Pick< APIKeys, | 'areAPIKeysEnabled' @@ -66,6 +66,21 @@ export interface AuthenticationServiceStart { getCurrentUser: (request: KibanaRequest) => AuthenticatedUser | null; } +/** + * Authentication services available on the security plugin's start contract. + */ +export interface AuthenticationServiceStart { + apiKeys: Pick< + APIKeys, + | 'areAPIKeysEnabled' + | 'create' + | 'invalidate' + | 'grantAsInternalUser' + | 'invalidateAsInternalUser' + >; + getCurrentUser: (request: KibanaRequest) => AuthenticatedUser | null; +} + export class AuthenticationService { private license!: SecurityLicense; private authenticator?: Authenticator; @@ -212,7 +227,7 @@ export class AuthenticationService { legacyAuditLogger, loggers, session, - }: AuthenticationServiceStartParams): AuthenticationServiceStart { + }: AuthenticationServiceStartParams): AuthenticationServiceStartInternal { const apiKeys = new APIKeys({ clusterClient, logger: this.logger.get('api-key'), diff --git a/x-pack/plugins/security/server/authentication/index.ts b/x-pack/plugins/security/server/authentication/index.ts index f7f5f82d2858b1..4f82c5653baa9a 100644 --- a/x-pack/plugins/security/server/authentication/index.ts +++ b/x-pack/plugins/security/server/authentication/index.ts @@ -6,7 +6,11 @@ */ export { canRedirectRequest } from './can_redirect_request'; -export { AuthenticationService, AuthenticationServiceStart } from './authentication_service'; +export { + AuthenticationService, + AuthenticationServiceStart, + AuthenticationServiceStartInternal, +} from './authentication_service'; export { AuthenticationResult } from './authentication_result'; export { DeauthenticationResult } from './deauthentication_result'; export { diff --git a/x-pack/plugins/security/server/authorization/authorization_service.tsx b/x-pack/plugins/security/server/authorization/authorization_service.tsx index 1e2588dafe2337..c5adb3aff670e0 100644 --- a/x-pack/plugins/security/server/authorization/authorization_service.tsx +++ b/x-pack/plugins/security/server/authorization/authorization_service.tsx @@ -72,7 +72,7 @@ interface AuthorizationServiceStartParams { online$: Observable; } -export interface AuthorizationServiceSetup { +export interface AuthorizationServiceSetupInternal extends AuthorizationServiceSetup { actions: Actions; checkPrivilegesWithRequest: CheckPrivilegesWithRequest; checkPrivilegesDynamicallyWithRequest: CheckPrivilegesDynamicallyWithRequest; @@ -82,6 +82,21 @@ export interface AuthorizationServiceSetup { privileges: PrivilegesService; } +/** + * Authorization services available on the setup contract of the security plugin. + */ +export interface AuthorizationServiceSetup { + /** + * Actions are used to create the "actions" that are associated with Elasticsearch's + * application privileges, and are used to perform the authorization checks implemented + * by the various `checkPrivilegesWithRequest` derivatives + */ + actions: Actions; + checkPrivilegesWithRequest: CheckPrivilegesWithRequest; + checkPrivilegesDynamicallyWithRequest: CheckPrivilegesDynamicallyWithRequest; + mode: AuthorizationMode; +} + export class AuthorizationService { private logger!: Logger; private applicationName!: string; @@ -101,7 +116,7 @@ export class AuthorizationService { kibanaIndexName, getSpacesService, getCurrentUser, - }: AuthorizationServiceSetupParams): AuthorizationServiceSetup { + }: AuthorizationServiceSetupParams): AuthorizationServiceSetupInternal { this.logger = loggers.get('authorization'); this.applicationName = `${APPLICATION_PREFIX}${kibanaIndexName}`; diff --git a/x-pack/plugins/security/server/authorization/index.ts b/x-pack/plugins/security/server/authorization/index.ts index 16a3c2ae50058c..4d67f3435e7dab 100644 --- a/x-pack/plugins/security/server/authorization/index.ts +++ b/x-pack/plugins/security/server/authorization/index.ts @@ -6,6 +6,10 @@ */ export { Actions } from './actions'; -export { AuthorizationService, AuthorizationServiceSetup } from './authorization_service'; +export { + AuthorizationService, + AuthorizationServiceSetup, + AuthorizationServiceSetupInternal, +} from './authorization_service'; export { CheckSavedObjectsPrivileges } from './check_saved_objects_privileges'; export { CheckPrivilegesPayload } from './types'; diff --git a/x-pack/plugins/security/server/index.ts b/x-pack/plugins/security/server/index.ts index e50ab66a92547e..a48c6833096ccb 100644 --- a/x-pack/plugins/security/server/index.ts +++ b/x-pack/plugins/security/server/index.ts @@ -25,6 +25,7 @@ export type { InvalidateAPIKeysParams, InvalidateAPIKeyResult, GrantAPIKeyResult, + AuthenticationServiceStart, } from './authentication'; export type { CheckPrivilegesPayload } from './authorization'; export type AuthorizationServiceSetup = SecurityPluginStart['authz']; @@ -32,6 +33,7 @@ export { LegacyAuditLogger, AuditLogger, AuditEvent } from './audit'; export type { SecurityPluginSetup, SecurityPluginStart }; export type { AuthenticatedUser } from '../common/model'; export { ROUTE_TAG_CAN_REDIRECT } from './routes/tags'; +export { AuditServiceSetup } from './audit'; export const config: PluginConfigDescriptor> = { schema: ConfigSchema, diff --git a/x-pack/plugins/security/server/plugin.ts b/x-pack/plugins/security/server/plugin.ts index 57be308525fddd..98f1335b534505 100644 --- a/x-pack/plugins/security/server/plugin.ts +++ b/x-pack/plugins/security/server/plugin.ts @@ -10,7 +10,6 @@ import { combineLatest } from 'rxjs'; import { map } from 'rxjs/operators'; import type { TypeOf } from '@kbn/config-schema'; -import type { RecursiveReadonly } from '@kbn/utility-types'; import type { CoreSetup, CoreStart, @@ -36,10 +35,14 @@ import type { AnonymousAccessServiceStart } from './anonymous_access'; import { AnonymousAccessService } from './anonymous_access'; import type { AuditServiceSetup } from './audit'; import { AuditService, SecurityAuditLogger } from './audit'; -import type { AuthenticationServiceStart } from './authentication'; +import type { + AuthenticationServiceStart, + AuthenticationServiceStartInternal, +} from './authentication'; import { AuthenticationService } from './authentication'; import type { AuthorizationServiceSetup } from './authorization'; import { AuthorizationService } from './authorization'; +import type { AuthorizationServiceSetupInternal } from './authorization/authorization_service'; import type { ConfigSchema, ConfigType } from './config'; import { createConfig } from './config'; import { ElasticsearchService } from './elasticsearch'; @@ -74,11 +77,14 @@ export interface SecurityPluginSetup { /** * @deprecated Use `authz` methods from the `SecurityServiceStart` contract instead. */ - authz: Pick< - AuthorizationServiceSetup, - 'actions' | 'checkPrivilegesDynamicallyWithRequest' | 'checkPrivilegesWithRequest' | 'mode' - >; + authz: AuthorizationServiceSetup; + /** + * Exposes information about the available security features under the current license. + */ license: SecurityLicense; + /** + * Exposes services for audit logging. + */ audit: AuditServiceSetup; } @@ -86,11 +92,14 @@ export interface SecurityPluginSetup { * Describes public Security plugin contract returned at the `start` stage. */ export interface SecurityPluginStart { - authc: Pick; - authz: Pick< - AuthorizationServiceSetup, - 'actions' | 'checkPrivilegesDynamicallyWithRequest' | 'checkPrivilegesWithRequest' | 'mode' - >; + /** + * Authentication services to confirm the user is who they say they are. + */ + authc: AuthenticationServiceStart; + /** + * Authorization services to manage and access the permissions a particular user has. + */ + authz: AuthorizationServiceSetup; } export interface PluginSetupDependencies { @@ -113,14 +122,9 @@ export interface PluginStartDependencies { * Represents Security Plugin instance that will be managed by the Kibana plugin system. */ export class SecurityPlugin - implements - Plugin< - RecursiveReadonly, - RecursiveReadonly, - PluginSetupDependencies - > { + implements Plugin { private readonly logger: Logger; - private authorizationSetup?: AuthorizationServiceSetup; + private authorizationSetup?: AuthorizationServiceSetupInternal; private auditSetup?: AuditServiceSetup; private anonymousAccessStart?: AnonymousAccessServiceStart; private configSubscription?: Subscription; @@ -152,7 +156,7 @@ export class SecurityPlugin private readonly authenticationService = new AuthenticationService( this.initializerContext.logger.get('authentication') ); - private authenticationStart?: AuthenticationServiceStart; + private authenticationStart?: AuthenticationServiceStartInternal; private readonly getAuthentication = () => { if (!this.authenticationStart) { throw new Error(`authenticationStart is not registered!`); diff --git a/x-pack/plugins/security/server/routes/api_keys/create.test.ts b/x-pack/plugins/security/server/routes/api_keys/create.test.ts index 502a7cb1246c49..ee28681adbd5f2 100644 --- a/x-pack/plugins/security/server/routes/api_keys/create.test.ts +++ b/x-pack/plugins/security/server/routes/api_keys/create.test.ts @@ -12,7 +12,7 @@ import type { RequestHandler } from 'src/core/server'; import { kibanaResponseFactory } from 'src/core/server'; import { httpServerMock } from 'src/core/server/mocks'; -import type { AuthenticationServiceStart } from '../../authentication'; +import type { AuthenticationServiceStartInternal } from '../../authentication'; import { authenticationServiceMock } from '../../authentication/authentication_service.mock'; import type { SecurityRequestHandlerContext } from '../../types'; import { routeDefinitionParamsMock } from '../index.mock'; @@ -28,7 +28,7 @@ describe('Create API Key route', () => { } let routeHandler: RequestHandler; - let authc: DeeplyMockedKeys; + let authc: DeeplyMockedKeys; beforeEach(() => { authc = authenticationServiceMock.createStart(); const mockRouteDefinitionParams = routeDefinitionParamsMock.create(); diff --git a/x-pack/plugins/security/server/routes/api_keys/enabled.test.ts b/x-pack/plugins/security/server/routes/api_keys/enabled.test.ts index da097faf8c6b27..1000e79563b571 100644 --- a/x-pack/plugins/security/server/routes/api_keys/enabled.test.ts +++ b/x-pack/plugins/security/server/routes/api_keys/enabled.test.ts @@ -12,7 +12,7 @@ import type { RequestHandler } from 'src/core/server'; import { kibanaResponseFactory } from 'src/core/server'; import { httpServerMock } from 'src/core/server/mocks'; -import type { AuthenticationServiceStart } from '../../authentication'; +import type { AuthenticationServiceStartInternal } from '../../authentication'; import { authenticationServiceMock } from '../../authentication/authentication_service.mock'; import type { SecurityRequestHandlerContext } from '../../types'; import { routeDefinitionParamsMock } from '../index.mock'; @@ -28,7 +28,7 @@ describe('API keys enabled', () => { } let routeHandler: RequestHandler; - let authc: DeeplyMockedKeys; + let authc: DeeplyMockedKeys; beforeEach(() => { authc = authenticationServiceMock.createStart(); const mockRouteDefinitionParams = routeDefinitionParamsMock.create(); diff --git a/x-pack/plugins/security/server/routes/authentication/common.test.ts b/x-pack/plugins/security/server/routes/authentication/common.test.ts index 1e0b6784a45c82..5acc5817bfb3e9 100644 --- a/x-pack/plugins/security/server/routes/authentication/common.test.ts +++ b/x-pack/plugins/security/server/routes/authentication/common.test.ts @@ -13,7 +13,7 @@ import { httpServerMock } from 'src/core/server/mocks'; import type { SecurityLicense, SecurityLicenseFeatures } from '../../../common/licensing'; import { mockAuthenticatedUser } from '../../../common/model/authenticated_user.mock'; -import type { AuthenticationServiceStart } from '../../authentication'; +import type { AuthenticationServiceStartInternal } from '../../authentication'; import { AuthenticationResult, DeauthenticationResult, @@ -28,7 +28,7 @@ import { defineCommonRoutes } from './common'; describe('Common authentication routes', () => { let router: jest.Mocked; - let authc: DeeplyMockedKeys; + let authc: DeeplyMockedKeys; let license: jest.Mocked; let mockContext: SecurityRequestHandlerContext; beforeEach(() => { diff --git a/x-pack/plugins/security/server/routes/authentication/saml.test.ts b/x-pack/plugins/security/server/routes/authentication/saml.test.ts index 3b2497ed9f30ba..c28c435217ef3a 100644 --- a/x-pack/plugins/security/server/routes/authentication/saml.test.ts +++ b/x-pack/plugins/security/server/routes/authentication/saml.test.ts @@ -11,7 +11,7 @@ import type { RequestHandler, RouteConfig } from 'src/core/server'; import { httpServerMock } from 'src/core/server/mocks'; import { mockAuthenticatedUser } from '../../../common/model/authenticated_user.mock'; -import type { AuthenticationServiceStart } from '../../authentication'; +import type { AuthenticationServiceStartInternal } from '../../authentication'; import { AuthenticationResult, SAMLLogin } from '../../authentication'; import { authenticationServiceMock } from '../../authentication/authentication_service.mock'; import type { SecurityRouter } from '../../types'; @@ -21,7 +21,7 @@ import { defineSAMLRoutes } from './saml'; describe('SAML authentication routes', () => { let router: jest.Mocked; - let authc: DeeplyMockedKeys; + let authc: DeeplyMockedKeys; beforeEach(() => { const routeParamsMock = routeDefinitionParamsMock.create(); router = routeParamsMock.router; diff --git a/x-pack/plugins/security/server/routes/index.ts b/x-pack/plugins/security/server/routes/index.ts index cdb3a2fa289fdd..e36ca1b9ab72e5 100644 --- a/x-pack/plugins/security/server/routes/index.ts +++ b/x-pack/plugins/security/server/routes/index.ts @@ -10,8 +10,8 @@ import type { HttpResources, IBasePath, Logger } from 'src/core/server'; import type { KibanaFeature } from '../../../features/server'; import type { SecurityLicense } from '../../common/licensing'; -import type { AuthenticationServiceStart } from '../authentication'; -import type { AuthorizationServiceSetup } from '../authorization'; +import type { AuthenticationServiceStartInternal } from '../authentication'; +import type { AuthorizationServiceSetupInternal } from '../authorization'; import type { ConfigType } from '../config'; import type { SecurityFeatureUsageServiceStart } from '../feature_usage'; import type { Session } from '../session_management'; @@ -34,12 +34,12 @@ export interface RouteDefinitionParams { httpResources: HttpResources; logger: Logger; config: ConfigType; - authz: AuthorizationServiceSetup; + authz: AuthorizationServiceSetupInternal; getSession: () => PublicMethodsOf; license: SecurityLicense; getFeatures: () => Promise; getFeatureUsageService: () => SecurityFeatureUsageServiceStart; - getAuthenticationService: () => AuthenticationServiceStart; + getAuthenticationService: () => AuthenticationServiceStartInternal; } export function defineRoutes(params: RouteDefinitionParams) { diff --git a/x-pack/plugins/security/server/routes/users/change_password.test.ts b/x-pack/plugins/security/server/routes/users/change_password.test.ts index a97fce7ea4b190..e5f4381a204212 100644 --- a/x-pack/plugins/security/server/routes/users/change_password.test.ts +++ b/x-pack/plugins/security/server/routes/users/change_password.test.ts @@ -15,8 +15,8 @@ import { kibanaResponseFactory } from 'src/core/server'; import { coreMock, httpServerMock } from 'src/core/server/mocks'; import { mockAuthenticatedUser } from '../../../common/model/authenticated_user.mock'; -import type { AuthenticationServiceStart } from '../../authentication'; import { AuthenticationResult } from '../../authentication'; +import type { AuthenticationServiceStartInternal } from '../../authentication/authentication_service'; import { authenticationServiceMock } from '../../authentication/authentication_service.mock'; import type { Session } from '../../session_management'; import { sessionMock } from '../../session_management/session.mock'; @@ -26,7 +26,7 @@ import { defineChangeUserPasswordRoutes } from './change_password'; describe('Change password', () => { let router: jest.Mocked; - let authc: DeeplyMockedKeys; + let authc: DeeplyMockedKeys; let session: jest.Mocked>; let routeHandler: RequestHandler; let routeConfig: RouteConfig; diff --git a/x-pack/plugins/security/server/saved_objects/index.ts b/x-pack/plugins/security/server/saved_objects/index.ts index e052fd1c7ab6a4..837b3c594d3968 100644 --- a/x-pack/plugins/security/server/saved_objects/index.ts +++ b/x-pack/plugins/security/server/saved_objects/index.ts @@ -9,7 +9,7 @@ import type { CoreSetup, LegacyRequest } from 'src/core/server'; import { KibanaRequest, SavedObjectsClient } from '../../../../../src/core/server'; import type { AuditServiceSetup, SecurityAuditLogger } from '../audit'; -import type { AuthorizationServiceSetup } from '../authorization'; +import type { AuthorizationServiceSetupInternal } from '../authorization/authorization_service'; import type { SpacesService } from '../plugin'; import { SecureSavedObjectsClientWrapper } from './secure_saved_objects_client_wrapper'; @@ -17,7 +17,7 @@ interface SetupSavedObjectsParams { legacyAuditLogger: SecurityAuditLogger; audit: AuditServiceSetup; authz: Pick< - AuthorizationServiceSetup, + AuthorizationServiceSetupInternal, 'mode' | 'actions' | 'checkSavedObjectsPrivilegesWithRequest' >; savedObjects: CoreSetup['savedObjects']; diff --git a/x-pack/plugins/security/server/spaces/secure_spaces_client_wrapper.test.ts b/x-pack/plugins/security/server/spaces/secure_spaces_client_wrapper.test.ts index 0b8a7abab23828..bc7cb727edd805 100644 --- a/x-pack/plugins/security/server/spaces/secure_spaces_client_wrapper.test.ts +++ b/x-pack/plugins/security/server/spaces/secure_spaces_client_wrapper.test.ts @@ -15,7 +15,10 @@ import { spacesClientMock } from '../../../spaces/server/mocks'; import type { AuditEvent, AuditLogger } from '../audit'; import { SpaceAuditAction } from '../audit'; import { auditServiceMock } from '../audit/index.mock'; -import type { AuthorizationServiceSetup } from '../authorization'; +import type { + AuthorizationServiceSetup, + AuthorizationServiceSetupInternal, +} from '../authorization'; import { authorizationMock } from '../authorization/index.mock'; import type { CheckPrivilegesResponse } from '../authorization/types'; import type { LegacySpacesAuditLogger } from './legacy_audit_logger'; @@ -85,7 +88,9 @@ const setup = ({ securityEnabled = false }: Opts = {}) => { }; }; -const expectNoAuthorizationCheck = (authorization: jest.Mocked) => { +const expectNoAuthorizationCheck = ( + authorization: jest.Mocked +) => { expect(authorization.checkPrivilegesDynamicallyWithRequest).not.toHaveBeenCalled(); expect(authorization.checkPrivilegesWithRequest).not.toHaveBeenCalled(); expect(authorization.checkSavedObjectsPrivilegesWithRequest).not.toHaveBeenCalled();