[7.x] Migrate authentication subsystem to the new platform. (#41593)

src/test_utils/kbn_server.ts

@@ -75,7 +75,7 @@ export function createRootWithSettings(
       repl: false,
       basePath: false,
       optimize: false,
-      oss: false,
+      oss: true,
       ...cliArgs,
     },
     isDevClusterMaster: false,

x-pack/legacy/plugins/security/common/model/index.ts

@@ -8,6 +8,9 @@ export { Role, RoleIndexPrivilege, RoleKibanaPrivilege } from './role';
 export { FeaturesPrivileges } from './features_privileges';
 export { RawKibanaPrivileges, RawKibanaFeaturePrivileges } from './raw_kibana_privileges';
 export { KibanaPrivileges } from './kibana_privileges';
-export { User, EditUser, getUserDisplayName } from './user';
-export { AuthenticatedUser, canUserChangePassword } from './authenticated_user';
+export { User, EditUser, getUserDisplayName } from '../../../../../plugins/security/common/model';
+export {
+  AuthenticatedUser,
+  canUserChangePassword,
+} from '../../../../../plugins/security/common/model';
 export { BuiltinESPrivileges } from './builtin_es_privileges';

x-pack/legacy/plugins/security/index.d.ts

@@ -6,16 +6,12 @@
 
 import { Legacy } from 'kibana';
 import { AuthenticatedUser } from './common/model';
-import { AuthenticationResult, DeauthenticationResult } from './server/lib/authentication';
 import { AuthorizationService } from './server/lib/authorization/service';
 
 /**
  * Public interface of the security plugin.
  */
 export interface SecurityPlugin {
   authorization: Readonly<AuthorizationService>;
-  authenticate: (request: Legacy.Request) => Promise<AuthenticationResult>;
-  deauthenticate: (request: Legacy.Request) => Promise<DeauthenticationResult>;
   getUser: (request: Legacy.Request) => Promise<AuthenticatedUser>;
-  isAuthenticated: (request: Legacy.Request) => Promise<boolean>;
 }

x-pack/legacy/plugins/security/index.js

@@ -6,7 +6,6 @@
 
 import { resolve } from 'path';
 import { get, has } from 'lodash';
-import { getUserProvider } from './server/lib/get_user';
 import { initAuthenticateApi } from './server/routes/api/v1/authenticate';
 import { initUsersApi } from './server/routes/api/v1/users';
 import { initExternalRolesApi } from './server/routes/api/external/roles';
@@ -17,10 +16,7 @@ import { initOverwrittenSessionView } from './server/routes/views/overwritten_se
 import { initLoginView } from './server/routes/views/login';
 import { initLogoutView } from './server/routes/views/logout';
 import { initLoggedOutView } from './server/routes/views/logged_out';
-import { validateConfig } from './server/lib/validate_config';
-import { authenticateFactory } from './server/lib/auth_redirect';
 import { checkLicense } from './server/lib/check_license';
-import { initAuthenticator } from './server/lib/authentication/authenticator';
 import { SecurityAuditLogger } from './server/lib/audit_logger';
 import { AuditLogger } from '../../server/lib/audit_logger';
 import {
@@ -35,6 +31,7 @@ import { watchStatusAndLicenseToInitialize } from '../../server/lib/watch_status
 import { SecureSavedObjectsClientWrapper } from './server/lib/saved_objects_client/secure_saved_objects_client_wrapper';
 import { deepFreeze } from './server/lib/deep_freeze';
 import { createOptionalPlugin } from '../../server/lib/optional_plugin';
+import { KibanaRequest } from '../../../../src/core/server';
 
 export const security = (kibana) => new kibana.Plugin({
   id: 'security',
@@ -43,28 +40,13 @@ export const security = (kibana) => new kibana.Plugin({
   require: ['kibana', 'elasticsearch', 'xpack_main'],
 
   config(Joi) {
-    const providerOptionsSchema = (providerName, schema) => Joi.any()
-      .when('providers', {
-        is: Joi.array().items(Joi.string().valid(providerName).required(), Joi.string()),
-        then: schema,
-        otherwise: Joi.any().forbidden(),
-      });
-
     return Joi.object({
       enabled: Joi.boolean().default(true),
-      cookieName: Joi.string().default('sid'),
-      encryptionKey: Joi.when(Joi.ref('$dist'), {
-        is: true,
-        then: Joi.string(),
-        otherwise: Joi.string().default('a'.repeat(32)),
-      }),
-      sessionTimeout: Joi.number().allow(null).default(null),
-      secureCookies: Joi.boolean().default(false),
-      public: Joi.object({
-        protocol: Joi.string().valid(['http', 'https']),
-        hostname: Joi.string().hostname(),
-        port: Joi.number().integer().min(0).max(65535)
-      }).default(),
+      cookieName: Joi.any().description('This key is handled in the new platform security plugin ONLY'),
+      encryptionKey: Joi.any().description('This key is handled in the new platform security plugin ONLY'),
+      sessionTimeout: Joi.any().description('This key is handled in the new platform security plugin ONLY'),
+      secureCookies: Joi.any().description('This key is handled in the new platform security plugin ONLY'),
+      public: Joi.any().description('This key is handled in the new platform security plugin ONLY'),
       authorization: Joi.object({
         legacyFallback: Joi.object({
           enabled: Joi.boolean().default(true) // deprecated
@@ -73,11 +55,7 @@ export const security = (kibana) => new kibana.Plugin({
       audit: Joi.object({
         enabled: Joi.boolean().default(false)
       }).default(),
-      authc: Joi.object({
-        providers: Joi.array().items(Joi.string()).default(['basic']),
-        oidc: providerOptionsSchema('oidc', Joi.object({ realm: Joi.string().required() }).required()),
-        saml: providerOptionsSchema('saml', Joi.object({ realm: Joi.string() })),
-      }).default()
+      authc: Joi.any().description('This key is handled in the new platform security plugin ONLY')
     }).default();
   },
 
@@ -130,15 +108,18 @@ export const security = (kibana) => new kibana.Plugin({
       'plugins/security/hacks/on_unauthorized_response'
     ],
     home: ['plugins/security/register_feature'],
-    injectDefaultVars: function (server) {
-      const config = server.config();
+    injectDefaultVars: (server) => {
+      const securityPlugin = server.newPlatform.setup.plugins.security;
+      if (!securityPlugin) {
+        throw new Error('New Platform XPack Security plugin is not available.');
+      }
 
       return {
-        secureCookies: config.get('xpack.security.secureCookies'),
-        sessionTimeout: config.get('xpack.security.sessionTimeout'),
-        enableSpaceAwarePrivileges: config.get('xpack.spaces.enabled'),
+        secureCookies: securityPlugin.config.secureCookies,
+        sessionTimeout: securityPlugin.config.sessionTimeout,
+        enableSpaceAwarePrivileges: server.config().get('xpack.spaces.enabled'),
       };
-    }
+    },
   },
 
   async postInit(server) {
@@ -156,28 +137,34 @@ export const security = (kibana) => new kibana.Plugin({
   },
 
   async init(server) {
-    const plugin = this;
+    const securityPlugin = server.newPlatform.setup.plugins.security;
+    if (!securityPlugin) {
+      throw new Error('New Platform XPack Security plugin is not available.');
+    }
 
     const config = server.config();
     const xpackMainPlugin = server.plugins.xpack_main;
     const xpackInfo = xpackMainPlugin.info;
+    securityPlugin.registerLegacyAPI({
+      xpackInfo,
+      serverConfig: {
+        protocol: server.info.protocol,
+        hostname: config.get('server.host'),
+        port: config.get('server.port'),
+      },
+      isSystemAPIRequest: server.plugins.kibana.systemApi.isSystemApiRequest.bind(
+        server.plugins.kibana.systemApi
+      ),
+    });
 
+    const plugin = this;
     const xpackInfoFeature = xpackInfo.feature(plugin.id);
 
     // Register a function that is called whenever the xpack info changes,
     // to re-compute the license check results for this plugin
     xpackInfoFeature.registerLicenseCheckResultsGenerator(checkLicense);
 
-    validateConfig(config, message => server.log(['security', 'warning'], message));
-
-    // Create a Hapi auth scheme that should be applied to each request.
-    server.auth.scheme('login', () => ({ authenticate: authenticateFactory(server) }));
-
-    server.auth.strategy('session', 'login');
-
-    // The default means that the `session` strategy that is based on `login` schema defined above will be
-    // automatically assigned to all routes that don't contain an auth config.
-    server.auth.default('session');
+    server.expose({ getUser: request => securityPlugin.authc.getCurrentUser(KibanaRequest.from(request)) });
 
     const { savedObjects } = server;
 
@@ -221,20 +208,17 @@ export const security = (kibana) => new kibana.Plugin({
       return client;
     });
 
-    getUserProvider(server);
-
-    await initAuthenticator(server);
-    initAuthenticateApi(server);
+    initAuthenticateApi(securityPlugin, server);
     initAPIAuthorization(server, authorization);
     initAppAuthorization(server, xpackMainPlugin, authorization);
-    initUsersApi(server);
+    initUsersApi(securityPlugin, server);
     initExternalRolesApi(server);
     initIndicesApi(server);
     initPrivilegesApi(server);
     initGetBuiltinPrivilegesApi(server);
-    initLoginView(server, xpackMainPlugin);
+    initLoginView(securityPlugin, server, xpackMainPlugin);
     initLogoutView(server);
-    initLoggedOutView(server);
+    initLoggedOutView(securityPlugin, server);
     initOverwrittenSessionView(server);
 
     server.injectUiAppVars('login', () => {

x-pack/legacy/plugins/security/public/components/management/change_password_form/change_password_form.test.tsx

@@ -7,7 +7,7 @@ import { EuiFieldText } from '@elastic/eui';
 import { ReactWrapper } from 'enzyme';
 import React from 'react';
 import { mountWithIntl } from 'test_utils/enzyme_helpers';
-import { User } from '../../../../common/model/user';
+import { User } from '../../../../common/model';
 import { UserAPIClient } from '../../../lib/api';
 import { ChangePasswordForm } from './change_password_form';