From e5354fc56e5c4095c76b2211a59c871375540f71 Mon Sep 17 00:00:00 2001
From: Eli Perelman
Date: Thu, 12 Dec 2019 16:46:14 -0600
Subject: [PATCH] Remove legacy CSP configuration calls, migrate to platform properties

---
 src/core/server/csp/csp_config.ts | 13 +++++-------
 .../server/lib/csp_usage_collector/csp_collector.ts | 11 ++++++-----
 src/legacy/ui/ui_render/ui_render_mixin.js | 9 ++++-----
 x-pack/legacy/plugins/security/index.js | 2 +-
 4 files changed, 16 insertions(+), 19 deletions(-)

diff --git a/src/core/server/csp/csp_config.ts b/src/core/server/csp/csp_config.ts
index 3d795239ff0ef54..827193c859442d2 100644
--- a/src/core/server/csp/csp_config.ts
+++ b/src/core/server/csp/csp_config.ts
@@ -29,25 +29,25 @@ export class CspConfig {
   /**
    * The CSP rules used for Kibana.
    */
-  public rules: string[];
+  public readonly rules: string[];
 
   /**
    * Specify whether browsers that do not support CSP should be
    * able to use Kibana. Use `true` to block and `false` to allow.
    */
-  public strict: boolean;
+  public readonly strict: boolean;
 
   /**
    * Specify whether users with legacy browsers should be warned
    * about their lack of Kibana security compliance.
    */
-  public warnLegacyBrowsers: boolean;
+  public readonly warnLegacyBrowsers: boolean;
 
   /**
    * The CSP rules in a formatted directives string for use
    * in a `Content-Security-Policy` header.
    */
-  public header!: string;
+  public readonly header: string;
 
   /**
    * Returns the default CSP configuration when passed with no config
@@ -58,9 +58,6 @@ export class CspConfig {
     this.rules = source.rules;
     this.strict = source.strict;
     this.warnLegacyBrowsers = source.warnLegacyBrowsers;
-    Object.defineProperty(this, 'header', {
-      enumerable: true,
-      get: () => this.rules.join('; '),
-    });
+    this.header = source.rules.join('; ');
   }
 }
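Review bot: `this.header = source.rules.join('; ');` in the constructor hunk turns `header` from a getter that always reflected `this.rules` into a one-time snapshot, while the first hunk only marks the `rules` binding `readonly`, which still leaves the array contents mutable (`rules.push(...)` compiles). Any later in-place edit of `rules` would leave `header` — the string that ends up in the `Content-Security-Policy` response header — silently stale, so the two fields should be made consistent: `public readonly rules: readonly string[];` (or freeze the array before assigning it in the constructor). A smaller readability nit is that `header` is joined from `source.rules` while the line above assigned `this.rules` from the same value; joining `this.rules` makes the snapshot relationship explicit. The constructor's signature sits above the hunk, so how `source` is defaulted for the documented no-argument case is not visible here.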
diff --git a/src/legacy/core_plugins/kibana/server/lib/csp_usage_collector/csp_collector.ts b/src/legacy/core_plugins/kibana/server/lib/csp_usage_collector/csp_collector.ts
index 0af66a7145b6405..dadee4d1a5457a0 100644
--- a/src/legacy/core_plugins/kibana/server/lib/csp_usage_collector/csp_collector.ts
+++ b/src/legacy/core_plugins/kibana/server/lib/csp_usage_collector/csp_collector.ts
@@ -26,16 +26,17 @@ export function createCspCollector(server: Server) {
     type: 'csp',
     isReady: () => true,
     async fetch() {
-      const config = server.config();
-      const { header } = new CspConfig();
+      const { strict, warnLegacyBrowsers, header } = server.newPlatform.setup.core.http.csp;
+      // This is used to get the default CSP header string.
+      const { header: defaultCspHeader } = new CspConfig();
 
       return {
-        strict: config.get('csp.strict'),
-        warnLegacyBrowsers: config.get('csp.warnLegacyBrowsers'),
+        strict,
+        warnLegacyBrowsers,
         // It's important that we do not send the value of csp.header here as it
         // can be customized with values that can be identifiable to given
         // installs, such as URLs
-        rulesChangedFromDefault: header !== config.get('csp.header'),
+        rulesChangedFromDefault: header !== defaultCspHeader,
       };
     },
   };
diff --git a/src/legacy/ui/ui_render/ui_render_mixin.js b/src/legacy/ui/ui_render/ui_render_mixin.js
index 3ee225fbd052c36..da67a6dc696b971 100644
--- a/src/legacy/ui/ui_render/ui_render_mixin.js
+++ b/src/legacy/ui/ui_render/ui_render_mixin.js
@@ -245,11 +245,10 @@ export function uiRenderMixin(kbnServer, server, config) {
             return { id, plugin, config: {} };
           }
         }));
-
-        console.log(config.get('csp'));
+        const { strict, warnLegacyBrowsers, header } = kbnServer.newPlatform.setup.core.http.csp;
 
         const response = h.view('ui_app', {
-          strictCsp: config.get('csp.strict'),
+          strictCsp: strict,
           uiPublicUrl: `${basePath}/ui`,
           bootstrapScriptUrl: `${basePath}/bundles/app/${app.getId()}/bootstrap.js`,
           i18n: (id, options) => i18n.translate(id, options),
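Review bot: `const { header: defaultCspHeader } = new CspConfig();` constructs a fresh default config on every telemetry `fetch()` even though the default never changes; moving that line above the returned collector object in `createCspCollector` (next to the existing closure over `server`) computes it once, and the added comment could then say what the value is for rather than where it comes from: `// Default CSP header, compared against the active one so telemetry reports only whether the rules were customized, never the rules themselves.` The check `header !== defaultCspHeader` is a whole-string comparison, so reordering or re-spacing otherwise-default directives reports as changed; that behaviour predates this hunk and may be intended, but it is worth a word in the comment. The opening of `createCspCollector` and the collector object's `return {` lie outside the hunk.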
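Review bot: The new `const { strict, warnLegacyBrowsers, header } = kbnServer.newPlatform.setup.core.http.csp;` introduces a binding named `header` that is consumed only in the later hunk at old line 284 (`response.header('content-security-policy', header)`), inside a handler that also calls `response.header(...)` as a method; at that distance a more specific name reads better, e.g. `const { strict, warnLegacyBrowsers, header: cspHeader } = kbnServer.newPlatform.setup.core.http.csp;` with the later line becoming `response.header('content-security-policy', cspHeader);`. The destructuring also sits directly after `}));` with no blank line, while the following `const response` keeps one; matching the surrounding spacing is a minor style point. The enclosing request handler inside `uiRenderMixin` starts and ends outside this hunk.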
@@ -267,7 +266,7 @@ export function uiRenderMixin(kbnServer, server, config) {
             translationsUrl: `${basePath}/translations/${i18n.getLocale()}.json`,
           },
           csp: {
-            warnLegacyBrowsers: config.get('csp.warnLegacyBrowsers'),
+            warnLegacyBrowsers,
           },
           vars: await replaceInjectedVars(
             request,
@@ -284,7 +283,7 @@ export function uiRenderMixin(kbnServer, server, config) {
           },
         });
 
-        response.header('content-security-policy', config.get('csp.header'));
+        response.header('content-security-policy', header);
 
         return response;
       }
diff --git a/x-pack/legacy/plugins/security/index.js b/x-pack/legacy/plugins/security/index.js
index ef6b207fbbe64e2..2e265c8be158a47 100644
--- a/x-pack/legacy/plugins/security/index.js
+++ b/x-pack/legacy/plugins/security/index.js
@@ -126,7 +126,7 @@ export const security = (kibana) => new kibana.Plugin({
       isSystemAPIRequest: server.plugins.kibana.systemApi.isSystemApiRequest.bind(
         server.plugins.kibana.systemApi
       ),
-      cspRules: config.get('csp.header'),
+      cspRules: server.newPlatform.setup.core.http.csp.header,
     });
 
     // Legacy xPack Info endpoint returns whatever we return in a callback for `registerLicenseCheckResultsGenerator`
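Review bot: `cspRules: server.newPlatform.setup.core.http.csp.header,` assigns the joined `Content-Security-Policy` header string to a property named `cspRules`, which reads as the rules array (`csp.rules`) rather than the formatted header; the mismatch predates this commit, but since the line is being rewritten it is a good moment to either rename the property on the receiving side or add `// joined CSP header string (csp.header), not the rules array` above it. Whether the consumer expects a string or an array cannot be confirmed from here, because the object literal and the `new kibana.Plugin({` call it belongs to start outside the hunk.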