[Security in Core] Exposes apiKeys from core.security.authc #186910

Merged


@SiddharthMantri SiddharthMantri commented Jun 25, 2024

Summary

Expose apiKeys as a service under core.security.authc.apiKeys.

Closes #184764

Details

PR introduces a new API Keys Service which is accessible under the authc namespace in core.security. The service exposes the public API that was already available on the server-side in the security plugin.

The service is initialized and registered with core using the delegate_api - allowing access to the service within the core plugin without the need for the security plugin.

Note: I had to move quite a few types/functions around to prevent cyclical dependencies.

Plugins and the APIs that use the current apiKeys function from the security plugin

| Plugin | File | API used | Can be migrated |
|--------|--------|--------|--------|
| alerting | x-pack/plugins/alerting/plugin/server.ts | areApiKeysEnabled() | ✅ |
| | x-pack/plugins/alerting/server/rules_client_factory.ts | grantAsInternalUser() | ❌ |
| | x-pack/plugins/alerting/server/task.ts | invalidatedAsInternalUser() | ❌ |
| enterprise_search | x-pack/plugins/enterprise_search/server/routes/enterprise_search/api_keys | create() | ✅ |
| | x-pack/plugins/enterprise_search/server/lib/indices/create_api_key.ts | create() | ✅ |
| fleet | x-pack/plugins/fleet/server/routes/setup/handlers.ts | areApiKeysEnabled() | ✅ |
| | x-pack/plugins/fleet/server/services/api_keys/security | invalidateAsInternalUser() | ❌ |
| | x-pack/plugins/fleet/server/services/api_keys/transform_api_keys.ts | grantAsInternalUser() | ❌ |
| | x-pack/plugins/fleet/server/services/setup/fleet_server_policies_enrollment_keys.ts | areApiKeysEnabled() | ✅ |
| | x-pack/plugins/fleet/server/services/setup/fleet_server_policies_enrollment_keys.ts | areAPIKeysEnabled() | ✅ |
| | x-pack/plugins/observability_solution/apm/server/routes/agent_keys/get_agent_keys_privileges.ts | areAPIKeysEnabled() | ✅ |
| observability_solution | x-pack/plugins/observability_solution/entity_manager/server/lib/auth/api_key/api_key.ts | areAPIKeysEnabled | ✅ |
| | | validate | ✅ |
| | | grantAsInternalUser | ❌ |
| | x-pack/plugins/observability_solution/entity_manager/server/routes/enablement/disable.ts | invalidateAsInternalUser | ❌ |
| | x-pack/plugins/observability_solution/entity_manager/server/routes/enablement/enable.ts | invalidateAsInternalUser | ❌ |
| | x-pack/plugins/observability_solution/observability_onboarding/server/routes/flow/route.ts | create | ✅ |
| | x-pack/plugins/observability_solution/synthetics/server/routes/synthetics_service/enablement.ts | invalidateAsInternalUser | ❌ |
| | x-pack/plugins/observability_solution/synthetics/server/synthetics_service/get_api_key.ts | validate | ✅ |
| | | areAPIKeysEnabled | ✅ |
| | | grantAsInternalUser | ❌ |
| | | create | ✅ |
| serverless_search | x-pack/plugins/serverless_search/server/routes/api_key_routes.ts | create | ✅ |
| | x-pack/plugins/transform/server/routes/api/reauthorize_transforms/route_handler_factory.ts | grantAsInternalUser | ❌ |
| | x-pack/plugins/upgrade_assistant/server/lib/reindexing/credential_store.ts | grantAsInternalUser | ❌ |
| | | invalidateAsInternalUser | ❌ |
| | | areAPIKeysEnabled() | ✅ |

@SiddharthMantri

/ci

@SiddharthMantri SiddharthMantri changed the title [Security in Core] Exposes apiKeys from core [Security in Core] Exposes apiKeys from core.security.authc Jun 26, 2024
@SiddharthMantri SiddharthMantri marked this pull request as ready for review June 26, 2024 13:29
@SiddharthMantri SiddharthMantri requested review from a team as code owners June 26, 2024 13:29
@SiddharthMantri SiddharthMantri added Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! Feature:Users/Roles/API Keys labels Jun 26, 2024
@SiddharthMantri

@elasticmachine merge upstream

@elastic-vault-github-plugin-prod elastic-vault-github-plugin-prod bot requested a review from a team as a code owner June 29, 2024 11:45
@elena-shostak elena-shostak self-assigned this Jul 1, 2024

@elena-shostak elena-shostak left a comment


LGTM 🚀

@@ -26,6 +26,26 @@ export class CoreSecurityRouteHandlerContext implements SecurityRequestHandlerCo
if (this.#authc == null) {
this.#authc = {
getCurrentUser: () => this.securityStart.authc.getCurrentUser(this.request),
apiKeys: {
areAPIKeysEnabled: this.securityStart.authc.apiKeys.areAPIKeysEnabled.bind(
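
Review bot: The `apiKeys` block added to the per-request `#authc` object has no comment saying which of its entries are scoped to `this.request` and which are passed through unchanged. `getCurrentUser` on the line above closes over `this.request`, while `areAPIKeysEnabled` is attached with `.bind(`, so a reader of the handler context cannot tell from these lines whether a caller still has to supply a request to the entries in this block. A one-line comment on the block, plus the same arrow-function form as `getCurrentUser` for each entry, would make the request scoping explicit.
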
Contributor


nit: we can use arrow function instead of bind, like getCurrentUser

Contributor Author


Good idea! Addressed in 1faeaa4

@kibana-ci

💛 Build succeeded, but was flaky

Failed CI Steps

The CI Stats report is too large to be displayed here, check out the CI build annotation for this information.

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @elena-shostak

@SiddharthMantri

@elasticmachine merge upstream

@SiddharthMantri SiddharthMantri removed the request for review from a team July 9, 2024 12:05
@SiddharthMantri SiddharthMantri enabled auto-merge (squash) July 9, 2024 12:05
@SiddharthMantri SiddharthMantri merged commit ff9a48e into elastic:main Jul 9, 2024
20 checks passed
@elasticmachine

💛 Build succeeded, but was flaky

Failed CI Steps

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run `node scripts/build_api_docs --plugin [yourplugin] --stats comments` for more detailed information.

| id | before | after | diff |
|----|--------|-------|------|
| @kbn/core-security-server | 16 | 63 | +47 |
| @kbn/core-security-server-mocks | 13 | 15 | +2 |
| @kbn/security-plugin-types-server | 121 | 154 | +33 |
| security | 206 | 222 | +16 |
| total | | | +98 |

Any counts in public APIs

Total count of every `any` typed public API. Target amount is 0. Run `node scripts/build_api_docs --plugin [yourplugin] --stats any` for more detailed information.

| id | before | after | diff |
|----|--------|-------|------|
| @kbn/core-security-server | 0 | 1 | +1 |
| @kbn/security-plugin-types-server | 0 | 1 | +1 |
| total | | | +2 |

Unknown metric groups

API count

| id | before | after | diff |
|----|--------|-------|------|
| @kbn/core-security-server | 52 | 146 | +94 |
| @kbn/core-security-server-mocks | 13 | 15 | +2 |
| @kbn/security-plugin-types-server | 216 | 275 | +59 |
| security | 415 | 438 | +23 |
| total | | | +178 |

History

cc @elena-shostak

pgayvallet pushed a commit to pgayvallet/kibana that referenced this pull request Jul 11, 2024
…tic#186910)

## Summary
Expose `apiKeys` as a service under `core.security.authc.apiKeys`.

Closes elastic#184764

### Details
PR introduces a new API Keys Service which is accessible under the
`authc` namespace in core.security. The service exposes the public API
that was already available on the server-side in the security plugin.

The service is initialized and registered with core using the
`delegate_api` - allowing access to the service within the core plugin
without the need for the `security` plugin.

Note: I had to move quite a few types/functions around to prevent
cyclical dependencies.

### Plugins and the APIs that use the current `apiKeys` function from the security plugin
<details>
<summary> Expand for table with details </summary>

| Plugin | File | API used | Can be migrated |
|--------|--------|--------|--------|
| alerting | x-pack/plugins/alerting/plugin/server.ts | areApiKeysEnabled() | ✅ |
| | x-pack/plugins/alerting/server/rules_client_factory.ts | grantAsInternalUser() | ❌ |
| | x-pack/plugins/alerting/server/task.ts | invalidatedAsInternalUser() | ❌ |
| enterprise_search | x-pack/plugins/enterprise_search/server/routes/enterprise_search/api_keys | create() | ✅ |
| | x-pack/plugins/enterprise_search/server/lib/indices/create_api_key.ts | create() | ✅ |
| fleet | x-pack/plugins/fleet/server/routes/setup/handlers.ts | areApiKeysEnabled() | ✅ |
| | x-pack/plugins/fleet/server/services/api_keys/security | invalidateAsInternalUser() | ❌ |
| | x-pack/plugins/fleet/server/services/api_keys/transform_api_keys.ts | grantAsInternalUser() | ❌ |
| | x-pack/plugins/fleet/server/services/setup/fleet_server_policies_enrollment_keys.ts | areApiKeysEnabled() | ✅ |
| | x-pack/plugins/fleet/server/services/setup/fleet_server_policies_enrollment_keys.ts | areAPIKeysEnabled() | ✅ |
| | x-pack/plugins/observability_solution/apm/server/routes/agent_keys/get_agent_keys_privileges.ts | areAPIKeysEnabled() | ✅ |
| observability_solution | x-pack/plugins/observability_solution/entity_manager/server/lib/auth/api_key/api_key.ts | areAPIKeysEnabled | ✅ |
| | | validate | ✅ |
| | | grantAsInternalUser | ❌ |
| | x-pack/plugins/observability_solution/entity_manager/server/routes/enablement/disable.ts | invalidateAsInternalUser | ❌ |
| | x-pack/plugins/observability_solution/entity_manager/server/routes/enablement/enable.ts | invalidateAsInternalUser | ❌ |
| | x-pack/plugins/observability_solution/observability_onboarding/server/routes/flow/route.ts | create | ✅ |
| | x-pack/plugins/observability_solution/synthetics/server/routes/synthetics_service/enablement.ts | invalidateAsInternalUser | ❌ |
| | x-pack/plugins/observability_solution/synthetics/server/synthetics_service/get_api_key.ts | validate | ✅ |
| | | areAPIKeysEnabled | ✅ |
| | | grantAsInternalUser | ❌ |
| | | create | ✅ |
| serverless_search | x-pack/plugins/serverless_search/server/routes/api_key_routes.ts | create | ✅ |
| | x-pack/plugins/transform/server/routes/api/reauthorize_transforms/route_handler_factory.ts | grantAsInternalUser | ❌ |
| | x-pack/plugins/upgrade_assistant/server/lib/reindexing/credential_store.ts | grantAsInternalUser | ❌ |
| | | invalidateAsInternalUser | ❌ |
| | | areAPIKeysEnabled() | ✅ |
</details>

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Labels
backport:skip This commit does not require backporting Feature:Users/Roles/API Keys release_note:skip Skip the PR/issue when compiling release notes Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v8.15.0 v8.16.0
Development

Successfully merging this pull request may close these issues.

[Security-in-core] Expose API Key service under core.security.authc