Introduce Access Agreement UI.

[azasypkin]

This PR introduces the Access Agreement UI that works like that:

• Every provider has an additional accessAgreement configuration option now. Option accepts markdown string as a value.
• Every authenticated request will be redirected to /security/access_agreement only if:
  • Request is authenticated by the provider that has accessAgreement.message configured
  • User hasn't yet acknowledged access notice in the current session (based on the flag we store in the session)
  • Request can be redirected (not API call)
  • And it's not a request to the Access Agreement UI itself
• When request is redirected to the Access Agreement UI original URL is captured and user will be redirected to it once access agreement is acknowledged

UI/UX:

Config:

xpack.security.authc.providers:
  basic.basic1:
    order: 0
    accessAgreement.message: "#### You are accessing a system with U.S. government information \n\n
                   By logging in, you acknowledge that information system usage may be monitored, recorded, and subject to audit. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties. Use of the information system indicates consent to monitoring and recording."

Blocked by: Design Team and stakeholders feedback is pending
Fixes: #18176

---

"Release Note: every provider can now be configured with the access agreement message (markdown syntax) that will be presented to the users after login. Users won't be able to use Kibana until they acknowledge this agreement."

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[azasypkin]

note: motivation behind this change is that I wanted to make body of this component wider for access notice as we have much more text there (600px instead of 480px)

[azasypkin]

note: it doesn't seem like we want it to be a part of our public API, feels like our own internal thing.

[azasypkin]

note: if we wouldn't have plans to switch to server side sessions, I'd use a bitmask field here instead to save space 🙂 For now will just make it optional.

[legrego]

question I'm not opposed to this structure, but do you have other flags in mind that we'll add in the future?

[azasypkin]

That's actually a good point, I had something else in mind at the beginning, but now I can't think of anything. Maybe flags is too premature indeed, I'll switch to the top level property for now, thanks!

[azasypkin]

note: technically pathname can have a trailing slash, but I'm ignoring this here to simplify the check because of the following reasons:

• When we redirect to this page we don't add trailing slash
• If user goes directly to this page and adds a trailing slash, they will end up at /security/access_notice?next=%2Fsecurity%2Faccess_notice%2F assuming they haven't acknowledged access notice yet, that means after acknowledgement they will be redirect to /security/access_notice (since Kibana server will eventually issue a redirected to the same URL but without trailing slash), after second acknowledgement or just by navigating to another page everything will go back to normal.

I'm not worried about the second point since it's a user mistake after all and it doesn't have that bad consequences.

[azasypkin]

note: since we're adding more common config properties the amount of info we're duplicating in sortedProviders is increasing, so I decided to take a step back and keep authc.providers as the only source of truth.

[azasypkin]

note: technically it's a breaking change (if we already started to treat changed plugin contracts as such), but nobody in Kibana was using it and I'm not sure we want to expose this to 3rd party plugins yet. Starting from 8.0 I'd not do that 🙂

[legrego]

Yeah, now is a great time to clean this up!

[azasypkin]

note: extracting config from config.authc.providers is a bit ugly since we don't know what providers are configured and there is no "type link" between session provider field and this config (and may not be since session can rely on old config). If we see this pattern more and more, we'll create a helper method instead.

[ryankeairns]

@azasypkin A few design tweaks coming... I'll have a design PR for you to review.

[ryankeairns]

@azasypkin here is a design PR with a few changes that more closely aligns to the modal content styling we are after. If it looks good, simply merge: azasypkin#1

[azasypkin]

@azasypkin here is a design PR with a few changes that more closely aligns to the modal content styling we are after. If it looks good, simply merge: azasypkin#1

Looks great, thanks a lot! Merged and updated screenshot in description.

[ryankeairns]

@azasypkin I'll need to make some changes based upon some feedback I received from @cchaos . I'll get that going straight away.

[ryankeairns]

2nd design PR 👉 azasypkin#2

[cchaos]

should this screen be using the Elastic cluster logo instead of the Kibana logo? I know we recently made this change to the login and space selector screens

Yes indeed, the Kibana logo should now be the cluster logo.

[azasypkin]

should this screen be using the Elastic cluster logo instead of the Kibana logo? I know we recently made this change to the login and space selector screens
Yes indeed, the Kibana logo should now be the cluster logo.

Roger that, changed to logoElastic.

[azasypkin]

@legrego PR should be ready for another pass! But since we're still waiting for some details on this feature that will require a couple of changes here and there (in a separate commit though), feel free to postpone review.

[azasypkin]

note: this doesn't sound like an audit event, but rather as a developer mistake, hence just throwing error here.

[azasypkin]

note: I was considering two options here, either to return 403 or 404. I picked 404 and the rational is that license doesn't provide this feature and that basically means that feature is missing (not found).. What do you think?

[legrego]

I think a 403 would make more sense here (with reason in the response body), so that we're consistent with the base licensed route handler functionality:

kibana/x-pack/plugins/security/server/routes/licensed_route_handler.ts

Line 26 in de10976

return responseToolkit.forbidden({ body: { message: licenseCheck.message! } });

[azasypkin]

Okay, makes sense too, let's go with 403. By reason you mean our own custom message, right? Currently SecurityLicense doesn't keep the optional message that Licensing plugin would return in case of failed check...

[azasypkin]

Discussed over Slack, we'll go with custom Current license doesn't support access agreement. message.

[legrego]

Looks great, thanks @azasypkin! Just a couple nits/comments, then I think we're good to go!

[legrego]

I think a 403 would make more sense here (with reason in the response body), so that we're consistent with the base licensed route handler functionality:

kibana/x-pack/plugins/security/server/routes/licensed_route_handler.ts

Line 26 in de10976

return responseToolkit.forbidden({ body: { message: licenseCheck.message! } });

[legrego]

note for future us: we should consider updating this to accept a minimum license level once we have more than one route that requires an elevated license

[azasypkin]

To be honest I have mixed feelings about this since feature that depends on license level can rely on multiple endpoints and keeping all of them in sync may be tedious. Unless we refactor SecurityLicense to include something similar to feature <-> min license level mapping that will be the only source of truth.

[legrego]

That’s a great point, a single source of truth is much more beneficial than the potential duplication of license checks

[legrego]

This is getting a bit out of hand 😅What do you think about something like this?

Suggested change

	it('should show login page and other security elements, allow RBAC but forbid role mappings, access agreement, DLS, and sub-feature privileges if license is basic.', () => {
	it('should show login page and other security elements, allow RBAC but forbid paid features if license is basic.', () => {

[azasypkin]

🙂 yeah

[legrego]

Suggested change

	it('returns 404 if current license doesnt allow access agreement acknowledgement.', async () => {
	it(`returns 404 if current license doesn't allow access agreement acknowledgement.`, async () => {

[legrego]

Suggested change

	logger.warn(`Attempted to acknowledge access agreement when license doesn allow it.`);
	logger.warn(`Attempted to acknowledge access agreement when license doesn't allow it.`);

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: 3c7cf49

History

• 💚 Build #43705 succeeded 99332b2
• 💚 Build #43025 succeeded 20f24a8
• 💔 Build #43000 failed 300877f
• 💚 Build #42790 succeeded b9d4713
• 💚 Build #41928 succeeded 45c51d6

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[azasypkin]

7.x/7.8.0: a3790c8