[HTTP] Only allow setting server.restrictInternalApis on serverless (…

…elastic#162475)
paul-tavares · Jul 25, 2023 · 492cfdf · 492cfdf
1 parent 0f7129d
commit 492cfdf
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 3 deletions.
diff --git a/packages/core/http/core-http-server-internal/src/__snapshots__/http_config.test.ts.snap b/packages/core/http/core-http-server-internal/src/__snapshots__/http_config.test.ts.snap
diff --git a/packages/core/http/core-http-server-internal/src/http_config.test.ts b/packages/core/http/core-http-server-internal/src/http_config.test.ts
@@ -509,6 +509,27 @@ describe('versioned', () => {
   });
 });
 
+describe('restrictInternalApis', () => {
+  it('is only allowed on serverless', () => {
+    expect(() => config.schema.validate({ restrictInternalApis: false }, {})).toThrow(
+      /a value wasn't expected/
+    );
+    expect(() => config.schema.validate({ restrictInternalApis: true }, {})).toThrow(
+      /a value wasn't expected/
+    );
+    expect(
+      config.schema.validate({ restrictInternalApis: true }, { serverless: true })
+    ).toMatchObject({
+      restrictInternalApis: true,
+    });
+  });
+  it('defaults to false', () => {
+    expect(
+      config.schema.validate({ restrictInternalApis: undefined }, { serverless: true })
+    ).toMatchObject({ restrictInternalApis: false });
+  });
+});
+
 describe('HttpConfig', () => {
   it('converts customResponseHeaders to strings or arrays of strings', () => {
     const httpSchema = config.schema;
@@ -535,4 +556,11 @@ describe('HttpConfig', () => {
       nested: '{"foo":1,"bar":"dolly"}',
     });
   });
+
+  it('defaults restrictInternalApis to false', () => {
+    const rawConfig = config.schema.validate({}, {});
+    const rawCspConfig = cspConfig.schema.validate({});
+    const httpConfig = new HttpConfig(rawConfig, rawCspConfig, ExternalUrlConfig.DEFAULT);
+    expect(httpConfig.restrictInternalApis).toBe(false);
+  });
 });
diff --git a/packages/core/http/core-http-server-internal/src/http_config.ts b/packages/core/http/core-http-server-internal/src/http_config.ts
@@ -167,7 +167,14 @@ const configSchema = schema.object(
         },
       }
     ),
-    restrictInternalApis: schema.boolean({ defaultValue: false }), // allow access to internal routes by default to prevent breaking changes in current offerings
+    // allow access to internal routes by default to prevent breaking changes in current offerings
+    restrictInternalApis: schema.conditional(
+      schema.contextRef('serverless'),
+      true,
+      schema.boolean({ defaultValue: false }),
+      schema.never()
+    ),
+
     versioned: schema.object({
       /**
        * Which handler resolution algo to use: "newest" or "oldest".
@@ -316,7 +323,8 @@ export class HttpConfig implements IHttpConfig {
     this.requestId = rawHttpConfig.requestId;
     this.shutdownTimeout = rawHttpConfig.shutdownTimeout;
 
-    this.restrictInternalApis = rawHttpConfig.restrictInternalApis;
+    // default to `false` to prevent breaking changes in current offerings
+    this.restrictInternalApis = rawHttpConfig.restrictInternalApis ?? false;
     this.eluMonitor = rawHttpConfig.eluMonitor;
     this.versioned = rawHttpConfig.versioned;
   }