Merge remote-tracking branch 'upstream/main' into task/olm-7053-serve…

…rless-pli-authz # Conflicts: # x-pack/plugins/security_solution_serverless/server/plugin.ts
paul-tavares · Jul 26, 2023 · 54e7184 · 54e7184
2 parents dfb1736 + 7c16dd9
commit 54e7184
Show file tree

Hide file tree

Showing 529 changed files with 6,240 additions and 5,061 deletions.
diff --git a/.buildkite/scripts/steps/code_coverage/reporting/prokLinks.sh b/.buildkite/scripts/steps/code_coverage/reporting/prokLinks.sh
@@ -28,7 +28,7 @@ cat <<EOF >src/dev/code_coverage/www/index_partial_2.html
   </main>
   <footer class="mastfoot mt-auto">
     <div class="inner">
-      <p>Please slack us at <a href="https://app.slack.com/client/T0CUZ52US/C0TR0FAET">#kibana-qa</a> if youve questions</p>
+      <p>Please slack us at <a href="https://app.slack.com/client/T0CUZ52US/C0TR0FAET">#appex-qa</a> if youve questions</p>
     </div>
   </footer>
 </div>

diff --git a/packages/core/apps/core-apps-server-internal/src/bundle_routes/bundle_route.test.ts b/packages/core/apps/core-apps-server-internal/src/bundle_routes/bundle_route.test.ts
@@ -42,6 +42,7 @@ describe('registerRouteForBundle', () => {
       {
         path: '/route-path/{path*}',
         options: {
+          access: 'public',
           authRequired: false,
         },
         validate: expect.any(Object),

diff --git a/packages/core/apps/core-apps-server-internal/src/bundle_routes/bundles_route.ts b/packages/core/apps/core-apps-server-internal/src/bundle_routes/bundles_route.ts
@@ -32,6 +32,7 @@ export function registerRouteForBundle(
       path: `${routePath}{path*}`,
       options: {
         authRequired: false,
+        access: 'public',
       },
       validate: {
         params: schema.object({

diff --git a/packages/core/apps/core-apps-server-internal/src/core_app.ts b/packages/core/apps/core-apps-server-internal/src/core_app.ts
@@ -93,18 +93,21 @@ export class CoreAppsService {
     const router = httpSetup.createRouter<InternalCoreAppsServiceRequestHandlerContext>('');
     const resources = coreSetup.httpResources.createRegistrar(router);
 
-    router.get({ path: '/', validate: false }, async (context, req, res) => {
-      const { uiSettings } = await context.core;
-      const defaultRoute = await uiSettings.client.get<string>('defaultRoute');
-      const basePath = httpSetup.basePath.get(req);
-      const url = `${basePath}${defaultRoute}`;
-
-      return res.redirected({
-        headers: {
-          location: url,
-        },
-      });
-    });
+    router.get(
+      { path: '/', validate: false, options: { access: 'public' } },
+      async (context, req, res) => {
+        const { uiSettings } = await context.core;
+        const defaultRoute = await uiSettings.client.get<string>('defaultRoute');
+        const basePath = httpSetup.basePath.get(req);
+        const url = `${basePath}${defaultRoute}`;
+
+        return res.redirected({
+          headers: {
+            location: url,
+          },
+        });
+      }
+    );
 
     this.registerCommonDefaultRoutes({
       basePath: coreSetup.http.basePath,

diff --git a/packages/core/http/core-http-resources-server-internal/src/http_resources_service.test.ts b/packages/core/http/core-http-resources-server-internal/src/http_resources_service.test.ts
@@ -62,6 +62,20 @@ describe('HttpResources service', () => {
           register = await initializer();
         });
 
+        it('registration defaults to "public" access', () => {
+          register(routeConfig, async (ctx, req, res) => res.ok());
+          const [[registeredRouteConfig]] = router.get.mock.calls;
+          expect(registeredRouteConfig.options?.access).toBe('public');
+        });
+
+        it('registration can set access to "internal"', () => {
+          register({ ...routeConfig, options: { access: 'internal' } }, async (ctx, req, res) =>
+            res.ok()
+          );
+          const [[registeredRouteConfig]] = router.get.mock.calls;
+          expect(registeredRouteConfig.options?.access).toBe('internal');
+        });
+
         describe('renderCoreApp', () => {
           it('formats successful response', async () => {
             register(routeConfig, async (ctx, req, res) => {

diff --git a/packages/core/http/core-http-resources-server-internal/src/http_resources_service.ts b/packages/core/http/core-http-resources-server-internal/src/http_resources_service.ts
@@ -85,12 +85,21 @@ export class HttpResourcesService implements CoreService<InternalHttpResourcesSe
         route: RouteConfig<P, Q, B, 'get'>,
         handler: HttpResourcesRequestHandler<P, Q, B, Context>
       ) => {
-        return router.get<P, Q, B>(route, (context, request, response) => {
-          return handler(context as Context, request, {
-            ...response,
-            ...this.createResponseToolkit(deps, context, request, response),
-          });
-        });
+        return router.get<P, Q, B>(
+          {
+            ...route,
+            options: {
+              access: 'public',
+              ...route.options,
+            },
+          },
+          (context, request, response) => {
+            return handler(context as Context, request, {
+              ...response,
+              ...this.createResponseToolkit(deps, context, request, response),
+            });
+          }
+        );
       },
     };
   }

diff --git a/packages/core/http/core-http-server-internal/src/http_server.test.ts b/packages/core/http/core-http-server-internal/src/http_server.test.ts
@@ -6,6 +6,14 @@
  * Side Public License, v 1.
  */
 
+jest.mock('@kbn/server-http-tools', () => {
+  const module = jest.requireActual('@kbn/server-http-tools');
+  return {
+    ...module,
+    createServer: jest.fn(module.createServer),
+  };
+});
+
 import { Server } from 'http';
 import { rm, mkdtemp, readFile, writeFile } from 'fs/promises';
 import supertest from 'supertest';
@@ -23,6 +31,7 @@ import type {
   RequestHandlerContextBase,
 } from '@kbn/core-http-server';
 import { Router, type RouterOptions } from '@kbn/core-http-router-server-internal';
+import { createServer } from '@kbn/server-http-tools';
 import { HttpConfig } from './http_config';
 import { HttpServer } from './http_server';
 import { Readable } from 'stream';
@@ -1506,6 +1515,29 @@ describe('setup contract', () => {
       }
     });
 
+    test('registers routes with expected options', async () => {
+      const { registerStaticDir } = await server.setup(config);
+      expect(createServer).toHaveBeenCalledTimes(1);
+      const [{ value: myServer }] = (createServer as jest.Mock).mock.results;
+      jest.spyOn(myServer, 'route');
+      expect(myServer.route).toHaveBeenCalledTimes(0);
+      registerStaticDir('/static/{path*}', assetFolder);
+      expect(myServer.route).toHaveBeenCalledTimes(1);
+      expect(myServer.route).toHaveBeenNthCalledWith(
+        1,
+        expect.objectContaining({
+          options: {
+            app: { access: 'public' },
+            auth: false,
+            cache: {
+              privacy: 'public',
+              otherwise: 'must-revalidate',
+            },
+          },
+        })
+      );
+    });
+
     test('does not throw if called after stop', async () => {
       const { registerStaticDir } = await server.setup(config);
       await server.stop();

diff --git a/packages/core/http/core-http-server-internal/src/http_server.ts b/packages/core/http/core-http-server-internal/src/http_server.ts
@@ -587,6 +587,7 @@ export class HttpServer {
         },
       },
       options: {
+        app: { access: 'public' },
         auth: false,
         cache: {
           privacy: 'public',

diff --git a/packages/core/i18n/core-i18n-server-internal/src/routes/translations.test.ts b/packages/core/i18n/core-i18n-server-internal/src/routes/translations.test.ts
@@ -0,0 +1,23 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { mockRouter } from '@kbn/core-http-router-server-mocks';
+import { registerTranslationsRoute } from './translations';
+
+describe('registerTranslationsRoute', () => {
+  test('registers route with expected options', () => {
+    const router = mockRouter.create();
+    registerTranslationsRoute(router, 'en');
+    expect(router.get).toHaveBeenCalledTimes(1);
+    expect(router.get).toHaveBeenNthCalledWith(
+      1,
+      expect.objectContaining({ options: { access: 'public', authRequired: false } }),
+      expect.any(Function)
+    );
+  });
+});
diff --git a/packages/core/i18n/core-i18n-server-internal/src/routes/translations.ts b/packages/core/i18n/core-i18n-server-internal/src/routes/translations.ts
@@ -28,6 +28,7 @@ export const registerTranslationsRoute = (router: IRouter, locale: string) => {
         }),
       },
       options: {
+        access: 'public',
         authRequired: false,
       },
     },

diff --git a/packages/core/i18n/core-i18n-server-internal/tsconfig.json b/packages/core/i18n/core-i18n-server-internal/tsconfig.json
@@ -25,6 +25,7 @@
     "@kbn/i18n",
     "@kbn/std",
     "@kbn/repo-packages",
+    "@kbn/core-http-router-server-mocks",
   ],
   "exclude": [
     "target/**/*",

diff --git a/...e/rendering/core-rendering-server-internal/src/bootstrap/register_bootstrap_route.test.ts b/...e/rendering/core-rendering-server-internal/src/bootstrap/register_bootstrap_route.test.ts
@@ -0,0 +1,31 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { registerBootstrapRoute } from './register_bootstrap_route';
+import { mockRouter } from '@kbn/core-http-router-server-mocks';
+
+describe('registerBootstrapRoute', () => {
+  test('register with expected options', () => {
+    const router = mockRouter.create();
+    const renderer = jest.fn();
+    registerBootstrapRoute({ router, renderer });
+    expect(router.get).toHaveBeenCalledTimes(2);
+    expect(router.get).toHaveBeenNthCalledWith(
+      1,
+      expect.objectContaining({ options: { access: 'public', tags: ['api'] } }),
+      expect.any(Function)
+    );
+    expect(router.get).toHaveBeenNthCalledWith(
+      2,
+      expect.objectContaining({
+        options: { access: 'public', tags: ['api'], authRequired: 'optional' },
+      }),
+      expect.any(Function)
+    );
+  });
+});
diff --git a/...s/core/rendering/core-rendering-server-internal/src/bootstrap/register_bootstrap_route.ts b/...s/core/rendering/core-rendering-server-internal/src/bootstrap/register_bootstrap_route.ts
@@ -21,6 +21,7 @@ export const registerBootstrapRoute = ({
       path: '/bootstrap.js',
       options: {
         tags: ['api'],
+        access: 'public',
       },
       validate: false,
     },
@@ -44,6 +45,7 @@ export const registerBootstrapRoute = ({
       options: {
         authRequired: 'optional',
         tags: ['api'],
+        access: 'public',
       },
       validate: false,
     },

diff --git a/packages/core/status/core-status-server-internal/src/routes/status.ts b/packages/core/status/core-status-server-internal/src/routes/status.ts
@@ -83,6 +83,7 @@ export const registerStatusRoute = ({
       options: {
         authRequired: 'optional',
         tags: ['api'], // ensures that unauthenticated calls receive a 401 rather than a 302 redirect to login page
+        access: 'public', // needs to be public to allow access from "system" users like k8s readiness probes.
       },
       validate: {
         query: schema.object(

diff --git a/packages/core/status/core-status-server-internal/src/routes/status_preboot.ts b/packages/core/status/core-status-server-internal/src/routes/status_preboot.ts
@@ -17,6 +17,7 @@ export const registerPrebootStatusRoute = ({ router }: { router: IRouter }) => {
       options: {
         authRequired: false,
         tags: ['api'],
+        access: 'public', // needs to be public to allow access from "system" users like k8s readiness probes.
       },
       validate: false,
     },

diff --git a/packages/core/status/core-status-server-internal/src/status_service.test.ts b/packages/core/status/core-status-server-internal/src/status_service.test.ts
@@ -82,7 +82,7 @@ describe('StatusService', () => {
       expect(prebootRouterMock.get).toHaveBeenCalledWith(
         {
           path: '/api/status',
-          options: { authRequired: false, tags: ['api'] },
+          options: { authRequired: false, tags: ['api'], access: 'public' },
           validate: false,
         },
         expect.any(Function)

diff --git a/packages/kbn-cases-components/src/status/types.ts b/packages/kbn-cases-components/src/status/types.ts
@@ -6,6 +6,14 @@
  * Side Public License, v 1.
  */
 
+/**
+ * This is being used by Cases in
+ * x-pack/plugins/cases/common/types/domain/case/v1.ts.
+ * Introducing a breaking change in this enum will
+ * force cases to create a version of the domain object
+ * which in turn will force cases to create a new version
+ * to most of the Cases APIs.
+ */
 export enum CaseStatuses {
   open = 'open',
   'in-progress' = 'in-progress',

diff --git a/packages/kbn-content-management-utils/index.ts b/packages/kbn-content-management-utils/index.ts
@@ -10,3 +10,4 @@ export * from './src/types';
 export * from './src/schema';
 export * from './src/saved_object_content_storage';
 export * from './src/utils';
+export * from './src/msearch';
diff --git a/packages/kbn-content-management-utils/src/msearch.ts b/packages/kbn-content-management-utils/src/msearch.ts
@@ -0,0 +1,96 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import Boom from '@hapi/boom';
+import { pick } from 'lodash';
+
+import type { StorageContext } from '@kbn/content-management-plugin/server';
+
+import type {
+  SavedObjectsFindResult,
+  SavedObject,
+  SavedObjectReference,
+} from '@kbn/core-saved-objects-api-server';
+
+import type { ServicesDefinitionSet, SOWithMetadata, SOWithMetadataPartial } from './types';
+
+type PartialSavedObject<T> = Omit<SavedObject<Partial<T>>, 'references'> & {
+  references: SavedObjectReference[] | undefined;
+};
+
+interface GetMSearchParams {
+  savedObjectType: string;
+  cmServicesDefinition: ServicesDefinitionSet;
+  allowedSavedObjectAttributes: string[];
+}
+
+function savedObjectToItem<Attributes extends object>(
+  savedObject: SavedObject<Attributes> | PartialSavedObject<Attributes>,
+  allowedSavedObjectAttributes: string[]
+): SOWithMetadata | SOWithMetadataPartial {
+  const {
+    id,
+    type,
+    updated_at: updatedAt,
+    created_at: createdAt,
+    attributes,
+    references,
+    error,
+    namespaces,
+    version,
+  } = savedObject;
+
+  return {
+    id,
+    type,
+    updatedAt,
+    createdAt,
+    attributes: pick(attributes, allowedSavedObjectAttributes),
+    references,
+    error,
+    namespaces,
+    version,
+  };
+}
+
+export interface GetMSearchType<ReturnItem> {
+  savedObjectType: string;
+  toItemResult: (ctx: StorageContext, savedObject: SavedObjectsFindResult) => ReturnItem;
+}
+
+export const getMSearch = <ReturnItem, SOAttributes extends object>({
+  savedObjectType,
+  cmServicesDefinition,
+  allowedSavedObjectAttributes,
+}: GetMSearchParams) => {
+  return {
+    savedObjectType,
+    toItemResult: (ctx: StorageContext, savedObject: SavedObjectsFindResult): ReturnItem => {
+      const transforms = ctx.utils.getTransforms(cmServicesDefinition);
+
+      // Validate DB response and DOWN transform to the request version
+      const { value, error: resultError } = transforms.mSearch.out.result.down<
+        ReturnItem,
+        ReturnItem
+      >(
+        // Ran into a case where a schema was broken by a SO attribute that wasn't part of the definition
+        // so we specify which attributes are allowed
+        savedObjectToItem<SOAttributes>(
+          savedObject as SavedObjectsFindResult<SOAttributes>,
+          allowedSavedObjectAttributes
+        )
+      );
+
+      if (resultError) {
+        throw Boom.badRequest(`Invalid response. ${resultError.message}`);
+      }
+
+      return value;
+    },
+  };
+};