[http] api_integration tests handle internal route restriction

packages/core/http/core-http-server-internal/src/http_config.test.ts

@@ -525,23 +525,27 @@ describe('versioned', () => {
 });
 
 describe('restrictInternalApis', () => {
-  it('is only allowed on serverless', () => {
-    expect(() => config.schema.validate({ restrictInternalApis: false }, {})).toThrow(
-      /a value wasn't expected/
-    );
-    expect(() => config.schema.validate({ restrictInternalApis: true }, {})).toThrow(
-      /a value wasn't expected/
-    );
+  it('is allowed on serverless and traditional', () => {
+    expect(() => config.schema.validate({ restrictInternalApis: false }, {})).not.toThrow();
+    expect(() => config.schema.validate({ restrictInternalApis: true }, {})).not.toThrow();
     expect(
       config.schema.validate({ restrictInternalApis: true }, { serverless: true })
     ).toMatchObject({
       restrictInternalApis: true,
     });
+    expect(
+      config.schema.validate({ restrictInternalApis: true }, { traditional: true })
+    ).toMatchObject({
+      restrictInternalApis: true,
+    });
   });
   it('defaults to false', () => {
     expect(
       config.schema.validate({ restrictInternalApis: undefined }, { serverless: true })
     ).toMatchObject({ restrictInternalApis: false });
+    expect(
+      config.schema.validate({ restrictInternalApis: undefined }, { traditional: true })
+    ).toMatchObject({ restrictInternalApis: false });
   });
 });
 

packages/core/http/core-http-server-internal/src/http_config.ts

@@ -208,6 +208,7 @@ const configSchema = schema.object(
     // allow access to internal routes by default to prevent breaking changes in current offerings
     restrictInternalApis: offeringBasedSchema({
       serverless: schema.boolean({ defaultValue: false }),
+      traditional: schema.boolean({ defaultValue: false }),
     }),
 
     versioned: schema.object({

packages/core/http/core-http-server/src/router/route.ts

@@ -107,7 +107,7 @@ export interface RouteConfigOptionsBody {
  * Public routes are stable and intended for external access and are subject to
  * stricter change management and have long term maintenance windows.
  *
- * @remark On serverless access to internal routes is restricted.
+ * @remark as of 9.0, access to internal routes is restricted by default. See https://github.com/elastic/kibana/issues/163654.
  */
 export type RouteAccess = 'public' | 'internal';
 

test/analytics/config.ts

@@ -36,6 +36,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
       serverArgs: [
         ...functionalConfig.get('kbnTestServer.serverArgs'),
         '--telemetry.optIn=true',
+        '--server.restrictInternalApis=false',
         `--plugin-path=${path.resolve(__dirname, './plugins/analytics_plugin_a')}`,
         `--plugin-path=${path.resolve(__dirname, './plugins/analytics_ftr_helpers')}`,
       ],

test/analytics/services/kibana_ebt.ts

@@ -9,6 +9,7 @@
 
 import '@kbn/analytics-ftr-helpers-plugin/public/types';
 import type { EBTHelpersContract } from '@kbn/analytics-ftr-helpers-plugin/common/types';
+import { X_ELASTIC_INTERNAL_ORIGIN_REQUEST } from '@kbn/core-http-common';
 import type { FtrProviderContext } from '../../functional/ftr_provider_context';
 
 export function KibanaEBTServerProvider({ getService }: FtrProviderContext): EBTHelpersContract {
@@ -18,6 +19,7 @@ export function KibanaEBTServerProvider({ getService }: FtrProviderContext): EBT
     await supertest
       .post(`/internal/analytics_ftr_helpers/opt_in`)
       .set('kbn-xsrf', 'xxx')
+      .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
       .query({ consent: optIn })
       .expect(200);
   };
@@ -38,6 +40,7 @@ export function KibanaEBTServerProvider({ getService }: FtrProviderContext): EBT
           fromTimestamp,
         })
         .set('kbn-xsrf', 'xxx')
+        .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
         .expect(200);
 
       return resp.body;
@@ -48,6 +51,7 @@ export function KibanaEBTServerProvider({ getService }: FtrProviderContext): EBT
         .get(`/internal/analytics_ftr_helpers/count_events`)
         .query({ eventTypes: JSON.stringify(eventTypes), withTimeoutMs, fromTimestamp })
         .set('kbn-xsrf', 'xxx')
+        .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
         .expect(200);
 
       return resp.body.count;

test/analytics/tests/analytics_from_the_server.ts

@@ -10,6 +10,7 @@
 import expect from '@kbn/expect';
 import type { Event, TelemetryCounter } from '@kbn/core/server';
 import type { Action } from '@kbn/analytics-plugin-a-plugin/server/custom_shipper';
+import { X_ELASTIC_INTERNAL_ORIGIN_REQUEST } from '@kbn/core-http-common';
 import type { FtrProviderContext } from '../services';
 
 export default function ({ getService }: FtrProviderContext) {
@@ -23,6 +24,7 @@ export default function ({ getService }: FtrProviderContext) {
       .get(`/internal/analytics_plugin_a/stats`)
       .query({ takeNumberOfCounters, eventType: 'test-plugin-lifecycle' })
       .set('kbn-xsrf', 'xxx')
+      .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
       .expect(200);
 
     return resp.body;
@@ -32,6 +34,7 @@ export default function ({ getService }: FtrProviderContext) {
     const resp = await supertest
       .get(`/internal/analytics_plugin_a/actions`)
       .set('kbn-xsrf', 'xxx')
+      .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
       .expect(200);
 
     return resp.body;

test/api_integration/apis/console/autocomplete_entities.ts

@@ -8,14 +8,18 @@
  */
 
 import expect from '@kbn/expect';
+import { X_ELASTIC_INTERNAL_ORIGIN_REQUEST } from '@kbn/core-http-common';
 import type { FtrProviderContext } from '../../ftr_provider_context';
 
 export default ({ getService }: FtrProviderContext) => {
   const console = getService('console');
   const supertest = getService('supertest');
 
   const sendRequest = (query: object) =>
-    supertest.get('/api/console/autocomplete_entities').query(query);
+    supertest
+      .get('/api/console/autocomplete_entities')
+      .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
+      .query(query);
 
   describe('/api/console/autocomplete_entities', function () {
     const indexName = 'test-index-1';

test/api_integration/apis/console/es_config.ts

@@ -8,6 +8,7 @@
  */
 
 import expect from '@kbn/expect';
+import { X_ELASTIC_INTERNAL_ORIGIN_REQUEST } from '@kbn/core-http-common';
 import { FtrProviderContext } from '../../ftr_provider_context';
 
 export default function ({ getService }: FtrProviderContext) {
@@ -18,6 +19,7 @@ export default function ({ getService }: FtrProviderContext) {
       const { body } = await supertest
         .get('/api/console/es_config')
         .set('kbn-xsrf', 'true')
+        .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
         .expect(200);
       expect(body.host).to.be.ok();
     });

test/api_integration/apis/console/proxy_route.ts

@@ -8,6 +8,7 @@
  */
 
 import expect from '@kbn/expect';
+import { X_ELASTIC_INTERNAL_ORIGIN_REQUEST } from '@kbn/core-http-common';
 import { FtrProviderContext } from '../../ftr_provider_context';
 
 export default function ({ getService }: FtrProviderContext) {
@@ -19,6 +20,7 @@ export default function ({ getService }: FtrProviderContext) {
         return await supertest
           .post('/api/console/proxy?method=GET&path=/.kibana/_settings')
           .set('kbn-xsrf', 'true')
+          .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
           .then((response) => {
             expect(response.header).to.have.property('warning');
             const { warning } = response.header as { warning: string };
@@ -28,12 +30,12 @@ export default function ({ getService }: FtrProviderContext) {
       });
 
       it('does not forward x-elastic-product-origin', async () => {
-        // If we pass the header and we still get the warning back, we assume that the header was not forwarded.
         return await supertest
           .post('/api/console/proxy?method=GET&path=/.kibana/_settings')
           .set('kbn-xsrf', 'true')
           .set('x-elastic-product-origin', 'kibana')
           .then((response) => {
+            expect(response.header).to.have.property('connection', 'close');
             expect(response.header).to.have.property('warning');
             const { warning } = response.header as { warning: string };
             expect(warning.startsWith('299')).to.be(true);

test/api_integration/apis/core/capabilities.ts

@@ -8,6 +8,7 @@
  */
 
 import expect from '@kbn/expect';
+import { X_ELASTIC_INTERNAL_ORIGIN_REQUEST } from '@kbn/core-http-common';
 import { FtrProviderContext } from '../../ftr_provider_context';
 
 export default function ({ getService }: FtrProviderContext) {
@@ -17,6 +18,7 @@ export default function ({ getService }: FtrProviderContext) {
     it(`returns a 400 when an invalid app id is provided`, async () => {
       const { body } = await supertest
         .post('/api/core/capabilities')
+        .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
         .send({
           applications: ['dashboard', 'discover', 'bad%app'],
         })

test/api_integration/apis/custom_integration/integrations.ts

@@ -8,6 +8,7 @@
  */
 
 import expect from '@kbn/expect';
+import { X_ELASTIC_INTERNAL_ORIGIN_REQUEST } from '@kbn/core-http-common';
 import { FtrProviderContext } from '../../ftr_provider_context';
 
 export default function ({ getService }: FtrProviderContext) {
@@ -19,6 +20,7 @@ export default function ({ getService }: FtrProviderContext) {
         const resp = await supertest
           .get(`/internal/customIntegrations/appendCustomIntegrations`)
           .set('kbn-xsrf', 'kibana')
+          .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
           .expect(200);
 
         expect(resp.body).to.be.an('array');
@@ -37,6 +39,7 @@ export default function ({ getService }: FtrProviderContext) {
         const resp = await supertest
           .get(`/internal/customIntegrations/replacementCustomIntegrations`)
           .set('kbn-xsrf', 'kibana')
+          .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
           .expect(200);
 
         expect(resp.body).to.be.an('array');

test/api_integration/apis/data_view_field_editor/field_preview.ts

@@ -9,7 +9,10 @@
 
 import expect from '@kbn/expect';
 
-import { ELASTIC_HTTP_VERSION_HEADER } from '@kbn/core-http-common';
+import {
+  ELASTIC_HTTP_VERSION_HEADER,
+  X_ELASTIC_INTERNAL_ORIGIN_REQUEST,
+} from '@kbn/core-http-common';
 import { getErrorCodeFromErrorReason } from '@kbn/data-view-field-editor-plugin/public/lib/runtime_field_validation';
 import {
   FIELD_PREVIEW_PATH,
@@ -92,6 +95,7 @@ export default function ({ getService }: FtrProviderContext) {
             .set(ELASTIC_HTTP_VERSION_HEADER, INITIAL_REST_VERSION)
             .send(payload)
             .set('kbn-xsrf', 'xxx')
+            .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
             .expect(200);
 
           expect(response.values).eql([test.expected]);
@@ -109,6 +113,7 @@ export default function ({ getService }: FtrProviderContext) {
             index: INDEX_NAME,
           })
           .set('kbn-xsrf', 'xxx')
+          .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
           .expect(400);
       });
 
@@ -121,6 +126,7 @@ export default function ({ getService }: FtrProviderContext) {
             index: INDEX_NAME,
           })
           .set('kbn-xsrf', 'xxx')
+          .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
           .expect(400);
       });
 
@@ -133,6 +139,7 @@ export default function ({ getService }: FtrProviderContext) {
             context: 'keyword_field',
           })
           .set('kbn-xsrf', 'xxx')
+          .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
           .expect(400);
       });
     });
@@ -150,7 +157,8 @@ export default function ({ getService }: FtrProviderContext) {
             context: 'keyword_field',
             index: INDEX_NAME,
           })
-          .set('kbn-xsrf', 'xxx');
+          .set('kbn-xsrf', 'xxx')
+          .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana');
 
         const errorCode = getErrorCodeFromErrorReason(response.error?.caused_by?.reason);
 

test/api_integration/apis/data_views/deprecations/scripted_fields.ts

@@ -9,6 +9,7 @@
 
 import expect from '@kbn/expect';
 import type { DeprecationsGetResponse } from '@kbn/core/server';
+import { X_ELASTIC_INTERNAL_ORIGIN_REQUEST } from '@kbn/core-http-common';
 import { FtrProviderContext } from '../../../ftr_provider_context';
 
 export default function ({ getService }: FtrProviderContext) {
@@ -28,7 +29,9 @@ export default function ({ getService }: FtrProviderContext) {
     });
 
     it('no scripted fields deprecations', async () => {
-      const { body } = await supertest.get('/api/deprecations/');
+      const { body } = await supertest
+        .get('/api/deprecations/')
+        .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana');
 
       const { deprecations } = body as DeprecationsGetResponse;
       const dataPluginDeprecations = deprecations.filter(
@@ -40,27 +43,32 @@ export default function ({ getService }: FtrProviderContext) {
 
     it('scripted field deprecation', async () => {
       const title = `basic_index`;
-      await supertest.post('/api/index_patterns/index_pattern').send({
-        index_pattern: {
-          title,
-          fields: {
-            foo: {
-              name: 'foo',
-              type: 'string',
-              scripted: true,
-              script: "doc['field_name'].value",
-            },
-            bar: {
-              name: 'bar',
-              type: 'number',
-              scripted: true,
-              script: "doc['field_name'].value",
+      await supertest
+        .post('/api/index_patterns/index_pattern')
+        .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
+        .send({
+          index_pattern: {
+            title,
+            fields: {
+              foo: {
+                name: 'foo',
+                type: 'string',
+                scripted: true,
+                script: "doc['field_name'].value",
+              },
+              bar: {
+                name: 'bar',
+                type: 'number',
+                scripted: true,
+                script: "doc['field_name'].value",
+              },
             },
           },
-        },
-      });
+        });
 
-      const { body } = await supertest.get('/api/deprecations/');
+      const { body } = await supertest
+        .get('/api/deprecations/')
+        .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana');
       const { deprecations } = body as DeprecationsGetResponse;
       const dataPluginDeprecations = deprecations.filter(
         ({ domainId }) => domainId === 'dataViews'