diff --git a/x-pack/platform/plugins/shared/fleet/common/http_authorization_header.ts b/x-pack/platform/plugins/shared/fleet/common/http_authorization_header.ts
deleted file mode 100644
index 0a209f5bc4eba..0000000000000
--- a/x-pack/platform/plugins/shared/fleet/common/http_authorization_header.ts
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import type { KibanaRequest } from '@kbn/core/server';
-
-// Extended version of x-pack/plugins/security/server/authentication/http_authentication/http_authorization_header.ts
-// to prevent bundle being required in security_solution
-export class HTTPAuthorizationHeader {
- /**
- * The authentication scheme. Should be consumed in a case-insensitive manner.
- * https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml#authschemes
- */
- readonly scheme: string;
-
- /**
- * The authentication credentials for the scheme.
- */
- readonly credentials: string;
-
- /**
- * The authentication credentials for the scheme.
- */
- readonly username: string | undefined;
-
- constructor(scheme: string, credentials: string, username?: string) {
- this.scheme = scheme;
- this.credentials = credentials;
- this.username = username;
- }
-
- /**
- * Parses request's `Authorization` HTTP header if present.
- * @param request Request instance to extract the authorization header from.
- */
- static parseFromRequest(request: KibanaRequest, username?: string) {
- const authorizationHeaderValue = request.headers.authorization;
- if (!authorizationHeaderValue || typeof authorizationHeaderValue !== 'string') {
- return null;
- }
-
- const [scheme] = authorizationHeaderValue.split(/\s+/);
- const credentials = authorizationHeaderValue.substring(scheme.length + 1);
-
- return new HTTPAuthorizationHeader(scheme, credentials, username);
- }
-
- toString() {
- return `${this.scheme} ${this.credentials}`;
- }
-
- getUsername() {
- return this.username;
- }
-}
diff --git a/x-pack/platform/plugins/shared/fleet/moon.yml b/x-pack/platform/plugins/shared/fleet/moon.yml
index 200303537ae1a..53a06ac630cbe 100644
--- a/x-pack/platform/plugins/shared/fleet/moon.yml +++ b/x-pack/platform/plugins/shared/fleet/moon.yml @@ -103,7 +103,6 @@ dependsOn: - '@kbn/reporting-public' - '@kbn/field-formats-plugin' - '@kbn/core-security-server' - - '@kbn/core-http-server-utils' - '@kbn/core-notifications-browser-mocks' - '@kbn/handlebars' - '@kbn/lock-manager' diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/agent_policy/handlers.ts b/x-pack/platform/plugins/shared/fleet/server/routes/agent_policy/handlers.ts index bf61c40e33341..e55cc493fc53d 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/agent_policy/handlers.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/agent_policy/handlers.ts @@ -14,8 +14,6 @@ import { isEmpty, uniq } from 'lodash'; import { ALL_SPACES_ID, FIPS_AGENT_KUERY, inputsFormat } from '../../../common/constants'; -import { HTTPAuthorizationHeader } from '../../../common/http_authorization_header'; - import { fullAgentPolicyToYaml } from '../../../common/services'; import { appContextService, @@ -360,7 +358,6 @@ export const createAgentPolicyHandler: FleetRequestHandler< const { has_fleet_server: hasFleetServer, force, ...newPolicy } = request.body; const spaceId = fleetContext.spaceId; - const authorizationHeader = HTTPAuthorizationHeader.parseFromRequest(request, user?.username); const { space_ids: spaceIds } = request.body; logger.debug(`Creating agent policy [${newPolicy.name}]`); @@ -399,7 +396,7 @@ export const createAgentPolicyHandler: FleetRequestHandler< monitoringEnabled, spaceId, user, - authorizationHeader, + request, force, }); diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/epm/bulk_handler.ts b/x-pack/platform/plugins/shared/fleet/server/routes/epm/bulk_handler.ts index 25d594b2439a9..d6cba05339f72 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/epm/bulk_handler.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/epm/bulk_handler.ts 
@@ -17,7 +17,6 @@ import type { FleetRequestHandler, GetOneBulkOperationPackagesRequestSchema, } from '../../types'; -import { HTTPAuthorizationHeader } from '../../../common/http_authorization_header'; import type { BulkOperationPackagesResponse, @@ -66,20 +65,21 @@ export const postBulkUpgradePackagesHandler: FleetRequestHandler< const fleetContext = await context.fleet; const savedObjectsClient = fleetContext.internalSoClient; const spaceId = fleetContext.spaceId; - const user = appContextService.getSecurityCore().authc.getCurrentUser(request) || undefined; - const authorizationHeader = HTTPAuthorizationHeader.parseFromRequest(request, user?.username); const taskManagerStart = getTaskManagerStart(); await validateInstalledPackages(savedObjectsClient, request.body.packages, 'upgrade'); - const taskId = await scheduleBulkUpgrade(taskManagerStart, { - authorizationHeader, - spaceId, - packages: request.body.packages, - upgradePackagePolicies: request.body.upgrade_package_policies, - force: request.body.force, - prerelease: request.body.prerelease, - }); + const taskId = await scheduleBulkUpgrade( + taskManagerStart, + { + spaceId, + packages: request.body.packages, + upgradePackagePolicies: request.body.upgrade_package_policies, + force: request.body.force, + prerelease: request.body.prerelease, + }, + request + ); const body: BulkOperationPackagesResponse = { taskId, @@ -98,10 +98,14 @@ export const postBulkUninstallPackagesHandler: FleetRequestHandler< const taskManagerStart = getTaskManagerStart(); await validateInstalledPackages(savedObjectsClient, request.body.packages, 'uninstall'); - const taskId = await scheduleBulkUninstall(taskManagerStart, { - packages: request.body.packages, - force: request.body.force, - }); + const taskId = await scheduleBulkUninstall( + taskManagerStart, + { + packages: request.body.packages, + force: request.body.force, + }, + request + ); const body: BulkOperationPackagesResponse = { taskId, 
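Review bot: All three schedulers now receive `request` as a bare third argument, including `scheduleBulkUninstall` in the `-98` hunk and `scheduleBulkRollback` in the `-158` hunk, neither of which was handed an authorization header by its handler before. Nothing in these hunks says what the scheduler takes from the request or how long anything derived from it lives; the scheduler signatures are outside this part of the diff. A short comment at each call site would make the intent reviewable, for example `// request is only used to authorize the scheduled task; it must not be copied into task params`, adjusted to what the scheduler actually does.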
@@ -158,14 +162,18 @@ export const postBulkRollbackPackagesHandler: FleetRequestHandler< const taskManagerStart = getTaskManagerStart(); await validateInstalledPackages(savedObjectsClient, request.body.packages, 'rollback'); - const taskId = await scheduleBulkRollback(taskManagerStart, { - packages: request.body.packages, - spaceId, - packagePolicyIdsForCurrentUser: await getPackagePolicyIdsForCurrentUser( - request, - request.body.packages - ), - }); + const taskId = await scheduleBulkRollback( + taskManagerStart, + { + packages: request.body.packages, + spaceId, + packagePolicyIdsForCurrentUser: await getPackagePolicyIdsForCurrentUser( + request, + request.body.packages + ), + }, + request + ); const body: BulkOperationPackagesResponse = { taskId, diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/epm/handlers.ts b/x-pack/platform/plugins/shared/fleet/server/routes/epm/handlers.ts index f4d345c49bc15..e3d97a6ceeaa4 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/epm/handlers.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/epm/handlers.ts @@ -14,7 +14,6 @@ import { omit, pick } from 'lodash'; import { PACKAGE_POLICY_SAVED_OBJECT_TYPE } from '../../../common'; -import { HTTPAuthorizationHeader } from '../../../common/http_authorization_header'; import { generateTransformSecondaryAuthHeaders } from '../../services/api_keys/transform_api_keys'; import { handleTransformReauthorizeAndStart } from '../../services/epm/elasticsearch/transform/reauthorize'; 
@@ -335,12 +334,9 @@ export const installPackageFromRegistryHandler: FleetRequestHandler< const fleetContext = await context.fleet; const savedObjectsClient = fleetContext.internalSoClient; const esClient = coreContext.elasticsearch.client.asInternalUser; - const user = appContextService.getSecurityCore().authc.getCurrentUser(request) || undefined; const { pkgName, pkgVersion } = request.params; - const authorizationHeader = HTTPAuthorizationHeader.parseFromRequest(request, user?.username); - const spaceId = fleetContext.spaceId; const installSource = 'registry'; const res = await installPackage({ @@ -352,7 +348,7 @@ export const installPackageFromRegistryHandler: FleetRequestHandler< force: request.body?.force, ignoreConstraints: request.body?.ignore_constraints, prerelease: request.query?.prerelease, - authorizationHeader, + request, ignoreMappingUpdateErrors: request.query?.ignoreMappingUpdateErrors, skipDataStreamRollover: request.query?.skipDataStreamRollover, }); @@ -380,9 +376,7 @@ export const createCustomIntegrationHandler: FleetRequestHandler< const fleetContext = await context.fleet; const savedObjectsClient = fleetContext.internalSoClient; const esClient = coreContext.elasticsearch.client.asInternalUser; - const user = appContextService.getSecurityCore().authc.getCurrentUser(request) || undefined; const kibanaVersion = appContextService.getKibanaVersion(); - const authorizationHeader = HTTPAuthorizationHeader.parseFromRequest(request, user?.username); const spaceId = fleetContext.spaceId; const { integrationName, force, datasets } = request.body; const installSource = 'custom'; @@ -395,7 +389,7 @@ export const createCustomIntegrationHandler: FleetRequestHandler< esClient, spaceId, force, - authorizationHeader, + request, kibanaVersion, }); 
@@ -481,8 +475,6 @@ export const bulkInstallPackagesFromRegistryHandler: FleetRequestHandler< const savedObjectsClient = fleetContext.internalSoClient; const esClient = coreContext.elasticsearch.client.asInternalUser; const spaceId = fleetContext.spaceId; - const user = appContextService.getSecurityCore().authc.getCurrentUser(request) || undefined; - const authorizationHeader = HTTPAuthorizationHeader.parseFromRequest(request, user?.username); const bulkInstalledResponses = await bulkInstallPackages({ savedObjectsClient, @@ -491,7 +483,7 @@ export const bulkInstallPackagesFromRegistryHandler: FleetRequestHandler< spaceId, prerelease: request.query.prerelease, force: request.body.force, - authorizationHeader, + request, }); const payload = bulkInstalledResponses.map(bulkInstallServiceResponseToHttpEntry); const body: BulkInstallPackagesResponse = { @@ -512,8 +504,6 @@ export const installPackageByUploadHandler: FleetRequestHandler< const contentType = request.headers['content-type'] as string; // from types it could also be string[] or undefined but this is checked later const archiveBuffer = Buffer.from(request.body); const spaceId = fleetContext.spaceId; - const user = appContextService.getSecurityCore().authc.getCurrentUser(request) || undefined; - const authorizationHeader = HTTPAuthorizationHeader.parseFromRequest(request, user?.username); const installSource = 'upload'; const res = await installPackage({ installSource, @@ -522,7 +512,7 @@ export const installPackageByUploadHandler: FleetRequestHandler< archiveBuffer, spaceId, contentType, - authorizationHeader, + request, ignoreMappingUpdateErrors: request.query?.ignoreMappingUpdateErrors, skipDataStreamRollover: request.query?.skipDataStreamRollover, }); 
@@ -616,9 +606,8 @@ export const reauthorizeTransformsHandler: FleetRequestHandler< } const logger = appContextService.getLogger(); - const authorizationHeader = HTTPAuthorizationHeader.parseFromRequest(request, username); const secondaryAuth = await generateTransformSecondaryAuthHeaders({ - authorizationHeader, + request, logger, username, pkgName, diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/epm/install_assets_handler.ts b/x-pack/platform/plugins/shared/fleet/server/routes/epm/install_assets_handler.ts index 52ab7edccc0cd..6597c39f9441c 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/epm/install_assets_handler.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/epm/install_assets_handler.ts @@ -8,7 +8,7 @@ import type { KibanaRequest } from '@kbn/core/server'; import type { TypeOf } from '@kbn/config-schema'; -import { FleetError, FleetNotFoundError, FleetUnauthorizedError } from '../../errors'; +import { FleetError, FleetNotFoundError } from '../../errors'; import { appContextService } from '../../services'; import { deleteKibanaAssetsAndReferencesForSpace, @@ -26,7 +26,6 @@ import type { } from '../../types'; import { createArchiveIteratorFromMap } from '../../services/epm/archive/archive_iterator'; import { stepCreateAlertingRules } from '../../services/epm/packages/install_state_machine/steps/step_create_alerting_rules'; -import { HTTPAuthorizationHeader } from '../../../common/http_authorization_header'; export async function checkIntegrationsAllPrivilegesForSpaces( request: KibanaRequest, 
@@ -162,13 +161,6 @@ export const installRuleAssetsHandler: FleetRequestHandler< throw new FleetNotFoundError('Requested version is not installed'); } - const user = appContextService.getSecurityCore().authc.getCurrentUser(request) || undefined; - const authorizationHeader = HTTPAuthorizationHeader.parseFromRequest(request, user?.username); - - if (!authorizationHeader) { - throw new FleetUnauthorizedError('Authorization header is missing or invalid'); - } - const { packageInfo } = installedPkgWithAssets; await stepCreateAlertingRules({ @@ -180,7 +172,7 @@ export const installRuleAssetsHandler: FleetRequestHandler< archiveIterator: createArchiveIteratorFromMap(installedPkgWithAssets.assetsMap), }, spaceId, - authorizationHeader, + request, }); return response.ok({ body: { success: true } }); diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/package_policy/handlers.ts b/x-pack/platform/plugins/shared/fleet/server/routes/package_policy/handlers.ts index 8439a44a1728f..dd875069f7adc 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/package_policy/handlers.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/package_policy/handlers.ts @@ -12,8 +12,6 @@ import type { RequestHandler } from '@kbn/core/server'; import { groupBy, isEmpty, isEqual, keyBy, uniq } from 'lodash'; -import { HTTPAuthorizationHeader } from '../../../common/http_authorization_header'; - import { populatePackagePolicyAssignedAgentsCount } from '../../services/package_policies/populate_package_policy_assigned_agents_count'; import { 
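Review bot: `installRuleAssetsHandler` no longer fails closed: the removed `if (!authorizationHeader) throw new FleetUnauthorizedError(...)` was the only visible point where a request without usable credentials was rejected before `stepCreateAlertingRules` ran, and the handler still answers `{ success: true }`. Whether the step now throws, or quietly creates nothing, when no credentials can be derived from `request` is decided outside this hunk; if it skips, the caller gets a success response for rules that were never installed. I would either keep an explicit precondition in the handler or add a test showing that a credential-less request yields an error, and record the contract in a comment such as `// stepCreateAlertingRules must reject, not skip, when no credentials can be derived from request`.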
@@ -230,12 +228,12 @@ export const createPackagePolicyHandler: FleetRequestHandler< const fleetContext = await context.fleet; const soClient = fleetContext.internalSoClient; const esClient = coreContext.elasticsearch.client.asInternalUser; - const user = appContextService.getSecurityCore().authc.getCurrentUser(request) || undefined; + const { force, id, package: pkg, ...newPolicy } = request.body; if ('spaceIds' in newPolicy) { delete newPolicy.spaceIds; } - const authorizationHeader = HTTPAuthorizationHeader.parseFromRequest(request, user?.username); + let wasPackageAlreadyInstalled = false; const spaceId = fleetContext.spaceId; @@ -289,7 +287,6 @@ export const createPackagePolicyHandler: FleetRequestHandler< id, force, spaceId, - authorizationHeader, }, context, request diff --git a/x-pack/platform/plugins/shared/fleet/server/services/agent_policy.ts b/x-pack/platform/plugins/shared/fleet/server/services/agent_policy.ts index d5d90dcc844e7..98f237801bfcc 100644 --- a/x-pack/platform/plugins/shared/fleet/server/services/agent_policy.ts +++ b/x-pack/platform/plugins/shared/fleet/server/services/agent_policy.ts @@ -20,6 +20,7 @@ import type { SavedObjectsUpdateResponse, SavedObjectsFindOptions, Logger, + KibanaRequest, } from '@kbn/core/server'; import { SavedObjectsErrorHelpers } from '@kbn/core/server'; import { SavedObjectsUtils } from '@kbn/core/server'; @@ -43,8 +44,6 @@ import { policyHasSyntheticsIntegration, } from '../../common/services'; -import type { HTTPAuthorizationHeader } from '../../common/http_authorization_header'; - import { LEGACY_AGENT_POLICY_SAVED_OBJECT_TYPE, AGENTS_PREFIX, @@ -422,7 +421,7 @@ class AgentPolicyService { options: { id?: string; user?: AuthenticatedUser; - authorizationHeader?: HTTPAuthorizationHeader | null; + request?: KibanaRequest; skipDeploy?: boolean; hasFleetServer?: boolean; } = {} 
@@ -516,7 +515,7 @@ class AgentPolicyService { monitoringEnabled, spaceId, user, - authorizationHeader, + request, force, forcePackagePolicyCreation, }, @@ -531,7 +530,7 @@ class AgentPolicyService { monitoringEnabled?: string[]; spaceId: string; user?: AuthenticatedUser; - authorizationHeader?: HTTPAuthorizationHeader | null; + request?: KibanaRequest; /** Pass force to all following calls: package install, policy creation */ force?: boolean; /** Pass force only to package policy creation */ @@ -552,7 +551,7 @@ class AgentPolicyService { monitoringEnabled, spaceId, user, - authorizationHeader, + request, force, forcePackagePolicyCreation, }); @@ -578,9 +577,10 @@ class AgentPolicyService { spaceId, user, bumpRevision: false, - authorizationHeader, force, - } + }, + undefined, + request ); createdPackagePolicyIds.push(createdPackagePolicy.id); @@ -962,7 +962,7 @@ class AgentPolicyService { user?: AuthenticatedUser; force?: boolean; spaceId?: string; - authorizationHeader?: HTTPAuthorizationHeader | null; + request?: KibanaRequest; skipValidation?: boolean; bumpRevision?: boolean; requestSpaceId?: string; @@ -1039,7 +1039,7 @@ class AgentPolicyService { esClient, packagesToInstall, spaceId: options?.spaceId || DEFAULT_SPACE_ID, - authorizationHeader: options?.authorizationHeader, + request: options?.request, force: options?.force, }); } diff --git a/x-pack/platform/plugins/shared/fleet/server/services/agent_policy_create.test.ts b/x-pack/platform/plugins/shared/fleet/server/services/agent_policy_create.test.ts index f7f17f840acaf..8679360cd2fdc 100644 --- a/x-pack/platform/plugins/shared/fleet/server/services/agent_policy_create.test.ts +++ b/x-pack/platform/plugins/shared/fleet/server/services/agent_policy_create.test.ts 
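Review bot: The `packagePolicyService.create(...)` call in the `-578` hunk moves the credential-carrying object from a named option to the sixth positional argument, behind a bare `undefined`. Because `request` is optional everywhere in this diff, an omitted or shifted argument would compile cleanly and the install would proceed without the caller's credentials. Label the placeholder, e.g. `undefined, // context` and `request // source of the caller's credentials`, or accept `request` in the options object the way `createAgentPolicyWithPackages` does. The same positional call is added in `createPackagePolicy` in agent_policy_create.ts.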
@@ -16,6 +16,7 @@ import { createAgentPolicyWithPackages } from './agent_policy_create'; import { bulkInstallPackages } from './epm/packages'; import { incrementPackageName } from './package_policies'; import { ensureDefaultEnrollmentAPIKeyForAgentPolicy } from './api_keys'; +import type { KibanaRequest } from '@kbn/core/server'; const mockedAgentPolicyService = agentPolicyService as jest.Mocked; const mockedPackagePolicyService = packagePolicyService as jest.Mocked; @@ -133,6 +134,7 @@ describe('createAgentPolicyWithPackages', () => { withSysMonitoring: true, monitoringEnabled: ['logs', 'metrics'], spaceId: 'default', + request: {} as KibanaRequest, }); expect(response.id).toEqual('fleet-server-policy'); @@ -142,17 +144,22 @@ describe('createAgentPolicyWithPackages', () => { esClient: esClientMock, packagesToInstall: ['fleet_server', 'system', 'elastic_agent'], spaceId: 'default', + request: expect.anything(), }); expect(mockedPackagePolicyService.create).toHaveBeenCalledWith( expect.anything(), expect.anything(), getPackagePolicy('system-1', 'fleet-server-policy'), + expect.anything(), + undefined, expect.anything() ); expect(mockedPackagePolicyService.create).toHaveBeenCalledWith( expect.anything(), expect.anything(), getPackagePolicy('fleet_server-1', 'fleet-server-policy'), + expect.anything(), + undefined, expect.anything() ); }); @@ -167,6 +174,7 @@ describe('createAgentPolicyWithPackages', () => { withSysMonitoring: false, monitoringEnabled: [], spaceId: 'default', + request: {} as KibanaRequest, }); expect(response.id).toEqual('new_id'); @@ -175,11 +183,14 @@ describe('createAgentPolicyWithPackages', () => { esClient: esClientMock, packagesToInstall: ['fleet_server'], spaceId: 'default', + request: expect.anything(), }); expect(mockedPackagePolicyService.create).toHaveBeenCalledWith( expect.anything(), expect.anything(), getPackagePolicy('fleet_server-1', 'new_id'), + expect.anything(), + undefined, expect.anything() ); }); 
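Review bot: The updated expectations use `request: expect.anything()` and a trailing `expect.anything()` on `packagePolicyService.create`, so they pass for any non-null value and do not show that the caller's request is what reaches `bulkInstallPackages` and the package policy service. Since downstream code derives credentials from this object, hold one instance and assert identity: `const request = httpServerMock.createKibanaRequest();`, then `request,` in the expected arguments (transforms.test.ts in this commit already imports `httpServerMock`). That also replaces the `{} as KibanaRequest` casts, which hide the required shape from the type checker. The same applies to the hunks at `-191`, `-199`, `-297`, `-305`, `-323` and `-337`.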
@@ -191,6 +202,7 @@ describe('createAgentPolicyWithPackages', () => { newPolicy: { name: 'Agent policy 1', namespace: 'default' }, withSysMonitoring: true, spaceId: 'default', + request: {} as KibanaRequest, }); expect(response.id).toEqual('new_id'); @@ -199,11 +211,14 @@ describe('createAgentPolicyWithPackages', () => { esClient: esClientMock, packagesToInstall: ['system'], spaceId: 'default', + request: expect.anything(), }); expect(mockedPackagePolicyService.create).toHaveBeenCalledWith( expect.anything(), expect.anything(), getPackagePolicy('system-1', 'new_id'), + expect.anything(), + undefined, expect.anything() ); }); @@ -297,6 +312,7 @@ describe('createAgentPolicyWithPackages', () => { withSysMonitoring: true, spaceId: 'default', monitoringEnabled: ['logs'], + request: {} as KibanaRequest, }); expect(response.id).toEqual('new_id'); @@ -305,11 +321,14 @@ describe('createAgentPolicyWithPackages', () => { esClient: esClientMock, packagesToInstall: ['system', 'elastic_agent'], spaceId: 'default', + request: expect.anything(), }); expect(mockedPackagePolicyService.create).toHaveBeenCalledWith( expect.anything(), expect.anything(), getPackagePolicy('system-1', 'new_id'), + expect.anything(), + undefined, expect.anything() ); }); @@ -323,6 +342,7 @@ describe('createAgentPolicyWithPackages', () => { withSysMonitoring: false, spaceId: 'default', monitoringEnabled: [], + request: {} as KibanaRequest, }); expect(response.id).toEqual('policy-1'); @@ -337,6 +357,7 @@ describe('createAgentPolicyWithPackages', () => { withSysMonitoring: false, spaceId: 'default', monitoringEnabled: [], + request: {} as KibanaRequest, }); expect(response.id).toEqual('policy-1'); diff --git a/x-pack/platform/plugins/shared/fleet/server/services/agent_policy_create.ts b/x-pack/platform/plugins/shared/fleet/server/services/agent_policy_create.ts index 52e8b8d4cd007..ceecd7f318aa9 100644 --- a/x-pack/platform/plugins/shared/fleet/server/services/agent_policy_create.ts 
+++ b/x-pack/platform/plugins/shared/fleet/server/services/agent_policy_create.ts @@ -8,11 +8,11 @@ import type { AuthenticatedUser, ElasticsearchClient, + KibanaRequest, SavedObjectsClientContract, } from '@kbn/core/server'; import { getDefaultFleetServerpolicyId } from '../../common/services/agent_policies_helpers'; -import type { HTTPAuthorizationHeader } from '../../common/http_authorization_header'; import { FLEET_ELASTIC_AGENT_PACKAGE, @@ -69,7 +69,7 @@ async function createPackagePolicy( options: { spaceId: string; user: AuthenticatedUser | undefined; - authorizationHeader?: HTTPAuthorizationHeader | null; + request?: KibanaRequest; force?: boolean; } ) { @@ -97,13 +97,19 @@ async function createPackagePolicy( newPackagePolicy.supports_agentless = agentPolicy.supports_agentless; } - await packagePolicyService.create(soClient, esClient, newPackagePolicy, { - spaceId: options.spaceId, - user: options.user, - bumpRevision: false, - authorizationHeader: options.authorizationHeader, - force: options.force, - }); + await packagePolicyService.create( + soClient, + esClient, + newPackagePolicy, + { + spaceId: options.spaceId, + user: options.user, + bumpRevision: false, + force: options.force, + }, + undefined, + options.request + ); } interface CreateAgentPolicyParams { @@ -116,11 +122,11 @@ interface CreateAgentPolicyParams { monitoringEnabled?: string[]; spaceId: string; user?: AuthenticatedUser; - authorizationHeader?: HTTPAuthorizationHeader | null; /** Pass force to all following calls: package install, policy creation */ force?: boolean; /** Pass force only to package policy creation */ forcePackagePolicyCreation?: boolean; + request?: KibanaRequest; } export async function createAgentPolicyWithPackages({ @@ -133,7 +139,7 @@ export async function createAgentPolicyWithPackages({ monitoringEnabled: monitoringEnabledParams, spaceId, user, - authorizationHeader, + request, force, forcePackagePolicyCreation, }: CreateAgentPolicyParams) { 
@@ -190,7 +196,7 @@ export async function createAgentPolicyWithPackages({ esClient, packagesToInstall, spaceId, - authorizationHeader, + request, force, }); } @@ -204,7 +210,7 @@ export async function createAgentPolicyWithPackages({ { user, id: agentPolicyId, - authorizationHeader, + request, hasFleetServer, skipDeploy: true, // skip deploying the policy until package policies are added } @@ -227,7 +233,7 @@ export async function createAgentPolicyWithPackages({ { spaceId, user, - authorizationHeader, + request, force: force || forcePackagePolicyCreation, } ); @@ -244,7 +250,7 @@ export async function createAgentPolicyWithPackages({ { spaceId, user, - authorizationHeader, + request, force: force || forcePackagePolicyCreation, } ); diff --git a/x-pack/platform/plugins/shared/fleet/server/services/agentless/agentless_policies.ts b/x-pack/platform/plugins/shared/fleet/server/services/agentless/agentless_policies.ts index 5edad8cab677d..ff0ff7eb0a635 100644 --- a/x-pack/platform/plugins/shared/fleet/server/services/agentless/agentless_policies.ts +++ b/x-pack/platform/plugins/shared/fleet/server/services/agentless/agentless_policies.ts @@ -23,7 +23,6 @@ import { AGENTLESS_AGENT_POLICY_INACTIVITY_TIMEOUT } from '../../../common/const import { simplifiedPackagePolicytoNewPackagePolicy } from '../../../common/services/simplified_package_policy_helper'; -import { HTTPAuthorizationHeader } from '../../../common/http_authorization_header'; import type { PackagePolicyClient } from '../package_policy_service'; import { agentPolicyService } from '../agent_policy'; @@ -100,9 +99,6 @@ export class AgentlessPoliciesServiceImpl implements AgentlessPoliciesService { const user = request ? appContextService.getSecurityCore().authc.getCurrentUser(request) || undefined : undefined; - const authorizationHeader = request - ? HTTPAuthorizationHeader.parseFromRequest(request, user?.username) - : null; const spaceId = this.soClient.getCurrentNamespace() || DEFAULT_SPACE_ID; 
@@ -167,7 +163,7 @@ export class AgentlessPoliciesServiceImpl implements AgentlessPoliciesService { data_output_id: outputId, is_protected: false, }, - { id: agentPolicyId, skipDeploy: true, authorizationHeader, user } + { id: agentPolicyId, skipDeploy: true, request, user } ); createdAgentPolicyId = agentPolicy.id; @@ -221,7 +217,6 @@ export class AgentlessPoliciesServiceImpl implements AgentlessPoliciesService { force, bumpRevision: false, spaceId, - authorizationHeader, user, }, context, diff --git a/x-pack/platform/plugins/shared/fleet/server/services/api_keys/transform_api_keys.ts b/x-pack/platform/plugins/shared/fleet/server/services/api_keys/transform_api_keys.ts index 77c0bc48bf3bc..6229b44ed9636 100644 --- a/x-pack/platform/plugins/shared/fleet/server/services/api_keys/transform_api_keys.ts +++ b/x-pack/platform/plugins/shared/fleet/server/services/api_keys/transform_api_keys.ts @@ -12,15 +12,14 @@ import type { import type { Logger } from '@kbn/logging'; -import { appContextService } from '..'; +import type { KibanaRequest } from '@kbn/core/server'; -import type { HTTPAuthorizationHeader } from '../../../common/http_authorization_header'; +import { appContextService } from '..'; import type { TransformAPIKey, SecondaryAuthorizationHeader, } from '../../../common/types/models/transform_api_key'; -import { createKibanaRequestFromAuth } from '../request_utils'; export function isTransformApiKey(arg: any): arg is TransformAPIKey { return ( 
@@ -33,31 +32,31 @@ export function isTransformApiKey(arg: any): arg is TransformAPIKey { /** This function generates a new API based on current Kibana's user request.headers.authorization * then formats it into a es-secondary-authorization header object - * @param authorizationHeader: + * @param request: The Kibana request to extract authorization from * @param createParams */ export async function generateTransformSecondaryAuthHeaders({ - authorizationHeader, + request, createParams, logger, username, pkgName, pkgVersion, }: { - authorizationHeader: HTTPAuthorizationHeader | null | undefined; + request?: KibanaRequest; logger: Logger; createParams?: CreateRestAPIKeyParams | CreateRestAPIKeyWithKibanaPrivilegesParams; username?: string; pkgName?: string; pkgVersion?: string; }): Promise { - if (!authorizationHeader) { + if (!request) { return; } - const fakeKibanaRequest = createKibanaRequestFromAuth(authorizationHeader); - - const user = username ?? authorizationHeader.getUsername(); + const user = request + ? appContextService.getSecurityCore().authc.getCurrentUser(request)?.username + : undefined; const name = pkgName ? `${pkgName}${pkgVersion ? '-' + pkgVersion : ''}-transform${user ? '-by-' + user : ''}` @@ -71,7 +70,7 @@ export async function generateTransformSecondaryAuthHeaders({ try { const apiKeyWithCurrentUserPermission = await security?.authc.apiKeys.grantAsInternalUser( - fakeKibanaRequest, + request, createParams ?? { name, metadata: { diff --git a/x-pack/platform/plugins/shared/fleet/server/services/epm/elasticsearch/transform/install.ts b/x-pack/platform/plugins/shared/fleet/server/services/epm/elasticsearch/transform/install.ts index f525e66c53ea3..6f9d8e17a2a1a 100644 --- a/x-pack/platform/plugins/shared/fleet/server/services/epm/elasticsearch/transform/install.ts +++ b/x-pack/platform/plugins/shared/fleet/server/services/epm/elasticsearch/transform/install.ts 
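Review bot: In `generateTransformSecondaryAuthHeaders` the `username` argument is still destructured and typed but no longer feeds `user`; the removed line was `username ?? authorizationHeader.getUsername()`, so a caller that supplies it (`reauthorizeTransformsHandler` passes `username` in epm/handlers.ts) is now silently overridden by the session lookup. Keeping the precedence would be `const user = username ?? appContextService.getSecurityCore().authc.getCurrentUser(request)?.username;`, which also drops the `request ? … : undefined` ternary that cannot take its else branch after the `if (!request) return;` guard. The same function reaches the security service through `security?.` a few lines later, so it is worth confirming that the unguarded `getSecurityCore()` call cannot throw in deployments where that optional chaining was needed. The function body continues outside the hunk, so any other use of `username` there is not visible.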
@@ -5,15 +5,18 @@ * 2.0. */ -import type { ElasticsearchClient, Logger, SavedObjectsClientContract } from '@kbn/core/server'; +import type { + ElasticsearchClient, + Logger, + SavedObjectsClientContract, + KibanaRequest, +} from '@kbn/core/server'; import { errors } from '@elastic/elasticsearch'; import { load } from 'js-yaml'; import { isPopulatedObject } from '@kbn/ml-is-populated-object'; import { uniqBy } from 'lodash'; import pMap from 'p-map'; -import type { HTTPAuthorizationHeader } from '../../../../../common/http_authorization_header'; - import type { SecondaryAuthorizationHeader } from '../../../../../common/types/models/transform_api_key'; import { generateTransformSecondaryAuthHeaders } from '../../../api_keys/transform_api_keys'; @@ -54,6 +57,7 @@ import { import { deleteTransforms } from './remove'; import { getDestinationIndexAliases } from './transform_utils'; import { loadMappingForTransform } from './mappings'; +import { appContextService } from '../../../app_context'; const DEFAULT_TRANSFORM_TEMPLATES_PRIORITY = 250; enum TRANSFORM_SPECS_TYPES { @@ -459,10 +463,13 @@ const installTransformsAssets = async ( esReferences: EsAssetReference[] = [], previousInstalledTransformEsAssets: EsAssetReference[] = [], force?: boolean, - authorizationHeader?: HTTPAuthorizationHeader | null + request?: KibanaRequest ) => { let installedTransforms: EsAssetReference[] = []; - const username = authorizationHeader?.getUsername(); + + const username = request + ? appContextService.getSecurityCore().authc.getCurrentUser(request)?.username + : undefined; if (transformPaths.length > 0) { const { 
@@ -490,7 +497,7 @@ const installTransformsAssets = async ( // generate api key, and pass es-secondary-authorization in header when creating the transforms. const secondaryAuth = transforms.some((t) => t.runAsKibanaSystem === false) ? await generateTransformSecondaryAuthHeaders({ - authorizationHeader, + request, logger, pkgName: packageInstallContext.packageInfo.name, pkgVersion: packageInstallContext.packageInfo.version, @@ -669,10 +676,10 @@ interface InstallTransformsParams { */ force?: boolean; /** - * Authorization header parsed from original Kibana request, used to generate API key from user + * Original Kibana request, used to generate API key from user * to pass in secondary authorization info to transform */ - authorizationHeader?: HTTPAuthorizationHeader | null; + request?: KibanaRequest; } export const installTransforms = async ({ packageInstallContext, @@ -681,7 +688,7 @@ export const installTransforms = async ({ logger, force, esReferences, - authorizationHeader, + request, }: InstallTransformsParams) => { const { paths, packageInfo } = packageInstallContext; const transformPaths = paths.filter((path) => isTransform(path)); @@ -733,7 +740,7 @@ export const installTransforms = async ({ esReferences, previousInstalledTransformEsAssets, force, - authorizationHeader + request ); }; diff --git a/x-pack/platform/plugins/shared/fleet/server/services/epm/elasticsearch/transform/transforms.test.ts b/x-pack/platform/plugins/shared/fleet/server/services/epm/elasticsearch/transform/transforms.test.ts index ddf684a6cffc9..4ff1e515e50d4 100644 --- a/x-pack/platform/plugins/shared/fleet/server/services/epm/elasticsearch/transform/transforms.test.ts +++ b/x-pack/platform/plugins/shared/fleet/server/services/epm/elasticsearch/transform/transforms.test.ts 
@@ -8,11 +8,9 @@ import type { SavedObject, SavedObjectsClientContract } from '@kbn/core/server'; import { loggerMock } from '@kbn/logging-mocks'; -import { savedObjectsClientMock } from '@kbn/core/server/mocks'; +import { savedObjectsClientMock, httpServerMock } from '@kbn/core/server/mocks'; import { elasticsearchClientMock } from '@kbn/core-elasticsearch-client-server-mocks'; -import { HTTPAuthorizationHeader } from '../../../../../common/http_authorization_header'; - import { getInstallation, getInstallationObject } from '../../packages'; import type { Installation } from '../../../../types'; import { ElasticsearchAssetType } from '../../../../types'; @@ -38,10 +36,7 @@ describe('test transform install', () => { let esClient: ReturnType; let savedObjectsClient: jest.Mocked; - const authorizationHeader = new HTTPAuthorizationHeader( - 'Basic', - 'bW9uaXRvcmluZ191c2VyOm1scWFfYWRtaW4=' - ); + const mockRequest = httpServerMock.createKibanaRequest(); const getYamlTestData = ( autoStart: boolean | undefined = undefined, transformVersion: string = '0.1.0' @@ -1140,7 +1135,7 @@ _meta: savedObjectsClient, logger: loggerMock.create(), esReferences: previousInstallation.installed_es, - authorizationHeader, + request: mockRequest, }); expect(esClient.transform.putTransform.mock.calls).toEqual([ diff --git a/x-pack/platform/plugins/shared/fleet/server/services/epm/package_service.test.ts b/x-pack/platform/plugins/shared/fleet/server/services/epm/package_service.test.ts index ea7586b9ebd78..efeb68d1bc058 100644 --- a/x-pack/platform/plugins/shared/fleet/server/services/epm/package_service.test.ts +++ b/x-pack/platform/plugins/shared/fleet/server/services/epm/package_service.test.ts @@ -187,8 +187,8 @@ function getTest( force: true, // Undefined es references esReferences: undefined, - // Undefined secondary authorization - authorizationHeader: undefined, + // Undefined request + request: undefined, }, ], spyResponse: { 
diff --git a/x-pack/platform/plugins/shared/fleet/server/services/epm/package_service.ts b/x-pack/platform/plugins/shared/fleet/server/services/epm/package_service.ts index 76fe744c11b6d..82e1677474baf 100644 --- a/x-pack/platform/plugins/shared/fleet/server/services/epm/package_service.ts +++ b/x-pack/platform/plugins/shared/fleet/server/services/epm/package_service.ts @@ -18,8 +18,6 @@ import { DEFAULT_SPACE_ID } from '@kbn/spaces-plugin/common'; import type { TypeOf } from '@kbn/config-schema'; -import { HTTPAuthorizationHeader } from '../../../common/http_authorization_header'; - import type { PackageList } from '../../../common'; import type { @@ -200,8 +198,6 @@ export class PackageServiceImpl implements PackageService { } class PackageClientImpl implements PackageClient { - private authorizationHeader?: HTTPAuthorizationHeader | null = undefined; - constructor( private readonly internalEsClient: ElasticsearchClient, private readonly internalSoClient: SavedObjectsClientContract, @@ -212,13 +208,6 @@ class PackageClientImpl implements PackageClient { private readonly request?: KibanaRequest ) {} - private getAuthorizationHeader() { - if (this.request) { - this.authorizationHeader = HTTPAuthorizationHeader.parseFromRequest(this.request); - return this.authorizationHeader; - } - } - public async getInstallation( pkgName: string, savedObjectsClient: SavedObjectsClientContract = this.internalSoClient @@ -313,7 +302,7 @@ class PackageClientImpl implements PackageClient { esClient: this.internalEsClient, savedObjectsClient: this.internalSoClient, neverIgnoreVerificationError: !force, - authorizationHeader: this.getAuthorizationHeader(), + request: this.request, }); } @@ -457,8 +446,6 @@ class PackageClientImpl implements PackageClient { } async #reinstallTransforms(packageInfo: InstallablePackage, paths: string[]) { - const authorizationHeader = this.getAuthorizationHeader(); - const installation = await this.getInstallation(packageInfo.name); if (!installation) { 
@@ -490,7 +477,7 @@ class PackageClientImpl implements PackageClient { logger: this.logger, force: true, esReferences: undefined, - authorizationHeader, + request: this.request, }); return installedTransforms; } diff --git a/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/bulk_install_packages.ts b/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/bulk_install_packages.ts index dd155da3e6b74..a8a92ca0d27fb 100644 --- a/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/bulk_install_packages.ts +++ b/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/bulk_install_packages.ts @@ -5,13 +5,15 @@ * 2.0. */ -import type { ElasticsearchClient, SavedObjectsClientContract } from '@kbn/core/server'; +import type { + ElasticsearchClient, + SavedObjectsClientContract, + KibanaRequest, +} from '@kbn/core/server'; import pLimit from 'p-limit'; import { uniqBy } from 'lodash'; -import type { HTTPAuthorizationHeader } from '../../../../common/http_authorization_header'; - import { appContextService } from '../../app_context'; import * as Registry from '../registry'; @@ -31,7 +33,7 @@ interface BulkInstallPackagesParams { spaceId: string; preferredSource?: 'registry' | 'bundled'; prerelease?: boolean; - authorizationHeader?: HTTPAuthorizationHeader | null; + request?: KibanaRequest; skipIfInstalled?: boolean; } @@ -42,7 +44,7 @@ export async function bulkInstallPackages({ spaceId, force, prerelease, - authorizationHeader, + request, skipIfInstalled, }: BulkInstallPackagesParams): Promise { const logger = appContextService.getLogger(); @@ -144,7 +146,7 @@ export async function bulkInstallPackages({ spaceId, force, prerelease: prerelease || ('prerelease' in pkgKeyProps && pkgKeyProps.prerelease), - authorizationHeader, + request, skipDataStreamRollover: pkgKeyProps.skipDataStreamRollover, }); 
diff --git a/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/install.ts b/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/install.ts index 13d4a577836e6..fac23d94b2ba6 100644 --- a/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/install.ts +++ b/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/install.ts @@ -16,6 +16,7 @@ import type { SavedObject, SavedObjectsClientContract, Logger, + KibanaRequest, } from '@kbn/core/server'; import { SavedObjectsErrorHelpers } from '@kbn/core/server'; import { DEFAULT_SPACE_ID } from '@kbn/spaces-plugin/common/constants'; @@ -27,7 +28,6 @@ import type { PackageDataStreamTypes, PackageInstallContext, } from '../../../../common/types'; -import type { HTTPAuthorizationHeader } from '../../../../common/http_authorization_header'; import { isPackagePrerelease, getNormalizedDataStreams } from '../../../../common/services'; import { FLEET_INSTALL_FORMAT_VERSION } from '../../../constants/fleet_es_assets'; import { generateESIndexPatterns } from '../elasticsearch/template/template'; @@ -182,7 +182,7 @@ export async function ensureInstalledPackage(options: { pkgVersion?: string; spaceId?: string; force?: boolean; - authorizationHeader?: HTTPAuthorizationHeader | null; + request?: KibanaRequest; }): Promise { const { savedObjectsClient, @@ -191,7 +191,7 @@ export async function ensureInstalledPackage(options: { pkgVersion, force = false, spaceId = DEFAULT_SPACE_ID, - authorizationHeader, + request, } = options; // If pkgVersion isn't specified, find the latest package version @@ -222,7 +222,7 @@ export async function ensureInstalledPackage(options: { esClient, neverIgnoreVerificationError: !force, force: true, // Always force outdated packages to be installed if a later version isn't installed - authorizationHeader, + request, }); if ( 
@@ -276,7 +276,7 @@ export async function handleInstallPackageFailure({ installedPkg, esClient, spaceId, - authorizationHeader, + request, keepFailedInstallation, }: { savedObjectsClient: SavedObjectsClientContract; @@ -286,7 +286,7 @@ export async function handleInstallPackageFailure({ installedPkg: SavedObject | undefined; esClient: ElasticsearchClient; spaceId: string; - authorizationHeader?: HTTPAuthorizationHeader | null; + request?: KibanaRequest; keepFailedInstallation?: boolean; }) { if (error instanceof ConcurrentInstallOperationError) { @@ -343,7 +343,7 @@ export async function handleInstallPackageFailure({ pkgkey, esClient, spaceId, - authorizationHeader, + request, retryFromLastState: true, }); return; @@ -365,7 +365,7 @@ export async function handleInstallPackageFailure({ esClient, spaceId, force: true, - authorizationHeader, + request, }); } } catch (e) { @@ -404,7 +404,7 @@ interface InstallRegistryPackageParams { neverIgnoreVerificationError?: boolean; ignoreConstraints?: boolean; prerelease?: boolean; - authorizationHeader?: HTTPAuthorizationHeader | null; + request?: KibanaRequest; ignoreMappingUpdateErrors?: boolean; skipDataStreamRollover?: boolean; retryFromLastState?: boolean; @@ -424,7 +424,7 @@ interface InstallCustomPackageParams { esClient: ElasticsearchClient; spaceId: string; force?: boolean; - authorizationHeader?: HTTPAuthorizationHeader | null; + request?: KibanaRequest; kibanaVersion: string; } interface InstallUploadedArchiveParams { @@ -434,7 +434,7 @@ interface InstallUploadedArchiveParams { contentType: string; spaceId: string; version?: string; - authorizationHeader?: HTTPAuthorizationHeader | null; + request?: KibanaRequest; ignoreMappingUpdateErrors?: boolean; skipDataStreamRollover?: boolean; isBundledPackage?: boolean; @@ -485,7 +485,7 @@ async function installPackageFromRegistry({ pkgkey, esClient, spaceId, - authorizationHeader, + request, force = false, ignoreConstraints = false, neverIgnoreVerificationError = false, 
@@ -595,7 +595,7 @@ async function installPackageFromRegistry({ packageInstallContext, paths, verificationResult, - authorizationHeader, + request, ignoreMappingUpdateErrors, skipDataStreamRollover, retryFromLastState, @@ -638,7 +638,7 @@ export async function installPackageWithStateMachine(options: { paths: string[]; verificationResult?: PackageVerificationResult; telemetryEvent?: PackageUpdateEvent; - authorizationHeader?: HTTPAuthorizationHeader | null; + request?: KibanaRequest; ignoreMappingUpdateErrors?: boolean; skipDataStreamRollover?: boolean; retryFromLastState?: boolean; @@ -659,7 +659,7 @@ export async function installPackageWithStateMachine(options: { esClient, spaceId, verificationResult, - authorizationHeader, + request, ignoreMappingUpdateErrors, skipDataStreamRollover, packageInstallContext, @@ -785,7 +785,7 @@ export async function installPackageWithStateMachine(options: { spaceId, verificationResult, installSource, - authorizationHeader, + request, force, ignoreMappingUpdateErrors, skipDataStreamRollover, @@ -823,7 +823,7 @@ export async function installPackageWithStateMachine(options: { installedPkg, spaceId, esClient, - authorizationHeader, + request, keepFailedInstallation, }); sendEventWithLatestState( @@ -857,7 +857,7 @@ async function installPackageByUpload({ contentType, spaceId, version, - authorizationHeader, + request, ignoreMappingUpdateErrors, skipDataStreamRollover, isBundledPackage, @@ -940,7 +940,7 @@ async function installPackageByUpload({ spaceId, force: true, // upload has implicit force paths, - authorizationHeader, + request, ignoreMappingUpdateErrors, skipDataStreamRollover, useStreaming, 
@@ -977,7 +977,7 @@ export async function installPackage(args: InstallPackageParams): Promise dataset.name)), version: INITIAL_VERSION, - owner: { github: authorizationHeader?.username ?? 'unknown' }, + owner: { + github: + (request + ? appContextService.getSecurityCore().authc.getCurrentUser(request)?.username + : null) ?? 'unknown', + }, type: 'integration' as const, data_streams: generateDatastreamEntries(datasets, pkgName), }; @@ -1138,7 +1143,7 @@ export async function installCustomPackage( spaceId, force, paths, - authorizationHeader, + request, }); } diff --git a/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/install_state_machine/_state_machine_package_install.ts b/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/install_state_machine/_state_machine_package_install.ts index bae775c66f6e8..35b7eca5c0bdd 100644 --- a/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/install_state_machine/_state_machine_package_install.ts +++ b/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/install_state_machine/_state_machine_package_install.ts @@ -9,12 +9,11 @@ import type { Logger, SavedObject, SavedObjectsClientContract, + KibanaRequest, } from '@kbn/core/server'; import { SavedObjectsErrorHelpers } from '@kbn/core/server'; import { PackageSavedObjectConflictError } from '../../../../errors'; - -import type { HTTPAuthorizationHeader } from '../../../../../common/http_authorization_header'; import { INSTALL_STATES } from '../../../../../common/types'; import type { PackageInstallContext, StateNames, StateContext } from '../../../../../common/types'; import type { PackageAssetReference } from '../../../../types'; 
@@ -75,7 +74,7 @@ export interface InstallContext extends StateContext { spaceId: string; force?: boolean; verificationResult?: PackageVerificationResult; - authorizationHeader?: HTTPAuthorizationHeader | null; + request?: KibanaRequest; ignoreMappingUpdateErrors?: boolean; skipDataStreamRollover?: boolean; retryFromLastState?: boolean; diff --git a/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/install_state_machine/steps/step_create_alerting_rules.test.ts b/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/install_state_machine/steps/step_create_alerting_rules.test.ts index 99817dd061a3a..9f7250b99a1d6 100644 --- a/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/install_state_machine/steps/step_create_alerting_rules.test.ts +++ b/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/install_state_machine/steps/step_create_alerting_rules.test.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { loggingSystemMock, savedObjectsClientMock } from '@kbn/core/server/mocks'; +import { loggingSystemMock, savedObjectsClientMock, httpServerMock } from '@kbn/core/server/mocks'; import { SavedObjectsErrorHelpers } from '@kbn/core/server'; import type { RulesClientApi } from '@kbn/alerting-plugin/server/types'; @@ -152,7 +152,7 @@ describe('stepCreateAlertingRules', () => { rulesClient: {} as any, }, logger: loggingSystemMock.createLogger(), - authorizationHeader: 'Basic abc123', + request: httpServerMock.createKibanaRequest(), }; await stepCreateAlertingRules(context as any); @@ -202,7 +202,7 @@ describe('stepCreateAlertingRules', () => { rulesClient: {} as any, }, logger: loggingSystemMock.createLogger(), - authorizationHeader: 'Basic abc123', + request: httpServerMock.createKibanaRequest(), }; await stepCreateAlertingRules(context as any); 
diff --git a/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/install_state_machine/steps/step_create_alerting_rules.ts b/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/install_state_machine/steps/step_create_alerting_rules.ts index 7ab12d13f12ba..b9751d0f31155 100644 --- a/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/install_state_machine/steps/step_create_alerting_rules.ts +++ b/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/install_state_machine/steps/step_create_alerting_rules.ts @@ -13,7 +13,6 @@ import pMap from 'p-map'; import { FLEET_ELASTIC_AGENT_PACKAGE, FleetError } from '../../../../../../common'; import { type KibanaAssetReference, KibanaSavedObjectType } from '../../../../../../common/types'; -import { createKibanaRequestFromAuth } from '../../../../request_utils'; import { appContextService } from '../../../../app_context'; import { withPackageSpan } from '../../utils'; import type { InstallContext } from '../_state_machine_package_install'; @@ -109,7 +108,7 @@ export async function createAlertingRuleFromTemplate( export async function stepCreateAlertingRules( context: Pick< InstallContext, - 'logger' | 'savedObjectsClient' | 'packageInstallContext' | 'spaceId' | 'authorizationHeader' + 'logger' | 'savedObjectsClient' | 'packageInstallContext' | 'spaceId' | 'request' > ) { const { logger, savedObjectsClient, packageInstallContext, spaceId } = context; @@ -121,10 +120,8 @@ export async function stepCreateAlertingRules( } await withPackageSpan('Install elastic agent rules', async () => { - const rulesClient = context.authorizationHeader - ? await appContextService - .getAlertingStart() - ?.getRulesClientWithRequest(createKibanaRequestFromAuth(context.authorizationHeader)) + const rulesClient = context.request + ? await appContextService.getAlertingStart()?.getRulesClientWithRequest(context.request) : undefined; const alertTemplateAssets: ArchiveAsset[] = []; 
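Review bot: `getRulesClientWithRequest(context.request)` in `stepCreateAlertingRules` now receives the caller's full request, where the removed `createKibanaRequestFromAuth` built a synthetic one with only an `authorization` header and path `/`, so anything the alerting client derives from the request (presumably the space, for one) can differ from before. The step also destructures `spaceId` from the context, and nothing in the hunk ties the two together. A comment above the ternary would record the assumption, for example `// Rules are created with the caller's own request; its space is expected to match spaceId`. The function continues past the end of this hunk.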
diff --git a/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/install_state_machine/steps/step_install_transforms.ts b/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/install_state_machine/steps/step_install_transforms.ts index f91f9fd32dcf9..24d0e2c53ba5c 100644 --- a/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/install_state_machine/steps/step_install_transforms.ts +++ b/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/install_state_machine/steps/step_install_transforms.ts @@ -14,14 +14,7 @@ import { cleanupTransforms } from '../../remove'; import { INSTALL_STATES } from '../../../../../../common/types'; export async function stepInstallTransforms(context: InstallContext) { - const { - packageInstallContext, - esClient, - savedObjectsClient, - logger, - force, - authorizationHeader, - } = context; + const { packageInstallContext, esClient, savedObjectsClient, logger, force, request } = context; let esReferences = context.esReferences ?? []; ({ esReferences } = await withPackageSpan('Install transforms', () => @@ -32,7 +25,7 @@ export async function stepInstallTransforms(context: InstallContext) { logger, esReferences, force, - authorizationHeader, + request, }) )); return { esReferences }; diff --git a/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/update_custom_integration.ts b/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/update_custom_integration.ts index 6007f99a418b5..84261057c922a 100644 --- a/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/update_custom_integration.ts +++ b/x-pack/platform/plugins/shared/fleet/server/services/epm/packages/update_custom_integration.ts @@ -176,7 +176,7 @@ export async function incrementVersionAndUpdate( spaceId: 'default', force: true, paths: packageInstallContext.paths, - authorizationHeader: null, + request: undefined, keepFailedInstallation: true, }); 
diff --git a/x-pack/platform/plugins/shared/fleet/server/services/package_policy.ts b/x-pack/platform/plugins/shared/fleet/server/services/package_policy.ts index fafb4353fbd2d..adcb44f26469a 100644 --- a/x-pack/platform/plugins/shared/fleet/server/services/package_policy.ts +++ b/x-pack/platform/plugins/shared/fleet/server/services/package_policy.ts @@ -39,8 +39,6 @@ import apm from 'elastic-apm-node'; import { catchAndSetErrorStackTrace, rethrowIfInstanceOrWrap } from '../errors/utils'; -import { HTTPAuthorizationHeader } from '../../common/http_authorization_header'; - import { packageToPackagePolicy, isPackageLimited, @@ -380,7 +378,6 @@ class PackagePolicyClientImpl implements PackagePolicyClient { esClient: ElasticsearchClient, packagePolicy: NewPackagePolicy, options: { - authorizationHeader?: HTTPAuthorizationHeader | null; spaceId?: string; id?: string; user?: AuthenticatedUser; @@ -408,12 +405,6 @@ class PackagePolicyClientImpl implements PackagePolicyClient { const useSpaceAwareness = await isSpaceAwarenessEnabled(); const packagePolicyId = options?.id || uuidv4(); - let authorizationHeader = options.authorizationHeader; - - if (!authorizationHeader && request) { - authorizationHeader = HTTPAuthorizationHeader.parseFromRequest(request); - } - const savedObjectType = await getPackagePolicySavedObjectType(); const basePkgInfo = options?.packageInfo ?? @@ -512,7 +503,7 @@ class PackagePolicyClientImpl implements PackagePolicyClient { pkgName: enrichedPackagePolicy.package.name, pkgVersion: enrichedPackagePolicy.package.version, force: options?.force, - authorizationHeader, + request, }); } @@ -785,7 +776,8 @@ class PackagePolicyClientImpl implements PackagePolicyClient { bumpRevision?: boolean; force?: true; asyncDeploy?: boolean; - } + }, + request?: KibanaRequest ): Promise<{ created: PackagePolicy[]; failed: Array<{ packagePolicy: NewPackagePolicy; error?: Error | SavedObjectError }>; 
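Review bot: In `create`, removing the `options.authorizationHeader` fallback means `ensureInstalledPackage` gets user context only through `request`, and a caller that omits it now proceeds silently with `request: undefined`. Judging by the transform install code in this commit, that path skips the user lookup and, as far as the diff shows, installs without a user-scoped secondary authorization, with no error or log. A TSDoc line on the `request` parameter of `create` and `bulkCreate` in `PackagePolicyClient` would make the contract explicit, e.g. `@param request Original Kibana request; when omitted, the package is installed without user context`. `create` begins and ends outside these hunks, and whether the new trailing `request` on `bulkCreate` is forwarded anywhere is not visible here.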
@@ -3350,7 +3342,6 @@ class PackagePolicyClientWithAuthz extends PackagePolicyClientImpl { esClient: ElasticsearchClient, packagePolicy: NewPackagePolicy, options?: { - authorizationHeader?: HTTPAuthorizationHeader | null; spaceId?: string; id?: string; user?: AuthenticatedUser; diff --git a/x-pack/platform/plugins/shared/fleet/server/services/package_policy_service.ts b/x-pack/platform/plugins/shared/fleet/server/services/package_policy_service.ts index b52ebd6b05d64..580fbb94bc905 100644 --- a/x-pack/platform/plugins/shared/fleet/server/services/package_policy_service.ts +++ b/x-pack/platform/plugins/shared/fleet/server/services/package_policy_service.ts @@ -19,8 +19,6 @@ import type { import type { SavedObjectError } from '@kbn/core-saved-objects-common'; -import type { HTTPAuthorizationHeader } from '../../common/http_authorization_header'; - import type { PostDeletePackagePoliciesResponse, UpgradePackagePolicyResponse, @@ -84,7 +82,6 @@ export interface PackagePolicyClient { spaceId?: string; id?: string; user?: AuthenticatedUser; - authorizationHeader?: HTTPAuthorizationHeader | null; bumpRevision?: boolean; force?: boolean; skipEnsureInstalled?: boolean; @@ -109,9 +106,9 @@ export interface PackagePolicyClient { user?: AuthenticatedUser; bumpRevision?: boolean; force?: true; - authorizationHeader?: HTTPAuthorizationHeader | null; asyncDeploy?: boolean; - } + }, + request?: KibanaRequest ): Promise<{ created: PackagePolicy[]; failed: Array<{ packagePolicy: NewPackagePolicy; error?: Error | SavedObjectError }>; diff --git a/x-pack/platform/plugins/shared/fleet/server/services/request_utils.ts b/x-pack/platform/plugins/shared/fleet/server/services/request_utils.ts deleted file mode 100644 index 88a54452f2175..0000000000000 --- a/x-pack/platform/plugins/shared/fleet/server/services/request_utils.ts +++ /dev/null 
@@ -1,26 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import type { HTTPAuthorizationHeader } from '@kbn/security-plugin/server'; -import type { FakeRawRequest } from '@kbn/core/server'; -import { kibanaRequestFactory } from '@kbn/core-http-server-utils'; - -export function createKibanaRequestFromAuth(authorizationHeader: HTTPAuthorizationHeader) { - const requestHeaders: FakeRawRequest['headers'] = { - authorization: authorizationHeader.toString(), - }; - const fakeRawRequest: FakeRawRequest = { - headers: requestHeaders, - path: '/', - }; - - // Since we're using API keys and accessing elasticsearch can only be done - // via a request, we're faking one with the proper authorization headers. - const fakeRequest = kibanaRequestFactory(fakeRawRequest); - - return fakeRequest; -} diff --git a/x-pack/platform/plugins/shared/fleet/server/tasks/packages_bulk_operations/run_bulk_rollback.ts b/x-pack/platform/plugins/shared/fleet/server/tasks/packages_bulk_operations/run_bulk_rollback.ts index ec19a400083dd..9e52f2ae96ebd 100644 --- a/x-pack/platform/plugins/shared/fleet/server/tasks/packages_bulk_operations/run_bulk_rollback.ts +++ b/x-pack/platform/plugins/shared/fleet/server/tasks/packages_bulk_operations/run_bulk_rollback.ts @@ -7,7 +7,7 @@ import { DEFAULT_SPACE_ID } from '@kbn/spaces-plugin/common'; import type { TaskManagerStartContract } from '@kbn/task-manager-plugin/server'; -import type { Logger } from '@kbn/core/server'; +import type { KibanaRequest, Logger } from '@kbn/core/server'; import type { RollbackPackageResponse } from '../../../common/types'; 
@@ -82,7 +82,12 @@ export async function _runBulkRollbackTask({ export async function scheduleBulkRollback( taskManagerStart: TaskManagerStartContract, - taskParams: Omit + taskParams: Omit, + request: KibanaRequest ) { - return scheduleBulkOperationTask(taskManagerStart, { ...taskParams, type: 'bulk_rollback' }); + return scheduleBulkOperationTask( + taskManagerStart, + { ...taskParams, type: 'bulk_rollback' }, + request + ); } diff --git a/x-pack/platform/plugins/shared/fleet/server/tasks/packages_bulk_operations/run_bulk_uninstall.ts b/x-pack/platform/plugins/shared/fleet/server/tasks/packages_bulk_operations/run_bulk_uninstall.ts index 1d011e0ef8126..087bdc3d9d8fd 100644 --- a/x-pack/platform/plugins/shared/fleet/server/tasks/packages_bulk_operations/run_bulk_uninstall.ts +++ b/x-pack/platform/plugins/shared/fleet/server/tasks/packages_bulk_operations/run_bulk_uninstall.ts @@ -6,7 +6,7 @@ */ import type { TaskManagerStartContract } from '@kbn/task-manager-plugin/server'; -import type { Logger } from '@kbn/core/server'; +import type { KibanaRequest, Logger } from '@kbn/core/server'; import { removeInstallation } from '../../services/epm/packages'; import { appContextService } from '../../services'; @@ -70,7 +70,12 @@ export async function _runBulkUninstallTask({ export async function scheduleBulkUninstall( taskManagerStart: TaskManagerStartContract, - taskParams: Omit + taskParams: Omit, + request: KibanaRequest ) { - return scheduleBulkOperationTask(taskManagerStart, { ...taskParams, type: 'bulk_uninstall' }); + return scheduleBulkOperationTask( + taskManagerStart, + { ...taskParams, type: 'bulk_uninstall' }, + request + ); } diff --git a/x-pack/platform/plugins/shared/fleet/server/tasks/packages_bulk_operations/run_bulk_upgrade.test.ts b/x-pack/platform/plugins/shared/fleet/server/tasks/packages_bulk_operations/run_bulk_upgrade.test.ts index 71ba67bb7eef9..dd72e92a11eed 100644 
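Review bot: `scheduleBulkRollback` and `scheduleBulkUninstall` now require a `request` and forward it to `scheduleBulkOperationTask`, but this commit does not change `_runBulkRollbackTask` or `_runBulkUninstallTask`, and only the `bulk_upgrade` branch of the runner reads `fakeRequest`. Passing `{ request }` to `ensureScheduled` (utils.ts) presumably binds user-scoped credentials to the task, so these two operation types would carry credentials they never use. Making the parameter optional in `scheduleBulkOperationTask` and passing `request ? { request } : undefined` as the second argument, with only `scheduleBulkUpgrade` supplying it, keeps that binding to the one task that needs it. It is also worth confirming how `ensureScheduled` behaves when security or API keys are disabled, since scheduling did not depend on them before.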
--- a/x-pack/platform/plugins/shared/fleet/server/tasks/packages_bulk_operations/run_bulk_upgrade.test.ts +++ b/x-pack/platform/plugins/shared/fleet/server/tasks/packages_bulk_operations/run_bulk_upgrade.test.ts @@ -6,6 +6,7 @@ */ import { loggingSystemMock } from '@kbn/core/server/mocks'; +import type { KibanaRequest } from '@kbn/core/server'; import { createAppContextStartContractMock } from '../../mocks'; import { appContextService } from '../../services'; @@ -57,8 +58,8 @@ describe('Bulk upgrade task', () => { taskParams: { type: 'bulk_upgrade', packages: [{ name: 'test_valid' }], - authorizationHeader: null, }, + request: {} as KibanaRequest, }); expect(installPackage).toBeCalled(); @@ -78,8 +79,8 @@ describe('Bulk upgrade task', () => { { name: 'test_valid_2' }, { name: 'test_invalid_2' }, ], - authorizationHeader: null, }, + request: {} as KibanaRequest, }); expect(installPackage).toBeCalledTimes(4); @@ -106,9 +107,9 @@ describe('Bulk upgrade task', () => { taskParams: { type: 'bulk_upgrade', packages: [{ name: 'test_valid' }], - authorizationHeader: null, upgradePackagePolicies: true, }, + request: {} as KibanaRequest, }); expect(res).toEqual([{ name: 'test_valid', success: true }]); @@ -132,8 +133,8 @@ describe('Bulk upgrade task', () => { { name: 'test_valid_2' }, { name: 'test_invalid_2' }, ], - authorizationHeader: null, }, + request: {} as KibanaRequest, }) ).rejects.toThrow(/Task was aborted/); diff --git a/x-pack/platform/plugins/shared/fleet/server/tasks/packages_bulk_operations/run_bulk_upgrade.ts b/x-pack/platform/plugins/shared/fleet/server/tasks/packages_bulk_operations/run_bulk_upgrade.ts index d19f74f20aafa..50b721d6a3544 100644 --- a/x-pack/platform/plugins/shared/fleet/server/tasks/packages_bulk_operations/run_bulk_upgrade.ts +++ b/x-pack/platform/plugins/shared/fleet/server/tasks/packages_bulk_operations/run_bulk_upgrade.ts 
@@ -7,9 +7,13 @@ import { DEFAULT_SPACE_ID } from '@kbn/spaces-plugin/common'; import type { TaskManagerStartContract } from '@kbn/task-manager-plugin/server'; -import type { ElasticsearchClient, Logger, SavedObjectsClientContract } from '@kbn/core/server'; +import type { + ElasticsearchClient, + KibanaRequest, + Logger, + SavedObjectsClientContract, +} from '@kbn/core/server'; -import { HTTPAuthorizationHeader } from '../../../common/http_authorization_header'; import { installPackage } from '../../services/epm/packages'; import { appContextService, packagePolicyService } from '../../services'; import { PACKAGE_POLICY_SAVED_OBJECT_TYPE, SO_SEARCH_LIMIT } from '../../constants'; @@ -20,7 +24,6 @@ export interface BulkUpgradeTaskParams { type: 'bulk_upgrade'; packages: Array<{ name: string; version?: string }>; spaceId?: string; - authorizationHeader: HTTPAuthorizationHeader | null; force?: boolean; prerelease?: boolean; upgradePackagePolicies?: boolean; @@ -43,15 +46,16 @@ export async function _runBulkUpgradeTask({ abortController, taskParams, logger, + request, }: { taskParams: BulkUpgradeTaskParams; abortController: AbortController; logger: Logger; + request: KibanaRequest; }) { const { packages, spaceId = DEFAULT_SPACE_ID, - authorizationHeader, force, prerelease, upgradePackagePolicies, @@ -69,13 +73,7 @@ export async function _runBulkUpgradeTask({ try { const installResult = await installPackage({ spaceId, - authorizationHeader: authorizationHeader - ? new HTTPAuthorizationHeader( - authorizationHeader.scheme, - authorizationHeader.credentials, - authorizationHeader.username - ) - : undefined, + request, installSource: 'registry', // Upgrade can only happens from the registry, esClient, savedObjectsClient, 
@@ -144,7 +142,12 @@ async function bulkUpgradePackagePolicies({ export async function scheduleBulkUpgrade( taskManagerStart: TaskManagerStartContract, - taskParams: Omit + taskParams: Omit, + request: KibanaRequest ) { - return scheduleBulkOperationTask(taskManagerStart, { ...taskParams, type: 'bulk_upgrade' }); + return scheduleBulkOperationTask( + taskManagerStart, + { ...taskParams, type: 'bulk_upgrade' }, + request + ); } diff --git a/x-pack/platform/plugins/shared/fleet/server/tasks/packages_bulk_operations/task_runner.ts b/x-pack/platform/plugins/shared/fleet/server/tasks/packages_bulk_operations/task_runner.ts index 21940c40baf42..738b101c78cf7 100644 --- a/x-pack/platform/plugins/shared/fleet/server/tasks/packages_bulk_operations/task_runner.ts +++ b/x-pack/platform/plugins/shared/fleet/server/tasks/packages_bulk_operations/task_runner.ts @@ -10,6 +10,8 @@ import type { TaskManagerSetupContract, } from '@kbn/task-manager-plugin/server'; +import type { KibanaRequest } from '@kbn/core/server'; + import { appContextService } from '../../services'; import { type BulkUpgradeTaskParams, _runBulkUpgradeTask } from './run_bulk_upgrade'; @@ -33,9 +35,11 @@ export function registerPackagesBulkOperationTask(taskManager: TaskManagerSetupC createTaskRunner: ({ taskInstance, abortController, + fakeRequest, }: { taskInstance: ConcreteTaskInstance; abortController: AbortController; + fakeRequest?: KibanaRequest; }) => { const logger = appContextService.getLogger(); @@ -45,7 +49,6 @@ export function registerPackagesBulkOperationTask(taskManager: TaskManagerSetupC if (taskInstance.state.isDone) { return; } - const taskParams = taskInstance.params as BulkPackageOperationsTaskParams; try { let results: BulkPackageOperationsTaskState['results']; 
@@ -60,6 +63,7 @@ export function registerPackagesBulkOperationTask(taskManager: TaskManagerSetupC abortController, logger, taskParams: taskParams as BulkUpgradeTaskParams, + request: fakeRequest!, }); } else if (taskParams.type === 'bulk_rollback') { results = await _runBulkRollbackTask({ diff --git a/x-pack/platform/plugins/shared/fleet/server/tasks/packages_bulk_operations/utils.ts b/x-pack/platform/plugins/shared/fleet/server/tasks/packages_bulk_operations/utils.ts index 79c16be978c77..b60c5fe59e693 100644 --- a/x-pack/platform/plugins/shared/fleet/server/tasks/packages_bulk_operations/utils.ts +++ b/x-pack/platform/plugins/shared/fleet/server/tasks/packages_bulk_operations/utils.ts @@ -5,6 +5,7 @@ * 2.0. */ +import type { KibanaRequest } from '@kbn/core/server'; import type { TaskManagerStartContract } from '@kbn/task-manager-plugin/server'; import { v4 as uuidv4 } from 'uuid'; @@ -31,17 +32,21 @@ export interface BulkPackageOperationsTaskParams { export async function scheduleBulkOperationTask( taskManagerStart: TaskManagerStartContract, - taskParams: BulkPackageOperationsTaskParams + taskParams: BulkPackageOperationsTaskParams, + request: KibanaRequest ) { const id = uuidv4(); - await taskManagerStart.ensureScheduled({ - id: `${TASK_TYPE}:${id}`, - scope: ['fleet'], - params: taskParams, - taskType: TASK_TYPE, - runAt: new Date(Date.now() + 3 * 1000), - state: {}, - }); + await taskManagerStart.ensureScheduled( + { + id: `${TASK_TYPE}:${id}`, + scope: ['fleet'], + params: taskParams, + taskType: TASK_TYPE, + runAt: new Date(Date.now() + 3 * 1000), + state: {}, + }, + { request } + ); return id; } diff --git a/x-pack/platform/plugins/shared/fleet/tsconfig.json b/x-pack/platform/plugins/shared/fleet/tsconfig.json index 620d649fc022d..93d0157bd516d 100644 --- a/x-pack/platform/plugins/shared/fleet/tsconfig.json +++ b/x-pack/platform/plugins/shared/fleet/tsconfig.json 
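Review bot: `request: fakeRequest!` asserts away the `undefined` case that the runner's own `fakeRequest?: KibanaRequest` declaration allows, for instance a task that was scheduled without a request (tasks queued by the previous version carried `authorizationHeader` in their params instead). `_runBulkUpgradeTask` then receives `undefined` typed as `KibanaRequest`, and the upgrade runs with no user context and no warning. Either declare `request?: KibanaRequest` on `_runBulkUpgradeTask` and drop the `!`, or fail the task explicitly with `if (!fakeRequest) throw new Error('bulk_upgrade task has no request context');`. The runner function starts and ends outside this hunk.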
@@ -112,7 +112,6 @@ "@kbn/reporting-public", "@kbn/field-formats-plugin", "@kbn/core-security-server", - "@kbn/core-http-server-utils", "@kbn/core-notifications-browser-mocks", "@kbn/handlebars", "@kbn/lock-manager",