elastic · legrego · Oct 23, 2019 · Nov 25, 2019 · Nov 25, 2019 · Dec 3, 2019
diff --git a/docs/user/security/index.asciidoc b/docs/user/security/index.asciidoc
@@ -37,4 +37,5 @@ cause Kibana's authorization to behave unexpectedly.
 include::authorization/index.asciidoc[]
 include::authorization/kibana-privileges.asciidoc[]
 include::api-keys/index.asciidoc[]
+include::role-mappings/index.asciidoc[]
 include::rbac_tutorial.asciidoc[]
diff --git a/docs/user/security/role-mappings/index.asciidoc b/docs/user/security/role-mappings/index.asciidoc
@@ -0,0 +1,40 @@
+[role="xpack"]
+[[role-mappings]]
+=== Role Mappings
+
+
+Role mappings allow you to describe which roles to assign to your users
+using a set of rules. Role mappings are required when authenticating via
+an external identity provider, such as Active Directory, Kerberos, PKI, OIDC,
+or SAML.
+
+Role mappings have no effect for users inside the `native` or `file` realms.
+
+To manage your role mappings, use *Management > Security > Role Mappings*.
+
+NOTE: The role mapping UI will only be available if your license supports external
+identity providers which can benefit from role mappings.
+
+// [role="screenshot"]
+// image:user/security/role-mappings/images/role-mappings-grid.png["Role Mappings UI"]
+
+
+[float]
+[[role-mappings-security-privileges]]
+=== Security privileges
+
+You must have the `manage_security` cluster privilege to manage role mappings in {kib}.
+You can manage roles in *Management > Security > Roles*, or use the 
+<<role-management-api, {kib} Role Management API>>. 
+
+
+[float]
+[[create-role-mapping]]
+=== Create a Role Mapping
+You can create a role mapping from *Management > Security > Role Mappings*.
+
+// [role="screenshot"]
+// image:user/security/role-mappings/images/create-role-mapping.png["Create Role Mapping UI"]
+
+
+
diff --git a/test/common/services/security/role_mappings.ts b/test/common/services/security/role_mappings.ts
@@ -0,0 +1,66 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import axios, { AxiosInstance } from 'axios';
+import util from 'util';
+import { ToolingLog } from '@kbn/dev-utils';
+
+export class RoleMappings {
+  private log: ToolingLog;
+  private axios: AxiosInstance;
+
+  constructor(url: string, log: ToolingLog) {
+    this.log = log;
+    this.axios = axios.create({
+      headers: { 'kbn-xsrf': 'x-pack/ftr/services/security/role_mappings' },
+      baseURL: url,
+      maxRedirects: 0,
+      validateStatus: () => true, // we do our own validation below and throw better error messages
+    });
+  }
+
+  public async create(name: string, roleMapping: Record<string, any>) {
+    this.log.debug(`creating role mapping ${name}`);
+    const { data, status, statusText } = await this.axios.post(
+      `/internal/security/role_mapping/${name}`,
+      roleMapping
+    );
+    if (status !== 200) {
+      throw new Error(
+        `Expected status code of 200, received ${status} ${statusText}: ${util.inspect(data)}`
+      );
+    }
+    this.log.debug(`created role mapping ${name}`);
+  }
+
+  public async delete(name: string) {
+    this.log.debug(`deleting role mapping ${name}`);
+    const { data, status, statusText } = await this.axios.delete(
+      `/internal/security/role_mapping/${name}`
+    );
+    if (status !== 200 && status !== 404) {
+      throw new Error(
+        `Expected status code of 200 or 404, received ${status} ${statusText}: ${util.inspect(
+          data
+        )}`
+      );
+    }
+    this.log.debug(`deleted role mapping ${name}`);
+  }
+}
diff --git a/test/common/services/security/security.ts b/test/common/services/security/security.ts
@@ -21,6 +21,7 @@ import { format as formatUrl } from 'url';
 
 import { Role } from './role';
 import { User } from './user';
+import { RoleMappings } from './role_mappings';
 import { FtrProviderContext } from '../../ftr_provider_context';
 
 export function SecurityServiceProvider({ getService }: FtrProviderContext) {
@@ -30,6 +31,7 @@ export function SecurityServiceProvider({ getService }: FtrProviderContext) {
 
   return new (class SecurityService {
     role = new Role(url, log);
+    roleMappings = new RoleMappings(url, log);
     user = new User(url, log);
   })();
 }
diff --git a/x-pack/dev-tools/jest/create_jest_config.js b/x-pack/dev-tools/jest/create_jest_config.js
@@ -28,6 +28,7 @@ export function createJestConfig({ kibanaDirectory, xPackKibanaDirectory }) {
       '\\.(css|less|scss)$': `${kibanaDirectory}/src/dev/jest/mocks/style_mock.js`,
       '^test_utils/enzyme_helpers': `${xPackKibanaDirectory}/test_utils/enzyme_helpers.tsx`,
       '^test_utils/find_test_subject': `${xPackKibanaDirectory}/test_utils/find_test_subject.ts`,
+      '^test_utils/stub_web_worker': `${xPackKibanaDirectory}/test_utils/stub_web_worker.ts`,
     },
     coverageDirectory: '<rootDir>/../target/kibana-coverage/jest',
     coverageReporters: ['html'],

diff --git a/x-pack/legacy/plugins/security/common/model.ts b/x-pack/legacy/plugins/security/common/model.ts
@@ -21,3 +21,5 @@ export {
   canUserChangePassword,
   getUserDisplayName,
 } from '../../../../plugins/security/common/model';
+
+export * from './role_mapping';
diff --git a/x-pack/legacy/plugins/security/common/role_mapping.ts b/x-pack/legacy/plugins/security/common/role_mapping.ts
@@ -0,0 +1,55 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+interface RoleMappingAnyRule {
+  any: RoleMappingRule[];
+}
+
+interface RoleMappingAllRule {
+  all: RoleMappingRule[];
+}
+
+interface RoleMappingFieldRule {
+  field: Record<string, any>;
+}
+
+interface RoleMappingExceptRule {
+  except: RoleMappingRule;
+}
+
+type RoleMappingRule =
+  | RoleMappingAnyRule
+  | RoleMappingAllRule
+  | RoleMappingFieldRule
+  | RoleMappingExceptRule;
+
+type RoleTemplateFormat = 'string' | 'json';
+
+export interface InlineRoleTemplate {
+  template: { source: string };
+  format?: RoleTemplateFormat;
+}
+
+export interface StoredRoleTemplate {
+  template: { id: string };
+  format?: RoleTemplateFormat;
+}
+
+export interface InvalidRoleTemplate {
+  template: string;
+  format?: RoleTemplateFormat;
+}
+
+export type RoleTemplate = InlineRoleTemplate | StoredRoleTemplate | InvalidRoleTemplate;
+
+export interface RoleMapping {
+  name: string;
+  enabled: boolean;
+  roles?: string[];
+  role_templates?: RoleTemplate[];
+  rules: RoleMappingRule | {};
+  metadata: Record<string, any>;
+}
diff --git a/x-pack/legacy/plugins/security/public/lib/role_mappings_api.ts b/x-pack/legacy/plugins/security/public/lib/role_mappings_api.ts
@@ -0,0 +1,58 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { CoreSetup } from 'src/core/public';
+import { RoleMapping } from '../../common/model';
+
+interface CheckPrivilegesResponse {
+  canManageRoleMappings: boolean;
+  canUseInlineScripts: boolean;
+  canUseStoredScripts: boolean;
+  hasCompatibleRealms: boolean;
+}
+
+type DeleteRoleMappingsResponse = Array<{
+  name: string;
+  success: boolean;
+  error?: Error;
+}>;
+
+export class RoleMappingsAPI {
+  constructor(private readonly http: CoreSetup['http']) {}
+
+  public async getRoleMappingFeatures(): Promise<CheckPrivilegesResponse> {
+    return this.http.get(`/internal/security/role_mapping_feature_check`);
+  }
+
+  public async getRoleMappings(): Promise<RoleMapping[]> {
+    return this.http.get(`/internal/security/role_mapping`);
+  }
+
+  public async getRoleMapping(name: string): Promise<RoleMapping> {
+    return this.http.get(`/internal/security/role_mapping/${encodeURIComponent(name)}`);
+  }
+
+  public async saveRoleMapping(roleMapping: RoleMapping) {
+    const payload = { ...roleMapping };
+    delete payload.name;
+
+    return this.http.post(
+      `/internal/security/role_mapping/${encodeURIComponent(roleMapping.name)}`,
+      { body: JSON.stringify(payload) }
+    );
+  }
+
+  public async deleteRoleMappings(names: string[]): Promise<DeleteRoleMappingsResponse> {
+    return Promise.all(
+      names.map(name =>
+        this.http
+          .delete(`/internal/security/role_mapping/${encodeURIComponent(name)}`)
+          .then(() => ({ success: true, name }))
+          .catch(error => ({ success: false, name, error }))
+      )
+    );
+  }
+}
diff --git a/x-pack/legacy/plugins/security/public/views/management/_index.scss b/x-pack/legacy/plugins/security/public/views/management/_index.scss
@@ -1,3 +1,4 @@
 @import './change_password_form/index';
 @import './edit_role/index';
-@import './edit_user/index';
+@import './edit_user/index';
+@import './role_mappings/edit_role_mapping/index';
diff --git a/x-pack/legacy/plugins/security/public/views/management/breadcrumbs.ts b/x-pack/legacy/plugins/security/public/views/management/breadcrumbs.ts
@@ -86,3 +86,30 @@ export function getApiKeysBreadcrumbs() {
     },
   ];
 }
+
+export function getRoleMappingBreadcrumbs() {
+  return [
+    MANAGEMENT_BREADCRUMB,
+    {
+      text: i18n.translate('xpack.security.roleMapping.breadcrumb', {
+        defaultMessage: 'Role Mappings',
+      }),
+      href: '#/management/security/role_mappings',
+    },
+  ];
+}
+
+export function getEditRoleMappingBreadcrumbs($route: Record<string, any>) {
+  const { name } = $route.current.params;
+  return [
+    ...getRoleMappingBreadcrumbs(),
+    {
+      text:
+        name ||
+        i18n.translate('xpack.security.roleMappings.createBreadcrumb', {
+          defaultMessage: 'Create',
+        }),
+      href: `#/management/security/role_mappings/edit/${name}`,
+    },
+  ];
+}
diff --git a/x-pack/legacy/plugins/security/public/views/management/management.js b/x-pack/legacy/plugins/security/public/views/management/management.js
@@ -11,10 +11,12 @@ import 'plugins/security/views/management/roles_grid/roles';
 import 'plugins/security/views/management/api_keys_grid/api_keys';
 import 'plugins/security/views/management/edit_user/edit_user';
 import 'plugins/security/views/management/edit_role/index';
+import 'plugins/security/views/management/role_mappings/role_mappings_grid';
+import 'plugins/security/views/management/role_mappings/edit_role_mapping';
 import routes from 'ui/routes';
 import { xpackInfo } from 'plugins/xpack_main/services/xpack_info';
 import '../../services/shield_user';
-import { ROLES_PATH, USERS_PATH, API_KEYS_PATH } from './management_urls';
+import { ROLES_PATH, USERS_PATH, API_KEYS_PATH, ROLE_MAPPINGS_PATH } from './management_urls';
 
 import { management } from 'ui/management';
 import { i18n } from '@kbn/i18n';
@@ -38,11 +40,23 @@ routes
     resolve: {
       securityManagementSection: function(ShieldUser) {
         const showSecurityLinks = xpackInfo.get('features.security.showLinks');
+        const showRoleMappingsManagementLink = xpackInfo.get(
+          'features.security.showRoleMappingsManagement'
+        );
 
         function deregisterSecurity() {
           management.deregister('security');
         }
 
+        function deregisterRoleMappingsManagement() {
+          if (management.hasItem('security')) {
+            const security = management.getSection('security');
+            if (security.hasItem('roleMappings')) {
+              security.deregister('roleMappings');
+            }
+          }
+        }
+
         function ensureSecurityRegistered() {
           const registerSecurity = () =>
             management.register('security', {
@@ -88,11 +102,25 @@ routes
               url: `#${API_KEYS_PATH}`,
             });
           }
+
+          if (showRoleMappingsManagementLink && !security.hasItem('roleMappings')) {
+            security.register('roleMappings', {
+              name: 'securityRoleMappingLink',
+              order: 30,
+              display: i18n.translate('xpack.security.management.roleMappingsTitle', {
+                defaultMessage: 'Role Mappings',
+              }),
+              url: `#${ROLE_MAPPINGS_PATH}`,
+            });
+          }
         }
 
         if (!showSecurityLinks) {
           deregisterSecurity();
         } else {
+          if (!showRoleMappingsManagementLink) {
+            deregisterRoleMappingsManagement();
+          }
           // getCurrent will reject if there is no authenticated user, so we prevent them from seeing the security
           // management screens
           //

diff --git a/x-pack/legacy/plugins/security/public/views/management/management_urls.ts b/x-pack/legacy/plugins/security/public/views/management/management_urls.ts
@@ -12,3 +12,5 @@ export const CLONE_ROLES_PATH = `${ROLES_PATH}/clone`;
 export const USERS_PATH = `${SECURITY_PATH}/users`;
 export const EDIT_USERS_PATH = `${USERS_PATH}/edit`;
 export const API_KEYS_PATH = `${SECURITY_PATH}/api_keys`;
+export const ROLE_MAPPINGS_PATH = `${SECURITY_PATH}/role_mappings`;
+export const EDIT_ROLE_MAPPING_PATH = `${SECURITY_PATH}/role_mappings/edit`;