Skip to content

Comments

Allow disabling xsrf protection per an endpoint#58717

Merged
mshustov merged 15 commits intoelastic:masterfrom
mshustov:issue-53823-xsrf-per-router
Mar 3, 2020
Merged

Allow disabling xsrf protection per an endpoint#58717
mshustov merged 15 commits intoelastic:masterfrom
mshustov:issue-53823-xsrf-per-router

Conversation

@mshustov
Copy link
Contributor

@mshustov mshustov commented Feb 27, 2020
edited
Loading

Summary

Closes #53823
This PR:

  • allows disabling xsrf protection per an endpoint for NP plugins with xsrfRequired: false
  • deprecates server.xsrf.whitelist. it meant to be used for IdP endpoints only, which we can switch to xsrfRequired: false

Checklist

For maintainers

Dev Docs

Route configuration allows to disable xsrf protection for destructive HTTP methods:

routet.get({ path: ..., validate: ..., options: { xsrfRequired: false } })

@mshustov
add xsrfRequired flag to a route definition interface
40a6419
@mshustov
update tests
6b3b447
@mshustov
deprecate server.xsrf.whitelist
b466852 
It meant to be used for IdP endpoints only, which we are going to refactor to disable xsrf requirement per a specific endpoint.
@mshustov
update docs
263689d
@mshustov mshustov added Team:Core Platform Core services: plugins, logging, config, saved objects, http, ES client, i18n, etc t// Feature:New Platform Team:Security Platform Security: Auth, Users, Roles, Spaces, Audit Logging, etc t// release_note:plugin_api_changes Contains a Plugin API changes section for the breaking plugin API changes section. v8.0.0 v7.7.0 labels Feb 27, 2020
@mshustov mshustov requested a review from a team as a code owner February 27, 2020 12:12
@elasticmachine
Copy link
Contributor

elasticmachine commented Feb 27, 2020

Pinging @elastic/kibana-platform (Team:Platform)

@elasticmachine
Copy link
Contributor

elasticmachine commented Feb 27, 2020

Pinging @elastic/kibana-security (Team:Security)

@mshustov mshustov requested review from a team and azasypkin February 27, 2020 12:12
mshustov
mshustov commented Feb 27, 2020
View reviewed changes
src/core/server/http/lifecycle_handlers.ts
return (request, response, toolkit) => {
if (disableProtection || whitelist.includes(request.route.path)) {
if (
disableProtection ||
Copy link
Contributor Author

@mshustov mshustov Feb 27, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems that we added server.xsrf.disableProtection in spalger#6 for testing purposes solely. I'm wondering if we want to collect all test-only API in the one document to have a better understanding of API surface in case of future refactoring. (in addition to --migrationgs.skip, /internal/saved_objects/_migrate etc)

mshustov
mshustov commented Feb 27, 2020
View reviewed changes
src/core/server/config/deprecation/core_deprecations.ts
if (has(settings, 'server.xsrf.whitelist')) {
log(
'It is not recommended to disable xsrf protections for API endpoints via [server.xsrf.whitelist].' +
'It will be removed in 8.0 release. Instead, supply the "kbn-xsrf" header.'
Copy link
Contributor Author

@mshustov mshustov Feb 27, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@joshdover what is the appropriate place to track v8 breaking changes after #40768 was closed?

Copy link
Contributor

@joshdover joshdover Mar 2, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe this doc: docs/migration/migrate_8_0.asciidoc

pgayvallet
pgayvallet reviewed Feb 27, 2020
View reviewed changes
src/core/server/http/http_server.ts Outdated
Comment on lines 153 to 162
const kibanaRouteState: KibanaRouteState = { xsrfRequired };

this.server.route({
handler: route.handler,
method: route.method,
path: route.path,
options: {
// Enforcing the comparison with true because plugins could overwrite the auth strategy by doing `options: { authRequired: authStrategy as any }`
auth: authRequired === true ? undefined : false,
app: kibanaRouteState,
Copy link
Contributor

@pgayvallet pgayvallet Feb 27, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NIT: can't this be inlined to remove the local var?

Copy link
Contributor Author

@mshustov mshustov Feb 28, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can, but I want to make sure that kibanaRouteState implements KibanaRouteState correctly.
This declaration doesn't show an error for unknown properties, for example:

app: { xsrfRequired } as KibanaRouteState

@azasypkin
Copy link
Contributor

azasypkin commented Feb 28, 2020

ACK: reviewing...

azasypkin
azasypkin reviewed Feb 28, 2020
View reviewed changes
Copy link
Contributor

@azasypkin azasypkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good overall, but I found one issue while testing with a real route. Thanks for the quick turnaround on this one!

@azasypkin azasypkin mentioned this pull request Mar 2, 2020
Closed
azasypkin
azasypkin approved these changes Mar 2, 2020
View reviewed changes
Copy link
Contributor

@azasypkin azasypkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, tested locally - worked perfectly!

Side note: maybe in the future we may not accept this option for "non-destructive" HTTP methods at compile-time so that xsrfRequired: true on GET wouldn't confuse API consumers, like you've done for body?: Method extends .....

@mshustov mshustov requested review from joshdover and pgayvallet March 3, 2020 08:07
mshustov
mshustov commented Mar 3, 2020
View reviewed changes
src/core/server/http/http_server.ts
this.log.debug(`registering route handler for [${route.path}]`);
// Hapi does not allow payload validation to be specified for 'head' or 'get' requests
const validate = ['head', 'get'].includes(route.method) ? undefined : { payload: true };
const validate = isSafeMethod(route.method) ? undefined : { payload: true };
Copy link
Contributor Author

@mshustov mshustov Mar 3, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hapi doesn't support handlers for the head method hapijs/hapi#795

@mshustov mshustov merged commit 4226b6f into elastic:master Mar 3, 2020
@mshustov mshustov deleted the issue-53823-xsrf-per-router branch March 3, 2020 14:46
@mshustov mshustov mentioned this pull request Mar 3, 2020
Merged
mshustov added a commit to mshustov/kibana that referenced this pull request Mar 3, 2020
@mshustov
Allow disabling xsrf protection per an endpoint (elastic#58717)
ba1f3ab 
* add xsrfRequired flag to a route definition interface

* update tests

* deprecate server.xsrf.whitelist

It meant to be used for IdP endpoints only, which we are going to refactor to disable xsrf requirement per a specific endpoint.

* update docs

* do not fail on manual KibanaRequest creation

* address comments

* update tests

* address comments

* make xsrfRequired available only for destructive methods

* update docs

* another isSafeMethod usage
@kibanamachine
Copy link
Contributor

kibanamachine commented Mar 3, 2020

💚 Build Succeeded

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

mshustov added a commit that referenced this pull request Mar 3, 2020
@mshustov
Allow disabling xsrf protection per an endpoint (#58717) (#59151)
0fdb6e5 
* add xsrfRequired flag to a route definition interface

* update tests

* deprecate server.xsrf.whitelist

It meant to be used for IdP endpoints only, which we are going to refactor to disable xsrf requirement per a specific endpoint.

* update docs

* do not fail on manual KibanaRequest creation

* address comments

* update tests

* address comments

* make xsrfRequired available only for destructive methods

* update docs

* another isSafeMethod usage
@mshustov mshustov mentioned this pull request Jun 26, 2020
Closed
@mshustov mshustov mentioned this pull request Nov 3, 2020
Closed
20 tasks
@joshdover joshdover mentioned this pull request Nov 25, 2020
Closed
33 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pgayvallet pgayvallet pgayvallet approved these changes

@azasypkin azasypkin azasypkin approved these changes

@joshdover joshdover Awaiting requested review from joshdover

Assignees

No one assigned

Labels

Feature:New Platform release_note:plugin_api_changes Contains a Plugin API changes section for the breaking plugin API changes section. Team:Core Platform Core services: plugins, logging, config, saved objects, http, ES client, i18n, etc t// Team:Security Platform Security: Auth, Users, Roles, Spaces, Audit Logging, etc t// v7.7.0 v8.0.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Allow HTTP routes to programmatically opt out of XSRF protection

6 participants

@mshustov @elasticmachine @azasypkin @kibanamachine @pgayvallet @joshdover