Migrate authentication functionality to a new Elasticsearch client.

x-pack/plugins/security/server/authentication/authentication_service.mock.ts

@@ -5,17 +5,11 @@
  */
 
 import type { DeeplyMockedKeys } from '@kbn/utility-types/jest';
-import type {
-  AuthenticationServiceSetup,
-  AuthenticationServiceStart,
-} from './authentication_service';
+import type { AuthenticationServiceStart } from './authentication_service';
 
 import { apiKeysMock } from './api_keys/api_keys.mock';
 
 export const authenticationServiceMock = {
-  createSetup: (): jest.Mocked<AuthenticationServiceSetup> => ({
-    getCurrentUser: jest.fn(),
-  }),
   createStart: (): DeeplyMockedKeys<AuthenticationServiceStart> => ({
     apiKeys: apiKeysMock.create(),
     login: jest.fn(),

x-pack/plugins/security/server/authentication/authentication_service.test.ts

@@ -25,11 +25,9 @@ import { sessionMock } from '../session_management/session.mock';
 import type {
   AuthenticationHandler,
   AuthToolkit,
-  ILegacyClusterClient,
   KibanaRequest,
   Logger,
   LoggerFactory,
-  LegacyScopedClusterClient,
   HttpServiceSetup,
   HttpServiceStart,
 } from '../../../../../src/core/server';
@@ -46,47 +44,17 @@ describe('AuthenticationService', () => {
   let service: AuthenticationService;
   let logger: jest.Mocked<Logger>;
   let mockSetupAuthenticationParams: {
-    legacyAuditLogger: jest.Mocked<SecurityAuditLogger>;
-    audit: jest.Mocked<AuditServiceSetup>;
-    config: ConfigType;
-    loggers: LoggerFactory;
     http: jest.Mocked<HttpServiceSetup>;
-    clusterClient: jest.Mocked<ILegacyClusterClient>;
     license: jest.Mocked<SecurityLicense>;
-    getFeatureUsageService: () => jest.Mocked<SecurityFeatureUsageServiceStart>;
-    session: jest.Mocked<PublicMethodsOf<Session>>;
   };
-  let mockScopedClusterClient: jest.Mocked<PublicMethodsOf<LegacyScopedClusterClient>>;
   beforeEach(() => {
     logger = loggingSystemMock.createLogger();
 
     mockSetupAuthenticationParams = {
-      legacyAuditLogger: securityAuditLoggerMock.create(),
-      audit: auditServiceMock.create(),
       http: coreMock.createSetup().http,
-      config: createConfig(
-        ConfigSchema.validate({
-          encryptionKey: 'ab'.repeat(16),
-          secureCookies: true,
-          cookieName: 'my-sid-cookie',
-        }),
-        loggingSystemMock.create().get(),
-        { isTLSEnabled: false }
-      ),
-      clusterClient: elasticsearchServiceMock.createLegacyClusterClient(),
       license: licenseMock.create(),
-      loggers: loggingSystemMock.create(),
-      getFeatureUsageService: jest
-        .fn()
-        .mockReturnValue(securityFeatureUsageServiceMock.createStartContract()),
-      session: sessionMock.create(),
     };
 
-    mockScopedClusterClient = elasticsearchServiceMock.createLegacyScopedClusterClient();
-    mockSetupAuthenticationParams.clusterClient.asScoped.mockReturnValue(
-      (mockScopedClusterClient as unknown) as jest.Mocked<LegacyScopedClusterClient>
-    );
-
     service = new AuthenticationService(logger);
   });
 
@@ -101,6 +69,42 @@ describe('AuthenticationService', () => {
         expect.any(Function)
       );
     });
+  });
+
+  describe('#start()', () => {
+    let mockStartAuthenticationParams: {
+      legacyAuditLogger: jest.Mocked<SecurityAuditLogger>;
+      audit: jest.Mocked<AuditServiceSetup>;
+      config: ConfigType;
+      loggers: LoggerFactory;
+      http: jest.Mocked<HttpServiceStart>;
+      clusterClient: ReturnType<typeof elasticsearchServiceMock.createClusterClient>;
+      featureUsageService: jest.Mocked<SecurityFeatureUsageServiceStart>;
+      session: jest.Mocked<PublicMethodsOf<Session>>;
+    };
+    beforeEach(() => {
+      const coreStart = coreMock.createStart();
+      mockStartAuthenticationParams = {
+        legacyAuditLogger: securityAuditLoggerMock.create(),
+        audit: auditServiceMock.create(),
+        config: createConfig(
+          ConfigSchema.validate({
+            encryptionKey: 'ab'.repeat(16),
+            secureCookies: true,
+            cookieName: 'my-sid-cookie',
+          }),
+          loggingSystemMock.create().get(),
+          { isTLSEnabled: false }
+        ),
+        http: coreStart.http,
+        clusterClient: elasticsearchServiceMock.createClusterClient(),
+        loggers: loggingSystemMock.create(),
+        featureUsageService: securityFeatureUsageServiceMock.createStartContract(),
+        session: sessionMock.create(),
+      };
+
+      service.setup(mockSetupAuthenticationParams);
+    });
 
     describe('authentication handler', () => {
       let authHandler: AuthenticationHandler;
@@ -109,12 +113,7 @@ describe('AuthenticationService', () => {
       beforeEach(() => {
         mockAuthToolkit = httpServiceMock.createAuthToolkit();
 
-        service.setup(mockSetupAuthenticationParams);
-
-        expect(mockSetupAuthenticationParams.http.registerAuth).toHaveBeenCalledTimes(1);
-        expect(mockSetupAuthenticationParams.http.registerAuth).toHaveBeenCalledWith(
-          expect.any(Function)
-        );
+        service.start(mockStartAuthenticationParams);
 
         authHandler = mockSetupAuthenticationParams.http.registerAuth.mock.calls[0][0];
         authenticate = jest.requireMock('./authenticator').Authenticator.mock.instances[0]
@@ -298,63 +297,7 @@ describe('AuthenticationService', () => {
     describe('getCurrentUser()', () => {
       let getCurrentUser: (r: KibanaRequest) => AuthenticatedUser | null;
       beforeEach(async () => {
-        getCurrentUser = service.setup(mockSetupAuthenticationParams).getCurrentUser;
-      });
-
-      it('returns `null` if Security is disabled', () => {
-        mockSetupAuthenticationParams.license.isEnabled.mockReturnValue(false);
-
-        expect(getCurrentUser(httpServerMock.createKibanaRequest())).toBe(null);
-      });
-
-      it('returns user from the auth state.', () => {
-        const mockUser = mockAuthenticatedUser();
-
-        const mockAuthGet = mockSetupAuthenticationParams.http.auth.get as jest.Mock;
-        mockAuthGet.mockReturnValue({ state: mockUser });
-
-        const mockRequest = httpServerMock.createKibanaRequest();
-        expect(getCurrentUser(mockRequest)).toBe(mockUser);
-        expect(mockAuthGet).toHaveBeenCalledTimes(1);
-        expect(mockAuthGet).toHaveBeenCalledWith(mockRequest);
-      });
-
-      it('returns null if auth state is not available.', () => {
-        const mockAuthGet = mockSetupAuthenticationParams.http.auth.get as jest.Mock;
-        mockAuthGet.mockReturnValue({});
-
-        const mockRequest = httpServerMock.createKibanaRequest();
-        expect(getCurrentUser(mockRequest)).toBeNull();
-        expect(mockAuthGet).toHaveBeenCalledTimes(1);
-        expect(mockAuthGet).toHaveBeenCalledWith(mockRequest);
-      });
-    });
-  });
-
-  describe('#start()', () => {
-    let mockStartAuthenticationParams: {
-      http: jest.Mocked<HttpServiceStart>;
-      clusterClient: ReturnType<typeof elasticsearchServiceMock.createClusterClient>;
-    };
-    beforeEach(() => {
-      const coreStart = coreMock.createStart();
-      mockStartAuthenticationParams = {
-        http: coreStart.http,
-        clusterClient: elasticsearchServiceMock.createClusterClient(),
-      };
-      service.setup(mockSetupAuthenticationParams);
-    });
-
-    describe('getCurrentUser()', () => {
-      let getCurrentUser: (r: KibanaRequest) => AuthenticatedUser | null;
-      beforeEach(async () => {
-        getCurrentUser = (await service.start(mockStartAuthenticationParams)).getCurrentUser;
-      });
-
-      it('returns `null` if Security is disabled', () => {
-        mockSetupAuthenticationParams.license.isEnabled.mockReturnValue(false);
-
-        expect(getCurrentUser(httpServerMock.createKibanaRequest())).toBe(null);
+        getCurrentUser = service.start(mockStartAuthenticationParams).getCurrentUser;
       });
 
       it('returns user from the auth state.', () => {

x-pack/plugins/security/server/authentication/authentication_service.ts

@@ -11,7 +11,6 @@ import type {
   Logger,
   HttpServiceSetup,
   IClusterClient,
-  ILegacyClusterClient,
   HttpServiceStart,
 } from '../../../../../src/core/server';
 import type { SecurityLicense } from '../../common/licensing';
@@ -27,27 +26,19 @@ import { APIKeys } from './api_keys';
 import { Authenticator, ProviderLoginAttempt } from './authenticator';
 
 interface AuthenticationServiceSetupParams {
-  legacyAuditLogger: SecurityAuditLogger;
-  audit: AuditServiceSetup;
-  getFeatureUsageService: () => SecurityFeatureUsageServiceStart;
-  http: HttpServiceSetup;
-  clusterClient: ILegacyClusterClient;
-  config: ConfigType;
+  http: Pick<HttpServiceSetup, 'registerAuth'>;
   license: SecurityLicense;
-  loggers: LoggerFactory;
-  session: PublicMethodsOf<Session>;
 }
 
 interface AuthenticationServiceStartParams {
-  http: HttpServiceStart;
+  http: Pick<HttpServiceStart, 'auth' | 'basePath'>;
+  config: ConfigType;
   clusterClient: IClusterClient;
-}
-
-export interface AuthenticationServiceSetup {
-  /**
-   * @deprecated use `getCurrentUser` from the start contract instead
-   */
-  getCurrentUser: (request: KibanaRequest) => AuthenticatedUser | null;
+  legacyAuditLogger: SecurityAuditLogger;
+  audit: AuditServiceSetup;
+  featureUsageService: SecurityFeatureUsageServiceStart;
+  session: PublicMethodsOf<Session>;
+  loggers: LoggerFactory;
 }
 
 export interface AuthenticationServiceStart {
@@ -67,44 +58,13 @@ export interface AuthenticationServiceStart {
 
 export class AuthenticationService {
   private license!: SecurityLicense;
-  private authenticator!: Authenticator;
+  private authenticator?: Authenticator;
 
   constructor(private readonly logger: Logger) {}
 
-  setup({
-    legacyAuditLogger: auditLogger,
-    audit,
-    getFeatureUsageService,
-    http,
-    clusterClient,
-    config,
-    license,
-    loggers,
-    session,
-  }: AuthenticationServiceSetupParams): AuthenticationServiceSetup {
+  setup({ http, license }: AuthenticationServiceSetupParams) {
     this.license = license;
 
-    const getCurrentUser = (request: KibanaRequest) => {
-      if (!license.isEnabled()) {
-        return null;
-      }
-
-      return http.auth.get<AuthenticatedUser>(request).state ?? null;
-    };
-
-    this.authenticator = new Authenticator({
-      legacyAuditLogger: auditLogger,
-      audit,
-      loggers,
-      clusterClient,
-      basePath: http.basePath,
-      config: { authc: config.authc },
-      getCurrentUser,
-      getFeatureUsageService,
-      license,
-      session,
-    });
-
     http.registerAuth(async (request, response, t) => {
       if (!license.isLicenseAvailable()) {
         this.logger.error('License is not available, authentication is not possible.');
@@ -123,6 +83,15 @@ export class AuthenticationService {
         return t.authenticated();
       }
 
+      if (!this.authenticator) {
+        this.logger.error('Authentication sub-system is not fully initialized yet.');
+        return response.customError({
+          body: 'Authentication sub-system is not fully initialized yet.',
+          statusCode: 503,
+          headers: { 'Retry-After': '30' },
+        });
+      }
+
       let authenticationResult;
       try {
         authenticationResult = await this.authenticator.authenticate(request);
@@ -174,19 +143,40 @@ export class AuthenticationService {
     });
 
     this.logger.debug('Successfully registered core authentication handler.');
-
-    return {
-      getCurrentUser,
-    };
   }
 
-  start({ clusterClient, http }: AuthenticationServiceStartParams): AuthenticationServiceStart {
+  start({
+    audit,
+    config,
+    clusterClient,
+    featureUsageService,
+    http,
+    legacyAuditLogger,
+    loggers,
+    session,
+  }: AuthenticationServiceStartParams): AuthenticationServiceStart {
     const apiKeys = new APIKeys({
       clusterClient,
       logger: this.logger.get('api-key'),
       license: this.license,
     });
 
+    const getCurrentUser = (request: KibanaRequest) =>
+      http.auth.get<AuthenticatedUser>(request).state ?? null;
+
+    this.authenticator = new Authenticator({
+      legacyAuditLogger,
+      audit,
+      loggers,
+      clusterClient,
+      basePath: http.basePath,
+      config: { authc: config.authc },
+      getCurrentUser,
+      featureUsageService,
+      license: this.license,
+      session,
+    });
+
     return {
       apiKeys: {
         areAPIKeysEnabled: apiKeys.areAPIKeysEnabled.bind(apiKeys),
@@ -206,12 +196,7 @@ export class AuthenticationService {
        * Retrieves currently authenticated user associated with the specified request.
        * @param request
        */
-      getCurrentUser: (request: KibanaRequest) => {
-        if (!this.license.isEnabled()) {
-          return null;
-        }
-        return http.auth.get<AuthenticatedUser>(request).state ?? null;
-      },
+      getCurrentUser,
     };
   }
 }