
Commit ed3cc38

legregoazasypkinkibanamachine
committed
Deprecate disabling the security plugin (#85159)
Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com> Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> # Conflicts: # x-pack/plugins/security/server/index.ts
1 parent 0c9a3c0 commit ed3cc38

3 files changed

Lines changed: 256 additions & 56 deletions


Lines changed: 186 additions & 0 deletions
@@ -0,0 +1,186 @@
1+
/*
2+
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
3+
* or more contributor license agreements. Licensed under the Elastic License;
4+
* you may not use this file except in compliance with the Elastic License.
5+
*/
6+
7+
import { configDeprecationFactory, applyDeprecations } from '@kbn/config';
8+
import { securityConfigDeprecationProvider } from './config_deprecations';
9+
import { cloneDeep } from 'lodash';
10+
11+
const applyConfigDeprecations = (settings: Record<string, any> = {}) => {
12+
const deprecations = securityConfigDeprecationProvider(configDeprecationFactory);
13+
const deprecationMessages: string[] = [];
14+
const migrated = applyDeprecations(
15+
settings,
16+
deprecations.map((deprecation) => ({
17+
deprecation,
18+
path: 'xpack.security',
19+
})),
20+
(msg) => deprecationMessages.push(msg)
21+
);
22+
return {
23+
messages: deprecationMessages,
24+
migrated,
25+
};
26+
};
27+
28+
describe('Config Deprecations', () => {
29+
it('does not report deprecations for default configuration', () => {
30+
const defaultConfig = { xpack: { security: {} } };
31+
const { messages, migrated } = applyConfigDeprecations(cloneDeep(defaultConfig));
32+
expect(migrated).toEqual(defaultConfig);
33+
expect(messages).toHaveLength(0);
34+
});
35+
36+
it('renames sessionTimeout to session.idleTimeout', () => {
37+
const config = {
38+
xpack: {
39+
security: {
40+
sessionTimeout: 123,
41+
},
42+
},
43+
};
44+
const { messages, migrated } = applyConfigDeprecations(cloneDeep(config));
45+
expect(migrated.xpack.security.sessionTimeout).not.toBeDefined();
46+
expect(migrated.xpack.security.session.idleTimeout).toEqual(123);
47+
expect(messages).toMatchInlineSnapshot(`
48+
Array [
49+
"\\"xpack.security.sessionTimeout\\" is deprecated and has been replaced by \\"xpack.security.session.idleTimeout\\"",
50+
]
51+
`);
52+
});
53+
54+
it(`warns that 'authorization.legacyFallback.enabled' is unused`, () => {
55+
const config = {
56+
xpack: {
57+
security: {
58+
authorization: {
59+
legacyFallback: {
60+
enabled: true,
61+
},
62+
},
63+
},
64+
},
65+
};
66+
const { messages } = applyConfigDeprecations(cloneDeep(config));
67+
expect(messages).toMatchInlineSnapshot(`
68+
Array [
69+
"xpack.security.authorization.legacyFallback.enabled is deprecated and is no longer used",
70+
]
71+
`);
72+
});
73+
74+
it(`warns that 'authc.saml.maxRedirectURLSize is unused`, () => {
75+
const config = {
76+
xpack: {
77+
security: {
78+
authc: {
79+
saml: {
80+
maxRedirectURLSize: 123,
81+
},
82+
},
83+
},
84+
},
85+
};
86+
const { messages } = applyConfigDeprecations(cloneDeep(config));
87+
expect(messages).toMatchInlineSnapshot(`
88+
Array [
89+
"xpack.security.authc.saml.maxRedirectURLSize is deprecated and is no longer used",
90+
]
91+
`);
92+
});
93+
94+
it(`warns that 'xpack.security.authc.providers.saml.<provider-name>.maxRedirectURLSize' is unused`, () => {
95+
const config = {
96+
xpack: {
97+
security: {
98+
authc: {
99+
providers: {
100+
saml: {
101+
saml1: {
102+
maxRedirectURLSize: 123,
103+
},
104+
},
105+
},
106+
},
107+
},
108+
},
109+
};
110+
const { messages } = applyConfigDeprecations(cloneDeep(config));
111+
expect(messages).toMatchInlineSnapshot(`
112+
Array [
113+
"\`xpack.security.authc.providers.saml.<provider-name>.maxRedirectURLSize\` is deprecated and is no longer used",
114+
]
115+
`);
116+
});
117+
118+
it(`warns when 'xpack.security.authc.providers' is an array of strings`, () => {
119+
const config = {
120+
xpack: {
121+
security: {
122+
authc: {
123+
providers: ['basic', 'saml'],
124+
},
125+
},
126+
},
127+
};
128+
const { messages, migrated } = applyConfigDeprecations(cloneDeep(config));
129+
expect(migrated).toEqual(config);
130+
expect(messages).toMatchInlineSnapshot(`
131+
Array [
132+
"Defining \`xpack.security.authc.providers\` as an array of provider types is deprecated. Use extended \`object\` format instead.",
133+
]
134+
`);
135+
});
136+
137+
it(`warns when both the basic and token providers are enabled`, () => {
138+
const config = {
139+
xpack: {
140+
security: {
141+
authc: {
142+
providers: ['basic', 'token'],
143+
},
144+
},
145+
},
146+
};
147+
const { messages, migrated } = applyConfigDeprecations(cloneDeep(config));
148+
expect(migrated).toEqual(config);
149+
expect(messages).toMatchInlineSnapshot(`
150+
Array [
151+
"Defining \`xpack.security.authc.providers\` as an array of provider types is deprecated. Use extended \`object\` format instead.",
152+
"Enabling both \`basic\` and \`token\` authentication providers in \`xpack.security.authc.providers\` is deprecated. Login page will only use \`token\` provider.",
153+
]
154+
`);
155+
});
156+
157+
it('warns when the security plugin is disabled', () => {
158+
const config = {
159+
xpack: {
160+
security: {
161+
enabled: false,
162+
},
163+
},
164+
};
165+
const { messages, migrated } = applyConfigDeprecations(cloneDeep(config));
166+
expect(migrated).toEqual(config);
167+
expect(messages).toMatchInlineSnapshot(`
168+
Array [
169+
"Disabling the security plugin (\`xpack.security.enabled\`) will not be supported in the next major version (8.0). To turn off security features, disable them in Elasticsearch instead.",
170+
]
171+
`);
172+
});
173+
174+
it('does not warn when the security plugin is enabled', () => {
175+
const config = {
176+
xpack: {
177+
security: {
178+
enabled: true,
179+
},
180+
},
181+
};
182+
const { messages, migrated } = applyConfigDeprecations(cloneDeep(config));
183+
expect(migrated).toEqual(config);
184+
expect(messages).toHaveLength(0);
185+
});
186+
});
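Review bot: The basic/token warning is only exercised with the legacy array form (`providers: ['basic', 'token']`); the object-format branch of `hasProviderType`, which counts a provider as enabled unless `enabled` is explicitly `false`, has no test. That branch decides whether operators are told the login page will only use `token`, so I would add one case with both types defined in object form and one where one of them sets `enabled: false`. `rename('authProviders', 'authc.providers')` is likewise never asserted, although it rewrites an authentication setting. The title of the fourth test has an unbalanced quote (`'authc.saml.maxRedirectURLSize is unused`).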
Lines changed: 68 additions & 0 deletions
@@ -0,0 +1,68 @@
1+
/*
2+
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
3+
* or more contributor license agreements. Licensed under the Elastic License;
4+
* you may not use this file except in compliance with the Elastic License.
5+
*/
6+
7+
import type { ConfigDeprecationProvider } from 'src/core/server';
8+
9+
export const securityConfigDeprecationProvider: ConfigDeprecationProvider = ({
10+
rename,
11+
unused,
12+
}) => [
13+
rename('sessionTimeout', 'session.idleTimeout'),
14+
rename('authProviders', 'authc.providers'),
15+
unused('authorization.legacyFallback.enabled'),
16+
unused('authc.saml.maxRedirectURLSize'),
17+
// Deprecation warning for the old array-based format of `xpack.security.authc.providers`.
18+
(settings, fromPath, log) => {
19+
if (Array.isArray(settings?.xpack?.security?.authc?.providers)) {
20+
log(
21+
'Defining `xpack.security.authc.providers` as an array of provider types is deprecated. Use extended `object` format instead.'
22+
);
23+
}
24+
25+
return settings;
26+
},
27+
(settings, fromPath, log) => {
28+
const hasProviderType = (providerType: string) => {
29+
const providers = settings?.xpack?.security?.authc?.providers;
30+
if (Array.isArray(providers)) {
31+
return providers.includes(providerType);
32+
}
33+
34+
return Object.values(providers?.[providerType] || {}).some(
35+
(provider) => (provider as { enabled: boolean | undefined })?.enabled !== false
36+
);
37+
};
38+
39+
if (hasProviderType('basic') && hasProviderType('token')) {
40+
log(
41+
'Enabling both `basic` and `token` authentication providers in `xpack.security.authc.providers` is deprecated. Login page will only use `token` provider.'
42+
);
43+
}
44+
return settings;
45+
},
46+
(settings, fromPath, log) => {
47+
const samlProviders = (settings?.xpack?.security?.authc?.providers?.saml ?? {}) as Record<
48+
string,
49+
any
50+
>;
51+
if (Object.values(samlProviders).find((provider) => !!provider.maxRedirectURLSize)) {
52+
log(
53+
'`xpack.security.authc.providers.saml.<provider-name>.maxRedirectURLSize` is deprecated and is no longer used'
54+
);
55+
}
56+
57+
return settings;
58+
},
59+
(settings, fromPath, log) => {
60+
if (settings?.xpack?.security?.enabled === false) {
61+
log(
62+
'Disabling the security plugin (`xpack.security.enabled`) will not be supported in the next major version (8.0). ' +
63+
'To turn off security features, disable them in Elasticsearch instead.'
64+
);
65+
}
66+
return settings;
67+
},
68+
];
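Review bot: The SAML handler dereferences every value under `xpack.security.authc.providers.saml` without a null guard, so `provider.maxRedirectURLSize` throws if an entry is `null`, which is presumably what a provider key with an empty body in the YAML file parses to. Deprecations appear to run on the raw settings object, so that would surface as a TypeError instead of a configuration message; `Object.values(samlProviders).some((provider) => !!provider?.maxRedirectURLSize)` avoids it and states the intent better than `find`. The last handler compares `enabled === false` strictly, so a string `'false'` would not produce the warning; it is worth confirming that every config source delivers a boolean here. The last three handlers would also benefit from a one-line comment each, as the array-format handler already has.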

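--- a/x-pack/plugins/security/server/index.ts
+++ b/x-pack/plugins/security/server/index.ts
@@ -12,6 +12,7 @@ import type {
 PluginInitializerContext,
 } from '../../../../src/core/server';
 import { ConfigSchema } from './config';
+import { securityConfigDeprecationProvider } from './config_deprecations';
 import {
 Plugin,
 SecurityPluginSetup,
@@ -40,62 +41,7 @@ export type { AuthenticatedUser } from '../common/model';
 
 export const config: PluginConfigDescriptor<TypeOf<typeof ConfigSchema>> = {
 schema: ConfigSchema,
-deprecations: ({ rename, unused }) => [
-rename('sessionTimeout', 'session.idleTimeout'),
-rename('authProviders', 'authc.providers'),
-unused('authorization.legacyFallback.enabled'),
-unused('authc.saml.maxRedirectURLSize'),
-// Deprecation warning for the old array-based format of `xpack.security.authc.providers`.
-(settings, fromPath, log) => {
-if (Array.isArray(settings?.xpack?.security?.authc?.providers)) {
-log(
-'Defining `xpack.security.authc.providers` as an array of provider types is deprecated. Use extended `object` format instead.'
-);
-}
-
-return settings;
-},
-(settings, fromPath, log) => {
-const hasProviderType = (providerType: string) => {
-const providers = settings?.xpack?.security?.authc?.providers;
-if (Array.isArray(providers)) {
-return providers.includes(providerType);
-}
-
-return Object.values(providers?.[providerType] || {}).some(
-(provider) => (provider as { enabled: boolean | undefined })?.enabled !== false
-);
-};
-
-if (hasProviderType('basic') && hasProviderType('token')) {
-log(
-'Enabling both `basic` and `token` authentication providers in `xpack.security.authc.providers` is deprecated. Login page will only use `token` provider.'
-);
-}
-
-if (settings?.xpack?.security?.public) {
-log(
-'Config key "xpack.security.public" is deprecated and will be removed in the next major version. ' +
-'Specify SAML authentication provider and its realm in "xpack.security.authc.providers.saml.*" instead.'
-);
-}
-
-return settings;
-},
-(settings, fromPath, log) => {
-const samlProviders = (settings?.xpack?.security?.authc?.providers?.saml ?? {}) as Record<
-string,
-any
->;
-if (Object.values(samlProviders).find((provider) => !!provider.maxRedirectURLSize)) {
-log(
-'`xpack.security.authc.providers.saml.<provider-name>.maxRedirectURLSize` is deprecated and is no longer used'
-);
-}
-
-return settings;
-},
-],
+deprecations: securityConfigDeprecationProvider,
 exposeToBrowser: {
 loginAssistanceMessage: true,
 },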
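Review bot: Replacing the inline list with `deprecations: securityConfigDeprecationProvider,` is not a pure move: the removed handler also warned when `settings?.xpack?.security?.public` was set, and the provider added in this commit has no equivalent check. If that key is still accepted on this branch, operators lose the only notice that the setting is going away and that the SAML provider and realm belong under `xpack.security.authc.providers.saml.*`. If the warning was dropped on purpose (the commit message mentions a conflict in this file), the description should say so. Otherwise the `public` check should be carried over into the provider together with a test.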
