[New platform] Security plugin integration

[mshustov]

This issue is used to track progress and blockers for Security plugin New Platform migration:

Status

• ✔️ Client-side
  • Everything is migrated except for two request interceptors to support plugins that still use Angular HTTP client
• ✔️ Server-side
  • Everything is migrated

Blockers (in order of priority)

• Provide a way to retrieve status changes of the Elasticsearch so that we can properly register privileges with the ES cluster Migrate status service and status page to New Platform #41983
• Get rid of dependency on XPack Main's registerLicenseCheckResultsGenerator
• Kibana Platform plugins cannot access available features in start method Kibana Platform plugins cannot access available features in start method #65461
• Provide a way to render custom views HTML page rendering service #41964, [new-platform] Add support for chromeless applications #41981
• Allow defining SO mappings in the Kibana Platform plugin [Platform] SavedObject Mappings #50309
• Migrate Kibana plugin "System API" to New Platform Migrate Kibana plugin "System API" to New Platform #43970
• Allow custom new platform plugin paths in integration tests Allow custom new platform plugin paths in integration tests #49927
• Allow rendering of "hidden"/chromeless apps (/login, /logout etc.) Update istanbul package #4198
• Expose SavedObjectsClient & Co. to NP plugins (e.g. register custom ScopedSavedObjectsClientFactory, it's not a pressing need, this code can live in LP for some time) Migrate saved object service #33587
• Capabilities service. Plugin registers CapabilitiesModifier. Migrate capabilities mixin to New Platform service #45393
• Allow NP client-side plugins to access configuration values (e.g. xpack.security.sessionTimeout) Add config value support in frontend to New Platform #41990
• Expose kibana.index to NP plugins (used to prefix "applications" to apply Elasticsearch's application privileges). We can probably expose it as a part of kibana NP oss plugin if it's planned. need new platform plugin access to kibana.index config value currently available in legacy plugins #46240
• Figure out how we can support or eliminate circular dependency between Spaces and Security NP plugins (added workaround for now, not a blocker)
• Add ability to retrieve current license information aka Licensing NP plugin Migrate away from legacy xpack_main to new licensing plugin #43378
• NP loggers should be able to log optional meta replicating legacy logWithMetadata (we need this to migrate AuditLogger to NP). Logging service should log meta data #44983
• Allow NP server-side plugins to access pkg.version (used to prefix API actions that are associated with the Elasticsearch's application privileges, and are used to perform the authorization checks) Expose packageInfo to the new platform plugins #45262
• Provide a way to define API routes and views with URLs relative to root or agree on a new BWC convention Introduce HttpApi and HttpResource services #44620
• Expose serverBasePath through Core BasePath service in addition to existing request scoped base path
• Fix issues with NP client-side HTTP interception http interception promise resolves when calling controller.halt() #42990 http interception responseError missing response #42311 http interception responseError missing request #42307
• add registerAuth basic implementation. PR: [New platform] HTTP & Security integration #34631
• add registerOnRequest basic implementation. PR: [New platform] HTTP & Security integration #34631 superseded by OnPreAuth hook
• introduce separated Pre-Auth and Post-Auth hooks. PR: introduce pre-/post-auth request hooks for HttpServer #36690
• Protected/unprotected route definition. Any route should have the ability to declare itself as unprotected to disable authentication. PR: introduce pre-/post-auth request hooks for HttpServer #36690
• The ability to "tag" routes as a part of authorization rules declaration. PR: Route tags #37344
• Refactor registerAuth to allow manipulating [cookie] session storage from any place of registerAuth caller. PR: Session storage refactoring #37992
• restrict access to Hapi Request object in AuthenticationHandler. Discuss with Security team what extension points they need to implement authorization logic (access to authorization header, a resource tags, etc.) context: [New platform] HTTP & Security integration #34631 (comment)
  PR: Restrict access to hapi Request in registerAuth #38763
• integrates NP and LP http servers to simplify Security integration. PR: New Platform and Legacy platform servers integration #39047
• extend kbn/config-schema to support unknown keys for object type. PR: support unknown keys for object type in @kbn/schema-config #39448
• ScopedCookieSessionStorage should gracefully handle case with multiple cookies to repeat Legacy platform logic, logging. PR: handle mupltiple cookies sent from a browser #39431

Possible improvements

• Allow rendering of lightweight (no Kibana routing and possibly chrome) resources/apps with all the necessary headers (CSP, CORS etc.) Add support for OpenID Connect implicit authentication flow. #42069 (comment) https://github.com/elastic/kibana/pull/44866/files#diff-26035964c4fc9b37ce02660f893cfadfR15
• introduce pre-response hook introduce pre-/post-auth request hooks for HttpServer #36690 (comment), introduce pre-/post-auth request hooks for HttpServer #36690 (comment)
• decide if same site session storage cookie option is configurable Allow for cookie's SameSite attribute to be configurable #60522
• add an extended error message for several registerAuth calls [New platform] HTTP & Security integration #34631 (comment)
• Implement request creation via factory. context: Restrict access to hapi Request in registerAuth #38763 (comment)

Previous description

Security needs New Platform to provide a way to intercept all incoming requests to perform auth check. Security plugin is optional, thus flow shouldn't be affected if it is disabled. We can provide **async handler** that supports pausing request handling and finishing with one of the next scenarios: - resume execution if auth is succeeded. - interrupt in case of rejection. - redirect

Security plugin operates low-level primitives and needs a way to controls:

• cookie header (get/set/clear operations), cookie params are configured by Security plugin as well.
• auth header (get/set/clear operations).
  Downstream plugins shouldn't have access to user credentials stored via those mechanisms. It's not a problem while we don't expose raw request to plugins.

Original summary from #18024 (comment)

To summarize or discussion on the "http filters". The platform extension point that security needs should be able to:

• Intercept all incoming requests;
• Get/set/clear cookies and pass request through to the route handlers (e.g. authenticate user and save token to the cookies);
• Abort request and return error (e.g. failed authentication);
• Abort request and return 302 with redirect (e.g. SAML handshake);
• Possibly get some route-metadata (e.g we want to skip authentication for certain routes like login/logout should not go through authentication filter).

Won't be implemented in the first iteration

• The ability to render hidden apps. NP doesn't provide rendering mechanism at the moment. We still can relay on LP doing it for us.

Related: #18024

Implementation

This auth handler can be Security specific, because it specifies cookie parameters - name, password(encryptionKey), path, secure, cookie validation. ```js setup(core, dependencies){ // If we don't want to expose registerAuth as a core capability // we can provide it only to Security plugin core.http.configureCookie({ name, password ...}); core.http.registerAuthMiddleware(async function(({cookie, headers}), authToolkit){ cookie.set(...) return authToolkit.succeeded(); ```

Or the platform can provide the ability to register a request middleware. Middleware specifies to what request headers it wants to have access to

setup(core, dependencies){
   core.http.registerMiddleware(
    '*', // apply to all requests
    {   // declare access to
       headers: ['cookie', 'authorization'], // only one middleware has access to a specified header 
     },
     async function(({method, headers}), authToolkit){
       // in this case Security plugin has to manage session cookie and parse it
       // In the legacy platform that functionality is implemented by 'hapi-auth-cookie' hapi plugin.

[elasticmachine]

Pinging @elastic/kibana-platform

[mshustov]

Right now legacy platform defines 2 auth strategies:

• session. used by default https://github.com/elastic/kibana/blob/master/x-pack/plugins/security/index.js#L117
• security-cookie, which is never set as default. https://github.com/elastic/kibana/blob/master/x-pack/plugins/security/server/lib/authentication/session.js#L125
  but it's called manually to decode and validate cookie https://github.com/elastic/kibana/blob/master/x-pack/plugins/security/server/lib/authentication/session.js#L56

[mshustov]

@elastic/kibana-security would you mind to check everything here makes sense 😄?

[kobelb]

@restrry thanks for writing this up! Given @azasypkin's experience with the new platform, and his knowledge of our various authentication providers, I'd like to hear his opinion on this as well.

Were you intending for this extension point to be utilized for both authentication and authorization, or would we have two different "lifecycle methods" that the new platform exposes?

[mshustov]

Were you intending for this extension point to be utilized for both authentication and authorization, or would we have two different "lifecycle methods" that the new platform exposes?

Does the authorization mechanism in the current state require incoming request interception?

As I understand Security plugin provides tools for other plugins to check user privileges but doesn't provide user data & roles directly.
https://github.com/elastic/kibana/blob/master/x-pack/plugins/security/index.js#L124-L125
Those tools heavily relay on request headers, which we don't expose right now in NP route handler. We are going to solve this problem in #33783, for now we can provide raw request if needed

[kobelb]

Does the authorization mechanism in the current state require incoming request interception?

Spaces does currently in the master branch https://github.com/elastic/kibana/blob/master/x-pack/plugins/spaces/server/lib/space_request_interceptors.ts#L41

With the introduction of Feature Controls we're using the following code to intercept some API calls https://github.com/elastic/kibana/blob/granular-app-privileges/x-pack/plugins/security/server/lib/authorization/api_authorization.ts#L14 and we're doing something similar to block certain applications from being loaded https://github.com/elastic/kibana/blob/granular-app-privileges/x-pack/plugins/security/index.js#L231

[azasypkin]

Or the platform can provide the ability to register a request middleware. Middleware specifies to what request headers it wants to have access to

Do we have any plans on defining framework-agnostic Kibana request lifecycle with lifecycle event based hooks similar to what Hapi has or there will be express-js-like mechanism?

With the introduction of Feature Controls we're using the following code to intercept some API calls https://github.com/elastic/kibana/blob/granular-app-privileges/x-pack/plugins/security/server/lib/authorization/api_authorization.ts#L14 and we're doing something similar to block certain applications from being loaded https://github.com/elastic/kibana/blob/granular-app-privileges/x-pack/plugins/security/index.js#L231

It looks like we can group authc + all authz based interceptors internally and just register one security interceptor/pre-request-handler with the core, so that security does everything in one go before any other app route handler is invoked. It's kind of what we do already with multiple onPostAuth handlers.

Also it may depend on whether core will be treating API calls as a separate group of requests, IIRC there was a conversation about having something like core.http.regiterAPIRoute and core.http.registerSomethingElse and hence potentially two different extension points for interceptors (so that we can get rid of this a bit fragile !request.path.startsWith('/api/') check), but don't quote me on that.

[mshustov]

Sorry for a long comment, I spent several days wrapping my head around current implementation and want to structure my thoughts.

Right now we rely on 3 different stages for every request (in execution order in hapi framework, more info about hapi request lifecycle)

• onRequest step, where plugins can control a request, say check headers or URL and a result to fail/ to redirect/ to continue request. I'm able to find only one usage in the plugin code base.
• auth (when enabled) where Security plugin authenticates a user, enhance a request with user information (scopes, roles) and restricts access to resources if authentication fails.
• onPostAuth, where Security plugin, given credentials from auth step, checks if user authorized to perform an operation. At the same time, there is a case when another plugin(s) (namely dashboard_mode) also uses user credentials to restrict access to dashboard content. Thus we have a situation when not only Security plugin operates with auth credentials. I talked to @azasypkin and we came to the conclusion that could be an old solution and we want to provide a mechanism similar to Feature Controls, where Security Plugin is the only source of authorization level. Probably @elastic/kibana-security can provide more information here.
  And yeah, there are a couple of cases that aren't directly related to authorization and we might want to move them from onPostAuth to onRequest step. @elastic/kibana-platform WDYT?
  https://github.com/elastic/kibana/blob/master/src/legacy/server/http/version_check.js
  https://github.com/elastic/kibana/blob/4aa2a4c05f128f09e113d29f8a31557c1875717f/src/legacy/server/http/xsrf.js
  Here I did and integration tests passed try to move request validators from onPostAuth to general purpose onRequest #34281

As a bottom line there are 2 main mechanics:

• intercept a request and implement the context-dependent operation, interceptors do not share any information between them and do not have access to user credentials., that makes them closer to event handlers than middlewares.
  Possible implementation:

interface InterceptorToolkit {
   next: () => ({ type: 'next' }),
   redirected: (url: string) => ({ type: 'redirected', url }),
   rejected: (error?: Error) => ({ type: 'rejected', error }),
}
core.http.registerResourceInterceptor((req: KibanaRequest, interceptorToolkit: InterceptorToolkit){
   if(req.method === 'GET') return interceptorToolkit.redirect('/');
   return interceptorToolkit.next();
});

• intercept a request and perform authc/authz operation. Those 2 are dependent on order and have different meaning and interfaces. The very first step performs authentication and provides a result to the next authorization steps, which have only read access to given user credentials. Potentially we can merge them into one step, but we need to decide where 3rd party plugins (dashboard_mode e.g.) register access to authz - via HTTP server or via security plugin (I'm inclined to this option). But want to hear from @elastic/kibana-security
  An option where we merge authc/authz steps.

// 3rd party plugin, for example dashboard_mode
plugins.security.addAuthorizationInterceptor(async function(req: KibanaRequest, interceptorToolkit: InterceptorToolkit, readonly user: UserStore, scopedTools){
   if(user.roles.includes(...) || scopedTools.getSpaces(...)){
      return interceptorToolkit.redirected(...)
   }
});
// plugins/security.js
// in following steps we can restrict an access only to required auth headers instead of whole hapi request
core.http.registerAuthorizationInterceptor((req: HapiRequest, interceptorToolkit: InterceptorToolkit) => {
 const authenticationResult = await authenticate(req);
 if(authenticationResult.succeeded()){ 
   for (const interceptor of this.getAuthorizationInterceptors()){
     const authorizationResult = await interceptor(KibanaRequest.from(req), interceptorToolkit, authenticationResult.user, scopeToolsToRequest(req));
     if(authorizationResult.redirected()) {
        return interceptorToolkit.redirected(authorizationResult.redirectURL)
     }
});

Or the implementation option where we separate authc/authz steps.

interface AuthToolkit {
   authenticated: () => ({ type: 'authenticated' }),
   unauthenticated: (error?) => ({ type: 'unauthenticated', error }),
   reject: (error: Error) => ({ type: 'reject', error }),
}
// in following steps we can restrict an access only to required auth headers instead of whole hapi request
core.http.registerAuthenticationInterceptor((req: HapiRequest, authToolkit: AuthToolkit, user: UserStore){
   const authenticationResult = authenticate(req);
   if(authenticationResult.succeeded()){
      user.set(authenticationResult);
   }
   return authToolkit.authenticated();
});

core.http.registerAuthorizationInterceptor((req: HapiRequest, interceptorToolkit: InterceptorToolkit, readonly user: UserStore){
  // user is scoped to the request. on the very first step we can support old approach with plugin.secuity.checkPriveledgesFor(request, user);
   const result  = plugin.secuity.checkPriveledgesFor(user);
   if(result) {
      return interceptorToolkit.next();
   } else {
      return interceptorToolkit.reject(new Error('not found'));
   }
});

And note if we migrate Security plugin to NP we should change dependent parts (like dashboard_mode) in legacy platform to restrict an access to hapi request object. Because request objects in New and legacy platform are different objects with different lifecycles.

[kobelb]

Thanks for giving this so much thought, and a clear description of the current situation @restrry.

I think it makes sense for the security plugin itself to handle all authentication and authorization, and provide extension points to the various plugins to "add" their own authorization. This allows the security plugin to determine when authentication/authorization should be performed, without requiring other plugin authors to understand the details of when security is enabled and auth should be performed.

[epixa]

I'm comfortable with the merged approach through the security plugin as well. It's worth noting that one way or another the underlying ability to build this auth stuff through the http service is there and available to plugins, so the security plugin just makes it more explicit.