Add lint rule to prevent server code being imported into client

[joshdover]

Summary

Fixes #49053

This adds new configurations for the no-restricted-paths eslint rule to prevent:

• Importing any server-side modules into any modules that are not in a server/ directory.
  • This includes common directories often used by plugins. Necessary to ensure that modules containing shared code do not import anything that should be exclusively used on the server.
  • This helps avoid issues where server code inadvertently ends up in a Webpack bundle that breaks the front-end. When these problems happen it is often hard to understand why, and this rule should help.
• Importing any code from ui/* or uiExports/* into New Platform plugins.
  • These modules will be deleted in the future and should not be supported in New Platform plugins.

Checklist

Use strikethroughs to remove checklist items you don't feel are applicable to this PR.

• This was checked for cross-browser compatibility, including a check against IE11
• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• This was checked for keyboard-only and screenreader accessibility

For maintainers

• This was checked for breaking API changes and was labeled appropriately
• This includes a feature addition or change that requires a release note and was labeled appropriately

[joshdover]

Didn't get this rule quite right, but now that I have some failures I can play around with it. Will circle back next week.

[pgayvallet]

Fixes #49053 btw

[elasticmachine]

Pinging @elastic/kibana-platform (Team:Platform)

[kobelb]

FWIW, I like the changes you made. Did the lint rule require these changes?

[joshdover]

Yes it does. If you don't want this to be part of the public contract, we can move this up into a shared types file that only security can import from.

[mshustov]

BTW shouldn't we ban public code to be imported from server as well? I'm concern about cases when a plugin accesses browser specific API and can throw on the server side

[joshdover]

I'm not against that, was just focusing this change on fixing the Webpack bundling problems. It looks like there are more violations of this pattern, let me see about doing that change in a separate PR.

[smith]

APM stuff looks good!

[streamich]

Shall we also add rules that:

• /src/plugins/*/server/**/* should not be able to import from /src/plugins/*/public/**/*
• /src/plugins/*/public/**/* should not be able to import from /src/plugins/*/server/**/*
• /src/plugins/*/common/**/* should not be able to import from server, nor public

[joshdover]

Shall we also add rules that:

• /src/plugins/*/server/**/* should not be able to import from /src/plugins/*/public/**/*

As mentioned above, I will do this in a separate change as there are more things to fix here and this is less urgent.

• /src/plugins/*/public/**/* should not be able to import from /src/plugins/*/server/**/*
• /src/plugins/*/common/**/* should not be able to import from server, nor public

Both of these are already covered in this PR. Nothing may import from server that is not also a server directory. This eliminates the immediate problem where Webpack bundles get broken.

[streamich]

I see, thanks, every time I get confused by from and target meaning in that ESLint rule.

[jfsiii]

Is this only for NP plugins? It seems useful for many. Anecdotally, I've done this twice in the last few months in an x-pack/legacy plugin and would love some protection from myself :)

Just curious, nothing to hold up this PR.

[lukeelmers]

Is this only for NP plugins? It seems useful for many.

++ This is what I was wondering.

Would be great if the imports-from-server part could be run on legacy plugins too. For example, these updates would not have prevented this regression which was fixed recently, because it was in x-pack/legacy/plugins.

Of course, ui/ and uiExports/ should probably still be allowed in the legacy world, but is there any reason why we wouldn't want to enforce the server imports bit?

[joshdover]

Added a rule to cover legacy plugins as well. There are a lot more violations here, some of which were trivial to fix, others which are not. For the more complex ones I have added eslint-ignore lines. These should be cleaned up when migrating to the New Platform.

[mikecote]

Stack services changes LGTM 👍 Created #52896 for us to change Task Manager's folder structure.

[walterra]

ML changes LGTM

[lizozom]

@streamich comments aside, the changes to @elastic/kibana-app-arch files are LGTM

[joshdover]

@elasticmachine merge upstream

[elasticmachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: da66f37

History

• 💚 Build #15277 succeeded a9816d5
• 💚 Build #15237 succeeded f25494dd792ecca8262cf2d68cca580c0eb7f9cd
• 💔 Build #15220 failed a5394fc5cd0d0ffcd949aca1c1b6a1162f0f7c6a
• 💔 Build #15188 failed 7015c36
• 💔 Build #14972 failed ca8e5fddc5b585739b271ad39996919a214e6d81

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[joshdover]

Opened #53021 to track adding a lint rule to forbid importing in the other direction (client code -> server code)