elastic · kc13greiner · Sep 6, 2022 · Aug 22, 2022 · Aug 22, 2022 · Aug 22, 2022
diff --git a/docs/settings/security-settings.asciidoc b/docs/settings/security-settings.asciidoc
@@ -42,6 +42,15 @@ xpack.security.authc:
 <3> Specifies the settings for the SAML authentication provider with a `saml1` name.
 <4> Specifies the settings for the SAML authentication provider with a `saml2` name.
 
+[float]
+[[authentication-access-agreement-settings]]
+==== Configure a default access agreement
+
+xpack.security.authc.accessAgreement.message {ess-icon}::
+This setting specifies the access agreement text in Markdown format that will be used as the default access agreement for all providers that do not 
+specify a value for `xpack.security.authc.providers.<provider-type>.<provider-name>.accessAgreement.message`.
+For more information, refer to <<xpack-security-access-agreement>>.
+
 [float]
 [[authentication-provider-settings]]
 ==== Valid settings for all authentication providers

diff --git a/docs/user/security/access-agreement.asciidoc b/docs/user/security/access-agreement.asciidoc
@@ -6,6 +6,9 @@ Access agreement is a https://www.elastic.co/subscriptions[subscription feature]
 agreement before accessing {kib}. The agreement text supports Markdown format and can be specified using the
 `xpack.security.authc.providers.<provider-type>.<provider-name>.accessAgreement.message` setting.
 
+A default access agreement setting can also be specified using `xpack.security.authc.accessAgreement.message`. 
+This message will be used for each provider that doesn't specify its own access agreement.
+
 [NOTE]
 ============================================================================
 You need to acknowledge the access agreement only once per session, and {kib} reports the acknowledgement in the audit logs.

@@ -1789,6 +1789,39 @@ describe('createConfig()', () => {
     ).toThrow('[audit.appender.1.layout]: expected at least one defined value but got [undefined]');
   });
 
+  describe('Global accessAgreement', () => {
+    it('should not override local access agreement', () => {
+      const resultConfig = createConfig(
+        ConfigSchema.validate({
+          authc: {
+            accessAgreement: { message: 'foo' },
+            providers: {
+              basic: {
+                basic1: { order: 0, accessAgreement: { message: 'bar' } },
+              },
+              saml: {
+                saml1: { order: 1, realm: 'saml1', accessAgreement: { message: 'baz' } },
+                saml2: { order: 2, realm: 'saml2' },
+              },
+              oidc: {
+                oidc1: { order: 3, realm: 'oidc1' },
+                oidc2: { order: 4, realm: 'oidc2', accessAgreement: { message: 'qux' } },
+              },
+            },
+          },
+        }),
+        loggingSystemMock.create().get(),
+        { isTLSEnabled: true }
+      );
+
+      expect(resultConfig.authc.providers.basic?.basic1.accessAgreement?.message).toBe('bar');
+      expect(resultConfig.authc.providers.saml?.saml1.accessAgreement?.message).toBe('baz');
+      expect(resultConfig.authc.providers.saml?.saml2.accessAgreement?.message).toBe('foo');
+      expect(resultConfig.authc.providers.oidc?.oidc1.accessAgreement?.message).toBe('foo');
+      expect(resultConfig.authc.providers.oidc?.oidc2.accessAgreement?.message).toBe('qux');
+    });
+  });
+
   describe('#getExpirationTimeouts', () => {
     function createMockConfig(config: Record<string, any> = {}) {
       return createConfig(ConfigSchema.validate(config), loggingSystemMock.createLogger(), {

@@ -83,6 +83,7 @@ function getUniqueProviderSchema<TProperties extends Record<string, Type<any>>>(
 }
 
 type ProvidersConfigType = TypeOf<typeof providersConfigSchema>;
+
 const providersConfigSchema = schema.object(
   {
     basic: getUniqueProviderSchema('basic', {
@@ -237,6 +238,7 @@ export const ConfigSchema = schema.object({
   }),
   authc: schema.object({
     selector: schema.object({ enabled: schema.maybe(schema.boolean()) }),
+    accessAgreement: schema.maybe(schema.object({ message: schema.string() })),
     providers: schema.oneOf([schema.arrayOf(schema.string()), providersConfigSchema], {
       defaultValue: {
         basic: {
@@ -306,6 +308,7 @@ export function createConfig(
   }
 
   let secureCookies = config.secureCookies;
+
   if (!isTLSEnabled) {
     if (secureCookies) {
       logger.warn(
@@ -322,7 +325,8 @@ export function createConfig(
   }
 
   const isUsingLegacyProvidersFormat = Array.isArray(config.authc.providers);
-  const providers = (
+
+  let providers = (
     isUsingLegacyProvidersFormat
       ? [...new Set(config.authc.providers as Array<keyof ProvidersConfigType>)].reduce(
           (legacyProviders, providerType, order) => {
@@ -332,35 +336,66 @@ export function createConfig(
                   ? { enabled: true, showInSelector: true, order, ...config.authc[providerType] }
                   : { enabled: true, showInSelector: true, order },
             };
+
             return legacyProviders;
           },
           {} as Record<string, unknown>
         )
       : config.authc.providers
   ) as ProvidersConfigType;
 
+  const updatedProvidersWithAccessAgreement: Record<string, object> = {};
+
   // Remove disabled providers and sort the rest.
   const sortedProviders: Array<{
     type: keyof ProvidersConfigType;
     name: string;
     order: number;
     hasAccessAgreement: boolean;
   }> = [];
+
   for (const [type, providerGroup] of Object.entries(providers)) {
     for (const [name, { enabled, order, accessAgreement }] of Object.entries(providerGroup ?? {})) {
+      const hasLocalAccessAgreement: boolean = !!accessAgreement?.message;
+      const globalAccessAgreement = config.authc?.accessAgreement?.message;
+
+      const currType = {
+        ...updatedProvidersWithAccessAgreement[type],
+        [name]: {
+          ...providerGroup[name],
+        },
+      };
+
+      if (!hasLocalAccessAgreement) {
+        if (globalAccessAgreement) {
+          currType[name] = {
+            ...currType[name],
+            accessAgreement: {
+              message: globalAccessAgreement,
+            },
+          };
+        }
+      }
+
+      updatedProvidersWithAccessAgreement[type] = currType;
+
       if (!enabled) {
         delete providerGroup![name];
       } else {
+        const hasAccessAgreement: boolean = hasLocalAccessAgreement || !!globalAccessAgreement;
+
         sortedProviders.push({
           type: type as any,
           name,
           order,
-          hasAccessAgreement: !!accessAgreement?.message,
+          hasAccessAgreement,
         });
       }
     }
   }
 
+  providers = updatedProvidersWithAccessAgreement as ProvidersConfigType;
+
   sortedProviders.sort(({ order: orderA }, { order: orderB }) =>
     orderA < orderB ? -1 : orderA > orderB ? 1 : 0
   );
@@ -391,6 +426,7 @@ export function createConfig(
         max: 10,
       },
     } as AppenderConfigType);
+
   return {
     ...config,
     audit: {