Add security support for alerts and actions

x-pack/legacy/plugins/actions/README.md

@@ -53,7 +53,7 @@ This is the primary function for an action type. Whenever the action needs to ex
 |config|The decrypted configuration given to an action. This comes from the action saved object that is partially or fully encrypted within the data store. If you would like to validate the config before being passed to the executor, define `validate.config` within the action type.|
 |params|Parameters for the execution. These will be given at execution time by either an alert or manually provided when calling the plugin provided execute function.|
 |services.callCluster(path, opts)|Use this to do Elasticsearch queries on the cluster Kibana connects to. This function is the same as any other `callCluster` in Kibana.<br><br>**NOTE**: This currently authenticates as the Kibana internal user, but will change in a future PR.|
-|services.savedObjectsClient|This is an instance of the saved objects client. This provides the ability to do CRUD on any saved objects within the same space the alert lives in.<br><br>**NOTE**: This currently only works when security is disabled. A future PR will add support for enabling security using Elasticsearch API tokens.|
+|services.savedObjectsClient|This is an instance of the saved objects client. This provides the ability to do CRUD on any saved objects within the same space the alert lives in.<br><br>The scope of the saved objects client is tied to the user in context calling the execute API or the API key provided to the execute plugin function (only when security isenabled).|
 |services.log(tags, [data], [timestamp])|Use this to create server logs. (This is the same function as server.log)|
 
 ### Example
@@ -146,6 +146,7 @@ The following table describes the properties of the `options` object.
 |id|The id of the action you want to execute.|string|
 |params|The `params` value to give the action type executor.|object|
 |spaceId|The space id the action is within.|string|
+|apiKey|The Elasticsearch API key to use for context. (Note: only required and used when security is enabled).|string|
 
 ### Example
 

x-pack/legacy/plugins/actions/mappings.json

@@ -15,5 +15,19 @@
         "type": "binary"
       }
     }
+  },
+  "action_task_params": {
+    "properties": {
+      "actionId": {
+        "type": "keyword"
+      },
+      "params": {
+        "enabled": false,
+        "type": "object"
+      },
+      "apiKey": {
+        "type": "binary"
+      }
+    }
   }
 }

x-pack/legacy/plugins/actions/server/action_type_registry.test.ts

@@ -26,6 +26,7 @@ function getServices() {
 }
 const actionTypeRegistryParams = {
   getServices,
+  isSecurityEnabled: true,
   taskManager: mockTaskManager,
   encryptedSavedObjectsPlugin: encryptedSavedObjectsMock.create(),
   spaceIdToNamespace: jest.fn().mockReturnValue(undefined),
@@ -64,11 +65,14 @@ describe('register()', () => {
         },
       ]
     `);
-    expect(getCreateTaskRunnerFunction).toHaveBeenCalledTimes(1);
-    const call = getCreateTaskRunnerFunction.mock.calls[0][0];
-    expect(call.actionTypeRegistry).toBeTruthy();
-    expect(call.encryptedSavedObjectsPlugin).toBeTruthy();
-    expect(call.getServices).toBeTruthy();
+    expect(getCreateTaskRunnerFunction).toHaveBeenCalledWith({
+      actionTypeRegistry,
+      isSecurityEnabled: true,
+      encryptedSavedObjectsPlugin: actionTypeRegistryParams.encryptedSavedObjectsPlugin,
+      getServices: actionTypeRegistryParams.getServices,
+      getBasePath: actionTypeRegistryParams.getBasePath,
+      spaceIdToNamespace: actionTypeRegistryParams.spaceIdToNamespace,
+    });
   });
 
   test('throws error if action type already registered', () => {

x-pack/legacy/plugins/actions/server/action_type_registry.ts

@@ -6,18 +6,23 @@
 
 import Boom from 'boom';
 import { i18n } from '@kbn/i18n';
-import { ActionType, GetServicesFunction } from './types';
 import { TaskManager, TaskRunCreatorFunction } from '../../task_manager';
 import { getCreateTaskRunnerFunction, ExecutorError } from './lib';
 import { EncryptedSavedObjectsPlugin } from '../../encrypted_saved_objects';
-import { SpacesPlugin } from '../../spaces';
+import {
+  ActionType,
+  GetBasePathFunction,
+  GetServicesFunction,
+  SpaceIdToNamespaceFunction,
+} from './types';
 
 interface ConstructorOptions {
+  isSecurityEnabled: boolean;
   taskManager: TaskManager;
   getServices: GetServicesFunction;
   encryptedSavedObjectsPlugin: EncryptedSavedObjectsPlugin;
-  spaceIdToNamespace: SpacesPlugin['spaceIdToNamespace'];
-  getBasePath: SpacesPlugin['getBasePath'];
+  spaceIdToNamespace: SpaceIdToNamespaceFunction;
+  getBasePath: GetBasePathFunction;
 }
 
 export class ActionTypeRegistry {
@@ -31,9 +36,11 @@ export class ActionTypeRegistry {
     encryptedSavedObjectsPlugin,
     spaceIdToNamespace,
     getBasePath,
+    isSecurityEnabled,
   }: ConstructorOptions) {
     this.taskManager = taskManager;
     this.taskRunCreatorFunction = getCreateTaskRunnerFunction({
+      isSecurityEnabled,
       getServices,
       actionTypeRegistry: this,
       encryptedSavedObjectsPlugin,

x-pack/legacy/plugins/actions/server/actions_client.test.ts

@@ -29,6 +29,7 @@ function getServices() {
 
 const actionTypeRegistryParams = {
   getServices,
+  isSecurityEnabled: true,
   taskManager: mockTaskManager,
   encryptedSavedObjectsPlugin: mockEncryptedSavedObjectsPlugin,
   spaceIdToNamespace: jest.fn().mockReturnValue(undefined),

x-pack/legacy/plugins/actions/server/builtin_action_types/email.test.ts

@@ -41,6 +41,7 @@ const mockEncryptedSavedObjectsPlugin = encryptedSavedObjectsMock.create();
 beforeAll(() => {
   actionTypeRegistry = new ActionTypeRegistry({
     getServices,
+    isSecurityEnabled: true,
     taskManager: taskManagerMock.create(),
     encryptedSavedObjectsPlugin: mockEncryptedSavedObjectsPlugin,
     spaceIdToNamespace: jest.fn().mockReturnValue(undefined),

x-pack/legacy/plugins/actions/server/builtin_action_types/es_index.test.ts

@@ -38,6 +38,7 @@ const mockEncryptedSavedObjectsPlugin = encryptedSavedObjectsMock.create();
 beforeAll(() => {
   actionTypeRegistry = new ActionTypeRegistry({
     getServices,
+    isSecurityEnabled: true,
     taskManager: taskManagerMock.create(),
     encryptedSavedObjectsPlugin: mockEncryptedSavedObjectsPlugin,
     spaceIdToNamespace: jest.fn().mockReturnValue(undefined),

x-pack/legacy/plugins/actions/server/builtin_action_types/server_log.test.ts

@@ -33,6 +33,7 @@ const mockEncryptedSavedObjectsPlugin = encryptedSavedObjectsMock.create();
 beforeAll(() => {
   actionTypeRegistry = new ActionTypeRegistry({
     getServices,
+    isSecurityEnabled: true,
     taskManager: taskManagerMock.create(),
     encryptedSavedObjectsPlugin: mockEncryptedSavedObjectsPlugin,
     spaceIdToNamespace: jest.fn().mockReturnValue(undefined),

x-pack/legacy/plugins/actions/server/builtin_action_types/slack.test.ts

@@ -50,6 +50,7 @@ async function mockSlackExecutor(options: ActionTypeExecutorOptions): Promise<an
 beforeAll(() => {
   actionTypeRegistry = new ActionTypeRegistry({
     getServices,
+    isSecurityEnabled: true,
     taskManager: taskManagerMock.create(),
     encryptedSavedObjectsPlugin: mockEncryptedSavedObjectsPlugin,
     spaceIdToNamespace: jest.fn().mockReturnValue(undefined),

x-pack/legacy/plugins/actions/server/create_execute_function.test.ts

@@ -10,16 +10,17 @@ import { SavedObjectsClientMock } from '../../../../../src/core/server/mocks';
 
 const mockTaskManager = taskManagerMock.create();
 const savedObjectsClient = SavedObjectsClientMock.create();
-const spaceIdToNamespace = jest.fn();
+const getBasePath = jest.fn();
 
 beforeEach(() => jest.resetAllMocks());
 
 describe('execute()', () => {
   test('schedules the action with all given parameters', async () => {
     const executeFn = createExecuteFunction({
+      getBasePath,
+      isSecurityEnabled: true,
       taskManager: mockTaskManager,
-      internalSavedObjectsRepository: savedObjectsClient,
-      spaceIdToNamespace,
+      getScopedSavedObjectsClient: jest.fn().mockReturnValueOnce(savedObjectsClient),
     });
     savedObjectsClient.get.mockResolvedValueOnce({
       id: '123',
@@ -29,41 +30,129 @@ describe('execute()', () => {
       },
       references: [],
     });
-    spaceIdToNamespace.mockReturnValueOnce('namespace1');
+    savedObjectsClient.create.mockResolvedValueOnce({
+      id: '234',
+      type: 'action_task_params',
+      attributes: {},
+      references: [],
+    });
     await executeFn({
       id: '123',
       params: { baz: false },
       spaceId: 'default',
+      apiKey: 'MTIzOmFiYw==',
     });
     expect(mockTaskManager.schedule).toHaveBeenCalledTimes(1);
     expect(mockTaskManager.schedule.mock.calls[0]).toMatchInlineSnapshot(`
-      Array [
-        Object {
-          "params": Object {
-            "id": "123",
-            "params": Object {
-              "baz": false,
-            },
-            "spaceId": "default",
-          },
-          "scope": Array [
-            "actions",
-          ],
-          "state": Object {},
-          "taskType": "actions:mock-action",
-        },
-      ]
-    `);
-    expect(savedObjectsClient.get).toHaveBeenCalledTimes(1);
-    expect(savedObjectsClient.get.mock.calls[0]).toMatchInlineSnapshot(`
             Array [
-              "action",
-              "123",
               Object {
-                "namespace": "namespace1",
+                "params": Object {
+                  "actionTaskParamsId": "234",
+                  "spaceId": "default",
+                },
+                "scope": Array [
+                  "actions",
+                ],
+                "state": Object {},
+                "taskType": "actions:mock-action",
               },
             ]
         `);
-    expect(spaceIdToNamespace).toHaveBeenCalledWith('default');
+    expect(savedObjectsClient.get).toHaveBeenCalledWith('action', '123');
+    expect(savedObjectsClient.create).toHaveBeenCalledWith('action_task_params', {
+      actionId: '123',
+      params: { baz: false },
+      apiKey: 'MTIzOmFiYw==',
+    });
+  });
+
+  test('uses API key when provided', async () => {
+    const getScopedSavedObjectsClient = jest.fn().mockReturnValueOnce(savedObjectsClient);
+    const executeFn = createExecuteFunction({
+      getBasePath,
+      taskManager: mockTaskManager,
+      getScopedSavedObjectsClient,
+      isSecurityEnabled: true,
+    });
+    savedObjectsClient.get.mockResolvedValueOnce({
+      id: '123',
+      type: 'action',
+      attributes: {
+        actionTypeId: 'mock-action',
+      },
+      references: [],
+    });
+    savedObjectsClient.create.mockResolvedValueOnce({
+      id: '234',
+      type: 'action_task_params',
+      attributes: {},
+      references: [],
+    });
+
+    await executeFn({
+      id: '123',
+      params: { baz: false },
+      spaceId: 'default',
+      apiKey: 'MTIzOmFiYw==',
+    });
+    expect(getScopedSavedObjectsClient).toHaveBeenCalledWith({
+      getBasePath: expect.anything(),
+      headers: {
+        // base64 encoded "123:abc"
+        authorization: 'ApiKey MTIzOmFiYw==',
+      },
+    });
+  });
+
+  test(`doesn't use API keys when not provided`, async () => {
+    const getScopedSavedObjectsClient = jest.fn().mockReturnValueOnce(savedObjectsClient);
+    const executeFn = createExecuteFunction({
+      isSecurityEnabled: false,
+      getBasePath,
+      taskManager: mockTaskManager,
+      getScopedSavedObjectsClient,
+    });
+    savedObjectsClient.get.mockResolvedValueOnce({
+      id: '123',
+      type: 'action',
+      attributes: {
+        actionTypeId: 'mock-action',
+      },
+      references: [],
+    });
+    savedObjectsClient.create.mockResolvedValueOnce({
+      id: '234',
+      type: 'action_task_params',
+      attributes: {},
+      references: [],
+    });
+
+    await executeFn({
+      id: '123',
+      params: { baz: false },
+      spaceId: 'default',
+    });
+    expect(getScopedSavedObjectsClient).toHaveBeenCalledWith({
+      getBasePath: expect.anything(),
+      headers: {},
+    });
+  });
+
+  test(`throws an error when isSecurityEnabled is true and key not passed in`, async () => {
+    const executeFn = createExecuteFunction({
+      getBasePath,
+      taskManager: mockTaskManager,
+      getScopedSavedObjectsClient: jest.fn().mockReturnValueOnce(savedObjectsClient),
+      isSecurityEnabled: true,
+    });
+    await expect(
+      executeFn({
+        id: '123',
+        params: { baz: false },
+        spaceId: 'default',
+      })
+    ).rejects.toThrowErrorMatchingInlineSnapshot(
+      `"API key is required. The attribute \\"apiKey\\" is missing."`
+    );
   });
 });

x-pack/legacy/plugins/actions/server/create_execute_function.ts

@@ -6,34 +6,57 @@
 
 import { SavedObjectsClientContract } from 'src/core/server';
 import { TaskManager } from '../../task_manager';
-import { SpacesPlugin } from '../../spaces';
+import { GetBasePathFunction } from './types';
 
 interface CreateExecuteFunctionOptions {
+  isSecurityEnabled: boolean;
   taskManager: TaskManager;
-  internalSavedObjectsRepository: SavedObjectsClientContract;
-  spaceIdToNamespace: SpacesPlugin['spaceIdToNamespace'];
+  getScopedSavedObjectsClient: (request: any) => SavedObjectsClientContract;
+  getBasePath: GetBasePathFunction;
 }
 
 export interface ExecuteOptions {
   id: string;
   params: Record<string, any>;
   spaceId: string;
+  apiKey?: string;
 }
 
 export function createExecuteFunction({
+  getBasePath,
   taskManager,
-  internalSavedObjectsRepository,
-  spaceIdToNamespace,
+  isSecurityEnabled,
+  getScopedSavedObjectsClient,
 }: CreateExecuteFunctionOptions) {
-  return async function execute({ id, params, spaceId }: ExecuteOptions) {
-    const namespace = spaceIdToNamespace(spaceId);
-    const actionSavedObject = await internalSavedObjectsRepository.get('action', id, { namespace });
+  return async function execute({ id, params, spaceId, apiKey }: ExecuteOptions) {
+    const requestHeaders: Record<string, string> = {};
+
+    if (isSecurityEnabled && !apiKey) {
+      throw new Error('API key is required. The attribute "apiKey" is missing.');
+    } else if (isSecurityEnabled) {
+      requestHeaders.authorization = `ApiKey ${apiKey}`;
+    }
+
+    // Since we're using API keys and accessing elasticsearch can only be done
+    // via a request, we're faking one with the proper authorization headers.
+    const fakeRequest: any = {
+      headers: requestHeaders,
+      getBasePath: () => getBasePath(spaceId),
+    };
+
+    const savedObjectsClient = getScopedSavedObjectsClient(fakeRequest);
+    const actionSavedObject = await savedObjectsClient.get('action', id);
+    const actionTaskParamsRecord = await savedObjectsClient.create('action_task_params', {
+      actionId: id,
+      params,
+      apiKey,
+    });
+
     await taskManager.schedule({
       taskType: `actions:${actionSavedObject.attributes.actionTypeId}`,
       params: {
-        id,
         spaceId,
-        params,
+        actionTaskParamsId: actionTaskParamsRecord.id,
       },
       state: {},
       scope: ['actions'],