Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Move CSP options to new platform #52698

Merged
merged 13 commits into from
Dec 13, 2019
Merged

Conversation

eliperelman
Copy link
Contributor

@eliperelman eliperelman commented Dec 10, 2019

Summary

Move CSP options from legacy into the new platform. This blocks being able to add the new rendering service in #52161.

Checklist

Use strikethroughs to remove checklist items you don't feel are applicable to this PR.

For maintainers

Dev Docs

The default options used for managing Kibana's Content Security Policy have been moved into core for the new platform. Relevant items exposed from src/core/server include:

  • CspConfig: TypeScript class for generating CSP configuration. Will generate default configuration for any properties not specified in initialization.
  • CspConfig.DEFAULT: Default CSP configuration.
  • ICspConfig: Interface representing CSP configuration.

@eliperelman eliperelman added Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc Feature:New Platform release_note:plugin_api_changes Contains a Plugin API changes section for the breaking plugin API changes section. v8.0.0 v7.6.0 labels Dec 10, 2019
@eliperelman eliperelman self-assigned this Dec 10, 2019
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-platform (Team:Platform)

src/legacy/ui/ui_render/ui_render_mixin.js Outdated Show resolved Hide resolved
src/core/server/types.ts Outdated Show resolved Hide resolved
@eliperelman eliperelman force-pushed the feature/np-csp branch 3 times, most recently from 002df22 to 255a723 Compare December 11, 2019 16:14
@eliperelman eliperelman marked this pull request as ready for review December 11, 2019 16:21
@eliperelman eliperelman requested review from a team as code owners December 11, 2019 16:21
.github/CODEOWNERS Outdated Show resolved Hide resolved
src/legacy/ui/ui_render/ui_render_mixin.js Outdated Show resolved Hide resolved
src/core/server/csp/csp.ts Outdated Show resolved Hide resolved
src/legacy/server/config/schema.js Outdated Show resolved Hide resolved
src/core/server/csp/csp.ts Outdated Show resolved Hide resolved
@eliperelman eliperelman force-pushed the feature/np-csp branch 2 times, most recently from fe8af81 to 2d3d745 Compare December 12, 2019 18:49
@mshustov mshustov mentioned this pull request Dec 12, 2019
3 tasks
Copy link
Contributor

@joshdover joshdover left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the last iteration I looked at, directives was not part of the config, which I thought made sense. This revision has it back in the config, which is redundant with the csp.rules config option.

src/core/server/csp/config.ts Outdated Show resolved Hide resolved
src/core/server/csp/types.ts Outdated Show resolved Hide resolved
Copy link
Contributor

@pgayvallet pgayvallet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kobelb kobelb self-requested a review December 13, 2019 15:49
src/core/server/server.api.md Outdated Show resolved Hide resolved
src/core/server/csp/csp_config.ts Show resolved Hide resolved
`style-src 'unsafe-inline' 'self'`,
],
}),
strict: schema.boolean({ defaultValue: true }),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We'll have to be careful when backporting this, as the default in 7.x is false

src/core/server/csp/config.ts Show resolved Hide resolved
x-pack/legacy/plugins/security/index.js Outdated Show resolved Hide resolved
Copy link
Contributor

@joshdover joshdover left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Platform changes LGTM, I'll defer to @elastic/kibana-security for the changes to their plugin.

Copy link
Contributor

@kobelb kobelb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM on green CI

@elasticmachine
Copy link
Contributor

💚 Build Succeeded

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

Comment on lines +28 to +30
// TODO: Move this to server.csp using config deprecations
// ? https://github.com/elastic/kibana/pull/52251
path: 'csp',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regarding renaming the csp config key, I will handle this in another PR and make sure we reach consensus between the Platform and Security teams =)

@eliperelman
Copy link
Contributor Author

Thanks for all the great reviews!

@eliperelman eliperelman merged commit 614bde9 into elastic:master Dec 13, 2019
eliperelman added a commit to eliperelman/kibana that referenced this pull request Dec 16, 2019
* Move CSP options to new platform

* Expose SharedGlobalConfig from root

* Derive CSP options from config

* Consolidate CSP configuration with HTTP config

* Fix outstanding config renames

* Remove legacy CSP configuration calls, migrate to platform properties

* Revise docs

* Fix test from type change

* Expose ICspConfig, consolidate and simplify CSP defaults access

* Rebase and update docs

* Remove legacy API from route definition params, review nits

* Clean up config path usages for consistency

* Regenerate docs
eliperelman added a commit that referenced this pull request Dec 16, 2019
* Move CSP options to new platform (#52698)

* Move CSP options to new platform

* Expose SharedGlobalConfig from root

* Derive CSP options from config

* Consolidate CSP configuration with HTTP config

* Fix outstanding config renames

* Remove legacy CSP configuration calls, migrate to platform properties

* Revise docs

* Fix test from type change

* Expose ICspConfig, consolidate and simplify CSP defaults access

* Rebase and update docs

* Remove legacy API from route definition params, review nits

* Clean up config path usages for consistency

* Regenerate docs

* Test correct default value of csp.strict in 7.x
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Feature:New Platform release_note:plugin_api_changes Contains a Plugin API changes section for the breaking plugin API changes section. Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc v7.6.0 v8.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants