Skip to content

Commit

Permalink
Move CSP options to new platform (elastic#52698)
Browse files Browse the repository at this point in the history
* Move CSP options to new platform

* Expose SharedGlobalConfig from root

* Derive CSP options from config

* Consolidate CSP configuration with HTTP config

* Fix outstanding config renames

* Remove legacy CSP configuration calls, migrate to platform properties

* Revise docs

* Fix test from type change

* Expose ICspConfig, consolidate and simplify CSP defaults access

* Rebase and update docs

* Remove legacy API from route definition params, review nits

* Clean up config path usages for consistency

* Regenerate docs
  • Loading branch information
eliperelman committed Dec 16, 2019
1 parent fc0d6af commit 6ff4a80
Show file tree
Hide file tree
Showing 51 changed files with 600 additions and 242 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [CspConfig](./kibana-plugin-server.cspconfig.md) &gt; [DEFAULT](./kibana-plugin-server.cspconfig.default.md)

## CspConfig.DEFAULT property

<b>Signature:</b>

```typescript
static readonly DEFAULT: CspConfig;
```
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [CspConfig](./kibana-plugin-server.cspconfig.md) &gt; [header](./kibana-plugin-server.cspconfig.header.md)

## CspConfig.header property

<b>Signature:</b>

```typescript
readonly header: string;
```
28 changes: 28 additions & 0 deletions docs/development/core/server/kibana-plugin-server.cspconfig.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [CspConfig](./kibana-plugin-server.cspconfig.md)

## CspConfig class

CSP configuration for use in Kibana.

<b>Signature:</b>

```typescript
export declare class CspConfig implements ICspConfig
```
## Properties
| Property | Modifiers | Type | Description |
| --- | --- | --- | --- |
| [DEFAULT](./kibana-plugin-server.cspconfig.default.md) | <code>static</code> | <code>CspConfig</code> | |
| [header](./kibana-plugin-server.cspconfig.header.md) | | <code>string</code> | |
| [rules](./kibana-plugin-server.cspconfig.rules.md) | | <code>string[]</code> | |
| [strict](./kibana-plugin-server.cspconfig.strict.md) | | <code>boolean</code> | |
| [warnLegacyBrowsers](./kibana-plugin-server.cspconfig.warnlegacybrowsers.md) | | <code>boolean</code> | |
## Remarks
The constructor for this class is marked as internal. Third-party code should not call the constructor directly or create subclasses that extend the `CspConfig` class.
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [CspConfig](./kibana-plugin-server.cspconfig.md) &gt; [rules](./kibana-plugin-server.cspconfig.rules.md)

## CspConfig.rules property

<b>Signature:</b>

```typescript
readonly rules: string[];
```
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [CspConfig](./kibana-plugin-server.cspconfig.md) &gt; [strict](./kibana-plugin-server.cspconfig.strict.md)

## CspConfig.strict property

<b>Signature:</b>

```typescript
readonly strict: boolean;
```
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [CspConfig](./kibana-plugin-server.cspconfig.md) &gt; [warnLegacyBrowsers](./kibana-plugin-server.cspconfig.warnlegacybrowsers.md)

## CspConfig.warnLegacyBrowsers property

<b>Signature:</b>

```typescript
readonly warnLegacyBrowsers: boolean;
```
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [HttpServiceSetup](./kibana-plugin-server.httpservicesetup.md) &gt; [csp](./kibana-plugin-server.httpservicesetup.csp.md)

## HttpServiceSetup.csp property

The CSP config used for Kibana.

<b>Signature:</b>

```typescript
csp: ICspConfig;
```
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ export interface HttpServiceSetup
| [basePath](./kibana-plugin-server.httpservicesetup.basepath.md) | <code>IBasePath</code> | Access or manipulate the Kibana base path See [IBasePath](./kibana-plugin-server.ibasepath.md)<!-- -->. |
| [createCookieSessionStorageFactory](./kibana-plugin-server.httpservicesetup.createcookiesessionstoragefactory.md) | <code>&lt;T&gt;(cookieOptions: SessionStorageCookieOptions&lt;T&gt;) =&gt; Promise&lt;SessionStorageFactory&lt;T&gt;&gt;</code> | Creates cookie based session storage factory [SessionStorageFactory](./kibana-plugin-server.sessionstoragefactory.md) |
| [createRouter](./kibana-plugin-server.httpservicesetup.createrouter.md) | <code>() =&gt; IRouter</code> | Provides ability to declare a handler function for a particular path and HTTP request method. |
| [csp](./kibana-plugin-server.httpservicesetup.csp.md) | <code>ICspConfig</code> | The CSP config used for Kibana. |
| [isTlsEnabled](./kibana-plugin-server.httpservicesetup.istlsenabled.md) | <code>boolean</code> | Flag showing whether a server was configured to use TLS connection. |
| [registerAuth](./kibana-plugin-server.httpservicesetup.registerauth.md) | <code>(handler: AuthenticationHandler) =&gt; void</code> | To define custom authentication and/or authorization mechanism for incoming requests. |
| [registerOnPostAuth](./kibana-plugin-server.httpservicesetup.registeronpostauth.md) | <code>(handler: OnPostAuthHandler) =&gt; void</code> | To define custom logic to perform for incoming requests. |
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [ICspConfig](./kibana-plugin-server.icspconfig.md) &gt; [header](./kibana-plugin-server.icspconfig.header.md)

## ICspConfig.header property

The CSP rules in a formatted directives string for use in a `Content-Security-Policy` header.

<b>Signature:</b>

```typescript
readonly header: string;
```
23 changes: 23 additions & 0 deletions docs/development/core/server/kibana-plugin-server.icspconfig.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [ICspConfig](./kibana-plugin-server.icspconfig.md)

## ICspConfig interface

CSP configuration for use in Kibana.

<b>Signature:</b>

```typescript
export interface ICspConfig
```

## Properties

| Property | Type | Description |
| --- | --- | --- |
| [header](./kibana-plugin-server.icspconfig.header.md) | <code>string</code> | The CSP rules in a formatted directives string for use in a <code>Content-Security-Policy</code> header. |
| [rules](./kibana-plugin-server.icspconfig.rules.md) | <code>string[]</code> | The CSP rules used for Kibana. |
| [strict](./kibana-plugin-server.icspconfig.strict.md) | <code>boolean</code> | Specify whether browsers that do not support CSP should be able to use Kibana. Use <code>true</code> to block and <code>false</code> to allow. |
| [warnLegacyBrowsers](./kibana-plugin-server.icspconfig.warnlegacybrowsers.md) | <code>boolean</code> | Specify whether users with legacy browsers should be warned about their lack of Kibana security compliance. |

Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [ICspConfig](./kibana-plugin-server.icspconfig.md) &gt; [rules](./kibana-plugin-server.icspconfig.rules.md)

## ICspConfig.rules property

The CSP rules used for Kibana.

<b>Signature:</b>

```typescript
readonly rules: string[];
```
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [ICspConfig](./kibana-plugin-server.icspconfig.md) &gt; [strict](./kibana-plugin-server.icspconfig.strict.md)

## ICspConfig.strict property

Specify whether browsers that do not support CSP should be able to use Kibana. Use `true` to block and `false` to allow.

<b>Signature:</b>

```typescript
readonly strict: boolean;
```
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [ICspConfig](./kibana-plugin-server.icspconfig.md) &gt; [warnLegacyBrowsers](./kibana-plugin-server.icspconfig.warnlegacybrowsers.md)

## ICspConfig.warnLegacyBrowsers property

Specify whether users with legacy browsers should be warned about their lack of Kibana security compliance.

<b>Signature:</b>

```typescript
readonly warnLegacyBrowsers: boolean;
```
2 changes: 2 additions & 0 deletions docs/development/core/server/kibana-plugin-server.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
| --- | --- |
| [BasePath](./kibana-plugin-server.basepath.md) | Access or manipulate the Kibana base path |
| [ClusterClient](./kibana-plugin-server.clusterclient.md) | Represents an Elasticsearch cluster API client and allows to call API on behalf of the internal Kibana user and the actual user that is derived from the request headers (via <code>asScoped(...)</code>).<!-- -->See [ClusterClient](./kibana-plugin-server.clusterclient.md)<!-- -->. |
| [CspConfig](./kibana-plugin-server.cspconfig.md) | CSP configuration for use in Kibana. |
| [ElasticsearchErrorHelpers](./kibana-plugin-server.elasticsearcherrorhelpers.md) | Helpers for working with errors returned from the Elasticsearch service.Since the internal data of errors are subject to change, consumers of the Elasticsearch service should always use these helpers to classify errors instead of checking error internals such as <code>body.error.header[WWW-Authenticate]</code> |
| [KibanaRequest](./kibana-plugin-server.kibanarequest.md) | Kibana specific abstraction for an incoming request. |
| [SavedObjectsClient](./kibana-plugin-server.savedobjectsclient.md) | |
Expand Down Expand Up @@ -64,6 +65,7 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
| [HttpServiceSetup](./kibana-plugin-server.httpservicesetup.md) | Kibana HTTP Service provides own abstraction for work with HTTP stack. Plugins don't have direct access to <code>hapi</code> server and its primitives anymore. Moreover, plugins shouldn't rely on the fact that HTTP Service uses one or another library under the hood. This gives the platform flexibility to upgrade or changing our internal HTTP stack without breaking plugins. If the HTTP Service lacks functionality you need, we are happy to discuss and support your needs. |
| [HttpServiceStart](./kibana-plugin-server.httpservicestart.md) | |
| [IContextContainer](./kibana-plugin-server.icontextcontainer.md) | An object that handles registration of context providers and configuring handlers with context. |
| [ICspConfig](./kibana-plugin-server.icspconfig.md) | CSP configuration for use in Kibana. |
| [IKibanaResponse](./kibana-plugin-server.ikibanaresponse.md) | A response data object, expected to returned as a result of [RequestHandler](./kibana-plugin-server.requesthandler.md) execution |
| [IKibanaSocket](./kibana-plugin-server.ikibanasocket.md) | A tiny abstraction for TCP socket. |
| [IndexSettingsDeprecationInfo](./kibana-plugin-server.indexsettingsdeprecationinfo.md) | |
Expand Down
42 changes: 42 additions & 0 deletions src/core/server/csp/config.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
/*
* Licensed to Elasticsearch B.V. under one or more contributor
* license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright
* ownership. Elasticsearch B.V. licenses this file to you under
* the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/

import { TypeOf, schema } from '@kbn/config-schema';

/**
* @internal
*/
export type CspConfigType = TypeOf<typeof config.schema>;

export const config = {
// TODO: Move this to server.csp using config deprecations
// ? https://github.com/elastic/kibana/pull/52251
path: 'csp',
schema: schema.object({
rules: schema.arrayOf(schema.string(), {
defaultValue: [
`script-src 'unsafe-eval' 'self'`,
`worker-src blob: 'self'`,
`style-src 'unsafe-inline' 'self'`,
],
}),
strict: schema.boolean({ defaultValue: false }),
warnLegacyBrowsers: schema.boolean({ defaultValue: true }),
}),
};
97 changes: 97 additions & 0 deletions src/core/server/csp/csp_config.test.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,97 @@
/*
* Licensed to Elasticsearch B.V. under one or more contributor
* license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright
* ownership. Elasticsearch B.V. licenses this file to you under
* the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/

import { CspConfig } from '.';

// CSP rules aren't strictly additive, so any change can potentially expand or
// restrict the policy in a way we consider a breaking change. For that reason,
// we test the default rules exactly so any change to those rules gets flagged
// for manual review. In other words, this test is intentionally fragile to draw
// extra attention if defaults are modified in any way.
//
// A test failure here does not necessarily mean this change cannot be made,
// but any change here should undergo sufficient scrutiny by the Kibana
// security team.
//
// The tests use inline snapshots to make it as easy as possible to identify
// the nature of a change in defaults during a PR review.

describe('CspConfig', () => {
test('DEFAULT', () => {
expect(CspConfig.DEFAULT).toMatchInlineSnapshot(`
CspConfig {
"header": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
"rules": Array [
"script-src 'unsafe-eval' 'self'",
"worker-src blob: 'self'",
"style-src 'unsafe-inline' 'self'",
],
"strict": true,
"warnLegacyBrowsers": true,
}
`);
});

test('defaults from config', () => {
expect(new CspConfig()).toMatchInlineSnapshot(`
CspConfig {
"header": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
"rules": Array [
"script-src 'unsafe-eval' 'self'",
"worker-src blob: 'self'",
"style-src 'unsafe-inline' 'self'",
],
"strict": true,
"warnLegacyBrowsers": true,
}
`);
});

test('creates from partial config', () => {
expect(new CspConfig({ strict: false, warnLegacyBrowsers: false })).toMatchInlineSnapshot(`
CspConfig {
"header": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
"rules": Array [
"script-src 'unsafe-eval' 'self'",
"worker-src blob: 'self'",
"style-src 'unsafe-inline' 'self'",
],
"strict": false,
"warnLegacyBrowsers": false,
}
`);
});

test('computes header from rules', () => {
const cspConfig = new CspConfig({ rules: ['alpha', 'beta', 'gamma'] });

expect(cspConfig).toMatchInlineSnapshot(`
CspConfig {
"header": "alpha; beta; gamma",
"rules": Array [
"alpha",
"beta",
"gamma",
],
"strict": true,
"warnLegacyBrowsers": true,
}
`);
});
});
Loading

0 comments on commit 6ff4a80

Please sign in to comment.