Sets logout and saml callback APIs as public in serverless (#162523)

Subset of #161337 Unblocks #162149 ## Summary This PR uses the access 'public' option when registering the `GET /api/security/logout` and `POST /api/security/saml/callback` APIs. This will ensure they have public access in serverless, while all other APIs will default to internal. PR #161672 changes default access of registered endpoints to 'internal', meaning that API owners have to explicitly set access: public to pass the API protection restriction. This PR also adds internal headers to the existing serverless Spaces API tests. This unblocks the PR to enable API protection in serverless (#162149). --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
elastic · Jul 26, 2023 · e8a705e · e8a705e
1 parent 32b5903
commit e8a705e
Show file tree

Hide file tree

Showing 6 changed files with 19 additions and 3 deletions.
diff --git a/x-pack/plugins/security/server/routes/authentication/common.test.ts b/x-pack/plugins/security/server/routes/authentication/common.test.ts
@@ -66,6 +66,7 @@ describe('Common authentication routes', () => {
 
     it('correctly defines route.', async () => {
       expect(routeConfig.options).toEqual({
+        access: 'public',
         authRequired: false,
         tags: [ROUTE_TAG_CAN_REDIRECT, ROUTE_TAG_AUTH_FLOW],
       });

diff --git a/x-pack/plugins/security/server/routes/authentication/common.ts b/x-pack/plugins/security/server/routes/authentication/common.ts
@@ -41,7 +41,11 @@ export function defineCommonRoutes({
         // Allow unknown query parameters as this endpoint can be hit by the 3rd-party with any
         // set of query string parameters (e.g. SAML/OIDC logout request/response parameters).
         validate: { query: schema.object({}, { unknowns: 'allow' }) },
-        options: { authRequired: false, tags: [ROUTE_TAG_CAN_REDIRECT, ROUTE_TAG_AUTH_FLOW] },
+        options: {
+          access: 'public',
+          authRequired: false,
+          tags: [ROUTE_TAG_CAN_REDIRECT, ROUTE_TAG_AUTH_FLOW],
+        },
       },
       async (context, request, response) => {
         const serverBasePath = basePath.serverBasePath;

diff --git a/x-pack/plugins/security/server/routes/authentication/saml.test.ts b/x-pack/plugins/security/server/routes/authentication/saml.test.ts
@@ -54,6 +54,7 @@ describe('SAML authentication routes', () => {
 
     it('correctly defines route.', () => {
       expect(routeConfig.options).toEqual({
+        access: 'public',
         authRequired: false,
         xsrfRequired: false,
         tags: [ROUTE_TAG_CAN_REDIRECT, ROUTE_TAG_AUTH_FLOW],

diff --git a/x-pack/plugins/security/server/routes/authentication/saml.ts b/x-pack/plugins/security/server/routes/authentication/saml.ts
@@ -32,6 +32,7 @@ export function defineSAMLRoutes({
           ),
         },
         options: {
+          access: 'public',
           authRequired: false,
           xsrfRequired: false,
           tags: [ROUTE_TAG_CAN_REDIRECT, ROUTE_TAG_AUTH_FLOW],

diff --git a/x-pack/test_serverless/api_integration/services/svl_common_api.ts b/x-pack/test_serverless/api_integration/services/svl_common_api.ts
@@ -13,12 +13,21 @@ const COMMON_REQUEST_HEADERS = {
   'kbn-xsrf': 'some-xsrf-token',
 };
 
+const INTERNAL_REQUEST_HEADERS = {
+  ...COMMON_REQUEST_HEADERS,
+  'x-elastic-internal-origin': 'kibana',
+};
+
 export function SvlCommonApiServiceProvider({}: FtrProviderContext) {
   return {
     getCommonRequestHeader() {
       return COMMON_REQUEST_HEADERS;
     },
 
+    getInternalRequestHeader() {
+      return INTERNAL_REQUEST_HEADERS;
+    },
+
     assertResponseStatusCode(expectedStatus: number, actualStatus: number, responseBody: object) {
       expect(actualStatus).to.eql(
         expectedStatus,

diff --git a/x-pack/test_serverless/api_integration/test_suites/common/spaces.ts b/x-pack/test_serverless/api_integration/test_suites/common/spaces.ts
@@ -16,7 +16,7 @@ export default function ({ getService }: FtrProviderContext) {
     it('rejects request to create a space', async () => {
       const { body, status } = await supertest
         .post('/api/spaces/space')
-        .set(svlCommonApi.getCommonRequestHeader())
+        .set(svlCommonApi.getInternalRequestHeader())
         .send({
           id: 'custom',
           name: 'Custom',
@@ -36,7 +36,7 @@ export default function ({ getService }: FtrProviderContext) {
     it('rejects request to update a space with disabledFeatures', async () => {
       const { body, status } = await supertest
         .put('/api/spaces/space/default')
-        .set(svlCommonApi.getCommonRequestHeader())
+        .set(svlCommonApi.getInternalRequestHeader())
         .send({
           id: 'custom',
           name: 'Custom',