Enable API protection in serverless

[TinaHeiligers]

fix #162117
restrictInternalApis set to true enforces the restriction to internal API's. The restriction is only enabled in serverless.

What this means to plugin authors and stack components :

Access to internal Kibana HTTP API endpoints is restricted in serverless and calls to these endpoints will respond with 400 when the request doesn't include an x-elastic-internal-origin header.

The header is automatically included when using core's browser-side HTTP service (e.g. core.http.fetch('....'))

where the restriction is not applied:

• Public APIs do not have the restriction. Any request made to an endpoint defined as access: public remains open.
• The restriction is not enabled in our current offerings.

For more details, see #152404

Risk

Risk	Probability	Severity	Mitigation/Notes
The restriction is knowingly bypassed by end-users adding the required header to use internal APIs	Low	High	Serverless: Kibana's internal APIs are not publically documented. If we do see violations, we tell the user to stop. Current offerings: internal public documentation on internal APIs must have the experimental warning and clearly state that internal APIs are subject to frequent changes
Upstream services don't include the header and requests to internal APIs fail	Medium	Medium	The Core team needs to ensure intra-stack components are updated too

[elasticmachine]

Pinging @elastic/kibana-core (Team:Core)

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[TinaHeiligers]

Tests against api/spaces/space fail because they're public and missing the required and now enforced x-elastic-internal-origin header. The requests are expected to fail but for different reasons. Adding the header will fix the error message we expect to see.
@elastic/kibana-security is looking into that.

Update: Clarifying above:

When the access tag for a route definition is not explicitly set by API owners, the default was to interpret access from the route path:

• Route paths with a prefix of "internal" (e.g. path = '/internal/my_app/....") end up with `access: 'internal'.
• Route paths with a prefix of "api" (e.g. path = '/api/my_app/....") have access: 'public'.
• All other routes that don't have either of those two prefixes also become public by default.

#161672 changes the default to internal, meaning that API owners have to explicitly set access: public to pass the API protection restriction.

api/spaces/space used to be 'public', and not restricted but now it's seen as internal.

[TinaHeiligers]

@jloleysens @pgayvallet suggests a CLI implementation.

[pgayvallet]

I suggested to do something else in https://github.com/elastic/kibana/pull/161733/files#r1262308667 because the purpose of the linked PR was to enabled restricted API mode for tests, and enabling it globally wasn't the best way of doing so.

If your PR intends to enabled the restriction in production, then uncommenting the value in the serverless config file makes sense.

[azasypkin]

restrictInternalApis set to true enforces the restriction to internal API's. The restriction is only enabled in serverless.

What does it mean in practice? Does it affect internal routes defined with httpResources.register (e.g. '/internal/security/capture-url' - user is being redirected to this URL and it's not possible to set any request headers)?

Tests against api/spaces/space fail because they're public and missing the required and now enforced x-elastic-internal-origin header.

If API is public, does it require x-elastic-internal-origin? What about public APIs used by external integrations that cannot set these headers (e.g. /api/security/saml/callback)?

[jloleysens]

Hey @azasypkin !

In practice it means that all routes that match request.route.options.access === 'internal' will require setting x-elastic-internal-origin.

We are going to be doing an analysis of affected systems first before merging this PR (like resource bundles, login etc). Will likely take a while longer before this is ready.

If API is public, does it require x-elastic-internal-origin

No it will not require the header to use the endpoint.

[jloleysens]

Blocking pending further analysis of affected systems

[azasypkin]

We are going to be doing an analysis of affected systems first before merging this PR (like resource bundles, login etc). Will likely take a while longer before this is ready.

👍

No it will not require the header to use the endpoint.

Great, thanks for confirming!

[jloleysens]

Let's wait 1 week from today to merge this -- we should address failing tests though.

FWIW #162258 has been merged.

[TinaHeiligers]

@elasticmachine merge upstream

[TinaHeiligers]

Now that we merged #162636 I think we should just do a simple smoke test of running this PR against ES project, then merge tomorrow. WDYT

@jloleysens The smoke test failed miserably 😞 . There's an issue security solution cypress tests.

[TinaHeiligers]

@elastic/security-solution your serverless cyprus test fail with API protection enabled.

[TinaHeiligers]

@elasticmachine merge upstream

[TinaHeiligers]

@paul-tavares oh dear, it looks like we need to do more work around cypress.
sendApiLoginRequest is missing the required header in the request to the internal API '/internal/security/login',

kibana/x-pack/test_serverless/functional/test_suites/security/cypress/tasks/login.ts

Lines 19 to 47 in c0030da

	const sendApiLoginRequest = (
	username: string,
	password: string
	): Cypress.Chainable<{ username: string; password: string }> => {
	const url = new URL(Cypress.config().baseUrl ?? '');
	url.pathname = '/internal/security/login';
	cy.log(`Authenticating [${username}] via ${url.toString()}`);
	return request({
	headers: { 'kbn-xsrf': 'cypress-creds-via-env' },
	method: 'POST',
	url: url.toString(),
	body: {
	providerType: 'basic',
	providerName: isLocalhost(url.hostname) ? 'basic' : 'cloud-basic',
	currentURL: '/',
	params: {
	username,
	password,
	},
	},
	}).then(() => {
	return {
	username,
	password,
	};
	});
	};

There might be a few others too

[patrykkopycinski]

added label to make sure we run all Kibana's Cypress tests

[TinaHeiligers]

@elasticmachine merge upstream

[jloleysens]

@elasticmachine merge upstream

[TinaHeiligers]

@elasticmachine merge upstream

[kibana-ci]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: 6334d7b
• Kibana Serverless Image: docker.elastic.co/kibana-ci/kibana-serverless:pr-162149-6334d7b8821b

Failed CI Steps

• Threat Intelligence Cypress Tests #1
• Osquery Cypress Tests #2

Test Failures

• [job] [logs] Threat Intelligence Cypress Tests #1 / Empty Page should render the empty page with link to docs and integrations, and navigate to integrations page

Metrics [docs]

✅ unchanged

History

• 💔 Build #147367 failed 6f28f2a
• 💔 Build #146962 failed 548af6a
• 💔 Build #146910 failed c07f854
• 💚 Build #146347 succeeded f57b71d
• 💔 Build #146284 failed 757186c

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[TinaHeiligers]

@paul-tavares one of the cypress test failed but didn't block the build.
Could you please watch that tests and let me know if it stays flaky?
Thanks!

[paul-tavares]

I just took a look and its not one of the tests we worked on. It came from x-pack/plugins/threat_intelligence/cypress/e2e/empty_page.cy.ts which ran on this PR because of the label that @patrykkopycinski added. I don't think it has anything to do with serverless