[WIP] Securing Spaces

src/server/saved_objects/service/lib/__snapshots__/priority_collection.test.ts.snap

@@ -0,0 +1,3 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`1, 1 throws Error 1`] = `"Already have entry with this priority"`;

src/server/saved_objects/service/lib/priority_collection.test.ts

@@ -0,0 +1,57 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import { PriorityCollection } from './priority_collection';
+
+test(`1, 2, 3`, () => {
+  const priorityCollection = new PriorityCollection();
+  priorityCollection.add(1, 1);
+  priorityCollection.add(2, 2);
+  priorityCollection.add(3, 3);
+  expect(priorityCollection.toArray()).toEqual([1, 2, 3]);
+});
+
+test(`3, 2, 1`, () => {
+  const priorityCollection = new PriorityCollection();
+  priorityCollection.add(3, 3);
+  priorityCollection.add(2, 2);
+  priorityCollection.add(1, 1);
+  expect(priorityCollection.toArray()).toEqual([1, 2, 3]);
+});
+
+test(`2, 3, 1`, () => {
+  const priorityCollection = new PriorityCollection();
+  priorityCollection.add(2, 2);
+  priorityCollection.add(3, 3);
+  priorityCollection.add(1, 1);
+  expect(priorityCollection.toArray()).toEqual([1, 2, 3]);
+});
+
+test(`Number.MAX_VALUE, NUMBER.MIN_VALUE, 1`, () => {
+  const priorityCollection = new PriorityCollection();
+  priorityCollection.add(Number.MAX_VALUE, 3);
+  priorityCollection.add(Number.MIN_VALUE, 1);
+  priorityCollection.add(1, 2);
+  expect(priorityCollection.toArray()).toEqual([1, 2, 3]);
+});
+
+test(`1, 1 throws Error`, () => {
+  const priorityCollection = new PriorityCollection();
+  priorityCollection.add(1, 1);
+  expect(() => priorityCollection.add(1, 1)).toThrowErrorMatchingSnapshot();
+});

src/server/saved_objects/service/lib/priority_collection.ts

@@ -0,0 +1,47 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+interface PriorityCollectionEntry<T> {
+  priority: number;
+  value: T;
+}
+
+export class PriorityCollection<T> {
+  private readonly array: Array<PriorityCollectionEntry<T>> = [];
+
+  public add(priority: number, value: T) {
+    let i = 0;
+    while (i < this.array.length) {
+      const current = this.array[i];
+      if (priority === current.priority) {
+        throw new Error('Already have entry with this priority');
+      }
+
+      if (priority < current.priority) {
+        break;
+      }
+      ++i;
+    }
+    this.array.splice(i, 0, { priority, value });
+  }
+
+  public toArray(): T[] {
+    return this.array.map(entry => entry.value);
+  }
+}

src/server/saved_objects/service/lib/scoped_client_provider.js

@@ -16,13 +16,14 @@
  * specific language governing permissions and limitations
  * under the License.
  */
+import { PriorityCollection } from './priority_collection';
 
 /**
  * Provider for the Scoped Saved Object Client.
  */
 export class ScopedSavedObjectsClientProvider {
 
-  _wrapperFactories = [];
+  _wrapperFactories = new PriorityCollection();
 
   constructor({
     defaultClientFactory
@@ -38,8 +39,8 @@ export class ScopedSavedObjectsClientProvider {
   // dependency on plugin b, that means that plugin b's client wrapper would want
   // to be able to run first when the SavedObjectClient methods are invoked to
   // provide additional context to plugin a's client wrapper.
-  addClientWrapperFactory(wrapperFactory) {
-    this._wrapperFactories.unshift(wrapperFactory);
+  addClientWrapperFactory(priority, wrapperFactory) {
+    this._wrapperFactories.add(priority, wrapperFactory);
   }
 
   setClientFactory(customClientFactory) {
@@ -55,11 +56,13 @@ export class ScopedSavedObjectsClientProvider {
       request,
     });
 
-    return this._wrapperFactories.reduce((clientToWrap, wrapperFactory) => {
-      return wrapperFactory({
-        request,
-        client: clientToWrap,
-      });
-    }, client);
+    return this._wrapperFactories
+      .toArray()
+      .reduceRight((clientToWrap, wrapperFactory) => {
+        return wrapperFactory({
+          request,
+          client: clientToWrap,
+        });
+      }, client);
   }
 }

src/server/saved_objects/service/lib/scoped_client_provider.test.js

@@ -64,40 +64,20 @@ test(`throws error when more than one scoped saved objects client factory is set
   }).toThrowErrorMatchingSnapshot();
 });
 
-test(`invokes and uses instance from single added wrapper factory`, () => {
+test(`invokes and uses wrappers in specified order`, () => {
   const defaultClient = Symbol();
   const defaultClientFactoryMock = jest.fn().mockReturnValue(defaultClient);
   const clientProvider = new ScopedSavedObjectsClientProvider({
     defaultClientFactory: defaultClientFactoryMock
   });
-  const wrappedClient = Symbol();
-  const clientWrapperFactoryMock = jest.fn().mockReturnValue(wrappedClient);
-  const request = Symbol();
-
-  clientProvider.addClientWrapperFactory(clientWrapperFactoryMock);
-  const actualClient = clientProvider.getClient(request);
-
-  expect(actualClient).toBe(wrappedClient);
-  expect(clientWrapperFactoryMock).toHaveBeenCalledWith({
-    request,
-    client: defaultClient
-  });
-});
-
-test(`invokes and uses wrappers in LIFO order`, () => {
-  const defaultClient = Symbol();
-  const defaultClientFactoryMock = jest.fn().mockReturnValue(defaultClient);
-  const clientProvider = new ScopedSavedObjectsClientProvider({
-    defaultClientFactory: defaultClientFactoryMock
-  });
-  const firstWrappedClient = Symbol();
+  const firstWrappedClient = Symbol('first client');
   const firstClientWrapperFactoryMock = jest.fn().mockReturnValue(firstWrappedClient);
-  const secondWrapperClient = Symbol();
+  const secondWrapperClient = Symbol('second client');
   const secondClientWrapperFactoryMock = jest.fn().mockReturnValue(secondWrapperClient);
   const request = Symbol();
 
-  clientProvider.addClientWrapperFactory(firstClientWrapperFactoryMock);
-  clientProvider.addClientWrapperFactory(secondClientWrapperFactoryMock);
+  clientProvider.addClientWrapperFactory(1, secondClientWrapperFactoryMock);
+  clientProvider.addClientWrapperFactory(0, firstClientWrapperFactoryMock);
   const actualClient = clientProvider.getClient(request);
 
   expect(actualClient).toBe(firstWrappedClient);

x-pack/plugins/security/common/constants.js

@@ -4,4 +4,4 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export const ALL_RESOURCE = '*';
+export const GLOBAL_RESOURCE = '*';

x-pack/plugins/security/index.js

@@ -19,9 +19,10 @@ import { initAuthenticator } from './server/lib/authentication/authenticator';
 import { initPrivilegesApi } from './server/routes/api/v1/privileges';
 import { SecurityAuditLogger } from './server/lib/audit_logger';
 import { AuditLogger } from '../../server/lib/audit_logger';
-import { SecureSavedObjectsClient } from './server/lib/saved_objects_client/secure_saved_objects_client';
-import { initAuthorizationService, registerPrivilegesWithCluster } from './server/lib/authorization';
+import { createAuthorizationService, registerPrivilegesWithCluster } from './server/lib/authorization';
 import { watchStatusAndLicenseToInitialize } from '../../server/lib/watch_status_and_license_to_initialize';
+import { SecureSavedObjectsClientWrapper } from './server/lib/saved_objects_client/secure_saved_objects_client_wrapper';
+import { deepFreeze } from './server/lib/deep_freeze';
 
 export const security = (kibana) => new kibana.Plugin({
   id: 'security',
@@ -106,7 +107,8 @@ export const security = (kibana) => new kibana.Plugin({
     server.auth.strategy('session', 'login', 'required');
 
     // exposes server.plugins.security.authorization
-    initAuthorizationService(server);
+    const authorization = createAuthorizationService(server, xpackInfoFeature);
+    server.expose('authorization', deepFreeze(authorization));
 
     watchStatusAndLicenseToInitialize(xpackMainPlugin, plugin, async (license) => {
       if (license.allowRbac) {
@@ -124,30 +126,37 @@ export const security = (kibana) => new kibana.Plugin({
       const { callWithRequest, callWithInternalUser } = adminCluster;
       const callCluster = (...args) => callWithRequest(request, ...args);
 
+      if (authorization.mode.useRbacForRequest(request)) {
+        const internalRepository = savedObjects.getSavedObjectsRepository(callWithInternalUser);
+        return new savedObjects.SavedObjectsClient(internalRepository);
+      }
+
       const callWithRequestRepository = savedObjects.getSavedObjectsRepository(callCluster);
+      return new savedObjects.SavedObjectsClient(callWithRequestRepository);
+    });
 
-      if (!xpackInfoFeature.getLicenseCheckResults().allowRbac) {
-        return new savedObjects.SavedObjectsClient(callWithRequestRepository);
+    savedObjects.addScopedSavedObjectsClientWrapperFactory(Number.MIN_VALUE, ({ client, request }) => {
+      if (authorization.mode.useRbacForRequest(request)) {
+        const { spaces } = server.plugins;
+
+        return new SecureSavedObjectsClientWrapper({
+          actions: authorization.actions,
+          auditLogger,
+          baseClient: client,
+          checkPrivilegesWithRequest: authorization.checkPrivilegesWithRequest,
+          errors: savedObjects.SavedObjectsClient.errors,
+          request,
+          savedObjectTypes: savedObjects.types,
+          spaces,
+        });
       }
 
-      const { authorization } = server.plugins.security;
-      const checkPrivileges = authorization.checkPrivilegesWithRequest(request);
-      const internalRepository = savedObjects.getSavedObjectsRepository(callWithInternalUser);
-
-      return new SecureSavedObjectsClient({
-        internalRepository,
-        callWithRequestRepository,
-        errors: savedObjects.SavedObjectsClient.errors,
-        checkPrivileges,
-        auditLogger,
-        savedObjectTypes: savedObjects.types,
-        actions: authorization.actions,
-      });
+      return client;
     });
 
     getUserProvider(server);
 
-    await initAuthenticator(server);
+    await initAuthenticator(server, authorization.mode);
     initAuthenticateApi(server);
     initUsersApi(server);
     initPublicRolesApi(server);

x-pack/plugins/security/public/services/application_privilege.js

@@ -10,5 +10,9 @@ import { uiModules } from 'ui/modules';
 const module = uiModules.get('security', ['ngResource']);
 module.service('ApplicationPrivileges', ($resource, chrome) => {
   const baseUrl = chrome.addBasePath('/api/security/v1/privileges');
-  return $resource(baseUrl);
+  return $resource(baseUrl, null, {
+    query: {
+      isArray: false,
+    }
+  });
 });

x-pack/plugins/security/public/views/management/edit_role/index.js

@@ -67,11 +67,6 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
 
       return role.then(res => res.toJSON());
     },
-    kibanaApplicationPrivilege(ApplicationPrivileges, kbnUrl, Promise, Private) {
-      return ApplicationPrivileges.query().$promise
-        .then(privileges => privileges.map(p => p.toJSON()))
-        .catch(checkLicenseError(kbnUrl, Promise, Private));
-    },
     users(ShieldUser, kbnUrl, Promise, Private) {
       // $promise is used here because the result is an ngResource, not a promise itself
       return ShieldUser.query().$promise
@@ -93,7 +88,6 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
 
     const Notifier = $injector.get('Notifier');
 
-    const kibanaApplicationPrivilege = $route.current.locals.kibanaApplicationPrivilege;
     const role = $route.current.locals.role;
 
     const xpackInfo = Private(XPackInfoProvider);
@@ -126,6 +120,9 @@ routes.when(`${EDIT_ROLES_PATH}/:name?`, {
       spaces,
     } = $route.current.locals;
 
+    // todo: don't hard-code this...
+    const kibanaApplicationPrivilege = [{ name: 'all' }, { name: 'read' } ];
+
     $scope.$$postDigest(() => {
       const domNode = document.getElementById('editRoleReactRoot');
 

x-pack/plugins/security/server/lib/authentication/__tests__/authenticator.js

@@ -22,6 +22,7 @@ describe('Authenticator', () => {
   let server;
   let session;
   let cluster;
+  let authorizationMode;
   beforeEach(() => {
     server = serverFixture();
     session = sinon.createStubInstance(Session);
@@ -34,6 +35,8 @@ describe('Authenticator', () => {
     cluster = sinon.stub({ callWithRequest() {} });
     sandbox.stub(ClientShield, 'getClient').returns(cluster);
 
+    authorizationMode = { initialize: sinon.stub() };
+
     server.config.returns(config);
     server.register.yields();
 
@@ -83,7 +86,7 @@ describe('Authenticator', () => {
       server.plugins.kibana.systemApi.isSystemApiRequest.returns(true);
       session.clear.throws(new Error('`Session.clear` is not supposed to be called!'));
 
-      await initAuthenticator(server);
+      await initAuthenticator(server, authorizationMode);
 
       // Second argument will be a method we'd like to test.
       authenticate = server.expose.withArgs('authenticate').firstCall.args[1];
@@ -112,6 +115,18 @@ describe('Authenticator', () => {
       expect(authenticationResult.error).to.be(failureReason);
     });
 
+    it(`doesn't initialize authorizationMode when authentication fails.`, async () => {
+      const request = requestFixture({ headers: { authorization: 'Basic ***' } });
+      session.get.withArgs(request).returns(Promise.resolve(null));
+
+      const failureReason = new Error('Not Authorized');
+      cluster.callWithRequest.withArgs(request).returns(Promise.reject(failureReason));
+
+      await authenticate(request);
+
+      sinon.assert.notCalled(authorizationMode.initialize);
+    });
+
     it('returns user that authentication provider returns.', async () => {
       const request = requestFixture({ headers: { authorization: 'Basic ***' } });
       const user = { username: 'user' };
@@ -125,6 +140,15 @@ describe('Authenticator', () => {
       });
     });
 
+    it('initiliazes authorizationMode when authentication succeeds.', async () => {
+      const request = requestFixture({ headers: { authorization: 'Basic ***' } });
+      const user = { username: 'user' };
+      cluster.callWithRequest.withArgs(request).returns(Promise.resolve(user));
+
+      await authenticate(request);
+      sinon.assert.calledWith(authorizationMode.initialize, request);
+    });
+
     it('creates session whenever authentication provider returns state to store.', async () => {
       const user = { username: 'user' };
       const systemAPIRequest = requestFixture({ headers: { authorization: 'Basic xxx' } });