From 3b9c2e4e9cf9470dd1c0163e97223646eeed153a Mon Sep 17 00:00:00 2001 From: Larry Gregory Date: Wed, 9 Dec 2020 18:08:49 -0500 Subject: [PATCH] Deprecate disabling the security plugin (#85159) Co-authored-by: Aleh Zasypkin Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> --- .../server/config_deprecations.test.ts | 186 ++++++++++++++++++ .../security/server/config_deprecations.ts | 67 +++++++ x-pack/plugins/security/server/index.ts | 49 +---- 3 files changed, 255 insertions(+), 47 deletions(-) create mode 100644 x-pack/plugins/security/server/config_deprecations.test.ts create mode 100644 x-pack/plugins/security/server/config_deprecations.ts diff --git a/x-pack/plugins/security/server/config_deprecations.test.ts b/x-pack/plugins/security/server/config_deprecations.test.ts new file mode 100644 index 0000000000000..28cd4166b2683 --- /dev/null +++ b/x-pack/plugins/security/server/config_deprecations.test.ts @@ -0,0 +1,186 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { configDeprecationFactory, applyDeprecations } from '@kbn/config'; +import { securityConfigDeprecationProvider } from './config_deprecations'; +import { cloneDeep } from 'lodash'; + +const applyConfigDeprecations = (settings: Record = {}) => { + const deprecations = securityConfigDeprecationProvider(configDeprecationFactory); + const deprecationMessages: string[] = []; + const migrated = applyDeprecations( + settings, + deprecations.map((deprecation) => ({ + deprecation, + path: 'xpack.security', + })), + (msg) => deprecationMessages.push(msg) + ); + return { + messages: deprecationMessages, + migrated, + }; +}; + +describe('Config Deprecations', () => { + it('does not report deprecations for default configuration', () => { + const defaultConfig = { xpack: { security: {} } }; + const { messages, migrated } = applyConfigDeprecations(cloneDeep(defaultConfig)); + expect(migrated).toEqual(defaultConfig); + expect(messages).toHaveLength(0); + }); + + it('renames sessionTimeout to session.idleTimeout', () => { + const config = { + xpack: { + security: { + sessionTimeout: 123, + }, + }, + }; + const { messages, migrated } = applyConfigDeprecations(cloneDeep(config)); + expect(migrated.xpack.security.sessionTimeout).not.toBeDefined(); + expect(migrated.xpack.security.session.idleTimeout).toEqual(123); + expect(messages).toMatchInlineSnapshot(` + Array [ + "\\"xpack.security.sessionTimeout\\" is deprecated and has been replaced by \\"xpack.security.session.idleTimeout\\"", + ] + `); + }); + + it(`warns that 'authorization.legacyFallback.enabled' is unused`, () => { + const config = { + xpack: { + security: { + authorization: { + legacyFallback: { + enabled: true, + }, + }, + }, + }, + }; + const { messages } = applyConfigDeprecations(cloneDeep(config)); + expect(messages).toMatchInlineSnapshot(` + Array [ + "xpack.security.authorization.legacyFallback.enabled is deprecated and is no longer used", + ] + `); + }); + + it(`warns that 'authc.saml.maxRedirectURLSize is unused`, () => { + const config = { + xpack: { + security: { + authc: { + saml: { + maxRedirectURLSize: 123, + }, + }, + }, + }, + }; + const { messages } = applyConfigDeprecations(cloneDeep(config)); + expect(messages).toMatchInlineSnapshot(` + Array [ + "xpack.security.authc.saml.maxRedirectURLSize is deprecated and is no longer used", + ] + `); + }); + + it(`warns that 'xpack.security.authc.providers.saml..maxRedirectURLSize' is unused`, () => { + const config = { + xpack: { + security: { + authc: { + providers: { + saml: { + saml1: { + maxRedirectURLSize: 123, + }, + }, + }, + }, + }, + }, + }; + const { messages } = applyConfigDeprecations(cloneDeep(config)); + expect(messages).toMatchInlineSnapshot(` + Array [ + "\`xpack.security.authc.providers.saml..maxRedirectURLSize\` is deprecated and is no longer used", + ] + `); + }); + + it(`warns when 'xpack.security.authc.providers' is an array of strings`, () => { + const config = { + xpack: { + security: { + authc: { + providers: ['basic', 'saml'], + }, + }, + }, + }; + const { messages, migrated } = applyConfigDeprecations(cloneDeep(config)); + expect(migrated).toEqual(config); + expect(messages).toMatchInlineSnapshot(` + Array [ + "Defining \`xpack.security.authc.providers\` as an array of provider types is deprecated. Use extended \`object\` format instead.", + ] + `); + }); + + it(`warns when both the basic and token providers are enabled`, () => { + const config = { + xpack: { + security: { + authc: { + providers: ['basic', 'token'], + }, + }, + }, + }; + const { messages, migrated } = applyConfigDeprecations(cloneDeep(config)); + expect(migrated).toEqual(config); + expect(messages).toMatchInlineSnapshot(` + Array [ + "Defining \`xpack.security.authc.providers\` as an array of provider types is deprecated. Use extended \`object\` format instead.", + "Enabling both \`basic\` and \`token\` authentication providers in \`xpack.security.authc.providers\` is deprecated. Login page will only use \`token\` provider.", + ] + `); + }); + + it('warns when the security plugin is disabled', () => { + const config = { + xpack: { + security: { + enabled: false, + }, + }, + }; + const { messages, migrated } = applyConfigDeprecations(cloneDeep(config)); + expect(migrated).toEqual(config); + expect(messages).toMatchInlineSnapshot(` + Array [ + "Disabling the security plugin (\`xpack.security.enabled\`) will not be supported in the next major version (8.0). To turn off security features, disable them in Elasticsearch instead.", + ] + `); + }); + + it('does not warn when the security plugin is enabled', () => { + const config = { + xpack: { + security: { + enabled: true, + }, + }, + }; + const { messages, migrated } = applyConfigDeprecations(cloneDeep(config)); + expect(migrated).toEqual(config); + expect(messages).toHaveLength(0); + }); +}); diff --git a/x-pack/plugins/security/server/config_deprecations.ts b/x-pack/plugins/security/server/config_deprecations.ts new file mode 100644 index 0000000000000..3c5d82b93acba --- /dev/null +++ b/x-pack/plugins/security/server/config_deprecations.ts @@ -0,0 +1,67 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import type { ConfigDeprecationProvider } from 'src/core/server'; + +export const securityConfigDeprecationProvider: ConfigDeprecationProvider = ({ + rename, + unused, +}) => [ + rename('sessionTimeout', 'session.idleTimeout'), + unused('authorization.legacyFallback.enabled'), + unused('authc.saml.maxRedirectURLSize'), + // Deprecation warning for the old array-based format of `xpack.security.authc.providers`. + (settings, fromPath, log) => { + if (Array.isArray(settings?.xpack?.security?.authc?.providers)) { + log( + 'Defining `xpack.security.authc.providers` as an array of provider types is deprecated. Use extended `object` format instead.' + ); + } + + return settings; + }, + (settings, fromPath, log) => { + const hasProviderType = (providerType: string) => { + const providers = settings?.xpack?.security?.authc?.providers; + if (Array.isArray(providers)) { + return providers.includes(providerType); + } + + return Object.values(providers?.[providerType] || {}).some( + (provider) => (provider as { enabled: boolean | undefined })?.enabled !== false + ); + }; + + if (hasProviderType('basic') && hasProviderType('token')) { + log( + 'Enabling both `basic` and `token` authentication providers in `xpack.security.authc.providers` is deprecated. Login page will only use `token` provider.' + ); + } + return settings; + }, + (settings, fromPath, log) => { + const samlProviders = (settings?.xpack?.security?.authc?.providers?.saml ?? {}) as Record< + string, + any + >; + if (Object.values(samlProviders).find((provider) => !!provider.maxRedirectURLSize)) { + log( + '`xpack.security.authc.providers.saml..maxRedirectURLSize` is deprecated and is no longer used' + ); + } + + return settings; + }, + (settings, fromPath, log) => { + if (settings?.xpack?.security?.enabled === false) { + log( + 'Disabling the security plugin (`xpack.security.enabled`) will not be supported in the next major version (8.0). ' + + 'To turn off security features, disable them in Elasticsearch instead.' + ); + } + return settings; + }, +]; diff --git a/x-pack/plugins/security/server/index.ts b/x-pack/plugins/security/server/index.ts index 85f49bf3f931a..5d51b88d82939 100644 --- a/x-pack/plugins/security/server/index.ts +++ b/x-pack/plugins/security/server/index.ts @@ -12,6 +12,7 @@ import type { PluginInitializerContext, } from '../../../../src/core/server'; import { ConfigSchema } from './config'; +import { securityConfigDeprecationProvider } from './config_deprecations'; import { Plugin, SecurityPluginSetup, @@ -40,53 +41,7 @@ export type { AuthenticatedUser } from '../common/model'; export const config: PluginConfigDescriptor> = { schema: ConfigSchema, - deprecations: ({ rename, unused }) => [ - rename('sessionTimeout', 'session.idleTimeout'), - unused('authorization.legacyFallback.enabled'), - unused('authc.saml.maxRedirectURLSize'), - // Deprecation warning for the old array-based format of `xpack.security.authc.providers`. - (settings, fromPath, log) => { - if (Array.isArray(settings?.xpack?.security?.authc?.providers)) { - log( - 'Defining `xpack.security.authc.providers` as an array of provider types is deprecated. Use extended `object` format instead.' - ); - } - - return settings; - }, - (settings, fromPath, log) => { - const hasProviderType = (providerType: string) => { - const providers = settings?.xpack?.security?.authc?.providers; - if (Array.isArray(providers)) { - return providers.includes(providerType); - } - - return Object.values(providers?.[providerType] || {}).some( - (provider) => (provider as { enabled: boolean | undefined })?.enabled !== false - ); - }; - - if (hasProviderType('basic') && hasProviderType('token')) { - log( - 'Enabling both `basic` and `token` authentication providers in `xpack.security.authc.providers` is deprecated. Login page will only use `token` provider.' - ); - } - return settings; - }, - (settings, fromPath, log) => { - const samlProviders = (settings?.xpack?.security?.authc?.providers?.saml ?? {}) as Record< - string, - any - >; - if (Object.values(samlProviders).find((provider) => !!provider.maxRedirectURLSize)) { - log( - '`xpack.security.authc.providers.saml..maxRedirectURLSize` is deprecated and is no longer used' - ); - } - - return settings; - }, - ], + deprecations: securityConfigDeprecationProvider, exposeToBrowser: { loginAssistanceMessage: true, },