[Ingest] Enforce security required and superuser permissions (#65315) (#65368)

jen-huang · elasticmachine · web-flow · commit 2b51b2f8b097 · 2020-05-05T21:40:32.000-07:00
* Add check permissions route and request hook

* Conditionally register routes

* Add security not enabled and permissions missing warning UIs

* Hide global settings when there is an error
# Conflicts:
#	x-pack/plugins/ingest_manager/server/plugin.ts

Co-authored-by: Elastic Machine &lt;elasticmachine@users.noreply.github.com&gt;
diff --git a/x-pack/plugins/ingest_manager/common/constants/routes.ts b/x-pack/plugins/ingest_manager/common/constants/routes.ts
@@ -61,6 +61,11 @@ export const SETTINGS_API_ROUTES = {
   UPDATE_PATTERN: `${API_ROOT}/settings`,
 };
 
+// App API routes
+export const APP_API_ROUTES = {
+  CHECK_PERMISSIONS_PATTERN: `${API_ROOT}/check-permissions`,
+};
+
 // Agent API routes
 export const AGENT_API_ROUTES = {
   LIST_PATTERN: `${FLEET_API_ROOT}/agents`,
diff --git a/x-pack/plugins/ingest_manager/common/services/routes.ts b/x-pack/plugins/ingest_manager/common/services/routes.ts
@@ -15,6 +15,7 @@ import {
   SETUP_API_ROUTE,
   OUTPUT_API_ROUTES,
   SETTINGS_API_ROUTES,
+  APP_API_ROUTES,
 } from '../constants';
 
 export const epmRouteService = {
@@ -126,6 +127,10 @@ export const settingsRoutesService = {
   getUpdatePath: () => SETTINGS_API_ROUTES.UPDATE_PATTERN,
 };
 
+export const appRoutesService = {
+  getCheckPermissionsPath: () => APP_API_ROUTES.CHECK_PERMISSIONS_PATTERN,
+};
+
 export const enrollmentAPIKeyRouteService = {
   getListPath: () => ENROLLMENT_API_KEY_ROUTES.LIST_PATTERN,
   getCreatePath: () => ENROLLMENT_API_KEY_ROUTES.CREATE_PATTERN,
diff --git a/x-pack/plugins/ingest_manager/common/types/rest_spec/app.ts b/x-pack/plugins/ingest_manager/common/types/rest_spec/app.ts
@@ -0,0 +1,10 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export interface CheckPermissionsResponse {
+  error?: 'MISSING_SECURITY' | 'MISSING_SUPERUSER_ROLE';
+  success: boolean;
+}
diff --git a/x-pack/plugins/ingest_manager/common/types/rest_spec/index.ts b/x-pack/plugins/ingest_manager/common/types/rest_spec/index.ts
@@ -14,3 +14,4 @@ export * from './enrollment_api_key';
 export * from './install_script';
 export * from './output';
 export * from './settings';
+export * from './app';
diff --git a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/hooks/use_request/app.ts b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/hooks/use_request/app.ts
@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { sendRequest } from './use_request';
+import { appRoutesService } from '../../services';
+import { CheckPermissionsResponse } from '../../types';
+
+export const sendGetPermissionsCheck = () => {
+  return sendRequest<CheckPermissionsResponse>({
+    path: appRoutesService.getCheckPermissionsPath(),
+    method: 'get',
+  });
+};
diff --git a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/hooks/use_request/index.ts b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/hooks/use_request/index.ts
@@ -13,3 +13,4 @@ export * from './epm';
 export * from './outputs';
 export * from './settings';
 export * from './setup';
+export * from './app';
diff --git a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/index.tsx b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/index.tsx
@@ -7,8 +7,10 @@ import React, { useEffect, useState } from 'react';
 import ReactDOM from 'react-dom';
 import { useObservable } from 'react-use';
 import { HashRouter as Router, Redirect, Switch, Route, RouteProps } from 'react-router-dom';
+import { i18n } from '@kbn/i18n';
 import { FormattedMessage } from '@kbn/i18n/react';
-import { EuiErrorBoundary } from '@elastic/eui';
+import styled from 'styled-components';
+import { EuiErrorBoundary, EuiPanel, EuiEmptyPrompt, EuiCode } from '@elastic/eui';
 import { CoreStart, AppMountParameters } from 'src/core/public';
 import { EuiThemeProvider } from '../../../../../legacy/common/eui_styled_components';
 import {
@@ -22,7 +24,7 @@ import { Loading, Error } from './components';
 import { IngestManagerOverview, EPMApp, AgentConfigApp, FleetApp, DataStreamApp } from './sections';
 import { CoreContext, DepsContext, ConfigContext, setHttpClient, useConfig } from './hooks';
 import { PackageInstallProvider } from './sections/epm/hooks';
-import { sendSetup } from './hooks/use_request/setup';
+import { useCore, sendSetup, sendGetPermissionsCheck } from './hooks';
 import { FleetStatusProvider } from './hooks/use_fleet_status';
 import './index.scss';
 
@@ -39,86 +41,175 @@ export const ProtectedRoute: React.FunctionComponent<ProtectedRouteProps> = ({
   return isAllowed ? <Route {...routeProps} /> : <Redirect to={{ pathname: restrictedPath }} />;
 };
 
+const Panel = styled(EuiPanel)`
+  max-width: 500px;
+  margin-right: auto;
+  margin-left: auto;
+`;
+
+const ErrorLayout = ({ children }: { children: JSX.Element }) => (
+  <EuiErrorBoundary>
+    <DefaultLayout showSettings={false}>
+      <WithoutHeaderLayout>{children}</WithoutHeaderLayout>
+    </DefaultLayout>
+  </EuiErrorBoundary>
+);
+
 const IngestManagerRoutes = ({ ...rest }) => {
   const { epm, fleet } = useConfig();
+  const { notifications } = useCore();
 
+  const [isPermissionsLoading, setIsPermissionsLoading] = useState<boolean>(false);
+  const [permissionsError, setPermissionsError] = useState<string>();
   const [isInitialized, setIsInitialized] = useState(false);
   const [initializationError, setInitializationError] = useState<Error | null>(null);
 
   useEffect(() => {
     (async () => {
+      setIsPermissionsLoading(false);
+      setPermissionsError(undefined);
       setIsInitialized(false);
       setInitializationError(null);
       try {
-        const res = await sendSetup();
-        if (res.error) {
-          setInitializationError(res.error);
+        setIsPermissionsLoading(true);
+        const permissionsResponse = await sendGetPermissionsCheck();
+        setIsPermissionsLoading(false);
+        if (permissionsResponse.data?.success) {
+          try {
+            const setupResponse = await sendSetup();
+            if (setupResponse.error) {
+              setInitializationError(setupResponse.error);
+            }
+          } catch (err) {
+            setInitializationError(err);
+          }
+          setIsInitialized(true);
+        } else {
+          setPermissionsError(permissionsResponse.data?.error || 'REQUEST_ERROR');
         }
       } catch (err) {
-        setInitializationError(err);
+        setPermissionsError('REQUEST_ERROR');
       }
-      setIsInitialized(true);
     })();
     // eslint-disable-next-line react-hooks/exhaustive-deps
   }, []);
 
+  if (isPermissionsLoading || permissionsError) {
+    return (
+      <ErrorLayout>
+        {isPermissionsLoading ? (
+          <Loading />
+        ) : permissionsError === 'REQUEST_ERROR' ? (
+          <Error
+            title={
+              <FormattedMessage
+                id="xpack.ingestManager.permissionsRequestErrorMessageTitle"
+                defaultMessage="Unable to check permissions"
+              />
+            }
+            error={i18n.translate('xpack.ingestManager.permissionsRequestErrorMessageDescription', {
+              defaultMessage: 'There was a problem checking Ingest Manager permissions',
+            })}
+          />
+        ) : (
+          <Panel>
+            <EuiEmptyPrompt
+              iconType="securityApp"
+              title={
+                <h2>
+                  {permissionsError === 'MISSING_SUPERUSER_ROLE' ? (
+                    <FormattedMessage
+                      id="xpack.ingestManager.permissionDeniedErrorTitle"
+                      defaultMessage="Permission denied"
+                    />
+                  ) : (
+                    <FormattedMessage
+                      id="xpack.ingestManager.securityRequiredErrorTitle"
+                      defaultMessage="Security is not enabled"
+                    />
+                  )}
+                </h2>
+              }
+              body={
+                <p>
+                  {permissionsError === 'MISSING_SUPERUSER_ROLE' ? (
+                    <FormattedMessage
+                      id="xpack.ingestManager.permissionDeniedErrorMessage"
+                      defaultMessage="You are not authorized to access Ingest Manager. Ingest Manager requires {roleName} privileges."
+                      values={{ roleName: <EuiCode>superuser</EuiCode> }}
+                    />
+                  ) : (
+                    <FormattedMessage
+                      id="xpack.ingestManager.securityRequiredErrorMessage"
+                      defaultMessage="You must enable security in Kibana and Elasticsearch to use Ingest Manager."
+                    />
+                  )}
+                </p>
+              }
+            />
+          </Panel>
+        )}
+      </ErrorLayout>
+    );
+  }
+
   if (!isInitialized || initializationError) {
     return (
-      <EuiErrorBoundary>
-        <DefaultLayout>
-          <WithoutHeaderLayout>
-            {initializationError ? (
-              <Error
-                title={
-                  <FormattedMessage
-                    id="xpack.ingestManager.initializationErrorMessageTitle"
-                    defaultMessage="Unable to initialize Ingest Manager"
-                  />
-                }
-                error={initializationError}
+      <ErrorLayout>
+        {initializationError ? (
+          <Error
+            title={
+              <FormattedMessage
+                id="xpack.ingestManager.initializationErrorMessageTitle"
+                defaultMessage="Unable to initialize Ingest Manager"
               />
-            ) : (
-              <Loading />
-            )}
-          </WithoutHeaderLayout>
-        </DefaultLayout>
-      </EuiErrorBoundary>
+            }
+            error={initializationError}
+          />
+        ) : (
+          <Loading />
+        )}
+      </ErrorLayout>
     );
   }
 
   return (
-    <EuiErrorBoundary>
-      <Router {...rest}>
-        <Switch>
-          <ProtectedRoute path={EPM_PATH} isAllowed={epm.enabled}>
-            <DefaultLayout section="epm">
-              <EPMApp />
-            </DefaultLayout>
-          </ProtectedRoute>
-          <Route path={AGENT_CONFIG_PATH}>
-            <DefaultLayout section="agent_config">
-              <AgentConfigApp />
-            </DefaultLayout>
-          </Route>
-          <Route path={DATA_STREAM_PATH}>
-            <DefaultLayout section="data_stream">
-              <DataStreamApp />
-            </DefaultLayout>
-          </Route>
-          <ProtectedRoute path={FLEET_PATH} isAllowed={fleet.enabled}>
-            <DefaultLayout section="fleet">
-              <FleetApp />
-            </DefaultLayout>
-          </ProtectedRoute>
-          <Route exact path="/">
-            <DefaultLayout section="overview">
-              <IngestManagerOverview />
-            </DefaultLayout>
-          </Route>
-          <Redirect to="/" />
-        </Switch>
-      </Router>
-    </EuiErrorBoundary>
+    <PackageInstallProvider notifications={notifications}>
+      <FleetStatusProvider>
+        <EuiErrorBoundary>
+          <Router {...rest}>
+            <Switch>
+              <ProtectedRoute path={EPM_PATH} isAllowed={epm.enabled}>
+                <DefaultLayout section="epm">
+                  <EPMApp />
+                </DefaultLayout>
+              </ProtectedRoute>
+              <Route path={AGENT_CONFIG_PATH}>
+                <DefaultLayout section="agent_config">
+                  <AgentConfigApp />
+                </DefaultLayout>
+              </Route>
+              <Route path={DATA_STREAM_PATH}>
+                <DefaultLayout section="data_stream">
+                  <DataStreamApp />
+                </DefaultLayout>
+              </Route>
+              <ProtectedRoute path={FLEET_PATH} isAllowed={fleet.enabled}>
+                <DefaultLayout section="fleet">
+                  <FleetApp />
+                </DefaultLayout>
+              </ProtectedRoute>
+              <Route exact path="/">
+                <DefaultLayout section="overview">
+                  <IngestManagerOverview />
+                </DefaultLayout>
+              </Route>
+              <Redirect to="/" />
+            </Switch>
+          </Router>
+        </EuiErrorBoundary>
+      </FleetStatusProvider>
+    </PackageInstallProvider>
   );
 };
 
@@ -142,11 +233,7 @@ const IngestManagerApp = ({
         <DepsContext.Provider value={{ setup: setupDeps, start: startDeps }}>
           <ConfigContext.Provider value={config}>
             <EuiThemeProvider darkMode={isDarkMode}>
-              <PackageInstallProvider notifications={coreStart.notifications}>
-                <FleetStatusProvider>
-                  <IngestManagerRoutes basepath={basepath} />
-                </FleetStatusProvider>
-              </PackageInstallProvider>
+              <IngestManagerRoutes basepath={basepath} />
             </EuiThemeProvider>
           </ConfigContext.Provider>
         </DepsContext.Provider>
diff --git a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/layouts/default.tsx b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/layouts/default.tsx
@@ -13,6 +13,7 @@ import { useLink, useConfig } from '../hooks';
 import { EPM_PATH, FLEET_PATH, AGENT_CONFIG_PATH, DATA_STREAM_PATH } from '../constants';
 
 interface Props {
+  showSettings?: boolean;
   section?: Section;
   children?: React.ReactNode;
 }
@@ -33,7 +34,11 @@ const Nav = styled.nav`
   }
 `;
 
-export const DefaultLayout: React.FunctionComponent<Props> = ({ section, children }) => {
+export const DefaultLayout: React.FunctionComponent<Props> = ({
+  showSettings = true,
+  section,
+  children,
+}) => {
   const { epm, fleet } = useConfig();
 
   const [isSettingsFlyoutOpen, setIsSettingsFlyoutOpen] = React.useState(false);
@@ -109,14 +114,16 @@ export const DefaultLayout: React.FunctionComponent<Props> = ({ section, childre
                     />
                   </EuiButtonEmpty>
                 </EuiFlexItem>
-                <EuiFlexItem>
-                  <EuiButtonEmpty iconType="gear" onClick={() => setIsSettingsFlyoutOpen(true)}>
-                    <FormattedMessage
-                      id="xpack.ingestManager.appNavigation.settingsButton"
-                      defaultMessage="Settings"
-                    />
-                  </EuiButtonEmpty>
-                </EuiFlexItem>
+                {showSettings ? (
+                  <EuiFlexItem>
+                    <EuiButtonEmpty iconType="gear" onClick={() => setIsSettingsFlyoutOpen(true)}>
+                      <FormattedMessage
+                        id="xpack.ingestManager.appNavigation.settingsButton"
+                        defaultMessage="Settings"
+                      />
+                    </EuiButtonEmpty>
+                  </EuiFlexItem>
+                ) : null}
               </EuiFlexGroup>
             </EuiFlexItem>
           </EuiFlexGroup>
diff --git a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/services/index.ts b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/services/index.ts
@@ -17,6 +17,7 @@ export {
   setupRouteService,
   outputRoutesService,
   settingsRoutesService,
+  appRoutesService,
   packageToConfigDatasourceInputs,
   storedDatasourceToAgentDatasource,
   AgentStatusKueryHelper,
diff --git a/x-pack/plugins/ingest_manager/public/applications/ingest_manager/types/index.ts b/x-pack/plugins/ingest_manager/public/applications/ingest_manager/types/index.ts
@@ -62,6 +62,8 @@ export {
   GetSettingsResponse,
   PutSettingsRequest,
   PutSettingsResponse,
+  // API schemas - app
+  CheckPermissionsResponse,
   // EPM types
   AssetReference,
   AssetsGroupedByServiceByType,
diff --git a/x-pack/plugins/ingest_manager/public/plugin.ts b/x-pack/plugins/ingest_manager/public/plugin.ts
diff --git a/x-pack/plugins/ingest_manager/server/constants/index.ts b/x-pack/plugins/ingest_manager/server/constants/index.ts
diff --git a/x-pack/plugins/ingest_manager/server/plugin.ts b/x-pack/plugins/ingest_manager/server/plugin.ts
diff --git a/x-pack/plugins/ingest_manager/server/routes/app/index.ts b/x-pack/plugins/ingest_manager/server/routes/app/index.ts
diff --git a/x-pack/plugins/ingest_manager/server/routes/index.ts b/x-pack/plugins/ingest_manager/server/routes/index.ts
