Introduce telemetry for security features (#74530)

Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>

Author: legrego

x-pack/plugins/security/common/licensing/index.mock.ts

@@ -9,6 +9,7 @@ import { SecurityLicense } from '.';
 
 export const licenseMock = {
   create: (): jest.Mocked<SecurityLicense> => ({
+    isLicenseAvailable: jest.fn(),
     isEnabled: jest.fn().mockReturnValue(true),
     getFeatures: jest.fn(),
     features$: of(),

x-pack/plugins/security/common/licensing/license_service.test.ts

@@ -13,6 +13,7 @@ describe('license features', function () {
     const serviceSetup = new SecurityLicenseService().setup({
       license$: of(undefined as any),
     });
+    expect(serviceSetup.license.isLicenseAvailable()).toEqual(false);
     expect(serviceSetup.license.getFeatures()).toEqual({
       showLogin: true,
       allowLogin: false,
@@ -34,6 +35,7 @@ describe('license features', function () {
     const serviceSetup = new SecurityLicenseService().setup({
       license$: of(rawLicenseMock),
     });
+    expect(serviceSetup.license.isLicenseAvailable()).toEqual(false);
     expect(serviceSetup.license.getFeatures()).toEqual({
       showLogin: true,
       allowLogin: false,
@@ -60,6 +62,7 @@ describe('license features', function () {
     const subscriptionHandler = jest.fn();
     const subscription = serviceSetup.license.features$.subscribe(subscriptionHandler);
     try {
+      expect(serviceSetup.license.isLicenseAvailable()).toEqual(false);
       expect(subscriptionHandler).toHaveBeenCalledTimes(1);
       expect(subscriptionHandler.mock.calls[0]).toMatchInlineSnapshot(`
         Array [
@@ -80,6 +83,7 @@ describe('license features', function () {
       `);
 
       rawLicense$.next(licenseMock.createLicenseMock());
+      expect(serviceSetup.license.isLicenseAvailable()).toEqual(true);
       expect(subscriptionHandler).toHaveBeenCalledTimes(2);
       expect(subscriptionHandler.mock.calls[1]).toMatchInlineSnapshot(`
         Array [
@@ -112,6 +116,7 @@ describe('license features', function () {
     const serviceSetup = new SecurityLicenseService().setup({
       license$: of(mockRawLicense),
     });
+    expect(serviceSetup.license.isLicenseAvailable()).toEqual(true);
     expect(serviceSetup.license.getFeatures()).toEqual({
       showLogin: true,
       allowLogin: true,
@@ -136,6 +141,7 @@ describe('license features', function () {
     const serviceSetup = new SecurityLicenseService().setup({
       license$: of(mockRawLicense),
     });
+    expect(serviceSetup.license.isLicenseAvailable()).toEqual(true);
     expect(serviceSetup.license.getFeatures()).toEqual({
       showLogin: false,
       allowLogin: false,
@@ -159,6 +165,7 @@ describe('license features', function () {
     const serviceSetup = new SecurityLicenseService().setup({
       license$: of(mockRawLicense),
     });
+    expect(serviceSetup.license.isLicenseAvailable()).toEqual(true);
     expect(serviceSetup.license.getFeatures()).toEqual({
       showLogin: true,
       allowLogin: true,
@@ -182,6 +189,7 @@ describe('license features', function () {
     const serviceSetup = new SecurityLicenseService().setup({
       license$: of(mockRawLicense),
     });
+    expect(serviceSetup.license.isLicenseAvailable()).toEqual(true);
     expect(serviceSetup.license.getFeatures()).toEqual({
       showLogin: true,
       allowLogin: true,
@@ -205,6 +213,7 @@ describe('license features', function () {
     const serviceSetup = new SecurityLicenseService().setup({
       license$: of(mockRawLicense),
     });
+    expect(serviceSetup.license.isLicenseAvailable()).toEqual(true);
     expect(serviceSetup.license.getFeatures()).toEqual({
       showLogin: true,
       allowLogin: true,

x-pack/plugins/security/common/licensing/license_service.ts

@@ -10,6 +10,7 @@ import { ILicense } from '../../../licensing/common/types';
 import { SecurityLicenseFeatures } from './license_features';
 
 export interface SecurityLicense {
+  isLicenseAvailable(): boolean;
   isEnabled(): boolean;
   getFeatures(): SecurityLicenseFeatures;
   features$: Observable<SecurityLicenseFeatures>;
@@ -31,6 +32,8 @@ export class SecurityLicenseService {
 
     return {
       license: Object.freeze({
+        isLicenseAvailable: () => rawLicense?.isAvailable ?? false,
+
         isEnabled: () => this.isSecurityEnabledFromRawLicense(rawLicense),
 
         getFeatures: () => this.calculateFeaturesFromRawLicense(rawLicense),

x-pack/plugins/security/kibana.json

@@ -4,7 +4,7 @@
   "kibanaVersion": "kibana",
   "configPath": ["xpack", "security"],
   "requiredPlugins": ["data", "features", "licensing", "taskManager"],
-  "optionalPlugins": ["home", "management"],
+  "optionalPlugins": ["home", "management", "usageCollection"],
   "server": true,
   "ui": true,
   "requiredBundles": [

x-pack/plugins/security/public/management/roles/edit_role/privileges/es/__snapshots__/elasticsearch_privileges.test.tsx.snap

@@ -41,6 +41,7 @@ describe('Security Plugin', () => {
         __legacyCompat: { logoutUrl: '/some-base-path/logout', tenant: '/some-base-path' },
         authc: { getCurrentUser: expect.any(Function), areAPIKeysEnabled: expect.any(Function) },
         license: {
+          isLicenseAvailable: expect.any(Function),
           isEnabled: expect.any(Function),
           getFeatures: expect.any(Function),
           features$: expect.any(Observable),
@@ -67,6 +68,7 @@ describe('Security Plugin', () => {
       expect(setupManagementServiceMock).toHaveBeenCalledWith({
         authc: { getCurrentUser: expect.any(Function), areAPIKeysEnabled: expect.any(Function) },
         license: {
+          isLicenseAvailable: expect.any(Function),
           isEnabled: expect.any(Function),
           getFeatures: expect.any(Function),
           features$: expect.any(Observable),

x-pack/plugins/security/public/plugin.test.tsx

@@ -904,11 +904,13 @@ describe('createConfig()', () => {
         },
         "sortedProviders": Array [
           Object {
+            "hasAccessAgreement": false,
             "name": "saml",
             "order": 0,
             "type": "saml",
           },
           Object {
+            "hasAccessAgreement": false,
             "name": "basic",
             "order": 1,
             "type": "basic",
@@ -982,6 +984,63 @@ describe('createConfig()', () => {
     ).toBe(true);
   });
 
+  it('indicates which providers have the access agreement enabled', () => {
+    expect(
+      createConfig(
+        ConfigSchema.validate({
+          authc: {
+            providers: {
+              basic: { basic1: { order: 3 } },
+              saml: {
+                saml1: { order: 2, realm: 'saml1', accessAgreement: { message: 'foo' } },
+                saml2: { order: 1, realm: 'saml2' },
+              },
+              oidc: {
+                oidc1: { order: 0, realm: 'oidc1', accessAgreement: { message: 'foo' } },
+                oidc2: { order: 4, realm: 'oidc2' },
+              },
+            },
+          },
+        }),
+        loggingSystemMock.create().get(),
+        { isTLSEnabled: true }
+      ).authc.sortedProviders
+    ).toMatchInlineSnapshot(`
+      Array [
+        Object {
+          "hasAccessAgreement": true,
+          "name": "oidc1",
+          "order": 0,
+          "type": "oidc",
+        },
+        Object {
+          "hasAccessAgreement": false,
+          "name": "saml2",
+          "order": 1,
+          "type": "saml",
+        },
+        Object {
+          "hasAccessAgreement": true,
+          "name": "saml1",
+          "order": 2,
+          "type": "saml",
+        },
+        Object {
+          "hasAccessAgreement": false,
+          "name": "basic1",
+          "order": 3,
+          "type": "basic",
+        },
+        Object {
+          "hasAccessAgreement": false,
+          "name": "oidc2",
+          "order": 4,
+          "type": "oidc",
+        },
+      ]
+    `);
+  });
+
   it('correctly sorts providers based on the `order`', () => {
     expect(
       createConfig(
@@ -1000,26 +1059,31 @@ describe('createConfig()', () => {
     ).toMatchInlineSnapshot(`
       Array [
         Object {
+          "hasAccessAgreement": false,
           "name": "oidc1",
           "order": 0,
           "type": "oidc",
         },
         Object {
+          "hasAccessAgreement": false,
           "name": "saml2",
           "order": 1,
           "type": "saml",
         },
         Object {
+          "hasAccessAgreement": false,
           "name": "saml1",
           "order": 2,
           "type": "saml",
         },
         Object {
+          "hasAccessAgreement": false,
           "name": "basic1",
           "order": 3,
           "type": "basic",
         },
         Object {
+          "hasAccessAgreement": false,
           "name": "oidc2",
           "order": 4,
           "type": "oidc",

x-pack/plugins/security/server/config.test.ts

@@ -255,13 +255,19 @@ export function createConfig(
     type: keyof ProvidersConfigType;
     name: string;
     order: number;
+    hasAccessAgreement: boolean;
   }> = [];
   for (const [type, providerGroup] of Object.entries(providers)) {
-    for (const [name, { enabled, order }] of Object.entries(providerGroup ?? {})) {
+    for (const [name, { enabled, order, accessAgreement }] of Object.entries(providerGroup ?? {})) {
       if (!enabled) {
         delete providerGroup![name];
       } else {
-        sortedProviders.push({ type: type as any, name, order });
+        sortedProviders.push({
+          type: type as any,
+          name,
+          order,
+          hasAccessAgreement: !!accessAgreement?.message,
+        });
       }
     }
   }

x-pack/plugins/security/server/config.ts

@@ -108,6 +108,7 @@ describe('Security Plugin', () => {
                   },
                   "getFeatures": [Function],
                   "isEnabled": [Function],
+                  "isLicenseAvailable": [Function],
                 },
                 "registerSpacesService": [Function],
               }

x-pack/plugins/security/server/plugin.test.ts

@@ -7,6 +7,7 @@
 import { combineLatest } from 'rxjs';
 import { first, map } from 'rxjs/operators';
 import { TypeOf } from '@kbn/config-schema';
+import { UsageCollectionSetup } from 'src/plugins/usage_collection/server';
 import {
   deepFreeze,
   CoreSetup,
@@ -32,6 +33,7 @@ import { AuditService, SecurityAuditLogger, AuditServiceSetup } from './audit';
 import { SecurityFeatureUsageService, SecurityFeatureUsageServiceStart } from './feature_usage';
 import { ElasticsearchService } from './elasticsearch';
 import { SessionManagementService } from './session_management';
+import { registerSecurityUsageCollector } from './usage_collector';
 
 export type SpacesService = Pick<
   SpacesPluginSetup['spacesService'],
@@ -74,6 +76,7 @@ export interface PluginSetupDependencies {
   features: FeaturesPluginSetup;
   licensing: LicensingPluginSetup;
   taskManager: TaskManagerSetupContract;
+  usageCollection?: UsageCollectionSetup;
 }
 
 export interface PluginStartDependencies {
@@ -123,7 +126,7 @@ export class Plugin {
 
   public async setup(
     core: CoreSetup<PluginStartDependencies>,
-    { features, licensing, taskManager }: PluginSetupDependencies
+    { features, licensing, taskManager, usageCollection }: PluginSetupDependencies
   ) {
     const [config, legacyConfig] = await combineLatest([
       this.initializerContext.config.create<TypeOf<typeof ConfigSchema>>().pipe(
@@ -151,6 +154,8 @@ export class Plugin {
 
     this.featureUsageService.setup({ featureUsage: licensing.featureUsage });
 
+    registerSecurityUsageCollector({ usageCollection, config, license });
+
     const audit = this.auditService.setup({ license, config: config.audit });
     const auditLogger = new SecurityAuditLogger(audit.getLogger());