Merge branch 'master' into vis-types-2

Author: kibanamachine

.github/CODEOWNERS

@@ -439,6 +439,9 @@
 /x-pack/test/reporting_api_integration/ @elastic/kibana-reporting-services @elastic/kibana-app-services
 /x-pack/test/reporting_functional/ @elastic/kibana-reporting-services @elastic/kibana-app-services
 /x-pack/test/stack_functional_integration/apps/reporting/ @elastic/kibana-reporting-services @elastic/kibana-app-services
+/docs/user/reporting @elastic/kibana-reporting-services @elastic/kibana-app-services
+/docs/settings/reporting-settings.asciidoc @elastic/kibana-reporting-services @elastic/kibana-app-services
+/docs/setup/configuring-reporting.asciidoc @elastic/kibana-reporting-services @elastic/kibana-app-services
 #CC# /x-pack/plugins/reporting/ @elastic/kibana-reporting-services
 
 

docs/management/advanced-options.asciidoc

@@ -186,7 +186,7 @@ Set to `true` to enable a dark mode for the {kib} UI. You must refresh the page
 to apply the setting.
 
 [[theme-version]]`theme:version`::
-Specifies the {kib} theme. If you change the setting, refresh the page to apply the setting. 
+Specifies the {kib} theme. If you change the setting, refresh the page to apply the setting.
 
 [[timepicker-quickranges]]`timepicker:quickRanges`::
 The list of ranges to show in the Quick section of the time filter. This should
@@ -214,7 +214,7 @@ truncation.
 When enabled, provides access to the experimental *Labs* features for *Canvas*.
 
 [[labs-dashboard-defer-below-fold]]`labs:dashboard:deferBelowFold`::
-When enabled, the panels that appear below the fold are loaded when they become visible on the dashboard. 
+When enabled, the panels that appear below the fold are loaded when they become visible on the dashboard.
 _Below the fold_ refers to panels that are not immediately visible when you open a dashboard, but become visible as you scroll. For additional information, refer to <<defer-loading-panels-below-the-fold,Improve dashboard loading time>>.
 
 [[labs-dashboard-enable-ui]]`labs:dashboard:enable_ui`::
@@ -240,7 +240,7 @@ Banners are a https://www.elastic.co/subscriptions[subscription feature].
 
 [horizontal]
 [[banners-placement]]`banners:placement`::
-Set to `Top` to display a banner above the Elastic header for this space. Defaults to the value of 
+Set to `Top` to display a banner above the Elastic header for this space. Defaults to the value of
 the `xpack.banners.placement` configuration property.
 
 [[banners-textcontent]]`banners:textContent`::
@@ -443,6 +443,9 @@ The threshold above which {ml} job anomalies are displayed in the {security-app}
 A comma-delimited list of {es} indices from which the {security-app} collects
 events.
 
+[[securitysolution-threatindices]]`securitySolution:defaultThreatIndex`::
+A comma-delimited list of Threat Intelligence indices from which the {security-app} collects indicators.
+
 [[securitysolution-enablenewsfeed]]`securitySolution:enableNewsFeed`:: Enables
 the security news feed on the Security *Overview* page.
 
@@ -544,4 +547,4 @@ only production-ready visualizations are available to users.
 [horizontal]
 [[telemetry-enabled-advanced-setting]]`telemetry:enabled`::
 When enabled, helps improve the Elastic Stack by providing usage statistics for
-basic features. This data will not be shared outside of Elastic.
+basic features. This data will not be shared outside of Elastic.

docs/settings/reporting-settings.asciidoc

@@ -281,16 +281,15 @@ NOTE: This setting exists for backwards compatibility, but is unused and hardcod
 [[reporting-advanced-settings]]
 ==== Security settings
 
-[[xpack-reporting-roles-enabled]] `xpack.reporting.roles.enabled`::
-deprecated:[7.14.0,This setting must be set to `false` in 8.0.] When `true`, grants users access to the {report-features} by assigning reporting roles, specified by `xpack.reporting.roles.allow`. Granting access to users this way is deprecated. Set to `false` and use {kibana-ref}/kibana-privileges.html[{kib} privileges] instead. Defaults to `true`.
+With Security enabled, Reporting has two forms of access control: each user can only access their own reports, and custom roles determine who has privilege to generate reports. When Reporting is configured with <<kibana-privileges, {kib} application privileges>>, you can control the spaces and applications where users are allowed to generate reports.
 
 [NOTE]
 ============================================================================
-In 7.x, the default value of `xpack.reporting.roles.enabled` is `true`. To migrate users to the
-new method of securing access to *Reporting*, you must set `xpack.reporting.roles.enabled: false`. In the next major version of {kib}, `false` will be the only valid configuration.
+The `xpack.reporting.roles` settings are for a deprecated system of access control in Reporting. It does not allow API Keys to generate reports, and it doesn't allow {kib} application privileges. We recommend you explicitly turn off reporting's deprecated access control feature by adding `xpack.reporting.roles.enabled: false` in kibana.yml. This will enable application privileges for reporting, as described in <<grant-user-access, granting users access to reporting>>.
 ============================================================================
 
-`xpack.reporting.roles.allow`::
-deprecated:[7.14.0,This setting will be removed in 8.0.] Specifies the roles, in addition to superusers, that can generate reports, using the {ref}/security-api.html#security-role-apis[{es} role management APIs]. Requires `xpack.reporting.roles.enabled` to be `true`. Granting access to users this way is deprecated. Use {kibana-ref}/kibana-privileges.html[{kib} privileges] instead. Defaults to `[ "reporting_user" ]`.
+[[xpack-reporting-roles-enabled]] `xpack.reporting.roles.enabled`::
+deprecated:[7.14.0,The default for this setting will be `false` in an upcoming version of {kib}.] Sets access control to a set of assigned reporting roles, specified by `xpack.reporting.roles.allow`. Defaults to `true`.
 
-NOTE: Each user has access to only their own reports.
+`xpack.reporting.roles.allow`::
+deprecated:[7.14.0] In addition to superusers, specifies the roles that can generate reports using the {ref}/security-api.html#security-role-apis[{es} role management APIs]. Requires `xpack.reporting.roles.enabled` to be `true`. Defaults to `[ "reporting_user" ]`.

docs/setup/configuring-reporting.asciidoc

@@ -41,11 +41,16 @@ To troubleshoot the problem, start the {kib} server with environment variables t
 [float]
 [[grant-user-access]]
 === Grant users access to reporting
+When security is enabled, you grant users access to generate reports with <<kibana-privileges, {kib} application privileges>>, which allow you to create custom roles that control the spaces and applications where users generate reports.
 
-When security is enabled, access to the {report-features} is controlled by roles and <<kibana-privileges, privileges>>. With privileges, you can define custom roles that grant *Reporting* privileges as sub-features of {kib} applications. To grant users permission to generate reports and view their reports in *Reporting*, create and assign the reporting role.
-
-[[reporting-app-users]]
-NOTE: In 7.12.0 and earlier, you grant access to the {report-features} by assigning users the `reporting_user` role in {es}. 
+. Enable application privileges in Reporting. To enable, turn off the default user access control features in `kibana.yml`:
++
+[source,yaml]
+------------------------------------
+xpack.reporting.roles.enabled: false
+------------------------------------
++
+NOTE: If you use the default settings, you can still create a custom role that grants reporting privileges. The default role is `reporting_user`. This behavior is being deprecated and does not allow application-level access controls for {report-features}, and does not allow API keys or authentication tokens to authorize report generation. Refer to <<reporting-advanced-settings, reporting security settings>> for information and caveats about the deprecated access control features.
 
 . Create the reporting role. 
 
@@ -90,10 +95,12 @@ If the *Reporting* option is unavailable, contact your administrator, or <<repor
 
 .. Click *Update user*.
 
+Granting the privilege to generate reports also grants the user the privilege to view their reports in *Stack Management > Reporting*. Users can only access their own reports.
+
 [float]
 [[reporting-roles-user-api]]
 ==== Grant access with the role API
-You can also use the {ref}/security-api-put-role.html[role API] to grant access to the reporting features. Grant the reporting role to users in combination with other roles that grant read access to the data in {es}, and at least read access in the applications where users can generate reports.
+With <<grant-user-access, {kib} application privileges>> enabled in Reporting, you can also use the {ref}/security-api-put-role.html[role API] to grant access to the {report-features}. Grant custom reporting roles to users in combination with other roles that grant read access to the data in {es}, and at least read access in the applications where users can generate reports.
 
 [source, sh]
 ---------------------------------------------------------------

package.json

@@ -655,6 +655,7 @@
     "@types/yauzl": "^2.9.1",
     "@types/zen-observable": "^0.8.0",
     "@typescript-eslint/eslint-plugin": "^4.14.1",
+    "@typescript-eslint/typescript-estree": "^4.14.1",
     "@typescript-eslint/parser": "^4.14.1",
     "@yarnpkg/lockfile": "^1.1.0",
     "abab": "^2.0.4",
@@ -725,6 +726,7 @@
     "eslint-plugin-react": "^7.20.3",
     "eslint-plugin-react-hooks": "^4.2.0",
     "eslint-plugin-react-perf": "^3.2.3",
+    "eslint-traverse": "^1.0.0",
     "expose-loader": "^0.7.5",
     "faker": "^5.1.0",
     "fancy-log": "^1.3.2",

packages/elastic-eslint-config-kibana/.eslintrc.js

@@ -90,5 +90,7 @@ module.exports = {
         },
       ],
     ],
+
+    '@kbn/eslint/no_async_promise_body': 'error',
   },
 };

packages/kbn-eslint-plugin-eslint/index.js

@@ -12,5 +12,6 @@ module.exports = {
     'disallow-license-headers': require('./rules/disallow_license_headers'),
     'no-restricted-paths': require('./rules/no_restricted_paths'),
     module_migration: require('./rules/module_migration'),
+    no_async_promise_body: require('./rules/no_async_promise_body'),
   },
 };

packages/kbn-eslint-plugin-eslint/rules/no_async_promise_body.js

@@ -0,0 +1,165 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+const { parseExpression } = require('@babel/parser');
+const { default: generate } = require('@babel/generator');
+const tsEstree = require('@typescript-eslint/typescript-estree');
+const traverse = require('eslint-traverse');
+const esTypes = tsEstree.AST_NODE_TYPES;
+const babelTypes = require('@babel/types');
+
+/** @typedef {import("eslint").Rule.RuleModule} Rule */
+/** @typedef {import("@typescript-eslint/parser").ParserServices} ParserServices */
+/** @typedef {import("@typescript-eslint/typescript-estree").TSESTree.Expression} Expression */
+/** @typedef {import("@typescript-eslint/typescript-estree").TSESTree.ArrowFunctionExpression} ArrowFunctionExpression */
+/** @typedef {import("@typescript-eslint/typescript-estree").TSESTree.FunctionExpression} FunctionExpression */
+/** @typedef {import("@typescript-eslint/typescript-estree").TSESTree.TryStatement} TryStatement */
+/** @typedef {import("@typescript-eslint/typescript-estree").TSESTree.NewExpression} NewExpression */
+/** @typedef {import("typescript").ExportDeclaration} ExportDeclaration */
+/** @typedef {import("eslint").Rule.RuleFixer} Fixer */
+
+const ERROR_MSG =
+  'Passing an async function to the Promise constructor leads to a hidden promise being created and prevents handling rejections';
+
+/**
+ * @param {Expression} node
+ */
+const isPromise = (node) => node.type === esTypes.Identifier && node.name === 'Promise';
+
+/**
+ * @param {Expression} node
+ * @returns {node is ArrowFunctionExpression | FunctionExpression}
+ */
+const isFunc = (node) =>
+  node.type === esTypes.ArrowFunctionExpression || node.type === esTypes.FunctionExpression;
+
+/**
+ * @param {any} context
+ * @param {ArrowFunctionExpression | FunctionExpression} node
+ */
+const isFuncBodySafe = (context, node) => {
+  // if the body isn't wrapped in a blockStatement it can't have a try/catch at the root
+  if (node.body.type !== esTypes.BlockStatement) {
+    return false;
+  }
+
+  // when the entire body is wrapped in a try/catch it is the only node
+  if (node.body.body.length !== 1) {
+    return false;
+  }
+
+  const tryNode = node.body.body[0];
+  // ensure we have a try node with a handler
+  if (tryNode.type !== esTypes.TryStatement || !tryNode.handler) {
+    return false;
+  }
+
+  // ensure the handler doesn't throw
+  let hasThrow = false;
+  traverse(context, tryNode.handler, (path) => {
+    if (path.node.type === esTypes.ThrowStatement) {
+      hasThrow = true;
+      return traverse.STOP;
+    }
+  });
+  return !hasThrow;
+};
+
+/**
+ * @param {string} code
+ */
+const wrapFunctionInTryCatch = (code) => {
+  // parse the code with babel so we can mutate the AST
+  const ast = parseExpression(code, {
+    plugins: ['typescript', 'jsx'],
+  });
+
+  // validate that the code reperesents an arrow or function expression
+  if (!babelTypes.isArrowFunctionExpression(ast) && !babelTypes.isFunctionExpression(ast)) {
+    throw new Error('expected function to be an arrow or function expression');
+  }
+
+  // ensure that the function receives the second argument, and capture its name if already defined
+  let rejectName = 'reject';
+  if (ast.params.length === 0) {
+    ast.params.push(babelTypes.identifier('resolve'), babelTypes.identifier(rejectName));
+  } else if (ast.params.length === 1) {
+    ast.params.push(babelTypes.identifier(rejectName));
+  } else if (ast.params.length === 2) {
+    if (babelTypes.isIdentifier(ast.params[1])) {
+      rejectName = ast.params[1].name;
+    } else {
+      throw new Error('expected second param of promise definition function to be an identifier');
+    }
+  }
+
+  // ensure that the body of the function is a blockStatement
+  let block = ast.body;
+  if (!babelTypes.isBlockStatement(block)) {
+    block = babelTypes.blockStatement([babelTypes.returnStatement(block)]);
+  }
+
+  // redefine the body of the function as a new blockStatement containing a tryStatement
+  // which catches errors and forwards them to reject() when caught
+  ast.body = babelTypes.blockStatement([
+    // try {
+    babelTypes.tryStatement(
+      block,
+      // catch (error) {
+      babelTypes.catchClause(
+        babelTypes.identifier('error'),
+        babelTypes.blockStatement([
+          // reject(error)
+          babelTypes.expressionStatement(
+            babelTypes.callExpression(babelTypes.identifier(rejectName), [
+              babelTypes.identifier('error'),
+            ])
+          ),
+        ])
+      )
+    ),
+  ]);
+
+  return generate(ast).code;
+};
+
+/** @type {Rule} */
+module.exports = {
+  meta: {
+    fixable: 'code',
+    schema: [],
+  },
+  create: (context) => ({
+    NewExpression(_) {
+      const node = /** @type {NewExpression} */ (_);
+
+      // ensure we are newing up a promise with a single argument
+      if (!isPromise(node.callee) || node.arguments.length !== 1) {
+        return;
+      }
+
+      const func = node.arguments[0];
+      // ensure the argument is an arrow or function expression and is async
+      if (!isFunc(func) || !func.async) {
+        return;
+      }
+
+      // body must be a blockStatement, try/catch can't exist outside of a block
+      if (!isFuncBodySafe(context, func)) {
+        context.report({
+          message: ERROR_MSG,
+          loc: func.loc,
+          fix(fixer) {
+            const source = context.getSourceCode();
+            return fixer.replaceText(func, wrapFunctionInTryCatch(source.getText(func)));
+          },
+        });
+      }
+    },
+  }),
+};