Security - Role Mappings UI (#53620) (#54534)

* Initial role mappings UI

* apply design edits

* address PR feedback

* fix type cast for number field

* Update x-pack/legacy/plugins/security/public/views/management/role_mappings/edit_role_mapping/components/mapping_info_panel/mapping_info_panel.tsx

Co-Authored-By: Joe Portner <5295965+jportner@users.noreply.github.com>

* Cleanup FTR configuration, and handle role mapping 404 errors properly

* align naming of role mappings feature check

* Apply suggestions from code review

Co-Authored-By: Brandon Kobel <brandon.kobel@gmail.com>

* add missing test assertions

* inlining feature check logic

* switch to using snapshot

* use href instead of onClick

* adding delete unit test

* consolidate href building

* unify page load error handling

* simplify initial loading state

* documenting unconditional catch blocks

* use nodes.info instead of transport.request

* Apply suggestions from code review

Co-Authored-By: Brandon Kobel <brandon.kobel@gmail.com>

* move model out of LP into NP

* convert except_field_rule to except_any_rule

* docs, take 1

* update gif

Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>
Co-authored-by: Brandon Kobel <brandon.kobel@gmail.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>

Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>
Co-authored-by: Brandon Kobel <brandon.kobel@gmail.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>

Author: 4 people

docs/user/security/index.asciidoc

@@ -37,4 +37,5 @@ cause Kibana's authorization to behave unexpectedly.
 include::authorization/index.asciidoc[]
 include::authorization/kibana-privileges.asciidoc[]
 include::api-keys/index.asciidoc[]
+include::role-mappings/index.asciidoc[]
 include::rbac_tutorial.asciidoc[]

docs/user/security/role-mappings/images/role-mappings-create-step-1.png

@@ -0,0 +1,51 @@
+[role="xpack"]
+[[role-mappings]]
+=== Role mappings
+
+Role mappings allow you to describe which roles to assign to your users
+using a set of rules. Role mappings are required when authenticating via
+an external identity provider, such as Active Directory, Kerberos, PKI, OIDC,
+or SAML.
+
+Role mappings have no effect for users inside the `native` or `file` realms.
+
+To manage your role mappings, use *Management > Security > Role Mappings*.
+
+With *Role mappings*, you can:
+
+* View your configured role mappings
+* Create/Edit/Delete role mappings
+
+[role="screenshot"]
+image:user/security/role-mappings/images/role-mappings-grid.png["Role mappings"]
+
+
+[float]
+=== Create a role mapping
+
+To create a role mapping, navigate to *Management > Security > Role Mappings*, and click **Create role mapping**.
+Give your role mapping a unique name, and choose which roles you wish to assign to your users.
+If you need more flexibility, you can use {ref}/security-api-put-role-mapping.html#_role_templates[role templates] instead.
+
+Next, define the rules describing which users should receive the roles you defined. Rules can optionally grouped and nested, allowing for sophisticated logic to suite complex requirements.
+View the {ref}/role-mapping-resources.html[role mapping resources for an overview of the allowed rule types].
+
+
+[float]
+=== Example
+
+Let's create a `sales-users` role mapping, which assigns a `sales` role to users whose username
+starts with `sls_`, *or* belongs to the `executive` group.
+
+First, we give the role mapping a name, and assign the `sales` role:
+
+[role="screenshot"]
+image:user/security/role-mappings/images/role-mappings-create-step-1.png["Create role mapping, step 1"]
+
+Next, we define the two rules, making sure to set the group to *Any are true*:
+
+[role="screenshot"]
+image:user/security/role-mappings/images/role-mappings-create-step-2.gif["Create role mapping, step 2"]
+
+Click *Save role mapping* once you're finished.
+

docs/user/security/role-mappings/images/role-mappings-create-step-2.gif

@@ -0,0 +1,66 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import axios, { AxiosInstance } from 'axios';
+import util from 'util';
+import { ToolingLog } from '@kbn/dev-utils';
+
+export class RoleMappings {
+  private log: ToolingLog;
+  private axios: AxiosInstance;
+
+  constructor(url: string, log: ToolingLog) {
+    this.log = log;
+    this.axios = axios.create({
+      headers: { 'kbn-xsrf': 'x-pack/ftr/services/security/role_mappings' },
+      baseURL: url,
+      maxRedirects: 0,
+      validateStatus: () => true, // we do our own validation below and throw better error messages
+    });
+  }
+
+  public async create(name: string, roleMapping: Record<string, any>) {
+    this.log.debug(`creating role mapping ${name}`);
+    const { data, status, statusText } = await this.axios.post(
+      `/internal/security/role_mapping/${name}`,
+      roleMapping
+    );
+    if (status !== 200) {
+      throw new Error(
+        `Expected status code of 200, received ${status} ${statusText}: ${util.inspect(data)}`
+      );
+    }
+    this.log.debug(`created role mapping ${name}`);
+  }
+
+  public async delete(name: string) {
+    this.log.debug(`deleting role mapping ${name}`);
+    const { data, status, statusText } = await this.axios.delete(
+      `/internal/security/role_mapping/${name}`
+    );
+    if (status !== 200 && status !== 404) {
+      throw new Error(
+        `Expected status code of 200 or 404, received ${status} ${statusText}: ${util.inspect(
+          data
+        )}`
+      );
+    }
+    this.log.debug(`deleted role mapping ${name}`);
+  }
+}

docs/user/security/role-mappings/images/role-mappings-grid.png

@@ -21,6 +21,7 @@ import { format as formatUrl } from 'url';
 
 import { Role } from './role';
 import { User } from './user';
+import { RoleMappings } from './role_mappings';
 import { FtrProviderContext } from '../../ftr_provider_context';
 
 export function SecurityServiceProvider({ getService }: FtrProviderContext) {
@@ -30,6 +31,7 @@ export function SecurityServiceProvider({ getService }: FtrProviderContext) {
 
   return new (class SecurityService {
     role = new Role(url, log);
+    roleMappings = new RoleMappings(url, log);
     user = new User(url, log);
   })();
 }

docs/user/security/role-mappings/index.asciidoc

@@ -28,6 +28,7 @@ export function createJestConfig({ kibanaDirectory, xPackKibanaDirectory }) {
       '\\.(css|less|scss)$': `${kibanaDirectory}/src/dev/jest/mocks/style_mock.js`,
       '^test_utils/enzyme_helpers': `${xPackKibanaDirectory}/test_utils/enzyme_helpers.tsx`,
       '^test_utils/find_test_subject': `${xPackKibanaDirectory}/test_utils/find_test_subject.ts`,
+      '^test_utils/stub_web_worker': `${xPackKibanaDirectory}/test_utils/stub_web_worker.ts`,
     },
     coverageDirectory: '<rootDir>/../target/kibana-coverage/jest',
     coverageReporters: ['html'],

test/common/services/security/role_mappings.ts

@@ -11,12 +11,17 @@ export {
   BuiltinESPrivileges,
   EditUser,
   FeaturesPrivileges,
+  InlineRoleTemplate,
+  InvalidRoleTemplate,
   KibanaPrivileges,
   RawKibanaFeaturePrivileges,
   RawKibanaPrivileges,
   Role,
   RoleIndexPrivilege,
   RoleKibanaPrivilege,
+  RoleMapping,
+  RoleTemplate,
+  StoredRoleTemplate,
   User,
   canUserChangePassword,
   getUserDisplayName,

test/common/services/security/security.ts

@@ -0,0 +1,58 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { CoreSetup } from 'src/core/public';
+import { RoleMapping } from '../../common/model';
+
+interface CheckRoleMappingFeaturesResponse {
+  canManageRoleMappings: boolean;
+  canUseInlineScripts: boolean;
+  canUseStoredScripts: boolean;
+  hasCompatibleRealms: boolean;
+}
+
+type DeleteRoleMappingsResponse = Array<{
+  name: string;
+  success: boolean;
+  error?: Error;
+}>;
+
+export class RoleMappingsAPI {
+  constructor(private readonly http: CoreSetup['http']) {}
+
+  public async checkRoleMappingFeatures(): Promise<CheckRoleMappingFeaturesResponse> {
+    return this.http.get(`/internal/security/_check_role_mapping_features`);
+  }
+
+  public async getRoleMappings(): Promise<RoleMapping[]> {
+    return this.http.get(`/internal/security/role_mapping`);
+  }
+
+  public async getRoleMapping(name: string): Promise<RoleMapping> {
+    return this.http.get(`/internal/security/role_mapping/${encodeURIComponent(name)}`);
+  }
+
+  public async saveRoleMapping(roleMapping: RoleMapping) {
+    const payload = { ...roleMapping };
+    delete payload.name;
+
+    return this.http.post(
+      `/internal/security/role_mapping/${encodeURIComponent(roleMapping.name)}`,
+      { body: JSON.stringify(payload) }
+    );
+  }
+
+  public async deleteRoleMappings(names: string[]): Promise<DeleteRoleMappingsResponse> {
+    return Promise.all(
+      names.map(name =>
+        this.http
+          .delete(`/internal/security/role_mapping/${encodeURIComponent(name)}`)
+          .then(() => ({ success: true, name }))
+          .catch(error => ({ success: false, name, error }))
+      )
+    );
+  }
+}