[Uptime] Use authorised saved object client only for write operations (…

…elastic#123141)
tomsonpl · Jan 17, 2022 · 17c3daa · 17c3daa
1 parent 2c52ac2
commit 17c3daa
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 7 deletions.
diff --git a/x-pack/plugins/uptime/server/lib/adapters/framework/adapter_types.ts b/x-pack/plugins/uptime/server/lib/adapters/framework/adapter_types.ts
@@ -47,6 +47,7 @@ export interface UptimeServerSetup {
   fleet: FleetStartContract;
   security: SecurityPluginStart;
   savedObjectsClient?: SavedObjectsClientContract;
+  authSavedObjectsClient?: SavedObjectsClientContract;
   encryptedSavedObjects: EncryptedSavedObjectsPluginStart;
   syntheticsService: SyntheticsService;
 }

diff --git a/x-pack/plugins/uptime/server/lib/synthetics_service/get_api_key.ts b/x-pack/plugins/uptime/server/lib/synthetics_service/get_api_key.ts
@@ -22,7 +22,7 @@ export const getAPIKeyForSyntheticsService = async ({
   server: UptimeServerSetup;
   request?: KibanaRequest;
 }): Promise<SyntheticsServiceApiKey | undefined> => {
-  const { security, encryptedSavedObjects, savedObjectsClient } = server;
+  const { security, encryptedSavedObjects, authSavedObjectsClient } = server;
 
   const encryptedClient = encryptedSavedObjects.getClient({
     includedHiddenTypes: [syntheticsServiceApiKey.name],
@@ -37,17 +37,22 @@ export const getAPIKeyForSyntheticsService = async ({
     // TODO: figure out how to handle decryption errors
   }
 
-  return await generateAndSaveAPIKey({ request, security, savedObjectsClient });
+  return await generateAndSaveAPIKey({
+    request,
+    security,
+    authSavedObjectsClient,
+  });
 };
 
 export const generateAndSaveAPIKey = async ({
   security,
   request,
-  savedObjectsClient,
+  authSavedObjectsClient,
 }: {
   request?: KibanaRequest;
   security: SecurityPluginStart;
-  savedObjectsClient?: SavedObjectsClientContract;
+  // authSavedObject is needed for write operations
+  authSavedObjectsClient?: SavedObjectsClientContract;
 }) => {
   const isApiKeysEnabled = await security.authc.apiKeys?.areAPIKeysEnabled();
 
@@ -81,9 +86,9 @@ export const generateAndSaveAPIKey = async ({
   if (apiKeyResult) {
     const { id, name, api_key: apiKey } = apiKeyResult;
     const apiKeyObject = { id, name, apiKey };
-    if (savedObjectsClient) {
+    if (authSavedObjectsClient) {
       // discard decoded key and rest of the keys
-      await setSyntheticsServiceApiKey(savedObjectsClient, apiKeyObject);
+      await setSyntheticsServiceApiKey(authSavedObjectsClient, apiKeyObject);
     }
     return apiKeyObject;
   }

diff --git a/x-pack/plugins/uptime/server/lib/synthetics_service/service_api_client.ts b/x-pack/plugins/uptime/server/lib/synthetics_service/service_api_client.ts
@@ -118,6 +118,9 @@ export class ServiceAPIClient {
           rxjsFrom(callServiceEndpoint(locMonitors, url)).pipe(
             tap((result) => {
               this.logger.debug(result.data);
+              this.logger.debug(
+                `Successfully called service with method ${method} with ${allMonitors.length} monitors `
+              );
             }),
             catchError((err) => {
               pushErrors.push({ locationId: id, error: err });

diff --git a/x-pack/plugins/uptime/server/lib/synthetics_service/synthetics_service.ts b/x-pack/plugins/uptime/server/lib/synthetics_service/synthetics_service.ts
@@ -149,6 +149,7 @@ export class SyntheticsService {
       try {
         this.apiKey = await getAPIKeyForSyntheticsService({ server: this.server, request });
       } catch (err) {
+        this.logger.error(err);
         throw err;
       }
     }
@@ -159,6 +160,8 @@ export class SyntheticsService {
       throw error;
     }
 
+    this.logger.debug('Found api key and esHosts for service.');
+
     return {
       hosts: this.esHosts,
       api_key: `${this.apiKey.id}:${this.apiKey.apiKey}`,
@@ -168,13 +171,16 @@ export class SyntheticsService {
   async pushConfigs(request?: KibanaRequest, configs?: SyntheticsMonitorWithId[]) {
     const monitors = this.formatConfigs(configs || (await this.getMonitorConfigs()));
     if (monitors.length === 0) {
+      this.logger.debug('No monitor found which can be pushed to service.');
       return;
     }
     const data = {
       monitors,
       output: await this.getOutput(request),
     };
 
+    this.logger.debug(`${monitors.length} monitors will be pushed to synthetics service.`);
+
     try {
       return await this.apiClient.post(data);
     } catch (e) {

diff --git a/x-pack/plugins/uptime/server/rest_api/uptime_route_wrapper.ts b/x-pack/plugins/uptime/server/rest_api/uptime_route_wrapper.ts
@@ -31,7 +31,7 @@ export const uptimeRouteWrapper: UMKibanaRouteWrapper = (uptimeRoute, server) =>
     }
 
     // specifically needed for the synthetics service api key generation
-    server.savedObjectsClient = savedObjectsClient;
+    server.authSavedObjectsClient = savedObjectsClient;
 
     const isInspectorEnabled = await context.core.uiSettings.client.get<boolean>(
       enableInspectEsQueries