From 17c3daad93c4435cc662ee5a55034f2a0d7bdc04 Mon Sep 17 00:00:00 2001
From: Shahzad
Date: Mon, 17 Jan 2022 21:13:22 +0100
Subject: [PATCH] [Uptime] Use authorised saved object client only for write operations (#123141)
---
 .../lib/adapters/framework/adapter_types.ts | 1 +
 .../lib/synthetics_service/get_api_key.ts | 17 +++++++++++------
 .../synthetics_service/service_api_client.ts | 3 +++
 .../synthetics_service/synthetics_service.ts | 6 ++++++
 .../server/rest_api/uptime_route_wrapper.ts | 2 +-
 5 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/x-pack/plugins/uptime/server/lib/adapters/framework/adapter_types.ts b/x-pack/plugins/uptime/server/lib/adapters/framework/adapter_types.ts
index 988cb3ddb9447b..18c72d7c35cb16 100644
--- a/x-pack/plugins/uptime/server/lib/adapters/framework/adapter_types.ts
+++ b/x-pack/plugins/uptime/server/lib/adapters/framework/adapter_types.ts
@@ -47,6 +47,7 @@ export interface UptimeServerSetup {
 fleet: FleetStartContract;
 security: SecurityPluginStart;
 savedObjectsClient?: SavedObjectsClientContract;
+ authSavedObjectsClient?: SavedObjectsClientContract;
 encryptedSavedObjects: EncryptedSavedObjectsPluginStart;
 syntheticsService: SyntheticsService;
 }
diff --git a/x-pack/plugins/uptime/server/lib/synthetics_service/get_api_key.ts b/x-pack/plugins/uptime/server/lib/synthetics_service/get_api_key.ts
index 3cf37758b7cec2..cd90828f93ccfd 100644
--- a/x-pack/plugins/uptime/server/lib/synthetics_service/get_api_key.ts
+++ b/x-pack/plugins/uptime/server/lib/synthetics_service/get_api_key.ts
@@ -22,7 +22,7 @@ export const getAPIKeyForSyntheticsService = async ({
 server: UptimeServerSetup;
 request?: KibanaRequest;
 }): Promise => {
- const { security, encryptedSavedObjects, savedObjectsClient } = server;
+ const { security, encryptedSavedObjects, authSavedObjectsClient } = server;
 const encryptedClient = encryptedSavedObjects.getClient({
 includedHiddenTypes: [syntheticsServiceApiKey.name],
@@ -37,17 +37,22 @@ export const getAPIKeyForSyntheticsService = async ({
 // TODO: figure out how to handle decryption errors
 }
- return await generateAndSaveAPIKey({ request, security, savedObjectsClient });
+ return await generateAndSaveAPIKey({
+ request,
+ security,
+ authSavedObjectsClient,
+ });
 };
 export const generateAndSaveAPIKey = async ({
 security,
 request,
- savedObjectsClient,
+ authSavedObjectsClient,
 }: {
 request?: KibanaRequest;
 security: SecurityPluginStart;
- savedObjectsClient?: SavedObjectsClientContract;
+ // authSavedObject is needed for write operations
+ authSavedObjectsClient?: SavedObjectsClientContract;
 }) => {
 const isApiKeysEnabled = await security.authc.apiKeys?.areAPIKeysEnabled();
@@ -81,9 +86,9 @@ export const generateAndSaveAPIKey = async ({
 if (apiKeyResult) {
 const { id, name, api_key: apiKey } = apiKeyResult;
 const apiKeyObject = { id, name, apiKey };
- if (savedObjectsClient) {
+ if (authSavedObjectsClient) {
 // discard decoded key and rest of the keys
- await setSyntheticsServiceApiKey(savedObjectsClient, apiKeyObject);
+ await setSyntheticsServiceApiKey(authSavedObjectsClient, apiKeyObject);
 }
 return apiKeyObject;
 }
diff --git a/x-pack/plugins/uptime/server/lib/synthetics_service/service_api_client.ts b/x-pack/plugins/uptime/server/lib/synthetics_service/service_api_client.ts
index ccb2847e4644d0..1c55b8812d64fd 100644
--- a/x-pack/plugins/uptime/server/lib/synthetics_service/service_api_client.ts
+++ b/x-pack/plugins/uptime/server/lib/synthetics_service/service_api_client.ts
@@ -118,6 +118,9 @@ export class ServiceAPIClient {
 rxjsFrom(callServiceEndpoint(locMonitors, url)).pipe(
 tap((result) => {
 this.logger.debug(result.data);
+ this.logger.debug(
+ `Successfully called service with method ${method} with ${allMonitors.length} monitors `
+ );
 }),
 catchError((err) => {
 pushErrors.push({ locationId: id, error: err });
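Review bot: When `authSavedObjectsClient` is undefined, the `if (authSavedObjectsClient)` guard in the `@@ -81,9 +86,9 @@` hunk skips `setSyntheticsServiceApiKey` without any signal, yet the freshly created key is still returned to the caller. The field is optional and, as far as this patch shows, is only assigned in the route wrapper, so a call made outside a wrapped request would presumably mint a new API key each time and never persist it. Consider making that case explicit, for example `else { throw new Error('No authorised saved objects client; synthetics service API key was not saved'); }`, or at least documenting why an unsaved key is acceptable. The parameter comment in the preceding hunk also names the field incorrectly; `// authSavedObjectsClient is required to persist the generated key (write operation)` would match the code. The body of generateAndSaveAPIKey starts and ends outside the hunk.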
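Review bot: The added debug line in the service_api_client.ts hunk reports `allMonitors.length`, but the call in this pipe is `callServiceEndpoint(locMonitors, url)`, so the logged count may not be the number of monitors actually sent to this location (both variables are defined outside the hunk). Logging the per-location count and the location id already used by `pushErrors` would make the entry usable when tracing a failed push: `` `Successfully called service with method ${method} for location ${id} with ${locMonitors.length} monitors` ``. The current template string also ends with a stray space.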
diff --git a/x-pack/plugins/uptime/server/lib/synthetics_service/synthetics_service.ts b/x-pack/plugins/uptime/server/lib/synthetics_service/synthetics_service.ts
index e25535df08baf5..d6fe86453a1c00 100644
--- a/x-pack/plugins/uptime/server/lib/synthetics_service/synthetics_service.ts
+++ b/x-pack/plugins/uptime/server/lib/synthetics_service/synthetics_service.ts
@@ -149,6 +149,7 @@ export class SyntheticsService {
 try {
 this.apiKey = await getAPIKeyForSyntheticsService({ server: this.server, request });
 } catch (err) {
+ this.logger.error(err);
 throw err;
 }
 }
@@ -159,6 +160,8 @@ export class SyntheticsService {
 throw error;
 }
+ this.logger.debug('Found api key and esHosts for service.');
+
 return {
 hosts: this.esHosts,
 api_key: `${this.apiKey.id}:${this.apiKey.apiKey}`,
@@ -168,6 +171,7 @@ export class SyntheticsService {
 async pushConfigs(request?: KibanaRequest, configs?: SyntheticsMonitorWithId[]) {
 const monitors = this.formatConfigs(configs || (await this.getMonitorConfigs()));
 if (monitors.length === 0) {
+ this.logger.debug('No monitor found which can be pushed to service.');
 return;
 }
 const data = {
@@ -175,6 +179,8 @@ export class SyntheticsService {
 output: await this.getOutput(request),
 };
+ this.logger.debug(`${monitors.length} monitors will be pushed to synthetics service.`);
+
 try {
 return await this.apiClient.post(data);
 } catch (e) {
diff --git a/x-pack/plugins/uptime/server/rest_api/uptime_route_wrapper.ts b/x-pack/plugins/uptime/server/rest_api/uptime_route_wrapper.ts
index faefb71e34f661..47c25bca6f900b 100644
--- a/x-pack/plugins/uptime/server/rest_api/uptime_route_wrapper.ts
+++ b/x-pack/plugins/uptime/server/rest_api/uptime_route_wrapper.ts
@@ -31,7 +31,7 @@ export const uptimeRouteWrapper: UMKibanaRouteWrapper = (uptimeRoute, server) =>
 }
 // specifically needed for the synthetics service api key generation
- server.savedObjectsClient = savedObjectsClient;
+ server.authSavedObjectsClient = savedObjectsClient;
 const isInspectorEnabled = await context.core.uiSettings.client.get(
 enableInspectEsQueries
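Review bot: `server.authSavedObjectsClient = savedObjectsClient;` stores what appears to be a per-request client on the `server` object handed to the wrapper, and that object looks shared across requests (its construction is outside the hunk). If so, concurrent requests can overwrite each other's client between this assignment and the later write in generateAndSaveAPIKey, so the API key object could be saved under a different caller's authorisation than the request that triggered it. Passing the client down explicitly next to `request`, rather than through the shared object, would remove that window. The wrapper also no longer assigns `server.savedObjectsClient`, so any remaining reader of that field depends on it being set elsewhere, which this patch does not show. The handler body continues outside the hunk.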