diff --git a/x-pack/plugins/alerts/server/alerts_client.ts b/x-pack/plugins/alerts/server/alerts_client.ts index e8e6f82f138828..ba832c65319f94 100644 --- a/x-pack/plugins/alerts/server/alerts_client.ts +++ b/x-pack/plugins/alerts/server/alerts_client.ts @@ -13,6 +13,7 @@ import { SavedObjectReference, SavedObject, } from 'src/core/server'; +import _ from 'lodash'; import { ActionsClient } from '../../actions/server'; import { Alert, @@ -53,7 +54,7 @@ interface ConstructorOptions { spaceId?: string; namespace?: string; getUserName: () => Promise; - createAPIKey: () => Promise; + createAPIKey: (name: string) => Promise; invalidateAPIKey: (params: InvalidateAPIKeyParams) => Promise; getActionsClient: () => Promise; } @@ -129,7 +130,7 @@ export class AlertsClient { private readonly taskManager: TaskManagerStartContract; private readonly savedObjectsClient: SavedObjectsClientContract; private readonly alertTypeRegistry: AlertTypeRegistry; - private readonly createAPIKey: () => Promise; + private readonly createAPIKey: (name: string) => Promise; private readonly invalidateAPIKey: ( params: InvalidateAPIKeyParams ) => Promise; @@ -167,7 +168,10 @@ export class AlertsClient { const alertType = this.alertTypeRegistry.get(data.alertTypeId); const validatedAlertTypeParams = validateAlertTypeParams(alertType, data.params); const username = await this.getUserName(); - const createdAPIKey = data.enabled ? await this.createAPIKey() : null; + + const createdAPIKey = data.enabled + ? await this.createAPIKey(this.generateAPIKeyName(alertType.id, data.name)) + : null; this.validateActions(alertType, data.actions); @@ -334,7 +338,9 @@ export class AlertsClient { const { actions, references } = await this.denormalizeActions(data.actions); const username = await this.getUserName(); - const createdAPIKey = attributes.enabled ? await this.createAPIKey() : null; + const createdAPIKey = attributes.enabled + ? await this.createAPIKey(this.generateAPIKeyName(alertType.id, data.name)) + : null; const apiKeyAttributes = this.apiKeyAsAlertAttributes(createdAPIKey, username); const updatedObject = await this.savedObjectsClient.update( @@ -406,7 +412,10 @@ export class AlertsClient { id, { ...attributes, - ...this.apiKeyAsAlertAttributes(await this.createAPIKey(), username), + ...this.apiKeyAsAlertAttributes( + await this.createAPIKey(this.generateAPIKeyName(attributes.alertTypeId, attributes.name)), + username + ), updatedBy: username, }, { version } @@ -464,7 +473,12 @@ export class AlertsClient { { ...attributes, enabled: true, - ...this.apiKeyAsAlertAttributes(await this.createAPIKey(), username), + ...this.apiKeyAsAlertAttributes( + await this.createAPIKey( + this.generateAPIKeyName(attributes.alertTypeId, attributes.name) + ), + username + ), updatedBy: username, }, { version } @@ -697,4 +711,8 @@ export class AlertsClient { references, }; } + + private generateAPIKeyName(alertTypeId: string, alertName: string) { + return _.truncate(`Alerting: ${alertTypeId}/${alertName}`, { length: 256 }); + } } diff --git a/x-pack/plugins/alerts/server/alerts_client_factory.ts b/x-pack/plugins/alerts/server/alerts_client_factory.ts index af546f965d7df7..30fcd1b949f2bf 100644 --- a/x-pack/plugins/alerts/server/alerts_client_factory.ts +++ b/x-pack/plugins/alerts/server/alerts_client_factory.ts @@ -70,7 +70,7 @@ export class AlertsClientFactory { const user = await securityPluginSetup.authc.getCurrentUser(request); return user ? user.username : null; }, - async createAPIKey() { + async createAPIKey(name: string) { if (!securityPluginSetup) { return { apiKeysEnabled: false }; } @@ -78,7 +78,11 @@ export class AlertsClientFactory { // API key for the user, instead of having the user create it themselves, which requires api_key // privileges const createAPIKeyResult = await securityPluginSetup.authc.grantAPIKeyAsInternalUser( - request + request, + { + name, + role_descriptors: {}, + } ); if (!createAPIKeyResult) { return { apiKeysEnabled: false }; diff --git a/x-pack/plugins/security/server/authentication/api_keys.test.ts b/x-pack/plugins/security/server/authentication/api_keys.test.ts index 631a6f9ab213c3..5164099f9ff672 100644 --- a/x-pack/plugins/security/server/authentication/api_keys.test.ts +++ b/x-pack/plugins/security/server/authentication/api_keys.test.ts @@ -162,7 +162,10 @@ describe('API Keys', () => { describe('grantAsInternalUser()', () => { it('returns null when security feature is disabled', async () => { mockLicense.isEnabled.mockReturnValue(false); - const result = await apiKeys.grantAsInternalUser(httpServerMock.createKibanaRequest()); + const result = await apiKeys.grantAsInternalUser(httpServerMock.createKibanaRequest(), { + name: 'test_api_key', + role_descriptors: {}, + }); expect(result).toBeNull(); expect(mockClusterClient.callAsInternalUser).not.toHaveBeenCalled(); @@ -174,21 +177,33 @@ describe('API Keys', () => { id: '123', name: 'key-name', api_key: 'abc123', + expires: '1d', }); const result = await apiKeys.grantAsInternalUser( httpServerMock.createKibanaRequest({ headers: { authorization: `Basic ${encodeToBase64('foo:bar')}`, }, - }) + }), + { + name: 'test_api_key', + role_descriptors: { foo: true }, + expiration: '1d', + } ); expect(result).toEqual({ api_key: 'abc123', id: '123', name: 'key-name', + expires: '1d', }); expect(mockClusterClient.callAsInternalUser).toHaveBeenCalledWith('shield.grantAPIKey', { body: { + api_key: { + name: 'test_api_key', + role_descriptors: { foo: true }, + expiration: '1d', + }, grant_type: 'password', username: 'foo', password: 'bar', @@ -208,7 +223,12 @@ describe('API Keys', () => { headers: { authorization: `Bearer foo-access-token`, }, - }) + }), + { + name: 'test_api_key', + role_descriptors: { foo: true }, + expiration: '1d', + } ); expect(result).toEqual({ api_key: 'abc123', @@ -217,6 +237,11 @@ describe('API Keys', () => { }); expect(mockClusterClient.callAsInternalUser).toHaveBeenCalledWith('shield.grantAPIKey', { body: { + api_key: { + name: 'test_api_key', + role_descriptors: { foo: true }, + expiration: '1d', + }, grant_type: 'access_token', access_token: 'foo-access-token', }, @@ -231,7 +256,12 @@ describe('API Keys', () => { headers: { authorization: `Digest username="foo"`, }, - }) + }), + { + name: 'test_api_key', + role_descriptors: { foo: true }, + expiration: '1d', + } ) ).rejects.toThrowErrorMatchingInlineSnapshot( `"Unsupported scheme \\"Digest\\" for granting API Key"` diff --git a/x-pack/plugins/security/server/authentication/api_keys.ts b/x-pack/plugins/security/server/authentication/api_keys.ts index 3b6aee72651e29..19922ce3c890d0 100644 --- a/x-pack/plugins/security/server/authentication/api_keys.ts +++ b/x-pack/plugins/security/server/authentication/api_keys.ts @@ -29,6 +29,7 @@ export interface CreateAPIKeyParams { } interface GrantAPIKeyParams { + api_key: CreateAPIKeyParams; grant_type: 'password' | 'access_token'; username?: string; password?: string; @@ -188,7 +189,7 @@ export class APIKeys { * Tries to grant an API key for the current user. * @param request Request instance. */ - async grantAsInternalUser(request: KibanaRequest) { + async grantAsInternalUser(request: KibanaRequest, createParams: CreateAPIKeyParams) { if (!this.license.isEnabled()) { return null; } @@ -200,7 +201,7 @@ export class APIKeys { `Unable to grant an API Key, request does not contain an authorization header` ); } - const params = this.getGrantParams(authorizationHeader); + const params = this.getGrantParams(createParams, authorizationHeader); // User needs `manage_api_key` or `grant_api_key` privilege to use this API let result: GrantAPIKeyResult; @@ -281,9 +282,13 @@ export class APIKeys { return disabledFeature === 'api_keys'; } - private getGrantParams(authorizationHeader: HTTPAuthorizationHeader): GrantAPIKeyParams { + private getGrantParams( + createParams: CreateAPIKeyParams, + authorizationHeader: HTTPAuthorizationHeader + ): GrantAPIKeyParams { if (authorizationHeader.scheme.toLowerCase() === 'bearer') { return { + api_key: createParams, grant_type: 'access_token', access_token: authorizationHeader.credentials, }; @@ -294,6 +299,7 @@ export class APIKeys { authorizationHeader.credentials ); return { + api_key: createParams, grant_type: 'password', username: basicCredentials.username, password: basicCredentials.password, diff --git a/x-pack/plugins/security/server/authentication/index.test.ts b/x-pack/plugins/security/server/authentication/index.test.ts index e98539ce820ba1..de1fd7c2ce014b 100644 --- a/x-pack/plugins/security/server/authentication/index.test.ts +++ b/x-pack/plugins/security/server/authentication/index.test.ts @@ -419,7 +419,10 @@ describe('setupAuthentication()', () => { }); describe('grantAPIKeyAsInternalUser()', () => { - let grantAPIKeyAsInternalUser: (request: KibanaRequest) => Promise; + let grantAPIKeyAsInternalUser: ( + request: KibanaRequest, + params: CreateAPIKeyParams + ) => Promise; beforeEach(async () => { grantAPIKeyAsInternalUser = (await setupAuthentication(mockSetupAuthenticationParams)) .grantAPIKeyAsInternalUser; @@ -429,10 +432,13 @@ describe('setupAuthentication()', () => { const request = httpServerMock.createKibanaRequest(); const apiKeysInstance = jest.requireMock('./api_keys').APIKeys.mock.instances[0]; apiKeysInstance.grantAsInternalUser.mockResolvedValueOnce({ api_key: 'foo' }); - await expect(grantAPIKeyAsInternalUser(request)).resolves.toEqual({ + + const createParams = { name: 'test_key', role_descriptors: {} }; + + await expect(grantAPIKeyAsInternalUser(request, createParams)).resolves.toEqual({ api_key: 'foo', }); - expect(apiKeysInstance.grantAsInternalUser).toHaveBeenCalledWith(request); + expect(apiKeysInstance.grantAsInternalUser).toHaveBeenCalledWith(request, createParams); }); }); diff --git a/x-pack/plugins/security/server/authentication/index.ts b/x-pack/plugins/security/server/authentication/index.ts index 6d2b124c870cf9..25d4d5b5ee78fc 100644 --- a/x-pack/plugins/security/server/authentication/index.ts +++ b/x-pack/plugins/security/server/authentication/index.ts @@ -199,7 +199,8 @@ export async function setupAuthentication({ areAPIKeysEnabled: () => apiKeys.areAPIKeysEnabled(), createAPIKey: (request: KibanaRequest, params: CreateAPIKeyParams) => apiKeys.create(request, params), - grantAPIKeyAsInternalUser: (request: KibanaRequest) => apiKeys.grantAsInternalUser(request), + grantAPIKeyAsInternalUser: (request: KibanaRequest, params: CreateAPIKeyParams) => + apiKeys.grantAsInternalUser(request, params), invalidateAPIKey: (request: KibanaRequest, params: InvalidateAPIKeyParams) => apiKeys.invalidate(request, params), invalidateAPIKeyAsInternalUser: (params: InvalidateAPIKeyParams) =>