Restrict access to hapi Request in registerAuth (#38763)

* Prevent exposing Hapi.Request to registerAuth.

Prevent exposing headers.authorization in KibanaRequest.
Introduce a mechanism to associate authorization headers with an
incoming request and retrieve its value to perform a request to
elasticsearch cluster.

* fix tests

* address @joshdover comments

docs/development/core/server/kibana-plugin-server.authenticationhandler.md

@@ -8,5 +8,5 @@
 <b>Signature:</b>
 
 ```typescript
-export declare type AuthenticationHandler = (request: Readonly<Request>, t: AuthToolkit) => AuthResult | Promise<AuthResult>;
+export declare type AuthenticationHandler = (request: KibanaRequest, t: AuthToolkit) => AuthResult | Promise<AuthResult>;
 ```

docs/development/core/server/kibana-plugin-server.authheaders.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [AuthHeaders](./kibana-plugin-server.authheaders.md)
+
+## AuthHeaders type
+
+Auth Headers map
+
+<b>Signature:</b>
+
+```typescript
+export declare type AuthHeaders = Record<string, string>;
+```

docs/development/core/server/kibana-plugin-server.authresultdata.headers.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [AuthResultData](./kibana-plugin-server.authresultdata.md) &gt; [headers](./kibana-plugin-server.authresultdata.headers.md)
+
+## AuthResultData.headers property
+
+Auth specific headers to authenticate a user against Elasticsearch.
+
+<b>Signature:</b>
+
+```typescript
+headers: AuthHeaders;
+```

docs/development/core/server/kibana-plugin-server.authresultdata.md

@@ -0,0 +1,21 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [AuthResultData](./kibana-plugin-server.authresultdata.md)
+
+## AuthResultData interface
+
+Result of an incoming request authentication.
+
+<b>Signature:</b>
+
+```typescript
+export interface AuthResultData 
+```
+
+## Properties
+
+|  Property | Type | Description |
+|  --- | --- | --- |
+|  [headers](./kibana-plugin-server.authresultdata.headers.md) | <code>AuthHeaders</code> | Auth specific headers to authenticate a user against Elasticsearch. |
+|  [state](./kibana-plugin-server.authresultdata.state.md) | <code>Record&lt;string, unknown&gt;</code> | Data to associate with an incoming request. Any downstream plugin may get access to the data. |
+

docs/development/core/server/kibana-plugin-server.authresultdata.state.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [AuthResultData](./kibana-plugin-server.authresultdata.md) &gt; [state](./kibana-plugin-server.authresultdata.state.md)
+
+## AuthResultData.state property
+
+Data to associate with an incoming request. Any downstream plugin may get access to the data.
+
+<b>Signature:</b>
+
+```typescript
+state: Record<string, unknown>;
+```

docs/development/core/server/kibana-plugin-server.authtoolkit.authenticated.md

@@ -9,5 +9,5 @@ Authentication is successful with given credentials, allow request to pass throu
 <b>Signature:</b>
 
 ```typescript
-authenticated: (state?: object) => AuthResult;
+authenticated: (data?: Partial<AuthResultData>) => AuthResult;
 ```

docs/development/core/server/kibana-plugin-server.authtoolkit.md

@@ -16,7 +16,7 @@ export interface AuthToolkit
 
 |  Property | Type | Description |
 |  --- | --- | --- |
-|  [authenticated](./kibana-plugin-server.authtoolkit.authenticated.md) | <code>(state?: object) =&gt; AuthResult</code> | Authentication is successful with given credentials, allow request to pass through |
+|  [authenticated](./kibana-plugin-server.authtoolkit.authenticated.md) | <code>(data?: Partial&lt;AuthResultData&gt;) =&gt; AuthResult</code> | Authentication is successful with given credentials, allow request to pass through |
 |  [redirected](./kibana-plugin-server.authtoolkit.redirected.md) | <code>(url: string) =&gt; AuthResult</code> | Authentication requires to interrupt request handling and redirect to a configured url |
 |  [rejected](./kibana-plugin-server.authtoolkit.rejected.md) | <code>(error: Error, options?: {</code><br/><code>        statusCode?: number;</code><br/><code>    }) =&gt; AuthResult</code> | Authentication is unsuccessful, fail the request with specified error. |
 

docs/development/core/server/kibana-plugin-server.clusterclient.(constructor).md

@@ -9,7 +9,7 @@ Constructs a new instance of the `ClusterClient` class
 <b>Signature:</b>
 
 ```typescript
-constructor(config: ElasticsearchClientConfig, log: Logger);
+constructor(config: ElasticsearchClientConfig, log: Logger, getAuthHeaders?: GetAuthHeaders);
 ```
 
 ## Parameters
@@ -18,4 +18,5 @@ constructor(config: ElasticsearchClientConfig, log: Logger);
 |  --- | --- | --- |
 |  config | <code>ElasticsearchClientConfig</code> |  |
 |  log | <code>Logger</code> |  |
+|  getAuthHeaders | <code>GetAuthHeaders</code> |  |
 

docs/development/core/server/kibana-plugin-server.clusterclient.asscoped.md

@@ -9,16 +9,14 @@ Creates an instance of `ScopedClusterClient` based on the configuration the curr
 <b>Signature:</b>
 
 ```typescript
-asScoped(req?: {
-        headers?: Headers;
-    }): ScopedClusterClient;
+asScoped(request?: KibanaRequest | LegacyRequest | FakeRequest): ScopedClusterClient;
 ```
 
 ## Parameters
 
 |  Parameter | Type | Description |
 |  --- | --- | --- |
-|  req | <code>{</code><br/><code>        headers?: Headers;</code><br/><code>    }</code> | Request the <code>ScopedClusterClient</code> instance will be scoped to. |
+|  request | <code>KibanaRequest &#124; LegacyRequest &#124; FakeRequest</code> | Request the <code>ScopedClusterClient</code> instance will be scoped to. Supports request optionality, Legacy.Request &amp; FakeRequest for BWC with LegacyPlatform |
 
 <b>Returns:</b>
 

docs/development/core/server/kibana-plugin-server.clusterclient.md

@@ -16,7 +16,7 @@ export declare class ClusterClient
 
 |  Constructor | Modifiers | Description |
 |  --- | --- | --- |
-|  [(constructor)(config, log)](./kibana-plugin-server.clusterclient.(constructor).md) |  | Constructs a new instance of the <code>ClusterClient</code> class |
+|  [(constructor)(config, log, getAuthHeaders)](./kibana-plugin-server.clusterclient.(constructor).md) |  | Constructs a new instance of the <code>ClusterClient</code> class |
 
 ## Properties
 
@@ -28,6 +28,6 @@ export declare class ClusterClient
 
 |  Method | Modifiers | Description |
 |  --- | --- | --- |
-|  [asScoped(req)](./kibana-plugin-server.clusterclient.asscoped.md) |  | Creates an instance of <code>ScopedClusterClient</code> based on the configuration the current cluster client that exposes additional <code>callAsCurrentUser</code> method scoped to the provided req. Consumers shouldn't worry about closing scoped client instances, these will be automatically closed as soon as the original cluster client isn't needed anymore and closed. |
+|  [asScoped(request)](./kibana-plugin-server.clusterclient.asscoped.md) |  | Creates an instance of <code>ScopedClusterClient</code> based on the configuration the current cluster client that exposes additional <code>callAsCurrentUser</code> method scoped to the provided req. Consumers shouldn't worry about closing scoped client instances, these will be automatically closed as soon as the original cluster client isn't needed anymore and closed. |
 |  [close()](./kibana-plugin-server.clusterclient.close.md) |  | Closes the cluster client. After that client cannot be used and one should create a new client instance to be able to interact with Elasticsearch API. |
 

docs/development/core/server/kibana-plugin-server.fakerequest.headers.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [FakeRequest](./kibana-plugin-server.fakerequest.md) &gt; [headers](./kibana-plugin-server.fakerequest.headers.md)
+
+## FakeRequest.headers property
+
+Headers used for authentication against Elasticsearch
+
+<b>Signature:</b>
+
+```typescript
+headers: Record<string, string>;
+```

docs/development/core/server/kibana-plugin-server.fakerequest.md

@@ -0,0 +1,20 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [FakeRequest](./kibana-plugin-server.fakerequest.md)
+
+## FakeRequest interface
+
+Fake request object created manually by Kibana plugins.
+
+<b>Signature:</b>
+
+```typescript
+export interface FakeRequest 
+```
+
+## Properties
+
+|  Property | Type | Description |
+|  --- | --- | --- |
+|  [headers](./kibana-plugin-server.fakerequest.headers.md) | <code>Record&lt;string, string&gt;</code> | Headers used for authentication against Elasticsearch |
+

docs/development/core/server/kibana-plugin-server.getauthheaders.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [GetAuthHeaders](./kibana-plugin-server.getauthheaders.md)
+
+## GetAuthHeaders type
+
+Get headers to authenticate a user against Elasticsearch.
+
+<b>Signature:</b>
+
+```typescript
+export declare type GetAuthHeaders = (request: KibanaRequest | Request) => AuthHeaders | undefined;
+```

docs/development/core/server/kibana-plugin-server.kibanarequest.(constructor).md

@@ -9,7 +9,7 @@ Constructs a new instance of the `KibanaRequest` class
 <b>Signature:</b>
 
 ```typescript
-constructor(request: Request, params: Params, query: Query, body: Body);
+constructor(request: Request, params: Params, query: Query, body: Body, withoutSecretHeaders: boolean);
 ```
 
 ## Parameters
@@ -20,4 +20,5 @@ constructor(request: Request, params: Params, query: Query, body: Body);
 |  params | <code>Params</code> |  |
 |  query | <code>Query</code> |  |
 |  body | <code>Body</code> |  |
+|  withoutSecretHeaders | <code>boolean</code> |  |
 

docs/development/core/server/kibana-plugin-server.kibanarequest.md

@@ -16,14 +16,13 @@ export declare class KibanaRequest<Params = unknown, Query = unknown, Body = unk
 
 |  Constructor | Modifiers | Description |
 |  --- | --- | --- |
-|  [(constructor)(request, params, query, body)](./kibana-plugin-server.kibanarequest.(constructor).md) |  | Constructs a new instance of the <code>KibanaRequest</code> class |
+|  [(constructor)(request, params, query, body, withoutSecretHeaders)](./kibana-plugin-server.kibanarequest.(constructor).md) |  | Constructs a new instance of the <code>KibanaRequest</code> class |
 
 ## Properties
 
 |  Property | Modifiers | Type | Description |
 |  --- | --- | --- | --- |
 |  [body](./kibana-plugin-server.kibanarequest.body.md) |  | <code>Body</code> |  |
-|  [headers](./kibana-plugin-server.kibanarequest.headers.md) |  | <code>Headers</code> |  |
 |  [params](./kibana-plugin-server.kibanarequest.params.md) |  | <code>Params</code> |  |
 |  [query](./kibana-plugin-server.kibanarequest.query.md) |  | <code>Query</code> |  |
 |  [route](./kibana-plugin-server.kibanarequest.route.md) |  | <code>RecursiveReadonly&lt;KibanaRequestRoute&gt;</code> |  |

docs/development/core/server/kibana-plugin-server.legacyrequest.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-server](./kibana-plugin-server.md) &gt; [LegacyRequest](./kibana-plugin-server.legacyrequest.md)
+
+## LegacyRequest type
+
+Support Legacy platform request for the period of migration.
+
+<b>Signature:</b>
+
+```typescript
+export declare type LegacyRequest = Request;
+```

docs/development/core/server/kibana-plugin-server.md

@@ -23,12 +23,14 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
 
 |  Interface | Description |
 |  --- | --- |
+|  [AuthResultData](./kibana-plugin-server.authresultdata.md) | Result of an incoming request authentication. |
 |  [AuthToolkit](./kibana-plugin-server.authtoolkit.md) | A tool set defining an outcome of Auth interceptor for incoming request. |
 |  [CallAPIOptions](./kibana-plugin-server.callapioptions.md) | The set of options that defines how API call should be made and result be processed. |
 |  [CoreSetup](./kibana-plugin-server.coresetup.md) | Context passed to the plugins <code>setup</code> method. |
 |  [CoreStart](./kibana-plugin-server.corestart.md) | Context passed to the plugins <code>start</code> method. |
 |  [DiscoveredPlugin](./kibana-plugin-server.discoveredplugin.md) | Small container object used to expose information about discovered plugins that may or may not have been started. |
 |  [ElasticsearchServiceSetup](./kibana-plugin-server.elasticsearchservicesetup.md) |  |
+|  [FakeRequest](./kibana-plugin-server.fakerequest.md) | Fake request object created manually by Kibana plugins. |
 |  [HttpServiceSetup](./kibana-plugin-server.httpservicesetup.md) |  |
 |  [HttpServiceStart](./kibana-plugin-server.httpservicestart.md) |  |
 |  [InternalCoreStart](./kibana-plugin-server.internalcorestart.md) |  |
@@ -52,8 +54,11 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
 |  --- | --- |
 |  [APICaller](./kibana-plugin-server.apicaller.md) |  |
 |  [AuthenticationHandler](./kibana-plugin-server.authenticationhandler.md) |  |
+|  [AuthHeaders](./kibana-plugin-server.authheaders.md) | Auth Headers map |
 |  [ElasticsearchClientConfig](./kibana-plugin-server.elasticsearchclientconfig.md) |  |
+|  [GetAuthHeaders](./kibana-plugin-server.getauthheaders.md) | Get headers to authenticate a user against Elasticsearch. |
 |  [Headers](./kibana-plugin-server.headers.md) |  |
+|  [LegacyRequest](./kibana-plugin-server.legacyrequest.md) | Support Legacy platform request for the period of migration. |
 |  [OnPostAuthHandler](./kibana-plugin-server.onpostauthhandler.md) |  |
 |  [OnPreAuthHandler](./kibana-plugin-server.onpreauthhandler.md) |  |
 |  [PluginInitializer](./kibana-plugin-server.plugininitializer.md) | The <code>plugin</code> export at the root of a plugin's <code>server</code> directory should conform to this interface. |

docs/development/core/server/kibana-plugin-server.sessionstoragefactory.asscoped.md

@@ -7,5 +7,5 @@
 <b>Signature:</b>
 
 ```typescript
-asScoped: (request: Readonly<Request> | KibanaRequest) => SessionStorage<T>;
+asScoped: (request: KibanaRequest) => SessionStorage<T>;
 ```

docs/development/core/server/kibana-plugin-server.sessionstoragefactory.md

@@ -16,5 +16,5 @@ export interface SessionStorageFactory<T>
 
 |  Property | Type | Description |
 |  --- | --- | --- |
-|  [asScoped](./kibana-plugin-server.sessionstoragefactory.asscoped.md) | <code>(request: Readonly&lt;Request&gt; &#124; KibanaRequest) =&gt; SessionStorage&lt;T&gt;</code> |  |
+|  [asScoped](./kibana-plugin-server.sessionstoragefactory.asscoped.md) | <code>(request: KibanaRequest) =&gt; SessionStorage&lt;T&gt;</code> |  |