/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import nodeCrypto from '@elastic/node-crypto';
import type { CoreSetup, Logger, Plugin, PluginInitializerContext } from 'src/core/server';
import type { SecurityPluginSetup } from '../../security/server';
import { EncryptedSavedObjectsAuditLogger } from './audit';
import type { ConfigType } from './config';
import type { CreateEncryptedSavedObjectsMigrationFn } from './create_migration';
import { getCreateMigration } from './create_migration';
import type { EncryptedSavedObjectTypeRegistration } from './crypto';
import {
EncryptedSavedObjectsService,
EncryptionError,
EncryptionKeyRotationService,
} from './crypto';
import { defineRoutes } from './routes';
import type { ClientInstanciator } from './saved_objects';
import { setupSavedObjects } from './saved_objects';
/**
 * Setup contracts of the plugins this plugin optionally depends on.
 */
export interface PluginsSetup {
  /**
   * Absent when the security plugin is not available. In that case `setup()` obtains no
   * underlying audit logger and forwards `undefined` as `security` to the saved-objects
   * setup and to the key-rotation service.
   */
  security?: SecurityPluginSetup;
}
/**
 * Contract returned from `setup()` to dependent plugins.
 */
export interface EncryptedSavedObjectsPluginSetup {
  /**
   * Indicates if Saved Object encryption is possible. Requires an encryption key to be explicitly set via `xpack.encryptedSavedObjects.encryptionKey`.
   * Consumers should check this before relying on encrypted attributes being protected at rest.
   */
  canEncrypt: boolean;
  /**
   * Registers a saved-object type with the plugin-wide encryption service
   * (delegates to `EncryptedSavedObjectsService.registerType`).
   */
  registerType: (typeRegistration: EncryptedSavedObjectTypeRegistration) => void;
  /**
   * Builds a saved-object migration for an encrypted type. Produced by `getCreateMigration`;
   * each migration is given its own service instance with only the migrated type registered,
   * presumably so the migration does not depend on the global registry state at run time.
   */
  createMigration: CreateEncryptedSavedObjectsMigrationFn;
}
/**
 * Contract returned from `start()` to dependent plugins.
 */
export interface EncryptedSavedObjectsPluginStart {
  /** `true` if `error` is an `EncryptionError` from this plugin's `./crypto` module. */
  isEncryptionError: (error: Error) => boolean;
  /** Factory for the encrypted saved-objects client wired up in `setup()`. */
  getClient: ClientInstanciator;
}
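/**
 * Represents EncryptedSavedObjects Plugin instance that will be managed by the Kibana plugin system.
 *
 * `setup` turns the configured key material into an `EncryptedSavedObjectsService`, installs the
 * saved-objects wrapper and the key-rotation HTTP routes; `start` exposes the client factory and
 * an error predicate to other plugins.
 */
export class EncryptedSavedObjectsPlugin
  implements
    Plugin<EncryptedSavedObjectsPluginSetup, EncryptedSavedObjectsPluginStart, PluginsSetup> {
  private readonly logger: Logger;
  // Assigned in `setup()`. The definite-assignment assertion relies on the plugin system
  // calling `setup` before `start`; `getClient` would throw a TypeError otherwise.
  private savedObjectsSetup!: ClientInstanciator;

  constructor(private readonly initializerContext: PluginInitializerContext) {
    this.logger = this.initializerContext.logger.get();
  }

  /**
   * Builds the encryption service and everything that depends on it.
   *
   * @param core - Kibana core setup contract (saved objects, HTTP router, start services).
   * @param deps - Setup contracts of optional dependencies; `security` may be absent.
   * @returns The setup contract exposed to dependent plugins.
   */
  public setup(core: CoreSetup, deps: PluginsSetup): EncryptedSavedObjectsPluginSetup {
    const config = this.initializerContext.config.get<ConfigType>();

    // A primary crypto exists only for a non-empty key. `canEncrypt` is derived from that
    // instance instead of from a second, differently-phrased check on the config value, so the
    // two can never disagree: an empty-string key must not advertise encryption as possible
    // while no primary crypto exists. The config schema is expected to reject empty or short
    // keys upstream (not visible here); this keeps the contract honest regardless.
    const primaryCrypto = config.encryptionKey
      ? nodeCrypto({ encryptionKey: config.encryptionKey })
      : undefined;
    const canEncrypt = primaryCrypto !== undefined;
    if (!canEncrypt) {
      this.logger.warn(
        'Saved objects encryption key is not set. This will severely limit Kibana functionality. ' +
          'Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.'
      );
    }

    // Previous keys are wrapped as decryption-only cryptos so objects encrypted under an older
    // key stay readable; re-encryption under the primary key is presumably the job of the
    // `EncryptionKeyRotationService` registered below.
    const decryptionOnlyCryptos = config.keyRotation.decryptionOnlyKeys.map((decryptionKey) =>
      nodeCrypto({ encryptionKey: decryptionKey })
    );

    // Without the security plugin there is no underlying audit logger; the wrapper is
    // constructed either way.
    const auditLogger = new EncryptedSavedObjectsAuditLogger(
      deps.security?.audit.getLogger('encryptedSavedObjects')
    );

    // Single factory for every service instance, so the plugin-wide service and each
    // per-migration service share exactly the same key material, logger and audit sink.
    const createService = () =>
      new EncryptedSavedObjectsService({
        primaryCrypto,
        decryptionOnlyCryptos,
        logger: this.logger,
        audit: auditLogger,
      });

    // Shallow freeze: protects the service object's own properties, not the type registry it
    // mutates through `registerType` (which is still invoked on this instance below).
    const service = Object.freeze(createService());

    this.savedObjectsSetup = setupSavedObjects({
      service,
      savedObjects: core.savedObjects,
      security: deps.security,
      getStartServices: core.getStartServices,
    });

    defineRoutes({
      router: core.http.createRouter(),
      logger: this.initializerContext.logger.get('routes'),
      encryptionKeyRotationService: Object.freeze(
        new EncryptionKeyRotationService({
          logger: this.logger.get('key-rotation-service'),
          service,
          getStartServices: core.getStartServices,
          security: deps.security,
        })
      ),
      config,
    });

    return {
      canEncrypt,
      registerType: (typeRegistration: EncryptedSavedObjectTypeRegistration) =>
        service.registerType(typeRegistration),
      // Each migration gets its own (unfrozen) service that knows only the migrated type,
      // presumably so the migration's view of the registration is independent of whatever is
      // registered globally when it runs.
      createMigration: getCreateMigration(
        service,
        (typeRegistration: EncryptedSavedObjectTypeRegistration) => {
          const serviceForMigration = createService();
          serviceForMigration.registerType(typeRegistration);
          return serviceForMigration;
        }
      ),
    };
  }

  /**
   * Exposes the client factory prepared in `setup()` and a predicate for this plugin's
   * `EncryptionError`.
   */
  public start() {
    this.logger.debug('Starting plugin');
    return {
      isEncryptionError: (error: Error) => error instanceof EncryptionError,
      getClient: (options = {}) => this.savedObjectsSetup(options),
    };
  }

  /** Nothing to tear down; key material lives inside the crypto instances and is not cleared here. */
  public stop() {
    this.logger.debug('Stopping plugin');
  }
}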