Skip to content

Commit

Permalink
[Search] add enterpriseSearch.appsDisabled config option (#203858)
Browse files Browse the repository at this point in the history
## Summary

Adding the enterpriseSearch.appsDisabled config option that will
manually disable both App Search and Workplace Search in the Kibana UI
when set to true. This will be used in environments where we never want
new users to start using products that are deprecated or EOL.

### Checklist

- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
  • Loading branch information
TattdCodeMonkey authored Dec 13, 2024
1 parent 0c9a0a9 commit a30c971
Show file tree
Hide file tree
Showing 6 changed files with 85 additions and 5 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,7 @@ kibana_vars=(
elasticsearch.username
enterpriseSearch.accessCheckTimeout
enterpriseSearch.accessCheckTimeoutWarning
enterpriseSearch.appsDisabled
enterpriseSearch.host
externalUrl.policy
i18n.locale
Expand Down
1 change: 1 addition & 0 deletions x-pack/plugins/enterprise_search/server/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ export const plugin = async (initializerContext: PluginInitializerContext) => {
export const configSchema = schema.object({
accessCheckTimeout: schema.number({ defaultValue: 5000 }),
accessCheckTimeoutWarning: schema.number({ defaultValue: 300 }),
appsDisabled: schema.boolean({ defaultValue: false }),
canDeployEntSearch: schema.boolean({ defaultValue: true }),
customHeaders: schema.maybe(schema.object({}, { unknowns: 'allow' })),
enabled: schema.boolean({ defaultValue: true }),
Expand Down
26 changes: 26 additions & 0 deletions x-pack/plugins/enterprise_search/server/lib/check_access.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,7 @@ describe('checkAccess', () => {
const mockDependencies = {
request: { auth: { isAuthenticated: true } },
config: {
appsDisabled: false,
canDeployEntSearch: true,
host: 'http://localhost:3002',
},
Expand Down Expand Up @@ -153,6 +154,31 @@ describe('checkAccess', () => {
});
});

it('should disables apps for superuser when config.appsDisabled set to true', async () => {
const security = {
...mockSecurity,
authz: {
mode: { useRbacForRequest: () => true },
checkPrivilegesWithRequest: () => ({
globally: () => ({
hasAllRequested: true,
}),
}),
actions: { ui: { get: () => {} } },
},
};
expect(
await checkAccess({
...mockDependencies,
config: { ...mockDependencies.config, appsDisabled: true },
security,
})
).toEqual({
hasAppSearchAccess: false,
hasWorkplaceSearchAccess: false,
});
});

it('falls back to assuming a non-superuser role if auth credentials are missing', async () => {
const security = {
authz: {
Expand Down
4 changes: 4 additions & 0 deletions x-pack/plugins/enterprise_search/server/lib/check_access.ts
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,10 @@ export const checkAccess = async ({
request,
log,
}: CheckAccess): Promise<ProductAccess> => {
if (config.appsDisabled) {
// When `appsDisabled` is used we explicitly disable App Search & Workplace Search in Kibana
return DENY_ALL_PLUGINS;
}
const isRbacEnabled = security.authz.mode.useRbacForRequest(request);

// If security has been disabled, always hide app search and workplace search
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@ describe('callEnterpriseSearchConfigAPI', () => {
accessCheckTimeoutWarning: 100,
hasNativeConnectors: true,
hasWebCrawler: true,
appsDisabled: false,
};
const mockRequest = {
headers: { authorization: '==someAuth' },
Expand Down Expand Up @@ -278,6 +279,45 @@ describe('callEnterpriseSearchConfigAPI', () => {
);
});

it('handles config.appsDisabled', async () => {
const mockedResponse = {
...mockResponse,
current_user: {
...mockResponse.current_user,
access: {
app_search: true,
workplace_search: true,
},
},
};
(fetch as unknown as jest.Mock).mockImplementationOnce((url: string) => {
expect(url).toEqual('http://localhost:3002/api/ent/v2/internal/client_config');
return Promise.resolve(new Response(JSON.stringify(mockedResponse)));
});

const dependencies = {
...mockDependencies,
config: {
...mockDependencies.config,
appsDisabled: true,
},
};

expect(await callEnterpriseSearchConfigAPI(dependencies)).toEqual({
...DEFAULT_INITIAL_APP_DATA,
kibanaVersion: '1.0.0',
access: {
hasAppSearchAccess: false,
hasWorkplaceSearchAccess: false,
},
features: {
hasNativeConnectors: true,
hasWebCrawler: true,
},
publicUrl: 'http://some.vanity.url',
});
});

describe('warnMismatchedVersions', () => {
it("logs a warning when Enterprise Search and Kibana's versions are not the same", () => {
warnMismatchedVersions('1.1.0', mockDependencies.log);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ import { kibanaPackageJson } from '@kbn/repo-info';
import { ConfigType } from '..';
import { isVersionMismatch } from '../../common/is_version_mismatch';
import { stripTrailingSlash } from '../../common/strip_slashes';
import { InitialAppData } from '../../common/types';
import { InitialAppData, ProductAccess } from '../../common/types';

import { entSearchHttpAgent } from './enterprise_search_http_agent';

Expand Down Expand Up @@ -97,13 +97,21 @@ export const callEnterpriseSearchConfigAPI = async ({

warnMismatchedVersions(data?.version?.number, log);

// When `appsDisabled` is used we explicitly disable App Search & Workplace Search in Kibana
const access: ProductAccess = config.appsDisabled
? {
hasAppSearchAccess: false,
hasWorkplaceSearchAccess: false,
}
: {
hasAppSearchAccess: !!data?.current_user?.access?.app_search,
hasWorkplaceSearchAccess: !!data?.current_user?.access?.workplace_search,
};

return {
enterpriseSearchVersion: data?.version?.number,
kibanaVersion: kibanaPackageJson.version,
access: {
hasAppSearchAccess: !!data?.current_user?.access?.app_search,
hasWorkplaceSearchAccess: !!data?.current_user?.access?.workplace_search,
},
access,
features: {
hasConnectors: config.hasConnectors,
hasDefaultIngestPipeline: config.hasDefaultIngestPipeline,
Expand Down

0 comments on commit a30c971

Please sign in to comment.