Security - remove auth scope provider

x-pack/plugins/dashboard_mode/index.js

@@ -11,7 +11,6 @@ import {
 } from './common';
 
 import {
-  getDashboardModeAuthScope,
   createDashboardModeRequestInterceptor,
 } from './server';
 
@@ -80,9 +79,6 @@ export function dashboardMode(kibana) {
       ));
 
       if (server.plugins.security) {
-        // register auth getter with security plugin
-        server.plugins.security.registerAuthScopeGetter(getDashboardModeAuthScope);
-
         // extend the server to intercept requests
         const dashboardViewerApp = server.getHiddenUiAppById('dashboardViewer');
         server.ext(createDashboardModeRequestInterceptor(dashboardViewerApp));

x-pack/plugins/dashboard_mode/server/__tests__/dashboard_mode_request_interceptor.js

@@ -6,27 +6,24 @@
 
 import expect from '@kbn/expect';
 import Hapi from 'hapi';
-import Chance from 'chance';
 
 import { createDashboardModeRequestInterceptor } from '../dashboard_mode_request_interceptor';
-import * as constantsNS from '../../common/constants';
 
-const chance = new Chance();
+const DASHBOARD_ONLY_MODE_ROLE = 'test_dashboard_only_mode_role';
 
 function setup() {
-  // randomize AUTH_SCOPE_DASHBORD_ONLY_MODE "constant" to ensure it's being used everywhere
-  const authScope = chance.word({ length: 12 });
-  Object.defineProperty(constantsNS, 'AUTH_SCOPE_DASHBORD_ONLY_MODE', {
-    value: authScope,
-    configurable: true,
-  });
-
   const dashboardViewerApp = {
     name: 'dashboardViewerApp'
   };
 
   const server = new Hapi.Server();
 
+  server.decorate('request', 'getUiSettingsService', () => {
+    return {
+      get: () => Promise.resolve([DASHBOARD_ONLY_MODE_ROLE])
+    };
+  });
+
   // attach the extension
   server.ext(createDashboardModeRequestInterceptor(dashboardViewerApp));
 
@@ -53,7 +50,7 @@ function setup() {
     }
   });
 
-  return { server, authScope };
+  return { server };
 }
 
 describe('DashboardOnlyModeRequestInterceptor', () => {
@@ -72,7 +69,7 @@ describe('DashboardOnlyModeRequestInterceptor', () => {
         const response = await server.inject({
           url: '/app/kibana',
           credentials: {
-            scope: ['foo', 'bar']
+            roles: ['foo', 'bar']
           }
         });
 
@@ -91,7 +88,7 @@ describe('DashboardOnlyModeRequestInterceptor', () => {
         const response = await server.inject({
           url: '/foo/bar',
           credentials: {
-            scope: ['foo', 'bar']
+            roles: ['foo', 'bar']
           }
         });
 
@@ -108,11 +105,11 @@ describe('DashboardOnlyModeRequestInterceptor', () => {
   describe('request has correct auth scope scope', () => {
     describe('non-kibana app route', () => {
       it('responds with 404', async () => {
-        const { server, authScope } = setup();
+        const { server } = setup();
         const response = await server.inject({
           url: '/app/foo',
           credentials: {
-            scope: [authScope]
+            roles: [DASHBOARD_ONLY_MODE_ROLE]
           }
         });
 
@@ -124,11 +121,11 @@ describe('DashboardOnlyModeRequestInterceptor', () => {
     function testRendersDashboardViewerApp(url) {
       describe(`requests to url:"${url}"`, () => {
         it('renders the dashboardViewerApp instead', async () => {
-          const { server, authScope } = setup();
+          const { server } = setup();
           const response = await server.inject({
             url: '/app/kibana',
             credentials: {
-              scope: [authScope]
+              roles: [DASHBOARD_ONLY_MODE_ROLE]
             }
           });
 

x-pack/plugins/dashboard_mode/server/dashboard_mode_request_interceptor.js

@@ -7,9 +7,11 @@
 import Boom from 'boom';
 
 import {
-  AUTH_SCOPE_DASHBORD_ONLY_MODE
+  CONFIG_DASHBOARD_ONLY_MODE_ROLES,
 } from '../common';
 
+const superuserRole = 'superuser';
+
 /**
  *  Intercept all requests after auth has completed and apply filtering
  *  logic to enforce `xpack:dashboardMode` scope
@@ -27,7 +29,25 @@ export function createDashboardModeRequestInterceptor(dashboardViewerApp) {
       const { auth, url } = request;
       const isAppRequest = url.path.startsWith('/app/');
 
-      if (isAppRequest && auth.credentials.scope && auth.credentials.scope.includes(AUTH_SCOPE_DASHBORD_ONLY_MODE)) {
+      if (!isAppRequest) {
+        return h.continue;
+      }
+
+      const user = auth.credentials;
+
+      const uiSettings = request.getUiSettingsService();
+
+      const dashboardOnlyModeRoles = await uiSettings.get(CONFIG_DASHBOARD_ONLY_MODE_ROLES);
+
+      if (!dashboardOnlyModeRoles || user.roles.length === 0) {
+        return;
+      }
+
+      const isDashboardOnlyModeUser = user.roles.find(role => dashboardOnlyModeRoles.includes(role));
+      const isSuperUser = user.roles.find(role => role === superuserRole);
+
+      const enforceDashboardOnlyMode = isDashboardOnlyModeUser && !isSuperUser;
+      if (enforceDashboardOnlyMode) {
         if (url.path.startsWith('/app/kibana')) {
           // If the user is in "Dashboard only mode" they should only be allowed to see
           // that app and none others.  Here we are intercepting all other routing and ensuring the viewer

x-pack/plugins/dashboard_mode/server/index.js

@@ -4,5 +4,4 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export { getDashboardModeAuthScope } from './dashboard_mode_auth_scope';
 export { createDashboardModeRequestInterceptor } from './dashboard_mode_request_interceptor';