Security - Don't allow unauthorized users to login to Kibana

test/functional/page_objects/error_page.js

@@ -18,29 +18,28 @@
  */
 import expect from '@kbn/expect';
 
-export function ErrorPageProvider({ getPageObjects }) {
-  const PageObjects = getPageObjects(['common']);
+export function ErrorPageProvider({ getService }) {
+  const testSubjects = getService('testSubjects');
+  const retry = getService('retry');
 
   class ErrorPage {
     async expectForbidden() {
-      const messageText = await PageObjects.common.getBodyText();
-      expect(messageText).to.eql(
-        JSON.stringify({
-          statusCode: 403,
-          error: 'Forbidden',
-          message: 'Forbidden'
-        })
-      );
+      await retry.try(async () => {
+        const title = await testSubjects.getVisibleText('unavailable-unauthorized-title');
+        const message = await testSubjects.getVisibleText('unavailable-unauthorized-message');
+
+        expect(title).to.eql('No access to Kibana');
+        expect(message).to.eql('Your account does not have access to Kibana.');
+      });
     }
     async expectNotFound() {
-      const messageText = await PageObjects.common.getBodyText();
-      expect(messageText).to.eql(
-        JSON.stringify({
-          statusCode: 404,
-          error: 'Not Found',
-          message: 'Not Found',
-        })
-      );
+      await retry.try(async () => {
+        const title = await testSubjects.getVisibleText('unavailable-notFound-title');
+        const message = await testSubjects.getVisibleText('unavailable-notFound-message');
+
+        expect(title).to.eql('Not found');
+        expect(message).to.eql('Sorry, the requested resource was not found.');
+      });
     }
   }
 

x-pack/legacy/plugins/security/index.js

@@ -24,12 +24,14 @@ import {
   initAPIAuthorization,
   initAppAuthorization,
   registerPrivilegesWithCluster,
-  validateFeaturePrivileges
+  validateFeaturePrivileges,
+  isAuthorizedKibanaUser
 } from './server/lib/authorization';
 import { watchStatusAndLicenseToInitialize } from '../../server/lib/watch_status_and_license_to_initialize';
 import { SecureSavedObjectsClientWrapper } from './server/lib/saved_objects_client/secure_saved_objects_client_wrapper';
 import { deepFreeze } from './server/lib/deep_freeze';
 import { createOptionalPlugin } from '../../server/lib/optional_plugin';
+import { get } from 'lodash';
 import { KibanaRequest } from '../../../../src/core/server';
 
 export const security = (kibana) => new kibana.Plugin({
@@ -106,6 +108,16 @@ export const security = (kibana) => new kibana.Plugin({
         enableSpaceAwarePrivileges: server.config().get('xpack.spaces.enabled'),
       };
     },
+    replaceInjectedVars: async function (injectedVars, request, server) {
+      const { security } = server.plugins;
+
+      const userRoles = get(request, 'auth.credentials.roles', []);
+
+      return {
+        ...injectedVars,
+        canAccessKibana: await isAuthorizedKibanaUser(security.authorization, request, userRoles),
+      };
+    }
   },
 
   async postInit(server) {

x-pack/legacy/plugins/security/public/views/login/components/basic_login_form/basic_login_form.tsx

@@ -8,6 +8,7 @@ import { EuiButton, EuiCallOut, EuiFieldText, EuiFormRow, EuiPanel, EuiSpacer }
 import { FormattedMessage, InjectedIntl, injectI18n } from '@kbn/i18n/react';
 import React, { ChangeEvent, Component, FormEvent, Fragment, MouseEvent } from 'react';
 import { LoginState } from '../../../../../common/login_state';
+import { UnauthorizedLoginForm } from '../unauthorized_login_form';
 
 interface Props {
   http: any;
@@ -19,7 +20,7 @@ interface Props {
 }
 
 interface State {
-  hasError: boolean;
+  errorStatusCode: number | null;
   isLoading: boolean;
   username: string;
   password: string;
@@ -28,14 +29,17 @@ interface State {
 
 class BasicLoginFormUI extends Component<Props, State> {
   public state = {
-    hasError: false,
+    errorStatusCode: null,
     isLoading: false,
     username: '',
     password: '',
     message: '',
   };
 
   public render() {
+    if (this.state.errorStatusCode === 403) {
+      return <UnauthorizedLoginForm window={this.props.window} />;
+    }
     return (
       <Fragment>
         {this.renderMessage()}
@@ -192,7 +196,7 @@ class BasicLoginFormUI extends Component<Props, State> {
         }
 
         this.setState({
-          hasError: true,
+          errorStatusCode: statusCode,
           message,
           isLoading: false,
         });

x-pack/legacy/plugins/security/public/views/login/components/unauthorized_login_form/index.ts

@@ -0,0 +1,7 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export { UnauthorizedLoginForm } from './unauthorized_login_form';

x-pack/legacy/plugins/security/public/views/login/components/unauthorized_login_form/unauthorized_login_form.tsx

@@ -0,0 +1,49 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+import chrome from 'ui/chrome';
+import { EuiButton, EuiEmptyPrompt, EuiPanel } from '@elastic/eui';
+import { FormattedMessage, InjectedIntl, injectI18n } from '@kbn/i18n/react';
+import React from 'react';
+
+interface Props {
+  window: any;
+  intl: InjectedIntl;
+}
+
+export const UnauthorizedLoginForm = injectI18n((props: Props) => {
+  function handleLogoutClick() {
+    props.window.location = chrome.addBasePath('/logout');
+  }
+
+  return (
+    <EuiPanel data-test-subj="unauthorized-login-form">
+      <EuiEmptyPrompt
+        iconType="lock"
+        title={
+          <h2>
+            <FormattedMessage
+              id="xpack.security.login.unauthorizedLoginForm.noAccessTitle"
+              defaultMessage="No access to Kibana"
+            />
+          </h2>
+        }
+        body={
+          <p>
+            <FormattedMessage
+              id="xpack.security.login.unauthorizedLoginForm.noAccessMessage"
+              defaultMessage="Your account does not allow access to Kibana. Please contact your administrator."
+            />
+          </p>
+        }
+        actions={
+          <EuiButton color="primary" fill onClick={handleLogoutClick}>
+            Logout
+          </EuiButton>
+        }
+      />
+    </EuiPanel>
+  );
+});

x-pack/legacy/plugins/security/server/lib/__tests__/__fixtures__/server.ts

@@ -37,6 +37,9 @@ export function serverFixture() {
         getUser: stub(),
         authenticate: stub(),
         deauthenticate: stub(),
+        authorization: {
+          mode: { useRbacForRequest: () => true },
+        },
       },
 
       xpack_main: {

x-pack/legacy/plugins/security/server/lib/authorization/get_privileges_with_request.ts

@@ -0,0 +1,28 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { Legacy } from 'kibana';
+import { transformKibanaApplicationsFromEs } from './transform_kibana_applications_from_es';
+import { TransformApplicationsFromEsResponse } from './types';
+
+export type GetPrivilegesWithRequest = (
+  request: Legacy.Request
+) => Promise<TransformApplicationsFromEsResponse>;
+
+export function getPrivilegesWithRequestFactory(
+  application: string,
+  shieldClient: any
+): GetPrivilegesWithRequest {
+  const { callWithRequest } = shieldClient;
+
+  return async function getPrivilegesWithRequest(
+    request: Legacy.Request
+  ): Promise<TransformApplicationsFromEsResponse> {
+    const userPrivilegesResponse = await callWithRequest(request, 'shield.userPrivileges');
+
+    return transformKibanaApplicationsFromEs(application, userPrivilegesResponse.applications);
+  };
+}

x-pack/legacy/plugins/security/server/lib/authorization/index.ts

@@ -14,3 +14,5 @@ export { PrivilegeSerializer } from './privilege_serializer';
 export { registerPrivilegesWithCluster } from './register_privileges_with_cluster';
 export { ResourceSerializer } from './resource_serializer';
 export { validateFeaturePrivileges } from './validate_feature_privileges';
+export { transformKibanaApplicationsFromEs } from './transform_kibana_applications_from_es';
+export { isAuthorizedKibanaUser } from './is_authorized_kibana_user';

x-pack/legacy/plugins/security/server/lib/authorization/is_authorized_kibana_user.test.ts

@@ -0,0 +1,156 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { Legacy } from 'kibana';
+import { AuthorizationService } from './service';
+import { isAuthorizedKibanaUser } from './is_authorized_kibana_user';
+import { TransformApplicationsFromEsResponse } from './types';
+
+function buildAuthorizationService(
+  privilegesResponse: TransformApplicationsFromEsResponse = { success: true, value: [] }
+) {
+  return ({
+    application: 'kibana-.kibana',
+    getPrivilegesWithRequest: jest.fn().mockResolvedValue(privilegesResponse),
+    mode: {
+      useRbacForRequest: jest.fn().mockReturnValue(true),
+    },
+    privileges: {
+      get: () => ({
+        global: {
+          all: ['actions'],
+          read: ['actions'],
+        },
+        space: {
+          all: ['actions'],
+          read: ['actions'],
+        },
+        features: {
+          feature1: {
+            all: ['actions'],
+          },
+        },
+        reserved: {
+          reserved_feature_1: ['actions'],
+        },
+      }),
+    },
+  } as unknown) as AuthorizationService;
+}
+
+function buildRequest(): Legacy.Request {
+  const request: Legacy.Request = ({
+    headers: { authorization: 'Basic: somegarbage' },
+  } as unknown) as Legacy.Request;
+
+  return request;
+}
+
+describe('isAuthorizedKibanaUser', () => {
+  it('returns true for superusers', async () => {
+    const request = buildRequest();
+    const authService = buildAuthorizationService();
+
+    await expect(isAuthorizedKibanaUser(authService, request, ['superuser'])).resolves.toEqual(
+      true
+    );
+  });
+
+  it('returns false for users with no privileges', async () => {
+    const request = buildRequest();
+    const authService = buildAuthorizationService();
+
+    await expect(isAuthorizedKibanaUser(authService, request)).resolves.toEqual(false);
+  });
+
+  it('returns false for users with only reserved privileges', async () => {
+    const request = buildRequest();
+    const authService = buildAuthorizationService({
+      success: true,
+      value: [
+        {
+          base: [],
+          feature: {},
+          _reserved: ['foo'],
+          spaces: ['*'],
+        },
+      ],
+    });
+
+    await expect(isAuthorizedKibanaUser(authService, request)).resolves.toEqual(false);
+  });
+
+  it('returns true for users with a base privilege', async () => {
+    const request = buildRequest();
+    const authService = buildAuthorizationService({
+      success: true,
+      value: [
+        {
+          base: ['all'],
+          feature: {},
+          spaces: ['*'],
+        },
+      ],
+    });
+
+    await expect(isAuthorizedKibanaUser(authService, request)).resolves.toEqual(true);
+  });
+
+  it('returns true for users with a feature privilege', async () => {
+    const request = buildRequest();
+    const authService = buildAuthorizationService({
+      success: true,
+      value: [
+        {
+          base: [],
+          feature: {
+            feature1: ['all'],
+          },
+          spaces: ['*'],
+        },
+      ],
+    });
+
+    await expect(isAuthorizedKibanaUser(authService, request)).resolves.toEqual(true);
+  });
+
+  it('returns true for users with both reserved and non-reserved privileges', async () => {
+    const request = buildRequest();
+    const authService = buildAuthorizationService({
+      success: true,
+      value: [
+        {
+          base: [],
+          feature: {
+            feature1: ['all'],
+          },
+          _reserved: ['foo'],
+          spaces: ['*'],
+        },
+      ],
+    });
+
+    await expect(isAuthorizedKibanaUser(authService, request)).resolves.toEqual(true);
+  });
+
+  it('returns false for users with unknown privileges', async () => {
+    const request = buildRequest();
+    const authService = buildAuthorizationService({
+      success: true,
+      value: [
+        {
+          base: [],
+          feature: {
+            feature1: ['unknown'],
+          },
+          spaces: ['*'],
+        },
+      ],
+    });
+
+    await expect(isAuthorizedKibanaUser(authService, request)).resolves.toEqual(false);
+  });
+});