NP Security HTTP Interceptors

docs/development/core/public/kibana-plugin-public.httpservicebase.anonymouspaths.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-public](./kibana-plugin-public.md) &gt; [HttpServiceBase](./kibana-plugin-public.httpservicebase.md) &gt; [anonymousPaths](./kibana-plugin-public.httpservicebase.anonymouspaths.md)
+
+## HttpServiceBase.anonymousPaths property
+
+APIs for denoting certain paths for not requiring authentication
+
+<b>Signature:</b>
+
+```typescript
+anonymousPaths: IAnonymousPaths;
+```

docs/development/core/public/kibana-plugin-public.httpservicebase.md

@@ -15,6 +15,7 @@ export interface HttpServiceBase
 
 |  Property | Type | Description |
 |  --- | --- | --- |
+|  [anonymousPaths](./kibana-plugin-public.httpservicebase.anonymouspaths.md) | <code>IAnonymousPaths</code> | APIs for denoting certain paths for not requiring authentication |
 |  [basePath](./kibana-plugin-public.httpservicebase.basepath.md) | <code>IBasePath</code> | APIs for manipulating the basePath on URL segments. |
 |  [delete](./kibana-plugin-public.httpservicebase.delete.md) | <code>HttpHandler</code> | Makes an HTTP request with the DELETE method. See [HttpHandler](./kibana-plugin-public.httphandler.md) for options. |
 |  [fetch](./kibana-plugin-public.httpservicebase.fetch.md) | <code>HttpHandler</code> | Makes an HTTP request. Defaults to a GET request unless overriden. See [HttpHandler](./kibana-plugin-public.httphandler.md) for options. |

docs/development/core/public/kibana-plugin-public.ianonymouspaths.isanonymous.md

@@ -0,0 +1,24 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-public](./kibana-plugin-public.md) &gt; [IAnonymousPaths](./kibana-plugin-public.ianonymouspaths.md) &gt; [isAnonymous](./kibana-plugin-public.ianonymouspaths.isanonymous.md)
+
+## IAnonymousPaths.isAnonymous() method
+
+Determines whether the provided path doesn't require authentication
+
+<b>Signature:</b>
+
+```typescript
+isAnonymous(path: string): boolean;
+```
+
+## Parameters
+
+|  Parameter | Type | Description |
+|  --- | --- | --- |
+|  path | <code>string</code> |  |
+
+<b>Returns:</b>
+
+`boolean`
+

docs/development/core/public/kibana-plugin-public.ianonymouspaths.md

@@ -0,0 +1,21 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-public](./kibana-plugin-public.md) &gt; [IAnonymousPaths](./kibana-plugin-public.ianonymouspaths.md)
+
+## IAnonymousPaths interface
+
+APIs for denoting paths as not requiring authentication
+
+<b>Signature:</b>
+
+```typescript
+export interface IAnonymousPaths 
+```
+
+## Methods
+
+|  Method | Description |
+|  --- | --- |
+|  [isAnonymous(path)](./kibana-plugin-public.ianonymouspaths.isanonymous.md) | Determines whether the provided path doesn't require authentication |
+|  [register(path)](./kibana-plugin-public.ianonymouspaths.register.md) | Register <code>path</code> as not requiring authentication |
+

docs/development/core/public/kibana-plugin-public.ianonymouspaths.register.md

@@ -0,0 +1,24 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-public](./kibana-plugin-public.md) &gt; [IAnonymousPaths](./kibana-plugin-public.ianonymouspaths.md) &gt; [register](./kibana-plugin-public.ianonymouspaths.register.md)
+
+## IAnonymousPaths.register() method
+
+Register `path` as not requiring authentication
+
+<b>Signature:</b>
+
+```typescript
+register(path: string): void;
+```
+
+## Parameters
+
+|  Parameter | Type | Description |
+|  --- | --- | --- |
+|  path | <code>string</code> |  |
+
+<b>Returns:</b>
+
+`void`
+

docs/development/core/public/kibana-plugin-public.md

@@ -57,6 +57,7 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
 |  [HttpResponse](./kibana-plugin-public.httpresponse.md) |  |
 |  [HttpServiceBase](./kibana-plugin-public.httpservicebase.md) |  |
 |  [I18nStart](./kibana-plugin-public.i18nstart.md) | I18nStart.Context is required by any localizable React component from @<!-- -->kbn/i18n and @<!-- -->elastic/eui packages and is supposed to be used as the topmost component for any i18n-compatible React tree. |
+|  [IAnonymousPaths](./kibana-plugin-public.ianonymouspaths.md) | APIs for denoting paths as not requiring authentication |
 |  [IBasePath](./kibana-plugin-public.ibasepath.md) | APIs for manipulating the basePath on URL segments. |
 |  [IContextContainer](./kibana-plugin-public.icontextcontainer.md) | An object that handles registration of context providers and configuring handlers with context. |
 |  [IHttpFetchError](./kibana-plugin-public.ihttpfetcherror.md) |  |

src/core/public/http/anonymous_paths.test.ts

@@ -0,0 +1,81 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { AnonymousPaths } from './anonymous_paths';
+import { BasePath } from './base_path_service';
+
+describe('#register', () => {
+  it(`throws an error for paths that don't start with '/'`, () => {
+    const basePath = new BasePath('/foo');
+    const anonymousPaths = new AnonymousPaths(basePath);
+    expect(() => anonymousPaths.register('bar')).toThrowErrorMatchingInlineSnapshot(
+      `"\\"path\\" must start with \\"/\\""`
+    );
+  });
+
+  it(`allows paths that end with '/'`, () => {
+    const basePath = new BasePath('/foo');
+    const anonymousPaths = new AnonymousPaths(basePath);
+    anonymousPaths.register('/bar/');
+  });
+});
+
+describe('#isAnonymous', () => {
+  it('returns true for registered paths', () => {
+    const basePath = new BasePath('/foo');
+    const anonymousPaths = new AnonymousPaths(basePath);
+    anonymousPaths.register('/bar');
+    expect(anonymousPaths.isAnonymous('/foo/bar')).toBe(true);
+  });
+
+  it('returns true for paths registered with a trailing slash, but call "isAnonymous" with no trailing slash', () => {
+    const basePath = new BasePath('/foo');
+    const anonymousPaths = new AnonymousPaths(basePath);
+    anonymousPaths.register('/bar/');
+    expect(anonymousPaths.isAnonymous('/foo/bar')).toBe(true);
+  });
+
+  it('returns true for paths registered without a trailing slash, but call "isAnonymous" with a trailing slash', () => {
+    const basePath = new BasePath('/foo');
+    const anonymousPaths = new AnonymousPaths(basePath);
+    anonymousPaths.register('/bar');
+    expect(anonymousPaths.isAnonymous('/foo/bar/')).toBe(true);
+  });
+
+  it('returns true for paths whose capitalization is different', () => {
+    const basePath = new BasePath('/foo');
+    const anonymousPaths = new AnonymousPaths(basePath);
+    anonymousPaths.register('/BAR');
+    expect(anonymousPaths.isAnonymous('/foo/bar')).toBe(true);
+  });
+
+  it('returns false for other paths', () => {
+    const basePath = new BasePath('/foo');
+    const anonymousPaths = new AnonymousPaths(basePath);
+    anonymousPaths.register('/bar');
+    expect(anonymousPaths.isAnonymous('/foo/foo')).toBe(false);
+  });
+
+  it('returns false for sub-paths of registered paths', () => {
+    const basePath = new BasePath('/foo');
+    const anonymousPaths = new AnonymousPaths(basePath);
+    anonymousPaths.register('/bar');
+    expect(anonymousPaths.isAnonymous('/foo/bar/baz')).toBe(false);
+  });
+});

src/core/public/http/anonymous_paths.ts

@@ -0,0 +1,51 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { HttpSetup } from 'src/core/public';
+
+export class AnonymousPaths {
+  private paths: Set<string>;
+
+  constructor(private basePath: HttpSetup['basePath']) {
+    this.paths = new Set();
+  }
+
+  public isAnonymous(path: string): boolean {
+    const pathWithoutBasePath = this.basePath.remove(path);
+    return this.paths.has(this.normalizePath(pathWithoutBasePath));
+  }
+
+  public register(path: string) {
+    if (!path.startsWith('/')) {
+      throw new Error('"path" must start with "/"');
+    }
+
+    this.paths.add(this.normalizePath(path));
+  }
+
+  private normalizePath(path: string) {
+    const lowercased = path.toLowerCase();
+
+    if (lowercased.endsWith('/')) {
+      return lowercased.slice(0, lowercased.length - 1);
+    }
+
+    return lowercased;
+  }
+}

src/core/public/http/http_service.mock.ts

@@ -20,9 +20,11 @@
 import { HttpService } from './http_service';
 import { HttpSetup } from './types';
 import { BehaviorSubject } from 'rxjs';
+import { BasePath } from './base_path_service';
+import { AnonymousPaths } from './anonymous_paths';
 
 type ServiceSetupMockType = jest.Mocked<HttpSetup> & {
-  basePath: jest.Mocked<HttpSetup['basePath']>;
+  basePath: BasePath;
 };
 
 const createServiceMock = ({ basePath = '' } = {}): ServiceSetupMockType => ({
@@ -34,11 +36,8 @@ const createServiceMock = ({ basePath = '' } = {}): ServiceSetupMockType => ({
   patch: jest.fn(),
   delete: jest.fn(),
   options: jest.fn(),
-  basePath: {
-    get: jest.fn(() => basePath),
-    prepend: jest.fn(path => `${basePath}${path}`),
-    remove: jest.fn(),
-  },
+  basePath: new BasePath(basePath),
+  anonymousPaths: new AnonymousPaths(new BasePath(basePath)),
   addLoadingCount: jest.fn(),
   getLoadingCount$: jest.fn().mockReturnValue(new BehaviorSubject(0)),
   stop: jest.fn(),

src/core/public/http/http_setup.ts

@@ -36,6 +36,7 @@ import { HttpInterceptController } from './http_intercept_controller';
 import { HttpFetchError } from './http_fetch_error';
 import { HttpInterceptHaltError } from './http_intercept_halt_error';
 import { BasePath } from './base_path_service';
+import { AnonymousPaths } from './anonymous_paths';
 
 const JSON_CONTENT = /^(application\/(json|x-javascript)|text\/(x-)?javascript|x-json)(;.*)?$/;
 const NDJSON_CONTENT = /^(application\/ndjson)(;.*)?$/;
@@ -57,6 +58,7 @@ export const setup = (
   const interceptors = new Set<HttpInterceptor>();
   const kibanaVersion = injectedMetadata.getKibanaVersion();
   const basePath = new BasePath(injectedMetadata.getBasePath());
+  const anonymousPaths = new AnonymousPaths(basePath);
 
   function intercept(interceptor: HttpInterceptor) {
     interceptors.add(interceptor);
@@ -318,6 +320,7 @@ export const setup = (
   return {
     stop,
     basePath,
+    anonymousPaths,
     intercept,
     removeAllInterceptors,
     fetch,

src/core/public/http/types.ts

@@ -29,6 +29,11 @@ export interface HttpServiceBase {
    */
   basePath: IBasePath;
 
+  /**
+   * APIs for denoting certain paths for not requiring authentication
+   */
+  anonymousPaths: IAnonymousPaths;
+
   /**
    * Adds a new {@link HttpInterceptor} to the global HTTP client.
    * @param interceptor a {@link HttpInterceptor}
@@ -92,6 +97,21 @@ export interface IBasePath {
   remove: (url: string) => string;
 }
 
+/**
+ * APIs for denoting paths as not requiring authentication
+ */
+export interface IAnonymousPaths {
+  /**
+   * Determines whether the provided path doesn't require authentication. `path` should include the current basePath.
+   */
+  isAnonymous(path: string): boolean;
+
+  /**
+   * Register `path` as not requiring authentication. `path` should not include the current basePath.
+   */
+  register(path: string): void;
+}
+
 /**
  * See {@link HttpServiceBase}
  * @public

src/core/public/index.ts

@@ -110,6 +110,7 @@ export {
   HttpHandler,
   HttpBody,
   IBasePath,
+  IAnonymousPaths,
   IHttpInterceptController,
   IHttpFetchError,
   InterceptedHttpResponse,

src/core/public/mocks.ts

@@ -18,12 +18,12 @@
  */
 import { applicationServiceMock } from './application/application_service.mock';
 import { chromeServiceMock } from './chrome/chrome_service.mock';
-import { CoreContext, CoreSetup, CoreStart, PluginInitializerContext } from '.';
+import { CoreContext, CoreSetup, CoreStart, PluginInitializerContext, NotificationsSetup } from '.';
 import { docLinksServiceMock } from './doc_links/doc_links_service.mock';
 import { fatalErrorsServiceMock } from './fatal_errors/fatal_errors_service.mock';
 import { httpServiceMock } from './http/http_service.mock';
 import { i18nServiceMock } from './i18n/i18n_service.mock';
-import { notificationServiceMock } from './notifications/notifications_service.mock';
+import { notificationServiceMock, DeeplyMocked } from './notifications/notifications_service.mock';
 import { overlayServiceMock } from './overlays/overlay_service.mock';
 import { uiSettingsServiceMock } from './ui_settings/ui_settings_service.mock';
 import { savedObjectsMock } from './saved_objects/saved_objects_service.mock';
@@ -41,12 +41,12 @@ export { notificationServiceMock } from './notifications/notifications_service.m
 export { overlayServiceMock } from './overlays/overlay_service.mock';
 export { uiSettingsServiceMock } from './ui_settings/ui_settings_service.mock';
 
-function createCoreSetupMock() {
-  const mock: MockedKeys<CoreSetup> = {
+function createCoreSetupMock({ basePath = '' } = {}) {
+  const mock: MockedKeys<CoreSetup> & { notifications: DeeplyMocked<NotificationsSetup> } = {
     application: applicationServiceMock.createSetupContract(),
     context: contextServiceMock.createSetupContract(),
     fatalErrors: fatalErrorsServiceMock.createSetupContract(),
-    http: httpServiceMock.createSetupContract(),
+    http: httpServiceMock.createSetupContract({ basePath }),
     notifications: notificationServiceMock.createSetupContract(),
     uiSettings: uiSettingsServiceMock.createSetupContract(),
     injectedMetadata: {
@@ -57,12 +57,12 @@ function createCoreSetupMock() {
   return mock;
 }
 
-function createCoreStartMock() {
-  const mock: MockedKeys<CoreStart> = {
+function createCoreStartMock({ basePath = '' } = {}) {
+  const mock: MockedKeys<CoreStart> & { notifications: DeeplyMocked<NotificationsSetup> } = {
     application: applicationServiceMock.createStartContract(),
     chrome: chromeServiceMock.createStartContract(),
     docLinks: docLinksServiceMock.createStartContract(),
-    http: httpServiceMock.createStartContract(),
+    http: httpServiceMock.createStartContract({ basePath }),
     i18n: i18nServiceMock.createStartContract(),
     notifications: notificationServiceMock.createStartContract(),
     overlays: overlayServiceMock.createStartContract(),

src/core/public/notifications/notifications_service.mock.ts

@@ -23,7 +23,7 @@ import {
 } from './notifications_service';
 import { toastsServiceMock } from './toasts/toasts_service.mock';
 
-type DeeplyMocked<T> = { [P in keyof T]: jest.Mocked<T[P]> };
+export type DeeplyMocked<T> = { [P in keyof T]: jest.Mocked<T[P]> };
 
 const createSetupContractMock = () => {
   const setupContract: DeeplyMocked<NotificationsSetup> = {