diff --git a/config/opensearch_dashboards.yml b/config/opensearch_dashboards.yml index 3ece0fd3b612..fc90e92ab64e 100644 --- a/config/opensearch_dashboards.yml +++ b/config/opensearch_dashboards.yml @@ -131,8 +131,9 @@ # Set the allowlist to check input graphite Url. Allowlist is the default check list. #vis_type_timeline.graphiteAllowedUrls: ['https://www.hostedgraphite.com/UID/ACCESS_KEY/graphite'] -# Set the blocklist to check input graphite Url. Blocklist is an IP list. +# Set the denylist to check input graphite Url. Denylist is an IP list. # Below is an example for reference + # vis_type_timeline.graphiteBlockedIPs: [ # //Loopback # '127.0.0.0/8', @@ -161,7 +162,37 @@ # '2001:db8::/32', # 'ff00::/8', # ] -#vis_type_timeline.graphiteBlockedIPs: [] + +# vis_type_timeline.graphiteDeniedIPs: [] + +# vis_type_timeline.graphiteDeniedIPs: [ +# //Loopback +# '127.0.0.0/8', +# '::1/128', +# //Link-local Address for IPv6 +# 'fe80::/10', +# //Private IP address for IPv4 +# '10.0.0.0/8', +# '172.16.0.0/12', +# '192.168.0.0/16', +# //Unique local address (ULA) +# 'fc00::/7', +# //Reserved IP address +# '0.0.0.0/8', +# '100.64.0.0/10', +# '192.0.0.0/24', +# '192.0.2.0/24', +# '198.18.0.0/15', +# '192.88.99.0/24', +# '198.51.100.0/24', +# '203.0.113.0/24', +# '224.0.0.0/4', +# '240.0.0.0/4', +# '255.255.255.255/32', +# '::/128', +# '2001:db8::/32', +# 'ff00::/8', +# ] # opensearchDashboards.branding: # logo: @@ -177,9 +208,10 @@ # applicationTitle: "" # useExpandedHeader: false -# Set the value of this setting to true to capture region blocked warnings and errors +# Set the value of this setting to true to capture region denied warnings and errors # for your map rendering services. -# map.showRegionBlockedWarning: false + +# map.showRegionDeniedWarning: false # Set the value of this setting to false to suppress search usage telemetry # for reducing the load of OpenSearch cluster. 
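Review bot: The example list added under `# vis_type_timeline.graphiteDeniedIPs: [` in the second hunk has no entry for the IPv4 link-local range, although it lists `fe80::/10` for IPv6. An operator who copies the example leaves `169.254.0.0/16` outside the graphite URL check, and that range commonly hosts instance metadata services; consider adding `#   //Link-local Address for IPv4` and `#   '169.254.0.0/16',` after the loopback entries. The older commented `graphiteBlockedIPs` example is also kept directly under "Below is an example for reference", so the deprecated key is still the first one a reader sees; labelling it as deprecated or dropping it would avoid that.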
diff --git a/packages/opensearch-safer-lodash-set/scripts/update.sh b/packages/opensearch-safer-lodash-set/scripts/update.sh index 58ed52d61b61..f095a6d94325 100755 --- a/packages/opensearch-safer-lodash-set/scripts/update.sh +++ b/packages/opensearch-safer-lodash-set/scripts/update.sh @@ -22,7 +22,7 @@ all_files=$(cd lodash && ls) modified_lodash_files=(_baseSet.js) # Get fresh copies of all the files that was originally copied from lodash, -# expect the ones in the whitelist +# expect the ones in the allowlist for file in $all_files do if [[ ! "${modified_lodash_files[@]}" =~ "${file}" ]] diff --git a/packages/osd-pm/dist/index.js b/packages/osd-pm/dist/index.js index 0cefa9767f41..336a6c56b299 100644 --- a/packages/osd-pm/dist/index.js +++ b/packages/osd-pm/dist/index.js @@ -86225,7 +86225,7 @@ module.exports = ProgressEmitter; "use strict"; -const blacklist = [ +const denylist = [ // # All '^npm-debug\\.log$', // Error log for npm '^\\..*\\.swp$', // Swap file for vim state @@ -86254,7 +86254,7 @@ exports.re = () => { throw new Error('`junk.re` was renamed to `junk.regex`'); }; -exports.regex = new RegExp(blacklist.join('|')); +exports.regex = new RegExp(denylist.join('|')); exports.is = filename => exports.regex.test(filename); diff --git a/src/core/server/http/http_server.test.ts b/src/core/server/http/http_server.test.ts index 3663d4e432a2..4db4c4fac17f 100644 --- a/src/core/server/http/http_server.test.ts +++ b/src/core/server/http/http_server.test.ts @@ -869,7 +869,7 @@ describe('conditional compression', () => { expect(response.header).toHaveProperty('content-encoding', 'gzip'); }); - test('enables compression for whitelisted referer', async () => { + test('enables compression for whitelisted (deprecated) or allowlisted referer', async () => { const response = await supertest(listener) .get('/') .set('accept-encoding', 'gzip') 
@@ -878,7 +878,7 @@ describe('conditional compression', () => { expect(response.header).toHaveProperty('content-encoding', 'gzip'); }); - test('disables compression for non-whitelisted referer', async () => { + test('disables compression for non-whitelisted (deprecated) or non-allowlisted referer', async () => { const response = await supertest(listener) .get('/') .set('accept-encoding', 'gzip') diff --git a/src/core/server/opensearch/opensearch_config.ts b/src/core/server/opensearch/opensearch_config.ts index 807b636d2a5a..d9f7e2d3f9cf 100644 --- a/src/core/server/opensearch/opensearch_config.ts +++ b/src/core/server/opensearch/opensearch_config.ts @@ -149,6 +149,10 @@ const deprecations: ConfigDeprecationProvider = ({ renameFromRoot, renameFromRoo 'opensearch.requestHeadersWhitelist', 'opensearch.requestHeadersAllowlist' ), + renameFromRootWithoutMap( + 'opensearch.requestHeadersWhitelistConfigured', + 'opensearch.requestHeadersAllowlistConfigured' + ), renameFromRoot('elasticsearch.customHeaders', 'opensearch.customHeaders'), renameFromRoot('elasticsearch.shardTimeout', 'opensearch.shardTimeout'), renameFromRoot('elasticsearch.requestTimeout', 'opensearch.requestTimeout'), diff --git a/src/core/server/saved_objects/mappings/lib/get_root_properties_objects.test.ts b/src/core/server/saved_objects/mappings/lib/get_root_properties_objects.test.ts index 23070484be45..05b8541e288d 100644 --- a/src/core/server/saved_objects/mappings/lib/get_root_properties_objects.test.ts +++ b/src/core/server/saved_objects/mappings/lib/get_root_properties_objects.test.ts @@ -179,7 +179,7 @@ test(`includes one object with type === 'object' and excludes one object without }); }); -test('excludes references and migrationVersion which are part of the blacklist', () => { +test('excludes references and migrationVersion which are part of the denylist', () => { const mappings = { properties: { references: { 
diff --git a/src/dev/license_checker/config.ts b/src/dev/license_checker/config.ts index c3dc1a07a94f..f685da4ed5b6 100644 --- a/src/dev/license_checker/config.ts +++ b/src/dev/license_checker/config.ts @@ -30,7 +30,7 @@ // The following list applies to packages both // used as dependencies or dev dependencies -export const LICENSE_WHITELIST = [ +export const LICENSE_ALLOWLIST = [ 'Elastic-License', '0BSD', '(BSD-2-Clause OR MIT OR Apache-2.0)', @@ -86,7 +86,7 @@ export const LICENSE_WHITELIST = [ // The following list only applies to licenses that // we wanna allow in packages only used as dev dependencies -export const DEV_ONLY_LICENSE_WHITELIST = ['MPL-2.0']; +export const DEV_ONLY_LICENSE_ALLOWLIST = ['MPL-2.0']; // Globally overrides a license for a given package@version export const LICENSE_OVERRIDES = { diff --git a/src/dev/license_checker/index.ts b/src/dev/license_checker/index.ts index 19450a7840ef..e8a309d15da0 100644 --- a/src/dev/license_checker/index.ts +++ b/src/dev/license_checker/index.ts @@ -28,5 +28,5 @@ * under the License. */ -export { LICENSE_WHITELIST, DEV_ONLY_LICENSE_WHITELIST, LICENSE_OVERRIDES } from './config'; +export { LICENSE_ALLOWLIST, DEV_ONLY_LICENSE_ALLOWLIST, LICENSE_OVERRIDES } from './config'; export { assertLicensesValid } from './valid'; diff --git a/src/dev/license_checker/run_check_licenses_cli.ts b/src/dev/license_checker/run_check_licenses_cli.ts index db7a9e9cbaa9..064e0d3d75ac 100644 --- a/src/dev/license_checker/run_check_licenses_cli.ts +++ b/src/dev/license_checker/run_check_licenses_cli.ts @@ -32,7 +32,7 @@ import { REPO_ROOT } from '@osd/utils'; import { run } from '@osd/dev-utils'; import { getInstalledPackages } from '../npm'; -import { LICENSE_WHITELIST, DEV_ONLY_LICENSE_WHITELIST, LICENSE_OVERRIDES } from './config'; +import { LICENSE_ALLOWLIST, DEV_ONLY_LICENSE_ALLOWLIST, LICENSE_OVERRIDES } from './config'; import { assertLicensesValid } from './valid'; run( 
@@ -47,7 +47,7 @@ run( // packages are valid assertLicensesValid({ packages: packages.filter((pkg) => !pkg.isDevOnly), - validLicenses: LICENSE_WHITELIST, + validLicenses: LICENSE_ALLOWLIST, }); log.success('All production dependency licenses are allowed'); @@ -56,7 +56,7 @@ run( if (flags.dev) { assertLicensesValid({ packages: packages.filter((pkg) => pkg.isDevOnly), - validLicenses: LICENSE_WHITELIST.concat(DEV_ONLY_LICENSE_WHITELIST), + validLicenses: LICENSE_ALLOWLIST.concat(DEV_ONLY_LICENSE_ALLOWLIST), }); log.success('All development dependency licenses are allowed'); } diff --git a/src/legacy/server/config/schema.js b/src/legacy/server/config/schema.js index 1ae6dc385917..7e7574d62009 100644 --- a/src/legacy/server/config/schema.js +++ b/src/legacy/server/config/schema.js @@ -154,7 +154,7 @@ export default () => map: Joi.object({ includeOpenSearchMapsService: Joi.boolean().default(true), proxyOpenSearchMapsServiceInMaps: Joi.boolean().default(false), - showRegionBlockedWarning: Joi.boolean().default(false), + showRegionDeniedWarning: Joi.boolean().default(false), tilemap: Joi.object({ url: Joi.string(), options: Joi.object({ diff --git a/src/plugins/home/public/application/components/tutorial/__snapshots__/content.test.js.snap b/src/plugins/home/public/application/components/tutorial/__snapshots__/content.test.js.snap index 690875dc9690..1f8ad1822b0f 100644 --- a/src/plugins/home/public/application/components/tutorial/__snapshots__/content.test.js.snap +++ b/src/plugins/home/public/application/components/tutorial/__snapshots__/content.test.js.snap @@ -2,6 +2,14 @@ exports[`should render content with markdown 1`] = ` ); } diff --git a/src/plugins/home/server/tutorials/santa_logs/index.ts b/src/plugins/home/server/tutorials/santa_logs/index.ts index 46642bdce5e8..0008a3adb73d 100644 --- a/src/plugins/home/server/tutorials/santa_logs/index.ts +++ b/src/plugins/home/server/tutorials/santa_logs/index.ts 
@@ -52,7 +52,7 @@ export function santaLogsSpecProvider(context: TutorialContext): TutorialSchema longDescription: i18n.translate('home.tutorials.santaLogs.longDescription', { defaultMessage: 'The module collects and parses logs from [Google Santa](https://github.com/google/santa), \ - a security tool for macOS that monitors process executions and can blacklist/whitelist binaries. \ + a security tool for macOS that monitors process executions and can denylist/allowlist binaries. \ [Learn more]({learnMoreLink}).', values: { learnMoreLink: '{config.docs.beats.filebeat}/filebeat-module-santa.html', diff --git a/src/plugins/maps_legacy/config.ts b/src/plugins/maps_legacy/config.ts index 88de91170329..4ed5b4522c12 100644 --- a/src/plugins/maps_legacy/config.ts +++ b/src/plugins/maps_legacy/config.ts @@ -35,7 +35,7 @@ import { configSchema as regionmapSchema } from '../region_map/config'; export const configSchema = schema.object({ includeOpenSearchMapsService: schema.boolean({ defaultValue: true }), proxyOpenSearchMapsServiceInMaps: schema.boolean({ defaultValue: false }), - showRegionBlockedWarning: schema.boolean({ defaultValue: false }), + showRegionDeniedWarning: schema.boolean({ defaultValue: false }), tilemap: tilemapSchema, regionmap: regionmapSchema, manifestServiceUrl: schema.string({ defaultValue: '' }), diff --git a/src/plugins/maps_legacy/public/map/base_maps_visualization.js b/src/plugins/maps_legacy/public/map/base_maps_visualization.js index 902654ed7bd9..b544997c74d7 100644 --- a/src/plugins/maps_legacy/public/map/base_maps_visualization.js +++ b/src/plugins/maps_legacy/public/map/base_maps_visualization.js 
@@ -205,13 +205,13 @@ export function BaseMapsVisualizationProvider() { isDarkMode ); const showZoomMessage = serviceSettings.shouldShowZoomMessage(tmsLayer); - const showRegionBlockedWarning = serviceSettings.shouldShowRegionBlockedWarning(); + const showRegionDeniedWarning = serviceSettings.shouldShowRegionDeniedWarning(); const options = { ...tmsLayer }; delete options.id; delete options.subdomains; this._opensearchDashboardsMap.setBaseLayer({ baseLayerType: 'tms', - options: { ...options, showZoomMessage, showRegionBlockedWarning, ...meta }, + options: { ...options, showZoomMessage, showRegionDeniedWarning, ...meta }, }); } diff --git a/src/plugins/maps_legacy/public/map/map_messages.js b/src/plugins/maps_legacy/public/map/map_messages.js index bce3220a5dc3..e87161c1ba1f 100644 --- a/src/plugins/maps_legacy/public/map/map_messages.js +++ b/src/plugins/maps_legacy/public/map/map_messages.js @@ -35,9 +35,9 @@ import { FormattedMessage } from '@osd/i18n/react'; import { EuiSpacer, EuiButtonEmpty, EuiEmptyPrompt } from '@elastic/eui'; import { toMountPoint } from '../../../opensearch_dashboards_react/public'; -export const createRegionBlockedWarning = (function () { +export const createRegionDeniedWarning = (function () { /* eslint-disable react/prefer-stateless-function */ - class RegionBlockedWarningOverlay extends React.Component { + class RegionDeniedWarningOverlay extends React.Component { constructor(props) { super(props); } @@ -71,7 +71,7 @@ export const createRegionBlockedWarning = (function () { document.getElementsByClassName('leaflet-container'), (leafletDom) => { ReactDOM.render( - new RegionBlockedWarningOverlay().render(), + new RegionDeniedWarningOverlay().render(), leafletDom.appendChild(messageBlock) ); } 
@@ -80,7 +80,7 @@ export const createRegionBlockedWarning = (function () { }; })(); -export const removeRegionBlockedWarning = (function () { +export const removeRegionDeniedWarning = (function () { return () => { const childEle = document.getElementById('blocker-div'); if (childEle) { diff --git a/src/plugins/maps_legacy/public/map/opensearch_dashboards_map.js b/src/plugins/maps_legacy/public/map/opensearch_dashboards_map.js index 0031d99fc0fe..3ca067c27796 100644 --- a/src/plugins/maps_legacy/public/map/opensearch_dashboards_map.js +++ b/src/plugins/maps_legacy/public/map/opensearch_dashboards_map.js @@ -31,8 +31,8 @@ import { EventEmitter } from 'events'; import { createZoomWarningMsg, - createRegionBlockedWarning, - removeRegionBlockedWarning, + createRegionDeniedWarning, + removeRegionDeniedWarning, } from './map_messages'; import $ from 'jquery'; import { get, isEqual, escape } from 'lodash'; @@ -609,8 +609,8 @@ export class OpenSearchDashboardsMap extends EventEmitter { this.emit('baseLayer:loading'); }); baseLayer.on('tileerror', () => { - if (settings.options.showRegionBlockedWarning) { - createRegionBlockedWarning(); + if (settings.options.showRegionDeniedWarning) { + createRegionDeniedWarning(); } }); @@ -691,7 +691,7 @@ export class OpenSearchDashboardsMap extends EventEmitter { } _updateDesaturation() { - removeRegionBlockedWarning(); + removeRegionDeniedWarning(); const tiles = $('img.leaflet-tile-loaded'); // Don't apply client-side styling to EMS basemaps if (get(this._baseLayerSettings, 'options.origin') === ORIGIN.EMS) { diff --git a/src/plugins/maps_legacy/public/map/service_settings.js b/src/plugins/maps_legacy/public/map/service_settings.js index 7d5bc2f17217..26f2cda24aaa 100644 --- a/src/plugins/maps_legacy/public/map/service_settings.js +++ b/src/plugins/maps_legacy/public/map/service_settings.js 
@@ -58,7 +58,7 @@ export class ServiceSettings { this._hasTmsConfigured = typeof tilemapsConfig.url === 'string' && tilemapsConfig.url !== ''; this._showZoomMessage = true; - this._showRegionBlockedWarning = this._mapConfig.showRegionBlockedWarning; + this._showRegionDeniedWarning = this._mapConfig.showRegionDeniedWarning; this._emsClient = null; this._opensearchMapsClient = new OpenSearchMapsClient({ language: i18n.getLocale(), @@ -89,8 +89,8 @@ export class ServiceSettings { }); } - shouldShowRegionBlockedWarning() { - return this._showRegionBlockedWarning; + shouldShowRegionDeniedWarning() { + return this._showRegionDeniedWarning; } shouldShowZoomMessage({ origin }) { diff --git a/src/plugins/maps_legacy/server/index.ts b/src/plugins/maps_legacy/server/index.ts index 612c8be9745a..f6240d8aef50 100644 --- a/src/plugins/maps_legacy/server/index.ts +++ b/src/plugins/maps_legacy/server/index.ts @@ -38,7 +38,7 @@ export const config: PluginConfigDescriptor = { exposeToBrowser: { includeOpenSearchMapsService: true, proxyOpenSearchMapsServiceInMaps: true, - showRegionBlockedWarning: true, + showRegionDeniedWarning: true, tilemap: true, regionmap: true, manifestServiceUrl: true, @@ -57,6 +57,7 @@ export const config: PluginConfigDescriptor = { 'map.regionmap.includeElasticMapsService', 'map.regionmap.includeOpenSearchMapsService' ), + renameFromRoot('map.showRegionBlockedWarning', 'map.showRegionDeniedWarning'), ], }; diff --git a/src/plugins/opensearch_dashboards_react/public/markdown/__snapshots__/markdown.test.tsx.snap b/src/plugins/opensearch_dashboards_react/public/markdown/__snapshots__/markdown.test.tsx.snap index 29a68a55a978..2cd06435a104 100644 --- a/src/plugins/opensearch_dashboards_react/public/markdown/__snapshots__/markdown.test.tsx.snap +++ b/src/plugins/opensearch_dashboards_react/public/markdown/__snapshots__/markdown.test.tsx.snap @@ -1,5 +1,17 @@ // Jest Snapshot v1, https://goo.gl/fbAQLP +exports[`props allowListedRules 1`] = ` +
I am some [content](https://en.wikipedia.org/wiki/Content) with markdown

+", + } + } +/> +`; + exports[`props markdown 1`] = `
{ expect(component).toMatchSnapshot(); }); + test('allowListedRules', () => { + const component = shallow( + + ); + expect(component).toMatchSnapshot(); + }); + test('should update markdown when openLinksInNewTab prop change', () => { const component = shallow(); expect(component.render().find('a').prop('target')).not.toBe('_blank'); @@ -111,4 +118,16 @@ describe('props', () => { expect(component.render().find('code')).toHaveLength(1); expect(component.render().find('em')).toHaveLength(0); }); + + test('should update markdown when allowListedRules prop change', () => { + const md = '*emphasis* `backticks`'; + const component = shallow( + + ); + expect(component.render().find('em')).toHaveLength(1); + expect(component.render().find('code')).toHaveLength(1); + component.setProps({ allowListedRules: ['backticks'] }); + expect(component.render().find('code')).toHaveLength(1); + expect(component.render().find('em')).toHaveLength(0); + }); }); diff --git a/src/plugins/opensearch_dashboards_react/public/markdown/markdown.tsx b/src/plugins/opensearch_dashboards_react/public/markdown/markdown.tsx index eeccf16eea53..1602b3c01c3d 100644 --- a/src/plugins/opensearch_dashboards_react/public/markdown/markdown.tsx +++ b/src/plugins/opensearch_dashboards_react/public/markdown/markdown.tsx 
@@ -37,22 +37,30 @@ import { getSecureRelForTarget } from '@elastic/eui'; import './index.scss'; /** * Return a memoized markdown rendering function that use the specified - * whiteListedRules and openLinksInNewTab configurations. - * @param {Array of Strings} whiteListedRules - white list of markdown rules + * whiteListedRules (deprecated) (use allowListedRules) and openLinksInNewTab configurations. + * @param {Array of Strings} whiteListedRules - allow list of markdown rules + * @param {Array of Strings} allowListedRules - allow list of markdown rules * list of rules can be found at https://github.com/markdown-it/markdown-it/issues/361 * @param {Boolean} openLinksInNewTab * @return {Function} Returns an Object to use with dangerouslySetInnerHTML * with the rendered markdown HTML */ export const markdownFactory = memoize( - (whiteListedRules: string[] = [], openLinksInNewTab: boolean = false) => { + ( + whiteListedRules: string[] = [], + allowListedRules: string[] = [], + openLinksInNewTab: boolean = false + ) => { let markdownIt: MarkdownIt; // It is imperative that the html config property be set to false, to mitigate XSS: the output of markdown-it is // fed directly to the DOM via React's dangerouslySetInnerHTML below. - if (whiteListedRules && whiteListedRules.length > 0) { - markdownIt = new MarkdownIt('zero', { html: false, linkify: true }); + markdownIt = new MarkdownIt('zero', { html: false, linkify: true }); + + if (allowListedRules && allowListedRules.length > 0) { + markdownIt.enable(allowListedRules); + } else if (whiteListedRules && whiteListedRules.length > 0) { markdownIt.enable(whiteListedRules); } else { markdownIt = new MarkdownIt({ html: false, linkify: true }); 
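Review bot: Inserting `allowListedRules` as the second positional parameter of `markdownFactory` moves `openLinksInNewTab` to third place, so an existing two-argument call such as `markdownFactory(rules, true)` now passes the boolean as the rule list and silently loses the new-tab setting (plain-JS callers get no compile error). Appending the new parameter instead, `(whiteListedRules = [], openLinksInNewTab = false, allowListedRules = [])`, keeps the old call shape working; the resolver and `Markdown.render` would need the same order. Separately, the `'zero'` instance is now constructed unconditionally and then thrown away in the final `else`, so building it only inside the two rule branches is cleaner. The function body continues past the end of this hunk.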
@@ -90,8 +98,14 @@ export const markdownFactory = memoize( return markdown ? markdownIt.render(markdown) : ''; }; }, - (whiteListedRules: string[] = [], openLinksInNewTab: boolean = false) => { - return `${whiteListedRules.join('_')}${openLinksInNewTab}`; + ( + whiteListedRules: string[] = [], + allowListedRules: string[] = [], + openLinksInNewTab: boolean = false + ) => { + return whiteListedRules.length > 0 + ? `${whiteListedRules.join('_')}${openLinksInNewTab}` + : `${allowListedRules.join('_')}${openLinksInNewTab}`; } ); @@ -99,15 +113,24 @@ export interface MarkdownProps extends React.HTMLAttributes { className?: string; markdown?: string; openLinksInNewTab?: boolean; + /** @deprecated use allowListedRules: */ whiteListedRules?: string[]; + allowListedRules?: string[]; } export class Markdown extends PureComponent { render() { - const { className, markdown = '', openLinksInNewTab, whiteListedRules, ...rest } = this.props; + const { + className, + markdown = '', + openLinksInNewTab, + whiteListedRules, + allowListedRules, + ...rest + } = this.props; const classes = classNames('osdMarkdown__body', className); - const markdownRenderer = markdownFactory(whiteListedRules, openLinksInNewTab); + const markdownRenderer = markdownFactory(whiteListedRules, allowListedRules, openLinksInNewTab); const renderedMarkdown = markdownRenderer(markdown); return (
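Review bot: The memoize resolver keys on `whiteListedRules` whenever it is non-empty, but the factory in the previous hunk gives `allowListedRules` precedence, so two calls with the same deprecated list and different `allowListedRules` share one cached renderer. The later caller then gets a renderer built with whichever rule set came first, which can enable more markdown rules than the allowlist it passed. Key on the list the factory actually uses, e.g. `const rules = allowListedRules.length > 0 ? allowListedRules : whiteListedRules;` and then build the key from `rules.join('_')` plus `openLinksInNewTab`.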
= { exposeToBrowser: { ui: true, }, - deprecations: ({ renameFromRoot }) => [ + deprecations: ({ renameFromRoot, renameFromRootWithoutMap }) => [ // timelion.enabled and timelion_vis.enabled deprecation renameFromRoot('timelion.enabled', 'vis_type_timeline.enabled'), renameFromRoot('timelion_vis.enabled', 'vis_type_timeline.enabled'), @@ -61,6 +61,11 @@ export const config: PluginConfigDescriptor = { renameFromRoot('timelion.ui.enabled', 'vis_type_timeline.ui.enabled', true), renameFromRoot('vis_type_timelion.ui.enabled', 'vis_type_timeline.ui.enabled', true), renameFromRoot('timeline.ui.enabled', 'vis_type_timeline.ui.enabled', true), + + renameFromRootWithoutMap( + 'vis_type_timeline.graphiteBlockedIPs', + 'vis_type_timeline.graphiteDeniedIPs' + ), ], }; export const plugin = (initializerContext: PluginInitializerContext) => diff --git a/src/plugins/vis_type_timeline/server/lib/config_manager.ts b/src/plugins/vis_type_timeline/server/lib/config_manager.ts index 8d5e9edc0eb6..048db67422a6 100644 --- a/src/plugins/vis_type_timeline/server/lib/config_manager.ts +++ b/src/plugins/vis_type_timeline/server/lib/config_manager.ts @@ -36,7 +36,6 @@ export class ConfigManager { private opensearchShardTimeout: number = 0; private graphiteAllowedUrls: string[] = []; private graphiteBlockedIPs: string[] = []; - constructor(config: PluginInitializerContext['config']) { config.create>().subscribe((configUpdate) => { this.graphiteAllowedUrls = configUpdate.graphiteAllowedUrls || []; diff --git a/src/plugins/vis_type_timeline/server/series_functions/fixtures/tl_config.js b/src/plugins/vis_type_timeline/server/series_functions/fixtures/tl_config.js index 55a1f644936c..e9fc8d4c1487 100644 --- a/src/plugins/vis_type_timeline/server/series_functions/fixtures/tl_config.js +++ b/src/plugins/vis_type_timeline/server/series_functions/fixtures/tl_config.js 
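Review bot: `ConfigManager` still declares `private graphiteBlockedIPs` and its hunk only removes a blank line, while the deprecation added in `index.ts` renames `vis_type_timeline.graphiteBlockedIPs` to `vis_type_timeline.graphiteDeniedIPs`. The assignment for the IP list inside the `subscribe` callback is outside the hunk, so this cannot be confirmed from here, but if it still reads `configUpdate.graphiteBlockedIPs` the renamed setting would arrive empty and the graphite IP check would run with no denied ranges. It is worth confirming that the plugin's config schema accepts `graphiteDeniedIPs` and that the manager reads it, for example `this.graphiteBlockedIPs = configUpdate.graphiteDeniedIPs || [];`, and adding a test that sets only the new key.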
@@ -54,6 +54,7 @@ export default function () { opensearchShardTimeout: moment.duration(30000), allowedGraphiteUrls: ['https://www.hostedgraphite.com/UID/ACCESS_KEY/graphite'], + blockedGraphiteIPs: [], }); diff --git a/src/plugins/vis_type_timeline/server/series_functions/graphite.test.js b/src/plugins/vis_type_timeline/server/series_functions/graphite.test.js index e5ef1c987992..e251f3963a17 100644 --- a/src/plugins/vis_type_timeline/server/series_functions/graphite.test.js +++ b/src/plugins/vis_type_timeline/server/series_functions/graphite.test.js @@ -90,7 +90,17 @@ describe('graphite', function () { }); }); - it('should return error message if both allowlist and blocklist are disabled', function () { + it('should return error message if both allowlist and blockedlist are disabled', function () { + return invoke(fn, [], { + settings: { 'timeline:graphite.url': 'http://127.0.0.1' }, + allowedGraphiteUrls: [], + blockedGraphiteIPs: [], + }).catch((e) => { + expect(e.message).to.eql(MISS_CHECKLIST_MESSAGE); + }); + }); + + it('should return error message if both allowlist and denylist are disabled', function () { return invoke(fn, [], { settings: { 'timeline:graphite.url': 'http://127.0.0.1' }, allowedGraphiteUrls: [], @@ -122,7 +132,7 @@ describe('graphite', function () { }); }); - it('setting with matched blocklist url should return error message', function () { + it('setting with matched denylist url should return error message', function () { return invoke(fn, [], { settings: { 'timeline:graphite.url': 'http://127.0.0.1' }, allowedGraphiteUrls: [], @@ -132,7 +142,7 @@ describe('graphite', function () { }); }); - it('setting with matched blocklist localhost should return error message', function () { + it('setting with matched denylist localhost should return error message', function () { return invoke(fn, [], { settings: { 'timeline:graphite.url': 'http://localhost' }, allowedGraphiteUrls: [], 
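Review bot: The added test 'should return error message if both allowlist and blockedlist are disabled' asserts only inside `.catch`, so it passes without checking anything if `invoke` resolves. For a check that decides which graphite URLs may be fetched, a silent pass would hide a regression; fail the success path explicitly, e.g. `.then(() => { throw new Error('expected rejection'); }, (e) => { expect(e.message).to.eql(MISS_CHECKLIST_MESSAGE); })`. The renamed tests in the later hunks of this file appear to follow the same shape, though their assertions are outside the hunks. The new test's visible setup is also identical to the 'denylist' variant that follows it, so one of the two may be redundant.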
@@ -142,7 +152,7 @@ describe('graphite', function () { }); }); - it('setting with unmatched blocklist https url should return result', function () { + it('setting with unmatched denylist https url should return result', function () { return invoke(fn, [], { settings: { 'timeline:graphite.url': 'https://opensearch.org/' }, allowedGraphiteUrls: [], @@ -152,7 +162,7 @@ describe('graphite', function () { }); }); - it('setting with unmatched blocklist ftp url should return result', function () { + it('setting with unmatched denylist ftp url should return result', function () { return invoke(fn, [], { settings: { 'timeline:graphite.url': 'ftp://www.opensearch.org' }, allowedGraphiteUrls: [], @@ -182,7 +192,7 @@ describe('graphite', function () { }); }); - it('with both allowlist and blocklist, setting not in blocklist but in allowlist should return result', function () { + it('with both allowlist and denylist, setting not in denylist but in allowlist should return result', function () { return invoke(fn, [], { settings: { 'timeline:graphite.url': 'https://www.hostedgraphite.com/UID/ACCESS_KEY/graphite', @@ -194,7 +204,7 @@ describe('graphite', function () { }); }); - it('with conflict allowlist and blocklist, setting in blocklist and in allowlist should return error message', function () { + it('with conflict allowlist and denylist, setting in denylist and in allowlist should return error message', function () { return invoke(fn, [], { settings: { 'timeline:graphite.url': 'http://127.0.0.1', diff --git a/src/plugins/vis_type_timeline/server/series_functions/helpers/graphite_helper.js b/src/plugins/vis_type_timeline/server/series_functions/helpers/graphite_helper.js index ceb19a0f819e..ace4987eb3b5 100644 --- a/src/plugins/vis_type_timeline/server/series_functions/helpers/graphite_helper.js +++ b/src/plugins/vis_type_timeline/server/series_functions/helpers/graphite_helper.js 
@@ -26,16 +26,16 @@ function getIpAddress(urlObject) { return null; } /** - * Check whether customer input URL is blocked + * Check whether customer input URL is denied * This function first check the format of URL, URL has be in the format as * scheme://server/path/resource otherwise an TypeError would be thrown * Then IPCIDR check if a specific IP address fall in the * range of an IP address block * @param {string} configuredUrls - * @param {Array|string} blockedIPs - * @returns {boolean} true if the configuredUrl is blocked + * @param {Array|string} deniedIPs + * @returns {boolean} true if the configuredUrl is denied */ -function isBlockedURL(configuredUrl, blockedIPs) { +function isDeniedURL(configuredUrl, deniedIPs) { let configuredUrlObject; try { configuredUrlObject = new URL(configuredUrl); 
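Review bot: The doc comment rewritten here still says a malformed URL makes the function throw a TypeError, but the `try` around `new URL(configuredUrl)` and the test 'invalid Url should be blocked and isDeniedURL should return true' indicate that `isDeniedURL` returns true instead. Since these lines are being touched anyway, state the fail-closed contract, e.g. `@returns {boolean} true if the URL is malformed, no IP address is obtained for it, or its IP falls within deniedIPs`. The tags also name `configuredUrls` where the parameter is `configuredUrl`, and type `deniedIPs` as `{Array|string}` although `.some` is called on it; the `isValidConfig` comment in the next hunk has the same two tag errors. The function body continues outside this hunk.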
@@ -46,28 +46,28 @@ function isBlockedURL(configuredUrl, blockedIPs) { if (!ip) { return true; } - const isBlocked = blockedIPs.some((blockedIP) => new IPCIDR(blockedIP).contains(ip)); - return isBlocked; + const isDenied = deniedIPs.some((deniedIP) => new IPCIDR(deniedIP).contains(ip)); + return isDenied; } /** - * Check configured url using blocklist and allowlist + * Check configured url using denylist and allowlist * If allowlist is used, return false if allowlist does not contain configured url - * If blocklist is used, return false if blocklist contains configured url - * If both allowlist and blocklist are used, check blocklist first then allowlist - * @param {Array|string} blockedIPs + * If denylist is used, return false if denylist contains configured url + * If both allowlist and denylist are used, check denylist first then allowlist + * @param {Array|string} deniedIPs * @param {Array|string} allowedUrls * @param {string} configuredUrls * @returns {boolean} true if the configuredUrl is valid */ -function isValidConfig(blockedIPs, allowedUrls, configuredUrl) { - if (blockedIPs.length === 0) { +function isValidConfig(deniedIPs, allowedUrls, configuredUrl) { + if (deniedIPs.length === 0) { if (!allowedUrls.includes(configuredUrl)) return false; } else if (allowedUrls.length === 0) { - if (exports.isBlockedURL(configuredUrl, blockedIPs)) return false; + if (exports.isDeniedURL(configuredUrl, deniedIPs)) return false; } else { - if (exports.isBlockedURL(configuredUrl, blockedIPs) || !allowedUrls.includes(configuredUrl)) + if (exports.isDeniedURL(configuredUrl, deniedIPs) || !allowedUrls.includes(configuredUrl)) return false; } return true; } -export { getIpAddress, isBlockedURL, isValidConfig }; +export { getIpAddress, isDeniedURL, isValidConfig }; 
diff --git a/src/plugins/vis_type_timeline/server/series_functions/helpers/graphite_helper.test.js b/src/plugins/vis_type_timeline/server/series_functions/helpers/graphite_helper.test.js
index 20053c7bc212..9c1ca1a9c176 100644
--- a/src/plugins/vis_type_timeline/server/series_functions/helpers/graphite_helper.test.js
+++ b/src/plugins/vis_type_timeline/server/series_functions/helpers/graphite_helper.test.js
@@ -6,32 +6,32 @@ import * as helper from './graphite_helper'; describe('graphite_helper', function () { - it('valid Url should not be blocked and isBlockedURL should return false', function () { - expect(helper.isBlockedURL('https://opensearch.org', ['127.0.0.0/8'])).toEqual(false); + it('valid Url should not be blocked and isDeniedURL should return false', function () { + expect(helper.isDeniedURL('https://opensearch.org', ['127.0.0.0/8'])).toEqual(false); }); - it('blocked Url should be blocked and isBlockedURL should return true', function () { - expect(helper.isBlockedURL('https://127.0.0.1', ['127.0.0.0/8'])).toEqual(true); + it('blocked Url should be blocked and isDeniedURL should return true', function () { + expect(helper.isDeniedURL('https://127.0.0.1', ['127.0.0.0/8'])).toEqual(true); }); - it('invalid Url should be blocked and isBlockedURL should return true', function () { - expect(helper.isBlockedURL('www.opensearch.org', ['127.0.0.0/8'])).toEqual(true); + it('invalid Url should be blocked and isDeniedURL should return true', function () { + expect(helper.isDeniedURL('www.opensearch.org', ['127.0.0.0/8'])).toEqual(true); }); - it('blocklist should be checked if blocklist is enabled', function () { - jest.spyOn(helper, 'isBlockedURL').mockReturnValueOnce(false); + it('denylist should be checked if denylist is enabled', function () { + jest.spyOn(helper, 'isDeniedURL').mockReturnValueOnce(false); helper.isValidConfig(['127.0.0.0/8'], [], 'https://opensearch.org'); - expect(helper.isBlockedURL).toBeCalled(); + expect(helper.isDeniedURL).toBeCalled(); }); - it('blocklist should be checked it both allowlist and blocklist are enabled', function () { - jest.spyOn(helper, 'isBlockedURL').mockReturnValueOnce(false); + it('denylist should be checked it both allowlist and denylist are enabled', function () { + jest.spyOn(helper, 'isDeniedURL').mockReturnValueOnce(false); helper.isValidConfig( ['127.0.0.0/8'], 
['https://www.hostedgraphite.com/UID/ACCESS_KEY/graphite'], 'https://opensearch.org' ); - expect(helper.isBlockedURL).toBeCalled(); + expect(helper.isDeniedURL).toBeCalled(); }); it('with only allowlist, isValidConfig should return false for Url not in the allowlist', function () { @@ -54,15 +54,15 @@ describe('graphite_helper', function () { ).toEqual(true); }); - it('with only blocklist, isValidConfig should return false for Url in the blocklist', function () { + it('with only denylist, isValidConfig should return false for Url in the denylist', function () { expect(helper.isValidConfig(['127.0.0.0/8'], [], 'https://127.0.0.1')).toEqual(false); }); - it('with only blocklist, isValidConfig should return true for Url not in the blocklist', function () { + it('with only denylist, isValidConfig should return true for Url not in the denylist', function () { expect(helper.isValidConfig(['127.0.0.0/8'], [], 'https://opensearch.org')).toEqual(true); }); - it('with both blocklist and allowlist, isValidConfig should return false if allowlist check fails', function () { + it('with both denylist and allowlist, isValidConfig should return false if allowlist check fails', function () { expect( helper.isValidConfig( ['127.0.0.0/8'], @@ -72,7 +72,7 @@ describe('graphite_helper', function () { ).toEqual(false); }); - it('with both blocklist and allowlist, isValidConfig should return false if blocklist check fails', function () { + it('with both denylist and allowlist, isValidConfig should return false if denylist check fails', function () { expect( helper.isValidConfig( ['127.0.0.0/8'], 
@@ -82,7 +82,7 @@ describe('graphite_helper', function () { ).toEqual(false); }); - it('with conflict blocklist and allowlist, isValidConfig should return false if blocklist check fails', function () { + it('with conflict denylist and allowlist, isValidConfig should return false if denylist check fails', function () { expect( helper.isValidConfig(['127.0.0.0/8'], ['https://127.0.0.1'], 'https://127.0.0.1') ).toEqual(false); diff --git a/src/plugins/vis_type_timeseries/common/ui_restrictions.ts b/src/plugins/vis_type_timeseries/common/ui_restrictions.ts index a153c4329a5b..d9e0c6a80e32 100644 --- a/src/plugins/vis_type_timeseries/common/ui_restrictions.ts +++ b/src/plugins/vis_type_timeseries/common/ui_restrictions.ts @@ -37,19 +37,25 @@ import { PANEL_TYPES } from './panel_types'; */ export enum RESTRICTIONS_KEYS { /** - * Key for getting the white listed group by fields from the UIRestrictions object. + * Key for getting the allow listed group by fields from the UIRestrictions object. */ + /** @deprecated use ALLOW_LISTED_GROUP_BY_FIELDS*/ WHITE_LISTED_GROUP_BY_FIELDS = 'whiteListedGroupByFields', + ALLOW_LISTED_GROUP_BY_FIELDS = 'allowListedGroupByFields', /** - * Key for getting the white listed metrics from the UIRestrictions object. + * Key for getting the allow listed metrics from the UIRestrictions object. */ + /** @deprecated use ALLOW_LISTED_METRICS*/ WHITE_LISTED_METRICS = 'whiteListedMetrics', + ALLOW_LISTED_METRICS = 'allowListedMetrics', /** - * Key for getting the white listed Time Range modes from the UIRestrictions object. + * Key for getting the allow listed Time Range modes from the UIRestrictions object. */ + /** @deprecated use ALLOW_LISTED_TIMERANGE_MODES*/ WHITE_LISTED_TIMERANGE_MODES = 'whiteListedTimerangeModes', + ALLOW_LISTED_TIMERANGE_MODES = 'allowListedTimerangeModes', } export interface UIRestrictions { 
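Review bot: In `RESTRICTIONS_KEYS`, each description block is now followed by a second `/** @deprecated … */` block, so the new `ALLOW_LISTED_*` members carry no doc comment at all. The reworded description ("allow listed …") sits above the deprecated `WHITE_LISTED_*` member, where editors generally surface only the block nearest the declaration. I would move each description directly above its `ALLOW_LISTED_*` member and keep only `/** @deprecated use ALLOW_LISTED_GROUP_BY_FIELDS */` (with a space before `*/`) above the old one. The same applies to the metrics and timerange-mode pairs. The enum's own header comment starts outside the hunk.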
diff --git a/src/plugins/vis_type_timeseries/public/application/lib/check_ui_restrictions.js b/src/plugins/vis_type_timeseries/public/application/lib/check_ui_restrictions.js index e2128d77c758..379643fcc726 100644 --- a/src/plugins/vis_type_timeseries/public/application/lib/check_ui_restrictions.js +++ b/src/plugins/vis_type_timeseries/public/application/lib/check_ui_restrictions.js @@ -53,7 +53,7 @@ const checkUIRestrictions = (key, restrictions = DEFAULT_UI_RESTRICTION, type) = * @return {boolean} */ export const isMetricEnabled = (key, restrictions) => { - return checkUIRestrictions(key, restrictions, RESTRICTIONS_KEYS.WHITE_LISTED_METRICS); + return checkUIRestrictions(key, restrictions, RESTRICTIONS_KEYS.ALLOW_LISTED_METRICS); }; /** @@ -69,7 +69,7 @@ export const isFieldEnabled = (field, metricType, restrictions = DEFAULT_UI_REST if (isMetricEnabled(metricType, restrictions)) { return checkUIRestrictions( field, - restrictions[RESTRICTIONS_KEYS.WHITE_LISTED_METRICS], + restrictions[RESTRICTIONS_KEYS.ALLOW_LISTED_METRICS], metricType ); } @@ -86,7 +86,7 @@ export const isFieldEnabled = (field, metricType, restrictions = DEFAULT_UI_REST * @return {boolean} */ export const isGroupByFieldsEnabled = (key, restrictions) => { - return checkUIRestrictions(key, restrictions, RESTRICTIONS_KEYS.WHITE_LISTED_GROUP_BY_FIELDS); + return checkUIRestrictions(key, restrictions, RESTRICTIONS_KEYS.ALLOW_LISTED_GROUP_BY_FIELDS); }; /** @@ -99,5 +99,5 @@ export const isGroupByFieldsEnabled = (key, restrictions) => { * @return {boolean} */ export const isTimerangeModeEnabled = (key, restrictions) => { - return checkUIRestrictions(key, restrictions, RESTRICTIONS_KEYS.WHITE_LISTED_TIMERANGE_MODES); + return checkUIRestrictions(key, restrictions, RESTRICTIONS_KEYS.ALLOW_LISTED_TIMERANGE_MODES); }; 
diff --git a/src/plugins/vis_type_timeseries/server/lib/search_strategies/default_search_capabilities.js b/src/plugins/vis_type_timeseries/server/lib/search_strategies/default_search_capabilities.js index 7807d0fb54c3..85c1de00557e 100644 --- a/src/plugins/vis_type_timeseries/server/lib/search_strategies/default_search_capabilities.js +++ b/src/plugins/vis_type_timeseries/server/lib/search_strategies/default_search_capabilities.js @@ -49,23 +49,41 @@ export class DefaultSearchCapabilities { return null; } + /** @deprecated use allowListedMetrics*/ get whiteListedMetrics() { return this.createUiRestriction(); } + /** @deprecated use allowListedGroupByFields*/ get whiteListedGroupByFields() { return this.createUiRestriction(); } + /** @deprecated use allowListedTimerangeMode*/ get whiteListedTimerangeModes() { return this.createUiRestriction(); } + get allowListedMetrics() { + return this.createUiRestriction(); + } + + get allowListedGroupByFields() { + return this.createUiRestriction(); + } + + get allowListedTimerangeModes() { + return this.createUiRestriction(); + } + get uiRestrictions() { return { [RESTRICTIONS_KEYS.WHITE_LISTED_METRICS]: this.whiteListedMetrics, [RESTRICTIONS_KEYS.WHITE_LISTED_GROUP_BY_FIELDS]: this.whiteListedGroupByFields, [RESTRICTIONS_KEYS.WHITE_LISTED_TIMERANGE_MODES]: this.whiteListedTimerangeModes, + [RESTRICTIONS_KEYS.ALLOW_LISTED_METRICS]: this.allowListedMetrics, + [RESTRICTIONS_KEYS.ALLOW_LISTED_GROUP_BY_FIELDS]: this.allowListedGroupByFields, + [RESTRICTIONS_KEYS.ALLOW_LISTED_TIMERANGE_MODES]: this.allowListedTimerangeModes, }; } diff --git a/src/plugins/vis_type_timeseries/server/lib/search_strategies/default_search_capabilities.test.js b/src/plugins/vis_type_timeseries/server/lib/search_strategies/default_search_capabilities.test.js index b318a06755f0..0bfe242a0d08 100644 --- a/src/plugins/vis_type_timeseries/server/lib/search_strategies/default_search_capabilities.test.js 
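Review bot: The new `allowListed*` getters return `this.createUiRestriction()` independently of the deprecated `whiteListed*` getters, while check_ui_restrictions.js in this commit now reads only the `ALLOW_LISTED_*` keys. A capabilities subclass that still overrides only `whiteListedMetrics` (none is visible in this diff, so this is inferred) would have its restriction replaced by the default, which the updated test shows as `{ '*': true }`, so the UI restriction fails open. Delegating keeps old overrides effective: `get allowListedMetrics() { return this.whiteListedMetrics; }`, and likewise for group-by fields and timerange modes. The third `@deprecated` tag also names `allowListedTimerangeMode`, missing the final `s`. The class body starts and ends outside the hunk.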
+++ b/src/plugins/vis_type_timeseries/server/lib/search_strategies/default_search_capabilities.test.js @@ -53,6 +53,9 @@ describe('DefaultSearchCapabilities', () => { whiteListedMetrics: { '*': true }, whiteListedGroupByFields: { '*': true }, whiteListedTimerangeModes: { '*': true }, + allowListedMetrics: { '*': true }, + allowListedGroupByFields: { '*': true }, + allowListedTimerangeModes: { '*': true }, }); }); diff --git a/src/plugins/vis_type_vega/public/services.ts b/src/plugins/vis_type_vega/public/services.ts index a8c9079372c3..d241b66d472c 100644 --- a/src/plugins/vis_type_vega/public/services.ts +++ b/src/plugins/vis_type_vega/public/services.ts @@ -57,4 +57,4 @@ export const [getMapsLegacyConfig, setMapsLegacyConfig] = createGetterSetter getInjectedVars().enableExternalUrls; export const getEmsTileLayerId = () => getMapsLegacyConfig().emsTileLayerId; -export const getShowRegionBlockedWarning = () => getMapsLegacyConfig().showRegionBlockedWarning; +export const getShowRegionDeniedWarning = () => getMapsLegacyConfig().showRegionDeniedWarning; diff --git a/src/plugins/vis_type_vega/public/vega_view/vega_map_view.js b/src/plugins/vis_type_vega/public/vega_view/vega_map_view.js index 2e39f1d3a47b..c1919631d12d 100644 --- a/src/plugins/vis_type_vega/public/vega_view/vega_map_view.js +++ b/src/plugins/vis_type_vega/public/vega_view/vega_map_view.js @@ -32,7 +32,7 @@ import { i18n } from '@osd/i18n'; import { vega } from '../lib/vega'; import { VegaBaseView } from './vega_base_view'; import { VegaMapLayer } from './vega_map_layer'; -import { getEmsTileLayerId, getShowRegionBlockedWarning, getUISettings } from '../services'; +import { getEmsTileLayerId, getShowRegionDeniedWarning, getUISettings } from '../services'; import { lazyLoadMapsLegacyModules } from '../../../maps_legacy/public'; export class VegaMapView extends VegaBaseView { 
@@ -58,7 +58,7 @@ export class VegaMapView extends VegaBaseView { baseMapOpts = { ...baseMapOpts, ...(await this._serviceSettings.getAttributesForTMSLayer(baseMapOpts, true, isDarkMode)), - showRegionBlockedWarning: getShowRegionBlockedWarning(), + showRegionDeniedWarning: getShowRegionDeniedWarning(), }; if (!baseMapOpts) { this.onWarn( diff --git a/test/api_integration/apis/core/index.js b/test/api_integration/apis/core/index.js index edca353e9af0..d35f9ad10590 100644 --- a/test/api_integration/apis/core/index.js +++ b/test/api_integration/apis/core/index.js @@ -44,7 +44,7 @@ export default function ({ getService }) { }); }); - it(`uses compression when there is a whitelisted referer`, async () => { + it(`uses compression when there is a allowlisted referer`, async () => { await supertest .get('/app/opensearch-dashboards') .set('accept-encoding', 'gzip') @@ -54,7 +54,7 @@ export default function ({ getService }) { }); }); - it(`doesn't use compression when there is a non-whitelisted referer`, async () => { + it(`doesn't use compression when there is a non-allowlisted referer`, async () => { await supertest .get('/app/opensearch-dashboards') .set('accept-encoding', 'gzip')