Merge pull request #5792 from epixa/remove-client-create

Remove ability to create kibana index via proxy

src/plugins/elasticsearch/index.js

@@ -1,3 +1,6 @@
+var _ = require('lodash');
+let Boom = require('boom');
+
 module.exports = function (kibana) {
   var healthCheck = require('./lib/health_check');
   var exposeClient = require('./lib/expose_client');
@@ -49,12 +52,28 @@ module.exports = function (kibana) {
         return reply.continue();
       }
 
+      function noCreateIndex(request, reply) {
+        const requestPath = _.trimRight(_.trim(request.path), '/');
+        const matchPath = createProxy.createPath(config.get('kibana.index'));
+
+        if (requestPath === matchPath) {
+          return reply(Boom.methodNotAllowed('You cannot modify the primary kibana index through this interface.'));
+        }
+
+        reply.continue();
+      }
+
+      // These routes are actually used to deal with things such as managing
+      // index patterns and advanced settings, but since hapi treats route
+      // wildcards as zero-or-more, the routes also match the kibana index
+      // itself. The client-side kibana code does not deal with creating nor
+      // destroying the kibana index, so we limit that ability here.
       createProxy(
         server,
         ['PUT', 'POST', 'DELETE'],
         '/' + config.get('kibana.index') + '/{paths*}',
         {
-          pre: [ noBulkCheck ]
+          pre: [ noCreateIndex, noBulkCheck ]
         }
       );
 

src/plugins/elasticsearch/lib/__tests__/create_proxy.js

@@ -0,0 +1,22 @@
+const expect = require('expect.js');
+const createProxy = require('../create_proxy');
+
+describe('plugins/elasticsearch', function () {
+  describe('lib/create_proxy', function () {
+
+    describe('#createPath', function () {
+      it('prepends /elasticsearch to route', function () {
+        const path = createProxy.createPath('/wat');
+        expect(path).to.equal('/elasticsearch/wat');
+      });
+
+      context('when arg does not start with a slash', function () {
+        it('adds slash anyway', function () {
+          const path = createProxy.createPath('wat');
+          expect(path).to.equal('/elasticsearch/wat');
+        });
+      });
+    });
+
+  });
+});

src/plugins/elasticsearch/lib/__tests__/routes.js

@@ -33,7 +33,8 @@ describe('plugins/elasticsearch', function () {
         }
       });
 
-      return kbnServer.ready();
+      return kbnServer.ready()
+      .then(() => kbnServer.server.plugins.elasticsearch.waitUntilReady());
     });
 
 
@@ -76,8 +77,19 @@ describe('plugins/elasticsearch', function () {
     testRoute({
       method: 'POST',
       url: '/elasticsearch/.kibana',
-      payload: {settings: { number_of_shards: 1 }},
-      statusCode: 200
+      statusCode: 405
+    });
+
+    testRoute({
+      method: 'PUT',
+      url: '/elasticsearch/.kibana',
+      statusCode: 405
+    });
+
+    testRoute({
+      method: 'DELETE',
+      url: '/elasticsearch/.kibana',
+      statusCode: 405
     });
 
     testRoute({

src/plugins/elasticsearch/lib/create_proxy.js

@@ -1,14 +1,12 @@
 var createAgent = require('./create_agent');
 var mapUri = require('./map_uri');
 var { resolve } = require('url');
-module.exports = function createProxy(server, method, route, config) {
 
-  var pre = '/elasticsearch';
-  var sep = route[0] === '/' ? '' : '/';
-  var path = `${pre}${sep}${route}`;
+function createProxy(server, method, route, config) {
+
   var options = {
     method: method,
-    path: path,
+    path: createProxy.createPath(route),
     handler: {
       proxy: {
         mapUri: mapUri(server),
@@ -24,3 +22,10 @@ module.exports = function createProxy(server, method, route, config) {
   server.route(options);
 };
 
+createProxy.createPath = function createPath(path) {
+  const pre = '/elasticsearch';
+  const sep = path[0] === '/' ? '' : '/';
+  return `${pre}${sep}${path}`;
+};
+
+module.exports = createProxy;