Handles security disabled

jeramysoucy · jeramysoucy · commit 2796f501e5de · 2026-05-27T15:09:00.000+02:00
diff --git a/x-pack/platform/plugins/shared/security/server/user_profile/user_profile_service.test.ts b/x-pack/platform/plugins/shared/security/server/user_profile/user_profile_service.test.ts
@@ -752,6 +752,96 @@ describe('UserProfileService', () => {
         ).toHaveBeenCalledTimes(1);
       });
     });
+
+    describe(`when security is disabled`, () => {
+      beforeEach(() => {
+        userProfileService = new UserProfileService(logger);
+        const license = licenseMock.create({ allowUserProfileCollaboration: true });
+        license.isEnabled.mockReturnValue(false);
+        userProfileService.setup({ authz: mockAuthz, license });
+      });
+
+      it('returns `null` for basic auth requests without calling any ES APIs or recording telemetry', async () => {
+        (securityTelemetry.recordGetCurrentProfileInvocation as jest.Mock).mockClear();
+
+        const request = httpServerMock.createKibanaRequest({
+          headers: {
+            authorization: `basic ${Buffer.from('user:pass').toString('base64')}`,
+          },
+        });
+
+        const startContract = userProfileService.start(mockStartParams);
+        await expect(startContract.getCurrent({ request })).resolves.toBeNull();
+
+        expect(
+          mockStartParams.clusterClient.asInternalUser.security.activateUserProfile
+        ).not.toHaveBeenCalled();
+        expect(
+          mockStartParams.clusterClient.asInternalUser.security.getUserProfile
+        ).not.toHaveBeenCalled();
+        expect(securityTelemetry.recordGetCurrentProfileInvocation).not.toHaveBeenCalled();
+      });
+
+      it('returns `null` for API key requests without calling any ES APIs or recording telemetry', async () => {
+        (securityTelemetry.recordGetCurrentProfileInvocation as jest.Mock).mockClear();
+
+        const testApiKeyId = 'some-api-key-id';
+        const testApiKeyValue = 'some-api-key-value';
+        const request = httpServerMock.createKibanaRequest({
+          headers: {
+            authorization: `apikey ${Buffer.from(`${testApiKeyId}:${testApiKeyValue}`).toString(
+              'base64'
+            )}`,
+          },
+        });
+
+        const startContract = userProfileService.start(mockStartParams);
+        await expect(startContract.getCurrent({ request })).resolves.toBeNull();
+
+        expect(
+          mockStartParams.clusterClient.asScoped().asCurrentUser.security.getApiKey
+        ).not.toHaveBeenCalled();
+        expect(
+          mockStartParams.clusterClient.asInternalUser.security.getUserProfile
+        ).not.toHaveBeenCalled();
+        expect(securityTelemetry.recordGetCurrentProfileInvocation).not.toHaveBeenCalled();
+      });
+
+      it('returns `null` for session-authenticated requests without calling any ES APIs or recording telemetry', async () => {
+        (securityTelemetry.recordGetCurrentProfileInvocation as jest.Mock).mockClear();
+        mockStartParams.session.getSID.mockResolvedValue('some-session-id');
+
+        const startContract = userProfileService.start(mockStartParams);
+        await expect(startContract.getCurrent({ request: mockRequest })).resolves.toBeNull();
+
+        expect(mockStartParams.session.getSID).not.toHaveBeenCalled();
+        expect(mockStartParams.session.get).not.toHaveBeenCalled();
+        expect(
+          mockStartParams.clusterClient.asInternalUser.security.getUserProfile
+        ).not.toHaveBeenCalled();
+        expect(securityTelemetry.recordGetCurrentProfileInvocation).not.toHaveBeenCalled();
+      });
+
+      it('returns `null` for requests with runas header without calling any ES APIs or recording telemetry', async () => {
+        (securityTelemetry.recordGetCurrentProfileInvocation as jest.Mock).mockClear();
+
+        const request = httpServerMock.createKibanaRequest({
+          headers: { 'es-security-runas-user': 'some-user' },
+        });
+
+        const startContract = userProfileService.start(mockStartParams);
+        await expect(startContract.getCurrent({ request })).resolves.toBeNull();
+
+        expect(mockStartParams.session.getSID).not.toHaveBeenCalled();
+        expect(
+          mockStartParams.clusterClient.asInternalUser.security.activateUserProfile
+        ).not.toHaveBeenCalled();
+        expect(
+          mockStartParams.clusterClient.asInternalUser.security.getUserProfile
+        ).not.toHaveBeenCalled();
+        expect(securityTelemetry.recordGetCurrentProfileInvocation).not.toHaveBeenCalled();
+      });
+    });
   });
 
   describe('#update', () => {
diff --git a/x-pack/platform/plugins/shared/security/server/user_profile/user_profile_service.ts b/x-pack/platform/plugins/shared/security/server/user_profile/user_profile_service.ts
@@ -356,6 +356,13 @@ export class UserProfileService {
     sessionlessUserProfileRetrievalEnabled: boolean,
     { request, dataPath }: UserProfileGetCurrentParams
   ) {
+    if (!this.license?.isEnabled()) {
+      this.logger.debug(
+        'Skipping user profile retrieval: security features are disabled in Elasticsearch.'
+      );
+      return null;
+    }
+
     if (request.auth.isAuthenticated === false) {
       throw new Error('Request to get current user profile is not authenticated.');
     }
