[9.1] [User profiles] Strict user profile setting keys (#241213) (#245266)

# Backport

This will backport the following commits from `main` to `9.1`:
- [[User profiles] Strict user profile setting keys
(#241213)](#241213)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT
[{"author":{"name":"Sid","email":"siddharthmantri1@gmail.com"},"sourceCommit":{"committedDate":"2025-12-04T15:33:51Z","message":"[User
profiles] Strict user profile setting keys (#241213)\n\n##
Summary\n\nAdds strict schema validation to the user profile update API
endpoint\n(/internal/security/user_profile/_data) to restrict the
request body to\njust allowed fields.\n\nThe PR also introduces some
reasonable defaults for string length for\ncolors and initials.\n\n###
Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers
should verify this PR satisfies this list as well.\n\n- [ ] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- [ ] [Flaky
Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\nused on any tests changed\n- [ ] The PR description includes the
appropriate Release Notes section,\nand the correct `release_note:*`
label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n\n---------\n\nCo-authored-by:
Elastic Machine
<elasticmachine@users.noreply.github.com>","sha":"90fdc5f8bbbb90640c08d531c3c52556ec324ec7","branchLabelMapping":{"^v9.3.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Security","release_note:skip","Feature:Security/User
Profile","backport:all-open","v9.3.0"],"title":"[User profiles] Strict
user profile setting
keys","number":241213,"url":"https://github.com/elastic/kibana/pull/241213","mergeCommit":{"message":"[User
profiles] Strict user profile setting keys (#241213)\n\n##
Summary\n\nAdds strict schema validation to the user profile update API
endpoint\n(/internal/security/user_profile/_data) to restrict the
request body to\njust allowed fields.\n\nThe PR also introduces some
reasonable defaults for string length for\ncolors and initials.\n\n###
Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers
should verify this PR satisfies this list as well.\n\n- [ ] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- [ ] [Flaky
Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\nused on any tests changed\n- [ ] The PR description includes the
appropriate Release Notes section,\nand the correct `release_note:*`
label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n\n---------\n\nCo-authored-by:
Elastic Machine
<elasticmachine@users.noreply.github.com>","sha":"90fdc5f8bbbb90640c08d531c3c52556ec324ec7"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.3.0","branchLabelMappingKey":"^v9.3.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/241213","number":241213,"mergeCommit":{"message":"[User
profiles] Strict user profile setting keys (#241213)\n\n##
Summary\n\nAdds strict schema validation to the user profile update API
endpoint\n(/internal/security/user_profile/_data) to restrict the
request body to\njust allowed fields.\n\nThe PR also introduces some
reasonable defaults for string length for\ncolors and initials.\n\n###
Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers
should verify this PR satisfies this list as well.\n\n- [ ] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- [ ] [Flaky
Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\nused on any tests changed\n- [ ] The PR description includes the
appropriate Release Notes section,\nand the correct `release_note:*`
label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n\n---------\n\nCo-authored-by:
Elastic Machine
<elasticmachine@users.noreply.github.com>","sha":"90fdc5f8bbbb90640c08d531c3c52556ec324ec7"}}]}]
BACKPORT-->

Co-authored-by: Sid <siddharthmantri1@gmail.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>

Author: 3 people

x-pack/platform/plugins/shared/security/server/routes/user_profile/update.test.ts

@@ -67,25 +67,178 @@ describe('Update profile routes', () => {
     it('correctly defines route.', () => {
       const bodySchema = (routeConfig.validate as any).body as ObjectType;
       expect(() => bodySchema.validate(0)).toThrowErrorMatchingInlineSnapshot(
-        `"expected value of type [object] but got [number]"`
+        `"expected a plain object value, but found [number] instead."`
       );
       expect(() => bodySchema.validate('avatar')).toThrowErrorMatchingInlineSnapshot(
-        `"could not parse record value from json input"`
+        `"could not parse object value from json input"`
       );
       expect(() => bodySchema.validate(true)).toThrowErrorMatchingInlineSnapshot(
-        `"expected value of type [object] but got [boolean]"`
-      );
-      expect(() => bodySchema.validate(null)).toThrowErrorMatchingInlineSnapshot(
-        `"expected value of type [object] but got [null]"`
-      );
-      expect(() => bodySchema.validate(undefined)).toThrowErrorMatchingInlineSnapshot(
-        `"expected value of type [object] but got [undefined]"`
+        `"expected a plain object value, but found [boolean] instead."`
       );
 
       expect(bodySchema.validate({})).toEqual({});
       expect(
-        bodySchema.validate({ title: 'some-title', content: { deepProperty: { type: 'basic' } } })
-      ).toEqual({ title: 'some-title', content: { deepProperty: { type: 'basic' } } });
+        bodySchema.validate({
+          avatar: { initials: 'some-initials', color: 'some-color', imageUrl: 'some-image-url' },
+          userSettings: { darkMode: 'dark', contrastMode: 'high' },
+        })
+      ).toEqual({
+        avatar: { initials: 'some-initials', color: 'some-color', imageUrl: 'some-image-url' },
+        userSettings: { darkMode: 'dark', contrastMode: 'high' },
+      });
+    });
+
+    it('rejects invalid darkMode enum values.', () => {
+      const bodySchema = (routeConfig.validate as any).body as ObjectType;
+
+      // Valid values should pass
+      expect(
+        bodySchema.validate({
+          userSettings: { darkMode: 'system' },
+        })
+      ).toEqual({ userSettings: { darkMode: 'system' } });
+
+      expect(
+        bodySchema.validate({
+          userSettings: { darkMode: 'dark' },
+        })
+      ).toEqual({ userSettings: { darkMode: 'dark' } });
+
+      expect(
+        bodySchema.validate({
+          userSettings: { darkMode: 'light' },
+        })
+      ).toEqual({ userSettings: { darkMode: 'light' } });
+
+      expect(
+        bodySchema.validate({
+          userSettings: { darkMode: 'space_default' },
+        })
+      ).toEqual({ userSettings: { darkMode: 'space_default' } });
+
+      // Invalid values should fail
+      expect(() =>
+        bodySchema.validate({
+          userSettings: { darkMode: 'invalid' },
+        })
+      ).toThrow();
+
+      expect(() =>
+        bodySchema.validate({
+          userSettings: { darkMode: 'INVALID' },
+        })
+      ).toThrow();
+
+      expect(() =>
+        bodySchema.validate({
+          userSettings: { darkMode: 123 },
+        })
+      ).toThrow();
+    });
+
+    it('rejects invalid contrastMode enum values.', () => {
+      const bodySchema = (routeConfig.validate as any).body as ObjectType;
+
+      // Valid values should pass
+      expect(
+        bodySchema.validate({
+          userSettings: { contrastMode: 'system' },
+        })
+      ).toEqual({ userSettings: { contrastMode: 'system' } });
+
+      expect(
+        bodySchema.validate({
+          userSettings: { contrastMode: 'standard' },
+        })
+      ).toEqual({ userSettings: { contrastMode: 'standard' } });
+
+      expect(
+        bodySchema.validate({
+          userSettings: { contrastMode: 'high' },
+        })
+      ).toEqual({ userSettings: { contrastMode: 'high' } });
+
+      // Invalid values should fail
+      expect(() =>
+        bodySchema.validate({
+          userSettings: { contrastMode: 'invalid' },
+        })
+      ).toThrow();
+
+      expect(() =>
+        bodySchema.validate({
+          userSettings: { contrastMode: 'INVALID' },
+        })
+      ).toThrow();
+
+      expect(() =>
+        bodySchema.validate({
+          userSettings: { contrastMode: 123 },
+        })
+      ).toThrow();
+    });
+
+    it('rejects avatar initials exceeding max length.', () => {
+      const bodySchema = (routeConfig.validate as any).body as ObjectType;
+      const MAX_STRING_FIELD_LENGTH = 1024;
+
+      // Valid length should pass
+      const validInitials = 'a'.repeat(MAX_STRING_FIELD_LENGTH);
+      expect(
+        bodySchema.validate({
+          avatar: { initials: validInitials },
+        })
+      ).toEqual({ avatar: { color: null, imageUrl: null, initials: validInitials } });
+
+      const invalidInitials = 'a'.repeat(MAX_STRING_FIELD_LENGTH + 1);
+      expect(() =>
+        bodySchema.validate({
+          avatar: { initials: invalidInitials },
+        })
+      ).toThrowErrorMatchingInlineSnapshot(`
+        "[avatar.initials]: types that failed validation:
+        - [avatar.initials.0]: value has length [1025] but it must have a maximum length of [1024].
+        - [avatar.initials.1]: expected value to equal [null]"
+      `);
+    });
+
+    it('rejects avatar color exceeding max length.', () => {
+      const bodySchema = (routeConfig.validate as any).body as ObjectType;
+      const MAX_STRING_FIELD_LENGTH = 1024;
+
+      const validColor = 'a'.repeat(MAX_STRING_FIELD_LENGTH);
+      expect(
+        bodySchema.validate({
+          avatar: { color: validColor },
+        })
+      ).toEqual({ avatar: { color: validColor, imageUrl: null, initials: null } });
+
+      const invalidColor = 'a'.repeat(MAX_STRING_FIELD_LENGTH + 1);
+      expect(() =>
+        bodySchema.validate({
+          avatar: { color: invalidColor },
+        })
+      ).toThrowErrorMatchingInlineSnapshot(`
+        "[avatar.color]: types that failed validation:
+        - [avatar.color.0]: value has length [1025] but it must have a maximum length of [1024].
+        - [avatar.color.1]: expected value to equal [null]"
+      `);
+    });
+
+    it('allows null values for avatar initials and color.', () => {
+      const bodySchema = (routeConfig.validate as any).body as ObjectType;
+
+      expect(
+        bodySchema.validate({
+          avatar: { initials: null, color: null },
+        })
+      ).toEqual({ avatar: { imageUrl: null, initials: null, color: null } });
+    });
+
+    it('validates body size limit is configured correctly.', () => {
+      const MAX_USER_PROFILE_DATA_SIZE_BYTES = 1000 * 1024;
+
+      expect(routeConfig.options?.body?.maxBytes).toBe(MAX_USER_PROFILE_DATA_SIZE_BYTES);
     });
 
     it('fails if session is not found.', async () => {

x-pack/platform/plugins/shared/security/server/routes/user_profile/update.ts

@@ -17,6 +17,36 @@ import { createLicensedRouteHandler } from '../licensed_route_handler';
 /** User profile data keys that are allowed to be updated by Cloud users */
 const ALLOWED_KEYS_UPDATE_CLOUD = ['userSettings.darkMode', 'userSettings.contrastMode'];
 
+const MAX_STRING_FIELD_LENGTH = 1024;
+
+const MAX_USER_PROFILE_DATA_SIZE_BYTES = 1000 * 1024;
+
+const userProfileUpdateSchema = schema.object({
+  avatar: schema.maybe(
+    schema.object({
+      initials: schema.nullable(schema.string({ maxLength: MAX_STRING_FIELD_LENGTH })),
+      color: schema.nullable(schema.string({ maxLength: MAX_STRING_FIELD_LENGTH })),
+      imageUrl: schema.nullable(schema.string()),
+    })
+  ),
+  userSettings: schema.maybe(
+    schema.object({
+      darkMode: schema.maybe(
+        schema.oneOf([
+          schema.literal('system'),
+          schema.literal('dark'),
+          schema.literal('light'),
+          schema.literal('space_default'),
+        ])
+      ),
+      contrastMode: schema.maybe(
+        schema.oneOf([schema.literal('system'), schema.literal('standard'), schema.literal('high')])
+      ),
+      'solutionNavigationTour:completed': schema.maybe(schema.boolean()),
+    })
+  ),
+});
+
 export function defineUpdateUserProfileDataRoute({
   router,
   getSession,
@@ -35,7 +65,12 @@ export function defineUpdateUserProfileDataRoute({
         },
       },
       validate: {
-        body: schema.recordOf(schema.string(), schema.any()),
+        body: userProfileUpdateSchema,
+      },
+      options: {
+        body: {
+          maxBytes: MAX_USER_PROFILE_DATA_SIZE_BYTES,
+        },
       },
     },
     createLicensedRouteHandler(async (context, request, response) => {

x-pack/platform/test/cases_api_integration/security_and_spaces/tests/common/internal/user_actions_get_users.ts

@@ -470,11 +470,10 @@ export default ({ getService }: FtrProviderContext): void => {
             supertest,
             req: {
               // @ts-expect-error: types are not correct
-              initials: 4,
-              // @ts-expect-error: types are not correct
-              color: true,
+              initials: null,
               // @ts-expect-error: types are not correct
-              imageUrl: [],
+              color: null,
+              imageUrl: null,
             },
             headers: superUserHeaders,
           });

x-pack/platform/test/security_api_integration/tests/user_profiles/bulk_get.ts

@@ -104,7 +104,13 @@ export default function ({ getService }: FtrProviderContext) {
             .post('/internal/security/user_profile/_data')
             .set('kbn-xsrf', 'xxx')
             .set('Cookie', usersSessions.get(`user_${userPrefix}`)!.cookie.cookieString())
-            .send({ some: `data-${userPrefix}` })
+            .send({
+              avatar: {
+                initials: `some-initials-${userPrefix}`,
+                color: `some-color-${userPrefix}`,
+              },
+              userSettings: { darkMode: `dark`, contrastMode: `high` },
+            })
             .expect(200)
         )
       );
@@ -145,7 +151,7 @@ export default function ({ getService }: FtrProviderContext) {
         .set('kbn-xsrf', 'xxx')
         .send({
           uids: [usersSessions.get('user_one')!.uid, usersSessions.get('user_two')!.uid],
-          dataPath: 'some',
+          dataPath: 'avatar',
         })
         .expect(200);
       expect(profiles.body).to.have.length(2);
@@ -155,7 +161,11 @@ export default function ({ getService }: FtrProviderContext) {
         Array [
           Object {
             "data": Object {
-              "some": "data-one",
+              "avatar": Object {
+                "color": "some-color-one",
+                "imageUrl": null,
+                "initials": "some-initials-one",
+              },
             },
             "user": Object {
               "email": "one@elastic.co",
@@ -165,7 +175,11 @@ export default function ({ getService }: FtrProviderContext) {
           },
           Object {
             "data": Object {
-              "some": "data-two",
+              "avatar": Object {
+                "color": "some-color-two",
+                "imageUrl": null,
+                "initials": "some-initials-two",
+              },
             },
             "user": Object {
               "email": "two@elastic.co",

x-pack/platform/test/security_api_integration/tests/user_profiles/get_current.ts

@@ -51,7 +51,10 @@ export default function ({ getService }: FtrProviderContext) {
         .post('/internal/security/user_profile/_data')
         .set('kbn-xsrf', 'xxx')
         .set('Cookie', sessionCookie.cookieString())
-        .send({ some: 'data', another: 'another-data' })
+        .send({
+          avatar: { initials: 'some-initials', color: 'some-color' },
+          userSettings: { darkMode: 'dark', contrastMode: 'high' },
+        })
         .expect(200);
 
       const { body: profileWithoutData } = await supertestWithoutAuth
@@ -96,8 +99,15 @@ export default function ({ getService }: FtrProviderContext) {
       expectSnapshot(profileWithAllData).toMatchInline(`
         Object {
           "data": Object {
-            "another": "another-data",
-            "some": "data",
+            "avatar": Object {
+              "color": "some-color",
+              "imageUrl": null,
+              "initials": "some-initials",
+            },
+            "userSettings": Object {
+              "contrastMode": "high",
+              "darkMode": "dark",
+            },
           },
           "enabled": true,
           "labels": Object {},
@@ -119,9 +129,7 @@ export default function ({ getService }: FtrProviderContext) {
       `);
       expectSnapshot(profileWithSomeData).toMatchInline(`
         Object {
-          "data": Object {
-            "some": "data",
-          },
+          "data": Object {},
           "enabled": true,
           "labels": Object {},
           "uid": "u_K1WXIRQbRoHiuJylXp842IEhAO_OdqT7SDHrJSzUIjU_0",