Merge branch 'main' into 16717-event-driven-triggers-testing-ux

Author: yngrdyn

docs/reference/configuration-reference/internationalization-settings.md

@@ -30,8 +30,40 @@ When a user sets a preferred language, it is stored in their user profile and ta
 
 {{kib}} resolves the display language using the following priority chain:
 
-1. **User profile setting** — The language selected by the user in their profile or the user menu (must be one of `i18n.locales`).
-2. **`i18n.defaultLocale` config** — The server-wide default set in `kibana.yml`.
+1. **User profile setting** — The language selected by the user in their
+   profile or the user menu (must be one of `i18n.locales`).
+2. **`KBN_LOCALE` cookie** — The most recently rendered locale on this
+   browser. {{kib}} writes this cookie on every rendered response, so it
+   tracks profile changes automatically. The cookie is the fallback used
+   on surfaces where the profile isn't available — login pages, error
+   pages, and any browsing the user does after signing out. Only used
+   when the cookie value matches a locale {{kib}} can serve.
+3. **`Accept-Language` header** {applies_to}`serverless: ga` — On
+   serverless deployments, {{kib}} consults the browser's
+   `Accept-Language` preferences when neither the profile setting nor
+   the cookie produces a match. The first weighted preference that's an
+   exact match (region included) for an entry in `i18n.locales` wins.
+   This step is skipped on traditional/self-managed deployments to keep
+   existing users' language stable across upgrades.
+4. **`i18n.defaultLocale` config** — The server-wide default set in `kibana.yml`.
+
+#### About the `KBN_LOCALE` cookie
+
+{{kib}} sets a `KBN_LOCALE` cookie on every rendered response containing
+the resolved locale id (for example, `KBN_LOCALE=ja-JP`). Attributes:
+
+- Path scoped to the {{kib}} `serverBasePath`.
+- `SameSite=Lax`, `Max-Age` of one year, and `Secure` when the response is over HTTPS.
+- `HttpOnly`. The value is a preference, not a secret, but {{kib}} does not need browser-side JavaScript to read it.
+
+Privacy posture: `KBN_LOCALE` is a strictly-necessary preference cookie.
+It does not track the user, store identity, or enable cross-site activity.
+
+To disable the cookie entirely, set `i18n.allowLocaleCookie: false` in
+`kibana.yml`. When disabled, the per-user language selection still works via
+user profiles; however, anonymous pages and pages visited after signing out
+will always fall back to `i18n.defaultLocale` (or `Accept-Language` on
+serverless deployments) rather than remembering the previously resolved locale.
 
 ## Example configurations
 
@@ -51,4 +83,7 @@ i18n.defaultLocale: "en"
 
 # 4. Legacy form — still works, logs a deprecation warning at startup:
 i18n.locale: "ja-JP"
-```
+
+# 5. Disable the KBN_LOCALE cookie:
+i18n.allowLocaleCookie: false
+```

docs/reference/configuration-reference/internationalization-settings.yml

@@ -1,6 +1,6 @@
 ---
 # This file is used to generate "i18n settings" page in the product docs
-# For the schema and an example refer to the automated settings reference: 
+# For the schema and an example refer to the automated settings reference:
 # https://github.com/elastic/docs-builder/blob/main/docs/syntax/automated_settings.md
 
 product: Kibana
@@ -39,6 +39,19 @@ groups:
           ech: ga
           self: ga
 
+      - setting: i18n.allowLocaleCookie
+        description: |
+          When `true` (the default), {{kib}} writes a `KBN_LOCALE` cookie on every
+          rendered response so the browser remembers the resolved locale across
+          page loads, anonymous pages, and post-logout browsing. Set to `false`
+          to disable the cookie.
+        datatype: boolean
+        default: "true"
+        applies_to:
+          stack: ga 9.5+
+          ech: ga
+          self: ga
+
       - setting: i18n.locale
         description: |
           Set the {{kib}} interface language.
@@ -59,4 +72,4 @@ groups:
         applies_to:
           stack: deprecated 9.5+
           ech: ga
-          self: ga
+          self: ga

packages/kbn-mock-idp-plugin/public/role_switcher.tsx

@@ -33,16 +33,16 @@ export const useAuthenticator = (reloadPage = false) => {
       body: JSON.stringify(params),
     });
 
-    if (reloadPage) {
-      const form = createForm(
-        services.http.basePath.prepend('/api/security/saml/callback'),
-        response
-      );
+    const { acsUrl, ...samlFields } = response;
+    const formAction = acsUrl ?? services.http.basePath.prepend('/api/security/saml/callback');
+
+    if (reloadPage || acsUrl) {
+      const form = createForm(formAction, samlFields);
       form.submit();
       await new Promise(() => {});
     } else {
       await services.http.post('/api/security/saml/callback', {
-        body: JSON.stringify(response),
+        body: JSON.stringify(samlFields),
         asResponse: true,
         rawResponse: true,
       });

packages/kbn-mock-idp-plugin/server/plugin.ts

@@ -201,6 +201,13 @@ export const plugin: PluginInitializer<void, void, PluginSetupDependencies> = as
             const parsed = new URL(request.body.url, 'https://localhost');
             const relayState = parsed.searchParams.get('RelayState') ?? undefined;
 
+            // Kibana-bound ACS URLs are intentionally left to the `onPreResponse` rewrite above;
+            // we only override here for external SPs (e.g. UIAM).
+            const externalAcsUrl =
+              samlRequestInfo?.acsUrl && !samlRequestInfo.acsUrl.startsWith(MOCK_IDP_SP_BASE_URL)
+                ? samlRequestInfo.acsUrl
+                : undefined;
+
             return response.ok({
               body: {
                 SAMLResponse: await createSAMLResponse({
@@ -212,9 +219,13 @@ export const plugin: PluginInitializer<void, void, PluginSetupDependencies> = as
                     ? { authnRequestId: samlRequestInfo.requestId }
                     : {}),
                   ...(samlRequestInfo?.issuer ? { spEntityId: samlRequestInfo.issuer } : {}),
+                  ...(externalAcsUrl ? { acsUrl: externalAcsUrl } : {}),
                   ...serverlessOptions,
                 }),
                 ...(relayState ? { RelayState: relayState } : {}),
+                // Echoed alongside SAMLResponse so the browser's auto-submitted form posts to UIAM
+                // instead of the default Kibana ACS endpoint (see mock_idp_page form action).
+                ...(externalAcsUrl ? { acsUrl: externalAcsUrl } : {}),
               },
             });
           } catch (err) {

packages/kbn-optimizer/limits.yml

@@ -169,7 +169,7 @@ pageLoadAssetSize:
   securitySolutionEss: 38689
   securitySolutionServerless: 52082
   serverless: 7412
-  serverlessObservability: 19300
+  serverlessObservability: 21437
   serverlessSearch: 26287
   serverlessVectordb: 7618
   serverlessWorkplaceAI: 4855

src/cli/serve/serve.js

@@ -462,6 +462,7 @@ function tryConfigureServerlessSamlProvider(rawConfig, opts, extraCliOptions) {
   // Ensure the plugin is loaded in dynamically to exclude from production build
   const {
     MOCK_IDP_REALM_NAME,
+    MOCK_IDP_UIAM_OAUTH_BASE_URL,
     MOCK_IDP_UIAM_SERVICE_URL,
     MOCK_IDP_UIAM_SHARED_SECRET,
     MOCK_IDP_UIAM_ORGANIZATION_ID,
@@ -515,6 +516,14 @@ function tryConfigureServerlessSamlProvider(rawConfig, opts, extraCliOptions) {
     lodashSet(rawConfig, 'xpack.security.uiam.ssl.verificationMode', 'none');
     lodashSet(rawConfig, 'mockIdpPlugin.uiam.enabled', true);
 
+    // SAML POST binding submits the response cross-origin to UIAM's ACS endpoint, so the
+    // enforced `form-action` directive (default `'self'`) needs to allow the UIAM origin.
+    const uiamOAuthOrigin = new url.URL(MOCK_IDP_UIAM_OAUTH_BASE_URL).origin;
+    const existingFormAction = _.get(rawConfig, 'csp.form_action', []);
+    if (!existingFormAction.includes(uiamOAuthOrigin)) {
+      lodashSet(rawConfig, 'csp.form_action', [...existingFormAction, uiamOAuthOrigin]);
+    }
+
     if (!_.has(rawConfig, 'xpack.security.uiam.url')) {
       lodashSet(rawConfig, 'xpack.security.uiam.url', MOCK_IDP_UIAM_SERVICE_URL);
     }

src/cli/serve/serve.test.js

@@ -85,6 +85,7 @@ describe('applyConfigOverrides', () => {
 
   it('alters config to enable SAML Mock IdP and UIAM in serverless dev mode', () => {
     expect(applyConfigOverrides({}, { dev: true, serverless: true, uiam: true }, {}, {})).toEqual({
+      csp: { form_action: ['https://localhost:8444'] },
       elasticsearch: {
         hosts: ['https://localhost:9200'],
         serviceAccountToken: kibanaDevServiceAccount.token,

src/core/packages/http/resources-server-internal/src/http_resources_service.test.ts

@@ -134,6 +134,42 @@ describe('HttpResources service', () => {
               }
             );
           });
+
+          it('merges Set-Cookie from rendering with caller-provided headers', async () => {
+            register(routeConfig, async (ctx, req, res) => {
+              return res.renderCoreApp({ headers: { 'x-extra': 'yes' } });
+            });
+            const [[, routeHandler]] = router.get.mock.calls;
+
+            const responseFactory = createHttpResourcesResponseFactory();
+            await routeHandler(context, kibanaRequest, responseFactory);
+
+            expect(responseFactory.ok).toHaveBeenCalledWith(
+              expect.objectContaining({
+                headers: expect.objectContaining({
+                  'set-cookie': expect.arrayContaining([expect.stringContaining('KBN_LOCALE=')]),
+                  'x-extra': 'yes',
+                }),
+              })
+            );
+          });
+
+          it('preserves both KBN_LOCALE and a caller-provided set-cookie', async () => {
+            register(routeConfig, async (ctx, req, res) => {
+              return res.renderCoreApp({ headers: { 'set-cookie': 'foo=bar' } });
+            });
+            const [[, routeHandler]] = router.get.mock.calls;
+
+            const responseFactory = createHttpResourcesResponseFactory();
+            await routeHandler(context, kibanaRequest, responseFactory);
+
+            const { headers } = (responseFactory.ok as jest.Mock).mock.calls[0][0];
+            const cookies: string[] = Array.isArray(headers['set-cookie'])
+              ? headers['set-cookie']
+              : [headers['set-cookie']];
+            expect(cookies.some((c: string) => c.includes('KBN_LOCALE='))).toBe(true);
+            expect(cookies.some((c: string) => c.includes('foo=bar'))).toBe(true);
+          });
         });
 
         describe('renderAnonymousCoreApp', () => {
@@ -156,6 +192,23 @@ describe('HttpResources service', () => {
               }
             );
           });
+
+          it('preserves both KBN_LOCALE and a caller-provided set-cookie', async () => {
+            register(routeConfig, async (ctx, req, res) => {
+              return res.renderAnonymousCoreApp({ headers: { 'set-cookie': 'foo=bar' } });
+            });
+            const [[, routeHandler]] = router.get.mock.calls;
+
+            const responseFactory = createHttpResourcesResponseFactory();
+            await routeHandler(context, kibanaRequest, responseFactory);
+
+            const { headers } = (responseFactory.ok as jest.Mock).mock.calls[0][0];
+            const cookies: string[] = Array.isArray(headers['set-cookie'])
+              ? headers['set-cookie']
+              : [headers['set-cookie']];
+            expect(cookies.some((c: string) => c.includes('KBN_LOCALE='))).toBe(true);
+            expect(cookies.some((c: string) => c.includes('foo=bar'))).toBe(true);
+          });
         });
 
         describe('renderHtml', () => {

src/core/packages/http/resources-server-internal/src/http_resources_service.ts

@@ -14,6 +14,7 @@ import type {
   RouteConfig,
   KibanaRequest,
   KibanaResponseFactory,
+  ResponseHeaders,
 } from '@kbn/core-http-server';
 import type {
   InternalHttpServiceSetup,
@@ -34,6 +35,26 @@ import type {
 
 import type { InternalHttpResourcesSetup } from './types';
 
+const toArray = (val: string | string[] | undefined): string[] => {
+  if (val === undefined) return [];
+  return Array.isArray(val) ? val : [val];
+};
+
+const mergeRenderHeaders = (
+  renderHeaders: ResponseHeaders,
+  optionsHeaders: ResponseHeaders = {}
+): ResponseHeaders => {
+  const setCookie = [
+    ...toArray(renderHeaders['set-cookie']),
+    ...toArray(optionsHeaders['set-cookie']),
+  ];
+  return {
+    ...renderHeaders,
+    ...optionsHeaders,
+    ...(setCookie.length > 0 ? { 'set-cookie': setCookie } : {}),
+  };
+};
+
 /**
  * @internal
  */
@@ -114,26 +135,26 @@ export class HttpResourcesService implements CoreService<InternalHttpResourcesSe
     return {
       async renderCoreApp(options: HttpResourcesRenderOptions = {}) {
         const { uiSettings } = await context.core;
-        const body = await deps.rendering.render(request, uiSettings, {
+        const { body, headers: renderHeaders } = await deps.rendering.render(request, uiSettings, {
           isAnonymousPage: false,
           includeExposedConfigKeys: options.includeExposedConfigKeys,
         });
 
         return response.ok({
           body,
-          headers: options.headers,
+          headers: mergeRenderHeaders(renderHeaders, options.headers),
         });
       },
       async renderAnonymousCoreApp(options: HttpResourcesRenderOptions = {}) {
         const { uiSettings } = await context.core;
-        const body = await deps.rendering.render(request, uiSettings, {
+        const { body, headers: renderHeaders } = await deps.rendering.render(request, uiSettings, {
           isAnonymousPage: true,
           includeExposedConfigKeys: options.includeExposedConfigKeys,
         });
 
         return response.ok({
           body,
-          headers: options.headers,
+          headers: mergeRenderHeaders(renderHeaders, options.headers),
         });
       },
       renderHtml(options: HttpResourcesResponseOptions) {

src/core/packages/i18n/server-internal/moon.yml

@@ -32,6 +32,7 @@ dependsOn:
   - '@kbn/std'
   - '@kbn/repo-packages'
   - '@kbn/core-http-router-server-mocks'
+  - '@kbn/core-http-router-server-internal'
 tags:
   - shared-server
   - package