From 6bbd3c67e19af3ebe26bed0f48cfd239ea0750e4 Mon Sep 17 00:00:00 2001
From: Brad White
Date: Thu, 31 Aug 2023 20:03:23 -0600
Subject: [PATCH] Check where SES is running before passing along service token (#165411)

## Summary
If a user is running serverless ES in the cloud and serverless KBN locally, passing the token can trigger an invalid configuration error: `serviceAccountToken cannot be specified when "username" is also defined` Additionally, the token is likely invalid anyways because the SES instance was not seeded with it. This PR checks the `elasticsearch.hosts` configuration for non-localhost values before passing along the token.
## Testing
Add something like the following to `config/kibana.dev.yml` and run `yarn serverless`. Should not get a configuration error.
```yml
elasticsearch.hosts: https://xxxxxxxxxx.es.us-west2.gcp.elastic-cloud.com:443
elasticsearch.username: kibana_system_user
elasticsearch.password: xxxxxxxxxxxxxx
```
---------
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
---
 src/cli/serve/serve.js | 28 +++++++++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)
diff --git a/src/cli/serve/serve.js b/src/cli/serve/serve.js
index d03d7294e2806..911eecd45a9fb 100644
--- a/src/cli/serve/serve.js
+++ b/src/cli/serve/serve.js
@@ -44,8 +44,30 @@ const getBootstrapScript = (isDev) => {
 }
 };
-const setServerlessKibanaDevServiceAccountIfPossible = (set, opts) => {
- if (!opts.dev || !opts.serverless || process.env.isDevCliChild === 'true') {
+const setServerlessKibanaDevServiceAccountIfPossible = (get, set, opts) => {
+ const esHosts = [].concat(
+ get('elasticsearch.hosts', []),
+ opts.elasticsearch ? opts.elasticsearch.split(',') : []
+ );
+
+ /*
+ * We only handle the service token if serverless ES is running locally.
+ * Example would be if the user is running SES in the cloud and KBN serverless
+ * locally, they would be expected to handle auth on their own and this token
+ * is likely invalid anyways.
+ */
+ const isESlocalhost = esHosts.length
+ ? esHosts.some((hostUrl) => {
+ const parsedUrl = url.parse(hostUrl);
+ return (
+ parsedUrl.hostname === 'localhost' ||
+ parsedUrl.hostname === '127.0.0.1' ||
+ parsedUrl.hostname === 'host.docker.internal'
+ );
+ })
+ : true; // default is localhost:9200
+
+ if (!opts.dev || !opts.serverless || !isESlocalhost) {
 return;
 }
@@ -86,7 +108,7 @@ export function applyConfigOverrides(rawConfig, opts, extraCliOptions) {
 if (opts.dev) {
 if (opts.serverless) {
- setServerlessKibanaDevServiceAccountIfPossible(set, opts);
+ setServerlessKibanaDevServiceAccountIfPossible(get, set, opts);
 }
 if (!has('elasticsearch.serviceAccountToken') && opts.devCredentials !== false) {
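Review bot: The `isESlocalhost` computation uses `esHosts.some(...)`, so a host list that mixes one loopback entry with a remote one still counts as local, and the dev service account token would be set and presumably presented to the remote cluster too. `esHosts.every((hostUrl) => { ... })` would match the comment's stated intent of handling the token only when ES runs locally, and would also avoid the `serviceAccountToken cannot be specified when "username" is also defined` error in that mixed case. The new guard also drops the `process.env.isDevCliChild === 'true'` condition that the removed line carried, which the commit message does not mention; if that is intentional, a short comment saying why would help. Hosts written as IPv6 loopback, or without a scheme (where `url.parse` is unlikely to yield the expected hostname), match none of the three literals and take the no-token path, which fails closed but is worth a line in the block comment. The function body continues past the end of this hunk.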