[POC] Use WebAssembly build of package-spec for package validation

[joshdover]

Summary

Related to #115032
Uses a WebAssembly build from elastic/package-spec#285

This imports a WebAssembly (wasm) build of the package-spec validation code and applies it to all packages installed via upload. It will fail to install these packages if they do not pass the package-spec validation.

For instance, this fails on the endpoint package today with this error (due to elastic/package-spec#23):

Failed installing package [endpoint] due to error: [found 2 validation errors:
   1. item [index_template] is not allowed in folder [endpoint-1.5.0.zip/elasticsearch]
   2. item [transform] is not allowed in folder [endpoint-1.5.0.zip/elasticsearch]
]

Maybe for now we make this a dev-only log warning to start?

Checklist

Delete any items that are not applicable to this PR.

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• Any UI touched in this PR is usable by keyboard only (learn more about keyboard accessibility)
• Any UI touched in this PR does not create any new axe failures (run axe in browser: FF, Chrome)
• If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
• This renders correctly on smaller devices using a responsive layout. (You can test this in your browser)
• This was checked for cross-browser compatibility

Risk Matrix

Delete this section if it is not applicable to this PR.

Before closing this PR, invite QA, stakeholders, and other developers to identify risks that should be tested prior to the change/feature release.

When forming the risk matrix, consider some of the following examples and how they may potentially impact the change:

Risk	Probability	Severity	Mitigation/Notes
Multiple Spaces—unexpected behavior in non-default Kibana Space.	Low	High	Integration tests will verify that all features are still supported in non-default Kibana Space and when user switches between spaces.
Multiple nodes—Elasticsearch polling might have race conditions when multiple Kibana nodes are polling for the same tasks.	High	Low	Tasks are idempotent, so executing them multiple times will not result in logical error, but will degrade performance. To test for this case we add plenty of unit tests around this logic and document manual testing procedure.
Code should gracefully handle cases when feature X or plugin Y are disabled.	Medium	High	Unit tests will verify that any feature flag or plugin combination still results in our service operational.
See more potential risk examples

For maintainers

• This was checked for breaking API changes and was labeled appropriately

[joshdover]

@elastic/kibana-security I noticed that we have no other usages of WASM in Kibana today. Are there any known reasons we can't or shouldn't pursue this option?

[kibana-ci]

💔 Build Failed

• Buildkite Build
• Commit: 921353f
• Interpreting CI Failures
• Storybooks Preview
• Webpack Bundle Analyzer

Failed CI Steps

• Docker CI Group
• Docker CI Group
• Jest Tests #8

Test Failures

• [job] [logs] Docker CI Group / endpoint "before all" hook in "endpoint"
• [job] [logs] Docker CI Group / endpoint "before all" hook in "endpoint"
• [job] [logs] Jest Tests #8 / install registry should install from bundled package if one exists

Metrics [docs]

Unknown metric groups

ESLint disabled in files

id	before	after	diff
fleet	8	9	+1

Total ESLint disabled count

id	before	after	diff
fleet	55	56	+1

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[legrego]

@elastic/kibana-security I noticed that we have no other usages of WASM in Kibana today. Are there any known reasons we can't or shouldn't pursue this option?

Thanks for asking! I'll let others on the team respond do your direct usage, which appears to be server-side. I don't know enough to have an opinion one way or another here.

For client-side WASM, we would likely need a CSP that included either script-src: unsafe-eval or script-src: wasm-unsafe-eval. We are actively working to remove unsafe-eval, and I'm not keen on adding wasm-unsafe-eval. You can probably ignore all of this since your usage is server-side, but I wanted to mention it to start to spread awareness.

[azasypkin]

I agree with Larry's earlier assessment. If we use WASM on the server-side and compile only the module we ship, then I don't have any significant security-related concerns. I just left few performance related questions and it'd be great if we can avoid polluting the global scope with Go wasm helper.

[azasypkin]

nit: if it's called multiple times then it'd probably make sense to compile module just once and reuse it for instantiation (with new WebAssembly.Module or WebAssembly.compile).

[azasypkin]

question: Just curious, I see this module is about 12mb, I assume it's not optimized yet (with more aggressive build optimization flags, wasm-opt and friends)?

[joshdover]

Yep we still need to explore making this smaller and distribute it via a proper npm module. This is currently being built with go-wasm, but I think it would make sense to look at tinygo.

[azasypkin]

question: I'm not familiar with wasm_exec.js\tinygo, is it possible to use its importObject without polluting the global scope with Go?

[joshdover]

Without editing the wasm_exec.js from Go (this is not from tinygo), I don't see a way. I think it would be a small edit though and I agree we shouldn't merge this in its current state (polluting the global scope).