Remove legacy fallback (#29107)
* Remove mode.initialize and change useRbacForRequest to useRbac * Updating saved object api tests * Fixing spaces api integration tests * Removing unused "expect legacy forbidden" declarations and imports * Updating docs * Update docs/migration/migrate_7_0.asciidoc Co-Authored-By: kobelb <brandon.kobel@gmail.com> * Update docs/migration/migrate_7_0.asciidoc Co-Authored-By: kobelb <brandon.kobel@gmail.com> * Updating comment that mentions the scenario when we aren't using RBAC * Adding back the authorization section of the config When a config setting is marked as unused using the deprecations, it's still required to show up in the config declarations so an error isn't thrown on startup. * Adding note about watcher jobs * Update docs/migration/migrate_7_0.asciidoc Co-Authored-By: kobelb <brandon.kobel@gmail.com>
parent
72c2f7839b
commit
0e00c3ffef
53 changed files with 263 additions and 1137 deletions
|
@ -9,6 +9,13 @@ your application to Kibana 7.0.
|
|||
|
||||
See also <<release-highlights>> and <<release-notes>>.
|
||||
|
||||
[float]
|
||||
=== Removed support for users relying on direct index privileges to the Kibana index in Elasticsearch
|
||||
*Details:* With the introduction of Kibana RBAC in 6.4, users no longer require privileges to the Kibana index in Elasticsearch. Instead, users
|
||||
should be granted <<kibana-privileges>>. Prior to 7.0, when a user that relies upon direct index privileges logs into Kibana, a deprecation warning is logged. If you are using the `kibana_user` or `kibana_dashboard_only_user` role to grant access to Kibana, or a custom role using <<kibana-privileges>>, no changes are required.
|
||||
|
||||
*Impact:* You must change any roles which grant access to Kibana using index privileges to instead use <<kibana-privileges>>. Watcher jobs using the Reporting attachment type must be updated as well.
|
||||
|
||||
[float]
|
||||
=== Removed support for tribe nodes
|
||||
*Details:* Elasticsearch 7.0 removes the tribe node feature, so Kibana removes it as well.
|
||||
|
|
|
@ -25,11 +25,6 @@ export const getCustomLogo = async ({
|
|||
getBasePath: () => job.basePath || serverBasePath,
|
||||
};
|
||||
|
||||
if (server.plugins.security) {
|
||||
const { authorization } = server.plugins.security;
|
||||
await authorization.mode.initialize(fakeRequest);
|
||||
}
|
||||
|
||||
const savedObjects = server.savedObjects;
|
||||
|
||||
const savedObjectsClient = savedObjects.getScopedSavedObjectsClient(fakeRequest);
|
||||
|
|
|
@ -48,11 +48,6 @@ function executeJobFn(server) {
|
|||
getBasePath: () => basePath || serverBasePath,
|
||||
};
|
||||
|
||||
if (server.plugins.security) {
|
||||
const { authorization } = server.plugins.security;
|
||||
await authorization.mode.initialize(fakeRequest);
|
||||
}
|
||||
|
||||
const callEndpoint = (endpoint, clientParams = {}, options = {}) => {
|
||||
return callWithRequest(fakeRequest, endpoint, clientParams, options);
|
||||
};
|
||||
|
|
|
@ -45,7 +45,7 @@ export const security = (kibana) => new kibana.Plugin({
|
|||
}).default(),
|
||||
authorization: Joi.object({
|
||||
legacyFallback: Joi.object({
|
||||
enabled: Joi.boolean().default(true)
|
||||
enabled: Joi.boolean().default(true) // deprecated
|
||||
}).default()
|
||||
}).default(),
|
||||
audit: Joi.object({
|
||||
|
@ -54,6 +54,12 @@ export const security = (kibana) => new kibana.Plugin({
|
|||
}).default();
|
||||
},
|
||||
|
||||
deprecations: function ({ unused }) {
|
||||
return [
|
||||
unused('authorization.legacyFallback.enabled'),
|
||||
];
|
||||
},
|
||||
|
||||
uiExports: {
|
||||
chromeNavControls: ['plugins/security/views/nav_control'],
|
||||
managementSections: ['plugins/security/views/management'],
|
||||
|
@ -134,7 +140,7 @@ export const security = (kibana) => new kibana.Plugin({
|
|||
const { callWithRequest, callWithInternalUser } = adminCluster;
|
||||
const callCluster = (...args) => callWithRequest(request, ...args);
|
||||
|
||||
if (authorization.mode.useRbacForRequest(request)) {
|
||||
if (authorization.mode.useRbac()) {
|
||||
const internalRepository = savedObjects.getSavedObjectsRepository(callWithInternalUser);
|
||||
return new savedObjects.SavedObjectsClient(internalRepository);
|
||||
}
|
||||
|
@ -144,7 +150,7 @@ export const security = (kibana) => new kibana.Plugin({
|
|||
});
|
||||
|
||||
savedObjects.addScopedSavedObjectsClientWrapperFactory(Number.MIN_VALUE, ({ client, request }) => {
|
||||
if (authorization.mode.useRbacForRequest(request)) {
|
||||
if (authorization.mode.useRbac()) {
|
||||
const { spaces } = server.plugins;
|
||||
|
||||
return new SecureSavedObjectsClientWrapper({
|
||||
|
@ -164,7 +170,7 @@ export const security = (kibana) => new kibana.Plugin({
|
|||
|
||||
getUserProvider(server);
|
||||
|
||||
await initAuthenticator(server, authorization.mode);
|
||||
await initAuthenticator(server);
|
||||
initAuthenticateApi(server);
|
||||
initUsersApi(server);
|
||||
initPublicRolesApi(server);
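Review bot: The two `authorization.mode.useRbac()` checks in this file, one in the scoped saved-objects client factory and one in the wrapper factory registered with `Number.MIN_VALUE`, are now evaluated independently. Elsewhere in this commit `useRbac()` returns the license result directly, while the removed `useRbacForRequest(request)` returned a value cached per request. If that result could change between the two calls for one request, the first could return a client built on `callWithInternalUser` while the second skips `SecureSavedObjectsClientWrapper`; the wrapper factory's other branch lies outside the visible hunk, so this needs confirming. Reading the value once per request would remove the dependency, or at least document it at the first check with `// must agree with the wrapper factory below: an internal-user repository is only safe behind SecureSavedObjectsClientWrapper`.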
|
||||
|
|
|
@ -39,7 +39,7 @@ export function serverFixture() {
|
|||
deauthenticate: stub(),
|
||||
authorization: {
|
||||
mode: {
|
||||
useRbacForRequest: stub(),
|
||||
useRbac: stub(),
|
||||
},
|
||||
actions: {
|
||||
login: 'stub-login-action',
|
||||
|
|
|
@ -23,7 +23,6 @@ describe('Authenticator', () => {
|
|||
let server;
|
||||
let session;
|
||||
let cluster;
|
||||
let authorizationMode;
|
||||
beforeEach(() => {
|
||||
server = serverFixture();
|
||||
session = sinon.createStubInstance(Session);
|
||||
|
@ -36,8 +35,6 @@ describe('Authenticator', () => {
|
|||
cluster = sinon.stub({ callWithRequest() {} });
|
||||
sandbox.stub(ClientShield, 'getClient').returns(cluster);
|
||||
|
||||
authorizationMode = { initialize: sinon.stub() };
|
||||
|
||||
server.config.returns(config);
|
||||
server.register.yields();
|
||||
|
||||
|
@ -87,7 +84,7 @@ describe('Authenticator', () => {
|
|||
server.plugins.kibana.systemApi.isSystemApiRequest.returns(true);
|
||||
session.clear.throws(new Error('`Session.clear` is not supposed to be called!'));
|
||||
|
||||
await initAuthenticator(server, authorizationMode);
|
||||
await initAuthenticator(server);
|
||||
|
||||
// Second argument will be a method we'd like to test.
|
||||
authenticate = server.expose.withArgs('authenticate').firstCall.args[1];
|
||||
|
@ -116,18 +113,6 @@ describe('Authenticator', () => {
|
|||
expect(authenticationResult.error).to.be(failureReason);
|
||||
});
|
||||
|
||||
it(`doesn't initialize authorizationMode when authentication fails.`, async () => {
|
||||
const request = requestFixture({ headers: { authorization: 'Basic ***' } });
|
||||
session.get.withArgs(request).returns(Promise.resolve(null));
|
||||
|
||||
const failureReason = new Error('Not Authorized');
|
||||
cluster.callWithRequest.withArgs(request).returns(Promise.reject(failureReason));
|
||||
|
||||
await authenticate(request);
|
||||
|
||||
sinon.assert.notCalled(authorizationMode.initialize);
|
||||
});
|
||||
|
||||
it('returns user that authentication provider returns.', async () => {
|
||||
const request = requestFixture({ headers: { authorization: 'Basic ***' } });
|
||||
const user = { username: 'user' };
|
||||
|
@ -141,15 +126,6 @@ describe('Authenticator', () => {
|
|||
});
|
||||
});
|
||||
|
||||
it('initiliazes authorizationMode when authentication succeeds.', async () => {
|
||||
const request = requestFixture({ headers: { authorization: 'Basic ***' } });
|
||||
const user = { username: 'user' };
|
||||
cluster.callWithRequest.withArgs(request).returns(Promise.resolve(user));
|
||||
|
||||
await authenticate(request);
|
||||
sinon.assert.calledWith(authorizationMode.initialize, request);
|
||||
});
|
||||
|
||||
it('creates session whenever authentication provider returns state for system API requests', async () => {
|
||||
const user = { username: 'user' };
|
||||
const request = requestFixture();
|
||||
|
|
|
@ -105,13 +105,11 @@ class Authenticator {
|
|||
* @param {Hapi.Server} server HapiJS Server instance.
|
||||
* @param {AuthScopeService} authScope AuthScopeService instance.
|
||||
* @param {Session} session Session instance.
|
||||
* @param {AuthorizationMode} authorizationMode AuthorizationMode instance
|
||||
*/
|
||||
constructor(server, authScope, session, authorizationMode) {
|
||||
constructor(server, authScope, session) {
|
||||
this._server = server;
|
||||
this._authScope = authScope;
|
||||
this._session = session;
|
||||
this._authorizationMode = authorizationMode;
|
||||
|
||||
const config = this._server.config();
|
||||
const authProviders = config.get('xpack.security.authProviders');
|
||||
|
@ -177,8 +175,6 @@ class Authenticator {
|
|||
}
|
||||
|
||||
if (authenticationResult.succeeded()) {
|
||||
// we have to do this here, as the auth scope's could be dependent on this
|
||||
await this._authorizationMode.initialize(request);
|
||||
return AuthenticationResult.succeeded({
|
||||
...authenticationResult.user,
|
||||
// Complement user returned from the provider with scopes.
|
||||
|
@ -280,10 +276,10 @@ class Authenticator {
|
|||
}
|
||||
}
|
||||
|
||||
export async function initAuthenticator(server, authorizationMode) {
|
||||
export async function initAuthenticator(server) {
|
||||
const session = await Session.create(server);
|
||||
const authScope = new AuthScopeService();
|
||||
const authenticator = new Authenticator(server, authScope, session, authorizationMode);
|
||||
const authenticator = new Authenticator(server, authScope, session);
|
||||
|
||||
const loginAttempts = new WeakMap();
|
||||
server.decorate('request', 'loginAttempt', function () {
|
||||
|
|
|
@ -5,58 +5,11 @@
|
|||
*/
|
||||
|
||||
export function authorizationModeFactory(
|
||||
application,
|
||||
config,
|
||||
log,
|
||||
shieldClient,
|
||||
xpackInfoFeature,
|
||||
) {
|
||||
const useRbacForRequestCache = new WeakMap();
|
||||
|
||||
const shouldUseRbacForRequest = async (request) => {
|
||||
if (!config.get('xpack.security.authorization.legacyFallback.enabled')) {
|
||||
return true;
|
||||
}
|
||||
|
||||
const { callWithRequest } = shieldClient;
|
||||
|
||||
const getUserPrivilegesResponse = await callWithRequest(request, 'shield.getUserPrivileges');
|
||||
|
||||
// Superusers have `*` and all other roles will have the explicit application.
|
||||
// We aren't using wildcards at this time, so if the user somehow specifies them
|
||||
// using the ES apis directly (which is documented as unsupported) they won't work here.
|
||||
const result = getUserPrivilegesResponse.applications
|
||||
.some(entry => entry.application === '*' || entry.application === application);
|
||||
|
||||
return result;
|
||||
};
|
||||
|
||||
const isRbacEnabled = () => xpackInfoFeature.getLicenseCheckResults().allowRbac;
|
||||
|
||||
return {
|
||||
async initialize(request) {
|
||||
if (useRbacForRequestCache.has(request)) {
|
||||
log(['security', 'debug'], `Authorization mode is already initialized`);
|
||||
return;
|
||||
}
|
||||
|
||||
if (!isRbacEnabled()) {
|
||||
useRbacForRequestCache.set(request, false);
|
||||
return;
|
||||
}
|
||||
|
||||
const result = await shouldUseRbacForRequest(request);
|
||||
useRbacForRequestCache.set(request, result);
|
||||
},
|
||||
|
||||
useRbacForRequest(request) {
|
||||
// the following can happen when the user isn't authenticated. Either true or false would work here,
|
||||
// but we're going to go with false as this is closer to the "legacy" behavior
|
||||
if (!useRbacForRequestCache.has(request)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return useRbacForRequestCache.get(request);
|
||||
useRbac() {
|
||||
return xpackInfoFeature.getLicenseCheckResults().allowRbac;
|
||||
},
|
||||
};
|
||||
}
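Review bot: `useRbac()` carries no comment on the new side, although after this change it is the only switch between the RBAC path and the request-scoped path, and its result comes solely from `xpackInfoFeature.getLicenseCheckResults().allowRbac`. The comment that explained the unauthenticated case went away with `useRbacForRequest`, so a reader of the call sites has nothing that states the new contract. A one-line comment above the method would cover it, for example `// RBAC applies whenever the license allows it; there is no per-request fallback to index privileges`.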
|
||||
|
|
|
@ -6,22 +6,6 @@
|
|||
|
||||
import { authorizationModeFactory } from './mode';
|
||||
|
||||
const application = 'kibana-.kibana';
|
||||
|
||||
const createMockConfig = (settings) => {
|
||||
const mockConfig = {
|
||||
get: jest.fn()
|
||||
};
|
||||
|
||||
mockConfig.get.mockImplementation(key => {
|
||||
return settings[key];
|
||||
});
|
||||
|
||||
return mockConfig;
|
||||
};
|
||||
|
||||
const createMockLogger = () => jest.fn();
|
||||
|
||||
const createMockXpackInfoFeature = (allowRbac) => {
|
||||
return {
|
||||
getLicenseCheckResults() {
|
||||
|
@ -32,161 +16,20 @@ const createMockXpackInfoFeature = (allowRbac) => {
|
|||
};
|
||||
};
|
||||
|
||||
const createMockShieldClient = (getUserPrivilegesResponse) => ({
|
||||
callWithRequest: jest.fn().mockReturnValue(getUserPrivilegesResponse)
|
||||
});
|
||||
|
||||
describe(`#initialize`, () => {
|
||||
test(`can't be initialized twice for the same request`, async () => {
|
||||
const mockConfig = createMockConfig();
|
||||
const mockLogger = createMockLogger();
|
||||
const mockXpackInfoFeature = createMockXpackInfoFeature();
|
||||
const mode = authorizationModeFactory(application, mockConfig, mockLogger, null, mockXpackInfoFeature);
|
||||
const request = {};
|
||||
|
||||
await mode.initialize(request);
|
||||
expect(mockLogger).not.toHaveBeenCalled();
|
||||
await mode.initialize(request);
|
||||
expect(mockLogger).toHaveBeenCalledWith(['security', 'debug'], `Authorization mode is already initialized`);
|
||||
});
|
||||
});
|
||||
|
||||
describe(`#useRbacForRequest`, () => {
|
||||
test(`return false if not initialized for request`, async () => {
|
||||
const mockConfig = createMockConfig();
|
||||
const mockLogger = createMockLogger();
|
||||
const mockXpackInfoFeature = createMockXpackInfoFeature();
|
||||
const mode = authorizationModeFactory(application, mockConfig, mockLogger, null, mockXpackInfoFeature);
|
||||
const request = {};
|
||||
|
||||
const result = mode.useRbacForRequest(request);
|
||||
expect(result).toBe(false);
|
||||
expect(mockLogger).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
test(`returns true if legacy fallback is disabled`, async () => {
|
||||
const mockConfig = createMockConfig({
|
||||
'xpack.security.authorization.legacyFallback.enabled': false,
|
||||
});
|
||||
const mockLogger = createMockLogger();
|
||||
const mockXpackInfoFeature = createMockXpackInfoFeature(true);
|
||||
const mode = authorizationModeFactory(application, mockConfig, mockLogger, null, mockXpackInfoFeature);
|
||||
const request = {};
|
||||
|
||||
await mode.initialize(request);
|
||||
const result = mode.useRbacForRequest(request);
|
||||
expect(result).toBe(true);
|
||||
});
|
||||
|
||||
describe(`#useRbac`, () => {
|
||||
test(`returns false if xpackInfoFeature.getLicenseCheckResults().allowRbac is false`, async () => {
|
||||
const mockConfig = createMockConfig({
|
||||
'xpack.security.authorization.legacyFallback.enabled': true,
|
||||
});
|
||||
const mockLogger = createMockLogger();
|
||||
const mockXpackInfoFeature = createMockXpackInfoFeature(false);
|
||||
const mode = authorizationModeFactory(application, mockConfig, mockLogger, null, mockXpackInfoFeature);
|
||||
const request = {};
|
||||
const mode = authorizationModeFactory(mockXpackInfoFeature);
|
||||
|
||||
await mode.initialize(request);
|
||||
const result = mode.useRbacForRequest(request);
|
||||
const result = mode.useRbac();
|
||||
expect(result).toBe(false);
|
||||
});
|
||||
|
||||
test(`returns false if shieldClient getUserPrivileges returns no applications`, async () => {
|
||||
const mockConfig = createMockConfig({
|
||||
'xpack.security.authorization.legacyFallback.enabled': true,
|
||||
});
|
||||
const mockLogger = createMockLogger();
|
||||
test(`returns true if xpackInfoFeature.getLicenseCheckResults().allowRbac is true`, async () => {
|
||||
const mockXpackInfoFeature = createMockXpackInfoFeature(true);
|
||||
const mockShieldClient = createMockShieldClient({
|
||||
applications: []
|
||||
});
|
||||
const mode = authorizationModeFactory(application, mockConfig, mockLogger, mockShieldClient, mockXpackInfoFeature);
|
||||
const request = {
|
||||
headers: {
|
||||
foo: 'bar'
|
||||
}
|
||||
};
|
||||
const mode = authorizationModeFactory(mockXpackInfoFeature);
|
||||
|
||||
await mode.initialize(request);
|
||||
const result = mode.useRbacForRequest(request);
|
||||
expect(result).toBe(false);
|
||||
expect(mockShieldClient.callWithRequest).toHaveBeenCalledWith(request, 'shield.getUserPrivileges');
|
||||
});
|
||||
|
||||
test(`returns false if shieldClient getUserPrivileges returns incorrect application`, async () => {
|
||||
const mockConfig = createMockConfig({
|
||||
'xpack.security.authorization.legacyFallback.enabled': true,
|
||||
});
|
||||
const mockLogger = createMockLogger();
|
||||
const mockXpackInfoFeature = createMockXpackInfoFeature(true);
|
||||
const mockShieldClient = createMockShieldClient({
|
||||
applications: [{
|
||||
application: 'kibana-.kibana-marketing'
|
||||
}]
|
||||
});
|
||||
const mode = authorizationModeFactory(application, mockConfig, mockLogger, mockShieldClient, mockXpackInfoFeature);
|
||||
const request = {
|
||||
headers: {
|
||||
foo: 'bar'
|
||||
}
|
||||
};
|
||||
|
||||
await mode.initialize(request);
|
||||
const result = mode.useRbacForRequest(request);
|
||||
expect(result).toBe(false);
|
||||
expect(mockShieldClient.callWithRequest).toHaveBeenCalledWith(request, 'shield.getUserPrivileges');
|
||||
});
|
||||
|
||||
test(`returns true if shieldClient getUserPrivileges returns * and incorrect application`, async () => {
|
||||
const mockConfig = createMockConfig({
|
||||
'xpack.security.authorization.legacyFallback.enabled': true,
|
||||
});
|
||||
const mockLogger = createMockLogger();
|
||||
const mockXpackInfoFeature = createMockXpackInfoFeature(true);
|
||||
const mockShieldClient = createMockShieldClient({
|
||||
applications: [{
|
||||
application: 'kibana-.kibana-marketing'
|
||||
}, {
|
||||
application: '*'
|
||||
}]
|
||||
});
|
||||
const mode = authorizationModeFactory(application, mockConfig, mockLogger, mockShieldClient, mockXpackInfoFeature);
|
||||
const request = {
|
||||
headers: {
|
||||
foo: 'bar'
|
||||
}
|
||||
};
|
||||
|
||||
await mode.initialize(request);
|
||||
const result = mode.useRbacForRequest(request);
|
||||
const result = mode.useRbac();
|
||||
expect(result).toBe(true);
|
||||
expect(mockShieldClient.callWithRequest).toHaveBeenCalledWith(request, 'shield.getUserPrivileges');
|
||||
});
|
||||
|
||||
test(`returns true if shieldClient getUserPrivileges returns matching application and incorrect application`, async () => {
|
||||
const mockConfig = createMockConfig({
|
||||
'xpack.security.authorization.legacyFallback.enabled': true,
|
||||
});
|
||||
const mockLogger = createMockLogger();
|
||||
const mockXpackInfoFeature = createMockXpackInfoFeature(true);
|
||||
const mockShieldClient = createMockShieldClient({
|
||||
applications: [{
|
||||
application: 'kibana-.kibana-marketing'
|
||||
}, {
|
||||
application
|
||||
}]
|
||||
});
|
||||
const mode = authorizationModeFactory(application, mockConfig, mockLogger, mockShieldClient, mockXpackInfoFeature);
|
||||
const request = {
|
||||
headers: {
|
||||
foo: 'bar'
|
||||
}
|
||||
};
|
||||
|
||||
await mode.initialize(request);
|
||||
const result = mode.useRbacForRequest(request);
|
||||
expect(result).toBe(true);
|
||||
expect(mockShieldClient.callWithRequest).toHaveBeenCalledWith(request, 'shield.getUserPrivileges');
|
||||
});
|
||||
});
|
||||
|
|
|
@ -17,10 +17,6 @@ export function createAuthorizationService(server, xpackInfoFeature) {
|
|||
const application = `kibana-${config.get('kibana.index')}`;
|
||||
const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory(actions, application, shieldClient);
|
||||
const mode = authorizationModeFactory(
|
||||
application,
|
||||
config,
|
||||
(...args) => server.log(...args),
|
||||
shieldClient,
|
||||
xpackInfoFeature,
|
||||
);
|
||||
|
||||
|
|
|
@ -64,10 +64,6 @@ test(`calls server.expose with exposed services`, () => {
|
|||
expect(actionsFactory).toHaveBeenCalledWith(mockConfig);
|
||||
expect(checkPrivilegesWithRequestFactory).toHaveBeenCalledWith(mockActions, application, mockShieldClient);
|
||||
expect(authorizationModeFactory).toHaveBeenCalledWith(
|
||||
application,
|
||||
mockConfig,
|
||||
expect.any(Function),
|
||||
mockShieldClient,
|
||||
mockXpackInfoFeature,
|
||||
);
|
||||
});
|
||||
|
|
|
@ -36,7 +36,6 @@ describe('Authentication routes', () => {
|
|||
let loginRoute;
|
||||
let request;
|
||||
let authenticateStub;
|
||||
let authorizationModeStub;
|
||||
|
||||
beforeEach(() => {
|
||||
loginRoute = serverStub.route
|
||||
|
@ -52,7 +51,6 @@ describe('Authentication routes', () => {
|
|||
authenticateStub = serverStub.plugins.security.authenticate.withArgs(
|
||||
sinon.match(BasicCredentials.decorateRequest(request, 'user', 'password'))
|
||||
);
|
||||
authorizationModeStub = serverStub.plugins.security.authorization.mode;
|
||||
});
|
||||
|
||||
it('correctly defines route.', async () => {
|
||||
|
@ -117,34 +115,15 @@ describe('Authentication routes', () => {
|
|||
});
|
||||
|
||||
describe('authentication succeeds', () => {
|
||||
const getDeprecationMessage = username =>
|
||||
`${username} relies on index privileges on the Kibana index. This is deprecated and will be removed in Kibana 7.0`;
|
||||
|
||||
it(`returns user data and doesn't log deprecation warning if authorization.mode.useRbacForRequest returns true.`, async () => {
|
||||
it(`returns user data`, async () => {
|
||||
const user = { username: 'user' };
|
||||
authenticateStub.returns(
|
||||
Promise.resolve(AuthenticationResult.succeeded(user))
|
||||
);
|
||||
authorizationModeStub.useRbacForRequest.returns(true);
|
||||
|
||||
await loginRoute.handler(request, hStub);
|
||||
|
||||
sinon.assert.calledWithExactly(authorizationModeStub.useRbacForRequest, request);
|
||||
sinon.assert.neverCalledWith(serverStub.log, ['warning', 'deprecated', 'security'], getDeprecationMessage(user.username));
|
||||
sinon.assert.calledOnce(hStub.response);
|
||||
});
|
||||
|
||||
it(`returns user data and logs deprecation warning if authorization.mode.useRbacForRequest returns false.`, async () => {
|
||||
const user = { username: 'user' };
|
||||
authenticateStub.returns(
|
||||
Promise.resolve(AuthenticationResult.succeeded(user))
|
||||
);
|
||||
authorizationModeStub.useRbacForRequest.returns(false);
|
||||
|
||||
await loginRoute.handler(request, hStub);
|
||||
|
||||
sinon.assert.calledWithExactly(authorizationModeStub.useRbacForRequest, request);
|
||||
sinon.assert.calledWith(serverStub.log, ['warning', 'deprecated', 'security'], getDeprecationMessage(user.username));
|
||||
sinon.assert.calledOnce(hStub.response);
|
||||
});
|
||||
});
|
||||
|
|
|
@ -37,12 +37,6 @@ export function initAuthenticateApi(server) {
|
|||
throw Boom.unauthorized(authenticationResult.error);
|
||||
}
|
||||
|
||||
const { authorization } = server.plugins.security;
|
||||
if (!authorization.mode.useRbacForRequest(request)) {
|
||||
const msg = `${username} relies on index privileges on the Kibana index. This is deprecated and will be removed in Kibana 7.0`;
|
||||
server.log(['warning', 'deprecated', 'security'], msg);
|
||||
}
|
||||
|
||||
return h.response();
|
||||
} catch(err) {
|
||||
throw wrapError(err);
|
||||
|
|
|
@ -2,22 +2,22 @@
|
|||
|
||||
exports[`#create authorization is null throws bad request when we are at the maximum number of spaces 1`] = `"Unable to create Space, this exceeds the maximum number of spaces set by the xpack.spaces.maxSpaces setting"`;
|
||||
|
||||
exports[`#create authorization.mode.useRbacForRequest returns false throws bad request when we're at the maximum number of spaces 1`] = `"Unable to create Space, this exceeds the maximum number of spaces set by the xpack.spaces.maxSpaces setting"`;
|
||||
exports[`#create authorization.mode.useRbac returns false throws bad request when we're at the maximum number of spaces 1`] = `"Unable to create Space, this exceeds the maximum number of spaces set by the xpack.spaces.maxSpaces setting"`;
|
||||
|
||||
exports[`#create useRbacForRequest is true throws Boom.forbidden if the user isn't authorized at space 1`] = `"Unauthorized to create spaces"`;
|
||||
exports[`#create useRbac is true throws Boom.forbidden if the user isn't authorized at space 1`] = `"Unauthorized to create spaces"`;
|
||||
|
||||
exports[`#create useRbacForRequest is true throws bad request when we are at the maximum number of spaces 1`] = `"Unable to create Space, this exceeds the maximum number of spaces set by the xpack.spaces.maxSpaces setting"`;
|
||||
exports[`#create useRbac is true throws bad request when we are at the maximum number of spaces 1`] = `"Unable to create Space, this exceeds the maximum number of spaces set by the xpack.spaces.maxSpaces setting"`;
|
||||
|
||||
exports[`#delete authorization is null throws bad request when the space is reserved 1`] = `"This Space cannot be deleted because it is reserved."`;
|
||||
|
||||
exports[`#delete authorization.mode.useRbacForRequest returns false throws bad request when the space is reserved 1`] = `"This Space cannot be deleted because it is reserved."`;
|
||||
exports[`#delete authorization.mode.useRbac returns false throws bad request when the space is reserved 1`] = `"This Space cannot be deleted because it is reserved."`;
|
||||
|
||||
exports[`#delete authorization.mode.useRbacForRequest returns true throws Boom.forbidden if the user isn't authorized 1`] = `"Unauthorized to delete spaces"`;
|
||||
exports[`#delete authorization.mode.useRbac returns true throws Boom.forbidden if the user isn't authorized 1`] = `"Unauthorized to delete spaces"`;
|
||||
|
||||
exports[`#delete authorization.mode.useRbacForRequest returns true throws bad request if the user is authorized but the space is reserved 1`] = `"This Space cannot be deleted because it is reserved."`;
|
||||
exports[`#delete authorization.mode.useRbac returns true throws bad request if the user is authorized but the space is reserved 1`] = `"This Space cannot be deleted because it is reserved."`;
|
||||
|
||||
exports[`#get useRbacForRequest is true throws Boom.forbidden if the user isn't authorized at space 1`] = `"Unauthorized to get foo-space space"`;
|
||||
exports[`#get useRbac is true throws Boom.forbidden if the user isn't authorized at space 1`] = `"Unauthorized to get foo-space space"`;
|
||||
|
||||
exports[`#getAll useRbacForRequest is true throws Boom.forbidden when user isn't authorized for any spaces 1`] = `"Forbidden"`;
|
||||
exports[`#getAll useRbac is true throws Boom.forbidden when user isn't authorized for any spaces 1`] = `"Forbidden"`;
|
||||
|
||||
exports[`#update useRbacForRequest is true throws Boom.forbidden when user isn't authorized at space 1`] = `"Unauthorized to update spaces"`;
|
||||
exports[`#update useRbac is true throws Boom.forbidden when user isn't authorized at space 1`] = `"Unauthorized to update spaces"`;
|
||||
|
|
|
@ -33,7 +33,7 @@ const createMockAuthorization = () => {
|
|||
globally: mockCheckPrivilegesGlobally,
|
||||
})),
|
||||
mode: {
|
||||
useRbacForRequest: jest.fn(),
|
||||
useRbac: jest.fn(),
|
||||
},
|
||||
};
|
||||
|
||||
|
@ -132,12 +132,12 @@ describe('#getAll', () => {
|
|||
});
|
||||
});
|
||||
|
||||
describe(`authorization.mode.useRbacForRequest returns false`, () => {
|
||||
describe(`authorization.mode.useRbac returns false`, () => {
|
||||
test(`finds spaces using callWithRequestRepository`, async () => {
|
||||
const mockAuditLogger = createMockAuditLogger();
|
||||
const mockDebugLogger = createMockDebugLogger();
|
||||
const { mockAuthorization } = createMockAuthorization();
|
||||
mockAuthorization.mode.useRbacForRequest.mockReturnValue(false);
|
||||
mockAuthorization.mode.useRbac.mockReturnValue(false);
|
||||
const mockCallWithRequestRepository = {
|
||||
find: jest.fn().mockReturnValue({
|
||||
saved_objects: savedObjects,
|
||||
|
@ -167,19 +167,19 @@ describe('#getAll', () => {
|
|||
perPage: maxSpaces,
|
||||
sortField: 'name.keyword',
|
||||
});
|
||||
expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockAuthorization.mode.useRbac).toHaveBeenCalled();
|
||||
expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
|
||||
expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
|
||||
});
|
||||
});
|
||||
|
||||
describe('useRbacForRequest is true', () => {
|
||||
describe('useRbac is true', () => {
|
||||
test(`throws Boom.forbidden when user isn't authorized for any spaces`, async () => {
|
||||
const username = Symbol();
|
||||
const mockAuditLogger = createMockAuditLogger();
|
||||
const mockDebugLogger = createMockDebugLogger();
|
||||
const { mockAuthorization, mockCheckPrivilegesAtSpaces } = createMockAuthorization();
|
||||
mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
|
||||
mockAuthorization.mode.useRbac.mockReturnValue(true);
|
||||
mockCheckPrivilegesAtSpaces.mockReturnValue({
|
||||
username,
|
||||
spacePrivileges: {
|
||||
|
@ -219,7 +219,7 @@ describe('#getAll', () => {
|
|||
perPage: maxSpaces,
|
||||
sortField: 'name.keyword',
|
||||
});
|
||||
expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockAuthorization.mode.useRbac).toHaveBeenCalled();
|
||||
expect(mockAuthorization.checkPrivilegesWithRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockCheckPrivilegesAtSpaces).toHaveBeenCalledWith(
|
||||
savedObjects.map(savedObject => savedObject.id),
|
||||
|
@ -234,7 +234,7 @@ describe('#getAll', () => {
|
|||
const mockAuditLogger = createMockAuditLogger();
|
||||
const mockDebugLogger = createMockDebugLogger();
|
||||
const { mockAuthorization, mockCheckPrivilegesAtSpaces } = createMockAuthorization();
|
||||
mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
|
||||
mockAuthorization.mode.useRbac.mockReturnValue(true);
|
||||
mockCheckPrivilegesAtSpaces.mockReturnValue({
|
||||
username,
|
||||
spacePrivileges: {
|
||||
|
@ -275,7 +275,7 @@ describe('#getAll', () => {
|
|||
perPage: maxSpaces,
|
||||
sortField: 'name.keyword',
|
||||
});
|
||||
expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockAuthorization.mode.useRbac).toHaveBeenCalled();
|
||||
expect(mockAuthorization.checkPrivilegesWithRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockCheckPrivilegesAtSpaces).toHaveBeenCalledWith(
|
||||
savedObjects.map(savedObject => savedObject.id),
|
||||
|
@ -314,12 +314,12 @@ describe('#canEnumerateSpaces', () => {
|
|||
});
|
||||
});
|
||||
|
||||
describe(`authorization.mode.useRbacForRequest is false`, () => {
|
||||
describe(`authorization.mode.useRbac is false`, () => {
|
||||
test(`returns true`, async () => {
|
||||
const mockAuditLogger = createMockAuditLogger();
|
||||
const mockDebugLogger = createMockDebugLogger();
|
||||
const { mockAuthorization } = createMockAuthorization();
|
||||
mockAuthorization.mode.useRbacForRequest.mockReturnValue(false);
|
||||
mockAuthorization.mode.useRbac.mockReturnValue(false);
|
||||
const request = Symbol();
|
||||
|
||||
const client = new SpacesClient(
|
||||
|
@ -339,13 +339,13 @@ describe('#canEnumerateSpaces', () => {
|
|||
});
|
||||
});
|
||||
|
||||
describe('useRbacForRequest is true', () => {
|
||||
describe('useRbac is true', () => {
|
||||
test(`returns false if user is not authorized to enumerate spaces`, async () => {
|
||||
const username = Symbol();
|
||||
const mockAuditLogger = createMockAuditLogger();
|
||||
const mockDebugLogger = createMockDebugLogger();
|
||||
const { mockAuthorization, mockCheckPrivilegesGlobally } = createMockAuthorization();
|
||||
mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
|
||||
mockAuthorization.mode.useRbac.mockReturnValue(true);
|
||||
mockCheckPrivilegesGlobally.mockReturnValue({
|
||||
username,
|
||||
hasAllRequested: false,
|
||||
|
@ -379,7 +379,7 @@ describe('#canEnumerateSpaces', () => {
|
|||
const mockAuditLogger = createMockAuditLogger();
|
||||
const mockDebugLogger = createMockDebugLogger();
|
||||
const { mockAuthorization, mockCheckPrivilegesGlobally } = createMockAuthorization();
|
||||
mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
|
||||
mockAuthorization.mode.useRbac.mockReturnValue(true);
|
||||
mockCheckPrivilegesGlobally.mockReturnValue({
|
||||
username,
|
||||
hasAllRequested: true,
|
||||
|
@ -456,12 +456,12 @@ describe('#get', () => {
|
|||
});
|
||||
});
|
||||
|
||||
describe(`authorization.mode.useRbacForRequest returns false`, () => {
|
||||
describe(`authorization.mode.useRbac returns false`, () => {
|
||||
test(`gets space using callWithRequestRepository`, async () => {
|
||||
const mockAuditLogger = createMockAuditLogger();
|
||||
const mockDebugLogger = createMockDebugLogger();
|
||||
const { mockAuthorization } = createMockAuthorization();
|
||||
mockAuthorization.mode.useRbacForRequest.mockReturnValue(false);
|
||||
mockAuthorization.mode.useRbac.mockReturnValue(false);
|
||||
const mockCallWithRequestRepository = {
|
||||
get: jest.fn().mockReturnValue(savedObject),
|
||||
};
|
||||
|
@ -480,20 +480,20 @@ describe('#get', () => {
|
|||
const actualSpace = await client.get(id);
|
||||
|
||||
expect(actualSpace).toEqual(expectedSpace);
|
||||
expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockAuthorization.mode.useRbac).toHaveBeenCalled();
|
||||
expect(mockCallWithRequestRepository.get).toHaveBeenCalledWith('space', id);
|
||||
expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
|
||||
expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
|
||||
});
|
||||
});
|
||||
|
||||
describe('useRbacForRequest is true', () => {
|
||||
describe('useRbac is true', () => {
|
||||
test(`throws Boom.forbidden if the user isn't authorized at space`, async () => {
|
||||
const username = Symbol();
|
||||
const mockAuditLogger = createMockAuditLogger();
|
||||
const mockDebugLogger = createMockDebugLogger();
|
||||
const { mockAuthorization, mockCheckPrivilegesAtSpace } = createMockAuthorization();
|
||||
mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
|
||||
mockAuthorization.mode.useRbac.mockReturnValue(true);
|
||||
mockCheckPrivilegesAtSpace.mockReturnValue({
|
||||
username,
|
||||
hasAllRequested: false,
|
||||
|
@ -526,7 +526,7 @@ describe('#get', () => {
|
|||
const mockAuditLogger = createMockAuditLogger();
|
||||
const mockDebugLogger = createMockDebugLogger();
|
||||
const { mockAuthorization, mockCheckPrivilegesAtSpace } = createMockAuthorization();
|
||||
mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
|
||||
mockAuthorization.mode.useRbac.mockReturnValue(true);
|
||||
mockCheckPrivilegesAtSpace.mockReturnValue({
|
||||
username,
|
||||
hasAllRequested: true,
|
||||
|
@ -675,13 +675,13 @@ describe('#create', () => {
|
|||
});
|
||||
});
|
||||
|
||||
describe(`authorization.mode.useRbacForRequest returns false`, () => {
|
||||
describe(`authorization.mode.useRbac returns false`, () => {
|
||||
test(`creates space using callWithRequestRepository when we're under the max`, async () => {
|
||||
const maxSpaces = 5;
|
||||
const mockAuditLogger = createMockAuditLogger();
|
||||
const mockDebugLogger = createMockDebugLogger();
|
||||
const { mockAuthorization } = createMockAuthorization();
|
||||
mockAuthorization.mode.useRbacForRequest.mockReturnValue(false);
|
||||
mockAuthorization.mode.useRbac.mockReturnValue(false);
|
||||
const mockCallWithRequestRepository = {
|
||||
create: jest.fn().mockReturnValue(savedObject),
|
||||
find: jest.fn().mockReturnValue({
|
||||
|
@ -706,7 +706,7 @@ describe('#create', () => {
|
|||
const actualSpace = await client.create(spaceToCreate);
|
||||
|
||||
expect(actualSpace).toEqual(expectedReturnedSpace);
|
||||
expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockAuthorization.mode.useRbac).toHaveBeenCalled();
|
||||
expect(mockCallWithRequestRepository.find).toHaveBeenCalledWith({
|
||||
type: 'space',
|
||||
page: 1,
|
||||
|
@ -724,7 +724,7 @@ describe('#create', () => {
|
|||
const mockAuditLogger = createMockAuditLogger();
|
||||
const mockDebugLogger = createMockDebugLogger();
|
||||
const { mockAuthorization } = createMockAuthorization();
|
||||
mockAuthorization.mode.useRbacForRequest.mockReturnValue(false);
|
||||
mockAuthorization.mode.useRbac.mockReturnValue(false);
|
||||
const mockCallWithRequestRepository = {
|
||||
create: jest.fn().mockReturnValue(savedObject),
|
||||
find: jest.fn().mockReturnValue({
|
||||
|
@ -748,7 +748,7 @@ describe('#create', () => {
|
|||
|
||||
await expect(client.create(spaceToCreate)).rejects.toThrowErrorMatchingSnapshot();
|
||||
|
||||
expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockAuthorization.mode.useRbac).toHaveBeenCalled();
|
||||
expect(mockCallWithRequestRepository.find).toHaveBeenCalledWith({
|
||||
type: 'space',
|
||||
page: 1,
|
||||
|
@ -760,13 +760,13 @@ describe('#create', () => {
|
|||
});
|
||||
});
|
||||
|
||||
describe('useRbacForRequest is true', () => {
|
||||
describe('useRbac is true', () => {
|
||||
test(`throws Boom.forbidden if the user isn't authorized at space`, async () => {
|
||||
const username = Symbol();
|
||||
const mockAuditLogger = createMockAuditLogger();
|
||||
const mockDebugLogger = createMockDebugLogger();
|
||||
const { mockAuthorization, mockCheckPrivilegesGlobally } = createMockAuthorization();
|
||||
mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
|
||||
mockAuthorization.mode.useRbac.mockReturnValue(true);
|
||||
mockCheckPrivilegesGlobally.mockReturnValue({
|
||||
username,
|
||||
hasAllRequested: false,
|
||||
|
@ -785,7 +785,7 @@ describe('#create', () => {
|
|||
|
||||
await expect(client.create(spaceToCreate)).rejects.toThrowErrorMatchingSnapshot();
|
||||
|
||||
expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockAuthorization.mode.useRbac).toHaveBeenCalled();
|
||||
expect(mockAuthorization.checkPrivilegesWithRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockCheckPrivilegesGlobally).toHaveBeenCalledWith(
|
||||
mockAuthorization.actions.manageSpaces
|
||||
|
@ -800,7 +800,7 @@ describe('#create', () => {
|
|||
const mockAuditLogger = createMockAuditLogger();
|
||||
const mockDebugLogger = createMockDebugLogger();
|
||||
const { mockAuthorization, mockCheckPrivilegesGlobally } = createMockAuthorization();
|
||||
mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
|
||||
mockAuthorization.mode.useRbac.mockReturnValue(true);
|
||||
mockCheckPrivilegesGlobally.mockReturnValue({
|
||||
username,
|
||||
hasAllRequested: true,
|
||||
|
@ -837,7 +837,7 @@ describe('#create', () => {
|
|||
expect(mockInternalRepository.create).toHaveBeenCalledWith('space', attributes, {
|
||||
id,
|
||||
});
|
||||
expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockAuthorization.mode.useRbac).toHaveBeenCalled();
|
||||
expect(mockAuthorization.checkPrivilegesWithRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockCheckPrivilegesGlobally).toHaveBeenCalledWith(
|
||||
mockAuthorization.actions.manageSpaces
|
||||
|
@ -852,7 +852,7 @@ describe('#create', () => {
|
|||
const mockAuditLogger = createMockAuditLogger();
|
||||
const mockDebugLogger = createMockDebugLogger();
|
||||
const { mockAuthorization, mockCheckPrivilegesGlobally } = createMockAuthorization();
|
||||
mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
|
||||
mockAuthorization.mode.useRbac.mockReturnValue(true);
|
||||
mockCheckPrivilegesGlobally.mockReturnValue({
|
||||
username,
|
||||
hasAllRequested: true,
|
||||
|
@ -886,7 +886,7 @@ describe('#create', () => {
|
|||
perPage: 0,
|
||||
});
|
||||
expect(mockInternalRepository.create).not.toHaveBeenCalled();
|
||||
expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockAuthorization.mode.useRbac).toHaveBeenCalled();
|
||||
expect(mockAuthorization.checkPrivilegesWithRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockCheckPrivilegesGlobally).toHaveBeenCalledWith(
|
||||
mockAuthorization.actions.manageSpaces
|
||||
|
@ -960,12 +960,12 @@ describe('#update', () => {
|
|||
expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
|
||||
});
|
||||
});
|
||||
describe(`authorization.mode.useRbacForRequest returns false`, () => {
|
||||
describe(`authorization.mode.useRbac returns false`, () => {
|
||||
test(`updates space using callWithRequestRepository`, async () => {
|
||||
const mockAuditLogger = createMockAuditLogger();
|
||||
const mockDebugLogger = createMockDebugLogger();
|
||||
const { mockAuthorization } = createMockAuthorization();
|
||||
mockAuthorization.mode.useRbacForRequest.mockReturnValue(false);
|
||||
mockAuthorization.mode.useRbac.mockReturnValue(false);
|
||||
const mockCallWithRequestRepository = {
|
||||
update: jest.fn(),
|
||||
get: jest.fn().mockReturnValue(savedObject),
|
||||
|
@ -985,7 +985,7 @@ describe('#update', () => {
|
|||
const actualSpace = await client.update(id, spaceToUpdate);
|
||||
|
||||
expect(actualSpace).toEqual(expectedReturnedSpace);
|
||||
expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockAuthorization.mode.useRbac).toHaveBeenCalled();
|
||||
expect(mockCallWithRequestRepository.update).toHaveBeenCalledWith('space', id, attributes);
|
||||
expect(mockCallWithRequestRepository.get).toHaveBeenCalledWith('space', id);
|
||||
expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
|
||||
|
@ -993,7 +993,7 @@ describe('#update', () => {
|
|||
});
|
||||
});
|
||||
|
||||
describe('useRbacForRequest is true', () => {
|
||||
describe('useRbac is true', () => {
|
||||
test(`throws Boom.forbidden when user isn't authorized at space`, async () => {
|
||||
const username = Symbol();
|
||||
const mockAuditLogger = createMockAuditLogger();
|
||||
|
@ -1003,7 +1003,7 @@ describe('#update', () => {
|
|||
hasAllRequested: false,
|
||||
username,
|
||||
});
|
||||
mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
|
||||
mockAuthorization.mode.useRbac.mockReturnValue(true);
|
||||
const request = Symbol();
|
||||
|
||||
const client = new SpacesClient(
|
||||
|
@ -1018,7 +1018,7 @@ describe('#update', () => {
|
|||
const id = savedObject.id;
|
||||
await expect(client.update(id, spaceToUpdate)).rejects.toThrowErrorMatchingSnapshot();
|
||||
|
||||
expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockAuthorization.mode.useRbac).toHaveBeenCalled();
|
||||
expect(mockAuthorization.checkPrivilegesWithRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockCheckPrivilegesGlobally).toHaveBeenCalledWith(
|
||||
mockAuthorization.actions.manageSpaces
|
||||
|
@ -1036,7 +1036,7 @@ describe('#update', () => {
|
|||
hasAllRequested: true,
|
||||
username,
|
||||
});
|
||||
mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
|
||||
mockAuthorization.mode.useRbac.mockReturnValue(true);
|
||||
const mockInternalRepository = {
|
||||
update: jest.fn(),
|
||||
get: jest.fn().mockReturnValue(savedObject),
|
||||
|
@ -1056,7 +1056,7 @@ describe('#update', () => {
|
|||
const actualSpace = await client.update(id, spaceToUpdate);
|
||||
|
||||
expect(actualSpace).toEqual(expectedReturnedSpace);
|
||||
expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockAuthorization.mode.useRbac).toHaveBeenCalled();
|
||||
expect(mockAuthorization.checkPrivilegesWithRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockCheckPrivilegesGlobally).toHaveBeenCalledWith(
|
||||
mockAuthorization.actions.manageSpaces
|
||||
|
@ -1150,12 +1150,12 @@ describe('#delete', () => {
|
|||
});
|
||||
});
|
||||
|
||||
describe(`authorization.mode.useRbacForRequest returns false`, () => {
|
||||
describe(`authorization.mode.useRbac returns false`, () => {
|
||||
test(`throws bad request when the space is reserved`, async () => {
|
||||
const mockAuditLogger = createMockAuditLogger();
|
||||
const mockDebugLogger = createMockDebugLogger();
|
||||
const { mockAuthorization } = createMockAuthorization();
|
||||
mockAuthorization.mode.useRbacForRequest.mockReturnValue(false);
|
||||
mockAuthorization.mode.useRbac.mockReturnValue(false);
|
||||
const mockCallWithRequestRepository = {
|
||||
get: jest.fn().mockReturnValue(reservedSavedObject),
|
||||
};
|
||||
|
@ -1173,7 +1173,7 @@ describe('#delete', () => {
|
|||
|
||||
await expect(client.delete(id)).rejects.toThrowErrorMatchingSnapshot();
|
||||
|
||||
expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockAuthorization.mode.useRbac).toHaveBeenCalled();
|
||||
expect(mockCallWithRequestRepository.get).toHaveBeenCalledWith('space', id);
|
||||
expect(mockAuditLogger.spacesAuthorizationFailure).toHaveBeenCalledTimes(0);
|
||||
expect(mockAuditLogger.spacesAuthorizationSuccess).toHaveBeenCalledTimes(0);
|
||||
|
@ -1183,7 +1183,7 @@ describe('#delete', () => {
|
|||
const mockAuditLogger = createMockAuditLogger();
|
||||
const mockDebugLogger = createMockDebugLogger();
|
||||
const { mockAuthorization } = createMockAuthorization();
|
||||
mockAuthorization.mode.useRbacForRequest.mockReturnValue(false);
|
||||
mockAuthorization.mode.useRbac.mockReturnValue(false);
|
||||
const mockCallWithRequestRepository = {
|
||||
get: jest.fn().mockReturnValue(notReservedSavedObject),
|
||||
delete: jest.fn(),
|
||||
|
@ -1204,7 +1204,7 @@ describe('#delete', () => {
|
|||
|
||||
await client.delete(id);
|
||||
|
||||
expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockAuthorization.mode.useRbac).toHaveBeenCalled();
|
||||
expect(mockCallWithRequestRepository.get).toHaveBeenCalledWith('space', id);
|
||||
expect(mockCallWithRequestRepository.delete).toHaveBeenCalledWith('space', id);
|
||||
expect(mockCallWithRequestRepository.deleteByNamespace).toHaveBeenCalledWith(id);
|
||||
|
@ -1213,13 +1213,13 @@ describe('#delete', () => {
|
|||
});
|
||||
});
|
||||
|
||||
describe('authorization.mode.useRbacForRequest returns true', () => {
|
||||
describe('authorization.mode.useRbac returns true', () => {
|
||||
test(`throws Boom.forbidden if the user isn't authorized`, async () => {
|
||||
const username = Symbol();
|
||||
const mockAuditLogger = createMockAuditLogger();
|
||||
const mockDebugLogger = createMockDebugLogger();
|
||||
const { mockAuthorization, mockCheckPrivilegesGlobally } = createMockAuthorization();
|
||||
mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
|
||||
mockAuthorization.mode.useRbac.mockReturnValue(true);
|
||||
mockCheckPrivilegesGlobally.mockReturnValue({
|
||||
username,
|
||||
hasAllRequested: false,
|
||||
|
@ -1237,7 +1237,7 @@ describe('#delete', () => {
|
|||
|
||||
await expect(client.delete(id)).rejects.toThrowErrorMatchingSnapshot();
|
||||
|
||||
expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockAuthorization.mode.useRbac).toHaveBeenCalled();
|
||||
expect(mockAuthorization.checkPrivilegesWithRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockCheckPrivilegesGlobally).toHaveBeenCalledWith(
|
||||
mockAuthorization.actions.manageSpaces
|
||||
|
@ -1251,7 +1251,7 @@ describe('#delete', () => {
|
|||
const mockAuditLogger = createMockAuditLogger();
|
||||
const mockDebugLogger = createMockDebugLogger();
|
||||
const { mockAuthorization, mockCheckPrivilegesGlobally } = createMockAuthorization();
|
||||
mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
|
||||
mockAuthorization.mode.useRbac.mockReturnValue(true);
|
||||
mockCheckPrivilegesGlobally.mockReturnValue({
|
||||
username,
|
||||
hasAllRequested: true,
|
||||
|
@ -1272,7 +1272,7 @@ describe('#delete', () => {
|
|||
|
||||
await expect(client.delete(id)).rejects.toThrowErrorMatchingSnapshot();
|
||||
|
||||
expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockAuthorization.mode.useRbac).toHaveBeenCalled();
|
||||
expect(mockAuthorization.checkPrivilegesWithRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockCheckPrivilegesGlobally).toHaveBeenCalledWith(
|
||||
mockAuthorization.actions.manageSpaces
|
||||
|
@ -1287,7 +1287,7 @@ describe('#delete', () => {
|
|||
const mockAuditLogger = createMockAuditLogger();
|
||||
const mockDebugLogger = createMockDebugLogger();
|
||||
const { mockAuthorization, mockCheckPrivilegesGlobally } = createMockAuthorization();
|
||||
mockAuthorization.mode.useRbacForRequest.mockReturnValue(true);
|
||||
mockAuthorization.mode.useRbac.mockReturnValue(true);
|
||||
mockCheckPrivilegesGlobally.mockReturnValue({
|
||||
username,
|
||||
hasAllRequested: true,
|
||||
|
@ -1311,7 +1311,7 @@ describe('#delete', () => {
|
|||
|
||||
await client.delete(id);
|
||||
|
||||
expect(mockAuthorization.mode.useRbacForRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockAuthorization.mode.useRbac).toHaveBeenCalled();
|
||||
expect(mockAuthorization.checkPrivilegesWithRequest).toHaveBeenCalledWith(request);
|
||||
expect(mockCheckPrivilegesGlobally).toHaveBeenCalledWith(
|
||||
mockAuthorization.actions.manageSpaces
|
||||
|
|
|
@ -30,7 +30,7 @@ export class SpacesClient {
|
|||
return hasAllRequested;
|
||||
}
|
||||
|
||||
// If not RBAC, then we are legacy, and all legacy users can enumerate all spaces
|
||||
// If not RBAC, then security isn't enabled and we can enumerate all spaces
|
||||
this.debugLogger(`SpacesClient.canEnumerateSpaces, NOT USING RBAC. Result: true`);
|
||||
return true;
|
||||
}
|
||||
|
@ -196,7 +196,7 @@ export class SpacesClient {
|
|||
}
|
||||
|
||||
private useRbac(): boolean {
|
||||
return this.authorization && this.authorization.mode.useRbacForRequest(this.request);
|
||||
return this.authorization && this.authorization.mode.useRbac();
|
||||
}
|
||||
|
||||
private async ensureAuthorizedGlobally(action: string, method: string, forbiddenMessage: string) {
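Review bot: `useRbac()` in the second hunk returns a falsy value both when `mode.useRbac()` says so and when `this.authorization` is simply absent, and `canEnumerateSpaces` in the first hunk then returns `true` with only a debug log line. The new comment equates that path with security being disabled, but nothing visible here ties a missing `authorization` object to that state, so a wiring mistake would presumably fail open without an audit record. I would state the contract on the method, e.g. `// false => no authorization checks are performed; must only happen when security is disabled`. The expression also yields `this.authorization` itself when it is falsy despite the declared `boolean` return type; `return !!this.authorization && this.authorization.mode.useRbac();` keeps the result a real boolean. `canEnumerateSpaces` begins outside the first hunk.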
|
||||
|
|
|
@ -17,10 +17,6 @@ export const AUTHENTICATION = {
|
|||
username: 'a_kibana_legacy_user',
|
||||
password: 'password',
|
||||
},
|
||||
KIBANA_LEGACY_DASHBOARD_ONLY_USER: {
|
||||
username: 'a_kibana_legacy_dashboard_only_user',
|
||||
password: 'password',
|
||||
},
|
||||
KIBANA_DUAL_PRIVILEGES_USER: {
|
||||
username: 'a_kibana_dual_privileges_user',
|
||||
password: 'password',
|
||||
|
|
|
@ -18,17 +18,6 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
|
|||
},
|
||||
});
|
||||
|
||||
await supertest.put('/api/security/role/kibana_legacy_dashboard_only_user').send({
|
||||
elasticsearch: {
|
||||
indices: [
|
||||
{
|
||||
names: ['.kibana'],
|
||||
privileges: ['read', 'view_index_metadata'],
|
||||
},
|
||||
],
|
||||
},
|
||||
});
|
||||
|
||||
await supertest.put('/api/security/role/kibana_dual_privileges_user').send({
|
||||
elasticsearch: {
|
||||
indices: [
|
||||
|
@ -121,16 +110,6 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
|
|||
},
|
||||
});
|
||||
|
||||
await es.shield.putUser({
|
||||
username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.username,
|
||||
body: {
|
||||
password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.password,
|
||||
roles: ['kibana_legacy_dashboard_only_user'],
|
||||
full_name: 'a kibana legacy dashboard only user',
|
||||
email: 'a_kibana_legacy_dashboard_only_user@elastic.co',
|
||||
},
|
||||
});
|
||||
|
||||
await es.shield.putUser({
|
||||
username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.username,
|
||||
body: {
|
||||
|
|
|
@ -67,15 +67,6 @@ const createBulkRequests = (spaceId: string) => [
|
|||
const isGlobalType = (type: string) => type === 'globaltype';
|
||||
|
||||
export function bulkCreateTestSuiteFactory(es: any, esArchiver: any, supertest: SuperTest<any>) {
|
||||
const createExpectLegacyForbidden = (username: string) => (resp: { [key: string]: any }) => {
|
||||
expect(resp.body).to.eql({
|
||||
statusCode: 403,
|
||||
error: 'Forbidden',
|
||||
// eslint-disable-next-line max-len
|
||||
message: `action [indices:data/write/bulk] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/bulk] is unauthorized for user [${username}]`,
|
||||
});
|
||||
};
|
||||
|
||||
const createExpectResults = (spaceId = DEFAULT_SPACE_ID) => async (resp: {
|
||||
[key: string]: any;
|
||||
}) => {
|
||||
|
@ -185,7 +176,6 @@ export function bulkCreateTestSuiteFactory(es: any, esArchiver: any, supertest:
|
|||
|
||||
return {
|
||||
bulkCreateTest,
|
||||
createExpectLegacyForbidden,
|
||||
createExpectResults,
|
||||
expectRbacForbidden,
|
||||
};
|
||||
|
|
|
@ -42,15 +42,6 @@ const createBulkRequests = (spaceId: string) => [
|
|||
];
|
||||
|
||||
export function bulkGetTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
|
||||
const createExpectLegacyForbidden = (username: string) => (resp: { [key: string]: any }) => {
|
||||
expect(resp.body).to.eql({
|
||||
statusCode: 403,
|
||||
error: 'Forbidden',
|
||||
// eslint-disable-next-line max-len
|
||||
message: `action [indices:data/read/mget] is unauthorized for user [${username}]: [security_exception] action [indices:data/read/mget] is unauthorized for user [${username}]`,
|
||||
});
|
||||
};
|
||||
|
||||
const createExpectNotFoundResults = (spaceId: string) => (resp: { [key: string]: any }) => {
|
||||
expect(resp.body).to.eql({
|
||||
saved_objects: [
|
||||
|
@ -157,7 +148,6 @@ export function bulkGetTestSuiteFactory(esArchiver: any, supertest: SuperTest<an
|
|||
|
||||
return {
|
||||
bulkGetTest,
|
||||
createExpectLegacyForbidden,
|
||||
createExpectNotFoundResults,
|
||||
createExpectResults,
|
||||
expectRbacForbidden,
|
||||
|
|
|
@ -36,15 +36,6 @@ const spaceAwareType = 'visualization';
|
|||
const notSpaceAwareType = 'globaltype';
|
||||
|
||||
export function createTestSuiteFactory(es: any, esArchiver: any, supertest: SuperTest<any>) {
|
||||
const createExpectLegacyForbidden = (username: string) => (resp: { [key: string]: any }) => {
|
||||
expect(resp.body).to.eql({
|
||||
statusCode: 403,
|
||||
error: 'Forbidden',
|
||||
// eslint-disable-next-line max-len
|
||||
message: `action [indices:data/write/index] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/index] is unauthorized for user [${username}]`,
|
||||
});
|
||||
};
|
||||
|
||||
const createExpectRbacForbidden = (type: string) => (resp: { [key: string]: any }) => {
|
||||
expect(resp.body).to.eql({
|
||||
statusCode: 403,
|
||||
|
@ -181,7 +172,6 @@ export function createTestSuiteFactory(es: any, esArchiver: any, supertest: Supe
|
|||
createTest.only = makeCreateTest(describe.only);
|
||||
|
||||
return {
|
||||
createExpectLegacyForbidden,
|
||||
createExpectSpaceAwareResults,
|
||||
createTest,
|
||||
expectNotSpaceAwareRbacForbidden,
|
||||
|
|
|
@ -29,15 +29,6 @@ interface DeleteTestDefinition {
|
|||
}
|
||||
|
||||
export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
|
||||
const createExpectLegacyForbidden = (username: string) => (resp: { [key: string]: any }) => {
|
||||
expect(resp.body).to.eql({
|
||||
statusCode: 403,
|
||||
error: 'Forbidden',
|
||||
// eslint-disable-next-line max-len
|
||||
message: `action [indices:data/write/delete] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/delete] is unauthorized for user [${username}]`,
|
||||
});
|
||||
};
|
||||
|
||||
const createExpectNotFound = (spaceId: string, type: string, id: string) => (resp: {
|
||||
[key: string]: any;
|
||||
}) => {
|
||||
|
@ -130,7 +121,6 @@ export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
|
|||
deleteTest.only = makeDeleteTest(describe.only);
|
||||
|
||||
return {
|
||||
createExpectLegacyForbidden,
|
||||
createExpectSpaceAwareNotFound,
|
||||
createExpectUnknownDocNotFound,
|
||||
deleteTest,
|
||||
|
|
|
@ -54,15 +54,6 @@ export function findTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
|
|||
});
|
||||
};
|
||||
|
||||
const createExpectLegacyForbidden = (username: string) => (resp: { [key: string]: any }) => {
|
||||
expect(resp.body).to.eql({
|
||||
statusCode: 403,
|
||||
error: 'Forbidden',
|
||||
// eslint-disable-next-line max-len
|
||||
message: `action [indices:data/read/search] is unauthorized for user [${username}]: [security_exception] action [indices:data/read/search] is unauthorized for user [${username}]`,
|
||||
});
|
||||
};
|
||||
|
||||
const expectNotSpaceAwareResults = (resp: { [key: string]: any }) => {
|
||||
expect(resp.body).to.eql({
|
||||
page: 1,
|
||||
|
@ -195,7 +186,6 @@ export function findTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
|
|||
|
||||
return {
|
||||
createExpectEmpty,
|
||||
createExpectLegacyForbidden,
|
||||
createExpectRbacForbidden,
|
||||
createExpectVisualizationResults,
|
||||
expectNotSpaceAwareResults,
|
||||
|
|
|
@ -36,15 +36,6 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
|
|||
return createExpectNotFound(doesntExistId, spaceId);
|
||||
};
|
||||
|
||||
const createExpectLegacyForbidden = (username: string) => (resp: { [key: string]: any }) => {
|
||||
expect(resp.body).to.eql({
|
||||
statusCode: 403,
|
||||
error: 'Forbidden',
|
||||
// eslint-disable-next-line max-len
|
||||
message: `action [indices:data/read/get] is unauthorized for user [${username}]: [security_exception] action [indices:data/read/get] is unauthorized for user [${username}]`,
|
||||
});
|
||||
};
|
||||
|
||||
const createExpectNotFound = (id: string, spaceId = DEFAULT_SPACE_ID) => (resp: {
|
||||
[key: string]: any;
|
||||
}) => {
|
||||
|
@ -173,7 +164,6 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
|
|||
|
||||
return {
|
||||
createExpectDoesntExistNotFound,
|
||||
createExpectLegacyForbidden,
|
||||
createExpectNotSpaceAwareNotFound,
|
||||
createExpectNotSpaceAwareRbacForbidden,
|
||||
createExpectNotSpaceAwareResults,
|
||||
|
|
|
@ -29,15 +29,6 @@ interface UpdateTestDefinition {
|
|||
}
|
||||
|
||||
export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
|
||||
const createExpectLegacyForbidden = (username: string) => (resp: { [key: string]: any }) => {
|
||||
expect(resp.body).to.eql({
|
||||
statusCode: 403,
|
||||
error: 'Forbidden',
|
||||
// eslint-disable-next-line max-len
|
||||
message: `action [indices:data/write/update] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/update] is unauthorized for user [${username}]`,
|
||||
});
|
||||
};
|
||||
|
||||
const createExpectNotFound = (type: string, id: string, spaceId = DEFAULT_SPACE_ID) => (resp: {
|
||||
[key: string]: any;
|
||||
}) => {
|
||||
|
@ -183,7 +174,6 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
|
|||
updateTest.only = makeUpdateTest(describe.only);
|
||||
|
||||
return {
|
||||
createExpectLegacyForbidden,
|
||||
createExpectDoesntExistNotFound,
|
||||
createExpectSpaceAwareNotFound,
|
||||
expectDoesntExistRbacForbidden,
|
||||
|
|
|
@ -15,12 +15,11 @@ export default function({ getService }: TestInvoker) {
|
|||
const esArchiver = getService('esArchiver');
|
||||
const es = getService('es');
|
||||
|
||||
const {
|
||||
bulkCreateTest,
|
||||
createExpectLegacyForbidden,
|
||||
createExpectResults,
|
||||
expectRbacForbidden,
|
||||
} = bulkCreateTestSuiteFactory(es, esArchiver, supertest);
|
||||
const { bulkCreateTest, createExpectResults, expectRbacForbidden } = bulkCreateTestSuiteFactory(
|
||||
es,
|
||||
esArchiver,
|
||||
supertest
|
||||
);
|
||||
|
||||
describe('_bulk_create', () => {
|
||||
[
|
||||
|
@ -30,7 +29,6 @@ export default function({ getService }: TestInvoker) {
|
|||
noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
|
||||
superuser: AUTHENTICATION.SUPERUSER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
|
||||
readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
|
@ -46,7 +44,6 @@ export default function({ getService }: TestInvoker) {
|
|||
noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
|
||||
superuser: AUTHENTICATION.SUPERUSER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
|
||||
readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
|
@ -63,7 +60,7 @@ export default function({ getService }: TestInvoker) {
|
|||
tests: {
|
||||
default: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.noAccess.username),
|
||||
response: expectRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
@ -82,21 +79,10 @@ export default function({ getService }: TestInvoker) {
|
|||
bulkCreateTest(`legacy user within the ${scenario.spaceId} space`, {
|
||||
user: scenario.users.legacyAll,
|
||||
spaceId: scenario.spaceId,
|
||||
tests: {
|
||||
default: {
|
||||
statusCode: 200,
|
||||
response: createExpectResults(scenario.spaceId),
|
||||
},
|
||||
},
|
||||
});
|
||||
|
||||
bulkCreateTest(`legacy readonly user within the ${scenario.spaceId} space`, {
|
||||
user: scenario.users.legacyRead,
|
||||
spaceId: scenario.spaceId,
|
||||
tests: {
|
||||
default: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.legacyRead.username),
|
||||
response: expectRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
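Review bot: The `legacy user within the ${scenario.spaceId} space` case in the last hunk flips from 200 to 403, but nothing in its title or body says the denial is the intended outcome. As far as these hunks show, it is now the one case here proving that a user relying on direct index privileges is refused. A short comment above it would stop the `legacyAll` fixture from later being removed as dead, e.g. `// direct index privileges must no longer grant access; regression guard for the removed legacy fallback`. The case shares `expectRbacForbidden` with the no-access case, and that matcher's body is outside this view, so it is worth confirming it does not depend on which user was denied. The same applies to the equivalent `@ -83,19 +79,8` hunk in the `_bulk_get` suite; the enclosing `forEach` callback starts and ends outside the hunk.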
|
||||
|
|
|
@ -14,12 +14,10 @@ export default function({ getService }: TestInvoker) {
|
|||
const supertest = getService('supertestWithoutAuth');
|
||||
const esArchiver = getService('esArchiver');
|
||||
|
||||
const {
|
||||
bulkGetTest,
|
||||
createExpectLegacyForbidden,
|
||||
createExpectResults,
|
||||
expectRbacForbidden,
|
||||
} = bulkGetTestSuiteFactory(esArchiver, supertest);
|
||||
const { bulkGetTest, createExpectResults, expectRbacForbidden } = bulkGetTestSuiteFactory(
|
||||
esArchiver,
|
||||
supertest
|
||||
);
|
||||
|
||||
describe('_bulk_get', () => {
|
||||
[
|
||||
|
@ -29,7 +27,6 @@ export default function({ getService }: TestInvoker) {
|
|||
noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
|
||||
superuser: AUTHENTICATION.SUPERUSER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
|
||||
readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
|
@ -45,7 +42,6 @@ export default function({ getService }: TestInvoker) {
|
|||
noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
|
||||
superuser: AUTHENTICATION.SUPERUSER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
|
||||
readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
|
@ -62,7 +58,7 @@ export default function({ getService }: TestInvoker) {
|
|||
tests: {
|
||||
default: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.noAccess.username),
|
||||
response: expectRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
@ -83,19 +79,8 @@ export default function({ getService }: TestInvoker) {
|
|||
spaceId: scenario.spaceId,
|
||||
tests: {
|
||||
default: {
|
||||
statusCode: 200,
|
||||
response: createExpectResults(scenario.spaceId),
|
||||
},
|
||||
},
|
||||
});
|
||||
|
||||
bulkGetTest(`legacy readonly user within the ${scenario.spaceId} space`, {
|
||||
user: scenario.users.legacyRead,
|
||||
spaceId: scenario.spaceId,
|
||||
tests: {
|
||||
default: {
|
||||
statusCode: 200,
|
||||
response: createExpectResults(scenario.spaceId),
|
||||
statusCode: 403,
|
||||
response: expectRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
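Review bot: This suite no longer asserts anything about an account that holds only read index privileges: the `legacy readonly user within the ${scenario.spaceId} space` test is removed outright, and the only legacy case left is `scenario.users.legacyAll`, now expecting `statusCode: 403` with `expectRbacForbidden`. The +/- markers are lost on this page, so which line is dropped from the two scenario `users` maps is inferred from the hunk counts, but it appears to be `legacyRead`. If `AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER` remains in the fixtures, keeping it here as a second 403 case would be cheap and would show that both legacy roles are denied on a read endpoint. A one-line comment above the remaining legacy test, such as `// direct Kibana-index privileges no longer grant access; RBAC 403 expected`, would also explain why "legacy user" is a denied case. The other saved-object suites on this page drop their read-only legacy test in the same way.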
|
|
|
@ -17,7 +17,6 @@ export default function({ getService }: TestInvoker) {
|
|||
|
||||
const {
|
||||
createTest,
|
||||
createExpectLegacyForbidden,
|
||||
createExpectSpaceAwareResults,
|
||||
expectNotSpaceAwareResults,
|
||||
expectNotSpaceAwareRbacForbidden,
|
||||
|
@ -32,7 +31,6 @@ export default function({ getService }: TestInvoker) {
|
|||
noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
|
||||
superuser: AUTHENTICATION.SUPERUSER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
|
||||
readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
|
@ -48,7 +46,6 @@ export default function({ getService }: TestInvoker) {
|
|||
noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
|
||||
superuser: AUTHENTICATION.SUPERUSER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
|
||||
readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
|
@ -59,17 +56,17 @@ export default function({ getService }: TestInvoker) {
|
|||
},
|
||||
},
|
||||
].forEach(scenario => {
|
||||
createTest(`user with no access within the ${scenario.spaceId} space`, {
|
||||
createTest(`user with no access within the ${scenario.spaceId} space`, {
|
||||
user: scenario.users.noAccess,
|
||||
spaceId: scenario.spaceId,
|
||||
tests: {
|
||||
spaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.noAccess.username),
|
||||
response: expectSpaceAwareRbacForbidden,
|
||||
},
|
||||
notSpaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.noAccess.username),
|
||||
response: expectNotSpaceAwareRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
@ -92,29 +89,14 @@ export default function({ getService }: TestInvoker) {
|
|||
createTest(`legacy user within the ${scenario.spaceId} space`, {
|
||||
user: scenario.users.legacyAll,
|
||||
spaceId: scenario.spaceId,
|
||||
tests: {
|
||||
spaceAware: {
|
||||
statusCode: 200,
|
||||
response: createExpectSpaceAwareResults(scenario.spaceId),
|
||||
},
|
||||
notSpaceAware: {
|
||||
statusCode: 200,
|
||||
response: expectNotSpaceAwareResults,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
||||
createTest(`legacy readonly user within the ${scenario.spaceId} space`, {
|
||||
user: scenario.users.legacyRead,
|
||||
spaceId: scenario.spaceId,
|
||||
tests: {
|
||||
spaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.legacyRead.username),
|
||||
response: expectSpaceAwareRbacForbidden,
|
||||
},
|
||||
notSpaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.legacyRead.username),
|
||||
response: expectNotSpaceAwareRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
|
|
@ -16,7 +16,6 @@ export default function({ getService }: TestInvoker) {
|
|||
|
||||
describe('delete', () => {
|
||||
const {
|
||||
createExpectLegacyForbidden,
|
||||
createExpectUnknownDocNotFound,
|
||||
deleteTest,
|
||||
expectEmpty,
|
||||
|
@ -32,7 +31,6 @@ export default function({ getService }: TestInvoker) {
|
|||
noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
|
||||
superuser: AUTHENTICATION.SUPERUSER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
|
||||
readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
|
@ -48,7 +46,6 @@ export default function({ getService }: TestInvoker) {
|
|||
noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
|
||||
superuser: AUTHENTICATION.SUPERUSER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
|
||||
readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
|
@ -65,15 +62,15 @@ export default function({ getService }: TestInvoker) {
|
|||
tests: {
|
||||
spaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.noAccess.username),
|
||||
response: expectRbacSpaceAwareForbidden,
|
||||
},
|
||||
notSpaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.noAccess.username),
|
||||
response: expectRbacNotSpaceAwareForbidden,
|
||||
},
|
||||
invalidId: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.noAccess.username),
|
||||
response: expectRbacInvalidIdForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
@ -100,37 +97,18 @@ export default function({ getService }: TestInvoker) {
|
|||
deleteTest(`legacy user within the ${scenario.spaceId} space`, {
|
||||
user: scenario.users.legacyAll,
|
||||
spaceId: scenario.spaceId,
|
||||
tests: {
|
||||
spaceAware: {
|
||||
statusCode: 200,
|
||||
response: expectEmpty,
|
||||
},
|
||||
notSpaceAware: {
|
||||
statusCode: 200,
|
||||
response: expectEmpty,
|
||||
},
|
||||
invalidId: {
|
||||
statusCode: 404,
|
||||
response: createExpectUnknownDocNotFound(scenario.spaceId),
|
||||
},
|
||||
},
|
||||
});
|
||||
|
||||
deleteTest(`legacy readonly user within the ${scenario.spaceId} space`, {
|
||||
user: scenario.users.legacyRead,
|
||||
spaceId: scenario.spaceId,
|
||||
tests: {
|
||||
spaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.legacyRead.username),
|
||||
response: expectRbacSpaceAwareForbidden,
|
||||
},
|
||||
notSpaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.legacyRead.username),
|
||||
response: expectRbacNotSpaceAwareForbidden,
|
||||
},
|
||||
invalidId: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.legacyRead.username),
|
||||
response: expectRbacInvalidIdForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
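Review bot: The legacy user's `invalidId` case now expects `statusCode: 403` with `expectRbacInvalidIdForbidden`, where the removed expectation was a 404 from `createExpectUnknownDocNotFound(scenario.spaceId)`, and nothing in the test says that the change of status is intended. A comment on that case, for example `// 403 regardless of whether the id exists: unauthorized callers must not learn which ids are present`, would record that this is the desired outcome and not a side effect of the migration. The `doesntExist` cases for the legacy user in the get and update suites change from 404 to 403 in the same way and would benefit from the same comment. The old/new side of each line is inferred from the hunk counts, because the +/- markers are lost on this page.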
|
|
|
@ -18,7 +18,6 @@ export default function({ getService }: TestInvoker) {
|
|||
const {
|
||||
createExpectEmpty,
|
||||
createExpectRbacForbidden,
|
||||
createExpectLegacyForbidden,
|
||||
createExpectVisualizationResults,
|
||||
expectNotSpaceAwareResults,
|
||||
expectTypeRequired,
|
||||
|
@ -32,7 +31,6 @@ export default function({ getService }: TestInvoker) {
|
|||
noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
|
||||
superuser: AUTHENTICATION.SUPERUSER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
|
||||
readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
|
@ -48,7 +46,6 @@ export default function({ getService }: TestInvoker) {
|
|||
noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
|
||||
superuser: AUTHENTICATION.SUPERUSER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
|
||||
readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
|
@ -66,27 +63,27 @@ export default function({ getService }: TestInvoker) {
|
|||
spaceAwareType: {
|
||||
description: 'forbidden login and find visualization message',
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: createExpectRbacForbidden('visualization'),
|
||||
},
|
||||
notSpaceAwareType: {
|
||||
description: 'forbidden login and find globaltype message',
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: createExpectRbacForbidden('globaltype'),
|
||||
},
|
||||
unknownType: {
|
||||
description: 'forbidden login and find wigwags message',
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: createExpectRbacForbidden('wigwags'),
|
||||
},
|
||||
pageBeyondTotal: {
|
||||
description: 'forbidden login and find visualization message',
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: createExpectRbacForbidden('visualization'),
|
||||
},
|
||||
unknownSearchField: {
|
||||
description: 'forbidden login and find wigwags message',
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: createExpectRbacForbidden('wigwags'),
|
||||
},
|
||||
noType: {
|
||||
description: 'bad request, type is required',
|
||||
|
@ -138,66 +135,29 @@ export default function({ getService }: TestInvoker) {
|
|||
spaceId: scenario.spaceId,
|
||||
tests: {
|
||||
spaceAwareType: {
|
||||
description: 'only the visualization',
|
||||
statusCode: 200,
|
||||
response: createExpectVisualizationResults(scenario.spaceId),
|
||||
description: 'forbidden login and find visualization message',
|
||||
statusCode: 403,
|
||||
response: createExpectRbacForbidden('visualization'),
|
||||
},
|
||||
notSpaceAwareType: {
|
||||
description: 'only the globaltype',
|
||||
statusCode: 200,
|
||||
response: expectNotSpaceAwareResults,
|
||||
description: 'forbidden login and find globaltype message',
|
||||
statusCode: 403,
|
||||
response: createExpectRbacForbidden('globaltype'),
|
||||
},
|
||||
unknownType: {
|
||||
description: 'empty result',
|
||||
statusCode: 200,
|
||||
response: createExpectEmpty(1, 20, 0),
|
||||
description: 'forbidden login and find wigwags message',
|
||||
statusCode: 403,
|
||||
response: createExpectRbacForbidden('wigwags'),
|
||||
},
|
||||
pageBeyondTotal: {
|
||||
description: 'empty result',
|
||||
statusCode: 200,
|
||||
response: createExpectEmpty(100, 100, 1),
|
||||
description: 'forbidden login and find visualization message',
|
||||
statusCode: 403,
|
||||
response: createExpectRbacForbidden('visualization'),
|
||||
},
|
||||
unknownSearchField: {
|
||||
description: 'empty result',
|
||||
statusCode: 200,
|
||||
response: createExpectEmpty(1, 20, 0),
|
||||
},
|
||||
noType: {
|
||||
description: 'bad request, type is required',
|
||||
statusCode: 400,
|
||||
response: expectTypeRequired,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
||||
findTest(`legacy readonly user within the ${scenario.spaceId} space`, {
|
||||
user: scenario.users.legacyRead,
|
||||
spaceId: scenario.spaceId,
|
||||
tests: {
|
||||
spaceAwareType: {
|
||||
description: 'only the visualization',
|
||||
statusCode: 200,
|
||||
response: createExpectVisualizationResults(scenario.spaceId),
|
||||
},
|
||||
notSpaceAwareType: {
|
||||
description: 'only the globaltype',
|
||||
statusCode: 200,
|
||||
response: expectNotSpaceAwareResults,
|
||||
},
|
||||
unknownType: {
|
||||
description: 'empty result',
|
||||
statusCode: 200,
|
||||
response: createExpectEmpty(1, 20, 0),
|
||||
},
|
||||
pageBeyondTotal: {
|
||||
description: 'empty result',
|
||||
statusCode: 200,
|
||||
response: createExpectEmpty(100, 100, 1),
|
||||
},
|
||||
unknownSearchField: {
|
||||
description: 'empty result',
|
||||
statusCode: 200,
|
||||
response: createExpectEmpty(1, 20, 0),
|
||||
description: 'forbidden login and find wigwags message',
|
||||
statusCode: 403,
|
||||
response: createExpectRbacForbidden('wigwags'),
|
||||
},
|
||||
noType: {
|
||||
description: 'bad request, type is required',
|
||||
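Review bot: In the legacy user's find test, every case flips to 403 with `createExpectRbacForbidden(...)` except `noType`, which keeps the description `'bad request, type is required'`, and the file does not explain the exception. The status code for that case is outside the hunk; the removed copy showed `statusCode: 400`, so presumably request validation still answers before the authorization check runs. A comment on `noType`, such as `// request validation rejects a missing type before authorization is evaluated, so this is 400 even for a user without Kibana privileges`, would document that ordering for the next person who audits these expectations. The security-only find suite further down this page has the same shape.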
|
|
|
@ -16,7 +16,6 @@ export default function({ getService }: TestInvoker) {
|
|||
|
||||
const {
|
||||
createExpectDoesntExistNotFound,
|
||||
createExpectLegacyForbidden,
|
||||
createExpectSpaceAwareResults,
|
||||
createExpectNotSpaceAwareResults,
|
||||
expectSpaceAwareRbacForbidden,
|
||||
|
@ -33,7 +32,6 @@ export default function({ getService }: TestInvoker) {
|
|||
noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
|
||||
superuser: AUTHENTICATION.SUPERUSER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
|
||||
readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
|
@ -49,7 +47,6 @@ export default function({ getService }: TestInvoker) {
|
|||
noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
|
||||
superuser: AUTHENTICATION.SUPERUSER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
|
||||
readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
|
@ -66,15 +63,15 @@ export default function({ getService }: TestInvoker) {
|
|||
tests: {
|
||||
spaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.noAccess.username),
|
||||
response: expectSpaceAwareRbacForbidden,
|
||||
},
|
||||
notSpaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.noAccess.username),
|
||||
response: expectNotSpaceAwareRbacForbidden,
|
||||
},
|
||||
doesntExist: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.noAccess.username),
|
||||
response: expectDoesntExistRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
@ -103,35 +100,16 @@ export default function({ getService }: TestInvoker) {
|
|||
spaceId: scenario.spaceId,
|
||||
tests: {
|
||||
spaceAware: {
|
||||
statusCode: 200,
|
||||
response: createExpectSpaceAwareResults(scenario.spaceId),
|
||||
statusCode: 403,
|
||||
response: expectSpaceAwareRbacForbidden,
|
||||
},
|
||||
notSpaceAware: {
|
||||
statusCode: 200,
|
||||
response: createExpectNotSpaceAwareResults(scenario.spaceId),
|
||||
statusCode: 403,
|
||||
response: expectNotSpaceAwareRbacForbidden,
|
||||
},
|
||||
doesntExist: {
|
||||
statusCode: 404,
|
||||
response: createExpectDoesntExistNotFound(scenario.spaceId),
|
||||
},
|
||||
},
|
||||
});
|
||||
|
||||
getTest(`legacy readonly user within the ${scenario.spaceId} space`, {
|
||||
user: scenario.users.legacyRead,
|
||||
spaceId: scenario.spaceId,
|
||||
tests: {
|
||||
spaceAware: {
|
||||
statusCode: 200,
|
||||
response: createExpectSpaceAwareResults(scenario.spaceId),
|
||||
},
|
||||
notSpaceAware: {
|
||||
statusCode: 200,
|
||||
response: createExpectNotSpaceAwareResults(scenario.spaceId),
|
||||
},
|
||||
doesntExist: {
|
||||
statusCode: 404,
|
||||
response: createExpectDoesntExistNotFound(scenario.spaceId),
|
||||
statusCode: 403,
|
||||
response: expectDoesntExistRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
|
|
@ -16,7 +16,6 @@ export default function({ getService }: TestInvoker) {
|
|||
|
||||
describe('update', () => {
|
||||
const {
|
||||
createExpectLegacyForbidden,
|
||||
createExpectDoesntExistNotFound,
|
||||
expectDoesntExistRbacForbidden,
|
||||
expectNotSpaceAwareResults,
|
||||
|
@ -33,7 +32,6 @@ export default function({ getService }: TestInvoker) {
|
|||
noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
|
||||
superuser: AUTHENTICATION.SUPERUSER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
|
||||
readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
|
@ -49,7 +47,6 @@ export default function({ getService }: TestInvoker) {
|
|||
noAccess: AUTHENTICATION.NOT_A_KIBANA_USER,
|
||||
superuser: AUTHENTICATION.SUPERUSER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
|
||||
readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
|
@ -66,15 +63,15 @@ export default function({ getService }: TestInvoker) {
|
|||
tests: {
|
||||
spaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: expectSpaceAwareRbacForbidden,
|
||||
},
|
||||
notSpaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: expectNotSpaceAwareRbacForbidden,
|
||||
},
|
||||
doesntExist: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: expectDoesntExistRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
@ -101,37 +98,18 @@ export default function({ getService }: TestInvoker) {
|
|||
updateTest(`legacy user within the ${scenario.spaceId} space`, {
|
||||
user: scenario.users.legacyAll,
|
||||
spaceId: scenario.spaceId,
|
||||
tests: {
|
||||
spaceAware: {
|
||||
statusCode: 200,
|
||||
response: expectSpaceAwareResults,
|
||||
},
|
||||
notSpaceAware: {
|
||||
statusCode: 200,
|
||||
response: expectNotSpaceAwareResults,
|
||||
},
|
||||
doesntExist: {
|
||||
statusCode: 404,
|
||||
response: createExpectDoesntExistNotFound(scenario.spaceId),
|
||||
},
|
||||
},
|
||||
});
|
||||
|
||||
updateTest(`legacy readonly user within the ${scenario.spaceId} space`, {
|
||||
user: scenario.users.legacyRead,
|
||||
spaceId: scenario.spaceId,
|
||||
tests: {
|
||||
spaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.legacyRead.username),
|
||||
response: expectSpaceAwareRbacForbidden,
|
||||
},
|
||||
notSpaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.legacyRead.username),
|
||||
response: expectNotSpaceAwareRbacForbidden,
|
||||
},
|
||||
doesntExist: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.legacyRead.username),
|
||||
response: expectDoesntExistRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
|
|
@ -14,12 +14,11 @@ export default function({ getService }: TestInvoker) {
|
|||
const esArchiver = getService('esArchiver');
|
||||
const es = getService('es');
|
||||
|
||||
const {
|
||||
bulkCreateTest,
|
||||
createExpectLegacyForbidden,
|
||||
createExpectResults,
|
||||
expectRbacForbidden,
|
||||
} = bulkCreateTestSuiteFactory(es, esArchiver, supertest);
|
||||
const { bulkCreateTest, createExpectResults, expectRbacForbidden } = bulkCreateTestSuiteFactory(
|
||||
es,
|
||||
esArchiver,
|
||||
supertest
|
||||
);
|
||||
|
||||
describe('_bulk_create', () => {
|
||||
bulkCreateTest(`user with no access`, {
|
||||
|
@ -27,7 +26,7 @@ export default function({ getService }: TestInvoker) {
|
|||
tests: {
|
||||
default: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: expectRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
@ -44,22 +43,10 @@ export default function({ getService }: TestInvoker) {
|
|||
|
||||
bulkCreateTest(`legacy user`, {
|
||||
user: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
tests: {
|
||||
default: {
|
||||
statusCode: 200,
|
||||
response: createExpectResults(),
|
||||
},
|
||||
},
|
||||
});
|
||||
|
||||
bulkCreateTest(`legacy readonly user`, {
|
||||
user: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
tests: {
|
||||
default: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(
|
||||
AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.username
|
||||
),
|
||||
response: expectRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
|
|
@ -13,12 +13,10 @@ export default function({ getService }: TestInvoker) {
|
|||
const supertest = getService('supertestWithoutAuth');
|
||||
const esArchiver = getService('esArchiver');
|
||||
|
||||
const {
|
||||
bulkGetTest,
|
||||
createExpectLegacyForbidden,
|
||||
createExpectResults,
|
||||
expectRbacForbidden,
|
||||
} = bulkGetTestSuiteFactory(esArchiver, supertest);
|
||||
const { bulkGetTest, createExpectResults, expectRbacForbidden } = bulkGetTestSuiteFactory(
|
||||
esArchiver,
|
||||
supertest
|
||||
);
|
||||
|
||||
describe('_bulk_get', () => {
|
||||
bulkGetTest(`user with no access`, {
|
||||
|
@ -26,7 +24,7 @@ export default function({ getService }: TestInvoker) {
|
|||
tests: {
|
||||
default: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: expectRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
@ -45,18 +43,8 @@ export default function({ getService }: TestInvoker) {
|
|||
user: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
tests: {
|
||||
default: {
|
||||
statusCode: 200,
|
||||
response: createExpectResults(),
|
||||
},
|
||||
},
|
||||
});
|
||||
|
||||
bulkGetTest(`legacy reeadonly user`, {
|
||||
user: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
tests: {
|
||||
default: {
|
||||
statusCode: 200,
|
||||
response: createExpectResults(),
|
||||
statusCode: 403,
|
||||
response: expectRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
|
|
@ -16,7 +16,6 @@ export default function({ getService }: TestInvoker) {
|
|||
|
||||
const {
|
||||
createTest,
|
||||
createExpectLegacyForbidden,
|
||||
createExpectSpaceAwareResults,
|
||||
expectNotSpaceAwareResults,
|
||||
expectNotSpaceAwareRbacForbidden,
|
||||
|
@ -29,11 +28,11 @@ export default function({ getService }: TestInvoker) {
|
|||
tests: {
|
||||
spaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: expectSpaceAwareRbacForbidden,
|
||||
},
|
||||
notSpaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: expectNotSpaceAwareRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
@ -54,32 +53,14 @@ export default function({ getService }: TestInvoker) {
|
|||
|
||||
createTest(`legacy user`, {
|
||||
user: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
tests: {
|
||||
spaceAware: {
|
||||
statusCode: 200,
|
||||
response: createExpectSpaceAwareResults(),
|
||||
},
|
||||
notSpaceAware: {
|
||||
statusCode: 200,
|
||||
response: expectNotSpaceAwareResults,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
||||
createTest(`legacy readonly user`, {
|
||||
user: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
tests: {
|
||||
spaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(
|
||||
AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.username
|
||||
),
|
||||
response: expectSpaceAwareRbacForbidden,
|
||||
},
|
||||
notSpaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(
|
||||
AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.username
|
||||
),
|
||||
response: expectNotSpaceAwareRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
|
|
@ -15,7 +15,6 @@ export default function({ getService }: TestInvoker) {
|
|||
|
||||
describe('delete', () => {
|
||||
const {
|
||||
createExpectLegacyForbidden,
|
||||
createExpectUnknownDocNotFound,
|
||||
deleteTest,
|
||||
expectEmpty,
|
||||
|
@ -29,15 +28,15 @@ export default function({ getService }: TestInvoker) {
|
|||
tests: {
|
||||
spaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: expectRbacSpaceAwareForbidden,
|
||||
},
|
||||
notSpaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: expectRbacNotSpaceAwareForbidden,
|
||||
},
|
||||
invalidId: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: expectRbacInvalidIdForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
@ -62,42 +61,18 @@ export default function({ getService }: TestInvoker) {
|
|||
|
||||
deleteTest(`legacy user`, {
|
||||
user: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
tests: {
|
||||
spaceAware: {
|
||||
statusCode: 200,
|
||||
response: expectEmpty,
|
||||
},
|
||||
notSpaceAware: {
|
||||
statusCode: 200,
|
||||
response: expectEmpty,
|
||||
},
|
||||
invalidId: {
|
||||
statusCode: 404,
|
||||
response: createExpectUnknownDocNotFound(),
|
||||
},
|
||||
},
|
||||
});
|
||||
|
||||
deleteTest(`legacy readonly user`, {
|
||||
user: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
tests: {
|
||||
spaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(
|
||||
AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.username
|
||||
),
|
||||
response: expectRbacSpaceAwareForbidden,
|
||||
},
|
||||
notSpaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(
|
||||
AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.username
|
||||
),
|
||||
response: expectRbacNotSpaceAwareForbidden,
|
||||
},
|
||||
invalidId: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(
|
||||
AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.username
|
||||
),
|
||||
response: expectRbacInvalidIdForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
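Review bot: The forbidden-response helpers used in this delete suite are named `expectRbacSpaceAwareForbidden`, `expectRbacNotSpaceAwareForbidden` and `expectRbacInvalidIdForbidden`, while the create, get and update suites in the same commit use the other word order, `expectSpaceAwareRbacForbidden` and `expectNotSpaceAwareRbacForbidden`. Now that every denied case goes through these helpers, a single naming order across the suite factories would make the 403 expectations easier to search for and compare when auditing authorization coverage. The helpers are defined in the delete suite factory, which is not shown on this page, so the rename would have to start there. The spaces variant of the delete test earlier on the page uses the same three names.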
|
|
|
@ -17,7 +17,6 @@ export default function({ getService }: TestInvoker) {
|
|||
const {
|
||||
createExpectEmpty,
|
||||
createExpectRbacForbidden,
|
||||
createExpectLegacyForbidden,
|
||||
createExpectVisualizationResults,
|
||||
expectNotSpaceAwareResults,
|
||||
expectTypeRequired,
|
||||
|
@ -30,27 +29,27 @@ export default function({ getService }: TestInvoker) {
|
|||
spaceAwareType: {
|
||||
description: 'forbidden login and find visualization message',
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: createExpectRbacForbidden('visualization'),
|
||||
},
|
||||
notSpaceAwareType: {
|
||||
description: 'forbidden legacy message',
|
||||
description: 'forbidden login and find globaltype message',
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: createExpectRbacForbidden('globaltype'),
|
||||
},
|
||||
unknownType: {
|
||||
description: 'forbidden login and find wigwags message',
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: createExpectRbacForbidden('wigwags'),
|
||||
},
|
||||
pageBeyondTotal: {
|
||||
description: 'forbidden login and find visualization message',
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: createExpectRbacForbidden('visualization'),
|
||||
},
|
||||
unknownSearchField: {
|
||||
description: 'forbidden login and find wigwags message',
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: createExpectRbacForbidden('wigwags'),
|
||||
},
|
||||
noType: {
|
||||
description: 'bad request, type is required',
|
||||
|
@ -100,65 +99,29 @@ export default function({ getService }: TestInvoker) {
|
|||
user: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
tests: {
|
||||
spaceAwareType: {
|
||||
description: 'only the visualization',
|
||||
statusCode: 200,
|
||||
response: createExpectVisualizationResults(),
|
||||
description: 'forbidden login and find visualization message',
|
||||
statusCode: 403,
|
||||
response: createExpectRbacForbidden('visualization'),
|
||||
},
|
||||
notSpaceAwareType: {
|
||||
description: 'only the globaltype',
|
||||
statusCode: 200,
|
||||
response: expectNotSpaceAwareResults,
|
||||
description: 'forbidden login and find globaltype message',
|
||||
statusCode: 403,
|
||||
response: createExpectRbacForbidden('globaltype'),
|
||||
},
|
||||
unknownType: {
|
||||
description: 'empty result',
|
||||
statusCode: 200,
|
||||
response: createExpectEmpty(1, 20, 0),
|
||||
description: 'forbidden login and find wigwags message',
|
||||
statusCode: 403,
|
||||
response: createExpectRbacForbidden('wigwags'),
|
||||
},
|
||||
pageBeyondTotal: {
|
||||
description: 'empty result',
|
||||
statusCode: 200,
|
||||
response: createExpectEmpty(100, 100, 1),
|
||||
description: 'forbidden login and find visualization message',
|
||||
statusCode: 403,
|
||||
response: createExpectRbacForbidden('visualization'),
|
||||
},
|
||||
unknownSearchField: {
|
||||
description: 'empty result',
|
||||
statusCode: 200,
|
||||
response: createExpectEmpty(1, 20, 0),
|
||||
},
|
||||
noType: {
|
||||
description: 'bad request, type is required',
|
||||
statusCode: 400,
|
||||
response: expectTypeRequired,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
||||
findTest(`legacy readonly user`, {
|
||||
user: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
tests: {
|
||||
spaceAwareType: {
|
||||
description: 'only the visualization',
|
||||
statusCode: 200,
|
||||
response: createExpectVisualizationResults(),
|
||||
},
|
||||
notSpaceAwareType: {
|
||||
description: 'only the globaltype',
|
||||
statusCode: 200,
|
||||
response: expectNotSpaceAwareResults,
|
||||
},
|
||||
unknownType: {
|
||||
description: 'empty result',
|
||||
statusCode: 200,
|
||||
response: createExpectEmpty(1, 20, 0),
|
||||
},
|
||||
pageBeyondTotal: {
|
||||
description: 'empty result',
|
||||
statusCode: 200,
|
||||
response: createExpectEmpty(100, 100, 1),
|
||||
},
|
||||
unknownSearchField: {
|
||||
description: 'empty result',
|
||||
statusCode: 200,
|
||||
response: createExpectEmpty(1, 20, 0),
|
||||
description: 'forbidden login and find wigwags message',
|
||||
statusCode: 403,
|
||||
response: createExpectRbacForbidden('wigwags'),
|
||||
},
|
||||
noType: {
|
||||
description: 'bad request, type is required',
|
||||
|
|
|
@ -15,7 +15,6 @@ export default function({ getService }: TestInvoker) {
|
|||
|
||||
const {
|
||||
createExpectDoesntExistNotFound,
|
||||
createExpectLegacyForbidden,
|
||||
createExpectSpaceAwareResults,
|
||||
createExpectNotSpaceAwareResults,
|
||||
expectSpaceAwareRbacForbidden,
|
||||
|
@ -30,15 +29,15 @@ export default function({ getService }: TestInvoker) {
|
|||
tests: {
|
||||
spaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: expectSpaceAwareRbacForbidden,
|
||||
},
|
||||
notSpaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: expectNotSpaceAwareRbacForbidden,
|
||||
},
|
||||
doesntExist: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: expectDoesntExistRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
@ -65,34 +64,16 @@ export default function({ getService }: TestInvoker) {
|
|||
user: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
tests: {
|
||||
spaceAware: {
|
||||
statusCode: 200,
|
||||
response: createExpectSpaceAwareResults(),
|
||||
statusCode: 403,
|
||||
response: expectSpaceAwareRbacForbidden,
|
||||
},
|
||||
notSpaceAware: {
|
||||
statusCode: 200,
|
||||
response: createExpectNotSpaceAwareResults(),
|
||||
statusCode: 403,
|
||||
response: expectNotSpaceAwareRbacForbidden,
|
||||
},
|
||||
doesntExist: {
|
||||
statusCode: 404,
|
||||
response: createExpectDoesntExistNotFound(),
|
||||
},
|
||||
},
|
||||
});
|
||||
|
||||
getTest(`legacy readonly user`, {
|
||||
user: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
tests: {
|
||||
spaceAware: {
|
||||
statusCode: 200,
|
||||
response: createExpectSpaceAwareResults(),
|
||||
},
|
||||
notSpaceAware: {
|
||||
statusCode: 200,
|
||||
response: createExpectNotSpaceAwareResults(),
|
||||
},
|
||||
doesntExist: {
|
||||
statusCode: 404,
|
||||
response: createExpectDoesntExistNotFound(),
|
||||
statusCode: 403,
|
||||
response: expectDoesntExistRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
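Review bot: The `legacy readonly user` case is deleted in the last hunk rather than converted to a denial expectation, so nothing in this file still asserts that a role holding only read-level index privileges on the Kibana index is refused. The surviving `legacy user` case does exercise the index-privilege path with 403s, so the trim may be deliberate, but a guard for the read-only shape is cheap. It would keep `user: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER` and expect `statusCode: 403` with `expectSpaceAwareRbacForbidden`, `expectNotSpaceAwareRbacForbidden` and `expectDoesntExistRbacForbidden`, which also means keeping the user and role fixtures that later sections remove. The same removal recurs in the update suite and in the spaces create, delete, get, get_all, select and update suites further down. The enclosing `export default function` starts and ends outside these hunks.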
|
||||
|
|
|
@ -16,7 +16,6 @@ export default function({ getService }: TestInvoker) {
|
|||
describe('update', () => {
|
||||
const {
|
||||
createExpectDoesntExistNotFound,
|
||||
createExpectLegacyForbidden,
|
||||
expectDoesntExistRbacForbidden,
|
||||
expectNotSpaceAwareResults,
|
||||
expectNotSpaceAwareRbacForbidden,
|
||||
|
@ -30,15 +29,15 @@ export default function({ getService }: TestInvoker) {
|
|||
tests: {
|
||||
spaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: expectSpaceAwareRbacForbidden,
|
||||
},
|
||||
notSpaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: expectNotSpaceAwareRbacForbidden,
|
||||
},
|
||||
doesntExist: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.username),
|
||||
response: expectDoesntExistRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
@ -63,42 +62,18 @@ export default function({ getService }: TestInvoker) {
|
|||
|
||||
updateTest(`legacy user`, {
|
||||
user: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
tests: {
|
||||
spaceAware: {
|
||||
statusCode: 200,
|
||||
response: expectSpaceAwareResults,
|
||||
},
|
||||
notSpaceAware: {
|
||||
statusCode: 200,
|
||||
response: expectNotSpaceAwareResults,
|
||||
},
|
||||
doesntExist: {
|
||||
statusCode: 404,
|
||||
response: createExpectDoesntExistNotFound(),
|
||||
},
|
||||
},
|
||||
});
|
||||
|
||||
updateTest(`legacy readonly user`, {
|
||||
user: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
tests: {
|
||||
spaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(
|
||||
AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.username
|
||||
),
|
||||
response: expectSpaceAwareRbacForbidden,
|
||||
},
|
||||
notSpaceAware: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(
|
||||
AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.username
|
||||
),
|
||||
response: expectNotSpaceAwareRbacForbidden,
|
||||
},
|
||||
doesntExist: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(
|
||||
AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.username
|
||||
),
|
||||
response: expectDoesntExistRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
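Review bot: The `doesntExist` expectation for the legacy user moves from 404 to 403 in the last hunk with no comment saying why, and the reason is worth recording next to the assertion. A caller without Kibana privileges now gets the same status for a missing object as for an existing one. Presumably the authorization check runs before the lookup, so the status cannot be used to probe which ids exist. A one-line comment above `doesntExist`, such as `// 403, not 404: unauthorized callers must not learn whether the object exists`, would keep a later edit from changing it back. The spaces delete, get and update suites below make the same 404-to-403 change, and the enclosing function continues outside this hunk.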
|
||||
|
|
|
@ -17,10 +17,6 @@ export const AUTHENTICATION = {
|
|||
username: 'a_kibana_legacy_user',
|
||||
password: 'password',
|
||||
},
|
||||
KIBANA_LEGACY_DASHBOARD_ONLY_USER: {
|
||||
username: 'a_kibana_legacy_dashboard_only_user',
|
||||
password: 'password',
|
||||
},
|
||||
KIBANA_DUAL_PRIVILEGES_USER: {
|
||||
username: 'a_kibana_dual_privileges_user',
|
||||
password: 'password',
|
||||
|
|
|
@ -18,17 +18,6 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
|
|||
},
|
||||
});
|
||||
|
||||
await supertest.put('/api/security/role/kibana_legacy_dashboard_only_user').send({
|
||||
elasticsearch: {
|
||||
indices: [
|
||||
{
|
||||
names: ['.kibana*'],
|
||||
privileges: ['read', 'view_index_metadata'],
|
||||
},
|
||||
],
|
||||
},
|
||||
});
|
||||
|
||||
await supertest.put('/api/security/role/kibana_dual_privileges_user').send({
|
||||
elasticsearch: {
|
||||
indices: [
|
||||
|
@ -155,16 +144,6 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest<any>) =>
|
|||
},
|
||||
});
|
||||
|
||||
await es.shield.putUser({
|
||||
username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.username,
|
||||
body: {
|
||||
password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.password,
|
||||
roles: ['kibana_legacy_dashboard_only_user'],
|
||||
full_name: 'a kibana legacy dashboard only user',
|
||||
email: 'a_kibana_legacy_dashboard_only_user@elastic.co',
|
||||
},
|
||||
});
|
||||
|
||||
await es.shield.putUser({
|
||||
username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.username,
|
||||
body: {
|
||||
|
|
|
@ -27,16 +27,6 @@ interface CreateTestDefinition {
|
|||
}
|
||||
|
||||
export function createTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
|
||||
const createExpectLegacyForbiddenResponse = (username: string, action = 'write/index') => (resp: {
|
||||
[key: string]: any;
|
||||
}) => {
|
||||
expect(resp.body).to.eql({
|
||||
statusCode: 403,
|
||||
error: 'Forbidden',
|
||||
message: `action [indices:data/${action}] is unauthorized for user [${username}]: [security_exception] action [indices:data/${action}] is unauthorized for user [${username}]`,
|
||||
});
|
||||
};
|
||||
|
||||
const expectConflictResponse = (resp: { [key: string]: any }) => {
|
||||
expect(resp.body).to.only.have.keys(['error', 'message', 'statusCode']);
|
||||
expect(resp.body.error).to.equal('Conflict');
|
||||
|
@ -132,7 +122,6 @@ export function createTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
|
|||
createTest.only = makeCreateTest(describe.only);
|
||||
|
||||
return {
|
||||
createExpectLegacyForbiddenResponse,
|
||||
createTest,
|
||||
expectConflictResponse,
|
||||
expectNewSpaceResult,
|
||||
|
|
|
@ -26,16 +26,6 @@ interface DeleteTestDefinition {
|
|||
}
|
||||
|
||||
export function deleteTestSuiteFactory(es: any, esArchiver: any, supertest: SuperTest<any>) {
|
||||
const createExpectLegacyForbidden = (username: string, action: string) => (resp: {
|
||||
[key: string]: any;
|
||||
}) => {
|
||||
expect(resp.body).to.eql({
|
||||
statusCode: 403,
|
||||
error: 'Forbidden',
|
||||
message: `action [indices:data/${action}] is unauthorized for user [${username}]: [security_exception] action [indices:data/${action}] is unauthorized for user [${username}]`,
|
||||
});
|
||||
};
|
||||
|
||||
const createExpectResult = (expectedResult: any) => (resp: { [key: string]: any }) => {
|
||||
expect(resp.body).to.eql(expectedResult);
|
||||
};
|
||||
|
@ -201,7 +191,6 @@ export function deleteTestSuiteFactory(es: any, esArchiver: any, supertest: Supe
|
|||
deleteTest.only = makeDeleteTest(describe.only);
|
||||
|
||||
return {
|
||||
createExpectLegacyForbidden,
|
||||
createExpectResult,
|
||||
deleteTest,
|
||||
expectEmptyResult,
|
||||
|
|
|
@ -31,14 +31,6 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperAgent<any>)
|
|||
expect(resp.body).to.eql('');
|
||||
};
|
||||
|
||||
const createExpectLegacyForbidden = (username: string) => (resp: { [key: string]: any }) => {
|
||||
expect(resp.body).to.eql({
|
||||
statusCode: 403,
|
||||
error: 'Forbidden',
|
||||
message: `action [indices:data/read/get] is unauthorized for user [${username}]: [security_exception] action [indices:data/read/get] is unauthorized for user [${username}]`,
|
||||
});
|
||||
};
|
||||
|
||||
const createExpectNotFoundResult = () => (resp: { [key: string]: any }) => {
|
||||
expect(resp.body).to.eql({
|
||||
error: 'Not Found',
|
||||
|
@ -104,7 +96,6 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperAgent<any>)
|
|||
createExpectRbacForbidden,
|
||||
createExpectEmptyResult,
|
||||
createExpectNotFoundResult,
|
||||
createExpectLegacyForbidden,
|
||||
getTest,
|
||||
nonExistantSpaceId,
|
||||
};
|
||||
|
|
|
@ -24,14 +24,6 @@ interface GetAllTestDefinition {
|
|||
}
|
||||
|
||||
export function getAllTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>) {
|
||||
const createExpectLegacyForbidden = (username: string) => (resp: { [key: string]: any }) => {
|
||||
expect(resp.body).to.eql({
|
||||
statusCode: 403,
|
||||
error: 'Forbidden',
|
||||
message: `action [indices:data/read/search] is unauthorized for user [${username}]: [security_exception] action [indices:data/read/search] is unauthorized for user [${username}]`,
|
||||
});
|
||||
};
|
||||
|
||||
const createExpectResults = (...spaceIds: string[]) => (resp: { [key: string]: any }) => {
|
||||
const expectedBody = [
|
||||
{
|
||||
|
@ -58,6 +50,14 @@ export function getAllTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
|
|||
expect(resp.body).to.eql('');
|
||||
};
|
||||
|
||||
const expectRbacForbidden = (resp: { [key: string]: any }) => {
|
||||
expect(resp.body).to.eql({
|
||||
error: 'Forbidden',
|
||||
message: 'Forbidden',
|
||||
statusCode: 403,
|
||||
});
|
||||
};
|
||||
|
||||
const makeGetAllTest = (describeFn: DescribeFn) => (
|
||||
description: string,
|
||||
{ user = {}, spaceId, tests }: GetAllTestDefinition
|
||||
|
@ -82,7 +82,7 @@ export function getAllTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
|
|||
|
||||
return {
|
||||
createExpectResults,
|
||||
createExpectLegacyForbidden,
|
||||
expectRbacForbidden,
|
||||
getAllTest,
|
||||
expectEmptyResult,
|
||||
};
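Review bot: The new `expectRbacForbidden` helper has no comment, and what it pins is not obvious from the name alone. It asserts the whole body with `to.eql`, so the response must be exactly the generic `Forbidden` object. The helper it replaces expected an Elasticsearch `security_exception` message that named the action and the username. I would add `// Exact match on the generic body: fails if the Elasticsearch action or username reappears in the message` above it. `getAllTestSuiteFactory` begins and ends outside these hunks.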
|
||||
|
|
|
@ -33,14 +33,6 @@ export function selectTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
|
|||
expect(resp.body).to.eql('');
|
||||
};
|
||||
|
||||
const createExpectLegacyForbidden = (username: string) => (resp: { [key: string]: any }) => {
|
||||
expect(resp.body).to.eql({
|
||||
statusCode: 403,
|
||||
error: 'Forbidden',
|
||||
message: `action [indices:data/read/get] is unauthorized for user [${username}]: [security_exception] action [indices:data/read/get] is unauthorized for user [${username}]`,
|
||||
});
|
||||
};
|
||||
|
||||
const createExpectNotFoundResult = () => (resp: { [key: string]: any }) => {
|
||||
expect(resp.body).to.eql({
|
||||
error: 'Not Found',
|
||||
|
@ -119,7 +111,6 @@ export function selectTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
|
|||
|
||||
return {
|
||||
createExpectEmptyResult,
|
||||
createExpectLegacyForbidden,
|
||||
createExpectNotFoundResult,
|
||||
createExpectRbacForbidden,
|
||||
createExpectResults,
|
||||
|
|
|
@ -34,14 +34,6 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
|
|||
});
|
||||
};
|
||||
|
||||
const createExpectLegacyForbidden = (username: string) => (resp: { [key: string]: any }) => {
|
||||
expect(resp.body).to.eql({
|
||||
statusCode: 403,
|
||||
error: 'Forbidden',
|
||||
message: `action [indices:data/write/update] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/update] is unauthorized for user [${username}]`,
|
||||
});
|
||||
};
|
||||
|
||||
const expectNotFound = (resp: { [key: string]: any }) => {
|
||||
expect(resp.body).to.eql({
|
||||
error: 'Not Found',
|
||||
|
@ -134,7 +126,6 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest<any
|
|||
updateTest.only = makeUpdateTest(describe.only);
|
||||
|
||||
return {
|
||||
createExpectLegacyForbidden,
|
||||
expectAlreadyExistsResult,
|
||||
expectDefaultSpaceResult,
|
||||
expectNotFound,
|
||||
|
|
|
@ -20,7 +20,6 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
|
|||
expectReservedSpecifiedResult,
|
||||
expectConflictResponse,
|
||||
expectRbacForbiddenResponse,
|
||||
createExpectLegacyForbiddenResponse,
|
||||
} = createTestSuiteFactory(esArchiver, supertestWithoutAuth);
|
||||
|
||||
describe('create', () => {
|
||||
|
@ -34,7 +33,6 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
|
|||
readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
|
||||
allAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
|
||||
},
|
||||
|
@ -48,7 +46,6 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
|
|||
readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
|
||||
allAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
|
||||
},
|
||||
|
@ -60,24 +57,15 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
|
|||
tests: {
|
||||
newSpace: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbiddenResponse(
|
||||
scenario.users.noAccess.username,
|
||||
'read/search'
|
||||
),
|
||||
response: expectRbacForbiddenResponse,
|
||||
},
|
||||
alreadyExists: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbiddenResponse(
|
||||
scenario.users.noAccess.username,
|
||||
'read/search'
|
||||
),
|
||||
response: expectRbacForbiddenResponse,
|
||||
},
|
||||
reservedSpecified: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbiddenResponse(
|
||||
scenario.users.noAccess.username,
|
||||
'read/search'
|
||||
),
|
||||
response: expectRbacForbiddenResponse,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
@ -144,16 +132,16 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
|
|||
user: scenario.users.legacyAll,
|
||||
tests: {
|
||||
newSpace: {
|
||||
statusCode: 200,
|
||||
response: expectNewSpaceResult,
|
||||
statusCode: 403,
|
||||
response: expectRbacForbiddenResponse,
|
||||
},
|
||||
alreadyExists: {
|
||||
statusCode: 409,
|
||||
response: expectConflictResponse,
|
||||
statusCode: 403,
|
||||
response: expectRbacForbiddenResponse,
|
||||
},
|
||||
reservedSpecified: {
|
||||
statusCode: 200,
|
||||
response: expectReservedSpecifiedResult,
|
||||
statusCode: 403,
|
||||
response: expectRbacForbiddenResponse,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
@ -196,25 +184,6 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) {
|
|||
},
|
||||
});
|
||||
|
||||
createTest(`legacy readonly user from the ${scenario.spaceId} space`, {
|
||||
spaceId: scenario.spaceId,
|
||||
user: scenario.users.legacyRead,
|
||||
tests: {
|
||||
newSpace: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbiddenResponse(scenario.users.legacyRead.username),
|
||||
},
|
||||
alreadyExists: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbiddenResponse(scenario.users.legacyRead.username),
|
||||
},
|
||||
reservedSpecified: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbiddenResponse(scenario.users.legacyRead.username),
|
||||
},
|
||||
},
|
||||
});
|
||||
|
||||
createTest(`rbac user with all at space from the ${scenario.spaceId} space`, {
|
||||
spaceId: scenario.spaceId,
|
||||
user: scenario.users.allAtSpace,
|
||||
|
|
|
@ -17,7 +17,6 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
|
|||
|
||||
const {
|
||||
deleteTest,
|
||||
createExpectLegacyForbidden,
|
||||
expectRbacForbidden,
|
||||
expectEmptyResult,
|
||||
expectNotFound,
|
||||
|
@ -35,7 +34,6 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
|
|||
readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
|
||||
allAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
|
||||
},
|
||||
|
@ -49,7 +47,6 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
|
|||
readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
|
||||
allAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
|
||||
},
|
||||
|
@ -61,15 +58,15 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
|
|||
tests: {
|
||||
exists: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.noAccess.username, 'read/get'),
|
||||
response: expectRbacForbidden,
|
||||
},
|
||||
reservedSpace: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.noAccess.username, 'read/get'),
|
||||
response: expectRbacForbidden,
|
||||
},
|
||||
doesntExist: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.noAccess.username, 'read/get'),
|
||||
response: expectRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
@ -136,16 +133,16 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
|
|||
user: scenario.users.legacyAll,
|
||||
tests: {
|
||||
exists: {
|
||||
statusCode: 204,
|
||||
response: expectEmptyResult,
|
||||
statusCode: 403,
|
||||
response: expectRbacForbidden,
|
||||
},
|
||||
reservedSpace: {
|
||||
statusCode: 400,
|
||||
response: expectReservedSpaceResult,
|
||||
statusCode: 403,
|
||||
response: expectRbacForbidden,
|
||||
},
|
||||
doesntExist: {
|
||||
statusCode: 404,
|
||||
response: expectNotFound,
|
||||
statusCode: 403,
|
||||
response: expectRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
@ -188,28 +185,6 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) {
|
|||
},
|
||||
});
|
||||
|
||||
deleteTest(`legacy readonly user from the ${scenario.spaceId} space`, {
|
||||
spaceId: scenario.spaceId,
|
||||
user: scenario.users.legacyRead,
|
||||
tests: {
|
||||
exists: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(
|
||||
scenario.users.legacyRead.username,
|
||||
'write/delete'
|
||||
),
|
||||
},
|
||||
reservedSpace: {
|
||||
statusCode: 400,
|
||||
response: expectReservedSpaceResult,
|
||||
},
|
||||
doesntExist: {
|
||||
statusCode: 404,
|
||||
response: expectNotFound,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
||||
deleteTest(`rbac user with all at space from the ${scenario.spaceId} space`, {
|
||||
spaceId: scenario.spaceId,
|
||||
user: scenario.users.allAtSpace,
|
||||
|
|
|
@ -19,7 +19,6 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
|
|||
createExpectResults,
|
||||
createExpectNotFoundResult,
|
||||
createExpectRbacForbidden,
|
||||
createExpectLegacyForbidden,
|
||||
nonExistantSpaceId,
|
||||
} = getTestSuiteFactory(esArchiver, supertestWithoutAuth);
|
||||
|
||||
|
@ -37,7 +36,6 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
|
|||
readAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
|
||||
allAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
|
||||
},
|
||||
|
@ -54,7 +52,6 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
|
|||
readAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
|
||||
allAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
|
||||
},
|
||||
|
@ -67,7 +64,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
|
|||
tests: {
|
||||
default: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.noAccess.username),
|
||||
response: createExpectRbacForbidden(scenario.spaceId),
|
||||
},
|
||||
},
|
||||
});
|
||||
|
@ -114,8 +111,8 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
|
|||
user: scenario.users.legacyAll,
|
||||
tests: {
|
||||
default: {
|
||||
statusCode: 200,
|
||||
response: createExpectResults(scenario.spaceId),
|
||||
statusCode: 403,
|
||||
response: createExpectRbacForbidden(scenario.spaceId),
|
||||
},
|
||||
},
|
||||
});
|
||||
|
@ -144,18 +141,6 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
|
|||
},
|
||||
});
|
||||
|
||||
getTest(`legacy readonly`, {
|
||||
currentSpaceId: scenario.spaceId,
|
||||
spaceId: scenario.spaceId,
|
||||
user: scenario.users.legacyRead,
|
||||
tests: {
|
||||
default: {
|
||||
statusCode: 200,
|
||||
response: createExpectResults(scenario.spaceId),
|
||||
},
|
||||
},
|
||||
});
|
||||
|
||||
getTest(`rbac user with read at space from the ${scenario.spaceId} space`, {
|
||||
currentSpaceId: scenario.spaceId,
|
||||
spaceId: scenario.spaceId,
|
||||
|
@ -196,7 +181,6 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
|
|||
readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
|
||||
allAtDefaultSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
|
||||
},
|
||||
|
@ -232,8 +216,8 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
|
|||
user: scenario.users.legacyAll,
|
||||
tests: {
|
||||
default: {
|
||||
statusCode: 404,
|
||||
response: createExpectNotFoundResult(),
|
||||
statusCode: 403,
|
||||
response: createExpectRbacForbidden(scenario.otherSpaceId),
|
||||
},
|
||||
},
|
||||
});
|
||||
|
@ -262,18 +246,6 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) {
|
|||
},
|
||||
});
|
||||
|
||||
getTest(`legacy readonly user`, {
|
||||
currentSpaceId: scenario.spaceId,
|
||||
spaceId: scenario.otherSpaceId,
|
||||
user: scenario.users.legacyRead,
|
||||
tests: {
|
||||
default: {
|
||||
statusCode: 404,
|
||||
response: createExpectNotFoundResult(),
|
||||
},
|
||||
},
|
||||
});
|
||||
|
||||
getTest(`rbac user with all at default space`, {
|
||||
currentSpaceId: scenario.spaceId,
|
||||
spaceId: scenario.otherSpaceId,
|
||||
|
|
|
@ -14,7 +14,7 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
|
|||
const supertestWithoutAuth = getService('supertestWithoutAuth');
|
||||
const esArchiver = getService('esArchiver');
|
||||
|
||||
const { getAllTest, createExpectResults, createExpectLegacyForbidden } = getAllTestSuiteFactory(
|
||||
const { getAllTest, createExpectResults, expectRbacForbidden } = getAllTestSuiteFactory(
|
||||
esArchiver,
|
||||
supertestWithoutAuth
|
||||
);
|
||||
|
@ -33,7 +33,6 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
|
|||
allAtDefaultSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
|
||||
readAtDefaultSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
|
||||
},
|
||||
|
@ -50,7 +49,6 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
|
|||
allAtDefaultSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
|
||||
readAtDefaultSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
|
||||
},
|
||||
|
@ -62,7 +60,7 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
|
|||
tests: {
|
||||
exists: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.noAccess.username),
|
||||
response: expectRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
@ -100,13 +98,13 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
|
|||
},
|
||||
});
|
||||
|
||||
getAllTest(`legacy user can access all spaces from ${scenario.spaceId}`, {
|
||||
getAllTest(`legacy user can't access any spaces from ${scenario.spaceId}`, {
|
||||
spaceId: scenario.spaceId,
|
||||
user: scenario.users.legacyAll,
|
||||
tests: {
|
||||
exists: {
|
||||
statusCode: 200,
|
||||
response: createExpectResults('default', 'space_1', 'space_2'),
|
||||
statusCode: 403,
|
||||
response: expectRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
@ -133,17 +131,6 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) {
|
|||
},
|
||||
});
|
||||
|
||||
getAllTest(`legacy readonly user can access all spaces from ${scenario.spaceId}`, {
|
||||
spaceId: scenario.spaceId,
|
||||
user: scenario.users.legacyRead,
|
||||
tests: {
|
||||
exists: {
|
||||
statusCode: 200,
|
||||
response: createExpectResults('default', 'space_1', 'space_2'),
|
||||
},
|
||||
},
|
||||
});
|
||||
|
||||
getAllTest(`rbac user with all at space_1 can access space_1 from ${scenario.spaceId}`, {
|
||||
spaceId: scenario.spaceId,
|
||||
user: scenario.users.allAtSpace_1,
|
||||
|
|
|
@ -20,7 +20,6 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
|
|||
createExpectSpaceResponse,
|
||||
createExpectRbacForbidden,
|
||||
createExpectNotFoundResult,
|
||||
createExpectLegacyForbidden,
|
||||
} = selectTestSuiteFactory(esArchiver, supertestWithoutAuth);
|
||||
|
||||
describe('select', () => {
|
||||
|
@ -35,7 +34,6 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
|
|||
allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
|
||||
readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
|
||||
},
|
||||
|
@ -49,7 +47,6 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
|
|||
allGlobally: AUTHENTICATION.KIBANA_RBAC_USER,
|
||||
readGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
|
||||
},
|
||||
|
@ -66,7 +63,7 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
|
|||
tests: {
|
||||
default: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.noAccess.username),
|
||||
response: createExpectRbacForbidden(scenario.selectSpaceId),
|
||||
},
|
||||
},
|
||||
}
|
||||
|
@ -131,8 +128,8 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
|
|||
user: scenario.users.legacyAll,
|
||||
tests: {
|
||||
default: {
|
||||
statusCode: 200,
|
||||
response: createExpectSpaceResponse(scenario.selectSpaceId),
|
||||
statusCode: 403,
|
||||
response: createExpectRbacForbidden(scenario.selectSpaceId),
|
||||
},
|
||||
},
|
||||
}
|
||||
|
@ -169,22 +166,6 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) {
|
|||
},
|
||||
}
|
||||
);
|
||||
|
||||
selectTest(
|
||||
`legacy readonly user selects ${scenario.selectSpaceId} space
|
||||
from the ${scenario.currentSpaceId} space`,
|
||||
{
|
||||
currentSpaceId: scenario.currentSpaceId,
|
||||
selectSpaceId: scenario.selectSpaceId,
|
||||
user: scenario.users.legacyRead,
|
||||
tests: {
|
||||
default: {
|
||||
statusCode: 200,
|
||||
response: createExpectSpaceResponse(scenario.selectSpaceId),
|
||||
},
|
||||
},
|
||||
}
|
||||
);
|
||||
});
|
||||
|
||||
// Select the same space that you're currently in with users which have space specific privileges.
|
||||
|
|
|
@ -20,7 +20,6 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
|
|||
expectAlreadyExistsResult,
|
||||
expectDefaultSpaceResult,
|
||||
expectRbacForbidden,
|
||||
createExpectLegacyForbidden,
|
||||
} = updateTestSuiteFactory(esArchiver, supertestWithoutAuth);
|
||||
|
||||
describe('update', () => {
|
||||
|
@ -35,7 +34,6 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
|
|||
allAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
|
||||
readAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
|
||||
},
|
||||
|
@ -50,7 +48,6 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
|
|||
allAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
|
||||
readAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
|
||||
legacyAll: AUTHENTICATION.KIBANA_LEGACY_USER,
|
||||
legacyRead: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER,
|
||||
dualAll: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER,
|
||||
dualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER,
|
||||
},
|
||||
|
@ -62,15 +59,15 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
|
|||
tests: {
|
||||
alreadyExists: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.noAccess.username),
|
||||
response: expectRbacForbidden,
|
||||
},
|
||||
defaultSpace: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.noAccess.username),
|
||||
response: expectRbacForbidden,
|
||||
},
|
||||
newSpace: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.noAccess.username),
|
||||
response: expectRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
@ -137,16 +134,16 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
|
|||
user: scenario.users.legacyAll,
|
||||
tests: {
|
||||
alreadyExists: {
|
||||
statusCode: 200,
|
||||
response: expectAlreadyExistsResult,
|
||||
statusCode: 403,
|
||||
response: expectRbacForbidden,
|
||||
},
|
||||
defaultSpace: {
|
||||
statusCode: 200,
|
||||
response: expectDefaultSpaceResult,
|
||||
statusCode: 403,
|
||||
response: expectRbacForbidden,
|
||||
},
|
||||
newSpace: {
|
||||
statusCode: 404,
|
||||
response: expectNotFound,
|
||||
statusCode: 403,
|
||||
response: expectRbacForbidden,
|
||||
},
|
||||
},
|
||||
});
|
||||
|
@ -189,25 +186,6 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) {
|
|||
},
|
||||
});
|
||||
|
||||
updateTest(`legacy readonly user from the ${scenario.spaceId} space`, {
|
||||
spaceId: scenario.spaceId,
|
||||
user: scenario.users.legacyRead,
|
||||
tests: {
|
||||
alreadyExists: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.legacyRead.username),
|
||||
},
|
||||
defaultSpace: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.legacyRead.username),
|
||||
},
|
||||
newSpace: {
|
||||
statusCode: 403,
|
||||
response: createExpectLegacyForbidden(scenario.users.legacyRead.username),
|
||||
},
|
||||
},
|
||||
});
|
||||
|
||||
updateTest(`rbac user with all at space from the ${scenario.spaceId} space`, {
|
||||
spaceId: scenario.spaceId,
|
||||
user: scenario.users.allAtSpace,
|
||||
|
|