Removes Kibana version from authorization model to support zero-downtime upgrades (#156280)

Closes https://github.com/elastic/kibana/issues/153820

## Summary

This PR removes the version string from all actions, and removes the
actions.version property altogether. This supports zero-downtime
upgrades, which require that user actions continue to be authorized
while an upgrade is in progress.

### Caveats
Without the version string or version property, we will no longer check
for a strict match of Kibana versions in a cluster ('Multiple versions
of Kibana are running against the same Elasticsearch cluster, unable to
authorize user'). We do not feel this will be an issue - the check was
originally an extra precaution to ensure future versions could not
inadvertently grant additional privileges to users by default, but this
is no longer considered a real concern.

### Questions
Will we need any further changes to support ZDT upgrades? During
testing, I had attempted to run two different versions of Kibana
containing versionless actions to see if there would be any unforeseen
issues. Unfortunately, there are many other mechanisms which interfere
with doing this and it was not possible to circumvent them all. The
on-prem and ESS upgrade paths appear to work as expected, where after
migration everything behaves as it should but without versioned actions.

## Testing
This change can be tested by creating one or more roles with specific
privileges in various categories/solutions, assigning those roles to
different users, logging in as those users and validating that the
appropriate actions are either allowed or blocked.

Additionally, start ES & Kibana 8.8.0 and perform the steps above, then
stop Kibana 8.8.0, and start Kibana from this PR with
`elasticsearch.ignoreVersionMismatch` set to true. Re-check privileges
for the test roles. Check the master list of actions with `GET
/_security/privilege` and verify that the version number is not
included.

Relevant automated tests:
-
x-pack/plugins/security/server/authorization/authorization_service.test.ts
-
x-pack/plugins/security/server/authorization/privileges/privileges.test.ts
- x-pack/plugins/security/server/authorization/api_authorization.test.ts
- x-pack/plugins/security/server/authorization/app_authorization.test.ts
- x-pack/plugins/security/server/authorization/actions/actions.test.ts
- x-pack/plugins/security/server/authorization/actions/app.test.ts 
- x-pack/plugins/security/server/authorization/actions/cases.test.ts 
-
x-pack/plugins/security/server/authorization/actions/saved_object.test.ts
- x-pack/plugins/security/server/authorization/actions/space.test.ts 
- x-pack/plugins/security/server/authorization/actions/ui.test.ts    
- x-pack/plugins/security/server/authorization/actions/alerting.test.ts
- x-pack/plugins/security/server/authorization/actions/api.test.ts  
- x-pack/plugins/features/server/oss_features.test.ts   
-
x-pack/plugins/security/server/authorization/register_privileges_with_cluster.test.ts
- x-pack/plugins/security/server/authorization/check_privileges.test.ts
-
x-pack/plugins/security/server/authorization/privileges/feature_privilege_builder/alerting.test.ts
-
x-pack/plugins/security/server/authorization/privileges/feature_privilege_builder/cases.test.ts
- x-pack/plugins/fleet/jest.integration.config.js
-
x-pack/plugins/fleet/server/integration_tests/upgrade_package_install_version.test.ts
-
x-pack/plugins/fleet/server/integration_tests/reset_preconfiguration.test.ts
- x-pack/plugins/security/server/saved_objects/ensure_authorized.test.ts
-
x-pack/plugins/security/server/saved_objects/authorization_utils.test.ts
-
x-pack/plugins/security/server/saved_objects/saved_objects_security_extension.test.ts
- x-pack/plugins/security/server/plugin.test.ts

Flaky test runner:
https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/2205
Jeramy Soucy 2023-05-10 09:05:13 -04:00 committed by GitHub
parent dcf1bd1e12
commit 1a3343dc82
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
31 changed files with 372 additions and 690 deletions


@ -27,11 +27,7 @@ export const createRawKibanaPrivileges = (
hasAtLeast: (licenseType: LicenseType) => licenseType === 'basic',
};
return privilegesFactory(
new Actions('unit_test_version'),
featuresService,
licensingService
).get();
return privilegesFactory(new Actions(), featuresService, licensingService).get();
};
export const createKibanaPrivileges = (


@ -24,15 +24,14 @@ jest.mock('./cases');
const create = (versionNumber: string) => {
const t = {
api: new ApiActions(versionNumber),
app: new AppActions(versionNumber),
api: new ApiActions(),
app: new AppActions(),
login: 'login:',
savedObject: new SavedObjectActions(versionNumber),
alerting: new AlertingActions(versionNumber),
cases: new CasesActions(versionNumber),
space: new SpaceActions(versionNumber),
ui: new UIActions(versionNumber),
version: `version:${versionNumber}`,
savedObject: new SavedObjectActions(),
alerting: new AlertingActions(),
cases: new CasesActions(),
space: new SpaceActions(),
ui: new UIActions(),
} as unknown as jest.Mocked<Actions>;
return t;
};
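Review bot: `create` still declares `versionNumber: string`, but after this change no line in its body reads it, so the mock factory accepts an argument that has no effect. I would change the signature to `const create = () => {` and drop the argument at the call sites, which are outside this hunk. Keeping the parameter suggests the mocked action strings still vary by version, which they no longer do.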


@ -7,27 +7,10 @@
import { Actions } from './actions';
describe('#constructor', () => {
test(`doesn't allow an empty string`, () => {
expect(() => new Actions('')).toThrowErrorMatchingInlineSnapshot(
`"version can't be an empty string"`
);
});
});
describe('#login', () => {
test('returns login:', () => {
const actions = new Actions('mock-version');
const actions = new Actions();
expect(actions.login).toBe('login:');
});
});
describe('#version', () => {
test("returns `version:${config.get('pkg.version')}`", () => {
const version = 'mock-version';
const actions = new Actions(version);
expect(actions.version).toBe(`version:${version}`);
});
});


@ -26,21 +26,15 @@ export class Actions {
public readonly alerting: AlertingActions;
public readonly space: SpaceActions;
public readonly ui: UIActions;
public readonly version: string;
constructor(private readonly versionNumber: string) {
if (versionNumber === '') {
throw new Error(`version can't be an empty string`);
}
this.api = new ApiActions(this.versionNumber);
this.app = new AppActions(this.versionNumber);
this.cases = new CasesActions(this.versionNumber);
constructor() {
this.api = new ApiActions();
this.app = new AppActions();
this.cases = new CasesActions();
this.login = 'login:';
this.savedObject = new SavedObjectActions(this.versionNumber);
this.alerting = new AlertingActions(this.versionNumber);
this.space = new SpaceActions(this.versionNumber);
this.ui = new UIActions(this.versionNumber);
this.version = `version:${this.versionNumber}`;
this.savedObject = new SavedObjectActions();
this.alerting = new AlertingActions();
this.space = new SpaceActions();
this.ui = new UIActions();
}
}
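Review bot: The versionless `constructor()` has no comment stating that the action strings it builds are now the same for every Kibana version. The commit description says the removed version action was what refused authorization when several Kibana versions shared one Elasticsearch cluster. Without it, a later rename or change in meaning of an action string would presumably apply to nodes of both versions at once during an upgrade. I would add a class comment along the lines of `/** Action strings carry no version; treat their format as a stable contract across Kibana versions. */`. The class declaration itself starts outside this hunk.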


@ -7,12 +7,10 @@
import { AlertingActions } from './alerting';
const version = '1.0.0-zeta1';
describe('#get', () => {
[null, undefined, '', 1, true, {}].forEach((ruleType: any) => {
test(`ruleType of ${JSON.stringify(ruleType)} throws error`, () => {
const alertingActions = new AlertingActions(version);
const alertingActions = new AlertingActions();
expect(() =>
alertingActions.get(ruleType, 'consumer', 'alertingType', 'foo-action')
).toThrowErrorMatchingSnapshot();
@ -21,7 +19,7 @@ describe('#get', () => {
[null, undefined, '', 1, true, {}].forEach((operation: any) => {
test(`operation of ${JSON.stringify(operation)} throws error`, () => {
const alertingActions = new AlertingActions(version);
const alertingActions = new AlertingActions();
expect(() =>
alertingActions.get('foo-ruleType', 'consumer', 'alertingType', operation)
).toThrowErrorMatchingSnapshot();
@ -30,7 +28,7 @@ describe('#get', () => {
[null, '', 1, true, undefined, {}].forEach((consumer: any) => {
test(`consumer of ${JSON.stringify(consumer)} throws error`, () => {
const alertingActions = new AlertingActions(version);
const alertingActions = new AlertingActions();
expect(() =>
alertingActions.get('foo-ruleType', consumer, 'alertingType', 'operation')
).toThrowErrorMatchingSnapshot();
@ -39,7 +37,7 @@ describe('#get', () => {
[null, '', 1, true, undefined, {}].forEach((alertingType: any) => {
test(`alertingType of ${JSON.stringify(alertingType)} throws error`, () => {
const alertingActions = new AlertingActions(version);
const alertingActions = new AlertingActions();
expect(() =>
alertingActions.get('foo-ruleType', 'consumer', alertingType, 'operation')
).toThrowErrorMatchingSnapshot();
@ -47,9 +45,9 @@ describe('#get', () => {
});
test('returns `alerting:${ruleType}/${consumer}/${alertingType}/${operation}`', () => {
const alertingActions = new AlertingActions(version);
const alertingActions = new AlertingActions();
expect(alertingActions.get('foo-ruleType', 'consumer', 'alertingType', 'bar-operation')).toBe(
'alerting:1.0.0-zeta1:foo-ruleType/consumer/alertingType/bar-operation'
'alerting:foo-ruleType/consumer/alertingType/bar-operation'
);
});
});


@ -10,8 +10,8 @@ import { isString } from 'lodash';
export class AlertingActions {
private readonly prefix: string;
constructor(versionNumber: string) {
this.prefix = `alerting:${versionNumber}:`;
constructor() {
this.prefix = `alerting:`;
}
public get(
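Review bot: The new constructor takes no arguments and assigns `prefix` from a template literal that no longer interpolates anything, so both the constructor and the backticks are leftovers of the versioned form. A field initializer says the same thing with less code: `private readonly prefix = 'alerting:';`, with the constructor removed. The same applies to the `ApiActions`, `AppActions`, `CasesActions`, `SavedObjectActions`, `SpaceActions` and `UIActions` sections further down. The class body continues outside this hunk.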


@ -7,18 +7,16 @@
import { ApiActions } from './api';
const version = '1.0.0-zeta1';
describe('#get', () => {
[null, undefined, '', 1, true, {}].forEach((operation: any) => {
test(`operation of ${JSON.stringify(operation)} throws error`, () => {
const apiActions = new ApiActions(version);
const apiActions = new ApiActions();
expect(() => apiActions.get(operation)).toThrowErrorMatchingSnapshot();
});
});
test('returns `api:${version}:${operation}`', () => {
const apiActions = new ApiActions(version);
expect(apiActions.get('foo-operation')).toBe('api:1.0.0-zeta1:foo-operation');
test('returns `api:${operation}`', () => {
const apiActions = new ApiActions();
expect(apiActions.get('foo-operation')).toBe('api:foo-operation');
});
});


@ -10,8 +10,8 @@ import { isString } from 'lodash';
export class ApiActions {
private readonly prefix: string;
constructor(versionNumber: string) {
this.prefix = `api:${versionNumber}:`;
constructor() {
this.prefix = `api:`;
}
public get(operation: string) {


@ -7,18 +7,11 @@
import { AppActions } from './app';
const version = '1.0.0-zeta1';
describe('#get', () => {
[null, undefined, '', 1, true, {}].forEach((appid: any) => {
test(`appId of ${JSON.stringify(appid)} throws error`, () => {
const appActions = new AppActions(version);
const appActions = new AppActions();
expect(() => appActions.get(appid)).toThrowErrorMatchingSnapshot();
});
});
test('returns `app:${version}:${appId}`', () => {
const appActions = new AppActions(version);
expect(appActions.get('foo-app')).toBe('app:1.0.0-zeta1:foo-app');
});
});
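Review bot: The positive-path assertion for `AppActions.get` appears to be dropped rather than updated. The hunk header shrinks from 18 to 11 lines and no versionless counterpart of the "returns app:…" test is printed, unlike in the api, cases, space and ui test files. If that reading is right, the `app:` action format is covered only by the error-case snapshots. I would keep the test in its updated form, with `const appActions = new AppActions();` and `expect(appActions.get('foo-app')).toBe('app:foo-app');`.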


@ -10,8 +10,8 @@ import { isString } from 'lodash';
export class AppActions {
private readonly prefix: string;
constructor(versionNumber: string) {
this.prefix = `app:${versionNumber}:`;
constructor() {
this.prefix = `app:`;
}
public get(appId: string) {


@ -7,8 +7,6 @@
import { CasesActions } from './cases';
const version = '1.0.0-zeta1';
describe('#get', () => {
it.each`
operation
@ -19,7 +17,7 @@ describe('#get', () => {
${true}
${{}}
`(`operation of ${JSON.stringify('$operation')}`, ({ operation }) => {
const actions = new CasesActions(version);
const actions = new CasesActions();
expect(() => actions.get('owner', operation)).toThrowErrorMatchingSnapshot();
});
@ -32,14 +30,12 @@ describe('#get', () => {
${true}
${{}}
`(`owner of ${JSON.stringify('$owner')}`, ({ owner }) => {
const actions = new CasesActions(version);
const actions = new CasesActions();
expect(() => actions.get(owner, 'operation')).toThrowErrorMatchingSnapshot();
});
it('returns `cases:${owner}/${operation}`', () => {
const alertingActions = new CasesActions(version);
expect(alertingActions.get('security', 'bar-operation')).toBe(
'cases:1.0.0-zeta1:security/bar-operation'
);
const alertingActions = new CasesActions();
expect(alertingActions.get('security', 'bar-operation')).toBe('cases:security/bar-operation');
});
});


@ -10,8 +10,8 @@ import { isString } from 'lodash';
export class CasesActions {
private readonly prefix: string;
constructor(versionNumber: string) {
this.prefix = `cases:${versionNumber}:`;
constructor() {
this.prefix = `cases:`;
}
public get(owner: string, operation: string): string {


@ -7,12 +7,10 @@
import { SavedObjectActions } from './saved_object';
const version = '1.0.0-zeta1';
describe('#get', () => {
[null, undefined, '', 1, true, {}].forEach((type: any) => {
test(`type of ${JSON.stringify(type)} throws error`, () => {
const savedObjectActions = new SavedObjectActions(version);
const savedObjectActions = new SavedObjectActions();
expect(() => savedObjectActions.get(type, 'foo-action')).toThrowError(
'type is required and must be a string'
);
@ -21,7 +19,7 @@ describe('#get', () => {
[null, undefined, '', 1, true, {}].forEach((operation: any) => {
test(`operation of ${JSON.stringify(operation)} throws error`, () => {
const savedObjectActions = new SavedObjectActions(version);
const savedObjectActions = new SavedObjectActions();
expect(() => savedObjectActions.get('foo-type', operation)).toThrowError(
'operation is required and must be a string'
);
@ -29,9 +27,9 @@ describe('#get', () => {
});
test('returns `saved_object:${type}/${operation}`', () => {
const savedObjectActions = new SavedObjectActions(version);
const savedObjectActions = new SavedObjectActions();
expect(savedObjectActions.get('foo-type', 'bar-operation')).toBe(
'saved_object:1.0.0-zeta1:foo-type/bar-operation'
'saved_object:foo-type/bar-operation'
);
});
});


@ -10,8 +10,8 @@ import { isString } from 'lodash';
export class SavedObjectActions {
private readonly prefix: string;
constructor(versionNumber: string) {
this.prefix = `saved_object:${versionNumber}:`;
constructor() {
this.prefix = `saved_object:`;
}
public get(type: string, operation: string): string {


@ -7,11 +7,9 @@
import { SpaceActions } from './space';
const version = '1.0.0-zeta1';
describe(`#manage`, () => {
test('returns `space:${version}:manage`', () => {
const spaceActions = new SpaceActions(version);
expect(spaceActions.manage).toBe('space:1.0.0-zeta1:manage');
test('returns `space:manage`', () => {
const spaceActions = new SpaceActions();
expect(spaceActions.manage).toBe('space:manage');
});
});


@ -8,8 +8,8 @@
export class SpaceActions {
private readonly prefix: string;
constructor(versionNumber: string) {
this.prefix = `space:${versionNumber}:`;
constructor() {
this.prefix = `space:`;
}
public get manage(): string {


@ -7,32 +7,28 @@
import { UIActions } from './ui';
const version = '1.0.0-zeta1';
describe('#get', () => {
[null, undefined, '', 1, true, {}].forEach((featureId: any) => {
test(`featureId of ${JSON.stringify(featureId)} throws error`, () => {
const uiActions = new UIActions(version);
const uiActions = new UIActions();
expect(() => uiActions.get(featureId, 'foo-capability')).toThrowErrorMatchingSnapshot();
});
});
[null, undefined, '', 1, true, '!'].forEach((uiCapability: any) => {
test(`uiCapability of ${JSON.stringify(uiCapability)} throws error`, () => {
const uiActions = new UIActions(version);
const uiActions = new UIActions();
expect(() => uiActions.get('foo', uiCapability)).toThrowErrorMatchingSnapshot();
});
});
test('returns `ui:${version}:${featureId}/${uiCapaility}`', () => {
const uiActions = new UIActions(version);
expect(uiActions.get('foo', 'foo-capability')).toBe('ui:1.0.0-zeta1:foo/foo-capability');
test('returns `ui:${featureId}/${uiCapaility}`', () => {
const uiActions = new UIActions();
expect(uiActions.get('foo', 'foo-capability')).toBe('ui:foo/foo-capability');
});
test('returns `ui:${version}:${featureId}/${uiCapabilityPart}/${uiCapabilitySubPart}', () => {
const uiActions = new UIActions(version);
expect(uiActions.get('foo', 'fooCapability', 'subFoo')).toBe(
'ui:1.0.0-zeta1:foo/fooCapability/subFoo'
);
test('returns `ui:${featureId}/${uiCapabilityPart}/${uiCapabilitySubPart}', () => {
const uiActions = new UIActions();
expect(uiActions.get('foo', 'fooCapability', 'subFoo')).toBe('ui:foo/fooCapability/subFoo');
});
});
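Review bot: The rewritten test titles keep the `uiCapaility` misspelling, and the last title opens a backtick before `ui:` that is never closed. Both lines are edited by this change anyway, so I would spell the placeholder `uiCapability` and close the backtick at the end of the second title. These titles are what appear in failure output, so they should match the format the assertions check.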


@ -13,8 +13,8 @@ import { uiCapabilitiesRegex } from '@kbn/features-plugin/server';
export class UIActions {
private readonly prefix: string;
constructor(versionNumber: string) {
this.prefix = `ui:${versionNumber}:`;
constructor() {
this.prefix = `ui:`;
}
public get(featureId: keyof UICapabilities, ...uiCapabilityParts: string[]) {


@ -84,7 +84,6 @@ it(`#setup returns exposed services`, () => {
customBranding: mockCoreSetup.customBranding,
});
expect(authz.actions.version).toBe('version:some-version');
expect(authz.applicationName).toBe(application);
expect(authz.checkPrivilegesWithRequest).toBe(mockCheckPrivilegesWithRequest);


@ -125,7 +125,7 @@ export class AuthorizationService {
this.applicationName = `${APPLICATION_PREFIX}${kibanaIndexName}`;
const mode = authorizationModeFactory(license);
const actions = new Actions(packageVersion);
const actions = new Actions();
this.privileges = privilegesFactory(actions, features, license);
const { checkPrivilegesWithRequest, checkUserProfilesPrivileges } = checkPrivilegesFactory(
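Review bot: `packageVersion` is no longer passed to `new Actions()`, and nothing in the visible lines reads it. If that was its only use in this method, it should be removed from the method's parameters and from the callers rather than left as dead input. The method starts and ends outside this hunk, so this needs checking against the full file.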


@ -17,7 +17,6 @@ const application = 'kibana-our_application';
const mockActions = {
login: 'mock-action:login',
version: 'mock-action:version',
};
const savedObjectTypes = ['foo-type', 'bar-type'];
@ -82,13 +81,12 @@ describe('#checkPrivilegesWithRequest.atSpace', () => {
resources: [`space:${options.spaceId}`],
privileges: options.kibanaPrivileges
? uniq([
mockActions.version,
mockActions.login,
...(Array.isArray(options.kibanaPrivileges)
? options.kibanaPrivileges
: [options.kibanaPrivileges]),
])
: [mockActions.version, mockActions.login],
: [mockActions.login],
},
],
},
@ -111,7 +109,6 @@ describe('#checkPrivilegesWithRequest.atSpace', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
},
},
},
@ -149,7 +146,6 @@ describe('#checkPrivilegesWithRequest.atSpace', () => {
[application]: {
'space:space_1': {
[mockActions.login]: false,
[mockActions.version]: true,
},
},
},
@ -176,28 +172,6 @@ describe('#checkPrivilegesWithRequest.atSpace', () => {
`);
});
test(`throws error when checking for login and user has login but doesn't have version`, async () => {
const result = await checkPrivilegesAtSpaceTest({
spaceId: 'space_1',
kibanaPrivileges: mockActions.login,
esHasPrivilegesResponse: {
has_all_requested: false,
username: 'foo-username',
application: {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: false,
},
},
},
},
});
expect(result).toMatchInlineSnapshot(
`[Error: Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.]`
);
});
test(`successful when checking for two actions and the user has both`, async () => {
const result = await checkPrivilegesAtSpaceTest({
spaceId: 'space_1',
@ -212,7 +186,6 @@ describe('#checkPrivilegesWithRequest.atSpace', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: true,
[`saved_object:${savedObjectTypes[1]}/get`]: true,
},
@ -260,7 +233,6 @@ describe('#checkPrivilegesWithRequest.atSpace', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: false,
[`saved_object:${savedObjectTypes[1]}/get`]: true,
},
@ -306,7 +278,6 @@ describe('#checkPrivilegesWithRequest.atSpace', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: false,
[`saved_object:${savedObjectTypes[1]}/get`]: true,
},
@ -330,7 +301,6 @@ describe('#checkPrivilegesWithRequest.atSpace', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
},
},
},
@ -361,7 +331,6 @@ describe('#checkPrivilegesWithRequest.atSpace', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: true,
[`saved_object:${savedObjectTypes[1]}/get`]: true,
},
@ -427,7 +396,6 @@ describe('#checkPrivilegesWithRequest.atSpace', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: false,
[`saved_object:${savedObjectTypes[1]}/get`]: false,
},
@ -493,7 +461,6 @@ describe('#checkPrivilegesWithRequest.atSpace', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: true,
[`saved_object:${savedObjectTypes[1]}/get`]: true,
},
@ -559,7 +526,6 @@ describe('#checkPrivilegesWithRequest.atSpace', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: false,
[`saved_object:${savedObjectTypes[1]}/get`]: false,
},
@ -623,7 +589,6 @@ describe('#checkPrivilegesWithRequest.atSpace', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
},
},
},
@ -675,7 +640,6 @@ describe('#checkPrivilegesWithRequest.atSpace', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
},
},
},
@ -739,7 +703,6 @@ describe('#checkPrivilegesWithRequest.atSpace', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
},
},
},
@ -816,7 +779,6 @@ describe('#checkPrivilegesWithRequest.atSpace', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
},
},
},
@ -884,9 +846,7 @@ describe('#checkPrivilegesWithRequest.atSpace', () => {
index: {},
application: {
[application]: {
'space:space_1': {
[mockActions.version]: true,
},
'space:space_1': {},
},
},
});
@ -906,7 +866,7 @@ describe('#checkPrivilegesWithRequest.atSpace', () => {
{
application,
resources: [`space:space_1`],
privileges: [mockActions.version],
privileges: [],
},
],
},
@ -964,13 +924,12 @@ describe('#checkPrivilegesWithRequest.atSpaces', () => {
resources: options.spaceIds.map((spaceId) => `space:${spaceId}`),
privileges: options.kibanaPrivileges
? uniq([
mockActions.version,
mockActions.login,
...(Array.isArray(options.kibanaPrivileges)
? options.kibanaPrivileges
: [options.kibanaPrivileges]),
])
: [mockActions.version, mockActions.login],
: [mockActions.login],
},
],
},
@ -993,11 +952,9 @@ describe('#checkPrivilegesWithRequest.atSpaces', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
},
'space:space_2': {
[mockActions.login]: true,
[mockActions.version]: true,
},
},
},
@ -1040,11 +997,9 @@ describe('#checkPrivilegesWithRequest.atSpaces', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
},
'space:space_2': {
[mockActions.login]: false,
[mockActions.version]: true,
},
},
},
@ -1076,32 +1031,6 @@ describe('#checkPrivilegesWithRequest.atSpaces', () => {
`);
});
test(`throws error when checking for login and user has login but doesn't have version`, async () => {
const result = await checkPrivilegesAtSpacesTest({
spaceIds: ['space_1', 'space_2'],
kibanaPrivileges: mockActions.login,
esHasPrivilegesResponse: {
has_all_requested: false,
username: 'foo-username',
application: {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: false,
},
'space:space_2': {
[mockActions.login]: true,
[mockActions.version]: false,
},
},
},
},
});
expect(result).toMatchInlineSnapshot(
`[Error: Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.]`
);
});
test(`throws error when Elasticsearch returns malformed response`, async () => {
const result = await checkPrivilegesAtSpacesTest({
spaceIds: ['space_1', 'space_2'],
@ -1145,13 +1074,11 @@ describe('#checkPrivilegesWithRequest.atSpaces', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: true,
[`saved_object:${savedObjectTypes[1]}/get`]: true,
},
'space:space_2': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: true,
[`saved_object:${savedObjectTypes[1]}/get`]: true,
},
@ -1209,13 +1136,11 @@ describe('#checkPrivilegesWithRequest.atSpaces', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: true,
[`saved_object:${savedObjectTypes[1]}/get`]: false,
},
'space:space_2': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: false,
[`saved_object:${savedObjectTypes[1]}/get`]: false,
},
@ -1273,13 +1198,11 @@ describe('#checkPrivilegesWithRequest.atSpaces', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: true,
[`saved_object:${savedObjectTypes[1]}/get`]: true,
},
'space:space_2': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: false,
[`saved_object:${savedObjectTypes[1]}/get`]: false,
},
@ -1337,13 +1260,11 @@ describe('#checkPrivilegesWithRequest.atSpaces', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: true,
[`saved_object:${savedObjectTypes[1]}/get`]: true,
},
'space:space_2': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: true,
[`saved_object:${savedObjectTypes[1]}/get`]: false,
},
@ -1399,13 +1320,11 @@ describe('#checkPrivilegesWithRequest.atSpaces', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: false,
[`saved_object:${savedObjectTypes[1]}/get`]: true,
},
'space:space_2': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: false,
},
},
@ -1428,11 +1347,9 @@ describe('#checkPrivilegesWithRequest.atSpaces', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
},
'space:space_2': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: false,
},
},
@ -1455,17 +1372,14 @@ describe('#checkPrivilegesWithRequest.atSpaces', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: false,
},
'space:space_2': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: false,
},
'space:space_3': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: false,
},
},
@ -1488,7 +1402,6 @@ describe('#checkPrivilegesWithRequest.atSpaces', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: false,
},
},
@ -1520,13 +1433,11 @@ describe('#checkPrivilegesWithRequest.atSpaces', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: true,
[`saved_object:${savedObjectTypes[1]}/get`]: true,
},
'space:space_2': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: true,
[`saved_object:${savedObjectTypes[1]}/get`]: true,
},
@ -1602,13 +1513,11 @@ describe('#checkPrivilegesWithRequest.atSpaces', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: false,
[`saved_object:${savedObjectTypes[1]}/get`]: false,
},
'space:space_2': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: false,
[`saved_object:${savedObjectTypes[1]}/get`]: false,
},
@ -1684,13 +1593,11 @@ describe('#checkPrivilegesWithRequest.atSpaces', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: true,
[`saved_object:${savedObjectTypes[1]}/get`]: true,
},
'space:space_2': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: true,
[`saved_object:${savedObjectTypes[1]}/get`]: true,
},
@ -1766,13 +1673,11 @@ describe('#checkPrivilegesWithRequest.atSpaces', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: false,
[`saved_object:${savedObjectTypes[1]}/get`]: false,
},
'space:space_2': {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: false,
[`saved_object:${savedObjectTypes[1]}/get`]: false,
},
@ -1846,11 +1751,9 @@ describe('#checkPrivilegesWithRequest.atSpaces', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
},
'space:space_2': {
[mockActions.login]: true,
[mockActions.version]: true,
},
},
},
@ -1902,11 +1805,9 @@ describe('#checkPrivilegesWithRequest.atSpaces', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
},
'space:space_2': {
[mockActions.login]: true,
[mockActions.version]: true,
},
},
},
@ -1970,11 +1871,9 @@ describe('#checkPrivilegesWithRequest.atSpaces', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
},
'space:space_2': {
[mockActions.login]: true,
[mockActions.version]: true,
},
},
},
@ -2051,11 +1950,9 @@ describe('#checkPrivilegesWithRequest.atSpaces', () => {
[application]: {
'space:space_1': {
[mockActions.login]: true,
[mockActions.version]: true,
},
'space:space_2': {
[mockActions.login]: true,
[mockActions.version]: true,
},
},
},
@ -2123,9 +2020,7 @@ describe('#checkPrivilegesWithRequest.atSpaces', () => {
index: {},
application: {
[application]: {
'space:space_1': {
[mockActions.version]: true,
},
'space:space_1': {},
},
},
});
@ -2145,7 +2040,7 @@ describe('#checkPrivilegesWithRequest.atSpaces', () => {
{
application,
resources: [`space:space_1`],
privileges: [mockActions.version],
privileges: [],
},
],
},
@ -2202,13 +2097,12 @@ describe('#checkPrivilegesWithRequest.globally', () => {
resources: [GLOBAL_RESOURCE],
privileges: options.kibanaPrivileges
? uniq([
mockActions.version,
mockActions.login,
...(Array.isArray(options.kibanaPrivileges)
? options.kibanaPrivileges
: [options.kibanaPrivileges]),
])
: [mockActions.version, mockActions.login],
: [mockActions.login],
},
],
},
@ -2230,7 +2124,6 @@ describe('#checkPrivilegesWithRequest.globally', () => {
[application]: {
[GLOBAL_RESOURCE]: {
[mockActions.login]: true,
[mockActions.version]: true,
},
},
},
@ -2267,7 +2160,6 @@ describe('#checkPrivilegesWithRequest.globally', () => {
[application]: {
[GLOBAL_RESOURCE]: {
[mockActions.login]: false,
[mockActions.version]: true,
},
},
},
@ -2294,27 +2186,6 @@ describe('#checkPrivilegesWithRequest.globally', () => {
`);
});
test(`throws error when checking for login and user has login but doesn't have version`, async () => {
const result = await checkPrivilegesGloballyTest({
kibanaPrivileges: mockActions.login,
esHasPrivilegesResponse: {
has_all_requested: false,
username: 'foo-username',
application: {
[application]: {
[GLOBAL_RESOURCE]: {
[mockActions.login]: true,
[mockActions.version]: false,
},
},
},
},
});
expect(result).toMatchInlineSnapshot(
`[Error: Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.]`
);
});
test(`throws error when Elasticsearch returns malformed response`, async () => {
const result = await checkPrivilegesGloballyTest({
kibanaPrivileges: [
@ -2352,7 +2223,6 @@ describe('#checkPrivilegesWithRequest.globally', () => {
[application]: {
[GLOBAL_RESOURCE]: {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: true,
[`saved_object:${savedObjectTypes[1]}/get`]: true,
},
@ -2399,7 +2269,6 @@ describe('#checkPrivilegesWithRequest.globally', () => {
[application]: {
[GLOBAL_RESOURCE]: {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: false,
[`saved_object:${savedObjectTypes[1]}/get`]: true,
},
@ -2444,7 +2313,6 @@ describe('#checkPrivilegesWithRequest.globally', () => {
[application]: {
[GLOBAL_RESOURCE]: {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: false,
[`saved_object:${savedObjectTypes[1]}/get`]: true,
},
@ -2467,7 +2335,6 @@ describe('#checkPrivilegesWithRequest.globally', () => {
[application]: {
[GLOBAL_RESOURCE]: {
[mockActions.login]: true,
[mockActions.version]: true,
},
},
},
@ -2497,7 +2364,6 @@ describe('#checkPrivilegesWithRequest.globally', () => {
[application]: {
[GLOBAL_RESOURCE]: {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: true,
[`saved_object:${savedObjectTypes[1]}/get`]: true,
},
@ -2562,7 +2428,6 @@ describe('#checkPrivilegesWithRequest.globally', () => {
[application]: {
[GLOBAL_RESOURCE]: {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: false,
[`saved_object:${savedObjectTypes[1]}/get`]: false,
},
@ -2627,7 +2492,6 @@ describe('#checkPrivilegesWithRequest.globally', () => {
[application]: {
[GLOBAL_RESOURCE]: {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: true,
[`saved_object:${savedObjectTypes[1]}/get`]: true,
},
@ -2692,7 +2556,6 @@ describe('#checkPrivilegesWithRequest.globally', () => {
[application]: {
[GLOBAL_RESOURCE]: {
[mockActions.login]: true,
[mockActions.version]: true,
[`saved_object:${savedObjectTypes[0]}/get`]: false,
[`saved_object:${savedObjectTypes[1]}/get`]: false,
},
@ -2755,7 +2618,6 @@ describe('#checkPrivilegesWithRequest.globally', () => {
[application]: {
[GLOBAL_RESOURCE]: {
[mockActions.login]: true,
[mockActions.version]: true,
},
},
},
@ -2806,7 +2668,6 @@ describe('#checkPrivilegesWithRequest.globally', () => {
[application]: {
[GLOBAL_RESOURCE]: {
[mockActions.login]: true,
[mockActions.version]: true,
},
},
},
@ -2869,7 +2730,6 @@ describe('#checkPrivilegesWithRequest.globally', () => {
[application]: {
[GLOBAL_RESOURCE]: {
[mockActions.login]: true,
[mockActions.version]: true,
},
},
},
@ -2945,7 +2805,6 @@ describe('#checkPrivilegesWithRequest.globally', () => {
[application]: {
[GLOBAL_RESOURCE]: {
[mockActions.login]: true,
[mockActions.version]: true,
},
},
},
@ -3013,9 +2872,7 @@ describe('#checkPrivilegesWithRequest.globally', () => {
index: {},
application: {
[application]: {
[GLOBAL_RESOURCE]: {
[mockActions.version]: true,
},
[GLOBAL_RESOURCE]: {},
},
},
});
@ -3035,7 +2892,7 @@ describe('#checkPrivilegesWithRequest.globally', () => {
{
application,
resources: [GLOBAL_RESOURCE],
privileges: [mockActions.version],
privileges: [],
},
],
},
@ -3084,8 +2941,8 @@ describe('#checkUserProfilesPrivileges.atSpace', () => {
application,
resources: [`space:${options.spaceId}`],
privileges: options.kibanaPrivileges
? uniq([mockActions.version, mockActions.login, ...options.kibanaPrivileges])
: [mockActions.version, mockActions.login],
? uniq([mockActions.login, ...options.kibanaPrivileges])
: [mockActions.login],
},
],
},


@ -27,7 +27,6 @@ import { validateEsPrivilegeResponse } from './validate_es_response';
interface CheckPrivilegesActions {
login: string;
version: string;
}
export function checkPrivilegesFactory(
@ -35,14 +34,6 @@ export function checkPrivilegesFactory(
getClusterClient: () => Promise<IClusterClient>,
applicationName: string
) {
const hasIncompatibleVersion = (
applicationPrivilegesResponse: HasPrivilegesResponseApplication
) => {
return Object.values(applicationPrivilegesResponse).some(
(resource) => !resource[actions.version] && resource[actions.login]
);
};
const createApplicationPrivilegesCheck = (
resources: string[],
kibanaPrivileges: string | string[],
@ -56,7 +47,6 @@ export function checkPrivilegesFactory(
application: applicationName,
resources,
privileges: uniq([
actions.version,
...(requireLoginAction ? [actions.login] : []),
...normalizedKibanaPrivileges,
]),
@ -163,12 +153,6 @@ export function checkPrivilegesFactory(
};
}, {});
if (hasIncompatibleVersion(applicationPrivilegesResponse)) {
throw new Error(
'Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.'
);
}
// we need to filter out the non requested privileges from the response
const resourcePrivileges = transform(applicationPrivilegesResponse, (result, value, key) => {
result[key!] = pick(value, privileges.kibana ?? []);
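Review bot: In `createApplicationPrivilegesCheck`, removing `actions.version` means the `privileges: uniq([...])` list can now be empty whenever `requireLoginAction` is false and no Kibana privileges are passed; the updated tests on this page expect exactly that (`privileges: []`). Whether Elasticsearch accepts an application privilege entry with no privileges is not shown here and should be confirmed, because a rejected request would presumably fail checks that only ask about cluster or index privileges. If it is rejected, the application entry should be omitted when the list is empty; either way a comment such as `// may be empty: the implicit version action is no longer added` on the `privileges` line would record the new behaviour. With `hasIncompatibleVersion` gone, the only response validation visible here is the imported `validateEsPrivilegeResponse`, so a test that pins the empty-privileges case against it would be a useful addition. Both `createApplicationPrivilegesCheck` and the enclosing `checkPrivilegesFactory` continue outside these hunks.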


@ -22,11 +22,11 @@ type MockAuthzOptions =
};
};
const actions = new Actions('1.0.0-zeta1');
const actions = new Actions();
const mockRequest = httpServerMock.createKibanaRequest();
const createMockAuthz = (options: MockAuthzOptions) => {
const mock = authorizationMock.create({ version: '1.0.0-zeta1' });
const mock = authorizationMock.create();
// plug actual ui actions into mock Actions with
mock.actions = actions;


@ -2,60 +2,60 @@
exports[`cases feature_privilege_builder within feature grants all privileges under feature with id observability 1`] = `
Array [
"cases:1.0.0-zeta1:observability/pushCase",
"cases:1.0.0-zeta1:observability/createCase",
"cases:1.0.0-zeta1:observability/createComment",
"cases:1.0.0-zeta1:observability/createConfiguration",
"cases:1.0.0-zeta1:observability/getCase",
"cases:1.0.0-zeta1:observability/getComment",
"cases:1.0.0-zeta1:observability/getTags",
"cases:1.0.0-zeta1:observability/getReporters",
"cases:1.0.0-zeta1:observability/getUserActions",
"cases:1.0.0-zeta1:observability/findConfigurations",
"cases:1.0.0-zeta1:observability/updateCase",
"cases:1.0.0-zeta1:observability/updateComment",
"cases:1.0.0-zeta1:observability/updateConfiguration",
"cases:1.0.0-zeta1:observability/deleteCase",
"cases:1.0.0-zeta1:observability/deleteComment",
"cases:observability/pushCase",
"cases:observability/createCase",
"cases:observability/createComment",
"cases:observability/createConfiguration",
"cases:observability/getCase",
"cases:observability/getComment",
"cases:observability/getTags",
"cases:observability/getReporters",
"cases:observability/getUserActions",
"cases:observability/findConfigurations",
"cases:observability/updateCase",
"cases:observability/updateComment",
"cases:observability/updateConfiguration",
"cases:observability/deleteCase",
"cases:observability/deleteComment",
]
`;
exports[`cases feature_privilege_builder within feature grants create privileges under feature with id securitySolution 1`] = `
Array [
"cases:1.0.0-zeta1:securitySolution/createCase",
"cases:1.0.0-zeta1:securitySolution/createComment",
"cases:1.0.0-zeta1:securitySolution/createConfiguration",
"cases:securitySolution/createCase",
"cases:securitySolution/createComment",
"cases:securitySolution/createConfiguration",
]
`;
exports[`cases feature_privilege_builder within feature grants delete privileges under feature with id securitySolution 1`] = `
Array [
"cases:1.0.0-zeta1:securitySolution/deleteCase",
"cases:1.0.0-zeta1:securitySolution/deleteComment",
"cases:securitySolution/deleteCase",
"cases:securitySolution/deleteComment",
]
`;
exports[`cases feature_privilege_builder within feature grants push privileges under feature with id obs 1`] = `
Array [
"cases:1.0.0-zeta1:obs/pushCase",
"cases:obs/pushCase",
]
`;
exports[`cases feature_privilege_builder within feature grants read privileges under feature with id observability 1`] = `
Array [
"cases:1.0.0-zeta1:observability/getCase",
"cases:1.0.0-zeta1:observability/getComment",
"cases:1.0.0-zeta1:observability/getTags",
"cases:1.0.0-zeta1:observability/getReporters",
"cases:1.0.0-zeta1:observability/getUserActions",
"cases:1.0.0-zeta1:observability/findConfigurations",
"cases:observability/getCase",
"cases:observability/getComment",
"cases:observability/getTags",
"cases:observability/getReporters",
"cases:observability/getUserActions",
"cases:observability/findConfigurations",
]
`;
exports[`cases feature_privilege_builder within feature grants update privileges under feature with id observability 1`] = `
Array [
"cases:1.0.0-zeta1:observability/updateCase",
"cases:1.0.0-zeta1:observability/updateComment",
"cases:1.0.0-zeta1:observability/updateConfiguration",
"cases:observability/updateCase",
"cases:observability/updateComment",
"cases:observability/updateConfiguration",
]
`;


@ -11,12 +11,10 @@ import { KibanaFeature } from '@kbn/features-plugin/server';
import { Actions } from '../../actions';
import { FeaturePrivilegeAlertingBuilder } from './alerting';
const version = '1.0.0-zeta1';
describe(`feature_privilege_builder`, () => {
describe(`alerting`, () => {
test('grants no privileges by default', () => {
const actions = new Actions(version);
const actions = new Actions();
const alertingFeaturePrivileges = new FeaturePrivilegeAlertingBuilder(actions);
const privilege: FeatureKibanaPrivileges = {
@ -54,7 +52,7 @@ describe(`feature_privilege_builder`, () => {
describe(`within feature`, () => {
test('grants `read` privileges to rules under feature consumer', () => {
const actions = new Actions(version);
const actions = new Actions();
const alertingFeaturePrivileges = new FeaturePrivilegeAlertingBuilder(actions);
const privilege: FeatureKibanaPrivileges = {
@ -85,19 +83,19 @@ describe(`feature_privilege_builder`, () => {
expect(alertingFeaturePrivileges.getActions(privilege, feature)).toMatchInlineSnapshot(`
Array [
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/get",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/getRuleState",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/getAlertSummary",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/getExecutionLog",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/find",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/getRuleExecutionKPI",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/runSoon",
"alerting:alert-type/my-feature/rule/get",
"alerting:alert-type/my-feature/rule/getRuleState",
"alerting:alert-type/my-feature/rule/getAlertSummary",
"alerting:alert-type/my-feature/rule/getExecutionLog",
"alerting:alert-type/my-feature/rule/find",
"alerting:alert-type/my-feature/rule/getRuleExecutionKPI",
"alerting:alert-type/my-feature/rule/runSoon",
]
`);
});
test('grants `read` privileges to alerts under feature consumer', () => {
const actions = new Actions(version);
const actions = new Actions();
const alertingFeaturePrivileges = new FeaturePrivilegeAlertingBuilder(actions);
const privilege: FeatureKibanaPrivileges = {
@ -128,16 +126,16 @@ describe(`feature_privilege_builder`, () => {
expect(alertingFeaturePrivileges.getActions(privilege, feature)).toMatchInlineSnapshot(`
Array [
"alerting:1.0.0-zeta1:alert-type/my-feature/alert/get",
"alerting:1.0.0-zeta1:alert-type/my-feature/alert/find",
"alerting:1.0.0-zeta1:alert-type/my-feature/alert/getAuthorizedAlertsIndices",
"alerting:1.0.0-zeta1:alert-type/my-feature/alert/getAlertSummary",
"alerting:alert-type/my-feature/alert/get",
"alerting:alert-type/my-feature/alert/find",
"alerting:alert-type/my-feature/alert/getAuthorizedAlertsIndices",
"alerting:alert-type/my-feature/alert/getAlertSummary",
]
`);
});
test('grants `read` privileges to rules and alerts under feature consumer', () => {
const actions = new Actions(version);
const actions = new Actions();
const alertingFeaturePrivileges = new FeaturePrivilegeAlertingBuilder(actions);
const privilege: FeatureKibanaPrivileges = {
@ -172,23 +170,23 @@ describe(`feature_privilege_builder`, () => {
expect(alertingFeaturePrivileges.getActions(privilege, feature)).toMatchInlineSnapshot(`
Array [
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/get",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/getRuleState",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/getAlertSummary",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/getExecutionLog",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/find",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/getRuleExecutionKPI",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/runSoon",
"alerting:1.0.0-zeta1:alert-type/my-feature/alert/get",
"alerting:1.0.0-zeta1:alert-type/my-feature/alert/find",
"alerting:1.0.0-zeta1:alert-type/my-feature/alert/getAuthorizedAlertsIndices",
"alerting:1.0.0-zeta1:alert-type/my-feature/alert/getAlertSummary",
"alerting:alert-type/my-feature/rule/get",
"alerting:alert-type/my-feature/rule/getRuleState",
"alerting:alert-type/my-feature/rule/getAlertSummary",
"alerting:alert-type/my-feature/rule/getExecutionLog",
"alerting:alert-type/my-feature/rule/find",
"alerting:alert-type/my-feature/rule/getRuleExecutionKPI",
"alerting:alert-type/my-feature/rule/runSoon",
"alerting:alert-type/my-feature/alert/get",
"alerting:alert-type/my-feature/alert/find",
"alerting:alert-type/my-feature/alert/getAuthorizedAlertsIndices",
"alerting:alert-type/my-feature/alert/getAlertSummary",
]
`);
});
test('grants `all` privileges to rules under feature consumer', () => {
const actions = new Actions(version);
const actions = new Actions();
const alertingFeaturePrivileges = new FeaturePrivilegeAlertingBuilder(actions);
const privilege: FeatureKibanaPrivileges = {
@ -219,35 +217,35 @@ describe(`feature_privilege_builder`, () => {
expect(alertingFeaturePrivileges.getActions(privilege, feature)).toMatchInlineSnapshot(`
Array [
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/get",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/getRuleState",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/getAlertSummary",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/getExecutionLog",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/find",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/getRuleExecutionKPI",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/runSoon",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/create",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/delete",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/update",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/updateApiKey",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/enable",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/disable",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/muteAll",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/unmuteAll",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/muteAlert",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/unmuteAlert",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/snooze",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/bulkEdit",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/bulkDelete",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/bulkEnable",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/bulkDisable",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/unsnooze",
"alerting:alert-type/my-feature/rule/get",
"alerting:alert-type/my-feature/rule/getRuleState",
"alerting:alert-type/my-feature/rule/getAlertSummary",
"alerting:alert-type/my-feature/rule/getExecutionLog",
"alerting:alert-type/my-feature/rule/find",
"alerting:alert-type/my-feature/rule/getRuleExecutionKPI",
"alerting:alert-type/my-feature/rule/runSoon",
"alerting:alert-type/my-feature/rule/create",
"alerting:alert-type/my-feature/rule/delete",
"alerting:alert-type/my-feature/rule/update",
"alerting:alert-type/my-feature/rule/updateApiKey",
"alerting:alert-type/my-feature/rule/enable",
"alerting:alert-type/my-feature/rule/disable",
"alerting:alert-type/my-feature/rule/muteAll",
"alerting:alert-type/my-feature/rule/unmuteAll",
"alerting:alert-type/my-feature/rule/muteAlert",
"alerting:alert-type/my-feature/rule/unmuteAlert",
"alerting:alert-type/my-feature/rule/snooze",
"alerting:alert-type/my-feature/rule/bulkEdit",
"alerting:alert-type/my-feature/rule/bulkDelete",
"alerting:alert-type/my-feature/rule/bulkEnable",
"alerting:alert-type/my-feature/rule/bulkDisable",
"alerting:alert-type/my-feature/rule/unsnooze",
]
`);
});
test('grants `all` privileges to alerts under feature consumer', () => {
const actions = new Actions(version);
const actions = new Actions();
const alertingFeaturePrivileges = new FeaturePrivilegeAlertingBuilder(actions);
const privilege: FeatureKibanaPrivileges = {
@ -278,17 +276,17 @@ describe(`feature_privilege_builder`, () => {
expect(alertingFeaturePrivileges.getActions(privilege, feature)).toMatchInlineSnapshot(`
Array [
"alerting:1.0.0-zeta1:alert-type/my-feature/alert/get",
"alerting:1.0.0-zeta1:alert-type/my-feature/alert/find",
"alerting:1.0.0-zeta1:alert-type/my-feature/alert/getAuthorizedAlertsIndices",
"alerting:1.0.0-zeta1:alert-type/my-feature/alert/getAlertSummary",
"alerting:1.0.0-zeta1:alert-type/my-feature/alert/update",
"alerting:alert-type/my-feature/alert/get",
"alerting:alert-type/my-feature/alert/find",
"alerting:alert-type/my-feature/alert/getAuthorizedAlertsIndices",
"alerting:alert-type/my-feature/alert/getAlertSummary",
"alerting:alert-type/my-feature/alert/update",
]
`);
});
test('grants `all` privileges to rules and alerts under feature consumer', () => {
const actions = new Actions(version);
const actions = new Actions();
const alertingFeaturePrivileges = new FeaturePrivilegeAlertingBuilder(actions);
const privilege: FeatureKibanaPrivileges = {
@ -323,40 +321,40 @@ describe(`feature_privilege_builder`, () => {
expect(alertingFeaturePrivileges.getActions(privilege, feature)).toMatchInlineSnapshot(`
Array [
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/get",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/getRuleState",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/getAlertSummary",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/getExecutionLog",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/find",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/getRuleExecutionKPI",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/runSoon",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/create",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/delete",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/update",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/updateApiKey",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/enable",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/disable",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/muteAll",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/unmuteAll",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/muteAlert",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/unmuteAlert",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/snooze",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/bulkEdit",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/bulkDelete",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/bulkEnable",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/bulkDisable",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/unsnooze",
"alerting:1.0.0-zeta1:alert-type/my-feature/alert/get",
"alerting:1.0.0-zeta1:alert-type/my-feature/alert/find",
"alerting:1.0.0-zeta1:alert-type/my-feature/alert/getAuthorizedAlertsIndices",
"alerting:1.0.0-zeta1:alert-type/my-feature/alert/getAlertSummary",
"alerting:1.0.0-zeta1:alert-type/my-feature/alert/update",
"alerting:alert-type/my-feature/rule/get",
"alerting:alert-type/my-feature/rule/getRuleState",
"alerting:alert-type/my-feature/rule/getAlertSummary",
"alerting:alert-type/my-feature/rule/getExecutionLog",
"alerting:alert-type/my-feature/rule/find",
"alerting:alert-type/my-feature/rule/getRuleExecutionKPI",
"alerting:alert-type/my-feature/rule/runSoon",
"alerting:alert-type/my-feature/rule/create",
"alerting:alert-type/my-feature/rule/delete",
"alerting:alert-type/my-feature/rule/update",
"alerting:alert-type/my-feature/rule/updateApiKey",
"alerting:alert-type/my-feature/rule/enable",
"alerting:alert-type/my-feature/rule/disable",
"alerting:alert-type/my-feature/rule/muteAll",
"alerting:alert-type/my-feature/rule/unmuteAll",
"alerting:alert-type/my-feature/rule/muteAlert",
"alerting:alert-type/my-feature/rule/unmuteAlert",
"alerting:alert-type/my-feature/rule/snooze",
"alerting:alert-type/my-feature/rule/bulkEdit",
"alerting:alert-type/my-feature/rule/bulkDelete",
"alerting:alert-type/my-feature/rule/bulkEnable",
"alerting:alert-type/my-feature/rule/bulkDisable",
"alerting:alert-type/my-feature/rule/unsnooze",
"alerting:alert-type/my-feature/alert/get",
"alerting:alert-type/my-feature/alert/find",
"alerting:alert-type/my-feature/alert/getAuthorizedAlertsIndices",
"alerting:alert-type/my-feature/alert/getAlertSummary",
"alerting:alert-type/my-feature/alert/update",
]
`);
});
test('grants both `all` and `read` to rules privileges under feature consumer', () => {
const actions = new Actions(version);
const actions = new Actions();
const alertingFeaturePrivileges = new FeaturePrivilegeAlertingBuilder(actions);
const privilege: FeatureKibanaPrivileges = {
@ -387,42 +385,42 @@ describe(`feature_privilege_builder`, () => {
expect(alertingFeaturePrivileges.getActions(privilege, feature)).toMatchInlineSnapshot(`
Array [
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/get",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/getRuleState",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/getAlertSummary",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/getExecutionLog",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/find",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/getRuleExecutionKPI",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/runSoon",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/create",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/delete",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/update",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/updateApiKey",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/enable",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/disable",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/muteAll",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/unmuteAll",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/muteAlert",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/unmuteAlert",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/snooze",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/bulkEdit",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/bulkDelete",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/bulkEnable",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/bulkDisable",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/unsnooze",
"alerting:1.0.0-zeta1:readonly-alert-type/my-feature/rule/get",
"alerting:1.0.0-zeta1:readonly-alert-type/my-feature/rule/getRuleState",
"alerting:1.0.0-zeta1:readonly-alert-type/my-feature/rule/getAlertSummary",
"alerting:1.0.0-zeta1:readonly-alert-type/my-feature/rule/getExecutionLog",
"alerting:1.0.0-zeta1:readonly-alert-type/my-feature/rule/find",
"alerting:1.0.0-zeta1:readonly-alert-type/my-feature/rule/getRuleExecutionKPI",
"alerting:1.0.0-zeta1:readonly-alert-type/my-feature/rule/runSoon",
"alerting:alert-type/my-feature/rule/get",
"alerting:alert-type/my-feature/rule/getRuleState",
"alerting:alert-type/my-feature/rule/getAlertSummary",
"alerting:alert-type/my-feature/rule/getExecutionLog",
"alerting:alert-type/my-feature/rule/find",
"alerting:alert-type/my-feature/rule/getRuleExecutionKPI",
"alerting:alert-type/my-feature/rule/runSoon",
"alerting:alert-type/my-feature/rule/create",
"alerting:alert-type/my-feature/rule/delete",
"alerting:alert-type/my-feature/rule/update",
"alerting:alert-type/my-feature/rule/updateApiKey",
"alerting:alert-type/my-feature/rule/enable",
"alerting:alert-type/my-feature/rule/disable",
"alerting:alert-type/my-feature/rule/muteAll",
"alerting:alert-type/my-feature/rule/unmuteAll",
"alerting:alert-type/my-feature/rule/muteAlert",
"alerting:alert-type/my-feature/rule/unmuteAlert",
"alerting:alert-type/my-feature/rule/snooze",
"alerting:alert-type/my-feature/rule/bulkEdit",
"alerting:alert-type/my-feature/rule/bulkDelete",
"alerting:alert-type/my-feature/rule/bulkEnable",
"alerting:alert-type/my-feature/rule/bulkDisable",
"alerting:alert-type/my-feature/rule/unsnooze",
"alerting:readonly-alert-type/my-feature/rule/get",
"alerting:readonly-alert-type/my-feature/rule/getRuleState",
"alerting:readonly-alert-type/my-feature/rule/getAlertSummary",
"alerting:readonly-alert-type/my-feature/rule/getExecutionLog",
"alerting:readonly-alert-type/my-feature/rule/find",
"alerting:readonly-alert-type/my-feature/rule/getRuleExecutionKPI",
"alerting:readonly-alert-type/my-feature/rule/runSoon",
]
`);
});
test('grants both `all` and `read` to alerts privileges under feature consumer', () => {
const actions = new Actions(version);
const actions = new Actions();
const alertingFeaturePrivileges = new FeaturePrivilegeAlertingBuilder(actions);
const privilege: FeatureKibanaPrivileges = {
@ -453,21 +451,21 @@ describe(`feature_privilege_builder`, () => {
expect(alertingFeaturePrivileges.getActions(privilege, feature)).toMatchInlineSnapshot(`
Array [
"alerting:1.0.0-zeta1:alert-type/my-feature/alert/get",
"alerting:1.0.0-zeta1:alert-type/my-feature/alert/find",
"alerting:1.0.0-zeta1:alert-type/my-feature/alert/getAuthorizedAlertsIndices",
"alerting:1.0.0-zeta1:alert-type/my-feature/alert/getAlertSummary",
"alerting:1.0.0-zeta1:alert-type/my-feature/alert/update",
"alerting:1.0.0-zeta1:readonly-alert-type/my-feature/alert/get",
"alerting:1.0.0-zeta1:readonly-alert-type/my-feature/alert/find",
"alerting:1.0.0-zeta1:readonly-alert-type/my-feature/alert/getAuthorizedAlertsIndices",
"alerting:1.0.0-zeta1:readonly-alert-type/my-feature/alert/getAlertSummary",
"alerting:alert-type/my-feature/alert/get",
"alerting:alert-type/my-feature/alert/find",
"alerting:alert-type/my-feature/alert/getAuthorizedAlertsIndices",
"alerting:alert-type/my-feature/alert/getAlertSummary",
"alerting:alert-type/my-feature/alert/update",
"alerting:readonly-alert-type/my-feature/alert/get",
"alerting:readonly-alert-type/my-feature/alert/find",
"alerting:readonly-alert-type/my-feature/alert/getAuthorizedAlertsIndices",
"alerting:readonly-alert-type/my-feature/alert/getAlertSummary",
]
`);
});
test('grants both `all` and `read` to rules and alerts privileges under feature consumer', () => {
const actions = new Actions(version);
const actions = new Actions();
const alertingFeaturePrivileges = new FeaturePrivilegeAlertingBuilder(actions);
const privilege: FeatureKibanaPrivileges = {
@ -502,45 +500,45 @@ describe(`feature_privilege_builder`, () => {
expect(alertingFeaturePrivileges.getActions(privilege, feature)).toMatchInlineSnapshot(`
Array [
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/get",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/getRuleState",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/getAlertSummary",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/getExecutionLog",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/find",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/getRuleExecutionKPI",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/runSoon",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/create",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/delete",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/update",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/updateApiKey",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/enable",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/disable",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/muteAll",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/unmuteAll",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/muteAlert",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/unmuteAlert",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/snooze",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/bulkEdit",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/bulkDelete",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/bulkEnable",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/bulkDisable",
"alerting:1.0.0-zeta1:alert-type/my-feature/rule/unsnooze",
"alerting:1.0.0-zeta1:readonly-alert-type/my-feature/rule/get",
"alerting:1.0.0-zeta1:readonly-alert-type/my-feature/rule/getRuleState",
"alerting:1.0.0-zeta1:readonly-alert-type/my-feature/rule/getAlertSummary",
"alerting:1.0.0-zeta1:readonly-alert-type/my-feature/rule/getExecutionLog",
"alerting:1.0.0-zeta1:readonly-alert-type/my-feature/rule/find",
"alerting:1.0.0-zeta1:readonly-alert-type/my-feature/rule/getRuleExecutionKPI",
"alerting:1.0.0-zeta1:readonly-alert-type/my-feature/rule/runSoon",
"alerting:1.0.0-zeta1:another-alert-type/my-feature/alert/get",
"alerting:1.0.0-zeta1:another-alert-type/my-feature/alert/find",
"alerting:1.0.0-zeta1:another-alert-type/my-feature/alert/getAuthorizedAlertsIndices",
"alerting:1.0.0-zeta1:another-alert-type/my-feature/alert/getAlertSummary",
"alerting:1.0.0-zeta1:another-alert-type/my-feature/alert/update",
"alerting:1.0.0-zeta1:readonly-alert-type/my-feature/alert/get",
"alerting:1.0.0-zeta1:readonly-alert-type/my-feature/alert/find",
"alerting:1.0.0-zeta1:readonly-alert-type/my-feature/alert/getAuthorizedAlertsIndices",
"alerting:1.0.0-zeta1:readonly-alert-type/my-feature/alert/getAlertSummary",
"alerting:alert-type/my-feature/rule/get",
"alerting:alert-type/my-feature/rule/getRuleState",
"alerting:alert-type/my-feature/rule/getAlertSummary",
"alerting:alert-type/my-feature/rule/getExecutionLog",
"alerting:alert-type/my-feature/rule/find",
"alerting:alert-type/my-feature/rule/getRuleExecutionKPI",
"alerting:alert-type/my-feature/rule/runSoon",
"alerting:alert-type/my-feature/rule/create",
"alerting:alert-type/my-feature/rule/delete",
"alerting:alert-type/my-feature/rule/update",
"alerting:alert-type/my-feature/rule/updateApiKey",
"alerting:alert-type/my-feature/rule/enable",
"alerting:alert-type/my-feature/rule/disable",
"alerting:alert-type/my-feature/rule/muteAll",
"alerting:alert-type/my-feature/rule/unmuteAll",
"alerting:alert-type/my-feature/rule/muteAlert",
"alerting:alert-type/my-feature/rule/unmuteAlert",
"alerting:alert-type/my-feature/rule/snooze",
"alerting:alert-type/my-feature/rule/bulkEdit",
"alerting:alert-type/my-feature/rule/bulkDelete",
"alerting:alert-type/my-feature/rule/bulkEnable",
"alerting:alert-type/my-feature/rule/bulkDisable",
"alerting:alert-type/my-feature/rule/unsnooze",
"alerting:readonly-alert-type/my-feature/rule/get",
"alerting:readonly-alert-type/my-feature/rule/getRuleState",
"alerting:readonly-alert-type/my-feature/rule/getAlertSummary",
"alerting:readonly-alert-type/my-feature/rule/getExecutionLog",
"alerting:readonly-alert-type/my-feature/rule/find",
"alerting:readonly-alert-type/my-feature/rule/getRuleExecutionKPI",
"alerting:readonly-alert-type/my-feature/rule/runSoon",
"alerting:another-alert-type/my-feature/alert/get",
"alerting:another-alert-type/my-feature/alert/find",
"alerting:another-alert-type/my-feature/alert/getAuthorizedAlertsIndices",
"alerting:another-alert-type/my-feature/alert/getAlertSummary",
"alerting:another-alert-type/my-feature/alert/update",
"alerting:readonly-alert-type/my-feature/alert/get",
"alerting:readonly-alert-type/my-feature/alert/find",
"alerting:readonly-alert-type/my-feature/alert/getAuthorizedAlertsIndices",
"alerting:readonly-alert-type/my-feature/alert/getAlertSummary",
]
`);
});


@ -11,12 +11,10 @@ import { KibanaFeature } from '@kbn/features-plugin/server';
import { Actions } from '../../actions';
import { FeaturePrivilegeCasesBuilder } from './cases';
const version = '1.0.0-zeta1';
describe(`cases`, () => {
describe(`feature_privilege_builder`, () => {
it('grants no privileges by default', () => {
const actions = new Actions(version);
const actions = new Actions();
const casesFeaturePrivileges = new FeaturePrivilegeCasesBuilder(actions);
const privilege: FeatureKibanaPrivileges = {
@ -50,7 +48,7 @@ describe(`cases`, () => {
['update', 'observability'],
['delete', 'securitySolution'],
])('grants %s privileges under feature with id %s', (operation, featureID) => {
const actions = new Actions(version);
const actions = new Actions();
const casesFeaturePrivilege = new FeaturePrivilegeCasesBuilder(actions);
const privilege: FeatureKibanaPrivileges = {
@ -80,7 +78,7 @@ describe(`cases`, () => {
});
it('grants all privileges under feature', () => {
const actions = new Actions(version);
const actions = new Actions();
const casesFeaturePrivilege = new FeaturePrivilegeCasesBuilder(actions);
const privilege: FeatureKibanaPrivileges = {
@ -112,36 +110,36 @@ describe(`cases`, () => {
expect(casesFeaturePrivilege.getActions(privilege, feature)).toMatchInlineSnapshot(`
Array [
"cases:1.0.0-zeta1:security/pushCase",
"cases:1.0.0-zeta1:security/createCase",
"cases:1.0.0-zeta1:security/createComment",
"cases:1.0.0-zeta1:security/createConfiguration",
"cases:1.0.0-zeta1:security/getCase",
"cases:1.0.0-zeta1:security/getComment",
"cases:1.0.0-zeta1:security/getTags",
"cases:1.0.0-zeta1:security/getReporters",
"cases:1.0.0-zeta1:security/getUserActions",
"cases:1.0.0-zeta1:security/findConfigurations",
"cases:1.0.0-zeta1:security/updateCase",
"cases:1.0.0-zeta1:security/updateComment",
"cases:1.0.0-zeta1:security/updateConfiguration",
"cases:1.0.0-zeta1:security/deleteCase",
"cases:1.0.0-zeta1:security/deleteComment",
"cases:1.0.0-zeta1:obs/getCase",
"cases:1.0.0-zeta1:obs/getComment",
"cases:1.0.0-zeta1:obs/getTags",
"cases:1.0.0-zeta1:obs/getReporters",
"cases:1.0.0-zeta1:obs/getUserActions",
"cases:1.0.0-zeta1:obs/findConfigurations",
"cases:1.0.0-zeta1:obs/updateCase",
"cases:1.0.0-zeta1:obs/updateComment",
"cases:1.0.0-zeta1:obs/updateConfiguration",
"cases:security/pushCase",
"cases:security/createCase",
"cases:security/createComment",
"cases:security/createConfiguration",
"cases:security/getCase",
"cases:security/getComment",
"cases:security/getTags",
"cases:security/getReporters",
"cases:security/getUserActions",
"cases:security/findConfigurations",
"cases:security/updateCase",
"cases:security/updateComment",
"cases:security/updateConfiguration",
"cases:security/deleteCase",
"cases:security/deleteComment",
"cases:obs/getCase",
"cases:obs/getComment",
"cases:obs/getTags",
"cases:obs/getReporters",
"cases:obs/getUserActions",
"cases:obs/findConfigurations",
"cases:obs/updateCase",
"cases:obs/updateComment",
"cases:obs/updateConfiguration",
]
`);
});
it('grants both `all` and `read` privileges under feature with multiple values in cases array', () => {
const actions = new Actions(version);
const actions = new Actions();
const casesFeaturePrivilege = new FeaturePrivilegeCasesBuilder(actions);
const privilege: FeatureKibanaPrivileges = {
@ -170,48 +168,48 @@ describe(`cases`, () => {
expect(casesFeaturePrivilege.getActions(privilege, feature)).toMatchInlineSnapshot(`
Array [
"cases:1.0.0-zeta1:security/pushCase",
"cases:1.0.0-zeta1:security/createCase",
"cases:1.0.0-zeta1:security/createComment",
"cases:1.0.0-zeta1:security/createConfiguration",
"cases:1.0.0-zeta1:security/getCase",
"cases:1.0.0-zeta1:security/getComment",
"cases:1.0.0-zeta1:security/getTags",
"cases:1.0.0-zeta1:security/getReporters",
"cases:1.0.0-zeta1:security/getUserActions",
"cases:1.0.0-zeta1:security/findConfigurations",
"cases:1.0.0-zeta1:security/updateCase",
"cases:1.0.0-zeta1:security/updateComment",
"cases:1.0.0-zeta1:security/updateConfiguration",
"cases:1.0.0-zeta1:security/deleteCase",
"cases:1.0.0-zeta1:security/deleteComment",
"cases:1.0.0-zeta1:other-security/pushCase",
"cases:1.0.0-zeta1:other-security/createCase",
"cases:1.0.0-zeta1:other-security/createComment",
"cases:1.0.0-zeta1:other-security/createConfiguration",
"cases:1.0.0-zeta1:other-security/getCase",
"cases:1.0.0-zeta1:other-security/getComment",
"cases:1.0.0-zeta1:other-security/getTags",
"cases:1.0.0-zeta1:other-security/getReporters",
"cases:1.0.0-zeta1:other-security/getUserActions",
"cases:1.0.0-zeta1:other-security/findConfigurations",
"cases:1.0.0-zeta1:other-security/updateCase",
"cases:1.0.0-zeta1:other-security/updateComment",
"cases:1.0.0-zeta1:other-security/updateConfiguration",
"cases:1.0.0-zeta1:other-security/deleteCase",
"cases:1.0.0-zeta1:other-security/deleteComment",
"cases:1.0.0-zeta1:obs/getCase",
"cases:1.0.0-zeta1:obs/getComment",
"cases:1.0.0-zeta1:obs/getTags",
"cases:1.0.0-zeta1:obs/getReporters",
"cases:1.0.0-zeta1:obs/getUserActions",
"cases:1.0.0-zeta1:obs/findConfigurations",
"cases:1.0.0-zeta1:other-obs/getCase",
"cases:1.0.0-zeta1:other-obs/getComment",
"cases:1.0.0-zeta1:other-obs/getTags",
"cases:1.0.0-zeta1:other-obs/getReporters",
"cases:1.0.0-zeta1:other-obs/getUserActions",
"cases:1.0.0-zeta1:other-obs/findConfigurations",
"cases:security/pushCase",
"cases:security/createCase",
"cases:security/createComment",
"cases:security/createConfiguration",
"cases:security/getCase",
"cases:security/getComment",
"cases:security/getTags",
"cases:security/getReporters",
"cases:security/getUserActions",
"cases:security/findConfigurations",
"cases:security/updateCase",
"cases:security/updateComment",
"cases:security/updateConfiguration",
"cases:security/deleteCase",
"cases:security/deleteComment",
"cases:other-security/pushCase",
"cases:other-security/createCase",
"cases:other-security/createComment",
"cases:other-security/createConfiguration",
"cases:other-security/getCase",
"cases:other-security/getComment",
"cases:other-security/getTags",
"cases:other-security/getReporters",
"cases:other-security/getUserActions",
"cases:other-security/findConfigurations",
"cases:other-security/updateCase",
"cases:other-security/updateComment",
"cases:other-security/updateConfiguration",
"cases:other-security/deleteCase",
"cases:other-security/deleteComment",
"cases:obs/getCase",
"cases:obs/getComment",
"cases:obs/getTags",
"cases:obs/getReporters",
"cases:obs/getUserActions",
"cases:obs/findConfigurations",
"cases:other-obs/getCase",
"cases:other-obs/getComment",
"cases:other-obs/getTags",
"cases:other-obs/getReporters",
"cases:other-obs/getUserActions",
"cases:other-obs/findConfigurations",
]
`);
});


@ -12,7 +12,7 @@ import { licenseMock } from '../../../common/licensing/index.mock';
import { Actions } from '../actions';
import { privilegesFactory } from './privileges';
const actions = new Actions('1.0.0-zeta1');
const actions = new Actions();
const mockLicenseServiceBasic = licenseMock.create({ allowSubFeaturePrivileges: false }, 'basic');
const mockLicenseServiceGold = licenseMock.create({ allowSubFeaturePrivileges: true }, 'gold');
@ -59,10 +59,10 @@ describe('features', () => {
const actual = privileges.get();
expect(actual).toHaveProperty('features.foo-feature', {
all: [actions.login, actions.version],
read: [actions.login, actions.version],
minimal_all: [actions.login, actions.version],
minimal_read: [actions.login, actions.version],
all: [actions.login],
read: [actions.login],
minimal_all: [actions.login],
minimal_read: [actions.login],
});
});
@ -98,7 +98,6 @@ describe('features', () => {
const expectedAllPrivileges = [
actions.login,
actions.version,
actions.savedObject.get('all-savedObject-all-1', 'bulk_get'),
actions.savedObject.get('all-savedObject-all-1', 'get'),
actions.savedObject.get('all-savedObject-all-1', 'find'),
@ -139,7 +138,6 @@ describe('features', () => {
const expectedReadPrivileges = [
actions.login,
actions.version,
actions.savedObject.get('read-savedObject-all-1', 'bulk_get'),
actions.savedObject.get('read-savedObject-all-1', 'get'),
actions.savedObject.get('read-savedObject-all-1', 'find'),
@ -281,7 +279,6 @@ describe('features', () => {
const actual = privileges.get();
expect(actual).toHaveProperty(`${group}.all`, [
actions.login,
actions.version,
...(expectDecryptedTelemetry ? [actions.api.get('decryptedTelemetry')] : []),
...(expectGetFeatures ? [actions.api.get('features')] : []),
...(expectGetFeatures ? [actions.api.get('taskManager')] : []),
@ -424,7 +421,6 @@ describe('features', () => {
const actual = privileges.get();
expect(actual).toHaveProperty(`${group}.read`, [
actions.login,
actions.version,
...(expectDecryptedTelemetry ? [actions.api.get('decryptedTelemetry')] : []),
...(expectGlobalSettings ? [actions.ui.get('globalSettings', 'show')] : []),
actions.ui.get('catalogue', 'read-catalogue-1'),
@ -507,7 +503,6 @@ describe('features', () => {
const actual = privileges.get();
expect(actual).toHaveProperty(`${group}.all`, [
actions.login,
actions.version,
...(expectDecryptedTelemetry ? [actions.api.get('decryptedTelemetry')] : []),
...(expectGetFeatures ? [actions.api.get('features')] : []),
...(expectGetFeatures ? [actions.api.get('taskManager')] : []),
@ -525,7 +520,6 @@ describe('features', () => {
]);
expect(actual).toHaveProperty(`${group}.read`, [
actions.login,
actions.version,
...(expectDecryptedTelemetry ? [actions.api.get('decryptedTelemetry')] : []),
...(expectGlobalSettings ? [actions.ui.get('globalSettings', 'show')] : []),
]);
@ -577,7 +571,6 @@ describe('features', () => {
const actual = privileges.get();
expect(actual).toHaveProperty(`${group}.all`, [
actions.login,
actions.version,
...(expectDecryptedTelemetry ? [actions.api.get('decryptedTelemetry')] : []),
...(expectGetFeatures ? [actions.api.get('features')] : []),
...(expectGetFeatures ? [actions.api.get('taskManager')] : []),
@ -595,7 +588,6 @@ describe('features', () => {
]);
expect(actual).toHaveProperty(`${group}.read`, [
actions.login,
actions.version,
...(expectDecryptedTelemetry ? [actions.api.get('decryptedTelemetry')] : []),
...(expectGlobalSettings ? [actions.ui.get('globalSettings', 'show')] : []),
]);
@ -648,7 +640,6 @@ describe('features', () => {
const actual = privileges.get();
expect(actual).toHaveProperty(`${group}.all`, [
actions.login,
actions.version,
...(expectDecryptedTelemetry ? [actions.api.get('decryptedTelemetry')] : []),
...(expectGetFeatures ? [actions.api.get('features')] : []),
...(expectGetFeatures ? [actions.api.get('taskManager')] : []),
@ -666,7 +657,6 @@ describe('features', () => {
]);
expect(actual).toHaveProperty(`${group}.read`, [
actions.login,
actions.version,
...(expectDecryptedTelemetry ? [actions.api.get('decryptedTelemetry')] : []),
...(expectGlobalSettings ? [actions.ui.get('globalSettings', 'show')] : []),
]);
@ -711,7 +701,7 @@ describe('reserved', () => {
const privileges = privilegesFactory(actions, mockFeaturesPlugin, mockLicenseServiceBasic);
const actual = privileges.get();
expect(actual).toHaveProperty('reserved.foo', [actions.version]);
expect(actual).toHaveProperty('reserved.foo');
});
test(`actions only specified at the privilege are alright too`, () => {
@ -746,7 +736,6 @@ describe('reserved', () => {
const actual = privileges.get();
expect(actual).toHaveProperty('reserved.foo', [
actions.version,
actions.savedObject.get('savedObject-all-1', 'bulk_get'),
actions.savedObject.get('savedObject-all-1', 'get'),
actions.savedObject.get('savedObject-all-1', 'find'),
@ -878,7 +867,6 @@ describe('subFeatures', () => {
const actual = privileges.get();
expect(actual.features).toHaveProperty(`foo.subFeaturePriv1`, [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -901,29 +889,24 @@ describe('subFeatures', () => {
expect(actual.features).toHaveProperty('foo.all', [
actions.login,
actions.version,
actions.ui.get('foo', 'foo'),
]);
expect(actual.features).toHaveProperty('foo.minimal_all', [
actions.login,
actions.version,
actions.ui.get('foo', 'foo'),
]);
expect(actual.features).toHaveProperty('foo.read', [
actions.login,
actions.version,
actions.ui.get('foo', 'foo'),
]);
expect(actual.features).toHaveProperty('foo.minimal_read', [
actions.login,
actions.version,
actions.ui.get('foo', 'foo'),
]);
expect(actual).toHaveProperty('global.all', [
actions.login,
actions.version,
actions.api.get('decryptedTelemetry'),
actions.api.get('features'),
actions.api.get('taskManager'),
@ -938,22 +921,13 @@ describe('subFeatures', () => {
]);
expect(actual).toHaveProperty('global.read', [
actions.login,
actions.version,
actions.api.get('decryptedTelemetry'),
actions.ui.get('globalSettings', 'show'),
actions.ui.get('foo', 'foo'),
]);
expect(actual).toHaveProperty('space.all', [
actions.login,
actions.version,
actions.ui.get('foo', 'foo'),
]);
expect(actual).toHaveProperty('space.read', [
actions.login,
actions.version,
actions.ui.get('foo', 'foo'),
]);
expect(actual).toHaveProperty('space.all', [actions.login, actions.ui.get('foo', 'foo')]);
expect(actual).toHaveProperty('space.read', [actions.login, actions.ui.get('foo', 'foo')]);
});
});
@ -1013,7 +987,6 @@ describe('subFeatures', () => {
const actual = privileges.get();
expect(actual.features).toHaveProperty(`foo.subFeaturePriv1`, [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -1036,7 +1009,6 @@ describe('subFeatures', () => {
expect(actual.features).toHaveProperty(`foo.all`, [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -1060,13 +1032,11 @@ describe('subFeatures', () => {
expect(actual.features).toHaveProperty(`foo.minimal_all`, [
actions.login,
actions.version,
actions.ui.get('foo', 'foo'),
]);
expect(actual.features).toHaveProperty(`foo.read`, [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -1090,13 +1060,11 @@ describe('subFeatures', () => {
expect(actual.features).toHaveProperty(`foo.minimal_read`, [
actions.login,
actions.version,
actions.ui.get('foo', 'foo'),
]);
expect(actual).toHaveProperty('global.all', [
actions.login,
actions.version,
actions.api.get('decryptedTelemetry'),
actions.api.get('features'),
actions.api.get('taskManager'),
@ -1129,7 +1097,6 @@ describe('subFeatures', () => {
]);
expect(actual).toHaveProperty('global.read', [
actions.login,
actions.version,
actions.api.get('decryptedTelemetry'),
actions.ui.get('globalSettings', 'show'),
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
@ -1155,7 +1122,6 @@ describe('subFeatures', () => {
expect(actual).toHaveProperty('space.all', [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -1178,7 +1144,6 @@ describe('subFeatures', () => {
]);
expect(actual).toHaveProperty('space.read', [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -1257,7 +1222,6 @@ describe('subFeatures', () => {
const actual = privileges.get();
expect(actual.features).toHaveProperty(`foo.subFeaturePriv1`, [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -1280,7 +1244,6 @@ describe('subFeatures', () => {
expect(actual.features).toHaveProperty(`foo.all`, [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -1304,13 +1267,11 @@ describe('subFeatures', () => {
expect(actual.features).toHaveProperty(`foo.minimal_all`, [
actions.login,
actions.version,
actions.ui.get('foo', 'foo'),
]);
expect(actual.features).toHaveProperty(`foo.read`, [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -1334,13 +1295,11 @@ describe('subFeatures', () => {
expect(actual.features).toHaveProperty(`foo.minimal_read`, [
actions.login,
actions.version,
actions.ui.get('foo', 'foo'),
]);
expect(actual).toHaveProperty('global.all', [
actions.login,
actions.version,
actions.api.get('decryptedTelemetry'),
actions.api.get('features'),
actions.api.get('taskManager'),
@ -1354,13 +1313,12 @@ describe('subFeatures', () => {
]);
expect(actual).toHaveProperty('global.read', [
actions.login,
actions.version,
actions.api.get('decryptedTelemetry'),
actions.ui.get('globalSettings', 'show'),
]);
expect(actual).toHaveProperty('space.all', [actions.login, actions.version]);
expect(actual).toHaveProperty('space.read', [actions.login, actions.version]);
expect(actual).toHaveProperty('space.all', [actions.login]);
expect(actual).toHaveProperty('space.read', [actions.login]);
});
});
@ -1420,7 +1378,6 @@ describe('subFeatures', () => {
const actual = privileges.get();
expect(actual.features).toHaveProperty(`foo.subFeaturePriv1`, [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -1443,7 +1400,6 @@ describe('subFeatures', () => {
expect(actual.features).toHaveProperty(`foo.all`, [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -1467,25 +1423,21 @@ describe('subFeatures', () => {
expect(actual.features).toHaveProperty(`foo.minimal_all`, [
actions.login,
actions.version,
actions.ui.get('foo', 'foo'),
]);
expect(actual.features).toHaveProperty(`foo.read`, [
actions.login,
actions.version,
actions.ui.get('foo', 'foo'),
]);
expect(actual.features).toHaveProperty(`foo.minimal_read`, [
actions.login,
actions.version,
actions.ui.get('foo', 'foo'),
]);
expect(actual).toHaveProperty('global.all', [
actions.login,
actions.version,
actions.api.get('decryptedTelemetry'),
actions.api.get('features'),
actions.api.get('taskManager'),
@ -1518,7 +1470,6 @@ describe('subFeatures', () => {
]);
expect(actual).toHaveProperty('global.read', [
actions.login,
actions.version,
actions.api.get('decryptedTelemetry'),
actions.ui.get('globalSettings', 'show'),
actions.ui.get('foo', 'foo'),
@ -1526,7 +1477,6 @@ describe('subFeatures', () => {
expect(actual).toHaveProperty('space.all', [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -1547,11 +1497,7 @@ describe('subFeatures', () => {
actions.ui.get('foo', 'foo'),
actions.ui.get('foo', 'sub-feature-ui'),
]);
expect(actual).toHaveProperty('space.read', [
actions.login,
actions.version,
actions.ui.get('foo', 'foo'),
]);
expect(actual).toHaveProperty('space.read', [actions.login, actions.ui.get('foo', 'foo')]);
});
test(`should augment the primary 'all' feature privileges, but not the base privileges if the feature is excluded from them`, () => {
@ -1610,7 +1556,6 @@ describe('subFeatures', () => {
const actual = privileges.get();
expect(actual.features).toHaveProperty(`foo.subFeaturePriv1`, [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -1633,7 +1578,6 @@ describe('subFeatures', () => {
expect(actual.features).toHaveProperty(`foo.all`, [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -1657,25 +1601,21 @@ describe('subFeatures', () => {
expect(actual.features).toHaveProperty(`foo.minimal_all`, [
actions.login,
actions.version,
actions.ui.get('foo', 'foo'),
]);
expect(actual.features).toHaveProperty(`foo.read`, [
actions.login,
actions.version,
actions.ui.get('foo', 'foo'),
]);
expect(actual.features).toHaveProperty(`foo.minimal_read`, [
actions.login,
actions.version,
actions.ui.get('foo', 'foo'),
]);
expect(actual).toHaveProperty('global.all', [
actions.login,
actions.version,
actions.api.get('decryptedTelemetry'),
actions.api.get('features'),
actions.api.get('taskManager'),
@ -1689,13 +1629,12 @@ describe('subFeatures', () => {
]);
expect(actual).toHaveProperty('global.read', [
actions.login,
actions.version,
actions.api.get('decryptedTelemetry'),
actions.ui.get('globalSettings', 'show'),
]);
expect(actual).toHaveProperty('space.all', [actions.login, actions.version]);
expect(actual).toHaveProperty('space.read', [actions.login, actions.version]);
expect(actual).toHaveProperty('space.all', [actions.login]);
expect(actual).toHaveProperty('space.read', [actions.login]);
});
});
@ -1757,7 +1696,6 @@ describe('subFeatures', () => {
expect(actual.features).toHaveProperty(`foo.all`, [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -1781,13 +1719,11 @@ describe('subFeatures', () => {
expect(actual.features).toHaveProperty(`foo.minimal_all`, [
actions.login,
actions.version,
actions.ui.get('foo', 'foo'),
]);
expect(actual.features).toHaveProperty(`foo.read`, [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -1811,13 +1747,11 @@ describe('subFeatures', () => {
expect(actual.features).toHaveProperty(`foo.minimal_read`, [
actions.login,
actions.version,
actions.ui.get('foo', 'foo'),
]);
expect(actual).toHaveProperty('global.all', [
actions.login,
actions.version,
actions.api.get('decryptedTelemetry'),
actions.api.get('features'),
actions.api.get('taskManager'),
@ -1850,7 +1784,6 @@ describe('subFeatures', () => {
]);
expect(actual).toHaveProperty('global.read', [
actions.login,
actions.version,
actions.api.get('decryptedTelemetry'),
actions.ui.get('globalSettings', 'show'),
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
@ -1876,7 +1809,6 @@ describe('subFeatures', () => {
expect(actual).toHaveProperty('space.all', [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -1899,7 +1831,6 @@ describe('subFeatures', () => {
]);
expect(actual).toHaveProperty('space.read', [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -1979,7 +1910,6 @@ describe('subFeatures', () => {
expect(actual.features).toHaveProperty(`foo.all`, [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -2003,13 +1933,11 @@ describe('subFeatures', () => {
expect(actual.features).toHaveProperty(`foo.minimal_all`, [
actions.login,
actions.version,
actions.ui.get('foo', 'foo'),
]);
expect(actual.features).toHaveProperty(`foo.read`, [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -2033,13 +1961,11 @@ describe('subFeatures', () => {
expect(actual.features).toHaveProperty(`foo.minimal_read`, [
actions.login,
actions.version,
actions.ui.get('foo', 'foo'),
]);
expect(actual).toHaveProperty('global.all', [
actions.login,
actions.version,
actions.api.get('decryptedTelemetry'),
actions.api.get('features'),
actions.api.get('taskManager'),
@ -2072,7 +1998,6 @@ describe('subFeatures', () => {
]);
expect(actual).toHaveProperty('global.read', [
actions.login,
actions.version,
actions.api.get('decryptedTelemetry'),
actions.ui.get('globalSettings', 'show'),
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
@ -2098,7 +2023,6 @@ describe('subFeatures', () => {
expect(actual).toHaveProperty('space.all', [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -2121,7 +2045,6 @@ describe('subFeatures', () => {
]);
expect(actual).toHaveProperty('space.read', [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -2220,7 +2143,6 @@ describe('subFeatures', () => {
expect(actual.features).toHaveProperty(`foo.all`, [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -2244,13 +2166,11 @@ describe('subFeatures', () => {
expect(actual.features).toHaveProperty(`foo.minimal_all`, [
actions.login,
actions.version,
actions.ui.get('foo', 'foo'),
]);
expect(actual.features).toHaveProperty(`foo.read`, [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -2274,13 +2194,11 @@ describe('subFeatures', () => {
expect(actual.features).toHaveProperty(`foo.minimal_read`, [
actions.login,
actions.version,
actions.ui.get('foo', 'foo'),
]);
expect(actual).toHaveProperty('global.all', [
actions.login,
actions.version,
actions.api.get('decryptedTelemetry'),
actions.api.get('features'),
actions.api.get('taskManager'),
@ -2313,7 +2231,6 @@ describe('subFeatures', () => {
]);
expect(actual).toHaveProperty('global.read', [
actions.login,
actions.version,
actions.api.get('decryptedTelemetry'),
actions.ui.get('globalSettings', 'show'),
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
@ -2339,7 +2256,6 @@ describe('subFeatures', () => {
expect(actual).toHaveProperty('space.all', [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -2362,7 +2278,6 @@ describe('subFeatures', () => {
]);
expect(actual).toHaveProperty('space.read', [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -2461,7 +2376,6 @@ describe('subFeatures', () => {
expect(actual.features).toHaveProperty(`foo.all`, [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -2503,13 +2417,11 @@ describe('subFeatures', () => {
expect(actual.features).toHaveProperty(`foo.minimal_all`, [
actions.login,
actions.version,
actions.ui.get('foo', 'foo'),
]);
expect(actual.features).toHaveProperty(`foo.read`, [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -2551,13 +2463,11 @@ describe('subFeatures', () => {
expect(actual.features).toHaveProperty(`foo.minimal_read`, [
actions.login,
actions.version,
actions.ui.get('foo', 'foo'),
]);
expect(actual).toHaveProperty('global.all', [
actions.login,
actions.version,
actions.api.get('decryptedTelemetry'),
actions.api.get('features'),
actions.api.get('taskManager'),
@ -2608,7 +2518,6 @@ describe('subFeatures', () => {
]);
expect(actual).toHaveProperty('global.read', [
actions.login,
actions.version,
actions.api.get('decryptedTelemetry'),
actions.ui.get('globalSettings', 'show'),
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
@ -2652,7 +2561,6 @@ describe('subFeatures', () => {
expect(actual).toHaveProperty('space.all', [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
@ -2693,7 +2601,6 @@ describe('subFeatures', () => {
]);
expect(actual).toHaveProperty('space.read', [
actions.login,
actions.version,
actions.savedObject.get('all-sub-feature-type', 'bulk_get'),
actions.savedObject.get('all-sub-feature-type', 'get'),
actions.savedObject.get('all-sub-feature-type', 'find'),
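Review bot: The reserved-privilege assertion in the hunk at old line 711 is weakened: `expect(actual).toHaveProperty('reserved.foo', [actions.version]);` becomes `expect(actual).toHaveProperty('reserved.foo');`, which only checks that the key exists and no longer pins its value. Because this is an authorization test, it should still fail if that privilege ever picks up actions it was not given. `expect(actual).toHaveProperty('reserved.foo', []);` would keep the exact-match check, assuming the fixture defines no actions for this privilege. The test body starts above the hunk, so that fixture is not visible here.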


@ -66,7 +66,6 @@ export function privilegesFactory(
})) {
featurePrivileges[feature.id][featurePrivilege.privilegeId] = [
actions.login,
actions.version,
...uniq(featurePrivilegeBuilder.getActions(featurePrivilege.privilege, feature)),
];
}
@ -77,7 +76,6 @@ export function privilegesFactory(
})) {
featurePrivileges[feature.id][`minimal_${featurePrivilege.privilegeId}`] = [
actions.login,
actions.version,
...uniq(featurePrivilegeBuilder.getActions(featurePrivilege.privilege, feature)),
];
}
@ -92,7 +90,6 @@ export function privilegesFactory(
)) {
featurePrivileges[feature.id][subFeaturePrivilege.id] = [
actions.login,
actions.version,
...uniq(featurePrivilegeBuilder.getActions(subFeaturePrivilege, feature)),
];
}
@ -107,7 +104,6 @@ export function privilegesFactory(
global: {
all: [
actions.login,
actions.version,
actions.api.get('decryptedTelemetry'),
actions.api.get('features'),
actions.api.get('taskManager'),
@ -122,21 +118,19 @@ export function privilegesFactory(
],
read: [
actions.login,
actions.version,
actions.api.get('decryptedTelemetry'),
actions.ui.get('globalSettings', 'show'),
...readActions,
],
},
space: {
all: [actions.login, actions.version, ...allActions],
read: [actions.login, actions.version, ...readActions],
all: [actions.login, ...allActions],
read: [actions.login, ...readActions],
},
reserved: features.reduce((acc: Record<string, string[]>, feature: KibanaFeature) => {
if (feature.reserved) {
feature.reserved.privileges.forEach((reservedPrivilege) => {
acc[reservedPrivilege.id] = [
actions.version,
...uniq(featurePrivilegeBuilder.getActions(reservedPrivilege.privilege, feature)),
];
});
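Review bot: In the `reserved` reducer of the last hunk, dropping `actions.version` means a reserved privilege whose builder returns no actions is now stored with an empty list, where every entry previously held at least one action. Whether the code that registers these privileges accepts an empty action list is not visible in this diff, so it is worth confirming and noting beside the assignment, e.g. `// may be empty now that the implicit version action is gone`. With nothing else left in the literal, the spread copy also looks redundant and could read `acc[reservedPrivilege.id] = uniq(featurePrivilegeBuilder.getActions(reservedPrivilege.privilege, feature));`, assuming `uniq` returns a fresh array. `privilegesFactory` starts and ends outside the hunks shown.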


@ -81,29 +81,27 @@ describe('Security Plugin', () => {
"authz": Object {
"actions": Actions {
"alerting": AlertingActions {
"prefix": "alerting:version:",
"prefix": "alerting:",
},
"api": ApiActions {
"prefix": "api:version:",
"prefix": "api:",
},
"app": AppActions {
"prefix": "app:version:",
"prefix": "app:",
},
"cases": CasesActions {
"prefix": "cases:version:",
"prefix": "cases:",
},
"login": "login:",
"savedObject": SavedObjectActions {
"prefix": "saved_object:version:",
"prefix": "saved_object:",
},
"space": SpaceActions {
"prefix": "space:version:",
"prefix": "space:",
},
"ui": UIActions {
"prefix": "ui:version:",
"prefix": "ui:",
},
"version": "version:version",
"versionNumber": "version",
},
"checkPrivilegesDynamicallyWithRequest": [Function],
"checkPrivilegesWithRequest": [Function],
@ -152,29 +150,27 @@ describe('Security Plugin', () => {
"authz": Object {
"actions": Actions {
"alerting": AlertingActions {
"prefix": "alerting:version:",
"prefix": "alerting:",
},
"api": ApiActions {
"prefix": "api:version:",
"prefix": "api:",
},
"app": AppActions {
"prefix": "app:version:",
"prefix": "app:",
},
"cases": CasesActions {
"prefix": "cases:version:",
"prefix": "cases:",
},
"login": "login:",
"savedObject": SavedObjectActions {
"prefix": "saved_object:version:",
"prefix": "saved_object:",
},
"space": SpaceActions {
"prefix": "space:version:",
"prefix": "space:",
},
"ui": UIActions {
"prefix": "ui:version:",
"prefix": "ui:",
},
"version": "version:version",
"versionNumber": "version",
},
"checkPrivilegesDynamicallyWithRequest": [Function],
"checkPrivilegesWithRequest": [Function],


@ -19,7 +19,7 @@ import {
describe('ensureAuthorized', () => {
function setupDependencies() {
const actions = new Actions('some-version');
const actions = new Actions();
jest
.spyOn(actions.savedObject, 'get')
.mockImplementation((type: string, action: string) => `mock-saved_object:${type}/${action}`);


@ -96,7 +96,7 @@ function setupSimpleCheckPrivsMockResolve(
}
function setup() {
const actions = new Actions('some-version');
const actions = new Actions();
jest
.spyOn(actions.savedObject, 'get')
.mockImplementation((type: string, action: string) => `mock-saved_object:${type}/${action}`);