github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-06-28 11:05:39 -04:00
Code Issues Projects Releases Packages Wiki Activity

[Security Solution][Endpoint] Update t3_analyst role to ensure it only has read access to Policy Details (#163634)

Browse source 
## Summary

- Updates the roles YAML file (used in testing) to match update done to
project-controller for serverless
- adds additional tests to validate `t3_analyst` role in serverless
This commit is contained in:
Paul Tavares 2023-08-14 09:28:45 -04:00 committed by GitHub
parent 5c103e054f
commit 1fe8ffd0c8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 33 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

7
x-pack/test_serverless/functional/test_suites/security/cypress/e2e/endpoint_management/roles/complete_with_endpoint_roles.cy.ts
View file

@ -13,6 +13,7 @@ import {
EndpointArtifactPageId, EndpointArtifactPageId,
ensureArtifactPageAuthzAccess, ensureArtifactPageAuthzAccess,
ensureEndpointListPageAuthzAccess, ensureEndpointListPageAuthzAccess,
ensurePolicyListPageAuthzAccess,
getArtifactListEmptyStateAddButton, getArtifactListEmptyStateAddButton,
getEndpointManagementPageList, getEndpointManagementPageList,
getEndpointManagementPageMap, getEndpointManagementPageMap,
@ -31,6 +32,7 @@ import {
getConsoleHelpPanelResponseActionTestSubj, getConsoleHelpPanelResponseActionTestSubj,
openConsoleHelpPanel, openConsoleHelpPanel,
} from '../../../screens/endpoint_management/response_console'; } from '../../../screens/endpoint_management/response_console';
import { ensurePolicyDetailsPageAuthzAccess } from '../../../screens/endpoint_management/policy_details';
describe( describe(
'User Roles for Security Complete PLI with Endpoint Complete addon', 'User Roles for Security Complete PLI with Endpoint Complete addon',
@ -132,6 +134,11 @@ describe(
ensureEndpointListPageAuthzAccess('all', true); ensureEndpointListPageAuthzAccess('all', true);
}); });
it('should have read access to Endpoint Policy Management', () => {
ensurePolicyListPageAuthzAccess('read', true);
ensurePolicyDetailsPageAuthzAccess(loadedEndpoints.integrationPolicies[0].id, 'read', true);
});
for (const { title, id } of artifactPagesFullAccess) { for (const { title, id } of artifactPagesFullAccess) {
it(`should have CRUD access to: ${title}`, () => { it(`should have CRUD access to: ${title}`, () => {
ensureArtifactPageAuthzAccess('all', id as EndpointArtifactPageId); ensureArtifactPageAuthzAccess('all', id as EndpointArtifactPageId);

3
x-pack/test_serverless/functional/test_suites/security/cypress/e2e/endpoint_management/roles/essentials_with_endpoint.roles.cy.ts
View file

@ -23,6 +23,7 @@ import {
visitFleetAgentList, visitFleetAgentList,
} from '../../../screens'; } from '../../../screens';
import { ServerlessRoleName } from '../../../../../../../shared/lib'; import { ServerlessRoleName } from '../../../../../../../shared/lib';
import { ensurePolicyDetailsPageAuthzAccess } from '../../../screens/endpoint_management/policy_details';
describe( describe(
'Roles for Security Essential PLI with Endpoint Essentials addon', 'Roles for Security Essential PLI with Endpoint Essentials addon',
@ -98,6 +99,7 @@ describe(
it('should have read access to Endpoint Policy Management', () => { it('should have read access to Endpoint Policy Management', () => {
ensurePolicyListPageAuthzAccess('read', true); ensurePolicyListPageAuthzAccess('read', true);
ensurePolicyDetailsPageAuthzAccess(loadedEndpoints.integrationPolicies[0].id, 'read', true);
}); });
for (const { title, id } of artifactPagesFullAccess) { for (const { title, id } of artifactPagesFullAccess) {
@ -173,6 +175,7 @@ describe(
it('should have access to policy management', () => { it('should have access to policy management', () => {
ensurePolicyListPageAuthzAccess('all', true); ensurePolicyListPageAuthzAccess('all', true);
ensurePolicyDetailsPageAuthzAccess(loadedEndpoints.integrationPolicies[0].id, 'all', true);
}); });
it(`should NOT have access to Host Isolation Exceptions`, () => { it(`should NOT have access to Host Isolation Exceptions`, () => {

22
x-pack/test_serverless/functional/test_suites/security/cypress/screens/endpoint_management/policy_details.ts
View file

@ -6,7 +6,29 @@
*/ */
import { APP_POLICIES_PATH } from '@kbn/security-solution-plugin/common/constants'; import { APP_POLICIES_PATH } from '@kbn/security-solution-plugin/common/constants';
import { UserAuthzAccessLevel } from './types';
import { getNoPrivilegesPage } from './common';
export const visitPolicyDetails = (policyId: string): Cypress.Chainable => { export const visitPolicyDetails = (policyId: string): Cypress.Chainable => {
return cy.visit(`${APP_POLICIES_PATH}/${policyId}`); return cy.visit(`${APP_POLICIES_PATH}/${policyId}`);
}; };
export const ensurePolicyDetailsPageAuthzAccess = (
policyId: string,
accessLevel: UserAuthzAccessLevel,
visitPage: boolean = false
): Cypress.Chainable => {
if (visitPage) {
visitPolicyDetails(policyId);
}
if (accessLevel === 'none') {
return getNoPrivilegesPage().should('exist');
}
if (accessLevel === 'read') {
return cy.getByTestSubj('policyDetailsSaveButton').should('not.exist');
}
return cy.getByTestSubj('policyDetailsSaveButton').should('exist');
};

2
x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml
View file

@ -165,7 +165,7 @@ t3_analyst:
- event_filters_all - event_filters_all
- host_isolation_exceptions_all - host_isolation_exceptions_all
- blocklist_all - blocklist_all
- policy_management_all # Elastic Defend Policy Management - policy_management_read # Elastic Defend Policy Management
- host_isolation_all - host_isolation_all
- process_operations_all - process_operations_all
- actions_log_management_all # Response actions history - actions_log_management_all # Response actions history