[Upgrade Assistant] Restrict UI to Kibana admins (#127922)

2025-04-24 09:48:58 -04:00 · 2022-03-23 14:46:05 -04:00 · 2022-03-23 14:46:05 -04:00 · 6f62c25b1d
commit 6f62c25b1d
parent 79e9748fbc
7 changed files with 103 additions and 11 deletions
--- a/x-pack/plugins/upgrade_assistant/jest/client_integration/app/privileges.test.tsx
+++ b/x-pack/plugins/upgrade_assistant/jest/client_integration/app/privileges.test.tsx
@ -0,0 +1,52 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { act } from 'react-dom/test-utils';
+
+import { AppDependencies } from '../../../public/types';
+import { setupEnvironment, kibanaVersion, getAppContextMock } from '../helpers';
+import { AppTestBed, setupAppPage } from './app.helpers';
+
+describe('Privileges', () => {
+  let testBed: AppTestBed;
+  let httpSetup: ReturnType<typeof setupEnvironment>['httpSetup'];
+  beforeEach(async () => {
+    const mockEnvironment = setupEnvironment();
+    httpSetup = mockEnvironment.httpSetup;
+  });
+
+  describe('when user is not a Kibana global admin', () => {
+    beforeEach(async () => {
+      const appContextMock = getAppContextMock(kibanaVersion) as unknown as AppDependencies;
+      const servicesMock = {
+        ...appContextMock.services,
+        core: {
+          ...appContextMock.services.core,
+          application: {
+            capabilities: {
+              spaces: {
+                manage: false,
+              },
+            },
+          },
+        },
+      };
+
+      await act(async () => {
+        testBed = await setupAppPage(httpSetup, { services: servicesMock });
+      });
+
+      testBed.component.update();
+    });
+
+    test('renders not authorized message', () => {
+      const { exists } = testBed;
+      expect(exists('overview')).toBe(false);
+      expect(exists('missingKibanaPrivilegesMessage')).toBe(true);
+    });
+  });
+});
--- a/x-pack/plugins/upgrade_assistant/jest/client_integration/helpers/app_context.mock.ts
+++ b/x-pack/plugins/upgrade_assistant/jest/client_integration/helpers/app_context.mock.ts
@ -88,7 +88,14 @@ export const getAppContextMock = (kibanaVersion: SemVer) => ({
      notifications: notificationServiceMock.createStartContract(),
      docLinks: docLinksServiceMock.createStartContract(),
      history: scopedHistoryMock.create(),
-      application: applicationServiceMock.createStartContract(),
+      application: {
+        ...applicationServiceMock.createStartContract(),
+        capabilities: {
+          spaces: {
+            manage: true,
+          },
+        },
+      },
    },
  },
  plugins: {
--- a/x-pack/plugins/upgrade_assistant/jest/client_integration/helpers/index.ts
+++ b/x-pack/plugins/upgrade_assistant/jest/client_integration/helpers/index.ts
@ -7,3 +7,4 @@

 export { setupEnvironment, WithAppDependencies, kibanaVersion } from './setup_environment';
 export { advanceTime } from './time_manipulation';
+export { getAppContextMock } from './app_context.mock';
--- a/x-pack/plugins/upgrade_assistant/public/application/app.tsx
+++ b/x-pack/plugins/upgrade_assistant/public/application/app.tsx
@ -14,7 +14,12 @@ import { ScopedHistory } from 'src/core/public';
 import { RedirectAppLinks } from '../../../../../src/plugins/kibana_react/public';
 import { API_BASE_PATH } from '../../common/constants';
 import { ClusterUpgradeState } from '../../common/types';
-import { APP_WRAPPER_CLASS, GlobalFlyout, AuthorizationProvider } from '../shared_imports';
+import {
+  APP_WRAPPER_CLASS,
+  GlobalFlyout,
+  AuthorizationProvider,
+  NotAuthorizedSection,
+} from '../shared_imports';
 import { AppDependencies } from '../types';
 import { AppContextProvider, useAppContext } from './app_context';
 import {
@ -30,18 +35,46 @@ const { GlobalFlyoutProvider } = GlobalFlyout;
 const AppHandlingClusterUpgradeState: React.FunctionComponent = () => {
  const {
    isReadOnlyMode,
-    services: { api },
+    services: { api, core },
  } = useAppContext();

-  const [clusterUpgradeState, setClusterUpradeState] =
+  const missingManageSpacesPrivilege = core.application.capabilities.spaces.manage !== true;
+
+  const [clusterUpgradeState, setClusterUpgradeState] =
    useState<ClusterUpgradeState>('isPreparingForUpgrade');

  useEffect(() => {
    api.onClusterUpgradeStateChange((newClusterUpgradeState: ClusterUpgradeState) => {
-      setClusterUpradeState(newClusterUpgradeState);
+      setClusterUpgradeState(newClusterUpgradeState);
    });
  }, [api]);

+  if (missingManageSpacesPrivilege) {
+    return (
+      <EuiPageContent
+        verticalPosition="center"
+        horizontalPosition="center"
+        color="subdued"
+        data-test-subj="missingKibanaPrivilegesMessage"
+      >
+        <NotAuthorizedSection
+          title={
+            <FormattedMessage
+              id="xpack.upgradeAssistant.app.deniedPrivilegeTitle"
+              defaultMessage="Kibana admin role required"
+            />
+          }
+          message={
+            <FormattedMessage
+              id="xpack.upgradeAssistant.app.deniedPrivilegeDescription"
+              defaultMessage="To use Upgrade Assistant and resolve deprecation issues, you must have access to manage all Kibana spaces."
+            />
+          }
+        />
+      </EuiPageContent>
+    );
+  }
+
  // Read-only mode will be enabled up until the last minor before the next major release
  if (isReadOnlyMode) {
    return <ComingSoonPrompt />;
--- a/x-pack/plugins/upgrade_assistant/public/shared_imports.ts
+++ b/x-pack/plugins/upgrade_assistant/public/shared_imports.ts
@ -21,6 +21,7 @@ export {
  WithPrivileges,
  AuthorizationProvider,
  AuthorizationContext,
+  NotAuthorizedSection,
 } from '../../../../src/plugins/es_ui_shared/public/';

 export { Storage } from '../../../../src/plugins/kibana_utils/public';
--- a/x-pack/test/functional/apps/upgrade_assistant/feature_controls/upgrade_assistant_security.ts
+++ b/x-pack/test/functional/apps/upgrade_assistant/feature_controls/upgrade_assistant_security.ts
@ -56,11 +56,11 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {

      describe('[SkipCloud] global dashboard read with global_upgrade_assistant_role', function () {
        this.tags('skipCloud');
-        it('should render the "Stack" section with Upgrde Assistant', async function () {
+        it('should render the "Stack" section with Upgrade Assistant', async function () {
          await PageObjects.common.navigateToApp('management');
          const sections = await managementMenu.getSections();
-          expect(sections).to.have.length(3);
-          expect(sections[2]).to.eql({
+          expect(sections).to.have.length(5);
+          expect(sections[4]).to.eql({
            sectionId: 'stack',
            sectionLinks: ['license_management', 'upgrade_assistant'],
          });
--- a/x-pack/test/functional/config.js
+++ b/x-pack/test/functional/config.js
@ -451,9 +451,7 @@ export default async function ({ readConfigFile }) {
          },
          kibana: [
            {
-              feature: {
-                discover: ['read'],
-              },
+              base: ['all'],
              spaces: ['*'],
            },
          ],