[RAM] bug on _run_soon API (#151218)

## Summary FIX https://github.com/elastic/kibana/issues/149432 ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
2025-04-24 17:59:23 -04:00 · 2023-02-15 17:13:44 -05:00 · 2023-02-15 17:13:44 -05:00 · e87d3a151c
commit e87d3a151c
parent 467891e760
4 changed files with 85 additions and 0 deletions
--- a/x-pack/plugins/security/server/authorization/privileges/feature_privilege_builder/alerting.test.ts
+++ b/x-pack/plugins/security/server/authorization/privileges/feature_privilege_builder/alerting.test.ts
@ -91,6 +91,7 @@ describe(`feature_privilege_builder`, () => {
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/getExecutionLog",
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/find",
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/getRuleExecutionKPI",
+            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/runSoon",
          ]
        `);
      });
@ -177,6 +178,7 @@ describe(`feature_privilege_builder`, () => {
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/getExecutionLog",
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/find",
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/getRuleExecutionKPI",
+            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/runSoon",
            "alerting:1.0.0-zeta1:alert-type/my-feature/alert/get",
            "alerting:1.0.0-zeta1:alert-type/my-feature/alert/find",
            "alerting:1.0.0-zeta1:alert-type/my-feature/alert/getAuthorizedAlertsIndices",
@ -223,6 +225,7 @@ describe(`feature_privilege_builder`, () => {
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/getExecutionLog",
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/find",
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/getRuleExecutionKPI",
+            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/runSoon",
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/create",
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/delete",
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/update",
@ -326,6 +329,7 @@ describe(`feature_privilege_builder`, () => {
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/getExecutionLog",
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/find",
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/getRuleExecutionKPI",
+            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/runSoon",
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/create",
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/delete",
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/update",
@ -389,6 +393,7 @@ describe(`feature_privilege_builder`, () => {
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/getExecutionLog",
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/find",
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/getRuleExecutionKPI",
+            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/runSoon",
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/create",
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/delete",
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/update",
@ -411,6 +416,7 @@ describe(`feature_privilege_builder`, () => {
            "alerting:1.0.0-zeta1:readonly-alert-type/my-feature/rule/getExecutionLog",
            "alerting:1.0.0-zeta1:readonly-alert-type/my-feature/rule/find",
            "alerting:1.0.0-zeta1:readonly-alert-type/my-feature/rule/getRuleExecutionKPI",
+            "alerting:1.0.0-zeta1:readonly-alert-type/my-feature/rule/runSoon",
          ]
        `);
      });
@ -502,6 +508,7 @@ describe(`feature_privilege_builder`, () => {
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/getExecutionLog",
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/find",
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/getRuleExecutionKPI",
+            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/runSoon",
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/create",
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/delete",
            "alerting:1.0.0-zeta1:alert-type/my-feature/rule/update",
@ -524,6 +531,7 @@ describe(`feature_privilege_builder`, () => {
            "alerting:1.0.0-zeta1:readonly-alert-type/my-feature/rule/getExecutionLog",
            "alerting:1.0.0-zeta1:readonly-alert-type/my-feature/rule/find",
            "alerting:1.0.0-zeta1:readonly-alert-type/my-feature/rule/getRuleExecutionKPI",
+            "alerting:1.0.0-zeta1:readonly-alert-type/my-feature/rule/runSoon",
            "alerting:1.0.0-zeta1:another-alert-type/my-feature/alert/get",
            "alerting:1.0.0-zeta1:another-alert-type/my-feature/alert/find",
            "alerting:1.0.0-zeta1:another-alert-type/my-feature/alert/getAuthorizedAlertsIndices",
--- a/x-pack/plugins/security/server/authorization/privileges/feature_privilege_builder/alerting.ts
+++ b/x-pack/plugins/security/server/authorization/privileges/feature_privilege_builder/alerting.ts
@ -24,6 +24,7 @@ const readOperations: Record<AlertingEntity, string[]> = {
    'getExecutionLog',
    'find',
    'getRuleExecutionKPI',
+    'runSoon',
  ],
  alert: ['get', 'find', 'getAuthorizedAlertsIndices', 'getAlertSummary'],
 };
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group3/tests/alerting/index.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group3/tests/alerting/index.ts
@ -26,6 +26,7 @@ export default function alertingTests({ loadTestFile, getService }: FtrProviderC
      loadTestFile(require.resolve('./bulk_disable'));
      loadTestFile(require.resolve('./clone'));
      loadTestFile(require.resolve('./get_flapping_settings'));
+      loadTestFile(require.resolve('./run_soon'));
      loadTestFile(require.resolve('./update_flapping_settings'));
    });
  });
--- a/x-pack/test/alerting_api_integration/security_and_spaces/group3/tests/alerting/run_soon.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/group3/tests/alerting/run_soon.ts
@ -0,0 +1,75 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import { UserAtSpaceScenarios } from '../../../scenarios';
+import {
+  getTestRuleData,
+  getConsumerUnauthorizedErrorMessage,
+  getUrlPrefix,
+  ObjectRemover,
+} from '../../../../common/lib';
+import { FtrProviderContext } from '../../../../common/ftr_provider_context';
+
+// eslint-disable-next-line import/no-default-export
+export default function createAlertTests({ getService }: FtrProviderContext) {
+  const supertest = getService('supertest');
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+
+  describe('runSoon', () => {
+    const objectRemover = new ObjectRemover(supertest);
+
+    afterEach(async () => {
+      await objectRemover.removeAll();
+    });
+
+    for (const scenario of UserAtSpaceScenarios) {
+      const { user, space } = scenario;
+      describe(scenario.id, () => {
+        it('should handle run soon rule request appropriately', async () => {
+          const responseRule = await supertest
+            .post(`${getUrlPrefix(space.id)}/api/alerting/rule`)
+            .set('kbn-xsrf', 'foo')
+            .send(getTestRuleData());
+
+          const response = await supertestWithoutAuth
+            .post(
+              `${getUrlPrefix(space.id)}/internal/alerting/rule/${responseRule.body.id}/_run_soon`
+            )
+            .set('kbn-xsrf', 'foo')
+            .auth(user.username, user.password)
+            .send();
+
+          switch (scenario.id) {
+            case 'no_kibana_privileges at space1':
+            case 'space_1_all at space2':
+              expect(response.statusCode).to.eql(403);
+              expect(response.body).to.eql({
+                error: 'Forbidden',
+                message: getConsumerUnauthorizedErrorMessage(
+                  'runSoon',
+                  'test.noop',
+                  'alertsFixture'
+                ),
+                statusCode: 403,
+              });
+              break;
+            case 'global_read at space1':
+            case 'space_1_all_alerts_none_actions at space1':
+            case 'superuser at space1':
+            case 'space_1_all at space1':
+            case 'space_1_all_with_restricted_fixture at space1':
+              expect(response.statusCode === 200 || response.statusCode === 204).to.be(true);
+              break;
+            default:
+              throw new Error(`Scenario untested: ${JSON.stringify(scenario)}`);
+          }
+        });
+      });
+    }
+  });
+}