[Fleet] Allow readonly user to access /agent_policies_spaces API (#203434)

2025-04-24 01:38:56 -04:00 · 2024-12-10 10:00:50 -05:00 · 2024-12-10 10:00:50 -05:00 · ebcbb0b26e
commit ebcbb0b26e
parent 9089dbebca
3 changed files with 31 additions and 1 deletions
--- a/x-pack/plugins/fleet/server/routes/app/index.ts
+++ b/x-pack/plugins/fleet/server/routes/app/index.ts
@ -237,7 +237,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType
      path: APP_API_ROUTES.AGENT_POLICIES_SPACES,
      access: 'internal',
      fleetAuthz: {
-        fleet: { allAgentPolicies: true },
+        fleet: { readAgentPolicies: true },
      },
    })
    .addVersion(
--- a/x-pack/test/fleet_api_integration/apis/space_awareness/agent_policies.ts
+++ b/x-pack/test/fleet_api_integration/apis/space_awareness/agent_policies.ts
@ -27,6 +27,10 @@ export default function (providerContext: FtrProviderContext) {
      username: testUsers.fleet_all_int_all.username,
      password: testUsers.fleet_all_int_all.password,
    });
+    const apiClientReadOnly = new SpaceTestApiClient(supertestWithoutAuth, {
+      username: testUsers.fleet_read_only.username,
+      password: testUsers.fleet_read_only.password,
+    });

    let defaultSpacePolicy1: CreateAgentPolicyResponse;
    let spaceTest1Policy1: CreateAgentPolicyResponse;
@ -113,5 +117,19 @@ export default function (providerContext: FtrProviderContext) {
        expect(res.item.id).to.eql(`${TEST_SPACE_1}-fleet-server-policy`);
      });
    });
+
+    describe('GET /agent_policies_spaces', () => {
+      it('should return all spaces user can write agent policies to', async () => {
+        const res = await apiClient.getAgentPoliciesSpaces();
+
+        expect(res.items.map(({ id }: { id: string }) => id)).to.eql(['default', 'test1']);
+      });
+
+      it('should return no spaces for user with readonly access', async () => {
+        const res = await apiClientReadOnly.getAgentPoliciesSpaces();
+
+        expect(res.items.map(({ id }: { id: string }) => id)).to.eql([]);
+      });
+    });
  });
 }
--- a/x-pack/test/fleet_api_integration/apis/space_awareness/api_helper.ts
+++ b/x-pack/test/fleet_api_integration/apis/space_awareness/api_helper.ts
@ -179,6 +179,18 @@ export class SpaceTestApiClient {

    return res;
  }
+
+  async getAgentPoliciesSpaces(spaceId?: string) {
+    const { body: res } = await this.supertest
+      .get(`${this.getBaseUrl(spaceId)}/internal/fleet/agent_policies_spaces`)
+      .auth(this.auth.username, this.auth.password)
+      .set('kbn-xsrf', 'xxxx')
+      .set('elastic-api-version', '1')
+      .expect(200);
+
+    return res;
+  }
+
  // Enrollment API Keys
  async getEnrollmentApiKey(
    keyId: string,