Using ES list privileges API to determine the authorization mode (#24211) (#24220)

* Making it easier and more terse to specify the user for a test

* Using ES list privileges API to determine the authorization mode

This lets us correctly use RBAC authorization for the proper users when
security is enabled and spaces is disabled: we detect whether they have
privileges of any kind and, if so, use RBAC.

* Fixing authorization service test

* Fixing tests referencing wrong expects

* Putting create test back

* Update x-pack/plugins/security/server/lib/authorization/mode.js

* Update x-pack/plugins/security/server/lib/authorization/mode.js
Brandon Kobel 2018-10-22 18:08:50 -07:00 committed by GitHub
parent 52043e0fa1
commit f52f72dcc5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 260 additions and 287 deletions


@ -3,53 +3,32 @@
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
import { GLOBAL_RESOURCE } from '../../../common/constants';
import { spaceApplicationPrivilegesSerializer } from './space_application_privileges_serializer';
const hasAnyPrivileges = privileges => {
return Object.values(privileges).some(hasPrivilege => hasPrivilege === true);
};
const hasAnyResourcePrivileges = resourcePrivileges => {
return Object.values(resourcePrivileges).some(resource => hasAnyPrivileges(resource));
};
export function authorizationModeFactory(
actions,
checkPrivilegesWithRequest,
application,
config,
log,
plugins,
savedObjects,
shieldClient,
xpackInfoFeature,
) {
const useRbacForRequestCache = new WeakMap();
// TODO: This logic will change once we have the ES API to list all privileges
// and is not covered by unit tests currently
const shouldUseRbacForRequest = async (request) => {
if (!config.get('xpack.security.authorization.legacyFallback.enabled')) {
return true;
}
const adminCluster = plugins.elasticsearch.getCluster('admin');
const { callWithInternalUser } = adminCluster;
const { callWithRequest } = shieldClient;
const internalSavedObjectsRepository = savedObjects.getSavedObjectsRepository(
callWithInternalUser
);
const getUserPrivilegesResponse = await callWithRequest(request, 'shield.getUserPrivileges');
const checkPrivileges = checkPrivilegesWithRequest(request);
if (!plugins.spaces) {
const { privileges } = await checkPrivileges.globally(actions.login);
return hasAnyPrivileges(privileges);
}
// Superusers have `*` and all other roles will have the explicit application.
// We aren't using wildcards at this time, so if the user somehow specifies them
// using the ES apis directly (which is documented as unsupported) they won't work here.
const result = getUserPrivilegesResponse.applications
.some(entry => entry.application === '*' || entry.application === application);
const { saved_objects: spaceSavedObjects } = await internalSavedObjectsRepository.find({ type: 'space' });
const spaceResources = spaceSavedObjects.map(space => spaceApplicationPrivilegesSerializer.resource.serialize(space.id));
const allResources = [GLOBAL_RESOURCE, ...spaceResources];
const { resourcePrivileges } = await checkPrivileges.atResources(allResources, actions.login);
return hasAnyResourcePrivileges(resourcePrivileges);
return result;
};
const isRbacEnabled = () => xpackInfoFeature.getLicenseCheckResults().allowRbac;
@ -62,7 +41,7 @@ export function authorizationModeFactory(
}
if (!isRbacEnabled()) {
useRbacForRequestCache.set(request, true);
useRbacForRequestCache.set(request, false);
return;
}
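Review bot: The reworked `shouldUseRbacForRequest` calls `getUserPrivilegesResponse.applications.some(...)` without checking the response shape, and no visible line handles a rejected `callWithRequest(request, 'shield.getUserPrivileges')`. This result selects between RBAC and the legacy fallback for the request, so the failure behaviour should be explicit rather than a `TypeError` from the dereference, for example `if (!Array.isArray(getUserPrivilegesResponse.applications)) { throw new Error('Unexpected response from shield.getUserPrivileges'); }` before the `.some(...)` call. The match is also on the application name alone, so an entry for `application` counts whatever privileges or resources it lists; a comment such as `// Any entry for this application, whatever its privileges, selects RBAC.` would record that this is intended. The code that stores the result in `useRbacForRequestCache` lies partly outside the hunks shown.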


@ -6,6 +6,8 @@
import { authorizationModeFactory } from './mode';
const application = 'kibana-.kibana';
const createMockConfig = (settings) => {
const mockConfig = {
get: jest.fn()
@ -30,12 +32,16 @@ const createMockXpackInfoFeature = (allowRbac) => {
};
};
const createMockShieldClient = (getUserPrivilegesResponse) => ({
callWithRequest: jest.fn().mockReturnValue(getUserPrivilegesResponse)
});
describe(`#initialize`, () => {
test(`can't be initialized twice for the same request`, async () => {
const mockConfig = createMockConfig();
const mockLogger = createMockLogger();
const mockXpackInfoFeature = createMockXpackInfoFeature();
const mode = authorizationModeFactory({}, {}, mockConfig, mockLogger, {}, {}, mockXpackInfoFeature);
const mode = authorizationModeFactory(application, mockConfig, mockLogger, null, mockXpackInfoFeature);
const request = {};
await mode.initialize(request);
@ -50,7 +56,7 @@ describe(`#useRbacForRequest`, () => {
const mockConfig = createMockConfig();
const mockLogger = createMockLogger();
const mockXpackInfoFeature = createMockXpackInfoFeature();
const mode = authorizationModeFactory({}, {}, mockConfig, mockLogger, {}, {}, mockXpackInfoFeature);
const mode = authorizationModeFactory(application, mockConfig, mockLogger, null, mockXpackInfoFeature);
const request = {};
const result = mode.useRbacForRequest(request);
@ -63,13 +69,124 @@ describe(`#useRbacForRequest`, () => {
'xpack.security.authorization.legacyFallback.enabled': false,
});
const mockLogger = createMockLogger();
const mockXpackInfoFeature = createMockXpackInfoFeature();
const mode = authorizationModeFactory({}, {}, mockConfig, mockLogger, {}, {}, mockXpackInfoFeature);
const mockXpackInfoFeature = createMockXpackInfoFeature(true);
const mode = authorizationModeFactory(application, mockConfig, mockLogger, null, mockXpackInfoFeature);
const request = {};
await mode.initialize(request);
const result = mode.useRbacForRequest(request);
expect(result).toBe(true);
expect(mockLogger).not.toHaveBeenCalled();
});
test(`returns false if xpackInfoFeature.getLicenseCheckResults().allowRbac is false`, async () => {
const mockConfig = createMockConfig({
'xpack.security.authorization.legacyFallback.enabled': true,
});
const mockLogger = createMockLogger();
const mockXpackInfoFeature = createMockXpackInfoFeature(false);
const mode = authorizationModeFactory(application, mockConfig, mockLogger, null, mockXpackInfoFeature);
const request = {};
await mode.initialize(request);
const result = mode.useRbacForRequest(request);
expect(result).toBe(false);
});
test(`returns false if shieldClient getUserPrivileges returns no applications`, async () => {
const mockConfig = createMockConfig({
'xpack.security.authorization.legacyFallback.enabled': true,
});
const mockLogger = createMockLogger();
const mockXpackInfoFeature = createMockXpackInfoFeature(true);
const mockShieldClient = createMockShieldClient({
applications: []
});
const mode = authorizationModeFactory(application, mockConfig, mockLogger, mockShieldClient, mockXpackInfoFeature);
const request = {
headers: {
foo: 'bar'
}
};
await mode.initialize(request);
const result = mode.useRbacForRequest(request);
expect(result).toBe(false);
expect(mockShieldClient.callWithRequest).toHaveBeenCalledWith(request, 'shield.getUserPrivileges');
});
test(`returns false if shieldClient getUserPrivileges returns incorrect application`, async () => {
const mockConfig = createMockConfig({
'xpack.security.authorization.legacyFallback.enabled': true,
});
const mockLogger = createMockLogger();
const mockXpackInfoFeature = createMockXpackInfoFeature(true);
const mockShieldClient = createMockShieldClient({
applications: [{
application: 'kibana-.kibana-marketing'
}]
});
const mode = authorizationModeFactory(application, mockConfig, mockLogger, mockShieldClient, mockXpackInfoFeature);
const request = {
headers: {
foo: 'bar'
}
};
await mode.initialize(request);
const result = mode.useRbacForRequest(request);
expect(result).toBe(false);
expect(mockShieldClient.callWithRequest).toHaveBeenCalledWith(request, 'shield.getUserPrivileges');
});
test(`returns true if shieldClient getUserPrivileges returns * and incorrect application`, async () => {
const mockConfig = createMockConfig({
'xpack.security.authorization.legacyFallback.enabled': true,
});
const mockLogger = createMockLogger();
const mockXpackInfoFeature = createMockXpackInfoFeature(true);
const mockShieldClient = createMockShieldClient({
applications: [{
application: 'kibana-.kibana-marketing'
}, {
application: '*'
}]
});
const mode = authorizationModeFactory(application, mockConfig, mockLogger, mockShieldClient, mockXpackInfoFeature);
const request = {
headers: {
foo: 'bar'
}
};
await mode.initialize(request);
const result = mode.useRbacForRequest(request);
expect(result).toBe(true);
expect(mockShieldClient.callWithRequest).toHaveBeenCalledWith(request, 'shield.getUserPrivileges');
});
test(`returns true if shieldClient getUserPrivileges returns matching application and incorrect application`, async () => {
const mockConfig = createMockConfig({
'xpack.security.authorization.legacyFallback.enabled': true,
});
const mockLogger = createMockLogger();
const mockXpackInfoFeature = createMockXpackInfoFeature(true);
const mockShieldClient = createMockShieldClient({
applications: [{
application: 'kibana-.kibana-marketing'
}, {
application
}]
});
const mode = authorizationModeFactory(application, mockConfig, mockLogger, mockShieldClient, mockXpackInfoFeature);
const request = {
headers: {
foo: 'bar'
}
};
await mode.initialize(request);
const result = mode.useRbacForRequest(request);
expect(result).toBe(true);
expect(mockShieldClient.callWithRequest).toHaveBeenCalledWith(request, 'shield.getUserPrivileges');
});
});
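Review bot: The added `#useRbacForRequest` cases cover an empty list, a different application name, `*` and an exact match, but none pins the wildcard behaviour or a failing privileges call. The comment in mode.js says application wildcards are not honoured, so a case with a constructed entry such as `applications: [{ application: 'kibana-*' }]` expecting `false` would document that. A case where the mock rejects, `callWithRequest: jest.fn().mockRejectedValue(new Error('unavailable'))`, would likewise fix what `initialize` does when the mode cannot be determined. The first three cases pass `null` as the shield client and rely on the early returns, which deserves a short comment so a later reorder of the checks does not produce a confusing null dereference.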


@ -17,13 +17,11 @@ export function createAuthorizationService(server, xpackInfoFeature) {
const application = `kibana-${config.get('kibana.index')}`;
const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory(actions, application, shieldClient);
const mode = authorizationModeFactory(
actions,
checkPrivilegesWithRequest,
application,
config,
(...args) => server.log(...args),
server.plugins,
server.savedObjects,
xpackInfoFeature
shieldClient,
xpackInfoFeature,
);
return {


@ -64,12 +64,10 @@ test(`calls server.expose with exposed services`, () => {
expect(actionsFactory).toHaveBeenCalledWith(mockConfig);
expect(checkPrivilegesWithRequestFactory).toHaveBeenCalledWith(mockActions, application, mockShieldClient);
expect(authorizationModeFactory).toHaveBeenCalledWith(
mockActions,
mockCheckPrivilegesWithRequest,
application,
mockConfig,
expect.any(Function),
mockServer.plugins,
mockServer.savedObjects,
mockShieldClient,
mockXpackInfoFeature,
);
});


@ -258,6 +258,19 @@
method: 'PUT'
});
/**
* Perform a [shield.getUserPrivileges](Retrieve a user's list of privileges) request
*
*/
shield.getUserPrivileges = ca({
params: {},
urls: [
{
fmt: '/_xpack/security/user/_privileges'
}
]
});
/**
* Asks Elasticsearch to prepare SAML authentication request to be sent to
* the 3rd-party SAML identity provider.
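Review bot: The doc comment on the new `shield.getUserPrivileges` action puts the description where the link target belongs, `[shield.getUserPrivileges](Retrieve a user's list of privileges)`, so it reads as a broken link. Suggest `* Retrieve the list of privileges held by the user making the request.` as the summary line. The `ca({...})` call gives no `method`, presumably relying on the client default; if the neighbouring actions state their method, state it here too so the read-only nature of the call is visible. The following SAML comment block continues outside the hunk.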


@ -81,17 +81,21 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
});
};
const createExpectRbacForbidden = (type: string) => (resp: { [key: string]: any }) => {
expect(resp.body).to.eql({
error: 'Forbidden',
message: `Unable to get ${type}, missing action:saved_objects/${type}/get`,
statusCode: 403,
});
};
const createExpectSpaceAwareNotFound = (spaceId = DEFAULT_SPACE_ID) => {
return createExpectNotFound(spaceAwareId, spaceId);
};
const createExpectSpaceAwareRbacForbidden = () => (resp: { [key: string]: any }) => {
expect(resp.body).to.eql({
error: 'Forbidden',
message: `Unable to get visualization, missing action:saved_objects/visualization/get`,
statusCode: 403,
});
};
const expectSpaceAwareRbacForbidden = createExpectRbacForbidden('visualization');
const expectNotSpaceAwareRbacForbidden = createExpectRbacForbidden('globaltype');
const expectDoesntExistRbacForbidden = createExpectRbacForbidden('visualization');
const createExpectSpaceAwareResults = (spaceId = DEFAULT_SPACE_ID) => (resp: {
[key: string]: any;
@ -174,8 +178,10 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperTest<any>)
createExpectNotSpaceAwareRbacForbidden,
createExpectNotSpaceAwareResults,
createExpectSpaceAwareNotFound,
createExpectSpaceAwareRbacForbidden,
createExpectSpaceAwareResults,
expectSpaceAwareRbacForbidden,
expectNotSpaceAwareRbacForbidden,
expectDoesntExistRbacForbidden,
getTest,
};
}
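Review bot: `expectDoesntExistRbacForbidden` is built with the same argument as `expectSpaceAwareRbacForbidden`, `createExpectRbacForbidden('visualization')`, and nothing says why. If the intent is that a user lacking the `get` action receives the same 403 whether or not the object exists, a comment would record it: `// A missing object must yield the same 403 as an existing one, so the response does not reveal existence.` `createExpectNotSpaceAwareRbacForbidden` still appears in the returned object beside the new `expectNotSpaceAwareRbacForbidden`; if no suite uses it any more it could be dropped. `getTestSuiteFactory` starts outside these hunks.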


@ -17,10 +17,11 @@ export default function({ getService }: TestInvoker) {
const {
createExpectDoesntExistNotFound,
createExpectLegacyForbidden,
createExpectSpaceAwareRbacForbidden,
createExpectSpaceAwareResults,
createExpectNotSpaceAwareResults,
createExpectNotSpaceAwareRbacForbidden,
expectSpaceAwareRbacForbidden,
expectNotSpaceAwareRbacForbidden,
expectDoesntExistRbacForbidden,
getTest,
} = getTestSuiteFactory(esArchiver, supertest);
@ -255,15 +256,15 @@ export default function({ getService }: TestInvoker) {
tests: {
spaceAware: {
statusCode: 403,
response: createExpectSpaceAwareRbacForbidden(),
response: expectSpaceAwareRbacForbidden,
},
notSpaceAware: {
statusCode: 403,
response: createExpectNotSpaceAwareRbacForbidden(),
response: expectNotSpaceAwareRbacForbidden,
},
doesntExist: {
statusCode: 403,
response: createExpectSpaceAwareRbacForbidden(),
response: expectDoesntExistRbacForbidden,
},
},
});


@ -109,9 +109,7 @@ export default function({ getService }: TestInvoker) {
tests: {
default: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
),
response: expectRbacForbidden,
},
},
});
@ -121,9 +119,7 @@ export default function({ getService }: TestInvoker) {
tests: {
default: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
),
response: expectRbacForbidden,
},
},
});
@ -133,9 +129,7 @@ export default function({ getService }: TestInvoker) {
tests: {
default: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
),
response: expectRbacForbidden,
},
},
});
@ -145,9 +139,7 @@ export default function({ getService }: TestInvoker) {
tests: {
default: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
),
response: expectRbacForbidden,
},
},
});


@ -13,10 +13,12 @@ export default function({ getService }: TestInvoker) {
const supertest = getService('supertestWithoutAuth');
const esArchiver = getService('esArchiver');
const { bulkGetTest, createExpectLegacyForbidden, createExpectResults } = bulkGetTestSuiteFactory(
esArchiver,
supertest
);
const {
bulkGetTest,
createExpectLegacyForbidden,
createExpectResults,
expectRbacForbidden,
} = bulkGetTestSuiteFactory(esArchiver, supertest);
describe('_bulk_get', () => {
bulkGetTest(`user with no access`, {
@ -104,9 +106,7 @@ export default function({ getService }: TestInvoker) {
tests: {
default: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
),
response: expectRbacForbidden,
},
},
});
@ -116,9 +116,7 @@ export default function({ getService }: TestInvoker) {
tests: {
default: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
),
response: expectRbacForbidden,
},
},
});
@ -128,9 +126,7 @@ export default function({ getService }: TestInvoker) {
tests: {
default: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
),
response: expectRbacForbidden,
},
},
});
@ -140,9 +136,7 @@ export default function({ getService }: TestInvoker) {
tests: {
default: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
),
response: expectRbacForbidden,
},
},
});


@ -145,15 +145,11 @@ export default function({ getService }: TestInvoker) {
tests: {
spaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
),
response: expectSpaceAwareRbacForbidden,
},
notSpaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
),
response: expectNotSpaceAwareRbacForbidden,
},
},
});
@ -163,15 +159,11 @@ export default function({ getService }: TestInvoker) {
tests: {
spaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
),
response: expectSpaceAwareRbacForbidden,
},
notSpaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
),
response: expectNotSpaceAwareRbacForbidden,
},
},
});
@ -181,15 +173,11 @@ export default function({ getService }: TestInvoker) {
tests: {
spaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
),
response: expectSpaceAwareRbacForbidden,
},
notSpaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
),
response: expectNotSpaceAwareRbacForbidden,
},
},
});
@ -199,15 +187,11 @@ export default function({ getService }: TestInvoker) {
tests: {
spaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
),
response: expectSpaceAwareRbacForbidden,
},
notSpaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
),
response: expectNotSpaceAwareRbacForbidden,
},
},
});


@ -179,21 +179,15 @@ export default function({ getService }: TestInvoker) {
tests: {
spaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
),
response: expectRbacSpaceAwareForbidden,
},
notSpaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
),
response: expectRbacNotSpaceAwareForbidden,
},
invalidId: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
),
response: expectRbacInvalidIdForbidden,
},
},
});
@ -203,21 +197,15 @@ export default function({ getService }: TestInvoker) {
tests: {
spaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
),
response: expectRbacSpaceAwareForbidden,
},
notSpaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
),
response: expectRbacNotSpaceAwareForbidden,
},
invalidId: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
),
response: expectRbacInvalidIdForbidden,
},
},
});
@ -227,21 +215,15 @@ export default function({ getService }: TestInvoker) {
tests: {
spaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
),
response: expectRbacSpaceAwareForbidden,
},
notSpaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
),
response: expectRbacNotSpaceAwareForbidden,
},
invalidId: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
),
response: expectRbacInvalidIdForbidden,
},
},
});
@ -251,21 +233,15 @@ export default function({ getService }: TestInvoker) {
tests: {
spaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
),
response: expectRbacSpaceAwareForbidden,
},
notSpaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
),
response: expectRbacNotSpaceAwareForbidden,
},
invalidId: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
),
response: expectRbacInvalidIdForbidden,
},
},
});
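Review bot: This suite uses `expectRbacSpaceAwareForbidden`, `expectRbacNotSpaceAwareForbidden` and `expectRbacInvalidIdForbidden`, while the other suites in this commit use the `expectSpaceAwareRbacForbidden` / `expectNotSpaceAwareRbacForbidden` word order. The destructuring and the suite factory that define these names are outside the hunks shown, so whether they are exported under exactly these names cannot be confirmed from here. If they are, aligning the word order across suites would make the RBAC-forbidden helpers easier to find and harder to mix up.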


@ -318,37 +318,27 @@ export default function({ getService }: TestInvoker) {
spaceAwareType: {
description: 'only the visualization',
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
),
response: createExpectRbacForbidden('visualization'),
},
notSpaceAwareType: {
description: 'only the globaltype',
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
),
response: createExpectRbacForbidden('globaltype'),
},
unknownType: {
description: 'empty result',
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
),
response: createExpectRbacForbidden('wigwags'),
},
pageBeyondTotal: {
description: 'empty result',
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
),
response: createExpectRbacForbidden('visualization'),
},
unknownSearchField: {
description: 'empty result',
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
),
response: createExpectRbacForbidden('wigwags'),
},
noType: {
description: 'bad request, type is required',
@ -364,37 +354,27 @@ export default function({ getService }: TestInvoker) {
spaceAwareType: {
description: 'only the visualization',
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
),
response: createExpectRbacForbidden('visualization'),
},
notSpaceAwareType: {
description: 'only the globaltype',
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
),
response: createExpectRbacForbidden('globaltype'),
},
unknownType: {
description: 'empty result',
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
),
response: createExpectRbacForbidden('wigwags'),
},
pageBeyondTotal: {
description: 'empty result',
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
),
response: createExpectRbacForbidden('visualization'),
},
unknownSearchField: {
description: 'empty result',
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
),
response: createExpectRbacForbidden('wigwags'),
},
noType: {
description: 'bad request, type is required',
@ -408,39 +388,29 @@ export default function({ getService }: TestInvoker) {
user: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
tests: {
spaceAwareType: {
description: 'forbidden login and find visualization message',
description: 'only the visualization',
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
),
response: createExpectRbacForbidden('visualization'),
},
notSpaceAwareType: {
description: 'only the globaltype',
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
),
response: createExpectRbacForbidden('globaltype'),
},
unknownType: {
description: 'forbidden login and find wigwags message',
description: 'empty result',
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
),
response: createExpectRbacForbidden('wigwags'),
},
pageBeyondTotal: {
description: 'forbidden login and find visualization message',
description: 'empty result',
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
),
response: createExpectRbacForbidden('visualization'),
},
unknownSearchField: {
description: 'forbidden login and find wigwags message',
description: 'empty result',
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
),
response: createExpectRbacForbidden('wigwags'),
},
noType: {
description: 'bad request, type is required',
@ -454,39 +424,29 @@ export default function({ getService }: TestInvoker) {
user: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
tests: {
spaceAwareType: {
description: 'forbidden login and find visualization message',
description: 'only the visualization',
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
),
response: createExpectRbacForbidden('visualization'),
},
notSpaceAwareType: {
description: 'only the globaltype',
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
),
response: createExpectRbacForbidden('globaltype'),
},
unknownType: {
description: 'forbidden login and find wigwags message',
description: 'empty result',
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
),
response: createExpectRbacForbidden('wigwags'),
},
pageBeyondTotal: {
description: 'forbidden login and find visualization message',
description: 'empty result',
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
),
response: createExpectRbacForbidden('visualization'),
},
unknownSearchField: {
description: 'forbidden login and find wigwags message',
description: 'empty result',
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
),
response: createExpectRbacForbidden('wigwags'),
},
noType: {
description: 'bad request, type is required',
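Review bot: Several cases pair a success-style description with a denial, for example `description: 'only the visualization'` and `description: 'empty result'` next to `statusCode: 403` and `createExpectRbacForbidden(...)`. In the last two hunks the descriptions that named the forbidden outcome appear to be the ones being replaced, which makes a failing authorization case harder to read in the report. Suggest descriptions that state the expected denial, such as `description: 'forbidden find visualization message'`. Each `tests` object continues past the end of its hunk.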


@ -18,6 +18,9 @@ export default function({ getService }: TestInvoker) {
createExpectLegacyForbidden,
createExpectSpaceAwareResults,
createExpectNotSpaceAwareResults,
expectSpaceAwareRbacForbidden,
expectNotSpaceAwareRbacForbidden,
expectDoesntExistRbacForbidden,
getTest,
} = getTestSuiteFactory(esArchiver, supertest);
@ -171,21 +174,15 @@ export default function({ getService }: TestInvoker) {
tests: {
spaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
),
response: expectSpaceAwareRbacForbidden,
},
notSpaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
),
response: expectNotSpaceAwareRbacForbidden,
},
doesntExist: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
),
response: expectDoesntExistRbacForbidden,
},
},
});
@ -195,21 +192,15 @@ export default function({ getService }: TestInvoker) {
tests: {
spaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
),
response: expectSpaceAwareRbacForbidden,
},
notSpaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
),
response: expectNotSpaceAwareRbacForbidden,
},
doesntExist: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
),
response: expectDoesntExistRbacForbidden,
},
},
});
@ -219,21 +210,15 @@ export default function({ getService }: TestInvoker) {
tests: {
spaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
),
response: expectSpaceAwareRbacForbidden,
},
notSpaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
),
response: expectNotSpaceAwareRbacForbidden,
},
doesntExist: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
),
response: expectDoesntExistRbacForbidden,
},
},
});
@ -243,21 +228,15 @@ export default function({ getService }: TestInvoker) {
tests: {
spaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
),
response: expectSpaceAwareRbacForbidden,
},
notSpaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
),
response: expectNotSpaceAwareRbacForbidden,
},
doesntExist: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
),
response: expectDoesntExistRbacForbidden,
},
},
});


@ -180,21 +180,15 @@ export default function({ getService }: TestInvoker) {
tests: {
spaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
),
response: expectSpaceAwareRbacForbidden,
},
notSpaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
),
response: expectNotSpaceAwareRbacForbidden,
},
doesntExist: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username
),
response: expectDoesntExistRbacForbidden,
},
},
});
@ -204,21 +198,15 @@ export default function({ getService }: TestInvoker) {
tests: {
spaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
),
response: expectSpaceAwareRbacForbidden,
},
notSpaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
),
response: expectNotSpaceAwareRbacForbidden,
},
doesntExist: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username
),
response: expectDoesntExistRbacForbidden,
},
},
});
@ -228,21 +216,15 @@ export default function({ getService }: TestInvoker) {
tests: {
spaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
),
response: expectSpaceAwareRbacForbidden,
},
notSpaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
),
response: expectNotSpaceAwareRbacForbidden,
},
doesntExist: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username
),
response: expectDoesntExistRbacForbidden,
},
},
});
@ -252,21 +234,15 @@ export default function({ getService }: TestInvoker) {
tests: {
spaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
),
response: expectSpaceAwareRbacForbidden,
},
notSpaceAware: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
),
response: expectNotSpaceAwareRbacForbidden,
},
doesntExist: {
statusCode: 403,
response: createExpectLegacyForbidden(
AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username
),
response: expectDoesntExistRbacForbidden,
},
},
});