## Summary
Adds `All`/`None` RBAC for the Elastic AI Assistant within the Security
app via Kibana feature privileges, and also via serverless PLI App
Features for the Security `complete` product (see
https://github.com/elastic/security-team/issues/7023).
Added as high-level category to enable future support of sub-features
(included sample `Create Conversation` sub-feature plumbed as example).
Note: Since [`minimumLicense:
'enterprise'`](https://github.com/elastic/kibana/pull/163031/files#diff-56de8b6234daf4e0e69efe680e5a4afc4f88d152243b773d90c3991fa9dabc19R28)
is configured on this privilege, when the license check isn't satisfied,
the privilege will be hidden (not disabled).
## Testing
Feature is available for `enterprise` licenses and when `All` privilege
is set, otherwise Assistant is hidden in Timeline, all `Chat` UI
elements are hidden, and the `cmd/ctrl + ;` shortcut is unavailable.
---
### On Prem Testing:
Create two roles, one for each `all`/`none` Security Elastic AI
Assistant privilege (via Dev Tools):
<details><summary>PUT /_security/role/assistant_all</summary>
<p>
``` ts
PUT /_security/role/assistant_all
{
  "cluster": [
    "all"
  ],
  "indices": [
    {
      "names": [
        "*"
      ],
      "privileges": [
        "all"
      ],
      "field_security": {
        "grant": [
          "*"
        ],
        "except": []
      },
      "allow_restricted_indices": false
    }
  ],
  "applications": [
    {
      "application": "kibana-.kibana",
      "privileges": [
        "feature_securitySolutionAssistant.minimal_all",
        "feature_siem.all",
        "feature_securitySolutionCases.all",
        "feature_actions.all"
      ],
      "resources": [
        "*"
      ]
    }
  ],
  "run_as": [],
  "metadata": {},
  "transient_metadata": {
    "enabled": true
  }
}
```
</p>
</details>
<details><summary>PUT /_security/role/assistant_none</summary>
<p>
``` ts
PUT /_security/role/assistant_none
{
  "cluster": [
    "all"
  ],
  "indices": [
    {
      "names": [
        "*"
      ],
      "privileges": [
        "all"
      ],
      "field_security": {
        "grant": [
          "*"
        ],
        "except": []
      },
      "allow_restricted_indices": false
    }
  ],
  "applications": [
    {
      "application": "kibana-.kibana",
      "privileges": [
        "feature_siem.all",
        "feature_securitySolutionCases.all",
        "feature_actions.all"
      ],
      "resources": [
        "*"
      ]
    }
  ],
  "run_as": [],
  "metadata": {},
  "transient_metadata": {
    "enabled": true
  }
}
```
</p>
</details>
Create a new `assistant_user` (assigned both roles above), log in and
test assistant availability, then remove one role at a time testing
each:
<details><summary>POST /_security/user/assistant_user (ALL)</summary>
<p>
``` ts
POST /_security/user/assistant_user
{
  "username": "assistant_user",
  "password": "changeme",
  "roles": [
    "assistant_all",
    "assistant_none"
  ],
  "full_name": "Assistant User",
  "email": "assistant-user@elastic.co",
  "metadata": {},
  "enabled": true
}
```
</p>
</details>
Test that assistant is available in UI via `Chat` buttons and shortcut
keys.
<details><summary>PUT /_security/user/assistant_user (NONE)</summary>
<p>
``` ts
PUT /_security/user/assistant_user
{
  "username": "assistant_user",
  "roles": [
    "assistant_none"
  ],
  "full_name": "Assistant User",
  "email": "assistant-user@elastic.co",
  "metadata": {},
  "enabled": true
}
```
</p>
</details>
Test that assistant is **NOT** available in UI via `Chat` buttons or
shortcut keys.
---
### Serverless Testing:
To test with the Assistant available, set `productTypes` to `complete`
in `config/serverless.security.yml`
```
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'security', product_tier: 'complete' },
    { product_line: 'endpoint', product_tier: 'complete' },
  ]
```
otherwise to test without the Assistant, pick a different product type like `essentials`:
```
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'security', product_tier: 'essentials' },
    { product_line: 'endpoint', product_tier: 'essentials' },
  ]
```
Then start Serverless Kibana: `yarn serverless-security`
---
### Checklist
Delete any items that are not applicable to this PR.
- [X] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
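The test plan above depends on Elasticsearch roles being additive: a user holding both `assistant_all` and `assistant_none` still gets the Assistant, because `None` is the absence of a grant, not a deny. The following is an added example, not code from this PR, that models that union over the `applications` section of the two roles. The resource names `space:default` and `space:soc`, the role `assistant_soc_space_only` and the `licenseOk` flag (standing in for the `enterprise` license check) are assumptions made for illustration.

```typescript
// Added example: role bodies are trimmed to the "applications" section of the
// two roles defined in the test plan above.
interface ApplicationGrant {
  application: string;
  privileges: string[];
  resources: string[];
}

interface RoleDef {
  name: string;
  applications: ApplicationGrant[];
}

const KIBANA_APP = 'kibana-.kibana';
const ASSISTANT_PRIVILEGE = 'feature_securitySolutionAssistant.minimal_all';
const BASE_PRIVILEGES = ['feature_siem.all', 'feature_securitySolutionCases.all', 'feature_actions.all'];

const assistantAll: RoleDef = {
  name: 'assistant_all',
  applications: [
    { application: KIBANA_APP, privileges: [ASSISTANT_PRIVILEGE].concat(BASE_PRIVILEGES), resources: ['*'] },
  ],
};

const assistantNone: RoleDef = {
  name: 'assistant_none',
  applications: [{ application: KIBANA_APP, privileges: BASE_PRIVILEGES.slice(), resources: ['*'] }],
};

// Hypothetical role (not in the PR): grants the Assistant in a single space only.
const assistantOneSpace: RoleDef = {
  name: 'assistant_soc_space_only',
  applications: [{ application: KIBANA_APP, privileges: [ASSISTANT_PRIVILEGE], resources: ['space:soc'] }],
};

// Resource patterns may contain '*', which matches any run of characters.
function resourceMatches(pattern: string, resource: string): boolean {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$').test(resource);
}

// Union of every privilege any of the roles grants on this application and
// resource. There is no deny rule, so adding a role can never remove a privilege.
function effectivePrivileges(roles: RoleDef[], application: string, resource: string): string[] {
  const granted: string[] = [];
  roles.forEach((role) => {
    role.applications.forEach((grant) => {
      if (grant.application !== application) {
        return;
      }
      const applies = grant.resources.some((pattern) => resourceMatches(pattern, resource));
      if (!applies) {
        return;
      }
      grant.privileges.forEach((privilege) => {
        if (granted.indexOf(privilege) === -1) {
          granted.push(privilege);
        }
      });
    });
  });
  return granted.sort();
}

// The Assistant is shown only when the license check passes AND the privilege
// is present in the effective set for the space being viewed.
function assistantAvailable(roles: RoleDef[], resource: string, licenseOk: boolean): boolean {
  const granted = effectivePrivileges(roles, KIBANA_APP, resource);
  return licenseOk && granted.indexOf(ASSISTANT_PRIVILEGE) !== -1;
}

// Privileges that role `a` grants on a resource and role `b` does not.
function privilegeDiff(a: RoleDef, b: RoleDef, resource: string): string[] {
  const other = effectivePrivileges([b], KIBANA_APP, resource);
  return effectivePrivileges([a], KIBANA_APP, resource).filter((p) => other.indexOf(p) === -1);
}

interface Scenario {
  roles: string;
  resource: string;
  licenseOk: boolean;
  available: boolean;
}

// The manual steps of the test plan as a table, plus the single-space case.
function testMatrix(): Scenario[] {
  const cases: Array<[RoleDef[], string, boolean]> = [
    [[assistantAll, assistantNone], 'space:default', true],
    [[assistantNone], 'space:default', true],
    [[assistantAll], 'space:default', false],
    [[assistantNone, assistantOneSpace], 'space:soc', true],
    [[assistantNone, assistantOneSpace], 'space:default', true],
  ];
  return cases.map((c) => ({
    roles: c[0].map((r) => r.name).join('+'),
    resource: c[1],
    licenseOk: c[2],
    available: assistantAvailable(c[0], c[1], c[2]),
  }));
}
```

`privilegeDiff(assistantAll, assistantNone, 'space:default')` returns only the Assistant privilege, confirming the two roles differ in nothing else that could affect the UI test.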
## Summary
Fixes https://github.com/elastic/kibana/issues/149132
This PR adds a Kibana feature for the guided onboarding plugin for
better permissions handling. By default `kibana_admin` and `editor`
roles are granted access to guided onboarding. The role `viewer` on the
other hand doesn't have enough permissions to see or use guided
onboarding. For any roles that don't have the correct permissions,
guided onboarding is completely disabled, the same as it's disabled
on-prem.
When creating a new role, the feature "Setup guides" can be enabled or
disabled.
### How to test
1. Add `xpack.cloud.id: 'testID'` to `/config/kibana.dev.yml`
1. Start ES with `yarn es snapshot` and Kibana with `yarn start`
2. Login as elastic and create a test user with the role `viewer`
3. Clear everything from your browser's local storage
4. Login as the test user and check the following
- On the first visit, the "on-prem" welcome message is shown (not the
guided onboarding landing page)
- The url `/app/home#/getting_started` is unknown and redirects back to
the home page
- There is no button "Setup guides" in the header
- There is no link "Setup guides" in the help menu
### Checklist
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
From 8.8 `responseActionExecuteEnabled` is set to `true` by default
## Summary
Enables the `responseActionExecuteEnabled` feature flag by default for
`execute` response action.
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
## Summary
Resolves: https://github.com/elastic/kibana/issues/152270
Specs:
https://docs.google.com/document/u/1/d/1-QblF6P19W9o5-10Us3bfgN80GRfjSIhybHrvJS_ObA/edit
This PR implements the following:
- New maintenance window SO
- New maintenance window client in the alerting plugin (generates and
queries maintenance window events, and other CRUD functionality around
the SO)
- New maintenance window REST APIs
- Kibana privileges for reading/writing maintenance window
This PR does not include integration with task runner, a new PR will be
created to do that work.
## APIs:
```
Find all maintenance windows in current space
GET `${INTERNAL_BASE_ALERTING_API_PATH}/rules/maintenance_window/_find`
body: {}
```
```
Create maintenance window:
POST `${INTERNAL_BASE_ALERTING_API_PATH}/rules/maintenance_window`
body: {
  title: string,
  duration: number,
  r_rule: RRule
}
```
```
Update maintenance window by ID:
POST `${INTERNAL_BASE_ALERTING_API_PATH}/rules/maintenance_window/{id}`,
body: {
  title?: string,
  duration?: number,
  enabled?: boolean,
  r_rule?: RRule,
}
```
```
Get maintenance window by ID:
GET `${INTERNAL_BASE_ALERTING_API_PATH}/rules/maintenance_window/{id}`,
```
```
Delete maintenance window by ID:
DELETE `${INTERNAL_BASE_ALERTING_API_PATH}/rules/maintenance_window/{id}`,
```
```
Archive maintenance window by ID:
POST `${INTERNAL_BASE_ALERTING_API_PATH}/rules/maintenance_window/{id}/_archive`,
body: {
  archive: boolean
}
```
```
Finish maintenance window by ID:
POST `${INTERNAL_BASE_ALERTING_API_PATH}/rules/maintenance_window/{id}/_finish`,
```
## Maintenance window response schema:
```
{
  id: string;
  title: string;
  enabled: boolean;
  duration: number;
  expirationDate: string;
  events: DateRange[];
  rRule: RRuleParams;
  status: 'running' | 'upcoming' | 'finished' | 'archived';
  startDate: string | null;
  endDate: string | null;
  createdBy: string | null;
  updatedBy: string | null;
  createdAt: string;
  updatedAt: string;
}
```
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Sets the Get File feature flag to true by default in preparation for the
release of the feature.
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
---------
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Enable the RBAC feature flag for Endpoint management RBAC by default.
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Introduce a default file kind for images in Kibana. This file kind will
be the download/upload target usable for all images across Kibana.
Consider the following:
A Kibana user wants to add a branding logo to their dashboard. They need
to create a new image or select from a set of existing images (i.e.,
images already uploaded). This set of images is the "default image" set.
The idea will be this set of images can be accessed across dashboards and
solutions. For example, the same user can access the branding image they
uploaded in Cases.
## How it works
* We added a new default file kind specifically for images, this is
registered from the files plugin
* In order to access these files over HTTP users will need the
`files:defaultImage` privilege
* This is a distinct privilege from the file management privilege and
allows users to access HTTP endpoints controlled by
`access:files:defaultImage` as well as the underlying `file` saved
object
* Consider a dashboard user that wants to add an image embeddable: they
will need access to `file` saved object as well as the endpoints for
creating/reading/deleting the default file kind. In order to get this
their role must grant the new "Shared images" privilege.
## Summary
Files management UI that rounds out the files MVP. This UI is
intended to be progressively enhanced and provides a way for system
administrators to get some insight and manage the files created and stored
in Kibana.
## To reviewers
* This is UI for retrieval and deletion of files (the R+D of CRUD)
* Creating and deleting tags to be supported in a future version
* This UI is intended to form part of the broader content management
experience
* We use the `TableListView` component as far as possible
## How to test
1. Start Kibana with `yarn start --run-examples`
2. Go to the "Developer Examples" from the left nav menu
3. Go to the "Files example" plugin
4. Click the "Upload file" button, upload a few different image types
(PNG, JPG and WEBP)
5. Go to "Stack management" > "Files"
6. Behold your files in the management UI
7. (Bonus) check that the UI and API `GET /api/files/find`, `GET
/api/files/metrics` and `DELETE /api/files/blobs` are not accessible to
non-admin or appropriately privileged users (i.e., those with "Files
management" access).
## List of functionality
- [x] List all saved objects (scoped to admin)
- [x] Is able to bulk-delete files
- [x] Shows basic storage diagnostics
- [x] Is able to search and filter files
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
- Remove `file_operations_all` from list of sub-feature of SIEM
(security solution). This sub-feature [was recently placed behind an
experimental feature
flag](https://github.com/elastic/kibana/pull/145042), which is disabled
by default for 8.6.
- Un-skips tests
Fixes: #145134
Fixes: #145135
Fixes: #145136
## Summary
- Updates the `get-file` action response `outputs` to match latest from
endpoint
- Fix server size `doesFileHanveChunks()` and remove the `.keyword` from
the search field term (index mapping will be setup correctly for these
indexes)
- Updates the names of the File storage indexes
- Sets the `endpointRbacV1Enabled` FF to `true` (enables feature by
default)
- Uses Fleet exposed function utilities to retrieve the indexes for
File's metadata and data chunks
The following Fleet changes were also done
- Created common methods in fleet for retrieving the file metadata and
data indexes using an integration name (should protect us against index
names going forward and avoid having integrations in kibana keep
hard-coded values)
- Removed the .keyword from a few places in the file server service
(still need to test)
- Adjusted both the Fleet and the Security Solution code to use the new
methods for getting the integration specific index names (cc/
@juliaElastic )
* Augments /api/security/privileges with optional respectLicenseLevel parameter for use by the edit_role_page.
Implements fix for 125289 - Show sub-feature privileges when using the Basic license
* Changed EuiTooltip to EuiIconTip.
* Updated unit tests for feature table expanded row to include new property checks.
* Renamed property to improve readability and reduce confusion. Fixed state of switch checked in sub-feature customization.
* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'
* Fixed privilege get API default for 'respectLicenseLevel'. Updated privilege unit tests.
* [CI] Auto-commit changed files from 'node scripts/precommit_hook.js --ref HEAD~1..HEAD --fix'
* Updated test description to match property name.
* Updated privilege API integration tests to include new 'respectLicenseLevel' optional parameter.
* Replaced empty fragment with undefined.
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Thom Heymann <190132+thomheymann@users.noreply.github.com>
* Starting conversion to permissions from userCanCrud
* Migrating userCanCrud to context
* Fixing tests
* Fix type error
* Removing missed userCanCrud
* Fixing tests and addressing permissions.all feedback
* Fixing test
* Adding deletion sub feature priv
* Fixing type errors
* Fixing tests and adding more granular permissions
* Trying to get plugin tests to work
* Removing unnecessary tests
* First pass at fixing tests
* Moving createUICapabilities to a normal function
* Adding more tests for permissions
* Fixing tests
* Fixing and adding more tests
* Addressing feedback and fixing tests
* Reverting permissions.all changes except delete
* Revert "Reverting permissions.all changes except delete"
This reverts commit 609c150b7d.
* Fixing test
* Adjusting permissions for add to new or existing case
* Switching a few all permissions to create and read
* check permissions inside of actions menu
* Addressing initial feedback
* Adding functional tests for deletion
* Changing deletion text
* Addressing feedback and fixing tests
* Fixing deeplinks to allow create when no delete
* Addressing feedback
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* [Fleet] Split Fleet and Integration privileges
* Update UI when Fleet has All privileges and Integrations have None
* Replace remaining superuser checks
* Updates to server/plugin
* Update getAuthzFromRequest
* Update start method in the client side
* Fix tests
* Fix functional tests
* Make changes to the UI based on new privilege system
* Further UI changes
* Make capabilities accessible to unit tests in createStartServices
* Fix failing tests
* Fix ts checks
* Address most review comments
* Introduce hook exposing authz and make UI checks more granular; address rest of comments
* Remove capabilities hook
* Get rid of useCapabilites
* Address review comments
* Other fixes
* Fix tutorial app privileges
* Address code review comments and update privileges naming
* Fix i18n failing check
* Block fleet server setup UI when user does not have manage_service_account privilege
* Minor changes
* Use unique i18n id
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Josh Dover <doverfake@elastic.co>
* add the new top cases feature in security
* fix api integration and cypress
* fix api integration
* fix cypress roles test
* missing api integration
* review Joe
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Remove timelion app and stuff which related to it
* Fix CI
* Fix lint
* Fix tests
* Fix tests
* Fix tests
* Fix some comments
* Clean up
* fix CI
* fix some comments
* Fix deprecation examples
* Return `enabled` property in config for timelion vis
* Remove unused angular lib
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Alexey Antonov <alexwizp@gmail.com>
* remove custom kibana server settings for reporting in default x-pack test config
* have tests use the deprecated built-in role granting reporting access
* restore test user default privilege for canvas
* fix app privileges in tests
* fix test_user not able to access canvas in the dashboard test
* simplify some tests setup
* update csv export timerange and snapshot
* update fn tests for app privileges
* fix feature controls test
* Update discover_security.ts
* fix reporting tests
* test using defaults in the security privilege test
* fix read-only privileges with url_create Permalinks
* fix security api anonymous
* fix anonymous capabilities tests
* fix discover csv export tests
* Update screenshots.ts
* update discover csv fn tests
* update snapshots
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* wip to remove rbac
* Revert "[Cases] Include rule registry client for updating alert statuses (#108588)"
This reverts commit 1fd7038b34.
This leaves the rule registry mock changes
* remove rbac on Trend/Count alert
* update detection api for status
* remove @kbn-alerts packages
* fix leftover
* Switching cases to leverage update by query for alert status
* Adding missed files
* fix bad logic
* updating tests for use_alerts_privileges
* remove index alias/fields
* fix types
* fix plugin to get the right index names
* left over of alias on template
* forget to use current user for create/read route index
* updated alerts page to not show table when no privileges and updates to tests
* fix bug when switching between o11y and security solution
* updates tests and move to use privileges page when user tries to access alerts without proper access
* updating jest tests
* pairing with yara
* bring back kbn-alerts after discussion with the team
* fix types
* fix index field for o11y
* fix bug with updating index priv state
* fix i18n issue and update api docs
* fix refresh on alerts
* fix render view on alerts
* updating tests and checking for null in alerts page to not show no privileges page before load
* fix details rules
Co-authored-by: Jonathan Buttner <jonathan.buttner@elastic.co>
Co-authored-by: Yara Tercero <yara.tercero@elastic.co>
An MVP of the RBAC work required for the "alerts as data" effort. An example of the existing implementation for alerts would be that of the security solution. The security solution stores its alerts generated from rules in a single data index - .siem-signals. In order to gain or restrict access to alerts, users do so by following the Elasticsearch privilege architecture. A user would need to go into the Kibana role access UI and give explicit read/write/manage permissions for the index itself.
Kibana as a whole is moving away from this model and instead having all user interactions run through the Kibana privilege model. When solutions use saved objects, this authentication layer is abstracted away for them. Because we have chosen to use data indices for alerts, we cannot rely on this abstracted out layer that saved objects provide - we need to provide our own RBAC! Instead of giving users explicit permission to an alerts index, users are instead given access to features. They don't need to know anything about indices, that work we do under the covers now.
Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com>
Co-authored-by: Yara Tercero <yara.tercero@elastic.co>
* Adding feature flag for auth
* Hiding SOs and adding consumer field
* First pass at adding security changes
* Consumer as the app's plugin ID
* Create addConsumerToSO migration helper
* Fix mapping's SO consumer
* Add test for CasesActions
* Declare hidden types on SO client
* Restructure integration tests
* Init spaces_only integration tests
* Implementing the cases security string
* Adding security plugin tests for cases
* Rough concept for authorization class
* Adding comments
* Fix merge
* Get requiredPrivileges for classes
* Check privileges
* Ensure that all classes are available
* Success if hasAllRequested is true
* Failure if hasAllRequested is false
* Adding schema updates for feature plugin
* Separate basic from trial
* Enable SIR on integration tests
* Starting the plumbing for authorization in plugin
* Unit tests working
* Move find route logic to case client
* Create integration test helper functions
* Adding auth to create call
* Create getClassFilter helper
* Add class attribute to find request
* Create getFindAuthorizationFilter
* Ensure savedObject is authorized in find method
* Include fields for authorization
* Combine authorization filter with cases & subcases filter
* Fix isAuthorized flag
* Fix merge issue
* Create/delete spaces & users before and after tests
* Add more user and roles
* [Cases] Convert filters from strings to KueryNode (#95288)
* [Cases] RBAC: Rename class to scope (#95535)
* [Cases][RBAC] Rename scope to owner (#96035)
* [Cases] RBAC: Create & Find integration tests (#95511)
* [Cases] Cases client enchantment (#95923)
* [Cases] Authorization and Client Audit Logger (#95477)
* Starting audit logger
* Finishing auth audit logger
* Fixing tests and types
* Adding audit event creator
* Renaming class to scope
* Adding audit logger messages to create and find
* Adding comments and fixing import issue
* Fixing type errors
* Fixing tests and adding username to message
* Addressing PR feedback
* Removing unnecessary log and generating id
* Fixing module issue and remove expect.anything
* [Cases] Migrate sub cases routes to a client (#96461)
* Adding sub cases client
* Move sub case routes to case client
* Throw when attempting to access the sub cases client
* Fixing throw and removing user and soclients
* [Cases] RBAC: Migrate routes' unit tests to integration tests (#96374)
Co-authored-by: Jonathan Buttner <jonathan.buttner@elastic.co>
* [Cases] Move remaining HTTP functionality to client (#96507)
* Moving deletes and find for attachments
* Moving rest of comment apis
* Migrating configuration routes to client
* Finished moving routes, starting utils refactor
* Refactoring utilities and fixing integration tests
* Addressing PR feedback
* Fixing mocks and types
* Fixing integration tests
* Renaming status_stats
* Fixing test type errors
* Adding plugins to kibana.json
* Adding cases to required plugin
* [Cases] Refactoring authorization (#97483)
* Refactoring authorization
* Wrapping auth calls in helper for try catch
* Reverting name change
* Hardcoding the saved object types
* Switching ensure to owner array
* [Cases] Add authorization to configuration & cases routes (#97228)
* [Cases] Attachments RBAC (#97756)
* Starting rbac for comments
* Adding authorization to rest of comment apis
* Starting the comment rbac tests
* Fixing some of the rbac tests
* Adding some integration tests
* Starting patch tests
* Working tests for comments
* Working tests
* Fixing some tests
* Fixing type issues from pulling in master
* Fixing connector tests that only work in trial license
* Attempting to fix cypress
* Mock return of array for configure
* Fixing cypress test
* Cleaning up
* Addressing PR comments
* Reducing operations
* [Cases] Add RBAC to remaining Cases APIs (#98762)
* Starting rbac for comments
* Adding authorization to rest of comment apis
* Starting the comment rbac tests
* Fixing some of the rbac tests
* Adding some integration tests
* Starting patch tests
* Working tests for comments
* Working tests
* Fixing some tests
* Fixing type issues from pulling in master
* Fixing connector tests that only work in trial license
* Attempting to fix cypress
* Mock return of array for configure
* Fixing cypress test
* Cleaning up
* Working case update tests
* Addressing PR comments
* Reducing operations
* Working rbac push case tests
* Starting stats apis
* Working status tests
* User action tests and fixing migration errors
* Fixing type errors
* including error in message
* Addressing pr feedback
* Fixing some type errors
* [Cases] Add space only tests (#99409)
* Starting spaces tests
* Finishing space only tests
* Refactoring createCaseWithConnector
* Fixing spelling
* Addressing PR feedback and creating alert tests
* Fixing mocks
* [Cases] Add security only tests (#99679)
* Starting spaces tests
* Finishing space only tests
* Refactoring createCaseWithConnector
* Fixing spelling
* Addressing PR feedback and creating alert tests
* Fixing mocks
* Starting security only tests
* Adding remainder security only tests
* Using helper objects
* Fixing type error for null space
* Renaming utility variables
* Refactoring users and roles for security only tests
* Adding sub feature
* [Cases] Cleaning up the services and TODOs (#99723)
* Cleaning up the service initialization
* Fixing type errors
* Adding comments for the api
* Working test for cases client
* Fix type error
* Adding generated docs
* Adding more docs and cleaning up types
* Cleaning up readme
* More clean up and links
* Changing some file names
* Renaming docs
* Integration tests for cases privs and fixes (#100038)
* [Cases] RBAC on UI (#99478)
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Fixing case ids by alert id route call
* [Cases] Fixing UI feature permissions and adding UI tests (#100074)
* Integration tests for cases privs and fixes
* Fixing ui cases permissions and adding tests
* Adding test for collection failure and fixing jest
* Renaming variables
* Fixing type error
* Adding some comments
* Validate cases features
* Fix new schema
* Adding owner param for the status stats
* Fix get case status tests
* Adjusting permissions text and fixing status
* Address PR feedback
* Adding top level feature back
* Fixing feature privileges
* Renaming
* Removing unneeded else
* Fixing tests and adding cases merge tests
* [Cases][Security Solution] Basic license security solution API tests (#100925)
* Cleaning up the fixture plugins
* Adding basic feature test
* renaming to unsecuredSavedObjectsClient (#101215)
* [Cases] RBAC Refactoring audit logging (#100952)
* Refactoring audit logging
* Adding unit tests for authorization classes
* Addressing feedback and adding util tests
* return undefined on empty array
* fixing eslint
* [Cases] Cleaning up RBAC integration tests (#101324)
* Adding tests for space permissions
* Adding tests for testing a disable feature
Co-authored-by: Christos Nasikas <christos.nasikas@elastic.co>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* fix(NA): windows ts_project outside sandbox compilation adding tsconfig paths for packages
* chore(NA): missing @kbn paths for node_modules so types can work
* chore(NA): missing @kbn paths for node_modules so types can work
* chore(NA): organizing deps on non ts_project packages
* chore(NA): change order to find @kbn packages on node_modules first
* chore(NA): add @kbn/expect typings setting on package.json
* chore(NA): fix typechecking
* chore(NA): add missing change on tsconfig file
* chore(NA): unblock windows build by not depending on the pkg_npm rule symlink in the package.json
* chore(NA): add missing dependencies on BUILD.bazel file for io-ts-list-types
* chore(NA): remove rootDirs configs
* chore(NA): change kbn/monaco targets order
* chore(NA): update kbn-monaco build
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Use filter to bulk find
* Update x-pack/plugins/data_enhanced/server/search/session/session_service.ts
Co-authored-by: Lukas Olson <olson.lukas@gmail.com>
* Dashboard in space test
* Add warning on update failure
* fix merge
* Added functional test for sessions in space
* snapshot
* test cleanup
* sub perms
* test snapshots
* Update tests
* test
* code review
* snap
* Added discover test
* Update x-pack/plugins/data_enhanced/public/search/ui/connected_background_session_indicator/connected_background_session_indicator.tsx
Co-authored-by: Anton Dosov <dosantappdev@gmail.com>
Co-authored-by: Lukas Olson <olson.lukas@gmail.com>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Anton Dosov <dosantappdev@gmail.com>
* create xpack plugin skeleton, start to implement management section
* add tag creation modal
* first implementation of the tags table
* use InMemoryTable
* add edit modal and delete action
* update plugin list
* add tag list, fix types
* add capabilities check on client-side
* add tag combo box component
* add missing i18n keys
* fix privilege FTR tests
* add base structure for FTR tests
* fix feature ftr test
* use string literals for i18n
* create savedObjectsTaggingOss plugin, move API types to oss plugin, start to wire to SO management page.
* update plugin list
* fix types
* allow to use `_find` with multiple references
* add FTR test for _find API on references fields
* add _find integration tests
* update generated doc
* start to implement tag filtering on SO management section
* update generated docs
* wire tagging API to dashboard listing page
* fix i18n namespace
* fix type & tests
* update dashboard listing snapshots
* adapt FTR listingTable service to search for parsable queries
* wire tagging API to visualize listing
* update tagging plugin limits
* add server-side and client-side validation for tag create/edit
* rename title field to name
* fix types
* fix types bis
* add removeReferencesTo API to SOR/SOC
* update generated doc
* add server-side unit test for `savedObjectsTagging` plugin
* move tagging API types to its own file
* add savedObjectsTaggingOss mock
* add tags_cache tests
* add tests for client-side tag client
* extract uiApi to distinct files
* various API improvements
* add more tests
* add link between tag and so management sections + add connection counts
* add base functional test suite for tagging
* add more FTR tests
* improve feature control func test
* update codeowners
* update generated doc
* fix access to proxy modal
* adapt SO save modal to allow to add tag field
* add SO decorator registry and tag implementation
* add unit tests for SO tag decorator
* add functional tests for visualize integration
* add tag SO read permission for vis/dash feature
* add RBAC api integ tests
* add API integration tests
* add test for getTagConnectionsUrl
* add SOM test suite
* add dashboard integration suite
* remove test line
* add missing unit tests
* improve API types doc
* fix create modal save button label
* remove console.log
* improve doc
* self review
* add refresh interval for tag cache
* improve page object doc
* minor cleanup
* address review comments
* small layout fixes
* add initial focus
* use lazy accessor for tag request handler context
* adapt SOM export and export route to handle references
* remove icon from feature config due to master changes
* fix SO table tests
* update generated docs
* sort tags by name in filter dropdown and listing component
* wire SO tagging to dashboard save modal
* fix types
* - add 'create tag' action in tag selector
- add notifications on update/create/delete from management
- delete modal wording
* add description max length validation
* remove real-time validation
* fix i18n bundle id
* update expected size of savedObjectsTagging plugin
* use own useIfMounted
* update limit again, contract components cannot be lazy loaded atm.
* math is hard
* remove single usage of lodash for bundle size
* add async imports for create/edit modal
* add FTR test for 'create tag' action from tag selector
* allow 'create new' option to prepopulate name field
* extract savedObjectToTag
* add advancedSettings read user for security api_integ suite
* add audit login for security client wrapper
* use import type when possible
* wire SO tagging to lens visualization
* fix lens jest test
* Fix `create tag` option being selected when closing the selector dropdown
* add sorting to tag column from getTableColumnDef
* address some of restrry comments
* rename tag selector's setSelected option to onTagsSelected
* fix audit logging event type for saved_object_remove_references
* update plugin size limit to current size
* adapt maxlength validation wording
* remove selection column until we have batch action menu
* remove connections link when user lack read privilege to savedObjectManagement
* forbid registering multiple SO decorators with the same priority
* add so decorator test
* extract getTagFindReferences and create API mock
* update audit-logging asciidoc
* doc nit
* throw conflict error if update returns any failure
* use refresh=true as default
* wording nits
* export: rename `references` to `hasReference`
* update generated doc
* set description max length to 100
* do not initialize tag cache on anonymous pages
* split fetchObjectsToExport into two distinct functions
* change tag client `delete` call order
* tsdoc nits
* more nits
* add README for oss plugin
* add oss plugin start tests
* SavedObject.find: rename `references` to `hasReference`
* change section description label
* remove url prefix constants
* last nits and comments
* update generated doc
Renames "Built-In Alerts" feature to "Stack Alerts" and "Actions" feature to "Actions and Connectors" as we've decided these names are more appropriate and better communicate what these features are.
This PR adds _Role Based Access-Control_ to the Alerting framework & Actions feature using Kibana Feature Controls, addressing most of the Meta issue: https://github.com/elastic/kibana/issues/43994
This also closes https://github.com/elastic/kibana/issues/62438
This PR includes the following:
1. Adds `alerting` specific Security Actions (not to be confused with Alerting Actions) to the `security` plugin which allows us to assign alerting specific privileges to users of other plugins using the `features` plugin.
2. Removes the security wrapper from the savedObjectsClient in AlertsClient and instead plugs in the new AlertsAuthorization which performs the privilege checks on each api call made to the AlertsClient.
3. Adds privileges in each plugin that is already using the Alerting Framework which mirror (as closely as possible) the existing api-level tag-based privileges and plugs them into the AlertsClient.
4. Adds feature granted privileges around Actions (by relying on Saved Object privileges under the hood) and plugs them into the ActionsClient
5. Removes the legacy api-level tag-based privilege system from both the Alerts and Action HTTP APIs
* chore(NA): upgrade oss to lodash4
chore(NA): migrate cli, cli_plugin, cli_keystore, dev, test_utils and apm src script to lodash4
chore(NA): missing file for cli plugin
chore(NA): add src core
chore(NA): es archiver and fixtures
chore(NA): try to fix functional test failure
chore(NA): migrate src/legacy entirely to lodash4 except src/legacy/core_plugins
chore(NA): move legacy core plugins to lodash4
chore(NA): upgrade optimize to lodash4
chore(NA): upgrade to lodash4 on advanced_settings, charts, console and dashboard
chore(NA): migrate to lodash4 on dev_tools, discover, embeddable, es_ui_shared, expressions, home plugins
chore(NA): upgrade data plugin to lodash4
chore(NA): upgrade usage_collection, ui_actions, tile_map, telemetry, share, saved_objects, saved_objects_management, region_map and navigation to lodash4
chore(NA): missing data upgrades to lodash4
Revert "chore(NA): upgrade usage_collection, ui_actions, tile_map, telemetry, share, saved_objects, saved_objects_management, region_map and navigation to lodash4"
This reverts commit 137055c5fed2fc52bb26547e0bc1ad2e3d4fe309.
Revert "Revert "chore(NA): upgrade usage_collection, ui_actions, tile_map, telemetry, share, saved_objects, saved_objects_management, region_map and navigation to lodash4""
This reverts commit f7e73688782998513d9fb6d7e8f0765e9beb28d1.
Revert "chore(NA): missing data upgrades to lodash4"
This reverts commit 92b85bf947a89bfc70cc4052738a6b2128ffb076.
Revert "chore(NA): upgrade data plugin to lodash4"
This reverts commit 88fdb075ee1e26c4ac979b6681d8a2b002df74c6.
chore(NA): upgrade idx_pattern_mgt, input_control_vis, inspector, kbn_legacy, kbn_react, kbn_usage_collections, kbn_utils, management and maps_legacy to lodash4
chore(NA): map src plugin data to lodash3
chore(NA): missing lodash.clonedeep dep
chore(NA): change packages kbn-config-schema deps
chore(NA): update renovate config
chore(NA): upgrade vis_type plugins to lodash4
chore(NA): move vis_type_vislib to lodash3
chore(NA): update visualizations and visualize to lodash4
chore(NA): remove lodash 3 types from src and move test to lodash4
chore(NA): move home, usage_collection and management to lodash 3
Revert "chore(NA): move home, usage_collection and management to lodash 3"
This reverts commit f86e8585f02d21550746569af54215b076a79a3d.
chore(NA): move kibana_legacy, saved_objects saved_objects_management into lodash3
chore(NA): update x-pack test to mock lodash4
Revert "chore(NA): move kibana_legacy, saved_objects saved_objects_management into lodash3"
This reverts commit 2d10fe450533e1b36db21d99cfae3ce996a244e0.
* chore(NA): move x-pack and packages to lodash 4
* chore(NA): remove mention to lodash from main package.json
* chore(NA): remove helper alias for lodash4 and make it the default lodash
* chore(NA): fix last failing types in the repo
* chore(NA): fix public api
* chore(NA): fix types for agg_row.tsx
* chore(NA): fix increment of optimizer modules in the rollup plugin
* chore(NA): migrate `src/core/public/http/fetch.ts` (#5)
* omit undefined query props
* just remove merge usage
* fix types
* chore(NA): fixes for feedback from apm team
* chore(NA): recover old behaviour on apm LoadingIndeicatorContext.tsx
* chore(NA): fixes for feedback from watson
* Platform lodash4 tweaks (#6)
* chore(NA): fix types and behaviour on src/core/server/elasticsearch/errors.ts
* Canvas fixes for lodash upgrade
* [APM] Adds unit test for APM service maps transform (#7)
* Adds a snapshot unit test for getConnections and rearranges some code to make testing easier
* reverts `ArrayList` back to `String[]` in the painless script within `fetch_service_paths_from_trace_ids.ts`
* chore(NA): update yarn.lock
* chore(NA): remove any and use a real type for alerts task runner
Co-authored-by: Gidi Meir Morris <github@gidi.io>
* chore(NA): used named import for triggers_actions_ui file
* chore(NA): fix eslint
* chore(NA): fix types
* Delete most uptime lodash references.
* Simplify. Clean up types.
* [Uptime] Delete most uptime lodash references (#8)
* Delete most uptime lodash references.
* Simplify. Clean up types.
* chore(NA): add eslint rule to avoid using lodash3
* chore(NA): apply changes on feedback from es-ui team
* fix some types (#9)
* Clean up some expressions types.
* chore(NA): missing ts-expect-error statements
* Upgrade lodash 4 vislib (#11)
* replace lodash 3 with lodash 4 on vislib plugin
* Further changes
* further replacement of lodash3 to 4
* further work on upgrading to lodash 4
* final changes to update lodash
* chore(NA): upgrade data plugin to lodash4
chore(NA): upgrade data plugin public to lodash4
chore(NA): fix typecheck task
chore(NA): fix agg_config with hasIn
chore(NA): assign to assignIn and has to hasIn
chore(NA): upgrade data plugin server to lodash4
chore(NA): new signature for core api
fix(NA): match behaviour between lodash3 and lodash4 for set in search_source
* chore(NA): remove lodash3 completely from the repo
* chore(NA): fix x-pack/test/api_integration/apis/metrics_ui/snapshot.ts missing content
* chore(NA): fix lodash usage on apm
* chore(NA): fix typecheck for maps
* Patch lodash template (#12)
* Applying changes from https://github.com/elastic/kibana/pull/64985
* Using isIterateeCall, because it seems less brittle
* Also patching `lodash/template` and `lodash/fp/template`
* Reorganizing some files...
* Revising comment
* Ends up `_` is a function also... I hate JavaScript
Co-authored-by: Pierre Gayvallet <pierre.gayvallet@gmail.com>
Co-authored-by: Josh Dover <me@joshdover.com>
Co-authored-by: Clint Andrew Hall <clint.hall@elastic.co>
Co-authored-by: Oliver Gupte <ogupte@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Gidi Meir Morris <github@gidi.io>
Co-authored-by: Justin Kambic <justin.kambic@elastic.co>
Co-authored-by: Stratoula Kalafateli <stratoula1@gmail.com>
Co-authored-by: Luke Elmers <luke.elmers@elastic.co>
Co-authored-by: Brandon Kobel <brandon.kobel@gmail.com>
Co-authored-by: kobelb <brandon.kobel@elastic.co>