mirror of
https://github.com/elastic/kibana.git
synced 2025-06-29 03:24:45 -04:00
fccbd5c331
## Summary
closes; https://github.com/elastic/kibana/issues/173138
Looking into this, it turns out this issue was happening because the
header value for `content-disposition` contained invalid characters
given we were using the filename as is.
See Screenshot resulting from debugging the request;
<img width="846" alt="Screenshot 2024-02-13 at 13 38 53"
src="c1fbc09c-53c3-4d5b-8ba9-8752a56a9a6b">
To fix this, I've opted to leverage the ~package
[content-disposition](https://github.com/jshttp/content-disposition), in
place of some custom approach to fix this~ `res.file` handler which
correctly handles computation for content-disposition in place of
`res.ok` ~and providing our own computation of the value for
content-disposition~.
## Verifying the fix:
- Navigate to cases, (found in the the nav menu for stack management)
- create a new case, if there isn't one you can readily use
- click the files tab and grab an image you'd like to upload, before you
do rename said image to `Screenshot 2023-12-11 at 1 29 07 PM` keeping
it's extension
- on image upload complete, you should be able to view the preview for
the just uploaded image.
<!--
### Checklist
Delete any items that are not applicable to this PR.
- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] Any UI touched in this PR is usable by keyboard only (learn more
about [keyboard accessibility](https://webaim.org/techniques/keyboard/))
- [ ] Any UI touched in this PR does not create any new axe failures
(run axe in browser:
[FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/),
[Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This renders correctly on smaller devices using a responsive
layout. (You can test this [in your
browser](https://www.browserstack.com/guide/responsive-testing-on-local-server))
- [ ] This was checked for [cross-browser
compatibility](https://www.elastic.co/support/matrix#matrix_browsers)
### Risk Matrix
Delete this section if it is not applicable to this PR.
Before closing this PR, invite QA, stakeholders, and other developers to
identify risks that should be tested prior to the change/feature
release.
When forming the risk matrix, consider some of the following examples
and how they may potentially impact the change:
| Risk | Probability | Severity | Mitigation/Notes |
|---------------------------|-------------|----------|-------------------------|
| Multiple Spaces—unexpected behavior in non-default Kibana Space.
| Low | High | Integration tests will verify that all features are still
supported in non-default Kibana Space and when user switches between
spaces. |
| Multiple nodes—Elasticsearch polling might have race conditions
when multiple Kibana nodes are polling for the same tasks. | High | Low
| Tasks are idempotent, so executing them multiple times will not result
in logical error, but will degrade performance. To test for this case we
add plenty of unit tests around this logic and document manual testing
procedure. |
| Code should gracefully handle cases when feature X or plugin Y are
disabled. | Medium | High | Unit tests will verify that any feature flag
or plugin combination still results in our service operational. |
| [See more potential risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx) |
### For maintainers
- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
-->
346 lines
11 KiB
TypeScript
346 lines
11 KiB
TypeScript
/*
|
|
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
|
* or more contributor license agreements. Licensed under the Elastic License
|
|
* 2.0; you may not use this file except in compliance with the Elastic License
|
|
* 2.0.
|
|
*/
|
|
|
|
import expect from '@kbn/expect';
|
|
|
|
import { BaseFilesClient } from '@kbn/shared-ux-file-types';
|
|
import { User } from '../../../cases_api_integration/common/lib/authentication/types';
|
|
import {
|
|
createFile,
|
|
uploadFile,
|
|
downloadFile,
|
|
createAndUploadFile,
|
|
listFiles,
|
|
getFileById,
|
|
deleteAllFilesForKind,
|
|
deleteFileForFileKind,
|
|
} from '../../../cases_api_integration/common/lib/api';
|
|
import { FtrProviderContext } from '../../ftr_provider_context';
|
|
import {
|
|
casesAllUser,
|
|
casesReadUser,
|
|
obsCasesAllUser,
|
|
obsCasesReadUser,
|
|
secAllUser,
|
|
secReadCasesReadUser,
|
|
} from './common/users';
|
|
import {
|
|
CASES_FILE_KIND,
|
|
OBSERVABILITY_FILE_KIND,
|
|
SECURITY_SOLUTION_FILE_KIND,
|
|
} from '../../../cases_api_integration/common/lib/constants';
|
|
|
|
interface TestScenario {
|
|
user: User;
|
|
fileKind: string;
|
|
}
|
|
|
|
export default ({ getService }: FtrProviderContext): void => {
|
|
const supertestWithoutAuth = getService('supertestWithoutAuth');
|
|
const supertest = getService('supertest');
|
|
|
|
describe('files', () => {
|
|
describe('failure requests', () => {
|
|
const createFileFailure = async (scenario: TestScenario) => {
|
|
await createFile({
|
|
supertest: supertestWithoutAuth,
|
|
auth: { user: scenario.user, space: null },
|
|
params: {
|
|
kind: scenario.fileKind,
|
|
name: 'testFile',
|
|
mimeType: 'image/png',
|
|
},
|
|
expectedHttpCode: 403,
|
|
});
|
|
};
|
|
|
|
const deleteFileFailure = async (scenario: TestScenario) => {
|
|
await deleteFileForFileKind({
|
|
supertest: supertestWithoutAuth,
|
|
auth: { user: scenario.user, space: null },
|
|
fileKind: scenario.fileKind,
|
|
id: 'abc',
|
|
expectedHttpCode: 404,
|
|
});
|
|
};
|
|
|
|
const uploadFileFailure = async (scenario: TestScenario) => {
|
|
await uploadFile({
|
|
supertest: supertestWithoutAuth,
|
|
auth: { user: scenario.user, space: null },
|
|
data: 'abc',
|
|
kind: scenario.fileKind,
|
|
mimeType: 'image/png',
|
|
fileId: '123',
|
|
expectedHttpCode: 403,
|
|
});
|
|
};
|
|
|
|
const listFilesFailure = async (scenario: TestScenario) => {
|
|
await listFiles({
|
|
supertest: supertestWithoutAuth,
|
|
auth: { user: scenario.user, space: null },
|
|
params: {
|
|
kind: scenario.fileKind,
|
|
},
|
|
expectedHttpCode: 403,
|
|
});
|
|
};
|
|
|
|
const downloadFileFailure = async (scenario: TestScenario) => {
|
|
await downloadFile({
|
|
supertest: supertestWithoutAuth,
|
|
auth: { user: scenario.user, space: null },
|
|
fileId: 'abc',
|
|
fileName: '123',
|
|
mimeType: 'image/png',
|
|
kind: scenario.fileKind,
|
|
expectedHttpCode: 401,
|
|
});
|
|
};
|
|
|
|
const getFileByIdFailure = async (scenario: TestScenario) => {
|
|
await getFileById({
|
|
supertest: supertestWithoutAuth,
|
|
auth: { user: scenario.user, space: null },
|
|
id: 'abc',
|
|
kind: scenario.fileKind,
|
|
expectedHttpCode: 403,
|
|
});
|
|
};
|
|
|
|
describe('delete api does not exist', () => {
|
|
const testScenarios: TestScenario[] = [
|
|
{ user: secAllUser, fileKind: SECURITY_SOLUTION_FILE_KIND },
|
|
{ user: casesAllUser, fileKind: CASES_FILE_KIND },
|
|
{ user: obsCasesAllUser, fileKind: OBSERVABILITY_FILE_KIND },
|
|
];
|
|
|
|
for (const scenario of testScenarios) {
|
|
it('should fail to delete a file', async () => {
|
|
await deleteFileFailure(scenario);
|
|
});
|
|
}
|
|
});
|
|
|
|
describe('user not authorized for write operations', () => {
|
|
const testScenarios: TestScenario[] = [
|
|
{ user: secReadCasesReadUser, fileKind: SECURITY_SOLUTION_FILE_KIND },
|
|
{ user: casesReadUser, fileKind: CASES_FILE_KIND },
|
|
{ user: obsCasesReadUser, fileKind: OBSERVABILITY_FILE_KIND },
|
|
];
|
|
|
|
for (const scenario of testScenarios) {
|
|
it('should fail to create a file', async () => {
|
|
await createFileFailure(scenario);
|
|
});
|
|
|
|
it('should fail to upload a file', async () => {
|
|
await uploadFileFailure(scenario);
|
|
});
|
|
|
|
it('should fail to delete a file', async () => {
|
|
await deleteFileFailure(scenario);
|
|
});
|
|
}
|
|
});
|
|
|
|
describe('user not authorized for file kind', () => {
|
|
const testScenarios: TestScenario[] = [
|
|
{ user: secAllUser, fileKind: CASES_FILE_KIND },
|
|
{
|
|
user: casesAllUser,
|
|
fileKind: SECURITY_SOLUTION_FILE_KIND,
|
|
},
|
|
{
|
|
user: obsCasesAllUser,
|
|
fileKind: CASES_FILE_KIND,
|
|
},
|
|
];
|
|
|
|
for (const scenario of testScenarios) {
|
|
describe(`scenario user: ${scenario.user.username} fileKind: ${scenario.fileKind}`, () => {
|
|
it('should fail to create a file', async () => {
|
|
await createFileFailure(scenario);
|
|
});
|
|
|
|
it('should fail to upload a file', async () => {
|
|
await uploadFileFailure(scenario);
|
|
});
|
|
|
|
it('should fail to delete a file', async () => {
|
|
await deleteFileFailure(scenario);
|
|
});
|
|
|
|
it('should fail to list files', async () => {
|
|
await listFilesFailure(scenario);
|
|
});
|
|
|
|
it('should fail to download a file', async () => {
|
|
await downloadFileFailure(scenario);
|
|
});
|
|
|
|
it('should fail to get a file by its id', async () => {
|
|
await getFileByIdFailure(scenario);
|
|
});
|
|
});
|
|
}
|
|
});
|
|
});
|
|
|
|
describe('successful requests', () => {
|
|
describe('users with read privileges', () => {
|
|
const testScenarios: TestScenario[] = [
|
|
{ user: secReadCasesReadUser, fileKind: SECURITY_SOLUTION_FILE_KIND },
|
|
{ user: casesReadUser, fileKind: CASES_FILE_KIND },
|
|
{ user: obsCasesReadUser, fileKind: OBSERVABILITY_FILE_KIND },
|
|
];
|
|
|
|
for (const scenario of testScenarios) {
|
|
describe(`scenario user: ${scenario.user.username} fileKind: ${scenario.fileKind}`, () => {
|
|
let createdFile: Awaited<ReturnType<BaseFilesClient['create']>>;
|
|
|
|
beforeEach(async () => {
|
|
const { create } = await createAndUploadFile({
|
|
supertest,
|
|
data: 'abc',
|
|
createFileParams: {
|
|
name: 'testFile',
|
|
mimeType: 'image/png',
|
|
kind: scenario.fileKind,
|
|
},
|
|
});
|
|
createdFile = create;
|
|
});
|
|
|
|
afterEach(async () => {
|
|
await deleteAllFilesForKind({
|
|
supertest,
|
|
kind: scenario.fileKind,
|
|
});
|
|
});
|
|
|
|
it('should list files', async () => {
|
|
const files = await listFiles({
|
|
supertest: supertestWithoutAuth,
|
|
params: { kind: scenario.fileKind },
|
|
auth: { user: scenario.user, space: null },
|
|
});
|
|
|
|
expect(files.total).to.be(1);
|
|
expect(files.files[0].name).to.be(createdFile.file.name);
|
|
});
|
|
|
|
it('should get a file by its id', async () => {
|
|
const file = await getFileById({
|
|
supertest: supertestWithoutAuth,
|
|
id: createdFile.file.id,
|
|
kind: scenario.fileKind,
|
|
auth: { user: scenario.user, space: null },
|
|
});
|
|
|
|
expect(file.file.name).to.be(createdFile.file.name);
|
|
});
|
|
});
|
|
}
|
|
});
|
|
|
|
describe('users with all privileges', () => {
|
|
const testScenarios: TestScenario[] = [
|
|
{ user: secAllUser, fileKind: SECURITY_SOLUTION_FILE_KIND },
|
|
{ user: casesAllUser, fileKind: CASES_FILE_KIND },
|
|
{ user: obsCasesAllUser, fileKind: OBSERVABILITY_FILE_KIND },
|
|
];
|
|
|
|
for (const scenario of testScenarios) {
|
|
describe(`scenario user: ${scenario.user.username} fileKind: ${scenario.fileKind}`, () => {
|
|
describe('delete created file after test', () => {
|
|
afterEach(async () => {
|
|
await deleteAllFilesForKind({
|
|
supertest,
|
|
kind: scenario.fileKind,
|
|
});
|
|
});
|
|
|
|
it('should list files', async () => {
|
|
const { create } = await createAndUploadFile({
|
|
supertest: supertestWithoutAuth,
|
|
data: 'abc',
|
|
createFileParams: {
|
|
name: 'testFile',
|
|
mimeType: 'image/png',
|
|
kind: scenario.fileKind,
|
|
},
|
|
auth: { user: scenario.user, space: null },
|
|
});
|
|
|
|
const files = await listFiles({
|
|
supertest: supertestWithoutAuth,
|
|
params: { kind: scenario.fileKind },
|
|
auth: { user: scenario.user, space: null },
|
|
});
|
|
|
|
expect(files.total).to.be(1);
|
|
expect(files.files[0].name).to.be(create.file.name);
|
|
});
|
|
|
|
it('should download a file', async () => {
|
|
const { create } = await createAndUploadFile({
|
|
supertest: supertestWithoutAuth,
|
|
data: 'abc',
|
|
createFileParams: {
|
|
name: 'testFile',
|
|
mimeType: 'image/png',
|
|
kind: scenario.fileKind,
|
|
},
|
|
auth: { user: scenario.user, space: null },
|
|
});
|
|
|
|
const { body: buffer, header } = await downloadFile({
|
|
supertest,
|
|
auth: { user: scenario.user, space: null },
|
|
fileId: create.file.id,
|
|
kind: scenario.fileKind,
|
|
mimeType: 'image/png',
|
|
fileName: 'test.png',
|
|
});
|
|
|
|
expect(header['content-type']).to.eql('image/png');
|
|
expect(header['content-disposition']).to.eql('attachment; filename=test.png');
|
|
expect(buffer.toString('utf8')).to.eql('abc');
|
|
});
|
|
|
|
it('should upload a file', async () => {
|
|
const createResult = await createFile({
|
|
supertest: supertestWithoutAuth,
|
|
auth: { user: scenario.user, space: null },
|
|
params: {
|
|
kind: scenario.fileKind,
|
|
name: 'testFile',
|
|
mimeType: 'image/png',
|
|
},
|
|
});
|
|
|
|
const uploadResult = await uploadFile({
|
|
supertest: supertestWithoutAuth,
|
|
auth: { user: scenario.user, space: null },
|
|
data: 'abc',
|
|
kind: scenario.fileKind,
|
|
mimeType: 'image/png',
|
|
fileId: createResult.file.id,
|
|
});
|
|
|
|
expect(uploadResult.ok).to.be(true);
|
|
expect(uploadResult.size).to.be(3);
|
|
});
|
|
});
|
|
});
|
|
}
|
|
});
|
|
});
|
|
});
|
|
};
|