From d9e141f160a2e76b554cb966fa19bee732e5ff71 Mon Sep 17 00:00:00 2001 From: Frank Hassanabad Date: Mon, 20 Jul 2020 11:00:59 -0600 Subject: [PATCH] [SIEM][Detection Engine][Lists] Adds list permissions (#72335) ## Summary * Adds list permissions as a feature control to SIEM. * Separates the controls between two, one of which is `access:lists-all` and the other is `access:lists-read` * Grants SIEM the ability to utilize both depending on which feature mode the space is in. --- .../routes/create_endpoint_list_item_route.ts | 2 +- .../routes/create_endpoint_list_route.ts | 2 +- .../routes/create_exception_list_item_route.ts | 2 +- .../routes/create_exception_list_route.ts | 2 +- .../server/routes/create_list_index_route.ts | 2 +- .../server/routes/create_list_item_route.ts | 2 +- .../lists/server/routes/create_list_route.ts | 2 +- .../routes/delete_endpoint_list_item_route.ts | 2 +- .../routes/delete_exception_list_item_route.ts | 2 +- .../routes/delete_exception_list_route.ts | 2 +- .../server/routes/delete_list_index_route.ts | 2 +- .../server/routes/delete_list_item_route.ts | 2 +- .../lists/server/routes/delete_list_route.ts | 2 +- .../server/routes/export_list_item_route.ts | 2 +- .../routes/find_endpoint_list_item_route.ts | 2 +- .../routes/find_exception_list_item_route.ts | 2 +- .../server/routes/find_exception_list_route.ts | 2 +- .../server/routes/find_list_item_route.ts | 2 +- .../lists/server/routes/find_list_route.ts | 2 +- .../server/routes/import_list_item_route.ts | 2 +- .../server/routes/patch_list_item_route.ts | 2 +- .../lists/server/routes/patch_list_route.ts | 2 +- .../routes/read_endpoint_list_item_route.ts | 2 +- .../routes/read_exception_list_item_route.ts | 2 +- .../server/routes/read_exception_list_route.ts | 2 +- .../server/routes/read_list_index_route.ts | 2 +- .../server/routes/read_list_item_route.ts | 2 +- .../lists/server/routes/read_list_route.ts | 2 +- .../server/routes/read_privileges_route.ts | 2 +- .../routes/update_endpoint_list_item_route.ts | 2 +- .../routes/update_exception_list_item_route.ts | 2 +- .../routes/update_exception_list_route.ts | 2 +- .../server/routes/update_list_item_route.ts | 2 +- .../lists/server/routes/update_list_route.ts | 2 +- .../plugins/security_solution/server/plugin.ts | 18 ++++++++++++++++-- 35 files changed, 50 insertions(+), 36 deletions(-) diff --git a/x-pack/plugins/lists/server/routes/create_endpoint_list_item_route.ts b/x-pack/plugins/lists/server/routes/create_endpoint_list_item_route.ts index b6eacc3b7dd04..5ff2a9d9df9f4 100644 --- a/x-pack/plugins/lists/server/routes/create_endpoint_list_item_route.ts +++ b/x-pack/plugins/lists/server/routes/create_endpoint_list_item_route.ts @@ -21,7 +21,7 @@ export const createEndpointListItemRoute = (router: IRouter): void => { router.post( { options: { - tags: ['access:lists'], + tags: ['access:lists-all'], }, path: ENDPOINT_LIST_ITEM_URL, validate: { diff --git a/x-pack/plugins/lists/server/routes/create_endpoint_list_route.ts b/x-pack/plugins/lists/server/routes/create_endpoint_list_route.ts index cac69ce65623f..b1e589be67cd1 100644 --- a/x-pack/plugins/lists/server/routes/create_endpoint_list_route.ts +++ b/x-pack/plugins/lists/server/routes/create_endpoint_list_route.ts @@ -26,7 +26,7 @@ export const createEndpointListRoute = (router: IRouter): void => { router.post( { options: { - tags: ['access:lists'], + tags: ['access:lists-all'], }, path: ENDPOINT_LIST_URL, validate: false, diff --git a/x-pack/plugins/lists/server/routes/create_exception_list_item_route.ts b/x-pack/plugins/lists/server/routes/create_exception_list_item_route.ts index c331eeb4bd2d0..e4885c7393bd4 100644 --- a/x-pack/plugins/lists/server/routes/create_exception_list_item_route.ts +++ b/x-pack/plugins/lists/server/routes/create_exception_list_item_route.ts @@ -22,7 +22,7 @@ export const createExceptionListItemRoute = (router: IRouter): void => { router.post( { options: { - tags: ['access:lists'], + tags: ['access:lists-all'], }, path: EXCEPTION_LIST_ITEM_URL, validate: { diff --git a/x-pack/plugins/lists/server/routes/create_exception_list_route.ts b/x-pack/plugins/lists/server/routes/create_exception_list_route.ts index bd29a65c9450a..897d82d6a9ba0 100644 --- a/x-pack/plugins/lists/server/routes/create_exception_list_route.ts +++ b/x-pack/plugins/lists/server/routes/create_exception_list_route.ts @@ -21,7 +21,7 @@ export const createExceptionListRoute = (router: IRouter): void => { router.post( { options: { - tags: ['access:lists'], + tags: ['access:lists-all'], }, path: EXCEPTION_LIST_URL, validate: { diff --git a/x-pack/plugins/lists/server/routes/create_list_index_route.ts b/x-pack/plugins/lists/server/routes/create_list_index_route.ts index 5ec2b36da61b0..1bffdd6bd5b5f 100644 --- a/x-pack/plugins/lists/server/routes/create_list_index_route.ts +++ b/x-pack/plugins/lists/server/routes/create_list_index_route.ts @@ -17,7 +17,7 @@ export const createListIndexRoute = (router: IRouter): void => { router.post( { options: { - tags: ['access:lists'], + tags: ['access:lists-all'], }, path: LIST_INDEX, validate: false, diff --git a/x-pack/plugins/lists/server/routes/create_list_item_route.ts b/x-pack/plugins/lists/server/routes/create_list_item_route.ts index 8ac5db3c7fd1c..656d6af2c6c9a 100644 --- a/x-pack/plugins/lists/server/routes/create_list_item_route.ts +++ b/x-pack/plugins/lists/server/routes/create_list_item_route.ts @@ -17,7 +17,7 @@ export const createListItemRoute = (router: IRouter): void => { router.post( { options: { - tags: ['access:lists'], + tags: ['access:lists-all'], }, path: LIST_ITEM_URL, validate: { diff --git a/x-pack/plugins/lists/server/routes/create_list_route.ts b/x-pack/plugins/lists/server/routes/create_list_route.ts index eee7517523b0f..ff041699054c9 100644 --- a/x-pack/plugins/lists/server/routes/create_list_route.ts +++ b/x-pack/plugins/lists/server/routes/create_list_route.ts @@ -17,7 +17,7 @@ export const createListRoute = (router: IRouter): void => { router.post( { options: { - tags: ['access:lists'], + tags: ['access:lists-all'], }, path: LIST_URL, validate: { diff --git a/x-pack/plugins/lists/server/routes/delete_endpoint_list_item_route.ts b/x-pack/plugins/lists/server/routes/delete_endpoint_list_item_route.ts index b8946c542b27e..2d5028bd9525a 100644 --- a/x-pack/plugins/lists/server/routes/delete_endpoint_list_item_route.ts +++ b/x-pack/plugins/lists/server/routes/delete_endpoint_list_item_route.ts @@ -21,7 +21,7 @@ export const deleteEndpointListItemRoute = (router: IRouter): void => { router.delete( { options: { - tags: ['access:lists'], + tags: ['access:lists-all'], }, path: ENDPOINT_LIST_ITEM_URL, validate: { diff --git a/x-pack/plugins/lists/server/routes/delete_exception_list_item_route.ts b/x-pack/plugins/lists/server/routes/delete_exception_list_item_route.ts index f363252dada50..06ff051925407 100644 --- a/x-pack/plugins/lists/server/routes/delete_exception_list_item_route.ts +++ b/x-pack/plugins/lists/server/routes/delete_exception_list_item_route.ts @@ -21,7 +21,7 @@ export const deleteExceptionListItemRoute = (router: IRouter): void => { router.delete( { options: { - tags: ['access:lists'], + tags: ['access:lists-all'], }, path: EXCEPTION_LIST_ITEM_URL, validate: { diff --git a/x-pack/plugins/lists/server/routes/delete_exception_list_route.ts b/x-pack/plugins/lists/server/routes/delete_exception_list_route.ts index b1bf705dcc5f6..f2bf517f55ae3 100644 --- a/x-pack/plugins/lists/server/routes/delete_exception_list_route.ts +++ b/x-pack/plugins/lists/server/routes/delete_exception_list_route.ts @@ -21,7 +21,7 @@ export const deleteExceptionListRoute = (router: IRouter): void => { router.delete( { options: { - tags: ['access:lists'], + tags: ['access:lists-all'], }, path: EXCEPTION_LIST_URL, validate: { diff --git a/x-pack/plugins/lists/server/routes/delete_list_index_route.ts b/x-pack/plugins/lists/server/routes/delete_list_index_route.ts index cb2e16b3602a7..be58d8aeed17d 100644 --- a/x-pack/plugins/lists/server/routes/delete_list_index_route.ts +++ b/x-pack/plugins/lists/server/routes/delete_list_index_route.ts @@ -33,7 +33,7 @@ export const deleteListIndexRoute = (router: IRouter): void => { router.delete( { options: { - tags: ['access:lists'], + tags: ['access:lists-all'], }, path: LIST_INDEX, validate: false, diff --git a/x-pack/plugins/lists/server/routes/delete_list_item_route.ts b/x-pack/plugins/lists/server/routes/delete_list_item_route.ts index bb278ba436725..50313cd1294ae 100644 --- a/x-pack/plugins/lists/server/routes/delete_list_item_route.ts +++ b/x-pack/plugins/lists/server/routes/delete_list_item_route.ts @@ -17,7 +17,7 @@ export const deleteListItemRoute = (router: IRouter): void => { router.delete( { options: { - tags: ['access:lists'], + tags: ['access:lists-all'], }, path: LIST_ITEM_URL, validate: { diff --git a/x-pack/plugins/lists/server/routes/delete_list_route.ts b/x-pack/plugins/lists/server/routes/delete_list_route.ts index 600e4b00c29ca..4eeb6d8f126ad 100644 --- a/x-pack/plugins/lists/server/routes/delete_list_route.ts +++ b/x-pack/plugins/lists/server/routes/delete_list_route.ts @@ -17,7 +17,7 @@ export const deleteListRoute = (router: IRouter): void => { router.delete( { options: { - tags: ['access:lists'], + tags: ['access:lists-all'], }, path: LIST_URL, validate: { diff --git a/x-pack/plugins/lists/server/routes/export_list_item_route.ts b/x-pack/plugins/lists/server/routes/export_list_item_route.ts index 8148c9b1ed824..98167931c4346 100644 --- a/x-pack/plugins/lists/server/routes/export_list_item_route.ts +++ b/x-pack/plugins/lists/server/routes/export_list_item_route.ts @@ -18,7 +18,7 @@ export const exportListItemRoute = (router: IRouter): void => { router.post( { options: { - tags: ['access:lists'], + tags: ['access:lists-read'], }, path: `${LIST_ITEM_URL}/_export`, validate: { diff --git a/x-pack/plugins/lists/server/routes/find_endpoint_list_item_route.ts b/x-pack/plugins/lists/server/routes/find_endpoint_list_item_route.ts index 7374ff7dc92ea..9f83761cc501a 100644 --- a/x-pack/plugins/lists/server/routes/find_endpoint_list_item_route.ts +++ b/x-pack/plugins/lists/server/routes/find_endpoint_list_item_route.ts @@ -21,7 +21,7 @@ export const findEndpointListItemRoute = (router: IRouter): void => { router.get( { options: { - tags: ['access:lists'], + tags: ['access:lists-read'], }, path: `${ENDPOINT_LIST_ITEM_URL}/_find`, validate: { diff --git a/x-pack/plugins/lists/server/routes/find_exception_list_item_route.ts b/x-pack/plugins/lists/server/routes/find_exception_list_item_route.ts index a318d653450c7..270aad85796b2 100644 --- a/x-pack/plugins/lists/server/routes/find_exception_list_item_route.ts +++ b/x-pack/plugins/lists/server/routes/find_exception_list_item_route.ts @@ -21,7 +21,7 @@ export const findExceptionListItemRoute = (router: IRouter): void => { router.get( { options: { - tags: ['access:lists'], + tags: ['access:lists-read'], }, path: `${EXCEPTION_LIST_ITEM_URL}/_find`, validate: { diff --git a/x-pack/plugins/lists/server/routes/find_exception_list_route.ts b/x-pack/plugins/lists/server/routes/find_exception_list_route.ts index 97e1de834cd37..c5cae7a1e0bb8 100644 --- a/x-pack/plugins/lists/server/routes/find_exception_list_route.ts +++ b/x-pack/plugins/lists/server/routes/find_exception_list_route.ts @@ -21,7 +21,7 @@ export const findExceptionListRoute = (router: IRouter): void => { router.get( { options: { - tags: ['access:lists'], + tags: ['access:lists-read'], }, path: `${EXCEPTION_LIST_URL}/_find`, validate: { diff --git a/x-pack/plugins/lists/server/routes/find_list_item_route.ts b/x-pack/plugins/lists/server/routes/find_list_item_route.ts index 52d534b08df2b..55617e2ba1b8f 100644 --- a/x-pack/plugins/lists/server/routes/find_list_item_route.ts +++ b/x-pack/plugins/lists/server/routes/find_list_item_route.ts @@ -22,7 +22,7 @@ export const findListItemRoute = (router: IRouter): void => { router.get( { options: { - tags: ['access:lists'], + tags: ['access:lists-read'], }, path: `${LIST_ITEM_URL}/_find`, validate: { diff --git a/x-pack/plugins/lists/server/routes/find_list_route.ts b/x-pack/plugins/lists/server/routes/find_list_route.ts index 2fa43c6368b5c..268eb36a5e26e 100644 --- a/x-pack/plugins/lists/server/routes/find_list_route.ts +++ b/x-pack/plugins/lists/server/routes/find_list_route.ts @@ -18,7 +18,7 @@ export const findListRoute = (router: IRouter): void => { router.get( { options: { - tags: ['access:lists'], + tags: ['access:lists-read'], }, path: `${LIST_URL}/_find`, validate: { diff --git a/x-pack/plugins/lists/server/routes/import_list_item_route.ts b/x-pack/plugins/lists/server/routes/import_list_item_route.ts index 2e629d7516dd1..5e88ca0f2569a 100644 --- a/x-pack/plugins/lists/server/routes/import_list_item_route.ts +++ b/x-pack/plugins/lists/server/routes/import_list_item_route.ts @@ -26,7 +26,7 @@ export const importListItemRoute = (router: IRouter, config: ConfigType): void = maxBytes: config.maxImportPayloadBytes, parse: false, }, - tags: ['access:lists'], + tags: ['access:lists-all'], }, path: `${LIST_ITEM_URL}/_import`, validate: { diff --git a/x-pack/plugins/lists/server/routes/patch_list_item_route.ts b/x-pack/plugins/lists/server/routes/patch_list_item_route.ts index f706559dffdbd..d7ac3d61edf64 100644 --- a/x-pack/plugins/lists/server/routes/patch_list_item_route.ts +++ b/x-pack/plugins/lists/server/routes/patch_list_item_route.ts @@ -17,7 +17,7 @@ export const patchListItemRoute = (router: IRouter): void => { router.patch( { options: { - tags: ['access:lists'], + tags: ['access:lists-all'], }, path: LIST_ITEM_URL, validate: { diff --git a/x-pack/plugins/lists/server/routes/patch_list_route.ts b/x-pack/plugins/lists/server/routes/patch_list_route.ts index 3a0d8714a14cd..9e59f74371595 100644 --- a/x-pack/plugins/lists/server/routes/patch_list_route.ts +++ b/x-pack/plugins/lists/server/routes/patch_list_route.ts @@ -17,7 +17,7 @@ export const patchListRoute = (router: IRouter): void => { router.patch( { options: { - tags: ['access:lists'], + tags: ['access:lists-all'], }, path: LIST_URL, validate: { diff --git a/x-pack/plugins/lists/server/routes/read_endpoint_list_item_route.ts b/x-pack/plugins/lists/server/routes/read_endpoint_list_item_route.ts index 5e7ed901bf0cb..fd932746ce990 100644 --- a/x-pack/plugins/lists/server/routes/read_endpoint_list_item_route.ts +++ b/x-pack/plugins/lists/server/routes/read_endpoint_list_item_route.ts @@ -21,7 +21,7 @@ export const readEndpointListItemRoute = (router: IRouter): void => { router.get( { options: { - tags: ['access:lists'], + tags: ['access:lists-read'], }, path: ENDPOINT_LIST_ITEM_URL, validate: { diff --git a/x-pack/plugins/lists/server/routes/read_exception_list_item_route.ts b/x-pack/plugins/lists/server/routes/read_exception_list_item_route.ts index c4e969b27fcf4..fe8256fbda5cd 100644 --- a/x-pack/plugins/lists/server/routes/read_exception_list_item_route.ts +++ b/x-pack/plugins/lists/server/routes/read_exception_list_item_route.ts @@ -21,7 +21,7 @@ export const readExceptionListItemRoute = (router: IRouter): void => { router.get( { options: { - tags: ['access:lists'], + tags: ['access:lists-read'], }, path: EXCEPTION_LIST_ITEM_URL, validate: { diff --git a/x-pack/plugins/lists/server/routes/read_exception_list_route.ts b/x-pack/plugins/lists/server/routes/read_exception_list_route.ts index 6cb91c10aea55..0512876d298d4 100644 --- a/x-pack/plugins/lists/server/routes/read_exception_list_route.ts +++ b/x-pack/plugins/lists/server/routes/read_exception_list_route.ts @@ -21,7 +21,7 @@ export const readExceptionListRoute = (router: IRouter): void => { router.get( { options: { - tags: ['access:lists'], + tags: ['access:lists-read'], }, path: EXCEPTION_LIST_URL, validate: { diff --git a/x-pack/plugins/lists/server/routes/read_list_index_route.ts b/x-pack/plugins/lists/server/routes/read_list_index_route.ts index 4664bed3e7a8b..87a4d85e0d254 100644 --- a/x-pack/plugins/lists/server/routes/read_list_index_route.ts +++ b/x-pack/plugins/lists/server/routes/read_list_index_route.ts @@ -17,7 +17,7 @@ export const readListIndexRoute = (router: IRouter): void => { router.get( { options: { - tags: ['access:lists'], + tags: ['access:lists-read'], }, path: LIST_INDEX, validate: false, diff --git a/x-pack/plugins/lists/server/routes/read_list_item_route.ts b/x-pack/plugins/lists/server/routes/read_list_item_route.ts index 24011d3b50d27..b7cf2b9f7123b 100644 --- a/x-pack/plugins/lists/server/routes/read_list_item_route.ts +++ b/x-pack/plugins/lists/server/routes/read_list_item_route.ts @@ -17,7 +17,7 @@ export const readListItemRoute = (router: IRouter): void => { router.get( { options: { - tags: ['access:lists'], + tags: ['access:lists-read'], }, path: LIST_ITEM_URL, validate: { diff --git a/x-pack/plugins/lists/server/routes/read_list_route.ts b/x-pack/plugins/lists/server/routes/read_list_route.ts index 34924b70fd4df..4bce09ecd3bde 100644 --- a/x-pack/plugins/lists/server/routes/read_list_route.ts +++ b/x-pack/plugins/lists/server/routes/read_list_route.ts @@ -17,7 +17,7 @@ export const readListRoute = (router: IRouter): void => { router.get( { options: { - tags: ['access:lists'], + tags: ['access:lists-read'], }, path: LIST_URL, validate: { diff --git a/x-pack/plugins/lists/server/routes/read_privileges_route.ts b/x-pack/plugins/lists/server/routes/read_privileges_route.ts index 892b6406a28ec..a4ec878613608 100644 --- a/x-pack/plugins/lists/server/routes/read_privileges_route.ts +++ b/x-pack/plugins/lists/server/routes/read_privileges_route.ts @@ -20,7 +20,7 @@ export const readPrivilegesRoute = ( router.get( { options: { - tags: ['access:lists'], + tags: ['access:lists-read'], }, path: LIST_PRIVILEGES_URL, validate: false, diff --git a/x-pack/plugins/lists/server/routes/update_endpoint_list_item_route.ts b/x-pack/plugins/lists/server/routes/update_endpoint_list_item_route.ts index 1ecf4e8a9765d..92d41c5f4294d 100644 --- a/x-pack/plugins/lists/server/routes/update_endpoint_list_item_route.ts +++ b/x-pack/plugins/lists/server/routes/update_endpoint_list_item_route.ts @@ -21,7 +21,7 @@ export const updateEndpointListItemRoute = (router: IRouter): void => { router.put( { options: { - tags: ['access:lists'], + tags: ['access:lists-all'], }, path: ENDPOINT_LIST_ITEM_URL, validate: { diff --git a/x-pack/plugins/lists/server/routes/update_exception_list_item_route.ts b/x-pack/plugins/lists/server/routes/update_exception_list_item_route.ts index f6c7bcebedc13..29174143708ed 100644 --- a/x-pack/plugins/lists/server/routes/update_exception_list_item_route.ts +++ b/x-pack/plugins/lists/server/routes/update_exception_list_item_route.ts @@ -21,7 +21,7 @@ export const updateExceptionListItemRoute = (router: IRouter): void => { router.put( { options: { - tags: ['access:lists'], + tags: ['access:lists-all'], }, path: EXCEPTION_LIST_ITEM_URL, validate: { diff --git a/x-pack/plugins/lists/server/routes/update_exception_list_route.ts b/x-pack/plugins/lists/server/routes/update_exception_list_route.ts index cff78614d05ba..b314b9c675141 100644 --- a/x-pack/plugins/lists/server/routes/update_exception_list_route.ts +++ b/x-pack/plugins/lists/server/routes/update_exception_list_route.ts @@ -21,7 +21,7 @@ export const updateExceptionListRoute = (router: IRouter): void => { router.put( { options: { - tags: ['access:lists'], + tags: ['access:lists-all'], }, path: EXCEPTION_LIST_URL, validate: { diff --git a/x-pack/plugins/lists/server/routes/update_list_item_route.ts b/x-pack/plugins/lists/server/routes/update_list_item_route.ts index 3e231e319104b..ea48e876ada1e 100644 --- a/x-pack/plugins/lists/server/routes/update_list_item_route.ts +++ b/x-pack/plugins/lists/server/routes/update_list_item_route.ts @@ -17,7 +17,7 @@ export const updateListItemRoute = (router: IRouter): void => { router.put( { options: { - tags: ['access:lists'], + tags: ['access:lists-all'], }, path: LIST_ITEM_URL, validate: { diff --git a/x-pack/plugins/lists/server/routes/update_list_route.ts b/x-pack/plugins/lists/server/routes/update_list_route.ts index a6d9f8329c7c8..fe3f3b9b4161d 100644 --- a/x-pack/plugins/lists/server/routes/update_list_route.ts +++ b/x-pack/plugins/lists/server/routes/update_list_route.ts @@ -17,7 +17,7 @@ export const updateListRoute = (router: IRouter): void => { router.put( { options: { - tags: ['access:lists'], + tags: ['access:lists-all'], }, path: LIST_URL, validate: { diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts index 17192057d2ad3..22b55c64a1657 100644 --- a/x-pack/plugins/security_solution/server/plugin.ts +++ b/x-pack/plugins/security_solution/server/plugin.ts @@ -167,7 +167,14 @@ export class Plugin implements IPlugin