Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Cases] Cleaning up RBAC integration tests #101324

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,39 @@ export class FixturePlugin implements Plugin<void, void, FixtureSetupDeps, Fixtu
},
},
});

features.registerKibanaFeature({
id: 'testDisabledFixtureID',
name: 'TestDisabledFixture',
app: ['kibana'],
category: { id: 'cases-fixtures', label: 'Cases Fixtures' },
// testDisabledFixture is disabled in space1
cases: ['testDisabledFixture'],
privileges: {
all: {
app: ['kibana'],
cases: {
all: ['testDisabledFixture'],
},
savedObject: {
all: [],
read: [],
},
ui: [],
},
read: {
app: ['kibana'],
cases: {
read: ['testDisabledFixture'],
},
savedObject: {
all: [],
read: [],
},
ui: [],
},
},
});
}
public start() {}
public stop() {}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,31 @@ export const globalRead: Role = {
},
};

export const testDisabledPluginAll: Role = {
name: 'test_disabled_plugin_all',
privileges: {
elasticsearch: {
indices: [
{
names: ['*'],
privileges: ['all'],
},
],
},
kibana: [
{
feature: {
testDisabledFixtureID: ['all'],
securitySolutionFixture: ['all'],
actions: ['all'],
actionsSimulators: ['all'],
},
spaces: ['space1'],
},
],
},
};

export const securitySolutionOnlyAll: Role = {
name: 'sec_only_all',
privileges: {
Expand Down Expand Up @@ -149,6 +174,7 @@ export const roles = [
securitySolutionOnlyRead,
observabilityOnlyAll,
observabilityOnlyRead,
testDisabledPluginAll,
];

/**
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ import { Space } from './types';
const space1: Space = {
id: 'space1',
name: 'Space 1',
disabledFeatures: [],
disabledFeatures: ['testDisabledFixtureID'],
};

const space2: Space = {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ import {
securitySolutionOnlyReadSpacesAll,
observabilityOnlyAllSpacesAll,
observabilityOnlyReadSpacesAll,
testDisabledPluginAll,
} from './roles';
import { User } from './types';

Expand All @@ -25,6 +26,12 @@ export const superUser: User = {
roles: ['superuser'],
};

export const testDisabled: User = {
username: 'test_disabled',
password: 'test_disabled',
roles: [testDisabledPluginAll.name],
};

export const secOnly: User = {
username: 'sec_only',
password: 'sec_only',
Expand Down Expand Up @@ -83,6 +90,7 @@ export const users = [
obsSecRead,
globalRead,
noKibanaPrivileges,
testDisabled,
];

/**
Expand Down
8 changes: 7 additions & 1 deletion x-pack/test/case_api_integration/common/lib/utils.ts
Original file line number Diff line number Diff line change
Expand Up @@ -273,12 +273,17 @@ export const createSubCaseComment = async ({
return { newSubCaseInfo: caseConnector.body.data, modifiedSubCases: closedSubCases };
};

type ConfigRequestParams = Partial<CaseConnector> & {
overrides?: Record<string, unknown>;
};

export const getConfigurationRequest = ({
id = 'none',
name = 'none',
type = ConnectorTypes.none,
fields = null,
}: Partial<CaseConnector> = {}): CasesConfigureRequest => {
overrides,
}: ConfigRequestParams = {}): CasesConfigureRequest => {
return {
connector: {
id,
Expand All @@ -288,6 +293,7 @@ export const getConfigurationRequest = ({
} as CaseConnector,
closure_type: 'close-by-user',
owner: 'securitySolutionFixture',
...overrides,
};
};

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -285,10 +285,27 @@ export default ({ getService }: FtrProviderContext): void => {
);

/**
* We expect a 404 because the bulkGet inside the delete
* route should return a 404 when requesting a case from
* a different space.
* */
* secOnly does not have access to space2 so it should 403
*/
await deleteCases({
supertest: supertestWithoutAuth,
caseIDs: [postedCase.id],
expectedHttpCode: 403,
auth: { user: secOnly, space: 'space2' },
});
});

it('should NOT delete a case created in space2 by making a request to space1', async () => {
const postedCase = await createCase(
supertestWithoutAuth,
getPostCaseRequest({ owner: 'securitySolutionFixture' }),
200,
{
user: superUser,
space: 'space2',
}
);

await deleteCases({
supertest: supertestWithoutAuth,
caseIDs: [postedCase.id],
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@ import {
obsOnlyRead,
obsSecRead,
noKibanaPrivileges,
testDisabled,
} from '../../../../common/lib/authentication/users';
import { FtrProviderContext } from '../../../../common/ftr_provider_context';

Expand Down Expand Up @@ -240,6 +241,22 @@ export default ({ getService }: FtrProviderContext): void => {
});

describe('rbac', () => {
it('returns a 403 when attempting to create a case with an owner that was from a disabled feature in the space', async () => {
const theCase = ((await createCase(
supertestWithoutAuth,
getPostCaseRequest({ owner: 'testDisabledFixture' }),
403,
{
user: testDisabled,
space: 'space1',
}
)) as unknown) as { message: string };

expect(theCase.message).to.eql(
'Unauthorized to create case with owners: "testDisabledFixture"'
);
});

it('User: security solution only - should create a case', async () => {
const theCase = await createCase(
supertestWithoutAuth,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -320,6 +320,37 @@ export default ({ getService }: FtrProviderContext): void => {
auth: { user: superUser, space: 'space2' },
});

await deleteComment({
supertest: supertestWithoutAuth,
caseId: postedCase.id,
commentId: commentResp.comments![0].id,
auth: { user: secOnly, space: 'space2' },
expectedHttpCode: 403,
});

await deleteAllComments({
supertest: supertestWithoutAuth,
caseId: postedCase.id,
auth: { user: secOnly, space: 'space2' },
expectedHttpCode: 403,
});
});

it('should NOT delete a comment created in space2 by making a request to space1', async () => {
const postedCase = await createCase(
supertestWithoutAuth,
getPostCaseRequest({ owner: 'securitySolutionFixture' }),
200,
{ user: superUser, space: 'space2' }
);

const commentResp = await createComment({
supertest: supertestWithoutAuth,
caseId: postedCase.id,
params: postCommentUserReq,
auth: { user: superUser, space: 'space2' },
});

await deleteComment({
supertest: supertestWithoutAuth,
caseId: postedCase.id,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -224,6 +224,32 @@ export default ({ getService }: FtrProviderContext): void => {
}
);

await updateConfiguration(
supertestWithoutAuth,
configuration.id,
{
closure_type: 'close-by-pushing',
version: configuration.version,
},
403,
{
user: secOnly,
space: 'space2',
}
);
});

it('should NOT update a configuration created in space2 by making a request to space1', async () => {
const configuration = await createConfiguration(
supertestWithoutAuth,
{ ...getConfigurationRequest(), owner: 'securitySolutionFixture' },
200,
{
user: superUser,
space: 'space2',
}
);

await updateConfiguration(
supertestWithoutAuth,
configuration.id,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ import {
globalRead,
obsSecRead,
superUser,
testDisabled,
} from '../../../../common/lib/authentication/users';

// eslint-disable-next-line import/no-default-export
Expand Down Expand Up @@ -196,6 +197,22 @@ export default ({ getService }: FtrProviderContext): void => {
});

describe('rbac', () => {
it('returns a 403 when attempting to create a configuration with an owner that was from a disabled feature in the space', async () => {
const configuration = ((await createConfiguration(
supertestWithoutAuth,
getConfigurationRequest({ overrides: { owner: 'testDisabledFixture' } }),
403,
{
user: testDisabled,
space: 'space1',
}
)) as unknown) as { message: string };

expect(configuration.message).to.eql(
'Unauthorized to create case configuration with owners: "testDisabledFixture"'
);
});

it('User: security solution only - should create a configuration', async () => {
const configuration = await createConfiguration(
supertestWithoutAuth,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ export default ({ getService }: FtrProviderContext): void => {
expect(comment).to.eql(patchedCase.comments![0]);
});

it('should not get a comment in space2', async () => {
it('should not get a comment in space2 when it was created in space1', async () => {
const postedCase = await createCase(supertest, postCaseReq, 200, authSpace1);
const patchedCase = await createComment({
supertest,
Expand Down