[Cases] Add RBAC to remaining Cases APIs

x-pack/plugins/cases/common/api/cases/case.ts

@@ -13,6 +13,7 @@ import { CommentResponseRt } from './comment';
 import { CasesStatusResponseRt, CaseStatusRt } from './status';
 import { CaseConnectorRt, ESCaseConnector } from '../connectors';
 import { SubCaseResponseRt } from './sub_case';
+import { OWNER_FIELD } from './constants';
 
 export enum CaseType {
   collection = 'collection',
@@ -38,8 +39,7 @@ const CaseBasicRt = rt.type({
   [caseTypeField]: CaseTypeRt,
   connector: CaseConnectorRt,
   settings: SettingsRt,
-  // TODO: should a user be able to update the owner?
-  owner: rt.string,
+  [OWNER_FIELD]: rt.string,
 });
 
 const CaseExternalServiceBasicRt = rt.type({
@@ -80,7 +80,7 @@ const CasePostRequestNoTypeRt = rt.type({
   title: rt.string,
   connector: CaseConnectorRt,
   settings: SettingsRt,
-  owner: rt.string,
+  [OWNER_FIELD]: rt.string,
 });
 
 /**
@@ -115,7 +115,7 @@ export const CasesFindRequestRt = rt.partial({
   searchFields: rt.union([rt.array(rt.string), rt.string]),
   sortField: rt.string,
   sortOrder: rt.union([rt.literal('desc'), rt.literal('asc')]),
-  owner: rt.union([rt.array(rt.string), rt.string]),
+  [OWNER_FIELD]: rt.union([rt.array(rt.string), rt.string]),
 });
 
 export const CaseResponseRt = rt.intersection([
@@ -177,7 +177,7 @@ export const ExternalServiceResponseRt = rt.intersection([
 ]);
 
 export const AllTagsFindRequestRt = rt.partial({
-  owner: rt.union([rt.array(rt.string), rt.string]),
+  [OWNER_FIELD]: rt.union([rt.array(rt.string), rt.string]),
 });
 
 export const AllReportersFindRequestRt = AllTagsFindRequestRt;

x-pack/plugins/cases/common/api/cases/comment.ts

@@ -6,6 +6,7 @@
  */
 
 import * as rt from 'io-ts';
+import { OWNER_FIELD } from './constants';
 import { SavedObjectFindOptionsRt } from '../saved_object';
 
 import { UserRT } from '../user';
@@ -28,7 +29,7 @@ export const CommentAttributesBasicRt = rt.type({
   ]),
   created_at: rt.string,
   created_by: UserRT,
-  owner: rt.string,
+  [OWNER_FIELD]: rt.string,
   pushed_at: rt.union([rt.string, rt.null]),
   pushed_by: rt.union([UserRT, rt.null]),
   updated_at: rt.union([rt.string, rt.null]),
@@ -44,7 +45,7 @@ export enum CommentType {
 export const ContextTypeUserRt = rt.type({
   comment: rt.string,
   type: rt.literal(CommentType.user),
-  owner: rt.string,
+  [OWNER_FIELD]: rt.string,
 });
 
 /**
@@ -60,7 +61,7 @@ export const AlertCommentRequestRt = rt.type({
     id: rt.union([rt.string, rt.null]),
     name: rt.union([rt.string, rt.null]),
   }),
-  owner: rt.string,
+  [OWNER_FIELD]: rt.string,
 });
 
 const AttributesTypeUserRt = rt.intersection([ContextTypeUserRt, CommentAttributesBasicRt]);

x-pack/plugins/cases/common/api/cases/configure.ts

@@ -10,17 +10,20 @@ import * as rt from 'io-ts';
 import { UserRT } from '../user';
 import { CaseConnectorRt, ConnectorMappingsRt, ESCaseConnector } from '../connectors';
 import { OmitProp } from '../runtime_types';
+import { OWNER_FIELD } from './constants';
 
 // TODO: we will need to add this type rt.literal('close-by-third-party')
 const ClosureTypeRT = rt.union([rt.literal('close-by-user'), rt.literal('close-by-pushing')]);
 
 const CasesConfigureBasicRt = rt.type({
   connector: CaseConnectorRt,
   closure_type: ClosureTypeRT,
-  owner: rt.string,
+  [OWNER_FIELD]: rt.string,
 });
 
-const CasesConfigureBasicWithoutOwnerRt = rt.type(OmitProp(CasesConfigureBasicRt.props, 'owner'));
+const CasesConfigureBasicWithoutOwnerRt = rt.type(
+  OmitProp(CasesConfigureBasicRt.props, OWNER_FIELD)
+);
 
 export const CasesConfigureRequestRt = CasesConfigureBasicRt;
 export const CasesConfigurePatchRt = rt.intersection([
@@ -45,12 +48,12 @@ export const CaseConfigureResponseRt = rt.intersection([
     id: rt.string,
     version: rt.string,
     error: rt.union([rt.string, rt.null]),
-    owner: rt.string,
+    [OWNER_FIELD]: rt.string,
   }),
 ]);
 
 export const GetConfigureFindRequestRt = rt.partial({
-  owner: rt.union([rt.array(rt.string), rt.string]),
+  [OWNER_FIELD]: rt.union([rt.array(rt.string), rt.string]),
 });
 
 export const CaseConfigureRequestParamsRt = rt.type({

x-pack/plugins/cases/common/api/cases/constants.ts

@@ -0,0 +1,11 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+/**
+ * The field used for authorization in various entities within cases.
+ */
+export const OWNER_FIELD = 'owner';

x-pack/plugins/cases/common/api/cases/index.ts

@@ -11,3 +11,4 @@ export * from './comment';
 export * from './status';
 export * from './user_actions';
 export * from './sub_case';
+export * from './constants';

x-pack/plugins/cases/common/api/cases/sub_case.ts

@@ -10,6 +10,7 @@ import * as rt from 'io-ts';
 import { NumberFromString } from '../saved_object';
 import { UserRT } from '../user';
 import { CommentResponseRt } from './comment';
+import { OWNER_FIELD } from './constants';
 import { CasesStatusResponseRt } from './status';
 import { CaseStatusRt } from './status';
 
@@ -26,6 +27,7 @@ export const SubCaseAttributesRt = rt.intersection([
     created_by: rt.union([UserRT, rt.null]),
     updated_at: rt.union([rt.string, rt.null]),
     updated_by: rt.union([UserRT, rt.null]),
+    [OWNER_FIELD]: rt.string,
   }),
 ]);
 

x-pack/plugins/cases/common/api/cases/user_actions.ts

@@ -6,6 +6,7 @@
  */
 
 import * as rt from 'io-ts';
+import { OWNER_FIELD } from './constants';
 
 import { UserRT } from '../user';
 
@@ -22,7 +23,7 @@ const UserActionFieldTypeRt = rt.union([
   rt.literal('status'),
   rt.literal('settings'),
   rt.literal('sub_case'),
-  rt.literal('owner'),
+  rt.literal(OWNER_FIELD),
 ]);
 const UserActionFieldRt = rt.array(UserActionFieldTypeRt);
 const UserActionRt = rt.union([
@@ -41,6 +42,7 @@ const CaseUserActionBasicRT = rt.type({
   action_by: UserRT,
   new_value: rt.union([rt.string, rt.null]),
   old_value: rt.union([rt.string, rt.null]),
+  [OWNER_FIELD]: rt.string,
 });
 
 const CaseUserActionResponseRT = rt.intersection([

x-pack/plugins/cases/common/api/connectors/mappings.ts

@@ -6,6 +6,7 @@
  */
 
 import * as rt from 'io-ts';
+import { OWNER_FIELD } from '../cases/constants';
 
 const ActionTypeRT = rt.union([
   rt.literal('append'),
@@ -31,7 +32,7 @@ export const ConnectorMappingsAttributesRT = rt.type({
 
 export const ConnectorMappingsRt = rt.type({
   mappings: rt.array(ConnectorMappingsAttributesRT),
-  owner: rt.string,
+  [OWNER_FIELD]: rt.string,
 });
 
 export type ConnectorMappingsAttributes = rt.TypeOf<typeof ConnectorMappingsAttributesRT>;

x-pack/plugins/cases/server/authorization/index.ts

@@ -10,6 +10,7 @@ import {
   CASE_COMMENT_SAVED_OBJECT,
   CASE_CONFIGURE_SAVED_OBJECT,
   CASE_SAVED_OBJECT,
+  CASE_USER_ACTION_SAVED_OBJECT,
 } from '../../common/constants';
 import { Verbs, ReadOperations, WriteOperations, OperationDetails } from './types';
 
@@ -101,6 +102,14 @@ export const Operations: Record<ReadOperations | WriteOperations, OperationDetai
     docType: 'case',
     savedObjectType: CASE_SAVED_OBJECT,
   },
+  [WriteOperations.PushCase]: {
+    type: EVENT_TYPES.change,
+    name: WriteOperations.PushCase,
+    action: 'push-case',
+    verbs: updateVerbs,
+    docType: 'case',
+    savedObjectType: CASE_SAVED_OBJECT,
+  },
   [WriteOperations.CreateConfiguration]: {
     type: EVENT_TYPES.creation,
     name: WriteOperations.CreateConfiguration,
@@ -214,4 +223,22 @@ export const Operations: Record<ReadOperations | WriteOperations, OperationDetai
     docType: 'comments',
     savedObjectType: CASE_COMMENT_SAVED_OBJECT,
   },
+  // stats operations
+  [ReadOperations.GetCaseStatuses]: {
+    type: EVENT_TYPES.access,
+    name: ACCESS_CASE_OPERATION,
+    action: 'find-case-statuses',
+    verbs: accessVerbs,
+    docType: 'cases',
+    savedObjectType: CASE_SAVED_OBJECT,
+  },
+  // user actions operations
+  [ReadOperations.GetUserActions]: {
+    type: EVENT_TYPES.access,
+    name: ReadOperations.GetUserActions,
+    action: 'get-user-actions',
+    verbs: accessVerbs,
+    docType: 'user actions',
+    savedObjectType: CASE_USER_ACTION_SAVED_OBJECT,
+  },
 };

x-pack/plugins/cases/server/authorization/types.ts

@@ -29,12 +29,14 @@ export type GetSpaceFn = (request: KibanaRequest) => Promise<Space | undefined>;
 export enum ReadOperations {
   GetCase = 'getCase',
   FindCases = 'findCases',
+  GetCaseStatuses = 'getCaseStatuses',
   GetComment = 'getComment',
   GetAllComments = 'getAllComments',
   FindComments = 'findComments',
   GetTags = 'getTags',
   GetReporters = 'getReporters',
   FindConfigurations = 'findConfigurations',
+  GetUserActions = 'getUserActions',
 }
 
 /**
@@ -47,6 +49,7 @@ export enum WriteOperations {
   CreateCase = 'createCase',
   DeleteCase = 'deleteCase',
   UpdateCase = 'updateCase',
+  PushCase = 'pushCase',
   CreateComment = 'createComment',
   DeleteAllComments = 'deleteAllComments',
   DeleteComment = 'deleteComment',

x-pack/plugins/cases/server/authorization/utils.ts

@@ -7,11 +7,12 @@
 
 import { remove, uniq } from 'lodash';
 import { nodeBuilder, KueryNode } from '../../../../../src/plugins/data/common';
+import { OWNER_FIELD } from '../../common/api';
 
 export const getOwnersFilter = (savedObjectType: string, owners: string[]): KueryNode => {
   return nodeBuilder.or(
     owners.reduce<KueryNode[]>((query, owner) => {
-      ensureFieldIsSafeForQuery('owner', owner);
+      ensureFieldIsSafeForQuery(OWNER_FIELD, owner);
       query.push(nodeBuilder.is(`${savedObjectType}.attributes.owner`, owner));
       return query;
     }, [])
@@ -53,5 +54,5 @@ export const includeFieldsRequiredForAuthentication = (fields?: string[]): strin
   if (fields === undefined) {
     return;
   }
-  return uniq([...fields, 'owner']);
+  return uniq([...fields, OWNER_FIELD]);
 };

x-pack/plugins/cases/server/client/attachments/add.ts

@@ -105,6 +105,7 @@ async function getSubCase({
         subCaseId: newSubCase.id,
         fields: ['status', 'sub_case'],
         newValue: JSON.stringify({ status: newSubCase.attributes.status }),
+        owner: newSubCase.attributes.owner,
       }),
     ],
   });
@@ -222,6 +223,7 @@ const addGeneratedAlerts = async (
           commentId: newComment.id,
           fields: ['comment'],
           newValue: JSON.stringify(query),
+          owner: newComment.attributes.owner,
         }),
       ],
     });
@@ -396,6 +398,7 @@ export const addComment = async (
           commentId: newComment.id,
           fields: ['comment'],
           newValue: JSON.stringify(query),
+          owner: newComment.attributes.owner,
         }),
       ],
     });

x-pack/plugins/cases/server/client/attachments/delete.ts

@@ -95,6 +95,7 @@ export async function deleteAll(
           subCaseId: subCaseID,
           commentId: comment.id,
           fields: ['comment'],
+          owner: comment.attributes.owner,
         })
       ),
     });
@@ -167,6 +168,7 @@ export async function deleteComment(
           subCaseId: subCaseID,
           commentId: attachmentID,
           fields: ['comment'],
+          owner: myComment.attributes.owner,
         }),
       ],
     });

x-pack/plugins/cases/server/client/attachments/update.ts

@@ -181,6 +181,7 @@ export async function update(
             // myComment.attribute contains also CommentAttributesBasicRt attributes
             pick(Object.keys(queryRestAttributes), myComment.attributes)
           ),
+          owner: myComment.attributes.owner,
         }),
       ],
     });

x-pack/plugins/cases/server/client/cases/create.ts

@@ -20,6 +20,7 @@ import {
   CasesClientPostRequestRt,
   CasePostRequest,
   CaseType,
+  OWNER_FIELD,
 } from '../../../common/api';
 import { buildCaseUserActionItem } from '../../services/user_actions/helpers';
 import { ensureAuthorized, getConnectorFromConfiguration } from '../utils';
@@ -108,8 +109,9 @@ export const create = async (
           actionAt: createdDate,
           actionBy: { username, full_name, email },
           caseId: newCase.id,
-          fields: ['description', 'status', 'tags', 'title', 'connector', 'settings', 'owner'],
+          fields: ['description', 'status', 'tags', 'title', 'connector', 'settings', OWNER_FIELD],
           newValue: JSON.stringify(query),
+          owner: newCase.attributes.owner,
         }),
       ],
     });

x-pack/plugins/cases/server/client/cases/delete.ts

@@ -14,6 +14,7 @@ import { AttachmentService, CaseService } from '../../services';
 import { buildCaseUserActionItem } from '../../services/user_actions/helpers';
 import { Operations } from '../../authorization';
 import { ensureAuthorized } from '../utils';
+import { OWNER_FIELD } from '../../../common/api';
 
 async function deleteSubCases({
   attachmentService,
@@ -133,23 +134,24 @@ export async function deleteCases(ids: string[], clientArgs: CasesClientArgs): P
 
     await userActionService.bulkCreate({
       soClient,
-      actions: ids.map((id) =>
+      actions: cases.saved_objects.map((caseInfo) =>
         buildCaseUserActionItem({
           action: 'delete',
           actionAt: deleteDate,
           actionBy: user,
-          caseId: id,
+          caseId: caseInfo.id,
           fields: [
             'description',
             'status',
             'tags',
             'title',
             'connector',
             'settings',
-            'owner',
+            OWNER_FIELD,
             'comment',
             ...(ENABLE_CASE_CONNECTOR ? ['sub_case'] : []),
           ],
+          owner: caseInfo.attributes.owner,
         })
       ),
     });