

Bypass permission check if no principals
Signed-off-by: gaobinlong <gbinlong@amazon.com>
gaobinlong committed Sep 22, 2023
1 parent a2abcf2 commit 28521c8
Showing 2 changed files with 225 additions and 47 deletions.
225 changes: 194 additions & 31 deletions src/core/server/saved_objects/permission_control/acl.test.ts
Expand Up @@ -5,9 +5,7 @@

import { Principals, Permissions, ACL } from './acl';

describe('SavedObjectTypeRegistry', () => {
let acl: ACL;

describe('acl', () => {
it('test has permission', () => {
const principals: Principals = {
users: ['user1'],
Expand All @@ -16,53 +14,79 @@ describe('SavedObjectTypeRegistry', () => {
const permissions: Permissions = {
read: principals,
};
acl = new ACL(permissions);
const acl = new ACL(permissions);
expect(
acl.hasPermission(['read'], {
users: ['user1'],
groups: [],
})
).toEqual(true);

expect(
acl.hasPermission(['read'], {
users: ['user2'],
groups: [],
})
).toEqual(false);

expect(
acl.hasPermission([], {
users: ['user2'],
groups: [],
})
).toEqual(false);

const nullValue: unknown = undefined;
expect(acl.hasPermission(['read'], nullValue as Principals)).toEqual(false);
expect(acl.hasPermission(['read'], {})).toEqual(false);

acl.resetPermissions();
expect(acl.hasPermission(['read'], nullValue as Principals)).toEqual(true);
expect(acl.hasPermission(['read'], {})).toEqual(true);
expect(acl.hasPermission(['read'], principals)).toEqual(false);
});

it('test add permission', () => {
acl = new ACL();
const result1 = acl
const acl = new ACL();
let result = acl
.addPermission(['read'], {
users: ['user1'],
groups: [],
})
.getPermissions();
expect(result1?.read?.users).toEqual(['user1']);
expect(result?.read?.users).toEqual(['user1']);

acl.resetPermissions();
const result2 = acl
result = acl
.addPermission(['write', 'management'], {
users: ['user2'],
groups: ['group1', 'group2'],
})
.getPermissions();
expect(result2?.write?.users).toEqual(['user2']);
expect(result2?.management?.groups).toEqual(['group1', 'group2']);
expect(result?.write?.users).toEqual(['user2']);
expect(result?.management?.groups).toEqual(['group1', 'group2']);

acl.resetPermissions();
const nullValue: unknown = undefined;
result = acl.addPermission([], nullValue as Principals).getPermissions();
expect(result).toEqual({});

acl.resetPermissions();
result = acl.addPermission(nullValue as string[], {} as Principals).getPermissions();
expect(result).toEqual({});
});

it('test remove permission', () => {
const principals1: Principals = {
let principals: Principals = {
users: ['user1'],
groups: ['group1', 'group2'],
};
const permissions1 = {
read: principals1,
write: principals1,
let permissions = {
read: principals,
write: principals,
};
acl = new ACL(permissions1);
const result1 = acl
let acl = new ACL(permissions);
let result = acl
.removePermission(['read'], {
users: ['user1'],
groups: [],
Expand All @@ -71,32 +95,47 @@ describe('SavedObjectTypeRegistry', () => {
users: [],
groups: ['group2'],
})
.removePermission(['write'], {
users: ['user3'],
groups: ['group3'],
})
.removePermission(['library_write'], {
users: ['user1'],
groups: ['group1'],
})
.getPermissions();
expect(result1?.read?.users).toEqual([]);
expect(result1?.write?.groups).toEqual(['group1']);
expect(result?.read?.users).toEqual([]);
expect(result?.write?.groups).toEqual(['group1']);

const principals2: Principals = {
principals = {
users: ['*'],
groups: ['*'],
};

const permissions2 = {
read: principals2,
write: principals2,
permissions = {
read: principals,
write: principals,
};

acl = new ACL(permissions2);
const result2 = acl
acl = new ACL(permissions);
result = acl
.removePermission(['read', 'write'], {
users: ['user1'],
groups: ['group1'],
})
.getPermissions();
expect(result2?.read?.users).toEqual(['*']);
expect(result2?.write?.groups).toEqual(['*']);
expect(result?.read?.users).toEqual(['*']);
expect(result?.write?.groups).toEqual(['*']);

acl.resetPermissions();
const nullValue: unknown = undefined;
result = acl.removePermission([], nullValue as Principals).getPermissions();
expect(result).toEqual({});

acl.resetPermissions();
result = acl.removePermission(nullValue as string[], principals).getPermissions();
expect(result).toEqual({});
});

it('test transform permission', () => {
it('test toFlatList', () => {
const principals: Principals = {
users: ['user1'],
groups: ['group1', 'group2'],
Expand All @@ -105,7 +144,7 @@ describe('SavedObjectTypeRegistry', () => {
read: principals,
write: principals,
};
acl = new ACL(permissions);
const acl = new ACL(permissions);
const result = acl.toFlatList();
expect(result).toHaveLength(3);
expect(result).toEqual(
Expand All @@ -120,11 +159,55 @@ describe('SavedObjectTypeRegistry', () => {
});

it('test generate query DSL', () => {
const nullValue: unknown = undefined;
let result = ACL.generateGetPermittedSavedObjectsQueryDSL(['read'], nullValue as Principals);
expect(result).toEqual({
query: {
bool: {
filter: [
{
bool: {
should: [],
},
},
],
},
},
});

result = ACL.generateGetPermittedSavedObjectsQueryDSL(['read'], {}, 'workspace');
expect(result).toEqual({
query: {
bool: {
filter: [
{
bool: {
should: [],
},
},
{
terms: {
type: ['workspace'],
},
},
],
},
},
});

const principals = {
users: ['user1'],
groups: ['group1'],
};
const result = ACL.generateGetPermittedSavedObjectsQueryDSL(['read'], principals, 'workspace');

result = ACL.generateGetPermittedSavedObjectsQueryDSL(nullValue as string[], principals);
expect(result).toEqual({
query: {
match_none: {},
},
});

result = ACL.generateGetPermittedSavedObjectsQueryDSL(['read'], principals, 'workspace');
expect(result).toEqual({
query: {
bool: {
Expand Down Expand Up @@ -164,5 +247,85 @@ describe('SavedObjectTypeRegistry', () => {
},
},
});

result = ACL.generateGetPermittedSavedObjectsQueryDSL(['read'], principals, [
'workspace',
'index-pattern',
]);
expect(result).toEqual({
query: {
bool: {
filter: [
{
bool: {
should: [
{
terms: {
'permissions.read.users': ['user1'],
},
},
{
term: {
'permissions.read.users': '*',
},
},
{
terms: {
'permissions.read.groups': ['group1'],
},
},
{
term: {
'permissions.read.groups': '*',
},
},
],
},
},
{
terms: {
type: ['workspace', 'index-pattern'],
},
},
],
},
},
});

result = ACL.generateGetPermittedSavedObjectsQueryDSL(['read'], principals);
expect(result).toEqual({
query: {
bool: {
filter: [
{
bool: {
should: [
{
terms: {
'permissions.read.users': ['user1'],
},
},
{
term: {
'permissions.read.users': '*',
},
},
{
terms: {
'permissions.read.groups': ['group1'],
},
},
{
term: {
'permissions.read.groups': '*',
},
},
],
},
},
],
},
},
});
});
});
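Review bot: The expectation for `ACL.generateGetPermittedSavedObjectsQueryDSL(['read'], nullValue as Principals)` pins a filter of `{ bool: { should: [] } }`, and as far as I know a bool query with no clauses matches every document in OpenSearch, so this case returns all saved objects rather than none — the fail-open that the commit title "Bypass permission check if no principals" describes — while the same function with undefined permission types is pinned to `match_none`. That asymmetry appears deliberate per the title but nothing in the test says so; a comment above that first expectation, `// No principals means the caller is not subject to ACL filtering: the empty bool clause matches everything (bypass), whereas missing permission types must match nothing.`, would keep the next reader from "fixing" it into match_none. The hasPermission test shows the same bypass only after `resetPermissions()` (undefined and `{}` principals are true, a named user is false) while an ACL that holds permissions returns false for undefined principals; if that contrast is intended it deserves a one-line comment there as well. The implementation file changed by this commit is not shown on this page, so these observations rest on the test expectations alone.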
