diff --git a/packages/kbn-es/src/serverless_resources/README.md b/packages/kbn-es/src/serverless_resources/README.md index 8ead2197be3ea..0af28f82a1dec 100644 --- a/packages/kbn-es/src/serverless_resources/README.md +++ b/packages/kbn-es/src/serverless_resources/README.md @@ -2,6 +2,15 @@ The resources in this directory are used for seeding Elasticsearch Serverless images with users, roles and tokens for SSL and authentication. Serverless requires file realm authentication, so we will bind mount them into the containers at `/usr/share/elasticsearch/config/`. +## Roles + +Roles defined in `roles.yml` intended to mock a Serverless deployment. It must be in sync with `project-controller` defined roles and used in real (MKI) environments. In case of some differences tests may pass against Serverless snapshot environment but fail against MKI environments creating confusion. + +### Why `security_roles.json` is here? + +`security_roles.json` is a subset of defined in `roles.yml` roles in a JSON format and extended with necessary fields +to be compatible with `/api/security/role/{roleName}` endpoint. It's consumed by test environments like Cypress to be able to run different scenarios. + ## Users ### Default user diff --git a/packages/kbn-es/src/serverless_resources/security_roles.json b/packages/kbn-es/src/serverless_resources/security_roles.json new file mode 100644 index 0000000000000..5ac286a41c164 --- /dev/null +++ b/packages/kbn-es/src/serverless_resources/security_roles.json 
@@ -0,0 +1,353 @@
+{
+ "t1_analyst": {
+ "name": "t1_analyst",
+ "elasticsearch": {
+ "cluster": [],
+ "indices": [
+ {
+ "names": [".alerts-security*", ".siem-signals-*"],
+ "privileges": ["read", "write", "maintenance"]
+ },
+ {
+ "names": [
+ "apm-*-transaction*",
+ "traces-apm*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "logs-*",
+ "packetbeat-*",
+ "winlogbeat-*",
+ "metrics-endpoint.metadata_current_*",
+ ".fleet-agents*",
+ ".fleet-actions*"
+ ],
+ "privileges": ["read"]
+ }
+ ],
+ "run_as": []
+ },
+ "kibana": [
+ {
+ "feature": {
+ "ml": ["read"],
+ "siem": ["read", "read_alerts"],
+ "securitySolutionAssistant": ["all"],
+ "securitySolutionCases": ["read"],
+ "actions": ["read"],
+ "builtInAlerts": ["read"]
+ },
+ "spaces": ["*"],
+ "base": []
+ }
+ ]
+ },
+ "t2_analyst": {
+ "name": "t2_analyst",
+ "elasticsearch": {
+ "cluster": [],
+ "indices": [
+ {
+ "names": [".alerts-security*", ".siem-signals-*"],
+ "privileges": ["read", "write", "maintenance"]
+ },
+ {
+ "names": [
+ ".lists*",
+ ".items*",
+ "apm-*-transaction*",
+ "traces-apm*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "logs-*",
+ "packetbeat-*",
+ "winlogbeat-*",
+ "metrics-endpoint.metadata_current_*",
+ ".fleet-agents*",
+ ".fleet-actions*"
+ ],
+ "privileges": ["read"]
+ }
+ ],
+ "run_as": []
+ },
+ "kibana": [
+ {
+ "feature": {
+ "ml": ["read"],
+ "siem": ["read", "read_alerts"],
+ "securitySolutionAssistant": ["all"],
+ "securitySolutionCases": ["read"],
+ "actions": ["read"],
+ "builtInAlerts": ["read"]
+ },
+ "spaces": ["*"],
+ "base": []
+ }
+ ]
+ },
+ "t3_analyst": {
+ "name": "t3_analyst",
+ "elasticsearch": {
+ "cluster": [],
+ "indices": [
+ {
+ "names": [
+ "apm-*-transaction*",
+ "traces-apm*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "logs-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "privileges": ["read", "write"]
+ },
+ {
+ "names": [".alerts-security*", ".siem-signals-*"],
+ "privileges": ["read", "write"]
+ },
+ {
+ "names": [".lists*", ".items*"],
+ "privileges": ["read", "write"]
+ },
+ {
+ "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"],
+ "privileges": ["read"]
+ }
+ ],
+ "run_as": []
+ },
+ "kibana": [
+ {
+ "feature": {
+ "ml": ["read"],
+ "siem": [
+ "all",
+ "read_alerts",
+ "crud_alerts",
+ "endpoint_list_all",
+ "trusted_applications_all",
+ "event_filters_all",
+ "host_isolation_exceptions_all",
+ "blocklist_all",
+ "policy_management_read",
+ "host_isolation_all",
+ "process_operations_all",
+ "actions_log_management_all",
+ "file_operations_all"
+ ],
+ "securitySolutionCases": ["all"],
+ "actions": ["read"],
+ "builtInAlerts": ["all"],
+ "osquery": ["all"]
+ },
+ "spaces": ["*"],
+ "base": []
+ }
+ ]
+ },
+ "rule_author": {
+ "name": "rule_author",
+ "elasticsearch": {
+ "cluster": [],
+ "indices": [
+ {
+ "names": [
+ "apm-*-transaction*",
+ "traces-apm*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "logs-*",
+ "packetbeat-*",
+ "winlogbeat-*",
+ ".lists*",
+ ".items*"
+ ],
+ "privileges": ["read", "write"]
+ },
+ {
+ "names": [
+ ".alerts-security*",
+ ".preview.alerts-security*",
+ ".internal.preview.alerts-security*",
+ ".siem-signals-*"
+ ],
+ "privileges": ["read", "write", "maintenance", "view_index_metadata"]
+ },
+ {
+ "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"],
+ "privileges": ["read"]
+ }
+ ],
+ "run_as": []
+ },
+ "kibana": [
+ {
+ "feature": {
+ "ml": ["read"],
+ "siem": ["all", "read_alerts", "crud_alerts"],
+ "securitySolutionAssistant": ["all"],
+ "securitySolutionCases": ["all"],
+ "actions": ["read"],
+ "builtInAlerts": ["all"]
+ },
+ "spaces": ["*"],
+ "base": []
+ }
+ ]
+ },
+ "soc_manager": {
+ "name": "soc_manager",
+ "elasticsearch": {
+ "cluster": [],
+ "indices": [
+ {
+ "names": [
+ "apm-*-transaction*",
+ "traces-apm*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "logs-*",
+ "packetbeat-*",
+ "winlogbeat-*",
+ ".lists*",
+ ".items*"
+ ],
+ "privileges": ["read", "write"]
+ },
+ {
+ "names": [
+ ".alerts-security*",
+ ".preview.alerts-security*",
+ ".internal.preview.alerts-security*",
+ ".siem-signals-*"
+ ],
+ "privileges": ["read", "write", "manage"]
+ },
+ {
+ "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"],
+ "privileges": ["read"]
+ }
+ ],
+ "run_as": []
+ },
+ "kibana": [
+ {
+ "feature": {
+ "ml": ["read"],
+ "siem": ["all", "read_alerts", "crud_alerts"],
+ "securitySolutionAssistant": ["all"],
+ "securitySolutionCases": ["all"],
+ "actions": ["all"],
+ "builtInAlerts": ["all"]
+ },
+ "spaces": ["*"],
+ "base": []
+ }
+ ]
+ },
+ "detections_admin": {
+ "name": "detections_admin",
+ "elasticsearch": {
+ "cluster": ["manage"],
+ "indices": [
+ {
+ "names": [
+ ".siem-signals-*",
+ ".alerts-security*",
+ ".preview.alerts-security*",
+ ".internal.preview.alerts-security*",
+ ".lists*",
+ ".items*",
+ "apm-*-transaction*",
+ "traces-apm*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "logs-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "privileges": ["manage", "write", "read"]
+ },
+ {
+ "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"],
+ "privileges": ["read"]
+ }
+ ],
+ "run_as": []
+ },
+ "kibana": [
+ {
+ "feature": {
+ "ml": ["all"],
+ "siem": ["all", "read_alerts", "crud_alerts"],
+ "securitySolutionAssistant": ["all"],
+ "securitySolutionCases": ["all"],
+ "actions": ["read"],
+ "builtInAlerts": ["all"],
+ "dev_tools": ["all"]
+ },
+ "spaces": ["*"],
+ "base": []
+ }
+ ]
+ },
+ "platform_engineer": {
+ "name": "platform_engineer",
+ "elasticsearch": {
+ "cluster": ["manage"],
+ "indices": [
+ {
+ "names": [".lists*", ".items*"],
+ "privileges": ["all"]
+ },
+ {
+ "names": [
+ "apm-*-transaction*",
+ "traces-apm*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "logs-*",
+ "packetbeat-*",
+ "winlogbeat-*",
+ "metrics-endpoint.metadata_current_*",
+ ".fleet-agents*",
+ ".fleet-actions*"
+ ],
+ "privileges": ["all"]
+ },
+ {
+ "names": 
[ + ".alerts-security*", + ".preview.alerts-security*", + ".internal.preview.alerts-security*", + ".siem-signals-*" + ], + "privileges": ["all"] + } + ], + "run_as": [] + }, + "kibana": [ + { + "feature": { + "ml": ["all"], + "siem": ["all", "read_alerts", "crud_alerts"], + "securitySolutionAssistant": ["all"], + "securitySolutionCases": ["all"], + "actions": ["all"], + "builtInAlerts": ["all"] + }, + "spaces": ["*"], + "base": [] + } + ] + } +} diff --git a/packages/kbn-es/tsconfig.json b/packages/kbn-es/tsconfig.json index deece402b3794..75059c2ef69cd 100644 --- a/packages/kbn-es/tsconfig.json +++ b/packages/kbn-es/tsconfig.json @@ -3,19 +3,14 @@ "compilerOptions": { "outDir": "target/types" }, - "include": [ - "**/*.ts", - "**/*.js" - ], - "exclude": [ - "target/**/*", - ], + "include": ["**/*.ts", "**/*.js", "**/*.json"], + "exclude": ["target/**/*"], "kbn_references": [ "@kbn/tooling-log", "@kbn/dev-utils", "@kbn/dev-proc-runner", "@kbn/ci-stats-reporter", "@kbn/jest-serializers", - "@kbn/repo-info", + "@kbn/repo-info" ] } diff --git a/test/common/services/security/role.ts b/test/common/services/security/role.ts index 51b50a5dda82f..692a691cd87f4 100644 --- a/test/common/services/security/role.ts +++ b/test/common/services/security/role.ts @@ -18,7 +18,10 @@ export class Role { const { data, status, statusText } = await this.kibanaServer.request({ path: `/api/security/role/${name}`, method: 'PUT', - body: role, + body: { + kibana: role.kibana, + elasticsearch: role.elasticsearch, + }, retries: 0, }); if (status !== 204) { diff --git a/test/tsconfig.json b/test/tsconfig.json index fb20896356807..a763d6f6a44d6 100644 --- a/test/tsconfig.json +++ b/test/tsconfig.json @@ -70,6 +70,6 @@ "@kbn/core-http-common", "@kbn/event-annotation-plugin", "@kbn/event-annotation-common", - "@kbn/links-plugin" + "@kbn/links-plugin", ] } 
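Review bot: Nothing in this change checks that `security_roles.json` stays equal to the matching entries in `roles.yml` (not part of this diff), although the README hunk in the same commit says the definitions must be in sync; the privileges for all seven roles are copied by hand. A drifted copy means tests exercise a role whose privileges differ from the deployed one, so an authorization regression can pass unnoticed. A small unit test that loads both files and compares the `elasticsearch` and `kibana` sections role by role would catch this. One spot worth confirming against `roles.yml` now: `t3_analyst` is the only role in this file without a `securitySolutionAssistant` entry.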
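Review bot: The new `body` keeps only `kibana` and `elasticsearch`, so any other top-level field a caller passes in `role` is now dropped without notice, and the hunk does not say why. If the reason is that the role definition files carry a `name` key the endpoint would not accept (an inference from the new `security_roles.json`), a comment such as `// send only the sections the role API accepts; definitions also carry "name"` would record it. On the unchanged `path` line above, `name` goes into the URL unencoded; using `${encodeURIComponent(name)}` there keeps a role name with reserved characters from altering the request path. The enclosing method starts and ends outside the hunk.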
diff --git a/x-pack/plugins/security_solution/common/test/ess_roles.json b/x-pack/plugins/security_solution/common/test/ess_roles.json
new file mode 100644
index 0000000000000..d21fe90e2de02
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/test/ess_roles.json
@@ -0,0 +1,136 @@
+{
+ "reader": {
+ "name": "reader",
+ "elasticsearch": {
+ "cluster": [],
+ "indices": [
+ {
+ "names": [
+ ".siem-signals-*",
+ ".alerts-security*",
+ ".lists*",
+ ".items*",
+ "metrics-endpoint.metadata_current_*",
+ ".fleet-agents*",
+ ".fleet-actions*"
+ ],
+ "privileges": ["read"]
+ },
+ {
+ "names": ["*"],
+ "privileges": ["read", "maintenance", "view_index_metadata"]
+ }
+ ],
+ "run_as": []
+ },
+ "kibana": [
+ {
+ "feature": {
+ "ml": ["read"],
+ "siem": ["read", "read_alerts"],
+ "securitySolutionAssistant": ["none"],
+ "securitySolutionCases": ["read"],
+ "actions": ["read"],
+ "builtInAlerts": ["read"]
+ },
+ "spaces": ["*"],
+ "base": []
+ }
+ ]
+ },
+ "hunter": {
+ "name": "hunter",
+ "elasticsearch": {
+ "cluster": [],
+ "indices": [
+ {
+ "names": [
+ "apm-*-transaction*",
+ "traces-apm*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "logs-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "privileges": ["read", "write"]
+ },
+ {
+ "names": [".alerts-security*", ".siem-signals-*"],
+ "privileges": ["read", "write"]
+ },
+ {
+ "names": [".lists*", ".items*"],
+ "privileges": ["read", "write"]
+ },
+ {
+ "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"],
+ "privileges": ["read"]
+ }
+ ],
+ "run_as": []
+ },
+ "kibana": [
+ {
+ "feature": {
+ "ml": ["read"],
+ "siem": ["all", "read_alerts", "crud_alerts"],
+ "securitySolutionAssistant": ["all"],
+ "securitySolutionCases": ["all"],
+ "actions": ["read"],
+ "builtInAlerts": ["all"]
+ },
+ "spaces": ["*"],
+ "base": []
+ }
+ ]
+ },
+ "hunter_no_actions": {
+ "name": "hunter_no_actions",
+ "elasticsearch": {
+ "cluster": [],
+ "indices": [
+ {
+ "names": [
+ "apm-*-transaction*",
+ "traces-apm*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "logs-*",
+ "packetbeat-*",
+ "winlogbeat-*"
+ ],
+ "privileges": ["read", "write"]
+ },
+ {
+ "names": [".alerts-security*", ".siem-signals-*"],
+ "privileges": ["read", "write"]
+ },
+ {
+ "names": [".lists*", 
".items*"], + "privileges": ["read", "write"] + }, + { + "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"], + "privileges": ["read"] + } + ], + "run_as": [] + }, + "kibana": [ + { + "feature": { + "ml": ["read"], + "siem": ["all", "read_alerts", "crud_alerts"], + "securitySolutionAssistant": ["all"], + "securitySolutionCases": ["all"], + "builtInAlerts": ["all"] + }, + "spaces": ["*"], + "base": [] + } + ] + } +} diff --git a/x-pack/plugins/security_solution/common/test/index.ts b/x-pack/plugins/security_solution/common/test/index.ts index bb1d5e9db489a..ac2fd661320ce 100644 --- a/x-pack/plugins/security_solution/common/test/index.ts +++ b/x-pack/plugins/security_solution/common/test/index.ts @@ -5,17 +5,30 @@ * 2.0. */ -// For the source of these roles please consult the PR these were introduced https://github.com/elastic/kibana/pull/81866#issue-511165754 +import serverlessRoleDefinitions from '@kbn/es/src/serverless_resources/security_roles.json'; +import essRoleDefinitions from './ess_roles.json'; + +type ServerlessSecurityRoleName = keyof typeof serverlessRoleDefinitions; +type EssSecurityRoleName = keyof typeof essRoleDefinitions; + +export const KNOWN_SERVERLESS_ROLE_DEFINITIONS = serverlessRoleDefinitions; +export const KNOWN_ESS_ROLE_DEFINITIONS = essRoleDefinitions; + +export type SecurityRoleName = ServerlessSecurityRoleName | EssSecurityRoleName; + export enum ROLES { - soc_manager = 'soc_manager', - reader = 'reader', + // Serverless roles t1_analyst = 't1_analyst', t2_analyst = 't2_analyst', - hunter = 'hunter', - hunter_no_actions = 'hunter_no_actions', + t3_analyst = 't3_analyst', rule_author = 'rule_author', - platform_engineer = 'platform_engineer', + soc_manager = 'soc_manager', detections_admin = 'detections_admin', + platform_engineer = 'platform_engineer', + // ESS roles + reader = 'reader', + hunter = 'hunter', + hunter_no_actions = 'hunter_no_actions', } /** 
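Review bot: In `reader`, the second `indices` entry grants `read`, `maintenance` and `view_index_metadata` on `*`, which makes the explicit list in the first entry redundant and gives the nominally read-only test role read access to every non-restricted index. Tests run as `reader` therefore cannot detect a feature that reads an index the role was never meant to see. If the wildcard is carried over unchanged from an earlier definition, saying so in the README would help; otherwise narrowing it to the data-source patterns the other roles use (`logs-*`, `filebeat-*`, and so on) keeps the role least-privilege. `"securitySolutionAssistant": ["none"]` also differs from the `["all"]` or omitted forms used by every other role in this commit and is worth confirming as a value the role API accepts.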
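Review bot: `ROLES` is still maintained by hand while `SecurityRoleName` is derived from the JSON keys, so a role added to either JSON file and not to the enum compiles without complaint. A one-line compile-time check such as `const rolesCoverDefinitions: Record<SecurityRoleName, string> = ROLES;` would fail the build when the enum misses a defined role. The exported `KNOWN_SERVERLESS_ROLE_DEFINITIONS`, `KNOWN_ESS_ROLE_DEFINITIONS` and `SecurityRoleName` have no doc comments; a short TSDoc line on each, naming the file it mirrors and stating that these are test fixtures, would replace the provenance comment this hunk removes. The import also reaches into `@kbn/es/src/serverless_resources/` rather than a package entry point, which ties this module to that package's internal layout.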
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/README.md b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/README.md deleted file mode 100644 index 3d6ac856a79ad..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/README.md +++ /dev/null @@ -1,13 +0,0 @@ -1. When first starting up elastic, detections will not be available until you visit the page with a SOC Manager role or Platform Engineer role -2. I gave the Hunter role "all" privileges for saved objects management and builtInAlerts so that they can create rules. -3. Rule Author has the ability to create rules and create value lists - -| Role | Data Sources | Security Solution ML Jobs/Results | Lists | Rules/Exceptions | Action Connectors | Signals/Alerts | -| :------------------------------------------: | :----------: | :-------------------------------: | :---------: | :--------------: | :---------------: | :------------------------------: | -| Reader (read-only user) | read | read | read | read | read | read | -| T1 Analyst | read | read | none | read | read | read, write | -| T2 Analyst | read | read | read | read | read | read, write | -| Hunter / T3 Analyst | read, write | read | read | read, write | read | read, write | -| Rule Author / Manager / Detections Engineer | read, write | read | read, write | read, write | read | read, write, view_index_metadata | -| SOC Manager | read, write | read | read, write | read, write | all | read, write, manage | -| Platform Engineer (data ingest, cluster ops) | read, write | all | all | read, write | all | all | diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/README.md b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/README.md deleted file mode 100644 index 2ebcedcc75d95..0000000000000 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/README.md +++ /dev/null @@ -1 +0,0 @@ -This user contains all the possible privileges listed in our detections privileges docs https://www.elastic.co/guide/en/security/current/detections-permissions-section.html This user has higher privileges than the Platform Engineer user diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/delete_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/delete_detections_user.sh deleted file mode 100755 index c8bcdb151e740..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/delete_detections_user.sh +++ /dev/null @@ -1,11 +0,0 @@ - -# -# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License -# 2.0; you may not use this file except in compliance with the Elastic License -# 2.0. -# - -curl -v -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\ - -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \ --XDELETE ${ELASTICSEARCH_URL}/_security/user/detections_admin diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/detections_role.json deleted file mode 100644 index 133083cec2601..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/detections_role.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "elasticsearch": { - "cluster": ["manage"], - "indices": [ - { - "names": [ - ".siem-signals-*", - ".alerts-security*", - ".preview.alerts-security*", - ".internal.preview.alerts-security*", - ".lists*", - ".items*", - "apm-*-transaction*", - "traces-apm*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "logs-*", - "packetbeat-*", - "winlogbeat-*" - ], - "privileges": ["manage", "write", "read"] - }, - { - "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"], - "privileges": ["read"] - } - ] - }, - "kibana": [ - { - "feature": { - "ml": ["all"], - "siem": ["all", "read_alerts", "crud_alerts"], - "securitySolutionAssistant": ["all"], - "securitySolutionCases": ["all"], - "actions": ["read"], - "builtInAlerts": ["all"], - "dev_tools": ["all"] - }, - "spaces": ["*"] - } - ] -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/detections_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/detections_user.json deleted file mode 100644 index 9910d9b516a20..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/detections_user.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "password": "changeme", - "roles": ["detections_admin"], - "full_name": "Detections User", - "email": "detections-user@example.com" -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/get_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/get_detections_role.sh deleted file mode 100755 index a29728642ed40..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/get_detections_role.sh +++ /dev/null 
@@ -1,11 +0,0 @@ - -# -# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License -# 2.0; you may not use this file except in compliance with the Elastic License -# 2.0. -# - -curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\ - -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \ --XGET ${KIBANA_URL}/api/security/role/detections_admin | jq -S . diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/index.ts deleted file mode 100644 index 5ed44652b5946..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/index.ts +++ /dev/null @@ -1,10 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import * as detectionsAdminUser from './detections_user.json'; -import * as detectionsAdminRole from './detections_role.json'; -export { detectionsAdminUser, detectionsAdminRole }; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/post_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/post_detections_role.sh deleted file mode 100755 index 56b3901700c8c..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/post_detections_role.sh +++ /dev/null 
@@ -1,12 +0,0 @@ - -# -# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License -# 2.0; you may not use this file except in compliance with the Elastic License -# 2.0. -# - -curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\ - -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \ --XPUT ${KIBANA_URL}/api/security/role/detections_admin \ --d @detections_role.json diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/post_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/post_detections_user.sh deleted file mode 100755 index 55f845128889b..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/post_detections_user.sh +++ /dev/null @@ -1,14 +0,0 @@ - -# -# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License -# 2.0; you may not use this file except in compliance with the Elastic License -# 2.0. -# - -USER=(${@:-./detections_user.json}) - -curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\ - -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \ - ${ELASTICSEARCH_URL}/_security/user/detections_admin \ --d @${USER} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/README.md b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/README.md deleted file mode 100644 index 1344c5bbb0891..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/README.md +++ /dev/null 
@@ -1,11 +0,0 @@ -This user can CRUD rules and signals. The main difference here is the user has - -```json -"builtInAlerts": ["all"], -``` - -privileges whereas the T1 and T2 have "read" privileges which prevents them from creating rules - -| Role | Data Sources | Security Solution ML Jobs/Results | Lists | Rules/Exceptions | Action Connectors | Signals/Alerts | -| :-----------------: | :----------: | :------------------: | :---: | :--------------: | :---------------: | :------------: | -| Hunter / T3 Analyst | read, write | read | read | read, write | read | read, write | diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/delete_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/delete_detections_user.sh deleted file mode 100755 index 595f0a49282d8..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/delete_detections_user.sh +++ /dev/null @@ -1,11 +0,0 @@ - -# -# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License -# 2.0; you may not use this file except in compliance with the Elastic License -# 2.0. -# - -curl -v -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\ - -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \ --XDELETE ${ELASTICSEARCH_URL}/_security/user/hunter diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/detections_role.json deleted file mode 100644 index 23a1256dac4aa..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/detections_role.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "elasticsearch": { - "cluster": [], - "indices": [ - { - "names": [ - "apm-*-transaction*", - "traces-apm*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "logs-*", - "packetbeat-*", - "winlogbeat-*" - ], - "privileges": ["read", "write"] - }, - { - "names": [".alerts-security*", ".siem-signals-*"], - "privileges": ["read", "write"] - }, - { - "names": [".lists*", ".items*"], - "privileges": ["read", "write"] - }, - { - "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"], - "privileges": ["read"] - } - ] - }, - "kibana": [ - { - "feature": { - "ml": ["read"], - "siem": ["all", "read_alerts", "crud_alerts"], - "securitySolutionAssistant": ["all"], - "securitySolutionCases": ["all"], - "actions": ["read"], - "builtInAlerts": ["all"] - }, - "spaces": ["*"] - } - ] -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/detections_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/detections_user.json deleted file mode 100644 index f9454cc0ad2fe..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/detections_user.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "password": "changeme", - "roles": ["hunter"], - "full_name": "Hunter", - "email": "detections-reader@example.com" -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/get_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/get_detections_role.sh deleted file mode 100755 index 7ec850ce220bb..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/get_detections_role.sh +++ /dev/null 
@@ -1,11 +0,0 @@ - -# -# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License -# 2.0; you may not use this file except in compliance with the Elastic License -# 2.0. -# - -curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\ - -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \ --XGET ${KIBANA_URL}/api/security/role/hunter | jq -S . diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/post_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/post_detections_role.sh deleted file mode 100755 index debffe0fcac4c..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/post_detections_role.sh +++ /dev/null @@ -1,14 +0,0 @@ - -# -# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License -# 2.0; you may not use this file except in compliance with the Elastic License -# 2.0. -# - -ROLE=(${@:-./detections_role.json}) - -curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\ - -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \ --XPUT ${KIBANA_URL}/api/security/role/hunter \ --d @${ROLE} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/post_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/post_detections_user.sh deleted file mode 100755 index ab2a053081394..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/post_detections_user.sh +++ /dev/null 
@@ -1,14 +0,0 @@ - -# -# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License -# 2.0; you may not use this file except in compliance with the Elastic License -# 2.0. -# - -USER=(${@:-./detections_user.json}) - -curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\ - -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \ - ${ELASTICSEARCH_URL}/_security/user/hunter \ --d @${USER} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/README.md b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/README.md deleted file mode 100644 index 7708972614098..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/README.md +++ /dev/null @@ -1,11 +0,0 @@ -This user can CRUD rules and signals. The main difference here is the user has - -```json -"builtInAlerts": ["all"], -``` - -privileges whereas the T1 and T2 have "read" privileges which prevents them from creating rules - -| Role | Data Sources | Security Solution ML Jobs/Results | Lists | Rules/Exceptions | Action Connectors | Signals/Alerts | -| :-----------------: | :----------: | :------------------: | :---: | :--------------: | :---------------: | :------------: | -| Hunter / T3 Analyst | read, write | read | read | read, write | none | read, write | diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/delete_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/delete_detections_user.sh deleted file mode 100755 index 8f2ffcb27f111..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/delete_detections_user.sh +++ /dev/null 
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -v -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XDELETE ${ELASTICSEARCH_URL}/_security/user/hunter_no_actions
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/detections_role.json
deleted file mode 100644
index 6b392c18f8caa..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/detections_role.json
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- "elasticsearch": {
- "cluster": [],
- "indices": [
- {
- "names": [
- "apm-*-transaction*",
- "traces-apm*",
- "auditbeat-*",
- "endgame-*",
- "filebeat-*",
- "logs-*",
- "packetbeat-*",
- "winlogbeat-*"
- ],
- "privileges": ["read", "write"]
- },
- {
- "names": [".alerts-security*", ".siem-signals-*"],
- "privileges": ["read", "write"]
- },
- {
- "names": [".lists*", ".items*"],
- "privileges": ["read", "write"]
- },
- {
- "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"],
- "privileges": ["read"]
- }
- ]
- },
- "kibana": [
- {
- "feature": {
- "ml": ["read"],
- "siem": ["all", "read_alerts", "crud_alerts"],
- "securitySolutionAssistant": ["all"],
- "securitySolutionCases": ["all"],
- "builtInAlerts": ["all"]
- },
- "spaces": ["*"]
- }
- ]
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/detections_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/detections_user.json
deleted file mode 100644
index c059863b3ca1f..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/detections_user.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "password": "changeme",
- "roles": ["hunter_no_actions"],
- "full_name": "Hunter No Actions",
- "email": "detections-reader@example.com"
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/get_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/get_detections_role.sh
deleted file mode 100755
index 49deae0c6c450..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/get_detections_role.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XGET ${KIBANA_URL}/api/security/role/hunter_no_actions | jq -S .
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/index.ts
deleted file mode 100644
index 16d50f9b59daa..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/index.ts
+++ /dev/null
@@ -1,10 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import * as hunterNoActionsUser from './detections_user.json';
-import * as hunterNoActionsRole from './detections_role.json';
-export { hunterNoActionsUser, hunterNoActionsRole };
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/post_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/post_detections_role.sh
deleted file mode 100755
index aa4f832649b08..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/post_detections_role.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-ROLE=(${@:-./detections_role.json})
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XPUT ${KIBANA_URL}/api/security/role/hunter_no_actions \
--d @${ROLE}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/post_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/post_detections_user.sh
deleted file mode 100755
index 4840cf3c903eb..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/post_detections_user.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-USER=(${@:-./detections_user.json})
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
- ${ELASTICSEARCH_URL}/_security/user/hunter_no_actions \
--d @${USER}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/index.ts
deleted file mode 100644
index 7bcef506a6671..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/index.ts
+++ /dev/null
@@ -1,16 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-export * from './detections_admin';
-export * from './hunter';
-export * from './hunter_no_actions';
-export * from './platform_engineer';
-export * from './reader';
-export * from './rule_author';
-export * from './soc_manager';
-export * from './t1_analyst';
-export * from './t2_analyst';
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/README.md b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/README.md
deleted file mode 100644
index b9173c973abab..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-essentially a superuser for security solution
-
-| Role | Data Sources | Security Solution ML Jobs/Results | Lists | Rules/Exceptions | Action Connectors | Signals/Alerts |
-| :------------------------------------------: | :----------: | :------------------: | :---: | :--------------: | :---------------: | :------------: |
-| Platform Engineer (data ingest, cluster ops) | all | all | all | read, write | all | all |
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/delete_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/delete_detections_user.sh
deleted file mode 100755
index cb2b0467f44ca..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/delete_detections_user.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -v -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XDELETE ${ELASTICSEARCH_URL}/_security/user/platform_engineer
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/detections_role.json
deleted file mode 100644
index 17b6e45f8c72d..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/detections_role.json
+++ /dev/null
@@ -1,49 +0,0 @@
-{
- "elasticsearch": {
- "cluster": ["manage"],
- "indices": [
- {
- "names": [".lists*", ".items*"],
- "privileges": ["all"]
- },
- {
- "names": [
- "apm-*-transaction*",
- "traces-apm*",
- "auditbeat-*",
- "endgame-*",
- "filebeat-*",
- "logs-*",
- "packetbeat-*",
- "winlogbeat-*",
- "metrics-endpoint.metadata_current_*",
- ".fleet-agents*",
- ".fleet-actions*"
- ],
- "privileges": ["all"]
- },
- {
- "names": [
- ".alerts-security*",
- ".preview.alerts-security*",
- ".internal.preview.alerts-security*",
- ".siem-signals-*"
- ],
- "privileges": ["all"]
- }
- ]
- },
- "kibana": [
- {
- "feature": {
- "ml": ["all"],
- "siem": ["all", "read_alerts", "crud_alerts"],
- "securitySolutionAssistant": ["all"],
- "securitySolutionCases": ["all"],
- "actions": ["all"],
- "builtInAlerts": ["all"]
- },
- "spaces": ["*"]
- }
- ]
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/detections_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/detections_user.json
deleted file mode 100644
index 8c4eab8b05e6e..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/detections_user.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "password": "changeme",
- "roles": ["platform_engineer"],
- "full_name": "platform engineer",
- "email": "detections-reader@example.com"
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/get_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/get_detections_role.sh
deleted file mode 100755
index 95fa058193b58..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/get_detections_role.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XGET ${KIBANA_URL}/api/security/role/platform_engineer | jq -S .
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/index.ts
deleted file mode 100644
index c017c970af35f..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/index.ts
+++ /dev/null
@@ -1,10 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import * as platformEngineerUser from './detections_user.json';
-import * as platformEngineerRole from './detections_role.json';
-export { platformEngineerUser, platformEngineerRole };
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/post_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/post_detections_role.sh
deleted file mode 100755
index 1272b309ca60b..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/post_detections_role.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-ROLE=(${@:-./detections_role.json})
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XPUT ${KIBANA_URL}/api/security/role/platform_engineer \
--d @${ROLE}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/post_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/post_detections_user.sh
deleted file mode 100755
index bc0f17f09455e..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/post_detections_user.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-USER=(${@:-./detections_user.json})
-
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
- ${ELASTICSEARCH_URL}/_security/user/platform_engineer \
--d @${USER}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/README.md b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/README.md
deleted file mode 100644
index 313ccdd9478e2..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-| Role | Data Sources | Security Solution ML Jobs/Results | Lists | Rules/Exceptions | Actions Connectors | Signals/Alerts |
-| :----: | :----------: | :-------------------------------: | :---: | :--------------: | :----------------: | :------------: |
-| Reader | read | read | read | read | read | read |
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/delete_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/delete_detections_user.sh
deleted file mode 100755
index 57704f7abf0d3..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/delete_detections_user.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -v -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XDELETE ${ELASTICSEARCH_URL}/_security/user/reader
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/detections_role.json
deleted file mode 100644
index 137091bc7f795..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/detections_role.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "elasticsearch": {
- "cluster": [],
- "indices": [
- {
- "names" : [
- ".siem-signals-*",
- ".alerts-security*",
- ".lists*",
- ".items*",
- "metrics-endpoint.metadata_current_*",
- ".fleet-agents*",
- ".fleet-actions*"
- ],
- "privileges" : ["read"]
- },
- {
- "names": [
- "*"
- ],
- "privileges": ["read", "maintenance", "view_index_metadata"]
- }
- ]
- },
- "kibana": [
- {
- "feature": {
- "ml": ["read"],
- "siem": ["read", "read_alerts"],
- "securitySolutionAssistant": ["none"],
- "securitySolutionCases": ["read"],
- "actions": ["read"],
- "builtInAlerts": ["read"]
- },
- "spaces": ["*"]
- }
- ]
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/detections_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/detections_user.json
deleted file mode 100644
index 25d514a1d738b..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/detections_user.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "password": "changeme",
- "roles": ["reader"],
- "full_name": "Reader",
- "email": "detections-reader@example.com"
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/get_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/get_detections_role.sh
deleted file mode 100755
index 37db6e10ced55..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/get_detections_role.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XGET ${KIBANA_URL}/api/security/role/reader | jq -S .
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/index.ts
deleted file mode 100644
index bde1710e25aa1..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/index.ts
+++ /dev/null
@@ -1,10 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import * as readerUser from './detections_user.json';
-import * as readerRole from './detections_role.json';
-export { readerUser, readerRole };
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/post_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/post_detections_role.sh
deleted file mode 100755
index 8805d641a8257..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/post_detections_role.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-# Uses a default if no argument is specified
-ROLE=(${@:-./detections_role.json})
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XPUT ${KIBANA_URL}/api/security/role/reader \
--d @${ROLE}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/post_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/post_detections_user.sh
deleted file mode 100755
index 8a93326a820b7..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/post_detections_user.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-USER=(${@:-./detections_user.json})
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
- ${ELASTICSEARCH_URL}/_security/user/reader \
--d @${USER}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/README.md b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/README.md
deleted file mode 100644
index 1d2ef736f580c..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-rule author has the same privileges as hunter with the additional privileges of uploading value lists
-
-| Role | Data Sources | Security Solution ML Jobs/Results | Lists | Rules/Exceptions | Action Connectors | Signals/Alerts |
-| :-----------------------------------------: | :----------: | :------------------: | :---------: | :--------------: | :---------------: | :------------------------------: |
-| Rule Author / Manager / Detections Engineer | read, write | read | read, write | read, write | read | read, write, view_index_metadata |
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/delete_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/delete_detections_user.sh
deleted file mode 100755
index 112657b1b5b8a..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/delete_detections_user.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -v -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XDELETE ${ELASTICSEARCH_URL}/_security/user/rule_author
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/detections_role.json
deleted file mode 100644
index dafe85548d4d0..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/detections_role.json
+++ /dev/null
@@ -1,48 +0,0 @@
-{
- "elasticsearch": {
- "cluster": [],
- "indices": [
- {
- "names": [
- "apm-*-transaction*",
- "traces-apm*",
- "auditbeat-*",
- "endgame-*",
- "filebeat-*",
- "logs-*",
- "packetbeat-*",
- "winlogbeat-*",
- ".lists*",
- ".items*"
- ],
- "privileges": ["read", "write"]
- },
- {
- "names": [
- ".alerts-security*",
- ".preview.alerts-security*",
- ".internal.preview.alerts-security*",
- ".siem-signals-*"
- ],
- "privileges": ["read", "write", "maintenance", "view_index_metadata"]
- },
- {
- "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"],
- "privileges": ["read"]
- }
- ]
- },
- "kibana": [
- {
- "feature": {
- "ml": ["read"],
- "siem": ["all", "read_alerts", "crud_alerts"],
- "securitySolutionAssistant": ["all"],
- "securitySolutionCases": ["all"],
- "actions": ["read"],
- "builtInAlerts": ["all"]
- },
- "spaces": ["*"]
- }
- ]
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/detections_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/detections_user.json
deleted file mode 100644
index ae08072b5890e..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/detections_user.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "password": "changeme",
- "roles": ["rule_author"],
- "full_name": "rule author",
- "email": "detections-reader@example.com"
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/get_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/get_detections_role.sh
deleted file mode 100755
index a4ab0a60400b6..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/get_detections_role.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XGET ${KIBANA_URL}/api/security/role/rule_author | jq -S .
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/index.ts
deleted file mode 100644
index 90efa9179bd10..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/index.ts
+++ /dev/null
@@ -1,10 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import * as ruleAuthorUser from './detections_user.json';
-import * as ruleAuthorRole from './detections_role.json';
-export { ruleAuthorUser, ruleAuthorRole };
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/post_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/post_detections_role.sh
deleted file mode 100755
index e78ae27fa1fbc..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/post_detections_role.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-ROLE=(${@:-./detections_role.json})
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XPUT ${KIBANA_URL}/api/security/role/rule_author \
--d @${ROLE}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/post_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/post_detections_user.sh
deleted file mode 100755
index 34b1f10ca6d47..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/post_detections_user.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-USER=(${@:-./detections_user.json})
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
- ${ELASTICSEARCH_URL}/_security/user/rule_author \
--d @${USER}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/README.md b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/README.md
deleted file mode 100644
index fef99dfed2fbb..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-SOC Manager has all of the privileges of a rule author role with the additional privilege of managing the signals index. It can't create the signals index though.
-
-| Role | Data Sources | Security Solution ML Jobs/Results | Lists | Rules/Exceptions | Action Connectors | Signals/Alerts |
-| :---------: | :----------: | :------------------: | :---------: | :--------------: | :---------------: | :-----------------: |
-| SOC Manager | read, write | read | read, write | read, write | all | read, write, manage |
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/delete_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/delete_detections_user.sh
deleted file mode 100755
index 1bf103592b682..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/delete_detections_user.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -v -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XDELETE ${ELASTICSEARCH_URL}/_security/user/soc_manager
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/detections_role.json
deleted file mode 100644
index 5e3aa868f6147..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/detections_role.json
+++ /dev/null
@@ -1,48 +0,0 @@
-{
- "elasticsearch": {
- "cluster": [],
- "indices": [
- {
- "names": [
- "apm-*-transaction*",
- "traces-apm*",
- "auditbeat-*",
- "endgame-*",
- "filebeat-*",
- "logs-*",
- "packetbeat-*",
- "winlogbeat-*",
- ".lists*",
- ".items*"
- ],
- "privileges": ["read", "write"]
- },
- {
- "names": [
- ".alerts-security*",
- ".preview.alerts-security*",
- ".internal.preview.alerts-security*",
- ".siem-signals-*"
- ],
- "privileges": ["read", "write", "manage"]
- },
- {
- "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"],
- "privileges": ["read"]
- }
- ]
- },
- "kibana": [
- {
- "feature": {
- "ml": ["read"],
- "siem": ["all", "read_alerts", "crud_alerts"],
- "securitySolutionAssistant": ["all"],
- "securitySolutionCases": ["all"],
- "actions": ["all"],
- "builtInAlerts": ["all"]
- },
- "spaces": ["*"]
- }
- ]
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/detections_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/detections_user.json
deleted file mode 100644
index 18c7cc2312bf5..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/detections_user.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "password": "changeme",
- "roles": ["soc_manager"],
- "full_name": "SOC manager",
- "email": "detections-reader@example.com"
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/get_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/get_detections_role.sh
deleted file mode 100755
index b6bf637bfc9d8..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/get_detections_role.sh
+++ /dev/null
@@ -1,11 +0,0 @@ - -# -# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License -# 2.0; you may not use this file except in compliance with the Elastic License -# 2.0. -# - -curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\ - -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \ --XGET ${KIBANA_URL}/api/security/role/soc_manager | jq -S . diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/index.ts deleted file mode 100644 index 4aea99753641d..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/index.ts +++ /dev/null @@ -1,10 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import * as socManagerUser from './detections_user.json'; -import * as socManagerRole from './detections_role.json'; -export { socManagerUser, socManagerRole }; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/post_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/post_detections_role.sh deleted file mode 100755 index bf7c19e2e3ab0..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/post_detections_role.sh +++ /dev/null 
@@ -1,15 +0,0 @@ - -# -# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License -# 2.0; you may not use this file except in compliance with the Elastic License -# 2.0. -# - -ROLE=(${@:-./detections_role.json}) - - -curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\ - -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \ --XPUT ${KIBANA_URL}/api/security/role/soc_manager \ --d @${ROLE} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/post_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/post_detections_user.sh deleted file mode 100755 index 447bf7ea7cb00..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/post_detections_user.sh +++ /dev/null @@ -1,15 +0,0 @@ - -# -# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License -# 2.0; you may not use this file except in compliance with the Elastic License -# 2.0. -# - -USER=(${@:-./detections_user.json}) - - -curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\ - -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \ - ${ELASTICSEARCH_URL}/_security/user/soc_manager \ --d @${USER} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/README.md b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/README.md deleted file mode 100644 index 9ba0deba763aa..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/README.md +++ /dev/null 
@@ -1,3 +0,0 @@ -| Role | Data Sources | Security Solution ML Jobs/Results | Lists | Rules/Exceptions | Actions Connectors | Signals/Alerts | -| :--------: | :----------: | :------------------: | :---: | :--------------: | :----------------: | :------------: | -| T1 Analyst | read | read | none | read | read | read, write | diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/delete_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/delete_detections_user.sh deleted file mode 100755 index d08b15e589bf1..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/delete_detections_user.sh +++ /dev/null @@ -1,11 +0,0 @@ - -# -# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License -# 2.0; you may not use this file except in compliance with the Elastic License -# 2.0. -# - -curl -v -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\ - -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \ --XDELETE ${ELASTICSEARCH_URL}/_security/user/t1_analyst diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/detections_role.json deleted file mode 100644 index d670fd9555f59..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/detections_role.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "elasticsearch": { - "cluster": [], - "indices": [ - { "names": [".alerts-security*", ".siem-signals-*"], "privileges": ["read", "write", "maintenance"] }, - { - "names": [ - "apm-*-transaction*", - "traces-apm*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "logs-*", - "packetbeat-*", - "winlogbeat-*", - "metrics-endpoint.metadata_current_*", - ".fleet-agents*", - ".fleet-actions*" - ], - "privileges": ["read"] - } - ] - }, - "kibana": [ - { - "feature": { - "ml": ["read"], - "siem": ["read", "read_alerts"], - "securitySolutionAssistant": ["all"], - "securitySolutionCases": ["read"], - "actions": ["read"], - "builtInAlerts": ["read"] - }, - "spaces": ["*"] - } - ] -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/detections_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/detections_user.json deleted file mode 100644 index 203abec8ad433..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/detections_user.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "password": "changeme", - "roles": ["t1_analyst"], - "full_name": "T1 Analyst", - "email": "detections-reader@example.com" -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/get_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/get_detections_role.sh deleted file mode 100755 index bbf34ece0d6be..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/get_detections_role.sh +++ /dev/null 
@@ -1,11 +0,0 @@ - -# -# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License -# 2.0; you may not use this file except in compliance with the Elastic License -# 2.0. -# - -curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\ - -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \ --XGET ${KIBANA_URL}/api/security/role/t1_analyst | jq -S . diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/index.ts deleted file mode 100644 index 402b29c9ffde2..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/index.ts +++ /dev/null @@ -1,10 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import * as t1AnalystUser from './detections_user.json'; -import * as t1AnalystRole from './detections_role.json'; -export { t1AnalystUser, t1AnalystRole }; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/post_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/post_detections_role.sh deleted file mode 100755 index c091b87f29153..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/post_detections_role.sh +++ /dev/null 
@@ -1,15 +0,0 @@ - -# -# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License -# 2.0; you may not use this file except in compliance with the Elastic License -# 2.0. -# - -# Uses a default if no argument is specified -ROLE=(${@:-./detections_role.json}) - -curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\ - -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \ --XPUT ${KIBANA_URL}/api/security/role/t1_analyst \ --d @${ROLE} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/post_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/post_detections_user.sh deleted file mode 100755 index 234ff7d005cf6..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/post_detections_user.sh +++ /dev/null @@ -1,14 +0,0 @@ - -# -# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License -# 2.0; you may not use this file except in compliance with the Elastic License -# 2.0. -# - -USER=(${@:-./detections_user.json}) - -curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\ - -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \ - ${ELASTICSEARCH_URL}/_security/user/t1_analyst \ --d @${USER} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/README.md b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/README.md deleted file mode 100644 index 3988e88870755..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/README.md +++ /dev/null 
@@ -1,5 +0,0 @@ -This role can view rules. Essentially there is no difference between a T1 and T2 analyst. - -| Role | Data Sources | Security Solution ML Jobs/Results | Lists | Rules/Exceptions | Action Connectors | Signals/Alerts | -| :--------: | :----------: | :------------------: | :---: | :--------------: | :---------------: | :------------: | -| T2 Analyst | read | read | read | read | read | read, write | diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/delete_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/delete_detections_user.sh deleted file mode 100755 index 6dccb0d8c6067..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/delete_detections_user.sh +++ /dev/null @@ -1,11 +0,0 @@ - -# -# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License -# 2.0; you may not use this file except in compliance with the Elastic License -# 2.0. -# - -curl -v -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\ - -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \ --XDELETE ${ELASTICSEARCH_URL}/_security/user/t2_analyst diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/detections_role.json deleted file mode 100644 index 4db91de93709a..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/detections_role.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "elasticsearch": { - "cluster": [], - "indices": [ - { - "names": [".alerts-security*", ".siem-signals-*"], - "privileges": ["read", "write", "maintenance"] - }, - { - "names": [ - ".lists*", - ".items*", - "apm-*-transaction*", - "traces-apm*", - "auditbeat-*", - "endgame-*", - "filebeat-*", - "logs-*", - "packetbeat-*", - "winlogbeat-*", - "metrics-endpoint.metadata_current_*", - ".fleet-agents*", - ".fleet-actions*" - ], - "privileges": ["read"] - } - ] - }, - "kibana": [ - { - "feature": { - "ml": ["read"], - "siem": ["read", "read_alerts"], - "securitySolutionAssistant": ["all"], - "securitySolutionCases": ["read"], - "actions": ["read"], - "builtInAlerts": ["read"] - }, - "spaces": ["*"] - } - ] -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/detections_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/detections_user.json deleted file mode 100644 index 3f5da2752314f..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/detections_user.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "password": "changeme", - "roles": ["t2_analyst"], - "full_name": "t2 analyst", - "email": "detections-reader@example.com" -} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/get_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/get_detections_role.sh deleted file mode 100755 index ce9149d8b9fc7..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/get_detections_role.sh +++ /dev/null 
@@ -1,11 +0,0 @@ - -# -# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License -# 2.0; you may not use this file except in compliance with the Elastic License -# 2.0. -# - -curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\ - -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \ --XGET ${KIBANA_URL}/api/security/role/t2_analyst | jq -S . diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/index.ts deleted file mode 100644 index 5ca611d2ea075..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/index.ts +++ /dev/null @@ -1,10 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import * as t2AnalystUser from './detections_user.json'; -import * as t2AnalystRole from './detections_role.json'; -export { t2AnalystUser, t2AnalystRole }; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/post_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/post_detections_role.sh deleted file mode 100755 index 4523b65b67cb7..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/post_detections_role.sh +++ /dev/null 
@@ -1,14 +0,0 @@ - -# -# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License -# 2.0; you may not use this file except in compliance with the Elastic License -# 2.0. -# - -ROLE=(${@:-./detections_role.json}) - -curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\ - -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \ --XPUT ${KIBANA_URL}/api/security/role/t2_analyst \ --d @${ROLE} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/post_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/post_detections_user.sh deleted file mode 100755 index 3a901490515af..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/post_detections_user.sh +++ /dev/null @@ -1,14 +0,0 @@ - -# -# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License -# 2.0; you may not use this file except in compliance with the Elastic License -# 2.0. -# - -USER=(${@:-./detections_user.json}) - -curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\ - -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \ - ${ELASTICSEARCH_URL}/_security/user/t2_analyst \ --d @${USER} diff --git a/x-pack/plugins/security_solution/tsconfig.json b/x-pack/plugins/security_solution/tsconfig.json index 59acd2f3422cb..16ad154a95d83 100644 --- a/x-pack/plugins/security_solution/tsconfig.json +++ b/x-pack/plugins/security_solution/tsconfig.json @@ -9,6 +9,7 @@ "server/**/*", "scripts/**/*", // have to declare *.json explicitly due to https://github.com/microsoft/TypeScript/issues/25636 + "common/**/*.json", "server/**/*.json", "scripts/**/*.json", "public/**/*.json", 
diff --git a/x-pack/test/common/services/security_solution/roles_users_utils.ts b/x-pack/test/common/services/security_solution/roles_users_utils.ts index f8e18fadc992e..f88a8de03eaf0 100644 --- a/x-pack/test/common/services/security_solution/roles_users_utils.ts +++ b/x-pack/test/common/services/security_solution/roles_users_utils.ts @@ -5,32 +5,17 @@ * 2.0. */ -import { assertUnreachable } from '@kbn/security-solution-plugin/common/utility_types'; import { - t1AnalystUser, - t2AnalystUser, - hunterUser, - hunterNoActionsUser, - ruleAuthorUser, - socManagerUser, - platformEngineerUser, - detectionsAdminUser, - readerUser, - t1AnalystRole, - t2AnalystRole, - hunterRole, - hunterNoActionsRole, - ruleAuthorRole, - socManagerRole, - platformEngineerRole, - detectionsAdminRole, - readerRole, -} from '@kbn/security-solution-plugin/server/lib/detection_engine/scripts/roles_users'; - -import { ROLES } from '@kbn/security-solution-plugin/common/test'; + KNOWN_ESS_ROLE_DEFINITIONS, + KNOWN_SERVERLESS_ROLE_DEFINITIONS, +} from '@kbn/security-solution-plugin/common/test'; +import type { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; import { FtrProviderContext } from '../../ftr_provider_context'; -export { ROLES }; +const KNOWN_ROLE_DEFINITIONS = { + ...KNOWN_SERVERLESS_ROLE_DEFINITIONS, + ...KNOWN_ESS_ROLE_DEFINITIONS, +}; /** * creates a security solution centric role and a user (both having the same name) 
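Review bot: The spread order in `KNOWN_ROLE_DEFINITIONS` silently decides which definition wins when a role name exists in both maps, and nothing here says that is intended. `security_roles.json` in this commit defines `t1_analyst`, `t2_analyst` and `t3_analyst` for Serverless; if the ESS map carries any of the same keys (not visible in this hunk), the ESS privileges replace the Serverless ones. An authorization test could then run against a different privilege set than its role name suggests. I would document the precedence with a comment such as `// ESS definitions take precedence when a role name exists in both maps`, or fail fast when the two maps define the same key with different privileges.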
@@ -39,45 +24,18 @@ export { ROLES }; */ export const createUserAndRole = async ( getService: FtrProviderContext['getService'], - role: ROLES + role: SecurityRoleName ): Promise => { - switch (role) { - case ROLES.detections_admin: - return postRoleAndUser( - ROLES.detections_admin, - detectionsAdminRole, - detectionsAdminUser, - getService - ); - case ROLES.t1_analyst: - return postRoleAndUser(ROLES.t1_analyst, t1AnalystRole, t1AnalystUser, getService); - case ROLES.t2_analyst: - return postRoleAndUser(ROLES.t2_analyst, t2AnalystRole, t2AnalystUser, getService); - case ROLES.hunter: - return postRoleAndUser(ROLES.hunter, hunterRole, hunterUser, getService); - case ROLES.hunter_no_actions: - return postRoleAndUser( - ROLES.hunter_no_actions, - hunterNoActionsRole, - hunterNoActionsUser, - getService - ); - case ROLES.rule_author: - return postRoleAndUser(ROLES.rule_author, ruleAuthorRole, ruleAuthorUser, getService); - case ROLES.soc_manager: - return postRoleAndUser(ROLES.soc_manager, socManagerRole, socManagerUser, getService); - case ROLES.platform_engineer: - return postRoleAndUser( - ROLES.platform_engineer, - platformEngineerRole, - platformEngineerUser, - getService - ); - case ROLES.reader: - return postRoleAndUser(ROLES.reader, readerRole, readerUser, getService); - default: - return assertUnreachable(role); - } + const securityService = getService('security'); + const roleDefinition = KNOWN_ROLE_DEFINITIONS[role]; + + await securityService.role.create(role, roleDefinition); + await securityService.user.create(role, { + password: 'changeme', + roles: [role], + full_name: role, + email: 'detections-reader@example.com', + }); }; /** 
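Review bot: `createUserAndRole` passes `KNOWN_ROLE_DEFINITIONS[role]` straight to `securityService.role.create`, and the runtime guard the removed `switch` had in `assertUnreachable(role)` is gone. A role name that reaches this function through a cast, or a key missing from both maps, would send `undefined` as the role body; a check such as `if (!roleDefinition) throw new Error('Unknown security role: ' + role);` before the create call keeps the failure explicit. Every user is also created with the fixed password `'changeme'`, including the more privileged roles. If this helper ever runs against a shared or long-lived deployment (the README in this commit mentions real MKI environments) and `deleteUserAndRole` is not reached after a failed test, an account with a well-known password is left behind. Taking the password from the test configuration, or generating one per run, would limit that exposure.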
@@ -88,53 +46,9 @@ export const createUserAndRole = async ( */ export const deleteUserAndRole = async ( getService: FtrProviderContext['getService'], - roleName: ROLES + roleName: SecurityRoleName ): Promise => { const securityService = getService('security'); await securityService.user.delete(roleName); await securityService.role.delete(roleName); }; - -interface UserInterface { - password: string; - roles: string[]; - full_name: string; - email: string; -} - -interface RoleInterface { - elasticsearch: { - cluster: string[]; - indices: Array<{ - names: string[]; - privileges: string[]; - }>; - }; - kibana: Array<{ - feature: { - ml: string[]; - siem: string[]; - actions?: string[]; - builtInAlerts: string[]; - }; - spaces: string[]; - }>; -} - -export const postRoleAndUser = async ( - roleName: string, - role: RoleInterface, - user: UserInterface, - getService: FtrProviderContext['getService'] -): Promise => { - const securityService = getService('security'); - await securityService.role.create(roleName, { - kibana: role.kibana, - elasticsearch: role.elasticsearch, - }); - await securityService.user.create(roleName, { - password: 'changeme', - full_name: user.full_name, - roles: user.roles, - }); -}; diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/read_privileges.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/read_privileges.ts index fa5453f07d22f..b95c6771367f4 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/read_privileges.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/read_privileges.ts 
@@ -77,71 +77,6 @@ export default ({ getService }: FtrProviderContext) => { }); }); - it('should return expected privileges for a "reader" user', async () => { - await createUserAndRole(getService, ROLES.reader); - const { body } = await supertestWithoutAuth - .get(DETECTION_ENGINE_PRIVILEGES_URL) - .auth(ROLES.reader, 'changeme') - .send() - .expect(200); - expect(body).to.eql({ - username: 'reader', - has_all_requested: false, - cluster: { - monitor_ml: false, - manage_ccr: false, - manage_index_templates: false, - monitor_watcher: false, - monitor_transform: false, - read_ilm: false, - manage_api_key: false, - manage_security: false, - manage_own_api_key: false, - manage_saml: false, - all: false, - manage_ilm: false, - manage_ingest_pipelines: false, - read_ccr: false, - manage_rollup: false, - monitor: false, - manage_watcher: false, - manage: false, - manage_transform: false, - manage_token: false, - manage_ml: false, - manage_pipeline: false, - monitor_rollup: false, - transport_client: false, - create_snapshot: false, - }, - index: { - '.alerts-security.alerts-default': { - all: false, - manage_ilm: false, - read: true, - create_index: false, - read_cross_cluster: false, - index: false, - monitor: false, - delete: false, - manage: false, - delete_index: false, - create_doc: false, - view_index_metadata: true, - create: false, - manage_follow_index: false, - manage_leader_index: false, - maintenance: true, - write: false, - }, - }, - application: {}, - is_authenticated: true, - has_encryption_key: true, - }); - await deleteUserAndRole(getService, ROLES.reader); - }); - it('should return expected privileges for a "t1_analyst" user', async () => { await createUserAndRole(getService, ROLES.t1_analyst); const { body } = await supertestWithoutAuth 
diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_alerts/missing_privileges_callout.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_alerts/missing_privileges_callout.cy.ts index f38899300ed7f..d6b4aec5bf3ea 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_alerts/missing_privileges_callout.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_alerts/missing_privileges_callout.cy.ts @@ -24,8 +24,8 @@ import { import { ruleDetailsUrl } from '../../../urls/rule_details'; const loadPageAsReadOnlyUser = (url: string) => { - login(ROLES.reader); - visit(url, { role: ROLES.reader }); + login(ROLES.t1_analyst); + visit(url, { role: ROLES.t1_analyst }); waitForPageTitleToBeShown(); }; @@ -44,8 +44,7 @@ const waitForPageTitleToBeShown = () => { cy.get(PAGE_TITLE).should('be.visible'); }; -// TODO: https://github.com/elastic/kibana/issues/161539 -describe('Detections > Callouts', { tags: ['@ess', '@skipInServerless'] }, () => { +describe('Detections > Callouts', { tags: ['@ess', '@serverless'] }, () => { before(() => { // First, we have to open the app on behalf of a privileged user in order to initialize it. // Otherwise the app will be disabled and show a "welcome"-like page. diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/prebuilt_rules/install_update_authorization.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/prebuilt_rules/install_update_authorization.cy.ts index f95a4274a5181..052306817a87d 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/prebuilt_rules/install_update_authorization.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/prebuilt_rules/install_update_authorization.cy.ts 
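Review bot: `loadPageAsReadOnlyUser` now logs in as `ROLES.t1_analyst`, which is not a read-only role at the Elasticsearch level. `security_roles.json` in this commit grants it `read`, `write` and `maintenance` on `.alerts-security*` and `.siem-signals-*`, while the `reader` test removed from `read_privileges.ts` expected `write: false` on the alerts index. The same substitution appears in `install_update_authorization.cy.ts`, `all_rules_read_only.cy.ts`, `read_only_view.cy.ts`, the shared exception list `read_only.cy.ts` and the timelines `creation.cy.ts`, so no spec in this diff still covers a user without alert write access. These UI assertions may only depend on the Kibana feature privileges (`siem: ["read", "read_alerts"]`), but that is not visible here. I would rename the helper or add a comment such as `// t1_analyst: read-only for rules in Kibana, but can write to the alerts indices`, and consider keeping one role with no index write privilege for the missing-privileges case.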
@@ -57,20 +57,18 @@ const RULE_2 = createRuleAssetSavedObject({ }); const loadPageAsReadOnlyUser = (url: string) => { - login(ROLES.reader); - visit(url, { role: ROLES.reader }); + login(ROLES.t1_analyst); + visit(url, { role: ROLES.t1_analyst }); }; const loginPageAsWriteAuthorizedUser = (url: string) => { - login(ROLES.hunter); - visit(url); + login(ROLES.t3_analyst); + visit(url, { role: ROLES.t3_analyst }); }; -// TODO: https://github.com/elastic/kibana/issues/164451 We should find a way to make this spec work in Serverless -// TODO: https://github.com/elastic/kibana/issues/161540 describe( 'Detection rules, Prebuilt Rules Installation and Update - Authorization/RBAC', - { tags: ['@ess', '@serverless', '@skipInServerless'] }, + { tags: ['@ess', '@serverless'] }, () => { beforeEach(() => { preventPrebuiltRulesPackageInstallation(); diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/authorization/all_rules_read_only.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/authorization/all_rules_read_only.cy.ts index 9b7ef2a116b30..51fdcd6c242f1 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/authorization/all_rules_read_only.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/authorization/all_rules_read_only.cy.ts @@ -34,8 +34,8 @@ describe('All rules - read only', { tags: ['@ess', '@serverless', '@skipInServer }); beforeEach(() => { - login(ROLES.reader); - visitRulesManagementTable(ROLES.reader); + login(ROLES.t1_analyst); + visitRulesManagementTable(ROLES.t1_analyst); cy.get(RULE_NAME).should('have.text', getNewRule().name); }); diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/rule_details_flow/read_only_view.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/rule_details_flow/read_only_view.cy.ts index fafbb2232e55b..935668db1a5a6 100644 
--- a/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/rule_details_flow/read_only_view.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/rule_details_flow/read_only_view.cy.ts @@ -54,8 +54,8 @@ describe('Exceptions viewer read only', { tags: ['@ess'] }, () => { ); }); - login(ROLES.reader); - visitRulesManagementTable(ROLES.reader); + login(ROLES.t1_analyst); + visitRulesManagementTable(ROLES.t1_analyst); goToRuleDetailsOf('Test exceptions rule'); goToExceptionsTab(); }); diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/shared_exception_lists_management/shared_exception_list_page/read_only.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/shared_exception_lists_management/shared_exception_list_page/read_only.cy.ts index b0ba8beae3821..b115508e2b598 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/shared_exception_lists_management/shared_exception_list_page/read_only.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/shared_exception_lists_management/shared_exception_list_page/read_only.cy.ts @@ -31,8 +31,8 @@ describe('Shared exception lists - read only', { tags: ['@ess', '@skipInServerle // Create exception list not used by any rules createExceptionList(getExceptionList(), getExceptionList().list_id); - login(ROLES.reader); - visit(EXCEPTIONS_URL, { role: ROLES.reader }); + login(ROLES.t1_analyst); + visit(EXCEPTIONS_URL, { role: ROLES.t1_analyst }); // Using cy.contains because we do not care about the exact text, // just checking number of lists shown diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/attach_alert_to_case.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/attach_alert_to_case.cy.ts index f10681a516146..83f31f35bc7ad 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/attach_alert_to_case.cy.ts 
+++ b/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/attach_alert_to_case.cy.ts @@ -4,7 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { ROLES } from '@kbn/security-solution-plugin/common/test'; +import { ROLES, SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; import { getNewRule } from '../../../objects/rule'; @@ -19,7 +19,7 @@ import { ALERTS_URL } from '../../../urls/navigation'; import { ATTACH_ALERT_TO_CASE_BUTTON, TIMELINE_CONTEXT_MENU_BTN } from '../../../screens/alerts'; import { LOADING_INDICATOR } from '../../../screens/security_header'; -const loadDetectionsPage = (role: ROLES) => { +const loadDetectionsPage = (role: SecurityRoleName) => { login(role); visit(ALERTS_URL, { role }); waitForAlertsToPopulate(); diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/creation.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/creation.cy.ts index 79730b3c45854..6e66299f5d42a 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/creation.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/creation.cy.ts @@ -53,6 +53,7 @@ import { login } from '../../../tasks/login'; import { visit, visitWithTimeRange } from '../../../tasks/navigation'; import { CASES_URL, OVERVIEW_URL } from '../../../urls/navigation'; +import { ELASTICSEARCH_USERNAME } from '../../../env_var_names_constants'; // Tracked by https://github.com/elastic/security-team/issues/7696 describe('Cases', { tags: ['@ess', '@serverless'] }, () => { 
@@ -107,10 +108,10 @@ describe('Cases', { tags: ['@ess', '@serverless'] }, () => { ); cy.get(CASE_DETAILS_USERNAMES) .eq(REPORTER) - .should('have.text', Cypress.env('ELASTICSEARCH_USERNAME')); + .should('have.text', Cypress.env(ELASTICSEARCH_USERNAME)); cy.get(CASE_DETAILS_USERNAMES) .eq(PARTICIPANTS) - .should('have.text', Cypress.env('ELASTICSEARCH_USERNAME')); + .should('have.text', Cypress.env(ELASTICSEARCH_USERNAME)); cy.get(CASE_DETAILS_TAGS).should('have.text', expectedTags); EXPECTED_METRICS.forEach((metric) => { diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/investigations/timelines/creation.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/investigations/timelines/creation.cy.ts index b7236d7ea0d80..9ffeade285dc7 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/investigations/timelines/creation.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/investigations/timelines/creation.cy.ts @@ -88,8 +88,8 @@ describe('Timelines', (): void => { context('Privileges: READ', { tags: '@ess' }, () => { beforeEach(() => { - login(ROLES.reader); - visitWithTimeRange(OVERVIEW_URL, { role: ROLES.reader }); + login(ROLES.t1_analyst); + visitWithTimeRange(OVERVIEW_URL, { role: ROLES.t1_analyst }); }); it('should not be able to create/update timeline ', () => { diff --git a/x-pack/test/security_solution_cypress/cypress/env_var_names_constants.ts b/x-pack/test/security_solution_cypress/cypress/env_var_names_constants.ts new file mode 100644 index 0000000000000..20f44653f72f0 --- /dev/null +++ b/x-pack/test/security_solution_cypress/cypress/env_var_names_constants.ts 
@@ -0,0 +1,30 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +/** + * The `CYPRESS_ELASTICSEARCH_USERNAME` environment variable specifies the + * username to be used when authenticating with Kibana + */ +export const ELASTICSEARCH_USERNAME = 'ELASTICSEARCH_USERNAME'; + +/** + * The `CYPRESS_ELASTICSEARCH_PASSWORD` environment variable specifies the + * username to be used when authenticating with Kibana + */ +export const ELASTICSEARCH_PASSWORD = 'ELASTICSEARCH_PASSWORD'; + +/** + * The `IS_SERVERLESS` environment variable specifies wether the currently running + * environment is serverless snapshot. + */ +export const IS_SERVERLESS = 'IS_SERVERLESS'; + +/** + * The `CLOUD_SERVERLESS` environment variable specifies wether the currently running + * environment is a real MKI. + */ +export const CLOUD_SERVERLESS = 'CLOUD_SERVERLESS'; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/index.ts b/x-pack/test/security_solution_cypress/cypress/support/cypress_grep.d.ts similarity index 63% rename from x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/index.ts rename to x-pack/test/security_solution_cypress/cypress/support/cypress_grep.d.ts index 3411589de7721..d771f32f48672 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/index.ts +++ b/x-pack/test/security_solution_cypress/cypress/support/cypress_grep.d.ts @@ -5,6 +5,8 @@ * 2.0. */ -import * as hunterUser from './detections_user.json'; -import * as hunterRole from './detections_role.json'; -export { hunterUser, hunterRole }; +declare module '@cypress/grep' { + function registerCypressGrep(): void; + + export = registerCypressGrep; +} 
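Review bot: The doc comment on `ELASTICSEARCH_PASSWORD` was copied from the username constant and still says the variable holds the username. It should read `The CYPRESS_ELASTICSEARCH_PASSWORD environment variable specifies the password to be used when authenticating with Kibana`. In the same file, "wether" in the `IS_SERVERLESS` and `CLOUD_SERVERLESS` comments should be "whether". Those two comments also name their variables without the `CYPRESS_` prefix that the first two use, so it is worth confirming which form is actually set and making the four comments consistent.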
diff --git a/x-pack/test/security_solution_cypress/cypress/support/e2e.js b/x-pack/test/security_solution_cypress/cypress/support/e2e.js
deleted file mode 100644
index 4335470845f9b..0000000000000
--- a/x-pack/test/security_solution_cypress/cypress/support/e2e.js
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-// ***********************************************************
-// This example support/index.js is processed and
-// loaded automatically before your test files.
-//
-// This is a great place to put global configuration and
-// behavior that modifies Cypress.
-//
-// You can change the location of this file or turn off
-// automatically serving support files with the
-// 'supportFile' configuration option.
-//
-// You can read more here:
-// https://on.cypress.io/configuration
-// ***********************************************************
-
-// Import commands.js using ES2015 syntax:
-import './commands';
-import 'cypress-real-events/support';
-import registerCypressGrep from '@cypress/grep';
-
-before(() => {
- cy.task('esArchiverLoad', { archiveName: 'auditbeat' });
-});
-
-registerCypressGrep();
-
-Cypress.on('uncaught:exception', () => {
- return false;
-});
-
-// Alternatively you can use CommonJS syntax:
-// require('./commands')
diff --git a/x-pack/test/security_solution_cypress/cypress/support/e2e.ts b/x-pack/test/security_solution_cypress/cypress/support/e2e.ts
new file mode 100644
index 0000000000000..eb3488178485f
--- /dev/null
+++ b/x-pack/test/security_solution_cypress/cypress/support/e2e.ts
@@ -0,0 +1,39 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import './commands';
+import 'cypress-real-events/support';
+import registerCypressGrep from '@cypress/grep';
+import {
+ KNOWN_ESS_ROLE_DEFINITIONS,
+ KNOWN_SERVERLESS_ROLE_DEFINITIONS,
+} from '@kbn/security-solution-plugin/common/test';
+import { setupUsers } from './setup_users';
+import { CLOUD_SERVERLESS, IS_SERVERLESS } from '../env_var_names_constants';
+
+before(() => {
+ cy.task('esArchiverLoad', { archiveName: 'auditbeat' });
+});
+
+if (!Cypress.env(IS_SERVERLESS) && !Cypress.env(CLOUD_SERVERLESS)) {
+ // Create Serverless + ESS roles and corresponding users. This helps to seamlessly reuse tests
+ // between ESS and Serverless having all the necessary users set up.
+ before(() => {
+ const KNOWN_ROLE_DEFINITIONS = [
+ ...Object.values(KNOWN_SERVERLESS_ROLE_DEFINITIONS),
+ ...Object.values(KNOWN_ESS_ROLE_DEFINITIONS),
+ ];
+
+ setupUsers(KNOWN_ROLE_DEFINITIONS);
+ });
+}
+
+registerCypressGrep();
+
+Cypress.on('uncaught:exception', () => {
+ return false;
+});
diff --git a/x-pack/test/security_solution_cypress/cypress/support/setup_users.ts b/x-pack/test/security_solution_cypress/cypress/support/setup_users.ts
new file mode 100644
index 0000000000000..e1dc4c952eac7
--- /dev/null
+++ b/x-pack/test/security_solution_cypress/cypress/support/setup_users.ts
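Review bot: The `before` hook inside the `if` runs whenever `IS_SERVERLESS` and `CLOUD_SERVERLESS` are both unset, so account provisioning is the default path rather than an opt-in. Because this is the support file, it presumably runs for every spec. Each run creates one user per known ESS and Serverless role with the default password from `setupUsers`, and nothing in this file removes them afterwards. I would extend the existing comment to state that, e.g. `// NOTE: creates users with a well-known default password and never deletes them; run only against disposable test stacks.`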
@@ -0,0 +1,50 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { Role } from '@kbn/security-plugin/common';
+import { rootRequest } from '../tasks/common';
+
+/**
+ * Utility function creates roles and corresponding users per each role with names
+ * matching role names. Each user gets the same `password` passed in which is
+ * `changeme` by default.
+ *
+ * @param roles an array of security `Role`s
+ * @param password custom password if `changeme` doesn't fit
+ */
+export function setupUsers(roles: Role[], password = 'changeme'): void {
+ for (const role of roles) {
+ createRole(role);
+ createUser(role.name, password, [role.name]);
+ }
+}
+
+function createRole(role: Role): void {
+ const { name: roleName, ...roleDefinition } = role;
+
+ rootRequest({
+ method: 'PUT',
+ url: `/api/security/role/${roleName}`,
+ body: roleDefinition,
+ });
+}
+
+function createUser(username: string, password: string, roles: string[] = []): void {
+ const user = {
+ username,
+ password,
+ roles,
+ full_name: username,
+ email: '',
+ };
+
+ rootRequest({
+ method: 'POST',
+ url: `/internal/security/users/${username}`,
+ body: user,
+ });
+}
diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/common.ts b/x-pack/test/security_solution_cypress/cypress/tasks/common.ts
index f42916db561f5..3337d122ab936 100644
--- a/x-pack/test/security_solution_cypress/cypress/tasks/common.ts
+++ b/x-pack/test/security_solution_cypress/cypress/tasks/common.ts
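Review bot: The `password` parameter of `setupUsers` cannot safely be overridden, because `loginWithRole` in tasks/login.ts hard-codes its own `const password = 'changeme'`; a caller that passes a custom password creates users that `login(role)` can no longer authenticate. Exporting one constant from this module, e.g. `export const DEFAULT_ROLE_USER_PASSWORD = 'changeme';`, and using it both as the default here and in `loginWithRole` keeps the two in step. Separately, `roleName` and `username` go into the request paths unencoded; wrapping them as `encodeURIComponent(roleName)` and `encodeURIComponent(username)` keeps a name containing `/` or `?` from changing the route that is hit.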
@@ -11,6 +11,7 @@ import { KIBANA_LOADING_ICON } from '../screens/security_header'; import { EUI_BASIC_TABLE_LOADING } from '../screens/common/controls'; import { deleteAllDocuments } from './api_calls/elasticsearch'; import { DEFAULT_ALERTS_INDEX_PATTERN } from './api_calls/alerts'; +import { ELASTICSEARCH_PASSWORD, ELASTICSEARCH_USERNAME } from '../env_var_names_constants'; const primaryButton = 0; @@ -21,11 +22,14 @@ const primaryButton = 0; const dndSloppyClickDetectionThreshold = 5; export const API_AUTH = Object.freeze({ - user: Cypress.env('ELASTICSEARCH_USERNAME'), - pass: Cypress.env('ELASTICSEARCH_PASSWORD'), + user: Cypress.env(ELASTICSEARCH_USERNAME), + pass: Cypress.env(ELASTICSEARCH_PASSWORD), }); -export const API_HEADERS = Object.freeze({ 'kbn-xsrf': 'cypress' }); +export const API_HEADERS = Object.freeze({ + 'kbn-xsrf': 'cypress-creds', + 'x-elastic-internal-origin': 'security-solution', +}); export const rootRequest = ( options: Partial diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/edit_rule.ts b/x-pack/test/security_solution_cypress/cypress/tasks/edit_rule.ts index fa7e2bd175dc0..0f3d9ee86529d 100644 --- a/x-pack/test/security_solution_cypress/cypress/tasks/edit_rule.ts +++ b/x-pack/test/security_solution_cypress/cypress/tasks/edit_rule.ts @@ -5,12 +5,12 @@ * 2.0. */ -import { ROLES } from '@kbn/security-solution-plugin/common/test'; +import type { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; import { BACK_TO_RULE_DETAILS, EDIT_SUBMIT_BUTTON } from '../screens/edit_rule'; import { editRuleUrl } from '../urls/edit_rule'; import { visit } from './navigation'; -export function visitEditRulePage(ruleId: string, role?: ROLES): void { +export function visitEditRulePage(ruleId: string, role?: SecurityRoleName): void { visit(editRuleUrl(ruleId), { role }); } 
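Review bot: `API_HEADERS` now carries `x-elastic-internal-origin` for every caller of the shared constant, not only for the `/internal/...` routes that need it. The body of `rootRequest` is outside the hunk, but if it sends `API_HEADERS` on every call, requests to public `/api/...` routes also go out marked as internal. The tests would then stop exercising how those routes behave for an external client. I would at least document the choice above the constant, e.g. `// x-elastic-internal-origin lets requests reach /internal/* routes; note it is also sent on public /api/* calls.`, or keep a second header set for internal routes only.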
diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/login.ts b/x-pack/test/security_solution_cypress/cypress/tasks/login.ts index e01b80e7c1f06..26702a47c9427 100644 --- a/x-pack/test/security_solution_cypress/cypress/tasks/login.ts +++ b/x-pack/test/security_solution_cypress/cypress/tasks/login.ts @@ -8,10 +8,17 @@ import * as yaml from 'js-yaml'; import type { UrlObject } from 'url'; import Url from 'url'; - -import type { ROLES } from '@kbn/security-solution-plugin/common/test'; import { LoginState } from '@kbn/security-plugin/common/login_state'; +import type { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; +import { KNOWN_SERVERLESS_ROLE_DEFINITIONS } from '@kbn/security-solution-plugin/common/test'; import { LOGOUT_URL } from '../urls/navigation'; +import { rootRequest } from './common'; +import { + CLOUD_SERVERLESS, + ELASTICSEARCH_PASSWORD, + ELASTICSEARCH_USERNAME, + IS_SERVERLESS, +} from '../env_var_names_constants'; /** * Credentials in the `kibana.dev.yml` config file will be used to authenticate 
@@ -32,16 +39,33 @@ const ELASTICSEARCH_USERNAME_CONFIG_PATH = 'config.elasticsearch.username'; const ELASTICSEARCH_PASSWORD_CONFIG_PATH = 'config.elasticsearch.password'; /** - * The `CYPRESS_ELASTICSEARCH_USERNAME` environment variable specifies the - * username to be used when authenticating with Kibana + * Authenticates with Kibana using, if specified, credentials specified by + * environment variables. The credentials in `kibana.dev.yml` will be used + * for authentication when the environment variables are unset. + * + * To speed the execution of tests, prefer this non-interactive authentication, + * which is faster than authentication via Kibana's interactive login page. */ -const ELASTICSEARCH_USERNAME = 'ELASTICSEARCH_USERNAME'; +export const login = (role?: SecurityRoleName): void => { + if (role != null) { + loginWithRole(role); + } else if (credentialsProvidedByEnvironment()) { + loginViaEnvironmentCredentials(); + } else { + loginViaConfig(); + } +}; -/** - * The `CYPRESS_ELASTICSEARCH_PASSWORD` environment variable specifies the - * username to be used when authenticating with Kibana - */ -const ELASTICSEARCH_PASSWORD = 'ELASTICSEARCH_PASSWORD'; +export interface User { + username: string; + password: string; +} + +export const loginWithUser = (user: User): void => { + cy.session(user, () => { + loginWithUsernameAndPassword(user.username, user.password); + }); +}; /** * cy.visit will default to the baseUrl which uses the default kibana test user @@ -51,7 +75,7 @@ const ELASTICSEARCH_PASSWORD = 'ELASTICSEARCH_PASSWORD'; * @param role string role/user to log in with * @param route string route to visit */ -export const getUrlWithRoute = (role: ROLES, route: string) => { +export const getUrlWithRoute = (role: SecurityRoleName, route: string): string => { const url = Cypress.config().baseUrl; const kibana = new URL(String(url)); const theUrl = `${Url.format({ 
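Review bot: `loginWithUser` passes the whole `user` object, password included, as the `cy.session` id. As far as I know Cypress serialises the id and shows it in the command log, so the password can end up in runner output, screenshots and recorded videos. Keying the session on the name alone avoids that: `cy.session(user.username, () => {`. The trade-off is that two `User` values with the same username but different passwords would then share one cached session, which looks acceptable for these tests.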
@@ -66,18 +90,13 @@ export const getUrlWithRoute = (role: ROLES, route: string) => { return theUrl; }; -export interface User { - username: string; - password: string; -} - /** * Builds a URL with basic auth using the passed in user. * * @param user the user information to build the basic auth with * @param route string route to visit */ -export const constructUrlWithUser = (user: User, route: string) => { +export const constructUrlWithUser = (user: User, route: string): string => { const url = Cypress.config().baseUrl; const kibana = new URL(String(url)); const hostname = kibana.hostname; 
@@ -94,103 +113,27 @@ export const constructUrlWithUser = (user: User, route: string) => { return builtUrl.href; }; -const getCurlScriptEnvVars = () => ({ - ELASTICSEARCH_URL: Cypress.env('ELASTICSEARCH_URL'), - ELASTICSEARCH_USERNAME: Cypress.env('ELASTICSEARCH_USERNAME'), - ELASTICSEARCH_PASSWORD: Cypress.env('ELASTICSEARCH_PASSWORD'), - KIBANA_URL: Cypress.config().baseUrl, -}); - -const postRoleAndUser = (role: ROLES) => { - const env = getCurlScriptEnvVars(); - const detectionsRoleScriptPath = `../../plugins/security_solution/server/lib/detection_engine/scripts/roles_users/${role}/post_detections_role.sh`; - const detectionsRoleJsonPath = `../../plugins/security_solution/server/lib/detection_engine/scripts/roles_users/${role}/detections_role.json`; - const detectionsUserScriptPath = `../../plugins/security_solution/server/lib/detection_engine/scripts/roles_users/${role}/post_detections_user.sh`; - const detectionsUserJsonPath = `../../plugins/security_solution/server/lib/detection_engine/scripts/roles_users/${role}/detections_user.json`; - - // post the role - cy.exec(`bash ${detectionsRoleScriptPath} ${detectionsRoleJsonPath}`, { - env, - }); - - // post the user associated with the role to elasticsearch - cy.exec(`bash ${detectionsUserScriptPath} ${detectionsUserJsonPath}`, { - env, - }); -}; - -export const deleteRoleAndUser = (role: ROLES) => { - const env = getCurlScriptEnvVars(); - const detectionsUserDeleteScriptPath = `../../plugins/security_solution/server/lib/detection_engine/scripts/roles_users/${role}/delete_detections_user.sh`; - - // delete the role - cy.exec(`bash ${detectionsUserDeleteScriptPath}`, { - env, - }); -}; - -const loginWithUsernameAndPassword = (username: string, password: string) => { - const baseUrl = Cypress.config().baseUrl; - if (!baseUrl) { - throw Error(`Cypress config baseUrl not set!`); +/** + * Authenticates with a predefined role + * + * @param role role name + */ +const loginWithRole = (role: SecurityRoleName): void => { 
+ if ( + (Cypress.env(IS_SERVERLESS) || Cypress.env(CLOUD_SERVERLESS)) && + !(role in KNOWN_SERVERLESS_ROLE_DEFINITIONS) + ) { + throw new Error(`An attempt to log in with unsupported by Serverless role "${role}".`); } - // Programmatically authenticate without interacting with the Kibana login page. - const headers = { 'kbn-xsrf': 'cypress-creds', 'x-elastic-internal-origin': 'security-solution' }; - cy.request({ headers, url: `${baseUrl}/internal/security/login_state` }).then( - (loginState) => { - const basicProvider = loginState.body.selector.providers.find( - (provider) => provider.type === 'basic' - ); - - return cy.request({ - url: `${baseUrl}/internal/security/login`, - method: 'POST', - headers, - body: { - providerType: basicProvider?.type, - providerName: basicProvider?.name, - currentURL: '/', - params: { username, password }, - }, - }); - } - ); -}; - -export const loginWithUser = (user: User) => { - cy.session(user, () => { - loginWithUsernameAndPassword(user.username, user.password); - }); -}; - -const loginWithRole = (role: ROLES) => { - postRoleAndUser(role); + const password = 'changeme'; cy.log(`origin: ${Cypress.config().baseUrl}`); cy.session(role, () => { - loginWithUsernameAndPassword(role, 'changeme'); + loginWithUsernameAndPassword(role, password); }); }; -/** - * Authenticates with Kibana using, if specified, credentials specified by - * environment variables. The credentials in `kibana.dev.yml` will be used - * for authentication when the environment variables are unset. - * - * To speed the execution of tests, prefer this non-interactive authentication, - * which is faster than authentication via Kibana's interactive login page. 
- */ -export const login = (role?: ROLES) => { - if (role != null) { - loginWithRole(role); - } else if (credentialsProvidedByEnvironment()) { - loginViaEnvironmentCredentials(); - } else { - loginViaConfig(); - } -}; - /** * Returns `true` if the credentials used to login to Kibana are provided * via environment variables @@ -204,7 +147,7 @@ const credentialsProvidedByEnvironment = (): boolean => * environment variables, and POSTing the username and password directly to * Kibana's `/internal/security/login` endpoint, bypassing the login page (for speed). */ -const loginViaEnvironmentCredentials = () => { +const loginViaEnvironmentCredentials = (): void => { cy.log( `Authenticating via environment credentials from the \`CYPRESS_${ELASTICSEARCH_USERNAME}\` and \`CYPRESS_${ELASTICSEARCH_PASSWORD}\` environment variables` ); @@ -222,7 +165,7 @@ const loginViaEnvironmentCredentials = () => { * `kibana.dev.yml` file and POSTing the username and password directly to * Kibana's `/internal/security/login` endpoint, bypassing the login page (for speed). */ -const loginViaConfig = () => { +const loginViaConfig = (): void => { cy.log( `Authenticating via config credentials \`${ELASTICSEARCH_USERNAME_CONFIG_PATH}\` and \`${ELASTICSEARCH_PASSWORD_CONFIG_PATH}\` from \`${KIBANA_DEV_YML_PATH}\`` ); 
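Review bot: In `loginWithRole`, `role in KNOWN_SERVERLESS_ROLE_DEFINITIONS` also matches inherited keys such as `constructor` (assuming the definitions are a plain object), so the Serverless guard is looser than it reads. `Object.prototype.hasOwnProperty.call(KNOWN_SERVERLESS_ROLE_DEFINITIONS, role)` checks own keys only. The `SecurityRoleName` type narrows this at compile time, but the guard exists precisely for the runtime case. The error text would also read better as `Role "${role}" is not supported by Serverless.`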
@@ -256,6 +199,33 @@ export const getEnvAuth = (): User => { } }; -export const logout = () => { +export const logout = (): void => { cy.visit(LOGOUT_URL); }; + +const loginWithUsernameAndPassword = (username: string, password: string): void => { + const baseUrl = Cypress.config().baseUrl; + if (!baseUrl) { + throw Error(`Cypress config baseUrl not set!`); + } + + // Programmatically authenticate without interacting with the Kibana login page. + rootRequest({ + url: `${baseUrl}/internal/security/login_state`, + }).then((loginState) => { + const basicProvider = loginState.body.selector.providers.find( + (provider) => provider.type === 'basic' + ); + + return rootRequest({ + url: `${baseUrl}/internal/security/login`, + method: 'POST', + body: { + providerType: basicProvider?.type, + providerName: basicProvider?.name, + currentURL: '/', + params: { username, password }, + }, + }); + }); +}; diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/navigation.ts b/x-pack/test/security_solution_cypress/cypress/tasks/navigation.ts index dc12c26d1f9c9..20e34387d7f12 100644 --- a/x-pack/test/security_solution_cypress/cypress/tasks/navigation.ts +++ b/x-pack/test/security_solution_cypress/cypress/tasks/navigation.ts @@ -7,8 +7,8 @@ import { encode } from '@kbn/rison'; -import type { ROLES } from '@kbn/security-solution-plugin/common/test'; import { NEW_FEATURES_TOUR_STORAGE_KEYS } from '@kbn/security-solution-plugin/common/constants'; +import type { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; import { hostDetailsUrl, userDetailsUrl } from '../urls/navigation'; import { constructUrlWithUser, getUrlWithRoute, User } from './login'; @@ -16,7 +16,7 @@ export const visit = ( url: string, options?: { visitOptions?: Partial; - role?: ROLES; + role?: SecurityRoleName; } ) => { cy.visit(options?.role ? getUrlWithRoute(options.role, url) : url, { 
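Review bot: `loginWithUsernameAndPassword` now sends both the `login_state` call and the `login` POST through `rootRequest`, whose body is outside this diff. If it attaches `API_AUTH`, as its name and the neighbouring constant in tasks/common.ts suggest, every role login carries the admin basic-auth header next to the role user's own credentials. That makes it unclear which identity the request is evaluated under, and it sends the admin credentials on a call that does not need them. I would keep these two calls on plain `cy.request` with only the shared headers, i.e. `cy.request({ headers: API_HEADERS, ... })`, importing `API_HEADERS` from `./common`.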
@@ -35,7 +35,7 @@ export const visitWithTimeRange = ( url: string, options?: { visitOptions?: Partial; - role?: ROLES; + role?: SecurityRoleName; } ) => { const timerangeConfig = { @@ -74,7 +74,7 @@ export const visitWithTimeRange = ( }); }; -export const visitTimeline = (timelineId: string, role?: ROLES) => { +export const visitTimeline = (timelineId: string, role?: SecurityRoleName) => { const route = `/app/security/timelines?timeline=(id:'${timelineId}',isOpen:!t)`; cy.visit(role ? getUrlWithRoute(role, route) : route, { onBeforeLoad: disableNewFeaturesTours, diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/rule_details.ts b/x-pack/test/security_solution_cypress/cypress/tasks/rule_details.ts index a81be48d229e9..1dadb67a96987 100644 --- a/x-pack/test/security_solution_cypress/cypress/tasks/rule_details.ts +++ b/x-pack/test/security_solution_cypress/cypress/tasks/rule_details.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { ROLES } from '@kbn/security-solution-plugin/common/test'; +import type { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; import type { Exception } from '../objects/exception'; import { RULE_MANAGEMENT_PAGE_BREADCRUMB } from '../screens/breadcrumbs'; import { PAGE_CONTENT_SPINNER } from '../screens/common/page'; @@ -47,7 +47,7 @@ import { visit } from './navigation'; interface VisitRuleDetailsPageOptions { tab?: RuleDetailsTabs; - role?: ROLES; + role?: SecurityRoleName; } export function visitRuleDetailsPage(ruleId: string, options?: VisitRuleDetailsPageOptions): void { diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/rules_management.ts b/x-pack/test/security_solution_cypress/cypress/tasks/rules_management.ts index 5f795ce97d524..663692aa905d4 100644 --- a/x-pack/test/security_solution_cypress/cypress/tasks/rules_management.ts +++ b/x-pack/test/security_solution_cypress/cypress/tasks/rules_management.ts 
@@ -5,13 +5,13 @@ * 2.0. */ -import type { ROLES } from '@kbn/security-solution-plugin/common/test'; +import type { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; import { LAST_BREADCRUMB, RULE_MANAGEMENT_PAGE_BREADCRUMB } from '../screens/breadcrumbs'; import { RULES_MANAGEMENT_URL } from '../urls/rules_management'; import { resetRulesTableState } from './common'; import { visit } from './navigation'; -export function visitRulesManagementTable(role?: ROLES): void { +export function visitRulesManagementTable(role?: SecurityRoleName): void { resetRulesTableState(); // Clear persistent rules filter data before page loading visit(RULES_MANAGEMENT_URL, { role }); } diff --git a/x-pack/test/security_solution_cypress/cypress/tsconfig.json b/x-pack/test/security_solution_cypress/cypress/tsconfig.json index b82ce28aa8f04..ff33f1ac69a13 100644 --- a/x-pack/test/security_solution_cypress/cypress/tsconfig.json +++ b/x-pack/test/security_solution_cypress/cypress/tsconfig.json @@ -38,6 +38,6 @@ "@kbn/lists-plugin", "@kbn/securitysolution-list-constants", "@kbn/security-plugin", - "@kbn/management-settings-ids" + "@kbn/management-settings-ids", ] } diff --git a/x-pack/test/security_solution_endpoint/apps/endpoint/endpoint_permissions.ts b/x-pack/test/security_solution_endpoint/apps/endpoint/endpoint_permissions.ts index 6e1850373af81..51d6ae8bcfadc 100644 --- a/x-pack/test/security_solution_endpoint/apps/endpoint/endpoint_permissions.ts +++ b/x-pack/test/security_solution_endpoint/apps/endpoint/endpoint_permissions.ts 
@@ -7,12 +7,9 @@ import expect from '@kbn/expect'; import { IndexedHostsAndAlertsResponse } from '@kbn/security-solution-plugin/common/endpoint/index_data'; +import { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; import { FtrProviderContext } from '../../ftr_provider_context'; -import { - createUserAndRole, - deleteUserAndRole, - ROLES, -} from '../../../common/services/security_solution'; +import { createUserAndRole, deleteUserAndRole } from '../../../common/services/security_solution'; export default ({ getPageObjects, getService }: FtrProviderContext) => { const PageObjects = getPageObjects(['security', 'endpoint', 'detections', 'hosts']); @@ -35,11 +32,22 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => { }); // Run the same set of tests against all of the Security Solution roles - for (const role of Object.keys(ROLES) as Array) { + const ROLES: SecurityRoleName[] = [ + 't1_analyst', + 't2_analyst', + 'rule_author', + 'soc_manager', + 'detections_admin', + 'platform_engineer', + 'hunter', + 'hunter_no_actions', + ]; + + for (const role of ROLES) { describe(`when running with user/role [${role}]`, () => { before(async () => { // create role/user - await createUserAndRole(getService, ROLES[role]); + await createUserAndRole(getService, role); // log back in with new uer await PageObjects.security.login(role, 'changeme'); @@ -51,7 +59,7 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => { await PageObjects.security.forceLogout(); // delete role/user - await deleteUserAndRole(getService, ROLES[role]); + await deleteUserAndRole(getService, role); }); it('should NOT allow access to endpoint management pages', async () => {
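Review bot: The context comment above the new `ROLES` array still says the tests run against all of the Security Solution roles, but the array is now a hand-written list of eight names. A role added to the shared definitions later is silently left out of this permission check. Either derive the list from the role definitions, or make the comment honest: `// Run the same set of tests against this fixed list of Security Solution roles; extend it when a role is added`. The enclosing test function starts and ends outside these hunks.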