

Feature Controls - either base or feature (#35321) (#35371)
* Only allowing either base or feature privileges

* Get roles route returns a transform error if base and feature privileges are combined

* Treating [] and {} as undefined

* Updating the role api integration tests
kobelb authored Apr 19, 2019
1 parent 1e5e699 commit 3536e17
Showing 5 changed files with 322 additions and 50 deletions.
13 changes: 13 additions & 0 deletions x-pack/plugins/security/server/routes/api/public/roles/get.js
Expand Up @@ -67,6 +67,19 @@ export function initGetRolesApi(server, callWithRequest, routePreCheckLicenseFn,
};
}

// if base privilege assigned with feature privileges, we won't transform these
if (roleKibanaApplications.some(entry =>
entry.privileges.some(privilege => PrivilegeSerializer.isSerializedFeaturePrivilege(privilege)) &&
(
entry.privileges.some(privilege => PrivilegeSerializer.isSerializedGlobalBasePrivilege(privilege)) ||
entry.privileges.some(privilege => PrivilegeSerializer.isSerializedSpaceBasePrivilege(privilege))
)
)) {
return {
success: false
};
}

// if any application entry contains the '*' resource in addition to another resource, we can't transform these
if (roleKibanaApplications.some(entry => entry.resources.includes(GLOBAL_RESOURCE) && entry.resources.length > 1)) {
return {
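Review bot: The new guard at the top of the hunk only detects a base and a feature privilege inside the same application entry, so a role whose `all` and `feature_foo.*` privileges arrive in two separate entries for the same resource passes through untouched; whether a later merge step or the PUT route's `.unique` check on overlapping spaces rules out that shape is not visible here, so either merge entries by resource before this check or state the assumption in a comment. Consumers of the response see `kibana: []` for such a role while the underlying Elasticsearch role still grants `all`, which is the existing `_transform_error` convention, but it is worth spelling out in the comment that callers must consult `_transform_error` before reading an empty kibana section as "no Kibana access". The three `some` scans over `entry.privileges` could be one classification per entry, e.g. `const isBase = p => PrivilegeSerializer.isSerializedGlobalBasePrivilege(p) || PrivilegeSerializer.isSerializedSpaceBasePrivilege(p);` reused by the later checks. The comment itself would be more useful if it said why, `// base and feature privileges are never combined (mirrors the PUT validator's .without('base', ['feature'])), so surface a transform error rather than guess which one wins`. `initGetRolesApi` begins above the hunk and its body continues below it.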
182 changes: 182 additions & 0 deletions x-pack/plugins/security/server/routes/api/public/roles/get.test.js
Expand Up @@ -1032,6 +1032,98 @@ describe('GET roles', () => {
},
});

getRolesTest(
`global base privilege assigned with a feature privilege returns empty kibana section with _transform_error set to ['kibana']`, {
callWithRequestImpl: async () => ({
first_role: {
cluster: [],
indices: [],
applications: [
{
application,
privileges: ['all', 'feature_foo.foo-privilege-1'],
resources: ['*'],
}
],
run_as: [],
metadata: {
_reserved: true,
},
transient_metadata: {
enabled: true,
},
},
}),
asserts: {
statusCode: 200,
result: [
{
name: 'first_role',
metadata: {
_reserved: true,
},
transient_metadata: {
enabled: true,
},
elasticsearch: {
cluster: [],
indices: [],
run_as: [],
},
kibana: [],
_transform_error: ['kibana'],
_unrecognized_applications: [],
},
],
},
});

getRolesTest(
`space base privilege assigned with a feature privilege returns empty kibana section with _transform_error set to ['kibana']`, {
callWithRequestImpl: async () => ({
first_role: {
cluster: [],
indices: [],
applications: [
{
application,
privileges: ['space_all', 'feature_foo.foo-privilege-1'],
resources: ['space:space_1'],
}
],
run_as: [],
metadata: {
_reserved: true,
},
transient_metadata: {
enabled: true,
},
},
}),
asserts: {
statusCode: 200,
result: [
{
name: 'first_role',
metadata: {
_reserved: true,
},
transient_metadata: {
enabled: true,
},
elasticsearch: {
cluster: [],
indices: [],
run_as: [],
},
kibana: [],
_transform_error: ['kibana'],
_unrecognized_applications: [],
},
],
},
});

getRolesTest(`transforms unrecognized applications`, {
callWithRequestImpl: async () => ({
first_role: {
Expand Down Expand Up @@ -2149,6 +2241,96 @@ describe('GET role', () => {
},
});

getRoleTest(
`global base privilege assigned with a feature privilege returns empty kibana section with _transform_error set to ['kibana']`, {
name: 'first_role',
callWithRequestImpl: async () => ({
first_role: {
cluster: [],
indices: [],
applications: [
{
application,
privileges: ['all', 'feature_foo.foo-privilege-1'],
resources: ['*'],
}
],
run_as: [],
metadata: {
_reserved: true,
},
transient_metadata: {
enabled: true,
},
},
}),
asserts: {
statusCode: 200,
result: {
name: 'first_role',
metadata: {
_reserved: true,
},
transient_metadata: {
enabled: true,
},
elasticsearch: {
cluster: [],
indices: [],
run_as: [],
},
kibana: [],
_transform_error: ['kibana'],
_unrecognized_applications: [],
},
},
});

getRoleTest(
`space base privilege assigned with a feature privilege returns empty kibana section with _transform_error set to ['kibana']`, {
name: 'first_role',
callWithRequestImpl: async () => ({
first_role: {
cluster: [],
indices: [],
applications: [
{
application,
privileges: ['space_all', 'feature_foo.foo-privilege-1'],
resources: ['space:space_1'],
}
],
run_as: [],
metadata: {
_reserved: true,
},
transient_metadata: {
enabled: true,
},
},
}),
asserts: {
statusCode: 200,
result: {
name: 'first_role',
metadata: {
_reserved: true,
},
transient_metadata: {
enabled: true,
},
elasticsearch: {
cluster: [],
indices: [],
run_as: [],
},
kibana: [],
_transform_error: ['kibana'],
_unrecognized_applications: [],
},
},
});

getRoleTest(`transforms unrecognized applications`, {
name: 'first_role',
callWithRequestImpl: async () => ({
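Review bot: Every new fixture in both hunks uses empty `cluster`, `indices` and `run_as` together with the same `_reserved: true` metadata, so the assertions cannot tell "only the kibana section was dropped" apart from "the whole role was blanked"; give at least one case a non-empty `cluster: ['manage_security']` and an `indices` entry and assert they survive under `elasticsearch`. There is also no case for the split shape — a base privilege in one application entry and a feature privilege in a second entry for the same resource — nor one confirming that an entry carrying only `feature_foo.foo-privilege-1` still transforms, unless the tests above line 1032 already cover it. Both `describe` blocks start outside their hunks.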
10 changes: 7 additions & 3 deletions x-pack/plugins/security/server/routes/api/public/roles/put.js
Expand Up @@ -86,15 +86,19 @@ export function initPutRolesApi(
Joi.object({
base: Joi.alternatives().when('spaces', {
is: allSpacesSchema,
then: Joi.array().items(Joi.string().valid(Object.keys(privileges.global))),
otherwise: Joi.array().items(Joi.string().valid(Object.keys(privileges.space))),
then: Joi.array().items(Joi.string().valid(Object.keys(privileges.global))).empty(Joi.array().length(0)),
otherwise: Joi.array().items(Joi.string().valid(Object.keys(privileges.space))).empty(Joi.array().length(0)),
}),
feature: Joi.object().pattern(/^[a-zA-Z0-9_-]+$/, Joi.array().items(Joi.string().regex(/^[a-zA-Z0-9_-]+$/))),
feature: Joi.object()
.pattern(/^[a-zA-Z0-9_-]+$/, Joi.array().items(Joi.string().regex(/^[a-zA-Z0-9_-]+$/)))
.empty(Joi.object().length(0)),
spaces: Joi.alternatives(
allSpacesSchema,
Joi.array().items(Joi.string().regex(/^[a-z0-9_-]+$/)),
).default([GLOBAL_RESOURCE]),
})
// the following can be replaced with .oxor once we upgrade Joi
.without('base', ['feature'])
).unique((a, b) => {
return intersection(a.spaces, b.spaces).length !== 0;
});
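Review bot: The `.without('base', ['feature'])` dependency is meant to combine with the new `.empty(...)` conversions, but whether Joi evaluates object dependencies against the converted value or the raw input decides if `{ base: [], feature: { foo: ['read'] } }` is accepted (the intent per the commit) or rejected; a unit test on this schema pinning that input as valid and `{ base: ['all'], feature: { foo: ['read'] } }` as invalid would settle it, if the integration tests not shown on this page do not already. The Joi comment would read better as a tracked follow-up, `// TODO: replace .without() with .oxor('base', 'feature') once Joi is upgraded`. It is also worth a sentence in the route documentation that an entry with neither `base` nor `feature` (or both empty) is still accepted, since an optional xor would likewise permit neither. The schema definition begins above the hunk and the enclosing `initPutRolesApi` continues below it.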
