

[Fleet][RBAC v2] Update agent_status route to use `calculateRouteAu…
…thz` (#147696)

## Summary

Follow-up PR to update the `api/fleet/agent_status` route.
refs /pull/145361
refs elastic/security-team/issues/5539

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

### For maintainers

- [x] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

Co-authored-by: kibanamachine <[email protected]>
ashokaditya and kibanamachine authored Jan 3, 2023
1 parent 3abf705 commit 72d2f75
Showing 4 changed files with 81 additions and 5 deletions.
14 changes: 10 additions & 4 deletions x-pack/plugins/fleet/server/routes/agent/index.ts
Expand Up @@ -5,7 +5,9 @@
* 2.0.
*/

import type { FleetAuthzRouter } from '../../services/security';
import type { FleetAuthz } from '../../../common';

import { getRouteRequiredAuthz, type FleetAuthzRouter } from '../../services/security';

import { AGENT_API_ROUTES } from '../../constants';
import {
Expand Down Expand Up @@ -35,6 +37,8 @@ import type { FleetConfigType } from '../..';

import { PostBulkUpdateAgentTagsRequestSchema } from '../../types/rest_spec/agent';

import { calculateRouteAuthz } from '../../services/security/security';

import {
getAgentsHandler,
getAgentTagsHandler,
Expand Down Expand Up @@ -234,9 +238,11 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
{
path: AGENT_API_ROUTES.STATUS_PATTERN,
validate: GetAgentStatusRequestSchema,
fleetAuthz: {
fleet: { all: true },
},
fleetAuthz: (fleetAuthz: FleetAuthz): boolean =>
calculateRouteAuthz(
fleetAuthz,
getRouteRequiredAuthz('get', AGENT_API_ROUTES.STATUS_PATTERN)
).granted,
},
getAgentStatusForAgentPolicyHandler
);
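Review bot: `calculateRouteAuthz` is imported from `'../../services/security/security'` (a file inside the security package) while `getRouteRequiredAuthz` and `FleetAuthzRouter` are imported two hunks earlier from the `'../../services/security'` barrel; importing all three from the barrel keeps this route file independent of the security package's internal layout, e.g. `import { calculateRouteAuthz, getRouteRequiredAuthz, type FleetAuthzRouter } from '../../services/security';`, assuming the barrel re-exports it, which the hunk does not show. The pair passed to `getRouteRequiredAuthz('get', AGENT_API_ROUTES.STATUS_PATTERN)` must stay in sync with the `get:${AGENT_API_ROUTES.STATUS_PATTERN}` key added to the requirements table in this commit, and a one-line comment on the `fleetAuthz:` line such as `// requirements are looked up by "<method>:<path>" in ROUTE_AUTHZ_REQUIREMENTS` would make that coupling visible. `registerAPIRoutes` starts and ends outside the hunk.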
Expand Up @@ -9,7 +9,7 @@ import { deepFreeze } from '@kbn/std';

import type { RouteMethod } from '@kbn/core-http-server';

import { PACKAGE_POLICY_API_ROUTES } from '../../../common';
import { PACKAGE_POLICY_API_ROUTES, AGENT_API_ROUTES } from '../../../common';

import type { FleetRouteRequiredAuthz } from './types';

Expand Down Expand Up @@ -126,6 +126,24 @@ const ROUTE_AUTHZ_REQUIREMENTS = deepFreeze<Record<string, FleetRouteRequiredAut
},
},
},

// agent status fo policy API
[`get:${AGENT_API_ROUTES.STATUS_PATTERN}`]: {
any: {
fleet: {
all: true,
},
packagePrivileges: {
endpoint: {
actions: {
readPolicyManagement: {
executePackageAction: true,
},
},
},
},
},
},
});

/**
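Review bot: The new `any` entry lets a caller holding only the endpoint `readPolicyManagement` package privilege, without `fleet: all`, reach the whole agent-status route; the handler wired to that path in the route file (`getAgentStatusForAgentPolicyHandler`) appears to answer for any agent policy rather than only endpoint-managed ones, so this likely exposes agent counts for unrelated policies to that user, which I cannot confirm from the hunk. If that is the intended scope, say so next to the entry, e.g. `// any of: full fleet access, or endpoint policy-management read (status is served for all policies)`; if not, the handler should narrow what it returns when the caller has only the package privilege. The entry comment also has a typo, `agent status fo policy API` should read `agent status for policy API`. The `ROUTE_AUTHZ_REQUIREMENTS` object begins outside the hunk, and this section's file header is not shown on the page.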
28 changes: 28 additions & 0 deletions x-pack/test/fleet_api_integration/apis/agents/status.ts
Expand Up @@ -9,11 +9,13 @@ import expect from '@kbn/expect';

import { AGENTS_INDEX } from '@kbn/fleet-plugin/common';
import { FtrProviderContext } from '../../../api_integration/ftr_provider_context';
import { testUsers } from '../test_users';

export default function ({ getService }: FtrProviderContext) {
const es = getService('es');
const esArchiver = getService('esArchiver');
const supertest = getService('supertest');
const superTestWithoutAuth = getService('supertestWithoutAuth');

describe('fleet_agents_status', () => {
before(async () => {
Expand Down Expand Up @@ -197,5 +199,31 @@ export default function ({ getService }: FtrProviderContext) {
it('should work with deprecated api', async () => {
await supertest.get(`/api/fleet/agent-status`).expect(200);
});

it('should work with adequate package privileges', async () => {
await superTestWithoutAuth
.get(`/api/fleet/agent_status`)
.set('kbn-xsrf', 'xxxx')
.auth(
testUsers.endpoint_fleet_all_integr_read_policy.username,
testUsers.endpoint_fleet_all_integr_read_policy.password
)
.expect(200);
});

it('should not work without adequate package privileges', async () => {
await superTestWithoutAuth
.get(`/api/fleet/agent_status`)
.set('kbn-xsrf', 'xxxx')
.auth(
testUsers.endpoint_fleet_read_integr_none.username,
testUsers.endpoint_fleet_read_integr_none.password
)
.expect(403, {
error: 'Forbidden',
message: 'Forbidden',
statusCode: 403,
});
});
});
}
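Review bot: The positive case `should work with adequate package privileges` does not exercise the new package-privilege path: `endpoint_fleet_all_integr_read_policy` is defined in test_users.ts with `fleet: ['all']`, which already satisfied the previous `fleet: { all: true }` check, so the request would still return 200 if the `packagePrivileges` alternative were broken. A user with `fleet: ['read']` plus `siem: ['minimal_all', 'policy_management_read']` would prove the new branch grants access on its own, while the existing `endpoint_fleet_read_integr_none` user already covers the denial side. Consider renaming the current case to `'should work with fleet all privileges'` and adding the package-privilege-only case alongside it.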
24 changes: 24 additions & 0 deletions x-pack/test/fleet_api_integration/apis/test_users.ts
Expand Up @@ -104,6 +104,30 @@ export const testUsers: {
username: 'endpoint_integr_write_policy',
password: 'changeme',
},
// agent status API
endpoint_fleet_all_integr_read_policy: {
permissions: {
feature: {
fleet: ['all'],
siem: ['minimal_all', 'policy_management_read'],
},
spaces: ['*'],
},
username: 'endpoint_fleet_all_integr_read_policy',
password: 'changeme',
},
// no access to integrations or policies
endpoint_fleet_read_integr_none: {
permissions: {
feature: {
fleet: ['read'],
siem: ['minimal_all'],
},
spaces: ['*'],
},
username: 'endpoint_fleet_read_integr_none',
password: 'changeme',
},
};

export const setupTestUsers = async (security: SecurityService) => {
