Skip to content

Commit

Permalink
[Cases] Suggest user profiles with read permission (#172047)
Browse files Browse the repository at this point in the history 
Fixes #171446

## Summary

We will now also suggest users with only `Read Cases` permissions for
case assignment.

## Release notes

Fixed a bug that prevented users with read permission from being
assigned to cases.
  • Loading branch information
@adcoelho
adcoelho authored Nov 29, 2023
1 parent a766fe6 commit e333c6e
Show file tree
Hide file tree
Showing 3 changed files with 46 additions and 24 deletions.
4 changes: 1 addition & 3 deletions x-pack/plugins/cases/server/services/user_profiles/index.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -151,9 +151,7 @@ export class UserProfileService {
private static buildRequiredPrivileges(owners: string[], security: SecurityPluginStart) {
const privileges: string[] = [];
for (const owner of owners) {
for (const operation of [Operations.updateCase.name, Operations.getCase.name]) {
privileges.push(security.authz.actions.cases.get(owner, operation));
}
privileges.push(security.authz.actions.cases.get(owner, Operations.getCase.name));
}

return privileges;
Expand Down
5 changes: 1 addition & 4 deletions x-pack/test/cases_api_integration/security_and_spaces/tests/trial/cases/find_cases.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,6 @@

import expect from '@kbn/expect';
import { Cookie } from 'tough-cookie';
import { User } from '@kbn/cases-plugin/common/types/domain';
import { UserProfile } from '@kbn/security-plugin/common';
import { FtrProviderContext } from '../../../../common/ftr_provider_context';

Expand All @@ -20,7 +19,6 @@ import {
loginUsers,
} from '../../../../common/lib/api';
import { secOnlySpacesAll, superUser } from '../../../../common/lib/authentication/users';
import { getUserInfo } from '../../../../common/lib/authentication';
import { createUsersAndRoles, deleteUsersAndRoles } from '../../../../common/lib/authentication';
import { securitySolutionOnlyAllSpacesRole } from '../../../../common/lib/authentication/roles';

Expand All @@ -31,7 +29,6 @@ export default ({ getService }: FtrProviderContext): void => {
const supertestWithoutAuth = getService('supertestWithoutAuth');

describe('find_cases', () => {
const secOnlyInfo: User = getUserInfo(secOnlySpacesAll);
let cookies: Cookie[];
let suggestedSecUsers: UserProfile[];
let superUserHeaders: { Cookie: string };
Expand Down Expand Up @@ -62,7 +59,7 @@ export default ({ getService }: FtrProviderContext): void => {
suggestedSecUsers = await suggestUserProfiles({
supertest: supertestWithoutAuth,
req: {
name: secOnlyInfo.username!,
name: 'all_spaces',
owners: ['securitySolutionFixture'],
size: 1,
},
Expand Down
61 changes: 44 additions & 17 deletions ...t/cases_api_integration/security_and_spaces/tests/trial/internal/suggest_user_profiles.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,30 @@ export default function ({ getService }: FtrProviderContext) {
`);
});

it('find a user who only has read privilege for cases', async () => {
const profiles = await suggestUserProfiles({
supertest: supertestWithoutAuth,
req: {
name: 'read',
owners: ['securitySolutionFixture'],
},
auth: { user: superUser, space: 'space1' },
});

expectSnapshot(profiles.map(({ user, data }) => ({ user, data }))).toMatchInline(`
Array [
Object {
"data": Object {},
"user": Object {
"email": "[email protected]",
"full_name": "sec only_read",
"username": "sec_only_read",
},
},
]
`);
});

it('does not find a user who does not have access to the default space', async () => {
const profiles = await suggestUserProfiles({
supertest: supertestWithoutAuth,
Expand Down Expand Up @@ -85,6 +109,14 @@ export default function ({ getService }: FtrProviderContext) {
expect(profiles.filter(({ user }) => user.username === obsOnly.username)).to.be.empty();
expectSnapshot(profiles.map(({ user, data }) => ({ user, data }))).toMatchInline(`
Array [
Object {
"data": Object {},
"user": Object {
"email": "[email protected]",
"full_name": "sec only_read",
"username": "sec_only_read",
},
},
Object {
"data": Object {},
"user": Object {
Expand All @@ -105,19 +137,6 @@ export default function ({ getService }: FtrProviderContext) {
`);
});

it('does not find a user who does not have update privileges to cases', async () => {
const profiles = await suggestUserProfiles({
supertest: supertestWithoutAuth,
req: {
name: 'read',
owners: ['securitySolutionFixture'],
},
auth: { user: superUser, space: 'space1' },
});

expect(profiles).to.be.empty();
});

it('fails with a 403 because the user making the request does not have the appropriate api kibana endpoint privileges', async () => {
await suggestUserProfiles({
supertest: supertestWithoutAuth,
Expand Down Expand Up @@ -186,9 +205,9 @@ export default function ({ getService }: FtrProviderContext) {
Object {
"data": Object {},
"user": Object {
"email": "sec_only_no_delete@elastic.co",
"full_name": "sec only_no_delete",
"username": "sec_only_no_delete",
"email": "sec_only_read@elastic.co",
"full_name": "sec only_read",
"username": "sec_only_read",
},
},
]
Expand Down Expand Up @@ -242,7 +261,7 @@ export default function ({ getService }: FtrProviderContext) {
await deleteUsersAndRoles(getService, users, roles);
});

it('finds 3 profiles when searching for the name sec when a user has both security and observability privileges', async () => {
it('finds 4 profiles when searching for the name sec when a user has both security and observability privileges', async () => {
const profiles = await suggestUserProfiles({
supertest: supertestWithoutAuth,
req: {
Expand All @@ -254,6 +273,14 @@ export default function ({ getService }: FtrProviderContext) {

expectSnapshot(profiles.map(({ user, data }) => ({ user, data }))).toMatchInline(`
Array [
Object {
"data": Object {},
"user": Object {
"email": "[email protected]",
"full_name": "sec only_read",
"username": "sec_only_read",
},
},
Object {
"data": Object {},
"user": Object {
Expand Down

0 comments on commit e333c6e

Please sign in to comment.