Allow applications to register feature privileges which are excluded …

…from the base privileges (elastic#41300) * Allowing features with reserved and normal privileges to be listed * Allowing privileges to be excluded from the base privileges * Defaulting to custom when creating new privilege entries * Adjusting logic for the privilege space table and adding tests Prior to these changes, if we gave the user global base all and then a custom set of privileges at a space granting access to the reservedAndNormal feature, it'd show "All" for the space specific privileges. * Better naming for tests * Using a common rawKibanaPrivileges fixture * Rendering tooltip when feature isn't part of the base privileges * i18n'ing a string * Properly i18n'ing the string?
nreese · Jul 30, 2019 · d4a512f · d4a512f
1 parent 2e619f1
commit d4a512f
Show file tree

Hide file tree

Showing 14 changed files with 1,075 additions and 66 deletions.
diff --git a/...c/views/management/edit_role/components/privileges/kibana/feature_table/feature_table.tsx b/...c/views/management/edit_role/components/privileges/kibana/feature_table/feature_table.tsx
@@ -63,11 +63,17 @@ export class FeatureTable extends Component<Props, {}> {
 
     const items: TableRow[] = features
       .sort((feature1, feature2) => {
-        if (feature1.reserved && !feature2.reserved) {
+        if (
+          Object.keys(feature1.privileges).length === 0 &&
+          Object.keys(feature2.privileges).length > 0
+        ) {
           return 1;
         }
 
-        if (feature2.reserved && !feature1.reserved) {
+        if (
+          Object.keys(feature2.privileges).length === 0 &&
+          Object.keys(feature1.privileges).length > 0
+        ) {
           return -1;
         }
 
@@ -165,9 +171,9 @@ export class FeatureTable extends Component<Props, {}> {
         </span>
       ),
       render: (roleEntry: Role, record: TableRow) => {
-        const { id: featureId, reserved } = record.feature;
+        const { id: featureId, name: featureName, reserved, privileges } = record.feature;
 
-        if (reserved) {
+        if (reserved && Object.keys(privileges).length === 0) {
           return <EuiText size={'s'}>{reserved.description}</EuiText>;
         }
 
@@ -194,8 +200,27 @@ export class FeatureTable extends Component<Props, {}> {
           !this.props.disabled && (allowsNone || enabledFeaturePrivileges.length > 1);
 
         if (!canChangePrivilege) {
+          const assignedBasePrivilege =
+            this.props.role.kibana[this.props.spacesIndex].base.length > 0;
+
+          const excludedFromBasePrivilegsTooltip = (
+            <FormattedMessage
+              id="xpack.security.management.editRole.featureTable.excludedFromBasePrivilegsTooltip"
+              defaultMessage='Use "Custom" privileges to grant access. {featureName} isn&apos;t part of the base privileges.'
+              values={{ featureName }}
+            />
+          );
+
           return (
-            <PrivilegeDisplay privilege={actualPrivilegeValue} explanation={privilegeExplanation} />
+            <PrivilegeDisplay
+              privilege={actualPrivilegeValue}
+              explanation={privilegeExplanation}
+              tooltipContent={
+                assignedBasePrivilege && actualPrivilegeValue === NO_PRIVILEGE_VALUE
+                  ? excludedFromBasePrivilegsTooltip
+                  : undefined
+              }
+            />
           );
         }
 

diff --git a/...dit_role/components/privileges/kibana/space_aware_privilege_section/__fixtures__/index.ts b/...dit_role/components/privileges/kibana/space_aware_privilege_section/__fixtures__/index.ts
@@ -0,0 +1,7 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export { rawKibanaPrivileges } from './raw_kibana_privileges';
diff --git a/...nts/privileges/kibana/space_aware_privilege_section/__fixtures__/raw_kibana_privileges.ts b/...nts/privileges/kibana/space_aware_privilege_section/__fixtures__/raw_kibana_privileges.ts
@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { RawKibanaPrivileges } from '../../../../../../../../../common/model';
+
+export const rawKibanaPrivileges: RawKibanaPrivileges = {
+  global: {
+    all: ['normal-feature-all', 'normal-feature-read', 'just-global-all'],
+    read: ['normal-feature-read'],
+  },
+  space: {
+    all: ['normal-feature-all', 'normal-feature-read'],
+    read: ['normal-feature-read'],
+  },
+  reserved: {},
+  features: {
+    normal: {
+      all: ['normal-feature-all', 'normal-feature-read'],
+      read: ['normal-feature-read'],
+    },
+    excludedFromBase: {
+      all: ['excluded-from-base-all', 'excluded-from-base-read'],
+      read: ['excluded-from-base-read'],
+    },
+  },
+};
diff --git a/...ges/kibana/space_aware_privilege_section/__snapshots__/privilege_space_form.test.tsx.snap b/...ges/kibana/space_aware_privilege_section/__snapshots__/privilege_space_form.test.tsx.snap
diff --git a/...ole/components/privileges/kibana/space_aware_privilege_section/privilege_display.test.tsx b/...ole/components/privileges/kibana/space_aware_privilege_section/privilege_display.test.tsx
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { EuiIconTip, EuiText } from '@elastic/eui';
+import { EuiIconTip, EuiText, EuiToolTip } from '@elastic/eui';
 import React from 'react';
 import { mountWithIntl, shallowWithIntl } from 'test_utils/enzyme_helpers';
 import { PRIVILEGE_SOURCE } from '../../../../../../../lib/kibana_privilege_calculator';
@@ -26,7 +26,17 @@ describe('PrivilegeDisplay', () => {
 
   it('renders a privilege with tooltip, if provided', () => {
     const wrapper = mountWithIntl(
-      <PrivilegeDisplay privilege={'all'} tooltipContent={<b>ahh</b>} iconType={'asterisk'} />
+      <PrivilegeDisplay privilege={'all'} tooltipContent={<b>ahh</b>} />
+    );
+    expect(wrapper.text().trim()).toEqual('All');
+    expect(wrapper.find(EuiToolTip).props()).toMatchObject({
+      content: <b>ahh</b>,
+    });
+  });
+
+  it('renders a privilege with icon tooltip, if provided', () => {
+    const wrapper = mountWithIntl(
+      <PrivilegeDisplay privilege={'all'} iconTooltipContent={<b>ahh</b>} iconType={'asterisk'} />
     );
     expect(wrapper.text().trim()).toEqual('All');
     expect(wrapper.find(EuiIconTip).props()).toMatchObject({

diff --git a/...dit_role/components/privileges/kibana/space_aware_privilege_section/privilege_display.tsx b/...dit_role/components/privileges/kibana/space_aware_privilege_section/privilege_display.tsx
@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-import { EuiIcon, EuiIconTip, EuiText, IconType, PropsOf } from '@elastic/eui';
+import { EuiIcon, EuiIconTip, EuiText, IconType, PropsOf, EuiToolTip } from '@elastic/eui';
 import { FormattedMessage } from '@kbn/i18n/react';
 import _ from 'lodash';
 import React, { ReactNode, SFC } from 'react';
@@ -17,6 +17,7 @@ interface Props extends PropsOf<typeof EuiText> {
   privilege: string | string[] | undefined;
   explanation?: PrivilegeExplanation;
   iconType?: IconType;
+  iconTooltipContent?: ReactNode;
   tooltipContent?: ReactNode;
 }
 
@@ -39,13 +40,19 @@ export const PrivilegeDisplay: SFC<Props> = (props: Props) => {
 };
 
 const SimplePrivilegeDisplay: SFC<Props> = (props: Props) => {
-  const { privilege, iconType, tooltipContent, explanation, ...rest } = props;
+  const { privilege, iconType, iconTooltipContent, explanation, tooltipContent, ...rest } = props;
 
-  return (
+  const text = (
     <EuiText {...rest}>
-      {getDisplayValue(privilege)} {getIconTip(iconType, tooltipContent)}
+      {getDisplayValue(privilege)} {getIconTip(iconType, iconTooltipContent)}
     </EuiText>
   );
+
+  if (tooltipContent) {
+    return <EuiToolTip content={tooltipContent}>{text}</EuiToolTip>;
+  }
+
+  return text;
 };
 
 export const SupersededPrivilegeDisplay: SFC<Props> = (props: Props) => {
@@ -56,7 +63,7 @@ export const SupersededPrivilegeDisplay: SFC<Props> = (props: Props) => {
     <SimplePrivilegeDisplay
       {...props}
       iconType={'lock'}
-      tooltipContent={
+      iconTooltipContent={
         <FormattedMessage
           id="xpack.security.management.editRole.spaceAwarePrivilegeDisplay.privilegeSupercededMessage"
           defaultMessage="Original privilege of {supersededPrivilege} has been overriden by {actualPrivilegeSource}"
@@ -75,15 +82,17 @@ export const EffectivePrivilegeDisplay: SFC<Props> = (props: Props) => {
 
   const source = getReadablePrivilegeSource(explanation!.actualPrivilegeSource);
 
-  const tooltipContent = (
+  const iconTooltipContent = (
     <FormattedMessage
       id="xpack.security.management.editRole.spaceAwarePrivilegeDisplay.effectivePrivilegeMessage"
       defaultMessage="Granted via {source}."
       values={{ source }}
     />
   );
 
-  return <SimplePrivilegeDisplay {...rest} iconType={'lock'} tooltipContent={tooltipContent} />;
+  return (
+    <SimplePrivilegeDisplay {...rest} iconType={'lock'} iconTooltipContent={iconTooltipContent} />
+  );
 };
 
 PrivilegeDisplay.defaultProps = {