[Alerting] Refactor alerts authorization client (elastic#99078)
* WIP - creating alerting authorization client factory and exposing authorization client on plugin start contract

* Updating alerting feature privilege builder to handle different alerting types

* Passing in alerting authorization type to AlertingActions class string builder

* Passing in authorization type in each function call

* Passing in exempt consumer ids. Adding authorization type to audit logger

* Changing alertType to ruleType

* Changing alertType to ruleType

* Updating unit tests

* Updating unit tests

* Passing field names into authorization query builder. Adding kql/es dsl option

* Converting to es query if requested

* Fixing functional tests

* Removing ability to specify feature privilege name in constructor

* Fixing some types and tests

* Consolidating alerting authorization kuery filter options

* Cleanup and tests

* Cleanup and tests

* Throwing error when AlertingAuthorizationClientFactory is not defined

* Renaming authorizationType to entity

* Renaming AlertsAuthorization to AlertingAuthorization

* Fixing unit tests

* Updating privilege string terminology

* Updating privilege string terminology

Co-authored-by: Kibana Machine <[email protected]>
2 people authored and yctercero committed May 25, 2021
1 parent 32093be commit 7d42c25
Showing 6 changed files with 31 additions and 24 deletions.
Expand Up @@ -222,13 +222,13 @@ describe('getAlertState()', () => {
const alertsClient = new AlertsClient(alertsClientParams);
// `get` check
authorization.ensureAuthorized.mockResolvedValueOnce();
// `getAlertState` check
// `getRuleState` check
authorization.ensureAuthorized.mockRejectedValueOnce(
new Error(`Unauthorized to getAlertState a "myType" alert for "myApp"`)
new Error(`Unauthorized to getRuleState a "myType" alert for "myApp"`)
);

await expect(alertsClient.getAlertState({ id: '1' })).rejects.toMatchInlineSnapshot(
`[Error: Unauthorized to getAlertState a "myType" alert for "myApp"]`
`[Error: Unauthorized to getRuleState a "myType" alert for "myApp"]`
);

expect(authorization.ensureAuthorized).toHaveBeenCalledWith({
Expand Up @@ -170,13 +170,13 @@ describe('muteInstance()', () => {
test('throws when user is not authorised to muteInstance this type of alert', async () => {
const alertsClient = new AlertsClient(alertsClientParams);
authorization.ensureAuthorized.mockRejectedValue(
new Error(`Unauthorized to muteInstance a "myType" alert for "myApp"`)
new Error(`Unauthorized to muteAlert a "myType" alert for "myApp"`)
);

await expect(
alertsClient.muteInstance({ alertId: '1', alertInstanceId: '2' })
).rejects.toMatchInlineSnapshot(
`[Error: Unauthorized to muteInstance a "myType" alert for "myApp"]`
`[Error: Unauthorized to muteAlert a "myType" alert for "myApp"]`
);

expect(authorization.ensureAuthorized).toHaveBeenCalledWith({
Expand Up @@ -168,13 +168,13 @@ describe('unmuteInstance()', () => {
test('throws when user is not authorised to unmuteInstance this type of alert', async () => {
const alertsClient = new AlertsClient(alertsClientParams);
authorization.ensureAuthorized.mockRejectedValue(
new Error(`Unauthorized to unmuteInstance a "myType" alert for "myApp"`)
new Error(`Unauthorized to unmuteAlert a "myType" alert for "myApp"`)
);

await expect(
alertsClient.unmuteInstance({ alertId: '1', alertInstanceId: '2' })
).rejects.toMatchInlineSnapshot(
`[Error: Unauthorized to unmuteInstance a "myType" alert for "myApp"]`
`[Error: Unauthorized to unmuteAlert a "myType" alert for "myApp"]`
);

expect(authorization.ensureAuthorized).toHaveBeenCalledWith({
Expand Up @@ -28,8 +28,8 @@ export enum AlertingAuthorizationEntity {

export enum ReadOperations {
Get = 'get',
GetAlertState = 'getAlertState',
GetAlertInstanceSummary = 'getAlertInstanceSummary',
GetRuleState = 'getRuleState',
GetAlertSummary = 'getAlertSummary',
Find = 'find',
}

Expand All @@ -42,8 +42,15 @@ export enum WriteOperations {
Disable = 'disable',
MuteAll = 'muteAll',
UnmuteAll = 'unmuteAll',
MuteInstance = 'muteInstance',
UnmuteInstance = 'unmuteInstance',
MuteAlert = 'muteAlert',
UnmuteAlert = 'unmuteAlert',
}

export interface EnsureAuthorizedOpts {
ruleTypeId: string;
consumer: string;
operation: ReadOperations | WriteOperations;
entity: AlertingAuthorizationEntity;
}

export interface EnsureAuthorizedOpts {
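Review bot: The second hunk leaves two `export interface EnsureAuthorizedOpts {` declarations back to back: going by the header `-42,8 +42,15`, the seven-line block with `ruleTypeId`, `consumer`, `operation` and `entity` is new, and the existing declaration follows it as the last context line. TypeScript merges same-named interfaces, so this compiles, but the option shape of the authorization check is then defined in two places that can drift apart; the body of the second declaration is outside the hunk, so whether the two are identical cannot be confirmed from here, and if they are, one copy should be dropped. The renamed enum values (`getRuleState`, `getAlertSummary`, `muteAlert`, `unmuteAlert`) also appear verbatim in the "Unauthorized to …" messages asserted elsewhere in this commit, and presumably in the privilege actions and audit entries derived from them, so log searches or detections keyed on the old names would need updating. A comment above the enums would make that explicit, e.g. `// Values are embedded in privilege actions and authorization error messages; renaming one is externally visible.`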
Expand Up @@ -73,7 +73,7 @@ export default function createMuteAlertInstanceTests({ getService }: FtrProvider
expect(response.body).to.eql({
error: 'Forbidden',
message: getConsumerUnauthorizedErrorMessage(
'muteInstance',
'muteAlert',
'test.noop',
'alertsFixture'
),
Expand Down Expand Up @@ -138,7 +138,7 @@ export default function createMuteAlertInstanceTests({ getService }: FtrProvider
expect(response.body).to.eql({
error: 'Forbidden',
message: getConsumerUnauthorizedErrorMessage(
'muteInstance',
'muteAlert',
'test.restricted-noop',
'alertsRestrictedFixture'
),
Expand Down Expand Up @@ -192,7 +192,7 @@ export default function createMuteAlertInstanceTests({ getService }: FtrProvider
expect(response.body).to.eql({
error: 'Forbidden',
message: getConsumerUnauthorizedErrorMessage(
'muteInstance',
'muteAlert',
'test.unrestricted-noop',
'alertsFixture'
),
Expand All @@ -205,7 +205,7 @@ export default function createMuteAlertInstanceTests({ getService }: FtrProvider
expect(response.body).to.eql({
error: 'Forbidden',
message: getProducerUnauthorizedErrorMessage(
'muteInstance',
'muteAlert',
'test.unrestricted-noop',
'alertsRestrictedFixture'
),
Expand Down Expand Up @@ -258,7 +258,7 @@ export default function createMuteAlertInstanceTests({ getService }: FtrProvider
expect(response.body).to.eql({
error: 'Forbidden',
message: getConsumerUnauthorizedErrorMessage(
'muteInstance',
'muteAlert',
'test.restricted-noop',
'alerts'
),
Expand All @@ -272,7 +272,7 @@ export default function createMuteAlertInstanceTests({ getService }: FtrProvider
expect(response.body).to.eql({
error: 'Forbidden',
message: getProducerUnauthorizedErrorMessage(
'muteInstance',
'muteAlert',
'test.restricted-noop',
'alertsRestrictedFixture'
),
Expand Down Expand Up @@ -325,7 +325,7 @@ export default function createMuteAlertInstanceTests({ getService }: FtrProvider
expect(response.body).to.eql({
error: 'Forbidden',
message: getConsumerUnauthorizedErrorMessage(
'muteInstance',
'muteAlert',
'test.noop',
'alertsFixture'
),
Expand Up @@ -78,7 +78,7 @@ export default function createMuteAlertInstanceTests({ getService }: FtrProvider
expect(response.body).to.eql({
error: 'Forbidden',
message: getConsumerUnauthorizedErrorMessage(
'unmuteInstance',
'unmuteAlert',
'test.noop',
'alertsFixture'
),
Expand Down Expand Up @@ -148,7 +148,7 @@ export default function createMuteAlertInstanceTests({ getService }: FtrProvider
expect(response.body).to.eql({
error: 'Forbidden',
message: getConsumerUnauthorizedErrorMessage(
'unmuteInstance',
'unmuteAlert',
'test.restricted-noop',
'alertsRestrictedFixture'
),
Expand Down Expand Up @@ -207,7 +207,7 @@ export default function createMuteAlertInstanceTests({ getService }: FtrProvider
expect(response.body).to.eql({
error: 'Forbidden',
message: getConsumerUnauthorizedErrorMessage(
'unmuteInstance',
'unmuteAlert',
'test.unrestricted-noop',
'alertsFixture'
),
Expand All @@ -220,7 +220,7 @@ export default function createMuteAlertInstanceTests({ getService }: FtrProvider
expect(response.body).to.eql({
error: 'Forbidden',
message: getProducerUnauthorizedErrorMessage(
'unmuteInstance',
'unmuteAlert',
'test.unrestricted-noop',
'alertsRestrictedFixture'
),
Expand Down Expand Up @@ -278,7 +278,7 @@ export default function createMuteAlertInstanceTests({ getService }: FtrProvider
expect(response.body).to.eql({
error: 'Forbidden',
message: getConsumerUnauthorizedErrorMessage(
'unmuteInstance',
'unmuteAlert',
'test.restricted-noop',
'alerts'
),
Expand All @@ -292,7 +292,7 @@ export default function createMuteAlertInstanceTests({ getService }: FtrProvider
expect(response.body).to.eql({
error: 'Forbidden',
message: getProducerUnauthorizedErrorMessage(
'unmuteInstance',
'unmuteAlert',
'test.restricted-noop',
'alertsRestrictedFixture'
),