Reducing operations

elastic · Apr 29, 2021 · f7ae701 · f7ae701
1 parent d048e07
commit f7ae701
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 40 deletions.
diff --git a/x-pack/plugins/cases/server/authorization/index.ts b/x-pack/plugins/cases/server/authorization/index.ts
@@ -48,6 +48,16 @@ const EVENT_TYPES: Record<string, EcsEventType> = {
   access: 'access',
 };
 
+/**
+ * These values need to match the respective values in this file: x-pack/plugins/security/server/authorization/privileges/feature_privilege_builder/cases.ts
+ * These are shared between find, get, get all, and delete/delete all
+ * There currently isn't a use case for a user to delete one comment but not all or differentiating between get, get all,
+ * and find operations from a privilege stand point.
+ */
+const DELETE_COMMENT_OPERATION = 'deleteComment';
+const ACCESS_COMMENT_OPERATION = 'getComment';
+const ACCESS_CASE_OPERATION = 'getCase';
+
 /**
  * Database constant for ECS category for use for audit logging.
  */
@@ -117,15 +127,15 @@ export const Operations: Record<ReadOperations | WriteOperations, OperationDetai
   },
   [ReadOperations.GetCase]: {
     type: EVENT_TYPES.access,
-    name: ReadOperations.GetCase,
+    name: ACCESS_CASE_OPERATION,
     action: 'get-case',
     verbs: accessVerbs,
     docType: 'case',
     savedObjectType: CASE_SAVED_OBJECT,
   },
   [ReadOperations.FindCases]: {
     type: EVENT_TYPES.access,
-    name: ReadOperations.FindCases,
+    name: ACCESS_CASE_OPERATION,
     action: 'find-cases',
     verbs: accessVerbs,
     docType: 'cases',
@@ -158,15 +168,15 @@ export const Operations: Record<ReadOperations | WriteOperations, OperationDetai
   },
   [WriteOperations.DeleteAllComments]: {
     type: EVENT_TYPES.deletion,
-    name: WriteOperations.DeleteAllComments,
+    name: DELETE_COMMENT_OPERATION,
     action: 'delete-all-comments',
     verbs: deleteVerbs,
     docType: 'comments',
     savedObjectType: CASE_COMMENT_SAVED_OBJECT,
   },
   [WriteOperations.DeleteComment]: {
     type: EVENT_TYPES.deletion,
-    name: WriteOperations.DeleteComment,
+    name: DELETE_COMMENT_OPERATION,
     action: 'delete-comment',
     verbs: deleteVerbs,
     docType: 'comments',
@@ -182,23 +192,23 @@ export const Operations: Record<ReadOperations | WriteOperations, OperationDetai
   },
   [ReadOperations.GetComment]: {
     type: EVENT_TYPES.access,
-    name: ReadOperations.GetComment,
+    name: ACCESS_COMMENT_OPERATION,
     action: 'get-comment',
     verbs: accessVerbs,
     docType: 'comments',
     savedObjectType: CASE_COMMENT_SAVED_OBJECT,
   },
   [ReadOperations.GetAllComments]: {
     type: EVENT_TYPES.access,
-    name: ReadOperations.GetAllComments,
+    name: ACCESS_COMMENT_OPERATION,
     action: 'get-all-comment',
     verbs: accessVerbs,
     docType: 'comments',
     savedObjectType: CASE_COMMENT_SAVED_OBJECT,
   },
   [ReadOperations.FindComments]: {
     type: EVENT_TYPES.access,
-    name: ReadOperations.FindComments,
+    name: ACCESS_COMMENT_OPERATION,
     action: 'find-comments',
     verbs: accessVerbs,
     docType: 'comments',

diff --git a/x-pack/plugins/cases/server/authorization/types.ts b/x-pack/plugins/cases/server/authorization/types.ts
@@ -59,11 +59,30 @@ export enum WriteOperations {
  * Defines the structure for a case API route.
  */
 export interface OperationDetails {
+  /**
+   * The ECS event type that this operation should be audit logged as (creation, deletion, access, etc)
+   */
   type: EcsEventType;
-  name: ReadOperations | WriteOperations;
+  /**
+   * The name of the operation to authorize against for the privilege check.
+   * These values need to match one of the operation strings defined here: x-pack/plugins/security/server/authorization/privileges/feature_privilege_builder/cases.ts
+   */
+  name: string;
+  /**
+   * The ECS `event.action` field, should be in the form of <operation>-<entity> e.g get-comment, find-cases
+   */
   action: string;
+  /**
+   * The verbs that are associated with this type of operation, these should line up with the event type e.g. creating, created, create etc
+   */
   verbs: Verbs;
+  /**
+   * The readable name of the entity being operated on e.g. case, comment, configurations (make it plural if it reads better that way etc)
+   */
   docType: string;
+  /**
+   * The actual saved object type of the entity e.g. cases, cases-comments
+   */
   savedObjectType: string;
 }
 

diff --git a/.../plugins/security/server/authorization/privileges/feature_privilege_builder/cases.test.ts b/.../plugins/security/server/authorization/privileges/feature_privilege_builder/cases.test.ts
@@ -71,10 +71,7 @@ describe(`cases`, () => {
         expect(casesFeaturePrivilege.getActions(privilege, feature)).toMatchInlineSnapshot(`
           Array [
             "cases:1.0.0-zeta1:observability/getCase",
-            "cases:1.0.0-zeta1:observability/findCases",
             "cases:1.0.0-zeta1:observability/getComment",
-            "cases:1.0.0-zeta1:observability/getAllComments",
-            "cases:1.0.0-zeta1:observability/findComments",
             "cases:1.0.0-zeta1:observability/getTags",
             "cases:1.0.0-zeta1:observability/getReporters",
             "cases:1.0.0-zeta1:observability/findConfigurations",
@@ -112,18 +109,14 @@ describe(`cases`, () => {
         expect(casesFeaturePrivilege.getActions(privilege, feature)).toMatchInlineSnapshot(`
           Array [
             "cases:1.0.0-zeta1:security/getCase",
-            "cases:1.0.0-zeta1:security/findCases",
             "cases:1.0.0-zeta1:security/getComment",
-            "cases:1.0.0-zeta1:security/getAllComments",
-            "cases:1.0.0-zeta1:security/findComments",
             "cases:1.0.0-zeta1:security/getTags",
             "cases:1.0.0-zeta1:security/getReporters",
             "cases:1.0.0-zeta1:security/findConfigurations",
             "cases:1.0.0-zeta1:security/createCase",
             "cases:1.0.0-zeta1:security/deleteCase",
             "cases:1.0.0-zeta1:security/updateCase",
             "cases:1.0.0-zeta1:security/createComment",
-            "cases:1.0.0-zeta1:security/deleteAllComments",
             "cases:1.0.0-zeta1:security/deleteComment",
             "cases:1.0.0-zeta1:security/updateComment",
             "cases:1.0.0-zeta1:security/createConfiguration",
@@ -163,27 +156,20 @@ describe(`cases`, () => {
         expect(casesFeaturePrivilege.getActions(privilege, feature)).toMatchInlineSnapshot(`
           Array [
             "cases:1.0.0-zeta1:security/getCase",
-            "cases:1.0.0-zeta1:security/findCases",
             "cases:1.0.0-zeta1:security/getComment",
-            "cases:1.0.0-zeta1:security/getAllComments",
-            "cases:1.0.0-zeta1:security/findComments",
             "cases:1.0.0-zeta1:security/getTags",
             "cases:1.0.0-zeta1:security/getReporters",
             "cases:1.0.0-zeta1:security/findConfigurations",
             "cases:1.0.0-zeta1:security/createCase",
             "cases:1.0.0-zeta1:security/deleteCase",
             "cases:1.0.0-zeta1:security/updateCase",
             "cases:1.0.0-zeta1:security/createComment",
-            "cases:1.0.0-zeta1:security/deleteAllComments",
             "cases:1.0.0-zeta1:security/deleteComment",
             "cases:1.0.0-zeta1:security/updateComment",
             "cases:1.0.0-zeta1:security/createConfiguration",
             "cases:1.0.0-zeta1:security/updateConfiguration",
             "cases:1.0.0-zeta1:obs/getCase",
-            "cases:1.0.0-zeta1:obs/findCases",
             "cases:1.0.0-zeta1:obs/getComment",
-            "cases:1.0.0-zeta1:obs/getAllComments",
-            "cases:1.0.0-zeta1:obs/findComments",
             "cases:1.0.0-zeta1:obs/getTags",
             "cases:1.0.0-zeta1:obs/getReporters",
             "cases:1.0.0-zeta1:obs/findConfigurations",
@@ -222,52 +208,38 @@ describe(`cases`, () => {
         expect(casesFeaturePrivilege.getActions(privilege, feature)).toMatchInlineSnapshot(`
           Array [
             "cases:1.0.0-zeta1:security/getCase",
-            "cases:1.0.0-zeta1:security/findCases",
             "cases:1.0.0-zeta1:security/getComment",
-            "cases:1.0.0-zeta1:security/getAllComments",
-            "cases:1.0.0-zeta1:security/findComments",
             "cases:1.0.0-zeta1:security/getTags",
             "cases:1.0.0-zeta1:security/getReporters",
             "cases:1.0.0-zeta1:security/findConfigurations",
             "cases:1.0.0-zeta1:security/createCase",
             "cases:1.0.0-zeta1:security/deleteCase",
             "cases:1.0.0-zeta1:security/updateCase",
             "cases:1.0.0-zeta1:security/createComment",
-            "cases:1.0.0-zeta1:security/deleteAllComments",
             "cases:1.0.0-zeta1:security/deleteComment",
             "cases:1.0.0-zeta1:security/updateComment",
             "cases:1.0.0-zeta1:security/createConfiguration",
             "cases:1.0.0-zeta1:security/updateConfiguration",
             "cases:1.0.0-zeta1:other-security/getCase",
-            "cases:1.0.0-zeta1:other-security/findCases",
             "cases:1.0.0-zeta1:other-security/getComment",
-            "cases:1.0.0-zeta1:other-security/getAllComments",
-            "cases:1.0.0-zeta1:other-security/findComments",
             "cases:1.0.0-zeta1:other-security/getTags",
             "cases:1.0.0-zeta1:other-security/getReporters",
             "cases:1.0.0-zeta1:other-security/findConfigurations",
             "cases:1.0.0-zeta1:other-security/createCase",
             "cases:1.0.0-zeta1:other-security/deleteCase",
             "cases:1.0.0-zeta1:other-security/updateCase",
             "cases:1.0.0-zeta1:other-security/createComment",
-            "cases:1.0.0-zeta1:other-security/deleteAllComments",
             "cases:1.0.0-zeta1:other-security/deleteComment",
             "cases:1.0.0-zeta1:other-security/updateComment",
             "cases:1.0.0-zeta1:other-security/createConfiguration",
             "cases:1.0.0-zeta1:other-security/updateConfiguration",
             "cases:1.0.0-zeta1:obs/getCase",
-            "cases:1.0.0-zeta1:obs/findCases",
             "cases:1.0.0-zeta1:obs/getComment",
-            "cases:1.0.0-zeta1:obs/getAllComments",
-            "cases:1.0.0-zeta1:obs/findComments",
             "cases:1.0.0-zeta1:obs/getTags",
             "cases:1.0.0-zeta1:obs/getReporters",
             "cases:1.0.0-zeta1:obs/findConfigurations",
             "cases:1.0.0-zeta1:other-obs/getCase",
-            "cases:1.0.0-zeta1:other-obs/findCases",
             "cases:1.0.0-zeta1:other-obs/getComment",
-            "cases:1.0.0-zeta1:other-obs/getAllComments",
-            "cases:1.0.0-zeta1:other-obs/findComments",
             "cases:1.0.0-zeta1:other-obs/getTags",
             "cases:1.0.0-zeta1:other-obs/getReporters",
             "cases:1.0.0-zeta1:other-obs/findConfigurations",

diff --git a/x-pack/plugins/security/server/authorization/privileges/feature_privilege_builder/cases.ts b/x-pack/plugins/security/server/authorization/privileges/feature_privilege_builder/cases.ts
@@ -14,10 +14,7 @@ import { BaseFeaturePrivilegeBuilder } from './feature_privilege_builder';
 // x-pack/plugins/cases/server/authorization/index.ts
 const readOperations: string[] = [
   'getCase',
-  'findCases',
   'getComment',
-  'getAllComments',
-  'findComments',
   'getTags',
   'getReporters',
   'findConfigurations',
@@ -27,7 +24,6 @@ const writeOperations: string[] = [
   'deleteCase',
   'updateCase',
   'createComment',
-  'deleteAllComments',
   'deleteComment',
   'updateComment',
   'createConfiguration',