-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Cases] RBAC Refactoring audit logging #100952
Changes from 3 commits
6878922
294c99e
20e49ed
83146b3
95f2f58
2829509
e69c1cf
f5ee7dc
aa3bc6a
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -9,10 +9,11 @@ import { KibanaRequest, Logger } from 'kibana/server'; | |
import Boom from '@hapi/boom'; | ||
import { SecurityPluginStart } from '../../../security/server'; | ||
import { PluginStartContract as FeaturesPluginStart } from '../../../features/server'; | ||
import { AuthorizationFilter, GetSpaceFn } from './types'; | ||
import { AuthFilterHelpers, GetSpaceFn } from './types'; | ||
import { getOwnersFilter } from './utils'; | ||
import { AuthorizationAuditLogger, OperationDetails } from '.'; | ||
import { createCaseError } from '../common'; | ||
import { OwnerEntity } from './types'; | ||
|
||
/** | ||
* This class handles ensuring that the user making a request has the correct permissions | ||
|
@@ -90,10 +91,49 @@ export class Authorization { | |
* Checks that the user making the request for the passed in owners and operation has the correct authorization. This | ||
* function will throw if the user is not authorized for the requested operation and owners. | ||
* | ||
* @param owners an array of strings describing the case owners attempting to be authorized | ||
* @param enitites an array of entities describing the case owners in conjunction with the saved object ID attempting | ||
* to be authorized | ||
* @param operation information describing the operation attempting to be authorized | ||
*/ | ||
public async ensureAuthorized(owners: string[], operation: OperationDetails) { | ||
public async ensureAuthorized({ | ||
entities, | ||
operation, | ||
}: { | ||
entities: OwnerEntity[]; | ||
operation: OperationDetails; | ||
}) { | ||
const logSavedObjects = (error?: Error) => { | ||
for (const entity of entities) { | ||
this.auditLogger.log({ operation, error, entity }); | ||
} | ||
}; | ||
|
||
try { | ||
await this.ensureAuthorizedHelper( | ||
entities.map((entity) => entity.owner), | ||
operation | ||
); | ||
|
||
logSavedObjects(); | ||
} catch (error) { | ||
logSavedObjects(error); | ||
throw error; | ||
} | ||
} | ||
|
||
/** | ||
* Returns an object to filter the saved object find request to the authorized owners of an entity. | ||
*/ | ||
public async getAuthorizationFilter(operation: OperationDetails): Promise<AuthFilterHelpers> { | ||
try { | ||
return await this.getFindAuthorizationFilterHelper(operation); | ||
} catch (error) { | ||
this.auditLogger.log({ error, operation }); | ||
throw error; | ||
} | ||
} | ||
|
||
private async ensureAuthorizedHelper(owners: string[], operation: OperationDetails) { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nit: What do you think about |
||
const { securityAuth } = this; | ||
const areAllOwnersAvailable = owners.every((owner) => this.featureCaseOwners.has(owner)); | ||
|
||
|
@@ -103,7 +143,7 @@ export class Authorization { | |
); | ||
|
||
const checkPrivileges = securityAuth.checkPrivilegesDynamicallyWithRequest(this.request); | ||
const { hasAllRequested, username } = await checkPrivileges({ | ||
const { hasAllRequested } = await checkPrivileges({ | ||
kibana: requiredPrivileges, | ||
}); | ||
|
||
|
@@ -115,55 +155,55 @@ export class Authorization { | |
* as Privileged. | ||
* This check will ensure we don't accidentally let these through | ||
*/ | ||
throw Boom.forbidden(this.auditLogger.failure({ username, owners, operation })); | ||
throw Boom.forbidden(AuthorizationAuditLogger.createFailureMessage({ owners, operation })); | ||
} | ||
|
||
if (hasAllRequested) { | ||
this.auditLogger.success({ username, operation, owners }); | ||
} else { | ||
throw Boom.forbidden(this.auditLogger.failure({ owners, operation, username })); | ||
if (!hasAllRequested) { | ||
throw Boom.forbidden(AuthorizationAuditLogger.createFailureMessage({ owners, operation })); | ||
} | ||
} else if (!areAllOwnersAvailable) { | ||
throw Boom.forbidden(this.auditLogger.failure({ owners, operation })); | ||
throw Boom.forbidden(AuthorizationAuditLogger.createFailureMessage({ owners, operation })); | ||
} | ||
|
||
// else security is disabled so let the operation proceed | ||
} | ||
|
||
/** | ||
* Returns an object to filter the saved object find request to the authorized owners of an entity. | ||
*/ | ||
public async getFindAuthorizationFilter( | ||
private async getFindAuthorizationFilterHelper( | ||
operation: OperationDetails | ||
): Promise<AuthorizationFilter> { | ||
): Promise<AuthFilterHelpers> { | ||
const { securityAuth } = this; | ||
if (securityAuth && this.shouldCheckAuthorization()) { | ||
const { username, authorizedOwners } = await this.getAuthorizedOwners([operation]); | ||
const { authorizedOwners } = await this.getAuthorizedOwners([operation]); | ||
|
||
if (!authorizedOwners.length) { | ||
throw Boom.forbidden(this.auditLogger.failure({ username, operation })); | ||
throw Boom.forbidden( | ||
AuthorizationAuditLogger.createFailureMessage({ owners: authorizedOwners, operation }) | ||
); | ||
} | ||
|
||
return { | ||
filter: getOwnersFilter(operation.savedObjectType, authorizedOwners), | ||
ensureSavedObjectIsAuthorized: (owner: string) => { | ||
if (!authorizedOwners.includes(owner)) { | ||
throw Boom.forbidden( | ||
this.auditLogger.failure({ username, operation, owners: [owner] }) | ||
); | ||
} | ||
}, | ||
logSuccessfulAuthorization: () => { | ||
if (authorizedOwners.length) { | ||
this.auditLogger.success({ username, owners: authorizedOwners, operation }); | ||
ensureSavedObjectsAreAuthorized: (entities: OwnerEntity[]) => { | ||
for (const entity of entities) { | ||
if (!authorizedOwners.includes(entity.owner)) { | ||
const error = Boom.forbidden( | ||
AuthorizationAuditLogger.createFailureMessage({ | ||
operation, | ||
owners: [entity.owner], | ||
}) | ||
); | ||
this.auditLogger.log({ error, operation, entity }); | ||
throw error; | ||
} | ||
|
||
this.auditLogger.log({ operation, entity }); | ||
} | ||
}, | ||
}; | ||
} | ||
|
||
return { | ||
ensureSavedObjectIsAuthorized: (owner: string) => {}, | ||
logSuccessfulAuthorization: () => {}, | ||
ensureSavedObjectsAreAuthorized: (entities: OwnerEntity[]) => {}, | ||
}; | ||
} | ||
|
||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import { isWriteOperation, Operations } from '.'; | ||
import { OperationDetails } from './types'; | ||
|
||
describe('index tests', () => { | ||
it('should identify a write operation', () => { | ||
expect(isWriteOperation(Operations.createCase)).toBeTruthy(); | ||
}); | ||
|
||
it('should identify a read operation', () => { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nit: There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. yeah good point, I guess it doesn't necessarily mean that it is a |
||
expect(isWriteOperation(Operations.getCase)).toBeFalsy(); | ||
}); | ||
|
||
it('should not identify an invalid operation as a write operation', () => { | ||
expect(isWriteOperation({ name: 'blah' } as OperationDetails)).toBeFalsy(); | ||
}); | ||
}); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: in the very unlikely event that this call to
logSavedObjects
throws an exception, we will end up with both success and failure events in the audit logs. If we movelogSavedObjects
below thistry
block, then we will prevent this from happening