[WIP] Securing Spaces #21995
Merged
Changes from 48 commits
88 commits
a25ed8e kobelb: Splitting to a client and a wrapper, integration tests are passing
e0a83cd kobelb: Adding the spaces wrapper back in the mix using a priority collection
f937154 kobelb: Restructuring the secure wrapper as we don't need to switch between
591a31b kobelb: Checking authorization at the current space
dbfe32e kobelb: Beginning to make the rbac api integration tests run against spaces
d25514a kobelb: Adding identical data to the rbac esArchives for two more spaces
7ed4332 kobelb: Adding some space tests for find
43322c2 kobelb: Beginning to work on the spaces client
daad804 kobelb: Fixing find and filtering out unrequested privileges from response
d5b9b53 kobelb: Adding get code and test
74335fa kobelb: Introducing an RBAC Auth Scope
706c505 kobelb: Exposing the spacesClient a bit better
e0a6c6f kobelb: Moving the server.expose to the security plugin init
5487f0f kobelb: Moving checkPrivilegesAtAllResources to its own thing
69b1eb6 kobelb: No longer using the auth scope for RBAC, dashboard mode didn't work with
685b061 kobelb: Securing the create space method
c7e390b kobelb: Adding secure update method
6d5a15a kobelb: Adding secured delete endpoints
e355ff0 kobelb: Restructuring some code in the spaces client
67b64e9 kobelb: Adding tests for the select endpoint
52633f0 kobelb: Spaces can't be managed via the SavedObjectsClient now
d2ab5cc kobelb: Creating separate space_all and space_read privileges
cff7c61 kobelb: Merge branch 'spaces-phase-1' into spaces/securing
b827684 kobelb: Splitting out the spaces and global privileges
ed54020 kobelb: Merge branch 'spaces-phase-1' into spaces/securing
3d75fb3 kobelb: Fixing edit role screen after API changes
151d4ee kobelb: Revising comment, there is a Set in JavaScript now, but lodash can't
cec82a9 kobelb: Using authorization mode to log deprecation warning on login
5649e10 kobelb: Changing the signature of checkPrivileges
5995cae kobelb: Refactoring the way we specify resources when checking privileges
b87b506 kobelb: Exposing the space service more intuitively
13fdf1f kobelb: Fixing comments
588e2e8 kobelb: Security defines all actions
87a8332 kobelb: Renaming `response` returned by the checkPrivileges function
58f037c kobelb: Merge remote-tracking branch 'upstream/spaces-phase-1' into spaces/se…
e64ec72 kobelb: Hard-coding the kibana app privileges temporarily
daca66b kobelb: Adding Authenticator authorization mode tests
8ee733f kobelb: Adding actions.manageSpaces tests
58aa6f1 kobelb: Adding check privileges tests
18e058f kobelb: Fixing checkPrivileges test snapshots
3813a12 kobelb: Making sure tests fail until I correct this deficiency
a50d51a kobelb: Adding stubbed out authorization mode tests
4dfb720 kobelb: Fixing tests for RegisterPrivilegesWithCluster
2a632f0 kobelb: Fixing service AuthorizationService tests
e3b23e6 kobelb: Adding serializer tests
1f5c127 kobelb: Adding validateEsResponse tests
31cc9ff kobelb: We don't need the SecureSavedObjectsClient anymore!
ac3d143 kobelb: Adding SecureSavedObjectsClientWrapper tests...
aefe2c5 kobelb: Merge remote-tracking branch 'upstream/spaces-phase-1' into spaces/se…
ce171ca kobelb: Fixing a few stray tests
cef2e78 kobelb: Fixing issue when user isn't authenticated and check useRbacForRequest
7b4575b kobelb: Merge remote-tracking branch 'upstream/spaces-phase-1' into spaces/se…
5413b47 kobelb: Validating spaces we're adding to roles
c02d0fb kobelb: Reusing hasAnyPrivileges from hasAnyResourcePrivileges
1436495 kobelb: Better variable name
79884be kobelb: toArray -> toPrioritizedArray
b7d2aa4 kobelb: Using Space throughout the SpacesClient
14a1d96 kobelb: GetActiveSpace uses the SpacesClient now
d9699f9 kobelb: Squashed commit of the following:
6da2f05 legrego: Merge branch 'spaces-phase-1' into spaces/securing
8e52fc0 legrego: update public api to use SpacesClient
81b785b legrego: fix
b3b04f3 legrego: test and api fixes
fb40ad9 legrego: fix tests
eb3fde7 legrego: Merge branch 'spaces-phase-1' into spaces/securing
f52e688 kobelb: Merge pull request #5 from legrego/spaces/securing-update
88b03e7 kobelb: Disallowing use of Spaces with the SpacesSavedObjectsClientWrapper
b2e4321 kobelb: Adding spaces audit logging
454dcb1 kobelb: Updating snapshots
d01f9b6 kobelb: Adding get and getAll tests for the spaces client
e3569c8 kobelb: Adding update tests
90b9811 kobelb: Adding create tests
3d0a8f4 kobelb: Adding SpacesClient delete tests
a061555 kobelb: Fixing authenticate tests
b8d9738 kobelb: Making tests more consistent
5e79942 kobelb: Merge remote-tracking branch 'upstream/spaces-phase-1' into spaces/se…
54360a2 kobelb: Fixing kibana privileges tests
ec1eeb7 kobelb: Fixing a few type issues
6685a52 kobelb: Making typescript ignore the .only test suites
dea9859 kobelb: Switching to beforeEach and afterEach and removing the mocha types
d9dc42b kobelb: Switching to our own expect.js definitions
77538e8 kobelb: Fixing more linting rules
b7fc11e kobelb: Removing test stubs and replacing with TODOs. Updating snapshots
f59a2ee kobelb: No longer shadowing application for the put role API
bbc54cb kobelb: Relying on the errors thrown by the SpacedClient when determining active
aba3f39 kobelb: Back to after/before... mocha doesn't have beforeAll/afterAll
0a531b5 kobelb: We got them types, thanks Spencer!!!
a68f029 kobelb: Ignoring space type from the secure saved objects client find with no
3 changes: 3 additions & 0 deletions
src/server/saved_objects/service/lib/__snapshots__/priority_collection.test.ts.snap
@@ -0,0 +1,3 @@ | ||
// Jest Snapshot v1, https://goo.gl/fbAQLP | ||
|
||
exports[`1, 1 throws Error 1`] = `"Already have entry with this priority"`; |
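Review bot: a Jest snapshot for one fixed error string is heavier than the case needs; asserting `expect(() => priorityCollection.add(1, 1)).toThrow('Already have entry with this priority')` in priority_collection.test.ts would make the expected message visible in the test itself and remove this .snap file, so a later change to the message is reviewed as a test change rather than a snapshot update.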
57 changes: 57 additions & 0 deletions
src/server/saved_objects/service/lib/priority_collection.test.ts
@@ -0,0 +1,57 @@ | ||
/* | ||
* Licensed to Elasticsearch B.V. under one or more contributor | ||
* license agreements. See the NOTICE file distributed with | ||
* this work for additional information regarding copyright | ||
* ownership. Elasticsearch B.V. licenses this file to you under | ||
* the Apache License, Version 2.0 (the "License"); you may | ||
* not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, | ||
* software distributed under the License is distributed on an | ||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
* KIND, either express or implied. See the License for the | ||
* specific language governing permissions and limitations | ||
* under the License. | ||
*/ | ||
import { PriorityCollection } from './priority_collection'; | ||
|
||
test(`1, 2, 3`, () => { | ||
const priorityCollection = new PriorityCollection(); | ||
priorityCollection.add(1, 1); | ||
priorityCollection.add(2, 2); | ||
priorityCollection.add(3, 3); | ||
expect(priorityCollection.toArray()).toEqual([1, 2, 3]); | ||
}); | ||
|
||
test(`3, 2, 1`, () => { | ||
const priorityCollection = new PriorityCollection(); | ||
priorityCollection.add(3, 3); | ||
priorityCollection.add(2, 2); | ||
priorityCollection.add(1, 1); | ||
expect(priorityCollection.toArray()).toEqual([1, 2, 3]); | ||
}); | ||
|
||
test(`2, 3, 1`, () => { | ||
const priorityCollection = new PriorityCollection(); | ||
priorityCollection.add(2, 2); | ||
priorityCollection.add(3, 3); | ||
priorityCollection.add(1, 1); | ||
expect(priorityCollection.toArray()).toEqual([1, 2, 3]); | ||
}); | ||
|
||
test(`Number.MAX_VALUE, NUMBER.MIN_VALUE, 1`, () => { | ||
const priorityCollection = new PriorityCollection(); | ||
priorityCollection.add(Number.MAX_VALUE, 3); | ||
priorityCollection.add(Number.MIN_VALUE, 1); | ||
priorityCollection.add(1, 2); | ||
expect(priorityCollection.toArray()).toEqual([1, 2, 3]); | ||
}); | ||
|
||
test(`1, 1 throws Error`, () => { | ||
const priorityCollection = new PriorityCollection(); | ||
priorityCollection.add(1, 1); | ||
expect(() => priorityCollection.add(1, 1)).toThrowErrorMatchingSnapshot(); | ||
}); |
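Review bot: the test titled `Number.MAX_VALUE, NUMBER.MIN_VALUE, 1` misspells `Number.MIN_VALUE` in its name, and, more importantly, `Number.MIN_VALUE` is the smallest positive double (about 5e-324), not the most negative number, so this case only orders 5e-324 < 1 < 1.8e308 and never exercises a priority below zero. Add a case with a negative priority (for example `priorityCollection.add(-1, ...)` inserted after a positive one) and a case asserting `toArray()` returns `[]` on an empty collection.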
47 changes: 47 additions & 0 deletions
src/server/saved_objects/service/lib/priority_collection.ts
@@ -0,0 +1,47 @@ | ||
/* | ||
* Licensed to Elasticsearch B.V. under one or more contributor | ||
* license agreements. See the NOTICE file distributed with | ||
* this work for additional information regarding copyright | ||
* ownership. Elasticsearch B.V. licenses this file to you under | ||
* the Apache License, Version 2.0 (the "License"); you may | ||
* not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, | ||
* software distributed under the License is distributed on an | ||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
* KIND, either express or implied. See the License for the | ||
* specific language governing permissions and limitations | ||
* under the License. | ||
*/ | ||
|
||
interface PriorityCollectionEntry<T> { | ||
priority: number; | ||
value: T; | ||
} | ||
|
||
export class PriorityCollection<T> { | ||
private readonly array: Array<PriorityCollectionEntry<T>> = []; | ||
|
||
public add(priority: number, value: T) { | ||
let i = 0; | ||
while (i < this.array.length) { | ||
const current = this.array[i]; | ||
if (priority === current.priority) { | ||
throw new Error('Already have entry with this priority'); | ||
} | ||
|
||
if (priority < current.priority) { | ||
break; | ||
} | ||
++i; | ||
} | ||
this.array.splice(i, 0, { priority, value }); | ||
} | ||
|
||
public toArray(): T[] { | ||
return this.array.map(entry => entry.value); | ||
} | ||
} |
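Review bot: `add` silently appends an entry whose priority is `NaN`, because neither `priority === current.priority` nor `priority < current.priority` is ever true for it, so the loop runs to the end and `splice` puts it last without an error. A `Number.isFinite(priority)` guard at the top of `add` would reject that, and the class has no doc comment stating the contract callers depend on: `toArray()` returns values in ascending priority order and duplicate priorities throw.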
@@ -16,13 +16,14 @@ | |
* specific language governing permissions and limitations | ||
* under the License. | ||
*/ | ||
import { PriorityCollection } from './priority_collection'; | ||
|
||
/** | ||
* Provider for the Scoped Saved Object Client. | ||
*/ | ||
export class ScopedSavedObjectsClientProvider { | ||
|
||
_wrapperFactories = []; | ||
_wrapperFactories = new PriorityCollection(); | ||
|
||
constructor({ | ||
defaultClientFactory | ||
|
@@ -38,8 +39,8 @@ export class ScopedSavedObjectsClientProvider { | |
// dependency on plugin b, that means that plugin b's client wrapper would want | ||
// to be able to run first when the SavedObjectClient methods are invoked to | ||
// provide additional context to plugin a's client wrapper. | ||
addClientWrapperFactory(wrapperFactory) { | ||
this._wrapperFactories.unshift(wrapperFactory); | ||
addClientWrapperFactory(priority, wrapperFactory) { | ||
The preceding comment is outdated now that this accepts a priority
||
this._wrapperFactories.add(priority, wrapperFactory); | ||
} | ||
|
||
setClientFactory(customClientFactory) { | ||
|
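Review bot: `addClientWrapperFactory(priority, wrapperFactory)` now fails at plugin registration when two callers pick the same priority, since `PriorityCollection.add` throws `'Already have entry with this priority'`, but the thrown message does not say which wrapper collided, and nothing in this method documents that `priority` must be a number or what the ordering means. Suggest catching the duplicate here and rethrowing with the wrapper identity, or at least documenting in the doc comment (already flagged as outdated above) that priorities must be unique numbers and that collisions throw at startup.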
@@ -55,11 +56,13 @@ export class ScopedSavedObjectsClientProvider { | |
request, | ||
}); | ||
|
||
return this._wrapperFactories.reduce((clientToWrap, wrapperFactory) => { | ||
return wrapperFactory({ | ||
request, | ||
client: clientToWrap, | ||
}); | ||
}, client); | ||
return this._wrapperFactories | ||
.toArray() | ||
.reduceRight((clientToWrap, wrapperFactory) => { | ||
return wrapperFactory({ | ||
request, | ||
client: clientToWrap, | ||
}); | ||
}, client); | ||
} | ||
} |
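Review bot: the wrapping order produced by `.toArray().reduceRight(...)` is not stated anywhere in this file. `reduceRight` visits the highest-priority entry first, so that wrapper wraps `client` directly and ends up innermost, while the lowest-numbered priority wraps last and ends up outermost, which is the wrapper that sees each SavedObjectsClient call first. The comment further up explains why a wrapper may need to run first but not which priority number achieves that; a one-line comment at this `reduceRight` (for example `// lower priority numbers wrap last and therefore run first`) would keep a wrapper that must see every call before the others, such as an authorization wrapper, from being registered with the wrong number.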
What do you think about naming this toPrioritizedArray(), or something similar?