Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Cases] Attachments RBAC #97756

Merged
merged 19 commits into from
Apr 30, 2021
Merged

[Cases] Attachments RBAC #97756

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
39b3950
Starting rbac for comments
jonathan-buttner Apr 20, 2021
6fb28ce
Adding authorization to rest of comment apis
jonathan-buttner Apr 21, 2021
2e0239c
Starting the comment rbac tests
jonathan-buttner Apr 21, 2021
5a63e2e
Fixing some of the rbac tests
jonathan-buttner Apr 22, 2021
a2c7842
Adding some integration tests
jonathan-buttner Apr 23, 2021
f8dd425
Starting patch tests
jonathan-buttner Apr 26, 2021
d670b1c
Merge branch 'cases-rbac-poc' of github.com:elastic/kibana into attac…
jonathan-buttner Apr 26, 2021
ba380e9
Working tests for comments
jonathan-buttner Apr 26, 2021
7734644
Working tests
jonathan-buttner Apr 26, 2021
86180fa
Fixing some tests
jonathan-buttner Apr 27, 2021
eb26150
Merge branch 'cases-rbac-poc' of github.com:elastic/kibana into attac…
jonathan-buttner Apr 27, 2021
3d4726d
Fixing type issues from pulling in master
jonathan-buttner Apr 27, 2021
518db99
Fixing connector tests that only work in trial license
jonathan-buttner Apr 27, 2021
a32b1ba
Attempting to fix cypress
jonathan-buttner Apr 27, 2021
28f8b62
Mock return of array for configure
jonathan-buttner Apr 27, 2021
7e2778c
Fixing cypress test
jonathan-buttner Apr 27, 2021
221d17c
Cleaning up
jonathan-buttner Apr 28, 2021
d048e07
Addressing PR comments
jonathan-buttner Apr 29, 2021
f7ae701
Reducing operations
jonathan-buttner Apr 29, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions x-pack/plugins/cases/common/api/cases/comment.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
*/

import * as rt from 'io-ts';
import { SavedObjectFindOptionsRt } from '../saved_object';

import { UserRT } from '../user';

Expand All @@ -27,6 +28,7 @@ export const CommentAttributesBasicRt = rt.type({
]),
created_at: rt.string,
created_by: UserRT,
owner: rt.string,
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm adding owner here even though that means that patch requests must include the owner. This is to keep it consistent with how patch was already working. All of the fields need to be included in the patch and we have checks to make sure that certain fields like type and owner aren't different in the request than what is already defined in the object.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wondering if we should make a type for owner like:

const OwnerTypeRT = rt.union([rt.literal('securitySolution'), rt.literal('observability')]);

Not for this PR, but I think it would be good to have strict control over that type and not just accept any old string.

pushed_at: rt.union([rt.string, rt.null]),
pushed_by: rt.union([UserRT, rt.null]),
updated_at: rt.union([rt.string, rt.null]),
Expand All @@ -42,6 +44,7 @@ export enum CommentType {
export const ContextTypeUserRt = rt.type({
comment: rt.string,
type: rt.literal(CommentType.user),
owner: rt.string,
});

/**
Expand All @@ -57,6 +60,7 @@ export const AlertCommentRequestRt = rt.type({
id: rt.union([rt.string, rt.null]),
name: rt.union([rt.string, rt.null]),
}),
owner: rt.string,
});

const AttributesTypeUserRt = rt.intersection([ContextTypeUserRt, CommentAttributesBasicRt]);
Expand Down Expand Up @@ -112,6 +116,12 @@ export const CommentsResponseRt = rt.type({

export const AllCommentsResponseRt = rt.array(CommentResponseRt);

export const FindQueryParamsRt = rt.partial({
...SavedObjectFindOptionsRt.props,
subCaseId: rt.string,
});

export type FindQueryParams = rt.TypeOf<typeof FindQueryParamsRt>;
export type AttributesTypeAlerts = rt.TypeOf<typeof AttributesTypeAlertsRt>;
export type AttributesTypeUser = rt.TypeOf<typeof AttributesTypeUserRt>;
export type CommentAttributes = rt.TypeOf<typeof CommentAttributesRt>;
Expand Down
1 change: 1 addition & 0 deletions x-pack/plugins/cases/common/api/cases/user_actions.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ const UserActionFieldTypeRt = rt.union([
rt.literal('status'),
rt.literal('settings'),
rt.literal('sub_case'),
rt.literal('owner'),
]);
const UserActionFieldRt = rt.array(UserActionFieldTypeRt);
const UserActionRt = rt.union([
Expand Down
5 changes: 5 additions & 0 deletions x-pack/plugins/cases/common/api/helpers.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ import {
SUB_CASES_URL,
CASE_PUSH_URL,
SUB_CASE_USER_ACTIONS_URL,
CASE_CONFIGURE_DETAILS_URL,
} from '../constants';

export const getCaseDetailsUrl = (id: string): string => {
Expand Down Expand Up @@ -47,3 +48,7 @@ export const getSubCaseUserActionUrl = (caseID: string, subCaseId: string): stri
export const getCasePushUrl = (caseId: string, connectorId: string): string => {
return CASE_PUSH_URL.replace('{case_id}', caseId).replace('{connector_id}', connectorId);
};

export const getCaseConfigurationDetailsUrl = (configureID: string): string => {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is so the UI can send the correct patch request with the configuration_id.

return CASE_CONFIGURE_DETAILS_URL.replace('{configuration_id}', configureID);
};
16 changes: 8 additions & 8 deletions x-pack/plugins/cases/server/authorization/audit_logger.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,8 @@
* 2.0.
*/

import { OperationDetails } from '.';
import { AuditLogger, EventCategory, EventOutcome } from '../../../security/server';
import { DATABASE_CATEGORY, ECS_OUTCOMES, OperationDetails } from '.';
import { AuditLogger } from '../../../security/server';

enum AuthorizationResult {
Unauthorized = 'Unauthorized',
Expand Down Expand Up @@ -51,9 +51,9 @@ export class AuthorizationAuditLogger {
message: `${username ?? 'unknown user'} ${message}`,
event: {
action: operation.action,
category: EventCategory.DATABASE,
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The security plugin no longer defines these. They're using the ECS library directly now. So I defined some constants for us.

Copy link
Contributor

@stephmilovic stephmilovic Apr 28, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe something to come back to. I defined some ECS in the RAC work we did (no overlap). maybe we should use library?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah that could be helpful. The struggle was that the ECS library defines types but not the values from what I could tell 🤷‍♂️ . I don't anticipate needing to add more than what was in this PR but if we do then yeah maybe a library would be a good option.

type: operation.type,
outcome: EventOutcome.SUCCESS,
category: DATABASE_CATEGORY,
type: [operation.type],
outcome: ECS_OUTCOMES.success,
},
...(username != null && {
user: {
Expand Down Expand Up @@ -81,9 +81,9 @@ export class AuthorizationAuditLogger {
message: `${username ?? 'unknown user'} ${message}`,
event: {
action: operation.action,
category: EventCategory.DATABASE,
type: operation.type,
outcome: EventOutcome.FAILURE,
category: DATABASE_CATEGORY,
type: [operation.type],
outcome: ECS_OUTCOMES.failure,
},
// add the user information if we have it
...(username != null && {
Expand Down
130 changes: 111 additions & 19 deletions x-pack/plugins/cases/server/authorization/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,12 @@
* 2.0.
*/

import { EventType } from '../../../security/server';
import { CASE_CONFIGURE_SAVED_OBJECT, CASE_SAVED_OBJECT } from '../../common/constants';
import { EcsEventCategory, EcsEventOutcome, EcsEventType } from 'kibana/server';
import {
CASE_COMMENT_SAVED_OBJECT,
CASE_CONFIGURE_SAVED_OBJECT,
CASE_SAVED_OBJECT,
} from '../../common/constants';
import { Verbs, ReadOperations, WriteOperations, OperationDetails } from './types';

export * from './authorization';
Expand Down Expand Up @@ -37,89 +41,177 @@ const deleteVerbs: Verbs = {
past: 'deleted',
};

const EVENT_TYPES: Record<string, EcsEventType> = {
creation: 'creation',
deletion: 'deletion',
change: 'change',
access: 'access',
};

/**
* These values need to match the respective values in this file: x-pack/plugins/security/server/authorization/privileges/feature_privilege_builder/cases.ts
* These are shared between find, get, get all, and delete/delete all
* There currently isn't a use case for a user to delete one comment but not all or differentiating between get, get all,
* and find operations from a privilege stand point.
*/
const DELETE_COMMENT_OPERATION = 'deleteComment';
const ACCESS_COMMENT_OPERATION = 'getComment';
const ACCESS_CASE_OPERATION = 'getCase';

/**
* Database constant for ECS category for use for audit logging.
*/
export const DATABASE_CATEGORY: EcsEventCategory[] = ['database'];

/**
* ECS Outcomes for audit logging.
*/
export const ECS_OUTCOMES: Record<string, EcsEventOutcome> = {
failure: 'failure',
success: 'success',
unknown: 'unknown',
};

/**
* Definition of all APIs within the cases backend.
*/
export const Operations: Record<ReadOperations | WriteOperations, OperationDetails> = {
// case operations
[WriteOperations.CreateCase]: {
type: EventType.CREATION,
type: EVENT_TYPES.creation,
name: WriteOperations.CreateCase,
action: 'create-case',
verbs: createVerbs,
docType: 'case',
savedObjectType: CASE_SAVED_OBJECT,
},
[WriteOperations.DeleteCase]: {
type: EventType.DELETION,
type: EVENT_TYPES.deletion,
name: WriteOperations.DeleteCase,
action: 'delete-case',
verbs: deleteVerbs,
docType: 'case',
savedObjectType: CASE_SAVED_OBJECT,
},
[WriteOperations.UpdateCase]: {
type: EventType.CHANGE,
type: EVENT_TYPES.change,
name: WriteOperations.UpdateCase,
action: 'update-case',
verbs: updateVerbs,
docType: 'case',
savedObjectType: CASE_SAVED_OBJECT,
},
[WriteOperations.CreateConfiguration]: {
type: EventType.CREATION,
type: EVENT_TYPES.creation,
name: WriteOperations.CreateConfiguration,
action: 'create-configuration',
verbs: createVerbs,
docType: 'case configuration',
savedObjectType: CASE_CONFIGURE_SAVED_OBJECT,
},
[WriteOperations.UpdateConfiguration]: {
type: EventType.CHANGE,
type: EVENT_TYPES.change,
name: WriteOperations.UpdateConfiguration,
action: 'update-configuration',
verbs: updateVerbs,
docType: 'case configuration',
savedObjectType: CASE_CONFIGURE_SAVED_OBJECT,
},
[ReadOperations.FindConfigurations]: {
type: EVENT_TYPES.access,
name: ReadOperations.FindConfigurations,
action: 'find-configurations',
verbs: accessVerbs,
docType: 'case configurations',
savedObjectType: CASE_CONFIGURE_SAVED_OBJECT,
},
[ReadOperations.GetCase]: {
type: EventType.ACCESS,
name: ReadOperations.GetCase,
type: EVENT_TYPES.access,
name: ACCESS_CASE_OPERATION,
action: 'get-case',
verbs: accessVerbs,
docType: 'case',
savedObjectType: CASE_SAVED_OBJECT,
},
[ReadOperations.FindCases]: {
type: EventType.ACCESS,
name: ReadOperations.FindCases,
type: EVENT_TYPES.access,
name: ACCESS_CASE_OPERATION,
action: 'find-cases',
verbs: accessVerbs,
docType: 'cases',
savedObjectType: CASE_SAVED_OBJECT,
},
[ReadOperations.GetTags]: {
type: EventType.ACCESS,
type: EVENT_TYPES.access,
name: ReadOperations.GetCase,
action: 'get-tags',
verbs: accessVerbs,
docType: 'case',
savedObjectType: CASE_SAVED_OBJECT,
},
[ReadOperations.GetReporters]: {
type: EventType.ACCESS,
type: EVENT_TYPES.access,
name: ReadOperations.GetReporters,
action: 'get-reporters',
verbs: accessVerbs,
docType: 'case',
savedObjectType: CASE_SAVED_OBJECT,
},
[ReadOperations.FindConfigurations]: {
type: EventType.ACCESS,
name: ReadOperations.FindConfigurations,
action: 'find-configurations',
// comments operations
[WriteOperations.CreateComment]: {
type: EVENT_TYPES.creation,
name: WriteOperations.CreateComment,
action: 'create-comment',
verbs: createVerbs,
docType: 'comments',
savedObjectType: CASE_COMMENT_SAVED_OBJECT,
},
[WriteOperations.DeleteAllComments]: {
type: EVENT_TYPES.deletion,
name: DELETE_COMMENT_OPERATION,
action: 'delete-all-comments',
verbs: deleteVerbs,
docType: 'comments',
savedObjectType: CASE_COMMENT_SAVED_OBJECT,
},
[WriteOperations.DeleteComment]: {
type: EVENT_TYPES.deletion,
name: DELETE_COMMENT_OPERATION,
action: 'delete-comment',
verbs: deleteVerbs,
docType: 'comments',
savedObjectType: CASE_COMMENT_SAVED_OBJECT,
},
[WriteOperations.UpdateComment]: {
type: EVENT_TYPES.change,
name: WriteOperations.UpdateComment,
action: 'update-comments',
verbs: updateVerbs,
docType: 'comments',
savedObjectType: CASE_COMMENT_SAVED_OBJECT,
},
[ReadOperations.GetComment]: {
type: EVENT_TYPES.access,
name: ACCESS_COMMENT_OPERATION,
action: 'get-comment',
verbs: accessVerbs,
docType: 'case configurations',
savedObjectType: CASE_CONFIGURE_SAVED_OBJECT,
docType: 'comments',
savedObjectType: CASE_COMMENT_SAVED_OBJECT,
},
[ReadOperations.GetAllComments]: {
type: EVENT_TYPES.access,
name: ACCESS_COMMENT_OPERATION,
action: 'get-all-comment',
verbs: accessVerbs,
docType: 'comments',
savedObjectType: CASE_COMMENT_SAVED_OBJECT,
},
[ReadOperations.FindComments]: {
type: EVENT_TYPES.access,
name: ACCESS_COMMENT_OPERATION,
action: 'find-comments',
verbs: accessVerbs,
docType: 'comments',
savedObjectType: CASE_COMMENT_SAVED_OBJECT,
},
};
Loading