add error handling and tests for privilege related errors

Author: neptunian

x-pack/plugins/data_usage/server/common/errors.ts

@@ -16,3 +16,9 @@ export class BaseError<MetaType = unknown> extends Error {
     }
   }
 }
+
+export const NoPrivilegeMeteringError =
+  'You do not have the necessary privileges to access data stream statistics. Please contact your administrator.';
+
+export const NoIndicesMeteringError =
+  'No data streams or indices are available for the current user. Ensure that the data streams or indices you are authorized to access have been created and contain data. If you believe this is an error, please contact your administrator.';

x-pack/plugins/data_usage/server/routes/error_handler.ts

@@ -7,7 +7,7 @@
 
 import type { IKibanaResponse, KibanaResponseFactory, Logger } from '@kbn/core/server';
 import { CustomHttpRequestError } from '../utils/custom_http_request_error';
-import { BaseError } from '../common/errors';
+import { BaseError, NoIndicesMeteringError, NoPrivilegeMeteringError } from '../common/errors';
 import { AutoOpsError } from '../services/errors';
 
 export class NotFoundError extends BaseError {}
@@ -43,6 +43,22 @@ export const errorHandler = <E extends Error>(
     return res.notFound({ body: error });
   }
 
+  if (error.message.includes('security_exception')) {
+    return res.forbidden({
+      body: {
+        message: NoPrivilegeMeteringError,
+      },
+    });
+  }
+
+  if (error.message.includes('index_not_found_exception')) {
+    return res.notFound({
+      body: {
+        message: NoIndicesMeteringError,
+      },
+    });
+  }
+
   // Kibana CORE will take care of `500` errors when the handler `throw`'s, including logging the error
   throw error;
 };

x-pack/test_serverless/api_integration/test_suites/common/data_usage/index.ts

@@ -11,6 +11,7 @@ export default function ({ loadTestFile }: FtrProviderContext) {
   describe('Serverless Data Usage APIs', function () {
     this.tags(['esGate']);
 
+    loadTestFile(require.resolve('./tests/data_streams_privileges'));
     loadTestFile(require.resolve('./tests/data_streams'));
     loadTestFile(require.resolve('./tests/metrics'));
   });

x-pack/test_serverless/api_integration/test_suites/common/data_usage/tests/data_streams_privileges.ts

@@ -0,0 +1,153 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import { DataStreamsResponseBodySchemaBody } from '@kbn/data-usage-plugin/common/rest_types';
+import { DATA_USAGE_DATA_STREAMS_API_ROUTE } from '@kbn/data-usage-plugin/common';
+import type { RoleCredentials } from '@kbn/ftr-common-functional-services';
+import {
+  NoIndicesMeteringError,
+  NoPrivilegeMeteringError,
+} from '@kbn/data-usage-plugin/server/common/errors';
+import { FtrProviderContext } from '../../../../ftr_provider_context';
+
+export default function ({ getService }: FtrProviderContext) {
+  const svlDatastreamsHelpers = getService('svlDatastreamsHelpers');
+  const svlCommonApi = getService('svlCommonApi');
+  const samlAuth = getService('samlAuth');
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const testDataStreamName = 'test-data-stream';
+  const otherTestDataStreamName = 'other-test-data-stream';
+  let roleAuthc: RoleCredentials;
+
+  describe('privileges with custom roles', function () {
+    // custom role testing is not supported in MKI
+    // the metering api which this route calls requires one of: monitor,view_index_metadata,manage,all
+    this.tags(['skipMKI']);
+    before(async () => {
+      await svlDatastreamsHelpers.createDataStream(testDataStreamName);
+      await svlDatastreamsHelpers.createDataStream(otherTestDataStreamName);
+    });
+    after(async () => {
+      await svlDatastreamsHelpers.deleteDataStream(testDataStreamName);
+      await svlDatastreamsHelpers.deleteDataStream(otherTestDataStreamName);
+    });
+    afterEach(async () => {
+      await samlAuth.invalidateM2mApiKeyWithRoleScope(roleAuthc);
+      await samlAuth.deleteCustomRole();
+    });
+    it('returns all data streams for indices with necessary privileges', async () => {
+      await samlAuth.setCustomRole({
+        elasticsearch: {
+          indices: [{ names: ['*'], privileges: ['all'] }],
+        },
+        kibana: [
+          {
+            base: ['all'],
+            feature: {},
+            spaces: ['*'],
+          },
+        ],
+      });
+      roleAuthc = await samlAuth.createM2mApiKeyWithRoleScope('customRole');
+      const res = await supertestWithoutAuth
+        .get(DATA_USAGE_DATA_STREAMS_API_ROUTE)
+        .query({ includeZeroStorage: true })
+        .set(svlCommonApi.getInternalRequestHeader())
+        .set(roleAuthc.apiKeyHeader)
+        .set('elastic-api-version', '1');
+
+      const dataStreams: DataStreamsResponseBodySchemaBody = res.body;
+      const foundTestDataStream = dataStreams.find((stream) => stream.name === testDataStreamName);
+      const foundTestDataStream2 = dataStreams.find(
+        (stream) => stream.name === otherTestDataStreamName
+      );
+      expect(res.statusCode).to.be(200);
+      expect(foundTestDataStream?.name).to.be(testDataStreamName);
+      expect(foundTestDataStream2?.name).to.be(otherTestDataStreamName);
+    });
+    it('returns data streams for only a subset of indices with necessary privileges', async () => {
+      await samlAuth.setCustomRole({
+        elasticsearch: {
+          indices: [{ names: ['test-data-stream*'], privileges: ['all'] }],
+        },
+        kibana: [
+          {
+            base: ['all'],
+            feature: {},
+            spaces: ['*'],
+          },
+        ],
+      });
+      roleAuthc = await samlAuth.createM2mApiKeyWithRoleScope('customRole');
+      const res = await supertestWithoutAuth
+        .get(DATA_USAGE_DATA_STREAMS_API_ROUTE)
+        .query({ includeZeroStorage: true })
+        .set(svlCommonApi.getInternalRequestHeader())
+        .set(roleAuthc.apiKeyHeader)
+        .set('elastic-api-version', '1');
+
+      const dataStreams: DataStreamsResponseBodySchemaBody = res.body;
+      const foundTestDataStream = dataStreams.find((stream) => stream.name === testDataStreamName);
+      const dataStreamNoPermission = dataStreams.find(
+        (stream) => stream.name === otherTestDataStreamName
+      );
+
+      expect(res.statusCode).to.be(200);
+      expect(foundTestDataStream?.name).to.be(testDataStreamName);
+      expect(dataStreamNoPermission?.name).to.be(undefined);
+    });
+    it('returns no data streams without necessary privileges', async () => {
+      await samlAuth.setCustomRole({
+        elasticsearch: {
+          indices: [{ names: ['*'], privileges: ['write'] }],
+        },
+        kibana: [
+          {
+            base: ['all'],
+            feature: {},
+            spaces: ['*'],
+          },
+        ],
+      });
+      roleAuthc = await samlAuth.createM2mApiKeyWithRoleScope('customRole');
+      const res = await supertestWithoutAuth
+        .get(DATA_USAGE_DATA_STREAMS_API_ROUTE)
+        .query({ includeZeroStorage: true })
+        .set(svlCommonApi.getInternalRequestHeader())
+        .set(roleAuthc.apiKeyHeader)
+        .set('elastic-api-version', '1');
+
+      expect(res.statusCode).to.be(403);
+      expect(res.body.message).to.contain(NoPrivilegeMeteringError);
+    });
+    it('returns no data streams when there are none it has access to', async () => {
+      await samlAuth.setCustomRole({
+        elasticsearch: {
+          indices: [{ names: ['none*'], privileges: ['all'] }],
+        },
+        kibana: [
+          {
+            base: ['all'],
+            feature: {},
+            spaces: ['*'],
+          },
+        ],
+      });
+      roleAuthc = await samlAuth.createM2mApiKeyWithRoleScope('customRole');
+      const res = await supertestWithoutAuth
+        .get(DATA_USAGE_DATA_STREAMS_API_ROUTE)
+        .query({ includeZeroStorage: true })
+        .set(svlCommonApi.getInternalRequestHeader())
+        .set(roleAuthc.apiKeyHeader)
+        .set('elastic-api-version', '1');
+
+      expect(res.statusCode).to.be(404);
+      expect(res.body.message).to.contain(NoIndicesMeteringError);
+    });
+  });
+}

x-pack/test_serverless/functional/test_suites/common/data_usage/privileges.ts

@@ -5,14 +5,21 @@
  * 2.0.
  */
 
+import expect from '@kbn/expect';
+import {
+  NoIndicesMeteringError,
+  NoPrivilegeMeteringError,
+} from '@kbn/data-usage-plugin/server/common/errors';
 import { FtrProviderContext } from '../../../ftr_provider_context';
 
 export default ({ getPageObjects, getService }: FtrProviderContext) => {
   const pageObjects = getPageObjects(['svlCommonPage', 'svlManagementPage', 'common']);
   const testSubjects = getService('testSubjects');
   const samlAuth = getService('samlAuth');
   const retry = getService('retry');
+  const es = getService('es');
   const dataUsageAppUrl = 'management/data/data_usage';
+  const toasts = getService('toasts');
 
   const navigateAndVerify = async (expectedVisible: boolean) => {
     await pageObjects.common.navigateToApp('management');
@@ -32,6 +39,32 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => {
   };
 
   describe('privileges', function () {
+    before(async () => {
+      await es.indices.putIndexTemplate({
+        name: 'test-datastream',
+        body: {
+          index_patterns: ['test-datastream'],
+          data_stream: {},
+          priority: 200,
+        },
+      });
+
+      await es.indices.createDataStream({ name: 'test-datastream' });
+      await es.indices.putIndexTemplate({
+        name: 'no-permission-test-datastream',
+        body: {
+          index_patterns: ['no-permission-test-datastream'],
+          data_stream: {},
+          priority: 200,
+        },
+      });
+
+      await es.indices.createDataStream({ name: 'no-permission-test-datastream' });
+    });
+    after(async () => {
+      await es.indices.deleteDataStream({ name: 'test-datastream' });
+      await es.indices.deleteDataStream({ name: 'no-permission-test-datastream' });
+    });
     it('renders for the admin role', async () => {
       await pageObjects.svlCommonPage.loginAsAdmin();
       await navigateAndVerify(true);
@@ -63,7 +96,7 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => {
       afterEach(async () => {
         await samlAuth.deleteCustomRole();
       });
-      it('renders with a custom role that has the monitor cluster privilege', async () => {
+      it('renders with a custom role that has the privileges cluster: monitor and indices all', async () => {
         await samlAuth.setCustomRole({
           elasticsearch: {
             cluster: ['monitor'],
@@ -97,6 +130,72 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => {
         await pageObjects.svlCommonPage.loginWithCustomRole();
         await navigateAndVerify(false);
       });
+
+      describe.skip('with custom role and data streams', function () {
+        // skip in all environments.  requires a code change to the data_streams route
+        // to allow zero storage data streams to not be filtered out, but useful for testing.
+        // the api integration tests can pass a flag to get around this case but we can't in the UI.
+        // metering api requires one of: monitor,view_index_metadata,manage,all
+        it('does not load data streams without necessary index privilege for any index', async () => {
+          await samlAuth.setCustomRole({
+            elasticsearch: {
+              cluster: ['monitor'],
+              indices: [{ names: ['*'], privileges: ['read'] }],
+            },
+            kibana: [
+              {
+                base: ['all'],
+                feature: {},
+                spaces: ['*'],
+              },
+            ],
+          });
+          await pageObjects.svlCommonPage.loginWithCustomRole();
+          await navigateAndVerify(true);
+          const toastContent = await toasts.getContentByIndex(1);
+          expect(toastContent).to.contain(NoPrivilegeMeteringError);
+        });
+
+        it('does load data streams with necessary index privilege for some indices', async () => {
+          await samlAuth.setCustomRole({
+            elasticsearch: {
+              cluster: ['monitor'],
+              indices: [
+                { names: ['test-datastream*'], privileges: ['all'] },
+                { names: ['.*'], privileges: ['read'] },
+              ],
+            },
+            kibana: [
+              {
+                base: ['all'],
+                feature: {},
+                spaces: ['*'],
+              },
+            ],
+          });
+          await pageObjects.svlCommonPage.loginWithCustomRole();
+          await navigateAndVerify(true);
+        });
+        it('handles error when no data streams that it has permission to exist (index_not_found_exception)', async () => {
+          await samlAuth.setCustomRole({
+            elasticsearch: {
+              cluster: ['monitor'],
+              indices: [{ names: ['none*'], privileges: ['all'] }],
+            },
+            kibana: [
+              {
+                base: ['all'],
+                feature: {},
+                spaces: ['*'],
+              },
+            ],
+          });
+          await pageObjects.svlCommonPage.loginWithCustomRole();
+          await navigateAndVerify(true);
+          const toastContent = await toasts.getContentByIndex(1);
+          expect(toastContent).to.contain(NoIndicesMeteringError);
+        });
+      });
     });
   });
 };